Overview
Every incident is a free learning opportunity — provided you have a mechanism to extract lessons from it. A Postmortem is not about writing a confession or finding a scapegoat. It is a structured engineering methodology for converting incident experience into systemic improvements.
One of the core tenets of Google SRE is: “Blameless postmortem.” The focus of a review is always on “why did the system fail,” not “who messed up.” This is not sentimentality — it’s engineering rationality: if people feel threatened during a review, they will hide information, and you will never see the true root cause of the incident.
This article systematically covers how to turn Postmortems from “going through the motions” into “real learning” — covering the significance of postmortem culture, the blameless principle, root cause analysis methods, postmortem templates, action item tracking, and organizational culture barriers.
For a systematic methodology on Postmortem culture, see Google SRE Book - Postmortem Culture and Google SRE Workbook - Postmortems.
1. Why Postmortem Culture Matters
The Engineering Reality of Inevitable Failures
In distributed systems, failure is not a question of “if” but “when.” A typical microservice architecture may have hundreds of service nodes, dozens of dependency systems, and deployment across multiple availability zones — the combinatorial complexity grows exponentially. Under this complexity, the following scenarios are almost certain to occur:
- Network partitions causing inter-service call timeouts
- Configuration changes triggering cascading failures
- Dependency on third-party API rate limiting or unavailability
- Database connection pool exhaustion
- A release introducing an edge-case bug
The question is not whether incidents happen, but: will the same incident happen again?
The Cost of Not Doing Postmortems
Teams without a Postmortem culture typically fall into the following cycle:
Incident occurs → Emergency fix → Sigh of relief → Never followed up → Similar incident happens again
The cost of this cycle is far greater than you might think:
| Dimension | Cost |
|---|---|
| Recurring incidents | Same root cause not eliminated, incidents repeat, MTBF cannot improve |
| Knowledge gap | Critical troubleshooting experience stays in individuals’ heads; lost when people leave |
| Eroded trust | Team repeatedly makes similar mistakes; management and user trust steadily declines |
| Personal stress | Without institutional support, on-call engineers bear psychological pressure alone, accelerating burnout |
| No improvement tracking | Fixes remain in verbal conversations and chat logs, with no tracking or acceptance |
The Engineering Value of Postmortems
A mature Postmortem system delivers value at three levels:
- Knowledge consolidation: Convert implicit incident troubleshooting experience into explicit, searchable knowledge
- System improvement: Drive systemic optimization through root cause analysis, rather than treating symptoms
- Culture shaping: Build a “focus on the issue, not the person” safety culture that encourages candor and transparency
2. The Blameless Postmortem Principle
Core Tenet
Blameless is the soul of Postmortem culture. Its core tenet can be summarized in one sentence:
Assume that everyone involved made the most reasonable decision given the information and pressure they had at the time.
The goal of the review is to understand “why this decision seemed reasonable at the time,” not to judge “how stupid this decision was.”
Why Blameless Is Not Sentimentality
Some argue that blameless is about excusing mistakes. The opposite is true — blameless is about finding the real root cause more efficiently. Consider two scenarios:
Scenario A (blame culture):
Review facilitator: "Who was responsible for this release? Why wasn't there a canary?"
Release engineer: (defensive) "Time was tight, product was pushing hard, tests passed..."
→ Focus shifts to defensiveness and blame-shifting; technical root cause is obscured
Scenario B (Blameless culture):
Review facilitator: "In the release process at the time, what factors made a full rollout seem reasonable?"
Release engineer: (candid) "Canary release requires manual weight configuration, which is cumbersome,
and the last few direct releases had no issues, so the risk seemed low."
→ Focus shifts to process deficiency (high cost of canary operations); root cause surfaces
Blameless doesn’t mean no accountability — it means shifting accountability from “personal fault” to “system improvement.”
Practical Guidelines for Blameless
| Guideline | Description | Anti-pattern |
|---|---|---|
| Focus on systems and processes | Ask “why did the system allow this error” not “who made the mistake” | “Zhang San’s code has a bug” |
| Use neutral language | Avoid emotional expressions and judgmental words | “This design is simply unreasonable” |
| Encourage candor | Clearly state that the review does not affect performance; the more complete the information, the more valuable | Tying review outcomes to KPIs |
| Consider decision context | Understand the information constraints and pressure conditions at the time | Second-guessing decisions with hindsight |
| Focus on issues, not people | Action items point to processes/tools/architecture, not “someone should be careful” | Action item: “Zhang San needs to be more careful” |
3. When to Trigger a Postmortem
Not every incident requires a formal Postmortem. Over-reviewing leads to fatigue and going through the motions; under-reviewing means missing learning opportunities. Here are common trigger criteria:
Severity-Based Triggers
| Severity Level | Postmortem Required | Depth Required |
|---|---|---|
| SEV1 (P0) | Mandatory formal review | Full Postmortem document + review meeting |
| SEV2 (P1) | Mandatory formal review | Full Postmortem document |
| SEV3 (P2) | As needed | Brief review or lightweight analysis |
| SEV4 (P3/P4) | Not required | Log in ticketing system |
Other Triggers
Beyond severity, the following situations should also trigger a review:
- Novel failure mode: Even if impact is small, a new type of failure is worth reviewing to prevent recurrence
- Response time exceeds target: MTTR far exceeds the SLO target, requiring analysis of response process bottlenecks
- Near-repeat incidents: Similar root causes within a short period (e.g., 30 days) indicate previous action items weren’t implemented
- User complaint-driven: Even if monitoring systems didn’t detect it, users reported a clear impact
Postmortem Time Window
Incident recovery → Within 24-48 hours: Complete Postmortem draft
→ Within 3-5 business days: Hold review meeting
→ Within 48 hours after meeting: Finalize and archive
The core principle is review while it’s fresh: after recovery, participants’ memories are sharpest and context is most complete. Delaying too long leads to forgotten details and “rationalized reconstructions.”
4. Root Cause Analysis Methods
Root Cause Analysis (RCA) is the technical core of a Postmortem. The goal is to find the most fundamental cause of the incident, not the most superficial trigger.
Causal Chains and the Definition of “Root Cause”
An incident is typically a causal chain:
Configuration error → Connection pool exhaustion → Service timeout → Upstream cascading failure → User-facing error
Fixing only “connection pool exhaustion” is not enough — the root cause is “configuration changes lack validation mechanisms.” The criterion for a root cause is: if this problem were solved, would this class of incident be completely prevented?
5 Whys Method
5 Whys is the most commonly used root cause analysis technique: for each answer, continue asking “why” until you reach a systemic root cause.
Example: Database primary-replica failover failure
Q1: Why did the primary-replica failover fail?
A1: Because the replica's replication lag exceeded 30 seconds, and data was inconsistent at failover time.
Q2: Why was the replica's replication lag over 30 seconds?
A2: Because the primary was doing bulk writes, and the replica couldn't apply binlogs fast enough.
Q3: Why was the primary doing bulk writes?
A3: Because a data migration job was running bulk INSERTs in the early morning.
Q4: Why did the migration job run in the early morning without write rate limiting?
A4: Because the migration script had no rate limiting, and the job scheduler didn't account for database replication lag.
Q5: Why does the migration script lack rate limiting and why doesn't the scheduler consider replication status?
A5: Because the data migration tool lacks a "write rate limit" feature, and the scheduling system
and database monitoring are two independent systems with no integrated health check mechanism.
Root cause: Data migration tool lacks rate control + scheduling system and database monitoring lack integrated health checks.
Action items:
- Add write rate limiting to the migration tool
- Integrate database replication lag checks into the scheduler; automatically pause tasks when lag exceeds threshold
5 Whys considerations:
- It doesn’t have to be exactly 5 “whys” — you might reach the root cause in 3, or need 7-8
- Each level’s answer should be based on facts and data, not speculation
- There may be multiple branches — incidents are often tree-structured, not linear causal chains
Fishbone Diagram (Ishikawa Diagram)
For complex incidents, the causal chain is not linear but a combination of multiple factors. Fishbone diagrams are well-suited for mapping multi-dimensional factors:
┌─ People: On-call engineer unfamiliar with this service
│
├─ Process: Change approval didn't cover configuration items
│
Incident: Service unavailable ──────┼─ Technology: Config center has no canary release mechanism
│
├─ Environment: Test environment config differs from production
│
└─ Tools: Config validation tool doesn't cover this field
The fishbone diagram’s categorization dimensions typically reference the 6M framework:
| Dimension | Meaning | SRE Example |
|---|---|---|
| Man (People) | Human factors | Insufficient knowledge, fatigue, poor communication |
| Method (Process) | Working methods | Missing change process, insufficient approval |
| Machine (Technology) | Technical solutions | Architecture flaws, missing fault tolerance |
| Material (Data/Materials) | Data/Configuration | Configuration errors, data quality issues |
| Measurement (Metrics) | Monitoring | Missing alerts, overlooked metrics |
| Environment (Environment) | Runtime environment | Environment inconsistency, resource shortage |
Choosing an Analysis Method
| Method | Suitable Scenario | Advantage | Limitation |
|---|---|---|---|
| 5 Whys | Single causal chain incidents | Simple, intuitive, fast | May miss factors in complex multi-cause incidents |
| Fishbone diagram | Multi-factor complex incidents | Systematic and comprehensive, avoids omissions | Highly structured, time-consuming |
| Fault Tree Analysis (FTA) | Safety-critical systems, high complexity | Rigorous logic, quantifiable probabilities | High learning curve, over-formalization risk |
| Timeline analysis | Long-evolving cascading incidents | Reconstructs event evolution | Doesn’t directly produce root cause; needs complementary methods |
In practice, the most common combination is 5 Whys + timeline analysis: first use the timeline to reconstruct the full event, then apply 5 Whys to key turning points for root cause analysis.
5. Postmortem Document Template
A good template lowers the writing barrier and ensures content completeness. Here is a battle-tested template:
# Postmortem: [Incident Title]
## Basic Information
| Field | Content |
|------|------|
| Incident time | 2026-07-10 14:30 ~ 15:15 (45 minutes) |
| Severity | SEV1 |
| Impact scope | Payment service unavailable, ~12% of users affected |
| Incident owner | Zhang San (On-Call Engineer) |
| Review date | 2026-07-12 |
| Status | Finalized |
## Incident Summary
One sentence: When, which service, what went wrong, how many users affected, how long it lasted.
## Impact Assessment
- **User impact**: ~12% of payment requests failed, estimated transaction revenue impact of ¥XXK
- **Business impact**: Payment service SLI dropped from 99.97% to 99.82%, July SLO budget consumed 35%
- **Data impact**: No data loss/inconsistency
## Timeline
| Time | Event | Owner |
|------|------|--------|
| 14:30 | Alert triggered: Payment service error rate >5% | Automated alert |
| 14:32 | On-call engineer responded, began investigation | Zhang San |
| 14:35 | Confirmed as database connection pool exhaustion | Zhang San |
| 14:40 | Attempted connection pool restart, no recovery | Zhang San |
| 14:45 | Escalated to DBA team, found primary DB connections at limit | Zhang San → Li Si |
| 14:52 | Identified anomalous SQL from reporting service | Li Si |
| 14:58 | Rate-limited reporting service, connections dropped | Li Si |
| 15:05 | Payment service recovered | Zhang San |
| 15:15 | Confirmed full recovery, closed incident | Zhang San |
## Root Cause Analysis
### Direct Cause
The payment service's database connection pool was exhausted by anomalous SQL from the reporting service, preventing payment requests from obtaining database connections.
### 5 Whys Analysis
(Expand the 5 Whys analysis chain here)
### Root Cause
The reporting service and payment service share a database, and the reporting service lacks query timeout and concurrency control.
## What Went Well
- Alert triggered within 2 minutes, timely response
- DBA team identified the problem within 3 minutes of escalation
- Rate limiting took effect quickly, avoiding longer impact
## What Didn't Go Well
- Reporting service shares database with payment service (architecture flaw)
- Reporting service has no query timeout limit (code defect)
- Alert only showed error rate, didn't correlate with database connections (monitoring gap)
- Initial investigation didn't check change records, wasting 5 minutes (process gap)
## Action Items
| # | Action Item | Type | Owner | Due Date | Priority |
|---|--------|------|--------|---------|--------|
| 1 | Isolate reporting service database from payment service | Architecture | Wang Wu | 2026-08-10 | P0 |
| 2 | Add query timeout (30s) and concurrency limit to reporting service | Code | Zhao Liu | 2026-07-20 | P0 |
| 3 | Add database connection count as correlated alert metric | Monitoring | Zhang San | 2026-07-17 | P1 |
| 4 | Add "check change records" step to incident Runbook | Process | Zhang San | 2026-07-17 | P2 |
## Lessons Learned
1. Shared databases are a reliability risk — core services should have independent database instances
2. All queries should have timeout limits — database query timeouts are a basic defense measure
3. Alerts should have correlated context — single-dimension alerts make rapid diagnosis difficult
4. Investigations should start from "recent changes" — 90% of incidents are related to changes
Template Design Principles
- “What went well” before “what didn’t go well”: Balance the perspective, prevent the review from becoming a trial
- Action items must be trackable: Every item has an owner, due date, and priority
- Timeline is factual record, not analysis: Only record “what happened,” don’t speculate here
- Lessons should be generalizable: Not “watch out for this SQL next time,” but “all queries need timeout limits”
6. Action Item Tracking Mechanism
Writing the Postmortem is just the beginning — action item implementation is where the real value lies. Many teams hold many reviews but the same incidents keep recurring — the root cause is that action items aren’t tracked and closed.
Action Item Categories
| Type | Description | Example |
|---|---|---|
| Immediate fix | Temporary fix executed right after incident recovery | Rate-limit the reporting service |
| Root cause elimination | Systemic improvement that eliminates the root cause | Database isolation |
| Defense hardening | Add defense layers to reduce similar incident impact | Query timeout, connection pool alerts |
| Process improvement | Optimize workflows and standards | Add configuration checks to change review |
| Knowledge consolidation | Update Runbooks, training materials | Update database incident troubleshooting Runbook |
Tracking Process
Review meeting → Enter action items into tracking system → Regular review (weekly/biweekly)
→ Due date acceptance → Close/extend
Key design principles for action item tracking:
- Enter into ticketing system: Action items can’t just live in documents — they must be entered into Jira/ticketing systems and incorporated into normal iterations
- Regular review: SRE team reviews all open action items weekly/biweekly, tracks progress
- Acceptance criteria: Every action item must have clear acceptance criteria — what does “done” mean?
- Overdue handling: Overdue action items need escalation, explaining why and resetting due dates
- Trend tracking: Track action item completion rate and average closure cycle as SRE team metrics
Action Item Tracking Dashboard
# Action item status statistics example
postmortem_action_items:
total: 47
completed: 32 # 68% completion rate
in_progress: 10
overdue: 5 # 5 overdue
by_priority:
P0: { total: 8, completed: 8, overdue: 0 } # P0 must be 100% on time
P1: { total: 20, completed: 16, overdue: 2 }
P2: { total: 19, completed: 8, overdue: 3 }
avg_close_time_days: 18 # Average closure cycle 18 days
target_close_time_days: 30
Preventing “Zombie” Action Items
The biggest risk in action item tracking is “zombie items” — items that sit open indefinitely but no one pushes forward. Counter-strategies:
- P0 action items must be completed within 30 days, otherwise the SRE lead must explain why
- Action items open for more than 90 days are auto-escalated to tech lead review
- Quarterly action item completion rate tracking — teams below 70% need a root cause analysis (a Postmortem on the action item management process itself)
7. Organizing the Review Meeting
Participants
| Role | Count | Responsibility |
|---|---|---|
| Facilitator | 1 | Guide the process, control pace, ensure blameless principles |
| Incident Commander (IC) | 1 | Provide the full picture of the event, decision rationale |
| On-Call Engineer | 1-2 | Provide investigation process details |
| Related service owners | As needed | Provide technical context |
| Note taker | 1 | Record discussion points in real time |
| Management representative | Optional | Listen but don’t lead; provide resource support |
Recommended participant count: 5-8 people. Too many reduces discussion efficiency; too few may miss critical perspectives.
Meeting Process
1. Facilitator reads the blameless principle (2 min)
→ Set the tone: this is about learning, not blame
2. Incident Commander summarizes the event (5-10 min)
→ Timeline review, ensure everyone understands the full picture
3. Section-by-section timeline discussion (15-20 min)
→ Ask "why" at each key time point
→ Record all "went well" and "didn't go well"
4. Root cause analysis discussion (15-20 min)
→ Use 5 Whys or fishbone diagram to derive root cause
→ Confirm consensus on root cause
5. Action item discussion (15-20 min)
→ Brainstorm improvement measures
→ Assign owners and due dates on the spot
6. Summary (5 min)
→ Facilitator reviews root cause and action items
→ Confirm note taker finalizes within 48 hours
The Facilitator’s Core Responsibilities
Review meeting quality largely depends on the facilitator. A good facilitator needs to:
- Guard the blameless principle: When blame-oriented comments appear, immediately redirect to systems and processes
- Control the pace: Avoid going too deep on one detail; record for “offline discussion” when needed
- Ensure root cause depth: If discussion stays at the surface, ask “why does this become a problem”
- Focus on action item quality: Action items should be specific, actionable, and owned — “improve training” is not a good action item
- Manage emotions: Incident participants may feel frustrated; the facilitator needs to create a safe, constructive atmosphere
8. Postmortem Knowledge Management
Archiving and Searchability
Postmortem documents lose value over time — if they’re not retrieved and reused, writing them is like throwing them into a paper archive.
Archiving best practices:
postmortem/
├── 2026/
│ ├── 01/
│ │ ├── 2026-01-15-payment-db-connection-exhausted.md
│ │ └── 2026-01-22-cache-cluster-failover.md
│ ├── 02/
│ │ └── 2026-02-05-cdn-config-error.md
│ └── 07/
│ └── 2026-07-10-report-sql-overflow.md
├── templates/
│ └── postmortem-template.md
└── index.md # Index file, categorized by service/root cause
Index file example:
# Postmortem Index
## By Service
### Payment Service
- [2026-01-15 Database Connection Pool Exhaustion](2026/01/2026-01-15-payment-db-connection-exhausted.md)
- [2026-07-10 Reporting SQL Caused Connection Exhaustion](2026/07/2026-07-10-report-sql-overflow.md)
### Cache Cluster
- [2026-01-22 Primary-Replica Failover Failure](2026/01/2026-01-22-cache-cluster-failover.md)
## By Root Cause
### Database-Related Issues
- Connection pool exhaustion × 2
- Primary-replica failover failure × 1
### Configuration Change Issues
- CDN configuration error × 1
Periodic Review
Beyond individual incident reviews, periodic aggregate analysis is recommended:
- Quarterly review: Count incident numbers, root cause distribution, action item completion rate for the quarter
- Root cause trend analysis: Is a certain root cause decreasing? Are new high-frequency root causes emerging?
- Action item ROI assessment: Have completed action items effectively reduced similar incidents?
# 2026 Q2 Postmortem Aggregate Analysis
## Overview
- Total incidents: 23 (SEV1: 3, SEV2: 8, SEV3: 12)
- Postmortems completed: 11/11 (100% coverage for SEV1+SEV2)
- Action item completion rate: 72% (target 80%)
## Root Cause Distribution
| Root Cause Category | Count | Trend |
|---------|------|------|
| Configuration changes | 7 | ↑ |
| Insufficient capacity | 4 | → |
| Dependency failures | 3 | ↓ |
| Code defects | 3 | → |
| Network issues | 2 | ↓ |
## Key Findings
- "Configuration changes" rose for two consecutive quarters; configuration change governance needs strengthening
- Last quarter's "connection pool alerting" action item was effective; database incidents down 50%
9. Organizational Culture Barriers and Breakthroughs
Common Cultural Barriers
When implementing Postmortem culture, you will almost certainly encounter the following resistance:
| Barrier | Manifestation | Root Cause |
|---|---|---|
| Blame culture | Reviews become trials, participants are defensive | Management habitually uses blame instead of improvement |
| Formalism | Postmortems become going through the motions, document quality is low | Failure to recognize the true value of reviews |
| Action items not implemented | Written and archived, no one tracks execution | Lack of tracking mechanism and accountability |
| Selective reviews | Only small incidents reviewed, major ones skipped due to “political sensitivity” | Lack of institutional safeguards and transparency |
| Recurring incidents | Same type of incident keeps happening | Action items not implemented or root cause analysis not deep enough |
| Low engagement | Non-on-call staff don’t care about reviews | Knowledge not shared, review outcomes not disseminated |
Breakthrough Strategies
1. Start from Management
Blameless culture can’t be driven only bottom-up by the SRE team. Management’s attitude determines the safety of reviews:
- When management attends review meetings, they listen only, without judging
- Review action items require management to provide resource support (headcount, budget)
- Management OKRs/KPIs should include action item completion rate and recurring incident rate
2. Let Data Speak
Using quantitative data to prove the value of Postmortems is more effective than verbal persuasion:
Before reviews (6 months): Average SEV1+SEV2 incidents per month: 4.2, MTTR 45 min
After reviews (6 months): Average SEV1+SEV2 incidents per month: 2.1, MTTR 28 min
→ Similar incidents down 50%, MTTR reduced 38%
3. Establish Institutional Safeguards for “Blameless”
- Clear rule: Postmortem documents are not used as performance evaluation inputs
- Anonymous option: For sensitive incidents, allow anonymous submission of review information
- Public archiving: Postmortem documents are visible internally across the company, encouraging cross-team learning
- Reward candor: Recognize individuals who proactively expose problems and propose systemic improvements
4. Lower the Participation Barrier
- Provide standard templates to lower the writing barrier
- Keep review meetings to 60-90 minutes, no marathon discussions
- Have new hires attend as observers, building mentorship
- Hold periodic “Postmortem share sessions” with representative cases for cross-team sharing
5. Integrate Reviews into Daily Workflow
Incident recovery → Auto-create Postmortem ticket → Set draft deadline
→ Auto-extract timeline from alerting system
→ Auto-link related change records
→ Auto-notify relevant teams when review is complete
Make reviews an organic part of the incident response process, not an extra burden.
10. Automated Postmortem Toolchain
As system scale grows, purely manual Postmortem writing becomes increasingly difficult. Here are some automation directions:
Automated Timeline Generation
# Auto-extract incident timeline from alerting system
def generate_timeline(alert_ids, start_time, end_time):
timeline = []
for alert_id in alert_ids:
alerts = query_alertmanager(alert_id, start_time, end_time)
for alert in alerts:
timeline.append({
"time": alert["starts_at"],
"event": alert["annotations"]["summary"],
"severity": alert["labels"]["severity"]
})
# Correlate change records
changes = query_changes(start_time, end_time)
for change in changes:
timeline.append({
"time": change["timestamp"],
"event": f"Change: {change['description']}",
"severity": "INFO"
})
return sorted(timeline, key=lambda x: x["time"])
Automated Root Cause Recommendations
Based on historical Postmortem root cause classification, match current incidents by similarity and recommend likely root cause directions:
# Root cause recommendation rules example
recommendations:
- pattern:
symptoms: ["database connection timeout", "connection count alert"]
services: ["payment-service"]
likely_causes:
- "Insufficient connection pool configuration"
- "Slow queries exhausting connections"
- "Connection leak"
related_postmortems:
- "2026-01-15-payment-db-connection-exhausted.md"
- "2026-07-10-report-sql-overflow.md"
Automated Action Item Tracking
# Action item overdue check
def check_overdue_action_items():
items = query_action_items(status="open")
for item in items:
if item["due_date"] < datetime.now():
# Overdue notification
notify(item["owner"], f"Action item overdue: {item['title']}")
# Escalate to manager
if item["days_overdue"] > 14:
notify(item["manager"], f"Action item overdue >14 days: {item['title']}")
Summary
The core of Postmortem culture can be summarized in three points:
- Blameless doesn’t mean no accountability — it shifts accountability from individuals to systems. Only by understanding why the system allowed an error to occur can you fundamentally prevent incidents.
- Root cause analysis must go deep, action items must be concrete. 5 Whys is not going through the motions; action items can’t be empty platitudes like “improve training.”
- The value of a review lies in closing the loop. Writing without tracking is the same as not writing; tracking without acceptance is the same as not doing.
A healthy Postmortem culture has the following indicators:
- Team members proactively initiate reviews after incidents, rather than doing so only when asked
- Review documents are frequently retrieved and referenced, becoming important learning material for new hires
- The recurrence rate of similar incidents continues to decline
- Action item completion rate is stable above 80%
- The team has a sense of safety and trust around reviews, with no information hiding
Remember the Google SRE saying: “Be ruthlessly hard on problems, but gentle with people.” This is not a slogan — it’s the engineering rationality of Postmortem culture. Because only when people feel safe will they expose the system’s true weaknesses.
References & Acknowledgments
This article referenced the following materials during writing. We thank the original authors for their contributions:
- Google SRE Book - Postmortem Culture — Google SRE Team, referenced for Google SRE Book - Postmortem Culture
- Google SRE Workbook - Postmortems — Google SRE Team, referenced for Google SRE Workbook - Postmortems