These are just a few “Above-The-Line” patterns we’ve observed in cases over time, and potential nicknames for the patterns in the style of how cons are named in movies such as Ocean’s Eleven. Is this shorthand that we use in regular use in our work? Not regularly, but it’s been fun to name them once we’ve seen these scenarios play out across multiple organizations. ????
(based on the Knight Capital event)
This is when:
- Team develops an understanding of what is happening based on what they’ve been able to gather.
- They take action that is reasonable, given #1 above.
- Because this understanding was mis-calibrated in some minor way, the action in #2 makes things worse
A “Here Goes Nothing”
This is when uncertainty is significant enough that while someone is committed to taking an action, they’re explicit that doing so has a non-zero chance of making things worse.
A “Slow Burn” (or “Invisible Wick”)
This is when a scenario goes from “huh, that’s weird…but <shrug>…” to “ugh, yep: this is totally A Thing™ now”
- People recognize that behaviors are interesting enough to warrant attention but not enough to declare it an “incident”
- Some discussion takes place about the significance of the signal(s) and time passes because either:
- While the signal(s) look to be anomalous, they can be discounted or explained away – to be “within normal variation”
- They might be acknowledged as anomalous, but not enough concern is raised for doing much more than “keeping an eye on it”
- The behavior gets significantly worse, or downstream effects (in time or space) begin to show some important impact
- The recognition that the issue was (now seen in this new light) indeed out of the range of “normal”
(Later, someone often remarks that the early signals were “leading indicators” and that observers needed to “pay more attention.”)
This is when during the response to an incident, multiple team members are concerned/worried that what is happening will lead to something much more significant or damaging, but it doesn’t end up going that way. Because the worries or concerns don’t play out in the way they feared, the team members see no reason to make their worries explicit, and therefore they are not captured in the post-incident activities.
A variation on this is when some but not all team members express these concerns and because they assume all of the others are also worried about the same thing, they feel no need to share the concerns during the event. This is an example of the so-called ‘fundamental common ground breakdown’.
A “Parallel Pete”
This is when while an incident is continuing to be worked by responders, one member takes the initiative to prepare for a potential outcome (that hasn’t been proven to be inevitable) example: getting ready to restore databases from backups, writing data repair scripts, getting into position to turn up new capacity, etc.)
Note: we’ve sometimes seen a “Suppressed” lead to a “Parallel Pete”
This is when multiple efforts (some orgs call these “swimlanes”) are happening in parallel; they can be diagnostic or therapeutic. The fastest direction or route is taken or committed to, and when a “slower” thread activity is identified as being more productive, it’s too late; the initial effort must finish before any other directions can be taken.
A “Saves The Day”
After a team struggles with working an incident for some period of time, a latecomer interjects with a significant contribution that wasn’t known previously. This is typically from a “knowledge island” engineer who has either esoteric knowledge about the behavior and what to do about it, or possession of a tool or set of approaches that significantly simplifies or washes away confusion or uncertainty about what is happening or what to do about it.
Any of these seem familiar to you? ????