Incident Investigation and Diagnosis (process SO 2.3)

Each support group involved with handling incidents must perform investigation and diagnosis tasks to determine the categorization of and solution to the incident. All actions performed by support group personnel are documented in the incident, so that a complete historical record of all activities is maintained at all times.

Incident Investigation and Diagnosis includes the following actions:

  • Establishing the exact cause of the incident
  • Documenting user requests for information or for particular actions or outcomes
  • Understanding the chronological order of events
  • Confirming the full impact of the incident, including the number and range of users affected
  • Identifying any events that could have triggered the incident (for example, a recent change or user action)
  • Searching known errors or the knowledgebase for a workaround or resolution
  • Discovering any previous occurrences, including previously logged incidents or problems and known errors, the knowledgebase, and error logs and knowledgebases of associated manufacturers and suppliers
  • Identifying and registering a possible resolution for the incident

The Incident Analyst asks the following questions to determine how to resolve an incident:

  • Is there a problem?
  • Do I have the knowledge and tools to solve this problem?
  • Can the incident be reproduced?
  • Can the incident be related to an open problem or known error?
  • Was the incident caused by the implementation of a change?
  • Can a solution be found for this incident?

You can see the details of this process in the following figure and table.

The Incident Investigation and Diagnosis workflow is illustrated in the following figure:

Incident Investigation and Diagnosis process

| Process ID | Procedure or Decision | Description | Role |
|---|---|---|---|
| SO 2.3.1 | Review Incident | The Incident Analyst monitors the queue of incidents assigned to him/her and reviews the incoming incidents. | Incident Analyst |
| SO 2.3.2 | Request for information? | The Incident Analyst evaluates the incident to see if it is categorized as a Request for Information (RFI) or if it is a service disruption. If it is an RFI, continue with SO 2.3.12. If it is a service disruption, go to SO 2.3.3. | Incident Analyst |
| SO 2.3.3 | Investigate and Diagnose Incident | The Incident Analyst starts to investigate and diagnose the cause of the incident. The status of the incident is set to Work in Progress. Tasks could be created for carrying out the investigation activities. | Incident Analyst |
| SO 2.3.4 | Match to outstanding Problem/ Known Error/ Incident? | The Incident Analyst searches the problem database to see if there is already a problem or known error defined for this incident. If yes, continue with SO 2.3.5. If no, go to SO 2.3.6. | Incident Analyst |
| SO 2.3.5 | Relate incident to Problem/ Known Error/ Incident | When an incident matches an outstanding problem or known error, the incident is related to the problem or known error record. | Incident Analyst |
| SO 2.3.6 | Incident caused by change? | The Incident Analyst searches the changes database to see if a recent change may have caused the service disruption. If the configuration item associated with the incident is listed, the Incident Analyst can also look at any changes that have recently been performed against this configuration item. The Incident Analyst can also view the configuration item tree to discover if related configuration items could have caused the incident. If yes, continue with SO 2.3.7. If no, go to SO 2.3.8. | Incident Analyst |
| SO 2.3.7 | Relate incident to change (caused by) | When the incident is caused by a previous change, the incident is related to the change request. A solution still needs to be found to solve the incident. | Incident Analyst |
| SO 2.3.8 | Resolution found? | The Incident Analyst checks the known error/knowledgebase for a workaround or resolution to this incident, or tries to find a solution. If yes, continue with SO 2.3.13. If no, go to SO 2.3.9. | Incident Analyst |
| SO 2.3.9 | Reassignment Required? | If reassignment is required, go to SO 2.3.11. Otherwise, go to SO 2.3.10. | Incident Analyst |
| SO 2.3.10 | Escalation Required | If a solution has not been identified, review whether to escalate the Incident to the Incident Coordinator. If yes, go to SO 2.6.1 to determine how to resolve the Incident. If not, go to SO 2.3.3 to continue investigation and diagnosis of the Incident. | Incident Analyst |
| SO 2.3.11 | Reassign Incident to Coordinator | The Incident Analyst reassigns the incident to the Incident Coordinator if no resolution can be found. The analyst also provides information on the current status, work performed on the Incident, and information on reassignment. The Incident Coordinator can decide whether to escalate the incident, reassign the incident, or close the incident. | Incident Analyst |
| SO 2.3.12 | Search Collect information | The Incident Analyst searches for information to provide the requested information to the User. | Incident Analyst |
| SO 2.3.13 | Document Resolution/Workaround | The Incident Analyst documents the solution or workaround in the incident. | Incident Analyst |