Every serious engineering organization claims to do “blameless postmortems.” Most don’t, at least not in practice. The word “blameless” is easy; the culture is hard. This article is about what actually makes postmortems useful.
What a postmortem is for
A postmortem serves one purpose: make sure this doesn’t happen again the same way.
Not to assign blame. Not to punish. Not to demonstrate to leadership that the team is competent. Just: understand the system, find the weaknesses, fix them.
If the postmortem doesn’t result in specific, tracked, actually-shipped improvements, it failed regardless of how well-written it was.
The structure that works
Every postmortem should contain:
1. Summary. One paragraph. Impact, duration, root cause, how resolved.
2. Timeline. Minute-by-minute from detection to resolution. Not an executive summary; actual timestamps and decisions.
3. Impact. Users affected, revenue lost (if quantifiable), downstream systems affected, SLO budget consumed.
4. Root cause analysis. Not “human error.” The system conditions that allowed the failure. Usually a chain.
5. Contributing factors. Things that made it worse, took longer to detect, blocked faster resolution.
6. What went well. Detection was fast. Runbook worked. Rollback was quick. Recognize these explicitly.
7. Action items. Specific, owned, tracked. “Add alert on metric X, owned by Team Y, by date Z.”
8. Lessons learned. What this teaches about the system.
What “blameless” actually requires
The word gets thrown around. In practice, blameless means:
Assume everyone did their best with information available. If the on-call engineer ran the wrong command at 3 AM, the question isn’t “why did they run it” — it’s “why was the wrong command runnable in the first place?” Better: why did our system allow that command to cause this damage?
No individual names in root cause. “Engineer X deployed broken code” is blame. “A broken deploy passed CI because tests didn’t cover this case” is blameless.
Focus on system, not individuals. Humans are fallible; systems should assume that. If a single human mistake caused an outage, the system is broken.
Curiosity, not judgment. “Why did that seem like the right thing to do at the time?” is the key question. Not rhetorical; actually answered.
This is hard. Engineers feel personally responsible. Managers want accountability. Both impulses can push the postmortem toward blame. Hold the line.
Who attends
- On-call engineer(s) who handled the incident
- Service owner team
- Anyone who made decisions during the incident
- Observer from another team (fresh eyes)
- Facilitator (experienced in running postmortems)
Senior leadership present makes blameless harder — people posture. Avoid if possible.
The facilitator’s job
- Keep discussion on “what happened” and “why the system allowed it”, not “who should have known”
- Challenge vague statements (“we don’t monitor this well” → “specifically, metric X doesn’t alert below threshold Y”)
- Watch for anyone getting defensive; redirect
- Ensure every action item has a real owner and a deadline
A good facilitator makes the postmortem feel collaborative. A bad one makes it feel like a trial.
Action items that actually ship
The most common failure: action items listed, never done. A month later, same incident recurs.
Rules:
- Each action item in the team’s regular backlog
- Owner is an individual, not a team
- Deadline is realistic (not “ASAP”)
- Priority set by severity of the incident
- Reviewed weekly until closed
- A few closed items celebrated; open ones escalated
If the org doesn’t prioritize postmortem action items above feature work, postmortems are theater.
5 Whys, used correctly
A classic technique: ask “why” five times to reach root cause.
Wrong use:
Service failed. Why? Bug in code. Why? Engineer made mistake. Why? Didn’t test well. Why? Rushed. Why? Aggressive deadline.
Now you’re blaming the engineer and leadership. Unhelpful.
Better:
Service failed. Why? Bug in X code path. Why? Test suite didn’t cover input combination. Why? No property-based testing for this module. Why? We’ve never adopted it. Why? Nobody’s championed it. Action: investigate property testing for this critical module.
Ends with a system improvement, not a person to blame.
Incident severity
Not every incident needs a full postmortem. Common tiers:
- SEV-1 — major outage, customer-facing, full postmortem, 48-hour turnaround
- SEV-2 — partial outage, full postmortem, 1-week turnaround
- SEV-3 — brief degradation, abbreviated review, 2-week turnaround
- SEV-4 — near-miss, internal note, optional review
Scaling the investment to the impact keeps the overhead sustainable.
Publishing postmortems
Internally: every engineer should be able to read recent postmortems. Builds shared context; new engineers learn from past incidents.
Externally: for public-facing products, consider publishing high-severity postmortems (with sensitive details redacted). Builds trust. Many top engineering orgs do this publicly.
Common failure modes
Postmortem as status update. “We had an incident. Fixed it. Moving on.” No root cause analysis, no action items. Useless.
Blame the pager-holder. “Why didn’t you catch this?” — misses that the alerting or runbook failed.
Action items too vague. “Improve monitoring” — what specifically? Which metric? Who owns it?
No follow-through. Action items noted, nobody tracks them. Back to square one.
Defensive writing. Postmortem reads like a defense against liability. Not useful; nobody learns.
The long game
Organizations that take blameless postmortems seriously see:
- Fewer recurring incidents
- Better systems over time (each postmortem shipping improvements)
- Psychological safety (engineers report problems early instead of hiding)
- Faster onboarding (new engineers read postmortems and learn)
Organizations that do them badly see the opposite: same incidents recur, engineers hide near-misses, culture of blame emerges.
Closing note
Postmortems are the mechanism by which incidents pay for themselves — the pain of the outage converted into system improvements that prevent the next one. Done well, they compound: every year, the system is more resilient than the last. Done badly, they’re paper exercises that satisfy nobody. The difference isn’t in the template or the process — it’s in whether the organization actually believes blame is less useful than understanding. That’s a cultural stance, not a procedural one.