🚨 Incident Command Language
5 exercise sets. Master the precise English vocabulary of incident command — roles, assumptions of authority, status updates, escalation, and resolution.
IC Roles & Responsibilities
Incident Commander, Operations Lead, Communications Lead, Scribe, Subject Matter Expert roles.
Assuming Command Language
"I'm assuming IC", command acknowledgment phrases, handoff language in incident response.
Incident Status Updates
Status update cadence, stakeholder update template, "we are actively investigating" vocabulary.
Escalation & Severity Language
Severity escalation, "declaring SEV-1", executive notification, paging the on-call escalation chain.
Incident Resolution Language
"Mitigated vs. resolved", "standing down", "monitoring for recurrence", post-mortem vocabulary.
Frequently Asked Questions
What does "assuming command" mean in incident response?
Assuming command is the formal verbal act by which an engineer takes over as Incident Commander. The standard phrase is "I'm assuming IC" followed by a brief situation summary. This explicit handoff language — borrowed from emergency management — ensures there is never ambiguity about who holds decision-making authority during an active incident.
What is the difference between "mitigated" and "resolved" in an incident?
"Mitigated" means the immediate customer impact has been stopped or reduced, but the root cause may still exist — for example, traffic has been rerouted away from a broken service. "Resolved" means the incident is fully closed: root cause addressed, systems restored to normal operation, and monitoring confirms stability. Using these terms precisely avoids premature closure and sets the correct expectation with stakeholders.
How do you declare a SEV-1 incident in English?
A typical declaration is: "I am declaring this a SEV-1. We have a complete outage affecting all users in the EU region. I'm paging the on-call escalation chain and opening an incident bridge now." The key elements are: the severity label, a one-sentence impact statement, and the immediate actions being taken. Clear, concise language is essential because the incident bridge may include engineers who are still waking up.
What is an incident bridge and what language is used on it?
An incident bridge is a live communication channel — typically a video call or phone conference — where the incident response team coordinates in real time. Standard bridge language includes structured check-ins ("Ops, what's your status?"), action assignments ("Can you own the rollback?"), and periodic stakeholder updates ("Status as of 14:32: we've identified the failing component and are executing a rollback. ETA to mitigation is 20 minutes.").
What role does the Communications Lead play and what language do they use?
The Communications Lead (Comms Lead) owns all external and stakeholder communication during an incident, freeing the Incident Commander to focus on technical resolution. They use templated status update language such as: "We are aware of an issue affecting [service]. Our team is actively investigating. Next update in 30 minutes." They also manage incident status pages and draft executive notifications.
What does "standing down" mean at the end of an incident?
"Standing down" is the formal declaration that the incident is resolved and the response team is no longer on active duty. The Incident Commander typically says: "We are standing down from SEV-1. Service has been restored and we are monitoring for recurrence. The post-mortem will be scheduled within 24 hours." This phrase signals responders that they can return to normal work.
What is a post-mortem and what vocabulary is used in the write-up?
A post-mortem (also called a blameless retrospective) is a structured analysis of an incident written after resolution. Key vocabulary includes: timeline, contributing factors, root cause, action items, detection gap, and mean time to detect (MTTD) / mean time to resolve (MTTR). The term "blameless" signals that the goal is systemic improvement, not individual fault-finding.
How do you communicate a severity escalation during an incident?
Escalation language is direct and structured: "I'm upgrading this incident from SEV-2 to SEV-1. Impact has expanded to the payments service and we now have complete transaction failure. I'm notifying executive stakeholders and paging the payments on-call." Always state the new severity, the reason for escalation, and the immediate actions triggered by the escalation.
What is unified command and when is it used in IT incidents?
Unified command is an Incident Command System (ICS) structure where multiple teams with authority over different parts of the incident share command jointly. In IT, it is used when an incident spans organisational boundaries — for example, a cloud provider outage affecting a client's platform may require unified command between the provider's SRE team and the client's operations team. Decisions require agreement from all command members.
What is the on-call escalation chain and how do you describe it in English?
The on-call escalation chain is the ordered sequence of people paged when an incident cannot be resolved at the current support tier. It typically follows this pattern: first the on-call engineer, then the on-call lead, then the engineering manager, then the VP of Engineering. You might say: "The primary on-call hasn't acknowledged in 5 minutes — I'm escalating to the secondary." Understanding this chain and its vocabulary is essential for effective incident communication.