Incident roles are a standard way to define key responsibilities during an incident. They bring clarity to the chaos, making expectations clear for those involved, at all stages of an incident.
Well thought-out roles help to ensure collaboration goes smoothly. They can avoid distractions by funnelling information and questions to the right people, and streamline decision making by clearly articulating who’s responsible to decide on the course of action.
Useful roles can vary greatly from incident to incident and certain types or severities of incidents may need a completely different set of roles to others.
The only essential role for all incidents is the Incident Lead (sometimes called Incident Commander). For a smooth response process, it must be clear who is responsible for seeing an incident through to completion.
The Incident Lead role should be compulsory and assigned as soon as possible when a new incident is raised. The lead is the person who should know what state the incident is in and what activities are currently ongoing to progress it.
The responsibilities of the lead should be clearly listed, and can vary with organization size and incident scope.
Smaller, simpler incidents
The lead can be much more hands-on — managing debugging, communications, and creating follow-ups.
Larger, more complex incidents
The lead should take a coordinator role, confirming the course of action, and ensuring the incident is running smoothly. See The lifecycle of an incident for more on how to coordinate teams effectively.
It’s important to be judicious about the roles you define for your incidents and, like severities, have as few defined as you can reasonably get away with. When responders are spending more time figuring out their roles than responding to the incident, you have a problem!
Roles should only be used for vital responsibilities that need to be attributed to a single person.
As long as you have a clear Incident Lead, you can lean on actions to avoid duplication of work and keep a clear flow. Actions should be clearly assigned to specific people, and your Incident Lead can coordinate the various threads. You can learn more about this in Communicating within your organization.
For incidents that need internal or external updates, it’s good to define who’s responsible for these. This role becomes more important with high severity incidents, where handling communications needs to be delegated away from the incident lead.
Responsibilities of a communications lead will include deciding the cadence of updates, monitoring who knows what, and gathering information to provide new updates. Without a dedicated person, it’s easy for communication to become an afterthought.
For larger incidents, you may decide to split this into two roles: one responsible for internal updates to the company (which are critical for effectively communicating within your organization) and one for external updates to your customers or partners (see Keeping your customers in the loop).
High severity incidents or ones with significant impact may need quick decisions to be made by more senior stakeholders. An accountable executive can be responsible for making large and complex decisions quickly, avoiding the need for a slow escalation process.
Certain incidents will benefit from named representation from other teams across the business:
These will generally be situational, so the key is to identify when you need this person, and assign them clearly so all the responders know who’s on point for that function.
Roles are vital so that everyone knows who is accountable for what during an incident, particularly the lead role. They allow responders to focus on specific tasks, instead of everyone trying to do everything.
For incident response to continue running smoothly, roles should quickly be reassigned if someone is no longer able to fulfil them. Make sure the handover process is clear. New joiners should always see up to date information on who is leading an incident. Previous leads should make the current status clear and allow the next person to pick up seamlessly.