Using the 5 Whys Technique for Major Incident Management

Major Incident Management is a critical process that requires swift resolution to restore normal service, minimize business impact, and prevent recurrence. One of the most effective root cause analysis techniques used in this context is the 5 Whys method. It’s simple, yet powerful in helping teams drill down to the root cause of an issue by repeatedly asking “Why?” until the fundamental issue is uncovered.

The 5 Whys technique is known well in the Problem Management space as a key technique but its simple and effective method is equally valuable for Major Incident Managers.

In this article, we'll explore how to apply the 5 Whys technique specifically for managing major incidents, and why it’s effective in identifying the cause and implementing a workaround or permanent fix.

What is the 5 Whys Technique?

The 5 Whys is a root cause analysis technique where you ask “Why?” five times, or as many times as needed, to identify the true root cause of a problem. It helps teams avoid settling for superficial fixes that treat symptoms rather than addressing the underlying issue.

For example, if a system outage occurred, rather than stopping at "The server crashed," the 5 Whys technique forces a deeper investigation into why the server crashed, leading to more durable, long-term solutions.

Why the 5 Whys is Effective in Major Incident Management

1. Simplicity: The technique is easy to understand and apply without requiring advanced tools. This makes it especially valuable during the urgency of a major incident.
2. Prevents Superficial Fixes: Often in IT, teams may resolve the immediate symptom (e.g., restarting a server), but fail to address the underlying issue (e.g., memory leak in the application). The 5 Whys forces a deeper dive.
3. Collaborative: The process encourages cross-team collaboration. For example, network, application, and infrastructure teams can contribute to uncovering answers to each "Why."
4. Structured Process: It provides a clear, structured method to guide discussions, ensuring the investigation doesn’t veer off course. This is critical in high-pressure environments where efficiency is key.
5. Documentation and Learning: The results of a 5 Whys analysis can be documented for post-incident reviews, creating a valuable knowledge base to prevent future incidents.

How to Apply the 5 Whys in Major Incident Management

Here’s a step-by-step approach to using the 5 Whys method during a major IT incident:

1. Identify the Problem Clearly

Start by stating the problem in a clear, concise way. For example, "The database server is down, causing outages across our e-commerce platform."

2. Ask the First "Why?"

Ask why the problem occurred. For example, "Why is the database server down?"

• Answer: "The server ran out of memory and crashed."

3. Continue Asking Why

Drill deeper by asking "Why?" again. Repeat this process up to five times (or more, if necessary), each time building on the previous answer.

Example:

• Why did the server run out of memory?
• "A memory leak in the application consumed all available memory."
• Why did the memory leak occur?
• "The application has a bug that wasn’t detected during testing."
• Why wasn’t the bug detected during testing?
• "The specific use case that triggered the bug wasn’t covered in our test cases."
• Why wasn’t this use case covered in testing?
• "The test scenarios were incomplete because of time constraints."

4. Find the Root Cause

By the fifth "Why," you've often reached the true root cause of the problem. In this case, the root cause might be insufficient testing procedures. This insight allows the team to go beyond fixing the immediate issue and focus on improving testing protocols to prevent future problems.

Major Incidents require service to be restored as quickly as possible so we can consider either applying a workaround to restore service as quickly as possible or if the time required to permanently deal with the root cause is similar, fix the root cause where possible.

5. Develop an Action Plan

Once the root cause is identified, create an action plan that addresses both the immediate issue and the underlying cause if possible. In the above example, you may need to fix the memory leak and also update the testing process to ensure more comprehensive coverage.

Best Practices for Using the 5 Whys in IT

• Involve Multiple Teams: In major incidents, the root cause often spans multiple systems or layers (network, application, hardware). Involve relevant experts from each area to answer the "Whys" accurately.
• Stay Objective: Focus on facts, not assumptions. It’s easy to jump to conclusions, but 5 Whys works best when each answer is based on evidence or verified data.
• Document the Process: Record each step and the rationale for each "Why." This not only aids in incident resolution but also provides a learning tool for future post-mortems.
• Don't Overcomplicate: While it's called the "5" Whys, sometimes fewer or more are needed to reach the root cause. Stop once you’ve found the true cause, regardless of whether it takes three or seven questions.

Example of Using the 5 Whys in a Major IT Incident

Let’s walk through a hypothetical example of a major IT incident in an e-commerce company.

Incident: The checkout system crashed during peak traffic, preventing customers from completing purchases.

1. Why did the checkout system crash?
• The payment processing service became unresponsive.
2. Why did the payment processing service become unresponsive?
• The service reached its maximum number of concurrent connections.
3. Why did the service reach its maximum number of connections?
• The load balancer failed to distribute traffic properly.
4. Why did the load balancer fail?
• The configuration was incorrect, causing it to route too much traffic to one server.
5. Why was the configuration incorrect?
• A recent update to the load balancer was not properly tested.

Root Cause: Insufficient testing of configuration changes in the load balancing system, leading to an overload of one server.

Conclusion

The 5 Whys technique is an invaluable tool in Major Incident Management. It cuts through surface-level symptoms and uncovers the deeper issues that cause recurring Incidents and problems in IT environments. By integrating this method into your incident response process or techniques as a major incident manager, you not only resolve incidents more efficiently but also prevent them from happening again, leading to more resilient systems and better overall business outcomes.

By consistently applying 5 Whys analysis also during post-incident reviews, organizations can foster a culture of continuous improvement, ensuring that major incidents lead to long-term operational resilience.