This front-matter style approach allows teams to scan the critical path quickly. Each section answers a specific question: What does this problem look like? What should I do first? Who do I call? What if I make things worse?
## Building the Response Workflow
Every runbook should follow a clear sequence: Detect, Assess, Act, Escalate, Communicate. Let's break each step for distributed teams.
### Detection and Initial Assessment
When you're woken up at 3 AM, cognitive load is your enemy. Your runbook must minimize decision-making. Group symptoms into clear buckets with matching response paths:
IF error rate > 5% AND single service THEN follow: service-specific runbook ELSE IF error rate > 5% AND all services THEN follow: infrastructure runbook ELSE IF latency only THEN check: recent deploys correlation
This branching logic removes ambiguity. The responder reads the current state, matches it to a bucket, and follows the corresponding path.
### Immediate Actions
List commands with full context. Instead of "restart the service," write:
```bash
# From your local machine with VPN active
kubectl rollout restart deployment/api -n production
# Verify with:
kubectl rollout status deployment/api -n production --timeout=300s
Including the verification step matters. Distributed teams can’t easily confirm success by asking “does it look fixed?” in the next room. The runbook must include self-verifying steps.
Escalation Paths
Account for time zone gaps explicitly. Your escalation matrix should look like:
| Severity | Time (responder) | Primary | Secondary | Tertiary |
|---|---|---|---|---|
| SEV-1 | 22:00-06:00 UTC | On-call engineer (paged) | Engineering manager (paged) | CTO (paged) |
| SEV-1 | 06:00-22:00 UTC | On-call engineer (paged) | Team lead (notified) | Engineering manager |
| SEV-2 | Any | On-call engineer (paged) | Team lead (notified) | - |
This clarity prevents the “should I wake someone up?” paralysis that plagues distributed teams.
Handling Handoffs Between Time Zones
The trickiest part of distributed on-call is the transition period. When the San Francisco engineer hands off to the London engineer, critical context often gets lost. Build explicit handoff requirements:
- Handoff document: Before going off-call, document active issues in a shared location
- Active incident status: If an incident is open, the on-call engineer stays until the handoff is explicitly acknowledged
- Recent changes: List deploys, config changes, and any unusual traffic patterns from the last 24 hours
Here’s a simple handoff template:
## On-Call Handoff - [Date]
### Active Issues
- JIRA-1234: Memory leak in payment service, monitoring closely
- JIRA-5678: Known issue with search, working as expected
### Recent Changes
- Deployed auth service v2.3.1 at 14:00 UTC
- Config change: increased cache TTL to 1 hour
### Watch Items
- Payment success rate trending down slightly
- Database CPU at 75%, may need scaling discussion
### Handoff Acknowledged By: ___________
Testing Your Runbooks
A runbook that hasn’t been tested is just documentation. Build testing into your routine:
Tabletop exercises: Walk through a scenario without executing. Identify gaps in your runbooks where the written instructions don’t match reality.
Game days: Deliberately trigger non-production incidents and follow the runbook end-to-end. Time how long each step takes. If step 3 requires SSH access and you don’t have keys configured, you’ll discover this during a game day, not during a real incident.
Chaos engineering: If you use tools like Chaos Monkey or Gremlin, use the same runbooks you’d use in production. The real test is whether your documentation survives real conditions.
Automating Runbook Steps
Where possible, reduce manual steps to commands. If your runbook says “restart the service and check logs,” consider wrapping this into a script:
#!/bin/bash
# restart-and-verify.sh - Safe service restart with verification
SERVICE=$1
NAMESPACE=${2:-production}
echo "Restarting $SERVICE in $NAMESPACE..."
kubectl rollout restart deployment/$SERVICE -n $NAMESPACE
if kubectl rollout status deployment/$SERVICE -n $NAMESPACE --timeout=300s; then
echo "Deployment successful. Checking health..."
sleep 10
HEALTH=$(kubectl get pod -n $NAMESPACE -l app=$SERVICE -o jsonpath='{.items[0].status.phase}')
if [ "$HEALTH" == "Running" ]; then
echo "Service $SERVICE is healthy"
exit 0
fi
fi
echo "Verification failed - escalation may be needed"
exit 1
This script returns a clear exit code that your monitoring can interpret. The runbook becomes: “Run ./restart-and-verify.sh api production” instead of a multi-step manual process.
Maintaining Runbooks Over Time
Runbooks decay. Systems change, commands become outdated, and escalation contacts shift. Build review cadence into your workflow:
- Monthly: On-call engineers review runbooks they used during incidents
- Quarterly: Dedicated runbook audit across all SEV-1 covered systems
- Post-incident: Update runbooks as part of every post-mortem action items
Track changes with version control. When someone proposes a runbook update, the diff shows exactly what changed—this matters when you’re trusting this document during a stressful incident.
Common Pitfalls to Avoid
Several patterns reduce runbook effectiveness in distributed teams:
- Over-linking: If your runbook is “click here for the full guide” repeated five times, you’re creating navigation overhead. Include critical steps inline.
- Assumed context: Never assume the responder knows which dashboard, which repo, or which account. Every resource needs explicit identification.
- Single points of failure: If one person wrote all your runbooks and leaves, you have a knowledge gap. Distribute runbook ownership across the team.
- Perfectionism: A good runbook that exists beats a perfect runbook that doesn’t. Start with the basics and iterate.
Runbook Template and Examples
Here’s a complete runbook template optimized for distributed teams:
# [Service Name] Incident Runbook
## Quick Facts
- **Owner**: [Team name]
- **On-Call**: [Name] (until [timezone]/time)
- **Escalation**: [Manager name] if owner unreachable
- **Critical Links**:
- Logs: [Grafana/Datadog link]
- Metrics: [Link]
- Deployment history: [Link]
## Detection Symptoms
- Error rate above X% for more than 2 minutes
- P99 latency exceeds Yms consistently
- Specific error message pattern: [example]
## Immediate Actions (First 60 Seconds)
1. Acknowledge alert in PagerDuty
2. Check deployment status: `./scripts/check-deploy-status.sh`
3. Review last 10 commits: `git log --oneline -10`
4. Measure current error rate and latency
5. Decide: Is this a rollback situation?
## Decision Tree
IF error_rate > 10%: THEN follow: Quick Rollback procedure
ELSE IF error_rate 5-10% AND latency normal: THEN check: Dependency health (database, cache)
ELSE IF error_rate < 5%: THEN probably transient, monitor for 5 minutes
ELSE IF latency high BUT error_rate normal: THEN check: Resource utilization, recent deploys
## Rollback Procedure
```bash
# On-call engineer with deploy access runs:
# Verify current state
kubectl get deployment [service] -n production
# Check previous stable version
git log --oneline | head -5
# Trigger rollback
./deploy.sh --service=[service] --version=[previous-stable] --env=prod
# Wait for: "Deployment successful"
# Verify health
kubectl rollout status deployment/[service] -n production
curl https://api.example.com/health
Database Issues Procedure
- Check connection pool:
SELECT count(*) FROM pg_stat_activity; - Look for long-running queries:
SELECT query, duration FROM pg_stat_statements; - If queue building: Scale read replicas or restart pool
Cache Issues Procedure
- Redis: Check memory with
redis-cli INFO memory - Memcached: Review eviction rate and hit ratio
- If full: Flush non-critical cache or scale up
Escalation Checklist
Before escalating, complete:
- Deployed most recent stable version
- Checked dependency health (database, cache, external APIs)
- Monitored for 5+ minutes to confirm issue persists
- Checked for any recent configuration changes
- Notified customers in status page if applicable
If still unresolved after 15 minutes, escalate to: [Manager name] or [CTO name] based on severity and time of day
## Infrastructure Documentation System
Many teams fail to maintain runbooks because documentation feels like overhead. Instead, integrate runbooks into daily workflow:
Git-based runbook structure:
runbooks/ ├── services/ │ ├── api/ │ │ ├── incidents.md (this file) │ │ ├── troubleshooting.md │ │ └── metrics.md │ ├── database/ │ │ └── incidents.md │ └── cache/ │ └── incidents.md ├── infrastructure/ │ ├── networking.md │ ├── kubernetes.md │ └── scaling.md └── procedures/ ├── deployment.md ├── database-migration.md └── security-incident.md
Runbooks live in your code repo
Every engineer reviews them during code review
Runbooks are versioned and deployed with your application
This approach ensures runbooks stay current because they're treated like production code, not separate documentation.
## Tools That Support Runbook Integration
| Tool | Strength | Cost | Best For |
|------|----------|------|----------|
| GitHub Wiki | Version controlled, accessible | Free | Small teams, 5-20 engineers |
| Notion | Searchable, structured | $100-200/year | Teams wanting beautiful docs |
| Confluence | Integrated with Jira | $100-500/month | Organizations with multiple teams |
| GitBook | Published docs from Git | Free-100/mo | Public/internal runbook sites |
| Custom Wiki | Complete control | Dev time | Mature organizations with CI needs |
## Performance Metrics for Your Runbooks
After implementing runbooks, track these metrics monthly:
Mean Time To Recovery (MTTR):
- Before runbooks: [baseline]
- After month 1: [your metric]
- Target: 30% reduction in MTTR after 3 months
False Escalations:
- Track how many pages the on-call engineer escalates
- Target: <20% of incidents require manager involvement
Runbook Usage:
- Pull/view count per runbook
- Identify orphaned runbooks (zero views = outdated)
- Update or archive unused runbooks quarterly
False Alarm Rate:
- Percentage of alerts that aren’t real issues
- If >30%, refine your alert thresholds
- Runbooks should include false-alarm-specific steps ```
Example: Complete Service Runbook
# Payment Service Incident Runbook
## Overview
Processes customer transactions. Handles ~1000 requests/second peak.
Data loss is critical—always check database consistency before restart.
## Symptoms → Actions
1. "Payment declined" errors increasing
→ Check Stripe API status (external issue likely)
→ Check our service health dashboard
→ If our service: database or API timeout
2. Timeouts in payment processing
→ Check database connection pool (maxed = timeout)
→ Check Stripe API latency (external slowness)
→ Review recent deploys or config changes
3. Database replication lag > 5 seconds
→ Check network between primary and replica
→ Restart replica sync if lag doesn't clear
→ If persists, escalate to database team
## Critical Checks
Before ANY restart or config change, verify:
- [ ] No active transactions in database: `SELECT count(*) FROM transactions WHERE status = 'processing'`
- [ ] Recent backups present: `ls -la /backups/payment/`
- [ ] Slack notification posted to #payment-incidents
## Rollback Decision
Rollback if:
- Error rate jumped >50% after recent deploy
- Payment success rate dropped below 98%
- Database health degraded after migration
DO NOT rollback if:
- Issue exists before most recent deploy
- Issue is in external dependency (Stripe API)
- Database migrations are involved (rollback only on instruction)
## Escalation
After 10 minutes if unresolved:
- Notify [Team Lead] in Slack @mention
- After 15 minutes: Page [Manager]
- After 25 minutes: Page [CTO] if tier-1 revenue impact
Post-Incident Runbook Review Process
After every incident, improve your runbooks:
Post-Incident Review (40 minutes):
1. Incident owner (20 min): Timeline and root cause
2. On-call engineer (10 min): Was runbook helpful?
- What steps worked?
- What was missing?
- How could we improve?
3. Team lead (10 min): Long-term fixes needed?
Action items from review:
- If runbook was incomplete: Add missing steps
- If decision tree was wrong: Revise detection logic
- If escalation timing was off: Adjust thresholds
- If new tool revealed: Document and link in runbook
Update runbook same week while incident is fresh.
Related Articles
- Migration runbook example structure
- Scale Remote Team Incident Response From Startup to Mid-Size
- How to Scale Remote Team Incident Response Process From
- Remote Team Security Incident Response Plan Template for
- incident-response.sh - Simple incident escalation script
Built by theluckystrike — More at zovo.one ```