3.3.1. Example Value Stream: Request to Resolve Incident
💡 First Principle: The primary value stream for service restoration is a rapid, coordinated flow from engagement and detection through delivery and support, with feedback loops into improvement.
Scenario: A website monitoring tool (Monitoring and Event Management) detects that the site is down and automatically creates a high-priority ticket. This triggers the Incident Management process. The on-call engineer is paged, diagnoses the issue using information from Service Configuration Management, and applies a fix. The monitoring tool confirms the site is back up, and the incident is resolved.
This value stream describes the steps taken from a user reporting an issue to the service being restored.
Detailed Flow: Standard Incident
| Step | SVC Activity | What Happens | Practices Involved |
|---|---|---|---|
| 1 | Engage | User contacts Service Desk reporting "I can't access email." Agent logs the incident, categorizes it (email/access), and assigns initial priority based on impact and urgency. | Service Desk, Incident Management |
| 2 | Deliver & Support | Agent checks known errors database—finds a matching workaround: "Clear cached credentials." Walks user through the fix. Service restored. | Incident Management, Problem Management (knowledge) |
| 3 | Engage | Agent confirms resolution with user: "Is your email working now?" User confirms. Agent documents resolution and closes incident. | Service Desk, Incident Management |
| 4 | Improve | Weekly trend analysis shows 47 similar incidents this month. Problem record created to investigate root cause. | Problem Management, Continual Improvement |
Detailed Flow: Major Incident
When the impact is severe (many users affected, critical business function down), the value stream expands:
| Step | SVC Activity | What Happens | Practices Involved |
|---|---|---|---|
| 1 | Engage | Monitoring detects website down. Alert triggers automatic P1 incident creation. Major Incident Manager notified. | Monitoring & Event Management, Incident Management |
| 2 | Deliver & Support | Major Incident Manager activates swarming—pulls network, application, and database specialists into a bridge call simultaneously rather than escalating sequentially. | Incident Management (swarming) |
| 3 | Deliver & Support | Team queries CMDB to identify affected components and dependencies. Discovers database server is unresponsive. | Service Configuration Management |
| 4 | Deliver & Support | Database specialist identifies corrupted transaction log. Decision: restore from backup (requires emergency change). | Incident Management, Change Enablement |
| 5 | Obtain/Build | Emergency change approved by on-call change authority. Backup restoration executed. | Change Enablement (emergency), Deployment Management |
| 6 | Deliver & Support | Service restored. Monitoring confirms website responding. Users notified via status page. | Monitoring & Event Management, Incident Management |
| 7 | Engage | Stakeholder communication: CIO briefed on incident, timeline, and root cause. Customer communication sent. | Incident Management, Relationship Management |
| 8 | Improve | Post-incident review (PIR) conducted within 48 hours. Problem record created for "database transaction log corruption." Improvement action: implement transaction log monitoring. | Problem Management, Continual Improvement |
Practice Interactions in This Value Stream
⚠️ Common Pitfall: Treating incident closure as the end. A mature value stream includes the Improve activity, ensuring lessons are learned and preventive actions are taken via Problem Management.
Key Trade-Offs:
- Speed vs. Documentation: During major incidents, focus is on restoration. But skipping the post-incident review loses learning. Balance by time-boxing PIR within 48 hours while details are fresh.
- Swarming vs. Tiered Escalation: Swarming is faster but pulls multiple specialists simultaneously. Use it for major incidents where speed justifies the resource cost.
- Manual vs. Automated Detection: Automated monitoring catches issues before users notice, but requires investment in tooling and threshold tuning.
Reflection Question: In this value stream, why is Service Configuration Management critical during the "Deliver & Support" activity? What happens if CI data is inaccurate?
