Incident Management Practice
An Incident is defined as any event that is a deviation from normal that causes disruption to the agreed service for an IT service, or causes a reduction in the quality of agreed service for an IT service, or could lead to a disruption or a reduction in quality of agreed service for an IT service (this includes monitoring activities that provide early detection of possible Incidents).
The primary goal and objective of Incident Management is to restore normal service operation as quickly as possible in order to minimize the adverse impact on business operations. This ensures that the best possible levels of service quality and availability are maintained.
RACI Matrix
A RACI Matrix, also known as Responsibility Assignment Matrix (RAM), clarifies to all involved with a practice which activities each person, group, or team is expected to fulfill. It is also helpful in clarifying the staffing model necessary for operation and improvement.
The RACI model specifies that only one role is accountable for an activity, although several people may be responsible, consulted, and informed for parts of the activity.
The RACI model stands for 4 main practice activity roles as follows:
| RACI | Description | 
|---|---|
| A = Accountable | The single owner who is accountable for the final outcome of the activity. | 
| R = Responsible | The executor(s) of the activity step. | 
| C = Consulted | The expert(s) providing information for the activity step. | 
| I = Informed | The stakeholder(s) who must be notified of the activity step. | 
RACI Matrix for Incident Management Practice
Practice Roles Described
A Practice Role is defined as a set of responsibilities, activities and authorities granted to a person or team. One person or team may have multiple roles, and may have different roles and responsibilities at different times due to involvement with separate practices one after the other.
| Role | Description | 
| Incident Owner | The Incident Owner is responsible for ensuring that all activities defined within the practice are undertaken and that the practice achieves its goals and objectives. | 
| Incident Manager | The Incident Manager is responsible for practice design and for the day to day management of the practice. The manager has authority to manage Incidents effectively through First, Second, Third Level Support. | 
| Customer | The Customer is the business – a person or department – who is paying for an IT Service to be available for use by their End Users. This role is responsible to report all Service Level complaints and complements to the Customer Relationship Manager role of Service Level Management. | 
| End User | The End User is the person using an IT resource. This role is responsible to report all Incidents and make all IT requests and contacts through the Service Desk. | 
| IT Staff | Any IT staff from the IT Organization. This role is responsible for the IT infrastructure and the delivery of IT Services, and will report all Incidents or possible Incidents through the Service Desk. | 
| Service Desk Manager | The Service Desk Manager is responsible for the day to day management of the Service Desk function and assisting with all management escalated issues. | 
| Service Desk Analyst | The Service Desk Analyst is responsible for the day to day communication with all End Users and to facilitate the resolution and fulfillment of Incidents and Requests. The Service Desk Analyst and the Service Desk function form Level 1 Support. | 
| Incident Analyst | The Incident Analyst is responsible for implementing and executing the Incident practice as defined by the Incident Owner/Manager, and to be a point of contact for escalated issues, questions, or concerns. | 
| Support Level 2/3 | Level 2 Support is responsible to handle Incidents that Level 1 Support could not resolve. These group(s) will have general technical support skills, but with greater skill level than Level 1 Support. These groups are separated from “End User first point of contact” responsibility and typically have longer timescales to perform incident diagnosis and resolution tasks. Level 3 Support is responsible to handle Incidents that require specialized and in-depth technical skills. Escalation to these groups may be direct from Level 1 Support or from Level 2 Support based on the Priority and Complexity of the issue. | 
| Incident Management Team | The Incident Management Team is a group of individuals brought together to manage hierarchically escalated Incidents. This team includes the Service Desk function, the IT organization, and Third-Party companies. | 
| Major Incident Team | The Major Incident Team is a group of individuals brought together to manage a Major Incident. This team includes the Service Desk function, the IT organization, and Third-Party companies. | 
| Service Desk | The Service Desk organization and functional role. | 
| Incident Management | The Incident Management practice role. | 
| Request Fulfilment | The Request Fulfilment practice role. | 
| Problem Management | The Problem Management practice role. | 
| Change Management | The Change Management practice role. | 
| Service Level Management | The Service Level Management practice role. | 
Incident Management Practice RACI Chart Example
Practice Steps Described
1.0 Incident Identification
- Objective: To be available for all End Users of IT Services (and IT Staff) to report an Incident or to initiate a Request.
- Policy: The Service Desk acts as a Single Point of Contact (SPOC) for all End Users of IT services and IT staff and is available as per agreement.
- Input(s): A phone call, email, or any other form of communication to the Service Desk related to an Incident or Request.
- Output(s): Contact and communication with the Service Desk.
- Status: None
- Description: The End User can be anyone in the organization who requests Incident resolution or Request fulfillment services from the IT organization. Or, the End User can be anyone in the organization who detects and reports an Incident (typically IT Staff). - (A,I) The Service Desk function is Accountable to have analysts available for contact to be Informed of an Incident or Request.
- (R,I) The Service Desk Analyst is Informed and Responsible for notification of Incidents and Requests.
- (R) All End Users are Responsible to follow the contact details and procedures outlined in the Service Catalog for all requests for IT Incident or Request services.
- (R) It is the Responsibility of all End Users, Customers, IT Staff, and IT Management to report all Incidents to the Service Desk, including those IT staff responses to events that resolve an Incident before End Users are aware (such Incidents are reported for documentation purposes only).
 
2.0 Incident Logging
- Objective: To document all relevant details from the End User and IT staff regarding the Incident or the Request, as structured by the Service Desk Record.
- Policy: All contacts with the Service Desk are recorded related to an Incident or Request.
- Input(s): Details gathered from the End User and IT staff is structured by mandatory fields on the Service Desk Record.
- Output(s): A detailed record in the Service Management System (SMS) tool, of Incident or Request type.
- Status: Open
- Description: - (A,R) The Service Desk analyst accepting contact from the End User / IT staff is Accountable and Responsible for creating a Record and logging all relevant information. The Service Desk analyst is also Responsible for the following: - Determine if the End User / IT staff is referring to an existing open Record, a Primary Major Incident Record, or is reporting a new Incident or Request.
- Update existing Records with all contacts made by the End User / IT staff. Additional information provided (if relevant) will be assessed for changes to existing Category, Priority, and/or required Escalation.
- Map all Incidents and Requests to the affected IT Service(s) identified from the Service Catalog.
- In the event a NEW serious degradation of service is detected, Inform the Service Desk Manager immediately and continue Categorizing and Prioritizing the Record.
 
- (I) The Service Desk Manager is informed immediately when a NEW serious degradation of service is detected.
- (C,I) The End User / IT staff is Consulted for a detailed description of the hardware and/or software involved, and to provide a brief history of known events leading up to the Incident. - The Service Desk Analyst will inform the End User / IT staff of next steps to be taken.
 
 
- (A,R) The Service Desk analyst accepting contact from the End User / IT staff is Accountable and Responsible for creating a Record and logging all relevant information. The Service Desk analyst is also Responsible for the following: 
3.0 Incident Categorization
- Objective: To categorize every new Service Desk Record for assignment, diagnosis, and reporting purposes.
- Policy: The Service Desk will categorize the Record using the Categorization Model.
- Input(s): Open Incident Record
- Output(s): Categorized Incident Record
- Status: Open
- Description: All Open Records are first classified as either Incident or Request types. All Records are further categorized using the Categorization Model, and all Records are matched to the Services affected as outlined in the Service Catalog. - (A,R) The Service Desk analyst will be Accountable and Responsible for classifying and categorizing all Records.
- (C) The Service Desk Manager will be Consulted if there are questions or uncertainty as to the Classification or Categorization of Records.
- (I) The Service Desk Analyst will inform the End User / IT staff of next steps to be taken.
 
4.0 Service Request?
- Objective: To determine if the Record should be handled as a Request or an Incident.
- Policy: The Service Desk will categorize all Record as either Incident or Request.
- Input(s): Open Incident Record
- Output(s): Categorized and Classified Incident or Request Record
- Status: Open, Incident or Request type Record
- Description: If the End User / IT staff description of the situation matches the definition of an Incident, then the Record shall be classified as an Incident and handled through the Incident practice. All Records NOT classified as Incident shall be classified as a Request and handled through the Request Fulfillment practice. - (A,R) The Service Desk analyst will be Accountable for classifying all Records as Incident type or Request type, and Responsible for updating the Record appropriately and handling the Record with the appropriate next steps. - (I) Issues classified as Service Request are handled though the Request Fulfillment.
- Issues classified as Incident continue to be handled within this Incident Management Practice.
 
- (C) The Service Desk Manager will be Consulted if there are questions or uncertainty as to Classifying an issue as an Incident or Request.
- (I) The Service Desk analyst will inform the End User / IT staff of next steps to be taken as an Incident or a Request
 
- (A,R) The Service Desk analyst will be Accountable for classifying all Records as Incident type or Request type, and Responsible for updating the Record appropriately and handling the Record with the appropriate next steps. 
5.0 Incident Prioritization
- Objective: To set an appropriate Priority for scheduling and handling the Incident.
- Policy: The Service Desk will prioritize the Record based on matching to the Prioritization Model.
- Input(s): Open, Categorized Incident Record
- Output(s): Open, Categorized and Prioritized Incident Record
- Status: Open, Incident Record
- Description: - (A,R) The Service Desk Analyst will be Accountable and Responsible for prioritizing all Records.
- (C,I) The Service Desk Manager will be Consulted if there are questions or uncertainty as to the Priority of Records, and will be Informed immediately of all Incident Records prioritized as “Priority 1” and “Priority 2”.
- (C) The Incident Analyst role will be Consulted where there is uncertainty of Priority at the Service Desk.
- (C,I) The End User / IT staff is Consulted for the Impact and Urgency of the Incident, will be Informed of next steps to be taken.
 
6.0 Major Incident?
- Objective: To identify Major Incidents and manage them appropriately.
- Policy: The Service Desk will treat all Incidents prioritized as “Priority 1” and “Priority 2” as a Major Incident.
- Input(s): Open, Categorized and Prioritized Incident Record
- Output(s): Open, Categorized and Prioritized Incident Record
- Status: Open, Incident Record or Open Major Incident Record
- Description: All Major Incidents will be escalated to the Service Desk management level and handled with the utmost urgency. - (A,R,C,I) The Incident Manager role will be Informed, Accountable, Responsible and Consulted when a Major Incident is detected.
- (R,I) The Service Desk Analyst will be Responsible for hierarchically escalating all Major Incidents immediately to the Service Desk Manager, and will be Informed of the next steps to be taken.
- (R,C,I) The Service Desk Manager is Responsible, Consulted and Informed of all Major Incidents detected, and to confirm the decision to raise a Major Incident and contact the Incident Manager.
- (I) Incidents prioritized as Major Incidents trigger and are handled though the Major Incident Procedure.
- (I) The End User / IT staff is Informed of the next steps to be taken.
 
7.0 Initial Diagnosis
- Objective: To resolve and recover as many Incidents as possible at the Service Desk.
- Policy: The Service Desk (Level 1 support) is responsible to ensure Service Level Agreement (SLA) targets are met while attempting to achieve First Contact Resolution (FCR) within timelines stipulated in the relevant Operational Level Agreement (OLA).
- Input(s): Open, Categorized and Prioritized Incident Record
- Output(s): Level 1 diagnosed Incident Record
- Status: Assigned, Diagnosed
- Description: Initial diagnosis will be carried out using all tools, skills, and techniques made available from the Service Desk. This may include matching to similar Incident Records, matching to Known Errors and Work-Arounds, use of knowledge bases and Frequently Asked Questions (FAQ) documents. - (A,R) The Service Desk Analyst will be Accountable and Responsible for performing initial diagnosis of all Incident Records with an aim of achieving First Contact Resolution (FCR).
- (C,I) The End User / IT staff will be Consulted and Informed by the Service Desk analyst as needed and of next steps to be taken.
 
8.0 Functional Escalation?
- Objective: To escalate unresolved Incidents to the appropriate Level 2/3 role that may include a Third-Party related contacts.
- Policy: All Incidents that can not be resolved at the Service Desk are escalated to the appropriate Level 2/3 role or Third-Party related contact as indicated by the SLA and supporting OLAs/UCs.
- Input(s): Level 1 diagnosed Incident Record
- Output(s): Level 1 assigned Incident Record
- Level 2/3 assigned Incident Record
- Status: Assigned
- Description: When Incidents can NOT be resolved at the Service Desk support level, the Incident is escalated to the appropriate Level 2 or Level 3 support role(s) according to the SLA and supporting OLAs/UCs. - (A,R) The Service Desk Analyst will be Accountable and Responsible to functionally escalate the Incident to the appropriate Level 2 or Level 3 support role(s) when the Service Desk Analyst has not been able to achieve First Contact Resolution of the issue within timelines as specified in the SLA and supporting OLA/UC.
- (C,I) All Support Level 2 or Level 3 role(s) related to the Incident will be Informed of the need for functional escalation and Consulted for status details related to resolving the Incident.
- (C) The Incident Analyst role will be Consulted when there is uncertainty around functionally escalating an Incident.
- (I) The End User / IT staff will be kept informed of all status changes to the reported Incident Record.
 
9.0 Functional Escalation (Level 2/3)
- Objective: To resolve all Incidents that can Not be resolved at the Service Desk level.
- Policy: All Incidents functionally escalated by the Service Desk will be resolved by the appropriate Level 2/3 role or Third-Party related contact as indicated by the SLA and supporting OLA/UC.
- Input(s): Level 1 diagnosed Incident Record
- Output(s): Level 2/3 accepted Incident Record
- Status: Assigned, Accepted
- Description: - (A,I) The Service Desk Analyst will be Accountable for ensuring that the Incident continues to be worked on and is resolved within the specified timelines of the SLA. - The Service Desk will also be Informed with all new information from the End User / IT staff.
 
- (R,C,I) All Support Level 2/3 support role(s) will be Responsible for accepting escalated Incident assignments, shall be Consulted for status updates, and will be Informed with all new information related to the Incident.
- (C) The Incident Analyst role will be Consulted when there is uncertainty around functional escalations to Third-Party organizations.
- (R,I) All End User / IT staff will be Responsible to contact the Service Desk and report all new symptoms and information related to the Incident, and will be Informed of all significant status changes and progress.
 
- (A,I) The Service Desk Analyst will be Accountable for ensuring that the Incident continues to be worked on and is resolved within the specified timelines of the SLA. 
10.0 Hierarchical Escalation?
- Objective: To minimize Incident impact on the business where an Incident is NOT being resolved within appropriate time lines, or where an Incident has been identified with higher Impact than initially diagnosed and requiring management involvement.
- Policy: All Incidents that can not be resolved within appropriate Functional timescales, or Incidents that have been re-assessed with higher Impact and/or Urgency, are escalated to the appropriate Service Desk and/or Incident Management contact.
- Input(s): Level 1 assigned Incident Record or Level 2/3 assigned Incident Record
- Output(s): Management escalation and involvement
- Status: Assigned, Accepted
- Description: When Incidents can NOT be resolved within appropriate timescales as specified by the SLA and supporting OLA/UC, or where the Impact and/or Urgency has been reassessed at higher levels, the issue will be hierarchically escalated to management.
- Hierarchical escalation can happen as necessary at any activity step in the Incident Practice. - (A,R,I) The Service Desk Manager is Informed of hierarchically escalated Incidents and is Accountable and Responsible for triggering the Management Escalation Procedure.
- (R,I) The Service Desk Analyst is Responsible for detecting and/or being Informed of situations that need to be hierarchically and for informing the Service Desk Manager.
- (R,I) Support Level 2/3 role(s) are Responsible for reporting higher levels of Impact and/or Urgency that may be uncovered during support activities, and to report threats and/or failures to reach resolution deadlines. - Support Level 2/3 role(s) will be kept Informed of all management decisions and next steps.
 
- (I) Hierarchically escalated Incidents trigger and are handled though the Management Escalation Procedure.
 
11.0 Investigation and Diagnosis
- Objective: To determine the points of failure related to the Incident and to reassess the Impact and/or Urgency of the Incident in light of findings.
- Policy: The assigned Incident role shall make all effort to determine the point(s) of failure leading to the Incident and to determine the quickest resolutions in order to minimize impact on the business.
- Input(s): Initial Diagnosed Incident Record
- Output(s): Diagnosed Incident Record
- Status: Assigned, Diagnosed
- Description: The Investigation and Diagnosis activity can be undertaken by the Service Desk Analyst (as Support Level 1 and First Contact Resolution), or by the appropriate assigned Support Level 2 or Support Level 3 group. - (A,R,I) The Service Desk Analyst will be Accountable for ensuring that all Incidents within the Service Desk organization continue to be worked on and progressed. - In cases where there has been no Functional escalation, the Service Desk Analyst will be Responsible for investigating and determining all points of failure leading to the Incident and to determine the quickest resolutions, which may involve a temporary work-around.
- The Service Desk Analyst will be Informed of any relevant new or changed information to the Incident.
 
- (R,C,I) Support Level 2/3 roles will be Responsible for Incidents escalated to them. They are responsible for investigating and determining all points of failure leading to the Incident and to determine the quickest resolutions, which may involve a temporary work-around. - The Support Level 2/3 roles will be Consulted for information related to the Incident Record, and in turn will be Informed of any relevant new or changed information to the Incident.
 
- (R,I) All End User / IT staff will be Responsible to contact the Service Desk and report all new symptoms and information related to the Incident, and will be Informed of all significant status changes and progress.
 
- (A,R,I) The Service Desk Analyst will be Accountable for ensuring that all Incidents within the Service Desk organization continue to be worked on and progressed. 
12.0 Change Required?
- Objective: To manage and control all changes through formal Change Management.
- Policy: All changes to hardware and software will be carried out under the Change Management practice for all Normal and Emergency changes.
- Input(s): Investigated and Diagnosed Incident Record
- Output(s): RFC
- Status: Assigned, Pending Change
- Description: All resolutions to IT Hardware and Software that are NOT pre-authorized Standard Changes will be forwarded to the Change Management practice in a Request for Change (RFC) and be practied under Change Control. - (A,R,I) The Service Desk Analyst will be Informed of the need for IT Changes to be made and is Accountable for ensuring the Change Management practice is initiated for all Incidents whose resolution requires an IT Change. - Where Incident Records are assigned to the Service Desk Analyst, this role will be Responsible to complete and submit the RFC.
 
- (R) Where Incident Records are escalated to Support Level 2/3, this role(s) will be Responsible to inform the Service Desk Analyst of the need for an IT Change and will complete and submit the RFC.
- (I) The Service Desk Manager is Informed by the Service Desk Analyst of all changes to be made (for the purpose of spreading awareness through the Service Desk to detect incoming notifications of a potential worsening of the situation).
- (I) All End User / IT staff will be Informed of all significant status changes and progress.
 
- (A,R,I) The Service Desk Analyst will be Informed of the need for IT Changes to be made and is Accountable for ensuring the Change Management practice is initiated for all Incidents whose resolution requires an IT Change. 
13.0 Resolution and Recovery
- Objective: To determine the most likely to succeed resolution and to recover the points of failure related to the Incident.
- Policy: The assigned Incident role shall make all effort to determine the best course of action to recover the point(s) of failure leading to the Incident, including backout steps should the recovery fail or worsen the Incident.
- Input(s): Investigated and Diagnosed Incident Record
- Output(s): Recovered Incident
- Status: Assigned, Recovered
- Description: The Resolution and Recovery activity can be undertaken by the Service Desk Analyst (as Support Level 1 and First Contact Resolution), or by the appropriate assigned Support Level 2 or Support Level 3 group.
- When implementing resolution and recovery plans, backout steps should be determined wherever possible as a precaution to control escalating Incident Impact should the recovery fail or worsen the Incident. A recovery failure will be reversed wherever possible and will re-initiate Step 11 Investigation and Diagnosis. - (A,R,I) The Service Desk Analyst will be Accountable for ensuring that all Incidents are resolved and restored back to the End User / IT staff. - In cases where there has been no Functional escalation, the Service Desk Analyst will be Responsible for determining and implementing the most likely to succeed Incident resolution and recovery plan.
- The Service Desk Analyst will be Informed of any relevant new or changed information to the Incident.
 
- (R,C,I) Support Level 2/3 roles (Third-Parties) will be Responsible to determine and implement the most likely to succeed Incident resolution and recovery plan, and for informing the Service Desk Analyst of the results. - Other Support Level 2/3 roles will be Consulted for information related to the Incident Record
- The assigned Support Level 2/3 roles will be kept Informed of any relevant new or changed information to the Incident.
 
- (R,C,I) All End User / IT Staff will be Responsible to contact the Service Desk and report all new symptoms and information related to the Incident, and will be Consulted and Informed of all significant status changes and progress.
 
- (A,R,I) The Service Desk Analyst will be Accountable for ensuring that all Incidents are resolved and restored back to the End User / IT staff. 
14.0 Incident Closure
- Objective: To ensure that all Incident Records are confirmed successful by those who reported the Incident, to fully document all Incident Records, and to close all Incident Records.
- Policy: The Service Desk shall be accountable to close all Incident Records and to ensure that all steps have been followed.
- Input(s): Documentation from the Service Desk Analyst
- Documentation from Support Level 2/3
- Output(s): Fully Updated Incident Record
- Status: Closed
- Description: - (A,R,I) The Service Desk analyst will be Informed of all Incident resolution activities and their results. This role is Accountable and Responsible to: - Where the Service Desk Analyst has NOT functionally escalated the Incident, this role is Responsible for submitting full documentation of investigation, diagnosis, resolution and recovery steps taken.
- Collect and document all information for investigation, diagnosis, resolution and recovery steps taken. Attachment of submitted documentation is acceptable.
- Contact and confirm Incident resolution with all parties who reported the Incident.
- Close all open Incident Records after all activity is complete.
 
- (R,C,I) The Support Level 2/3 role is Responsible to inform the Service Desk of all Incident resolution activities and their results, and for submitting full documentation of investigation, diagnosis, resolution and recovery steps taken - This role is Consulted for information relating to Incident Closure and will be Informed of final Incident status and closure.
 
- (C,I) The End User / IT staff is available to be Consulted for information relating to Incident Closure and will be Informed of final Incident status and closure.
 
- (A,R,I) The Service Desk analyst will be Informed of all Incident resolution activities and their results. This role is Accountable and Responsible to: 
15.0 Ownership, Monitoring, Tracking, and Communication
- Objective: To ensure that there is a single source of information for all Incidents; that this information is of the highest quality and integrity; and that the Service Desk is the owner of all Incident Records that are NOT deemed Major Incidents.
- Policy: The Service Desk shall own all non-Major Incident Records from open to closed status, and acts as a Single Point of Communication (SPOC) to all End User / IT Staff, and to ensure that the Service Desk acts as a Single Point of Coordination (SPOC) to all IT escalations during the Incident practice.
- Input(s): Incident Records, Status Updates, Incident Documentation
- Output(s): Communication, Updated Incident Records
- Status: NA
- Description: - (A,R,C,I) The Service Desk will be Accountable, Responsible, Consulted, and Informed for: - Coordination and facilitation of non-Major Incidents.
- Creating, updating, and documenting all non-Major Incident Records
- Communication to End User / IT staff
- Providing operational reports
 
- (R,C,I) All Incident roles involved with an Incident or Request are Responsible to provide complete and accurate updates and information to the Service Desk, to be Consulted at any time for information, and to be Informed of all status updates and new information.
- (I) All Practices and the Service Desk function itself are Informed and provided with data and information to support operational reporting.
 
- (A,R,C,I) The Service Desk will be Accountable, Responsible, Consulted, and Informed for: 
Download the Incident Management Activity Design document template