Building a Blameless Post-Mortem Culture That Actually Works
Most engineering teams run post-mortems. Most post-mortems produce documents. Most documents produce action items. Most action items are never completed. The blameless post-mortem is a well-understood concept that is poorly practiced — not because of bad intentions, but because the process is usually designed to document what happened rather than to change how the team operates. This guide is about the latter.
The action item completion problem
Engineering teams complete an average of 34% of post-mortem action items within 90 days. Teams with a designated action item owner and a weekly check-in process complete 78%. The post-mortem itself is not where improvement happens — the follow-through is.
What "Blameless" Actually Means
Blameless does not mean consequence-free. It does not mean that engineers who make mistakes are protected from feedback. It means that the post-mortem process does not treat individual human error as the root cause — because human error is never the root cause. It is always a symptom of a system that allowed or created the conditions for that error.
The foundational insight, articulated by John Allspaw at Etsy in 2012 and validated by every serious reliability engineering organization since, is this: given the same information and the same context, almost any engineer would have made the same decision. The engineer who deployed the change that caused the incident was not reckless — they were operating in a system that made the risky action feel like the normal action.
Blameless post-mortems ask: what was the system that made the risky action feel normal? Changing that system prevents the next incident. Blaming the individual engineer does not.
Who Should Run the Post-Mortem
The facilitator should be someone not directly involved in the incident response. This is non-negotiable. The engineers who were paged at 2am and resolved the incident spent their cognitive energy on the incident itself — they are not well-positioned to simultaneously document it, facilitate a retrospective, and generate systemic improvements.
Good facilitator choices: the engineering manager (if they were not on the call), a senior engineer from an adjacent team, or a dedicated reliability engineer if your organization has one. The facilitator's job is to guide the timeline construction, ask "why" rather than "who," and prevent the conversation from collapsing into blame or from staying at the surface level.
The Timeline Construction Phase
The most important part of the post-mortem document is the timeline. Not the summary, not the action items — the timeline. A detailed, chronological account of what happened, what was known at each moment, and what decisions were made based on that knowledge.
The timeline should be constructed collaboratively, not written after the fact by one person. Tools like PagerDuty timeline, Slack channel history, and deployment logs are primary sources. The timeline should capture:
- When the deployment happened and what it contained (PR number, PR size, who merged)
- When the first anomaly appeared and in which signal (error rate spike, alert, user report)
- When the incident was declared and who was paged
- Each hypothesis the team investigated and why it was ruled in or out
- When the root cause was identified
- What the mitigation was and when it was applied
- When the system returned to normal
The 5 Whys Applied to Deployment Incidents
Once you have a timeline, the facilitated analysis phase uses 5 Whys to move from symptom to system cause. For deployment-related incidents, the 5 Whys has a predictable structure:
5 Whys Example
Why did the incident occur?
A database migration removed a column that a running service was still reading from, causing 500 errors for all authenticated requests.
Why was the column removed before the service was updated?
The migration and the service update were in separate PRs that were intended to be deployed in sequence, but the second PR was not merged before the migration ran.
Why were they deployed out of order?
There was no enforcement mechanism to sequence them. The dependency was communicated in a Slack message but not codified in the deployment process.
Why was there no mechanism to enforce deployment sequencing?
The team had no process for marking PRs as deployment-dependent on other PRs. The DDL migration PR was not flagged as high-risk in the review process.
Why was the DDL migration not flagged as high-risk?
The deployment risk review process did not include automated DDL detection. The reviewer manually inspected the migration but missed the breaking change because they were not familiar with the consuming service.
By the fifth "why," you are at the system level: the review process did not include DDL detection, and the reviewer lacked domain context. These are things you can change. "The engineer should have read the migration more carefully" is not something you can change at scale.
Generating Action Items That Actually Get Done
Post-mortem action items fail for three reasons: they are too vague to implement, they have no owner, or they have no deadline. The fix for each:
Too vague: "Improve our DDL review process" is not an action item. "Add automated DDL detection to the pre-merge risk check that flags migrations containing ALTER TABLE ... DROP COLUMN as high-risk" is an action item. Every action item should be specific enough that you could write a Jira ticket for it immediately.
No owner: Every action item gets one owner — not a team, not a list, one person. That person is responsible for completing it or escalating if they are blocked. If no one wants to own an action item, that is a signal it is not actually a priority.
No deadline: Action items without deadlines are postponed indefinitely. Set a default deadline of two sprints for high-priority items and one quarter for systemic improvements. Put action items in your project tracker as real tickets, not in a post-mortem document that no one revisits.
The Recurring Review: Closing the Loop
Add a standing 10-minute item to your weekly team sync: open post-mortem action items review. For each open item: is it still on track? Is the owner blocked? Has the deadline passed? This prevents the slow decay of action items from priority to afterthought.
Track action item completion rate as a team metric. If your team consistently completes less than 50% of post-mortem action items within the target deadline, the post-mortem process is producing theater rather than improvement. That is useful information — it means the team either does not believe the action items will prevent future incidents, or the items are too large to execute on within normal sprint capacity.
| Action Item Type | Target Timeline | Priority Signal |
|---|---|---|
| Immediate mitigation | Done during incident | P0 — already completed |
| Process change | Current sprint | P1 — blocks similar incident |
| Tooling improvement | Next 2 sprints | P2 — reduces risk |
| Architectural change | This quarter | P3 — systemic improvement |
| Monitoring / alerting | Next sprint | P2 — improves detection speed |
Sharing Post-Mortems Across the Organization
Post-mortems are organizational learning artifacts. Keeping them in a shared, searchable repository — not just Slack threads — allows engineers on other teams to learn from incidents that did not happen to them. Over time, a searchable post-mortem library creates institutional knowledge about failure patterns that would otherwise be lost when engineers leave.
Redact anything that could be used to identify specific engineers if your organization is still developing psychological safety. "An engineer unfamiliar with the database schema deployed a migration that dropped a column" is more useful than a named individual — the systemic lesson is the same, and the blameless framing is preserved.
Koalr links incidents to the deployments that caused them
Koalr automatically correlates production incidents with the deployments that preceded them, surfaces the PR risk score at the time of deployment, and tracks MTTR — giving your post-mortem team the data they need to build a complete timeline without manual log archaeology.
Connect incidents to deployments automatically
Koalr tracks incident attribution to deployments, surfaces risk signals from the PR that caused the incident, and measures MTTR trends over time — so your post-mortems start with data, not detective work. Connect GitHub and PagerDuty in 5 minutes.