Incident Management Best Practices for Small Teams

Enterprise incident management literature assumes you have a dedicated SRE team, a 24/7 NOC, and an incident commander on standby. Most teams have 3-10 engineers who also build features, answer support tickets, and occasionally sleep. This guide is for those teams.

The Small Team Reality

When you are a team of 5, incident management looks different:

• Everyone wears multiple hats: The person debugging the database is also the person updating the status page
• There is no separate on-call team: Engineers rotate through on-call alongside their normal work
• Resources are limited: You cannot throw people at a problem
• Communication is simpler: You do not need formal incident commander roles for most issues
• Recovery matters more than process: Getting the service back up trumps following a 20-step protocol

The goal is not to replicate Google’s incident management process. The goal is to detect incidents fast, fix them fast, and learn from them.

Detection: The Foundation

The best incident management process is worthless if you do not know there is an incident. For small teams, automated monitoring is not a nice-to-have — it is essential because you cannot have someone watching dashboards 24/7.

Minimum Monitoring Setup

Every small team should have:

1. Website monitoring: Is your app accessible? (30-second checks)
2. API monitoring: Are critical endpoints responding correctly?
3. SSL monitoring: Are certificates valid?
4. Heartbeat monitoring: Are background jobs running?

With StatusApp, this costs $0-15/month and takes 10 minutes to set up.

Alert Routing

Keep it simple:

• Critical alerts (service down): SMS + Slack to on-call person
• Warning alerts (degraded performance): Slack channel
• Informational alerts (SSL expiring in 30 days): Email

Use a single #alerts Slack channel. Do not create separate channels for different services until your monitoring is complex enough to need it.

On-Call for Small Teams

Weekly Rotation

For a team of 4-5, a weekly rotation works well:

• Week 1: Alice (primary), Bob (backup)
• Week 2: Bob (primary), Charlie (backup)
• Week 3: Charlie (primary), Alice (backup)

The primary handles all alerts. The backup only gets paged if the primary does not acknowledge within 10 minutes.

Sustainable On-Call

On-call burnout kills small teams. Protect your people:

• Limit the blast radius: Only alert on things that truly need immediate attention
• Reduce false positives: Use confirmation checks (multiple failures from multiple locations before alerting)
• Provide comp time: If someone handles a 2 AM incident, let them start late the next day
• Maintain runbooks: Documented procedures reduce the stress of 3 AM debugging
• No heroics culture: If the on-call person is stuck, they should escalate, not suffer

When You Are Too Small for On-Call

If your team is 1-3 people, formal on-call rotation is impractical. Instead:

• Set up monitoring with SMS alerts to all team members
• Use aggressive auto-scaling and self-healing infrastructure
• Design for graceful degradation (can your app survive a database restart?)
• Accept that response time during off-hours will be longer
• Communicate this honestly to customers via your SLA

Incident Response Process

The 5-Minute Version

For most small-team incidents, this is the entire process:

1. Alert fires (0:00)
2. On-call acknowledges (0:00-0:05)
3. Assess severity: Is this customer-impacting? (0:05)
4. If customer-impacting: Update status page, post in Slack (0:05-0:10)
5. Investigate and fix (0:10-??)
6. Verify resolution (when fixed)
7. Update status page: Mark resolved
8. Write a brief post-mortem (within 24 hours)

That is it. No incident commander, no scribe, no communications lead. One or two people fixing the problem and keeping the status page updated.

When to Escalate

Scale your response based on severity:

Severity 1 (All hands): Complete service outage, data loss risk, security breach

• Wake up the entire team
• All other work stops
• Continuous status page updates

Severity 2 (On-call + 1): Major feature broken, significant degradation

• On-call person leads
• Pull in one specialist if needed
• Status page updated every 30 minutes

Severity 3 (On-call only): Minor issue, small number of users affected

• On-call person handles independently
• Status page updated if customer-facing
• Can wait until business hours if caught at night

Tools That Work for Small Teams

You do not need a $500/month incident management platform. Here is a practical stack:

Monitoring and Alerting

• StatusApp ($0-49/month): Uptime monitoring, alerts, status pages
• PagerDuty (free tier available): On-call scheduling and escalation
• Or simply: StatusApp alerts to Slack/SMS (no additional tool needed)

Communication

• Slack (or Discord): Real-time coordination during incidents
• StatusApp status page: External communication to users
• Email: Post-incident summaries to the team

Documentation

• Notion, Google Docs, or a Git repo: Runbooks and post-mortems
• Keep it simple — a shared document beats a sophisticated wiki that nobody updates

Runbooks

Runbooks are the highest-ROI investment in incident management. They turn a panicked 3 AM debugging session into a step-by-step procedure.

What to Document

For each common failure mode:

## Service: Web Application
### Symptom: 502 Bad Gateway
**Likely Causes:**
1. Application process crashed
2. Application server overloaded
3. Upstream dependency timeout

**Steps:**
1. Check application logs: `ssh app-server 'tail -100 /var/log/app/error.log'`
2. Check process status: `ssh app-server 'systemctl status app'`
3. If process is down, restart: `ssh app-server 'systemctl restart app'`
4. If process is up but unresponsive, check CPU/memory: `ssh app-server 'htop'`
5. If server is overloaded, check for traffic spike in monitoring dashboard
6. If dependency is down, check StatusApp for alerts on dependent services

**Escalation:** If not resolved in 15 minutes, wake up [CTO name]

Keep Runbooks Updated

After every incident, ask: “Would the runbook have helped? Does it need updating?” Update it immediately while the incident is fresh.

Post-Mortems That Actually Help

Post-mortems are how you prevent the same incident from happening again. For small teams, keep them lightweight:

Template (15 Minutes to Write)

# Incident: [Brief Description]
**Date:** YYYY-MM-DD
**Duration:** X hours Y minutes
**Severity:** 1/2/3
**Impact:** [Who was affected and how]

## Timeline
- HH:MM — Alert triggered
- HH:MM — On-call acknowledged
- HH:MM — Root cause identified
- HH:MM — Fix applied
- HH:MM — Verified resolved

## Root Cause
[2-3 sentences about what actually went wrong]

## What Went Well
- [Thing 1]
- [Thing 2]

## What Could Be Better
- [Thing 1]
- [Thing 2]

## Action Items
- [ ] [Specific action] — Owner: [Name] — Due: [Date]
- [ ] [Specific action] — Owner: [Name] — Due: [Date]

Rules for Post-Mortems

1. Blameless: Focus on systems and processes, not individuals
2. Action-oriented: Every post-mortem should produce at least one action item
3. Follow through: Actually complete the action items. A post-mortem without follow-through is just documentation theater
4. Time-boxed: 30 minutes to write, 30 minutes to discuss as a team

Building a Culture of Reliability

For small teams, culture matters more than process:

• Monitoring is everyone’s responsibility: Not just the DevOps person
• Alerts are never ignored: If an alert fires, someone responds
• No blame: People who break things also fix things. Punishment discourages honesty
• Automate recovery: If you have fixed the same issue three times, automate the fix
• Invest in reliability: Dedicate time to reducing incident frequency, not just improving response

The goal is not zero incidents — that is impossible. The goal is detecting incidents in seconds, resolving them in minutes, and preventing them from recurring.

---

Build your incident management foundation with reliable monitoring. Start with StatusApp free and detect issues before your users do.