Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Introduction
This
guide
is
created
to
explain
how
the
incident
management
process
is
designed
to
work
specifically
using
ServiceNow.
It
should
be
used
by
engagement
managers,
technical
consultants
and
anyone
involved
in
implementing
the
incident
management
application.
It
should
be
used
in
conjunction
with
technical
implementation
guides
to
ensure
the
application
is
applied
consistently
to
all
customers.
This
should
also
ease
customer
upgrade
paths
and
the
ability
to
expand
their
use
of
the
platform.
Incident
Manager
Unlike
the
change
management
process
where
each
ticket
needs
to
be
reviewed
in
some
manner
by
the
managers
of
the
process
incident
management
does
not
require
that.
The
Incident
Manager
is
concerned
primarily
with
those
incidents
that
are
causing
a
higher
impact.
Typically
they
focus
on
managing
critical
incidents
and
the
health
of
the
incident
management
process.
Responsible
for:
• Developing
and
maintaining
the
incident
management
process
and
procedures
• Leadership
and
facilitation
of
the
incident
management
process
within
the
Technology
organization
• Continual
improvement
of
the
process
• Gathering
and
reporting
on
metrics
to
ensure
the
process
is
being
followed
and
is
effective
• Managing
critical
incidents
Caller
The
Caller
is
the
individual
who
is
being
impacted
by
degradation
to
a
service
or
someone
who
has
discovered
an
impact/potential
impact
to
a
service.
This
could
be
a
member
of
an
operational
support
team.
Alternatively
if
the
issue
has
been
discovered
automatically
through
an
event
monitoring
system
then
the
Caller
may
be
captured
against
that
system.
Responsible
for:
• Bringing
incidents
to
the
attention
of
the
Service
Desk
• Participating
in
the
implementation
of
a
solution
or
workaround
• Confirming
successful
resolution
New
This
is
where
the
incident
ticket
is
opened
and
all
known
information
about
the
symptoms
experienced
is
captured.
Any
services
that
have
experienced
an
impact
are
logged
as
a
Business
Service
CI.
The
incident
remains
in
New
state
until
it
is
being
worked
on.
It
can
be
updated
with
additional
information
from
the
Caller
many
times
not
just
when
it
is
first
raised.
Incidents
can
be
created
from
multiple
sources.
• The
Service
Desk
Analyst
can
create
the
incident
directly
as
a
result
of
a
phone
call
or
email
from
a
user.
• End
users
are
able
to
make
use
of
the
Self
Service
portal
where
they
can
directly
create
a
ticket.
This
would
use
a
record
producer
to
generate
an
incident
record
rather
than
exposing
the
full
incident
form
to
users
that
would
not
understand
most
of
it.
• Incidents
can
be
automatically
generated
via
external
systems
such
as
event
monitoring.
• Inbound
emails
can
generate
incident
records.
In
Progress
The
incident
is
now
actively
being
worked
on.
This
is
quite
often
recognized
when
the
Assigned
to
field
has
been
populated
with
an
individual
and
many
customers
will
want
to
automatically
update
the
state
field
when
this
has
happened.
However
just
because
an
Assignee
has
been
named
does
not
mean
they
have
actually
begun
to
work
on
it.
It
may
simply
be
assigned
to
their
list
of
work.
It
will
be
for
the
customer
to
determine
what
constitutes
moving
to
In
Progress
and
this
could
be
manual.
While
the
incident
is
in
progress
the
goal
is
to
conduct
diagnostic
steps
to
determine
the
cause
and
then
to
fix
the
issue.
The
fix
could
either
be
a
temporary
workaround
or
a
permanent
solution
whichever
will
end
the
impact
soonest.
As
the
incident
is
being
diagnosed
it
may
be
reassigned
to
a
number
of
different
groups
as
certain
things
are
ruled
out
or
in
and
the
cause
is
narrowed
down.
It
is
common
for
customers
to
want
to
track
the
number
of
times
an
incident
ticket
is
reassigned
as
one
of
the
key
metrics
of
the
process.
On
Hold
The
On
Hold
state
is
used
to
highlight
when
work
has
begun
on
resolving
the
incident,
it
is
not
yet
resolved
but
it
is
temporarily
not
being
worked
on
due
to
waiting
for
a
further
action
to
occur.
There
could
be
a
number
of
reasons
for
this
but
commonly
they
are
things
such
as
the
Caller
needs
to
provide
further
information
or
the
solution
is
identified
but
a
change
needs
to
be
implemented
to
achieve
this.
There
is
a
separate
on
hold
reason
field
to
determine
why
the
incident
is
on
hold.
This
is
a
choice
list
so
that
customers
can
only
include
those
reasons
which
they
determine
legitimate
for
pausing
an
incident
therefore
guiding
the
users
of
the
process
to
follow
it
correctly.
The
Service
Level
Management
product
will
make
heavy
use
of
this
state
since
putting
something
on
hold
will
typically
act
as
the
pause
condition
for
all
SLAs.
Resolved
Once
the
fix
has
been
applied
and
tested
by
the
Assignee
and
they
deem
that
it
has
been
successful
they
will
move
the
incident
to
Resolved.
The
Caller
is
notified
of
this
and
it
is
during
this
state
that
they
are
expected
to
validate
the
Assignees
belief
that
is
it
fixed.
If
they
agree
then
the
incident
can
be
closed
with
no
further
action.
If
they
disagree
and
are
still
experiencing
an
impact
then
they
can
send
the
incident
back
to
In
Progress
state
with
their
explanation
around
why.
In
most
cases
customers
will
set
a
time
limit
on
when
the
Caller
can
disagree
with
a
Resolved
state
and
this
will
be
around
5-‐7
days.
Once
the
time
limit
is
reached
the
incident
will
automatically
move
to
Closed
and
the
Caller
would
need
to
raise
a
brand
new
incident
if
symptoms
persisted.
There
may
be
situations
where
it
was
not
possible
to
resolve
the
incident.
Maybe
the
symptoms
were
too
difficult
to
reproduce
or
the
cost
of
fixing
the
issue
was
deemed
prohibitive.
In
these
cases
the
incident
would
still
be
considered
resolved
but
with
a
close
code
of
Not
Solved.
If
the
incident
has
followed
the
Major
Incident
Management
process
it
may
be
that
a
customer
would
also
want
to
conduct
some
form
of
post
mortem
review
process.
This
should
take
place
during
the
Resolved
state.
Closed
Once
the
incident
has
been
confirmed
as
resolved
and
any
necessary
close
out
work
has
been
completed
the
incident
is
moved
to
Closed.
At
this
point
all
work
on
the
ticket
is
finished.
Should
any
follow
up
work
be
required
this
will
be
via
a
problem,
change
or
other
associated
process.
Canceled
An
incident
should
only
be
set
to
Canceled
if
it
was
opened
by
mistake
and
an
incident
did
not
actually
exist.
Establishing
Priority
Incident
prioritization
typically
drives
the
timescales
associated
with
the
handling
of
the
incident
and
the
targeted
time
to
resolution.
There
are
a
couple
of
methods
that
can
be
used
to
determine
priority.
In
most
cases
priority
is
established
using
a
combination
of
impact
vs.
urgency,
where:
Impact
is
the
effect
that
an
incident
has
on
business.
For
example
if
the
incident
only
impacts
a
single
employee
the
impact
is
low
in
comparison
to
500,000
paying
customers
with
Twitter
accounts.
Urgency
is
the
extent
to
which
the
incident's
resolution
can
bear
delay.
Priority
is
generated
from
urgency
and
impact
according
to
the
following
table.
It
is
possible
to
automatically
establish
the
priority
of
the
incident
based
on
the
CI
that
is
identified
in
the
incident
record.
With
this
technique,
the
business
criticality
value
of
the
CI
is
used
to
determine
the
priority
of
the
incident.
This
ensures
a
more
accurate
and
consistent
prioritization
of
incidents,
as
the
determination
of
impact
and
urgency
can
be
a
subjective
call.
Incident
Categorization
Incident
categorization
is
commonly
used
to
drive
assignment
in
the
incident
management
process
as
well
as
establish
trends
(incident
types/frequencies)
for
use
in
problem
management,
supplier
management
and
other
ITSM
activities.
See
Categorize
incidents
in
ServiceNow
Docs
for
a
list
of
the
category
and
subcategory
values
available
in
the
base
system
although
these
are
just
considered
examples
rather
than
best
practice
categories.
See
Define
an
assignment
rule
for
incidents
in
ServiceNow
Docs
for
a
description
of
how
to
automate
assignment
based
on
categorization.
This
method
of
categorization
requires
the
creator
of
the
incident
to
manually
select
the
category
and
subcategory
from
predefined
lists.
It
is
possible
to
automatically
categorize
and
assign
the
incident
based
on
the
CI
that
is
identified
in
the
incident
record.
With
this
technique,
the
incident
management
process
inherits
the
same
categorization
schema
as
CIs
maintained
through
the
configuration
management
process
and
the
category
of
an
incident
is
automatically
determined
once
the
affected
CI
is
identified
in
the
incident
record.
This
technique
ensures
more
accurate
and
consistent
categorization
of
incidents
and
supports
a
CI-‐centric
approach
to
IT
service
management.
Once
the
major
incident
has
been
resolved
there
will
be
follow
up
steps
to
review
what
happened
and
where
improvements
can
be
made
in
the
future.
Typically
lessons
learned
and
next
steps
are
produced.
It
is
common
for
a
problem
record
to
be
generated
to
track
any
further
work
required
even
if
the
incident
itself
has
been
resolved.
Parent/Child
Incidents
Where
an
incident
is
causing
a
wide
impact
this
will
be
evident
with
a
number
of
records
being
raised
by
different
Callers
for
the
same
issue.
Although
these
incidents
are
reporting
the
same
thing
and
might
be
considered
duplicates
of
each
other
it
is
good
to
capture
each
instance
where
the
impact
has
been
experienced
so
that
the
size
of
impact
can
be
more
easily
determined.
The
down
side
of
having
many
incidents
logged
with
the
same
issue
is
that
they
will
all
need
to
be
updated
as
the
incident
is
diagnosed
and
resolved.
This
can
be
easily
handled
by
designating
one
incident
as
the
parent
and
relating
all
other
incidents
to
this
parent
via
the
Child
Incidents
related
list.
When
work
notes
or
comments
are
added
to
the
parent
these
will
automatically
copy
to
all
related
child
incidents.
In
addition
when
the
parent
is
resolved
the
child
incidents
will
also
be
resolved
and
the
closure
information
copied
over.
Incident
Templates
Incident
templates
may
be
also
be
established
to
handle
issues
that
are
seen
repeatedly
and
require
the
same
steps
to
resolve
each
time.
The
Service
Desk
agent
can
raise
a
new
incident
from
a
template
when
they
are
responding
to
a
call
or
email
from
a
user.
See
Templates
in
ServiceNow
Docs
for
a
description
of
how
to
use
the
template
feature
of
ServiceNow
to
support
this
concept.
In
addition
to
reports,
each
user
can
create
a
personal
homepage
and
add
gauges
containing
up-‐to-‐the-‐minute
information
about
the
current
status
of
records
that
exist
in
ServiceNow
tables.
See
Customize
homepages
in
ServiceNow
Docs
for
details.
Metrics
and
Performance
Analytics
can
be
used
to
understand
the
health
of
the
incident
management
process
and
where
improvements
can
be
made.
Some
useful
indicators:
• Open
Incidents
–
Are
there
many
open
incidents
for
a
long
time
-‐
more
than
90
days?
Are
more
assigned
to
a
particular
group?
• New
incidents
-‐
Do
you
have
a
peak
on
Mondays
–
so
you
need
more
staff
on
that
day?
Any
other
seasonal
variations?
• Backlog
growth
-‐
Are
you
keeping
pace?
What
factors
(category,
etc)
affect
it?
• Resolved
incidents
–
What’s
the
resolution
time?
Which
group
is
resolving
the
most?
These
type
of
metrics
can
be
used
in
conjunction
with
Performance
Analytics
to
get
an
easy
to
understand
view
of
where
to
focus
improvement
efforts.
Problem
Management
Problem
Management
is
the
‘next
step’
process
for
incidents
that
require
further
investigation
for
the
root
cause.
Problem
records
can
be
generated
directly
from
the
incident
record
and
will
copy
over
key
data.
Incidents
can
be
put
into
On
Hold
state
with
a
reason
of
Awaiting
problem.
There
could
be
many
incidents
associated
with
a
single
problem
and
the
higher
the
number
of
incidents
the
clearer
the
scale
of
impact
becomes.
It
may
be
that
when
the
problem
was
first
encountered
the
number
of
associated
incidents
was
low
and
so
it
was
decided
not
to
pursue
a
permanent
fix
however
as
the
number
increases
and
the
impact
widens
that
decision
may
be
reviewed.
If
a
workaround
exists
for
the
problem
this
can
be
logged
into
the
problem
record
and
automatically
pushed
into
all
associated
incident
records.
Once
the
problem
has
been
fixed
all
associated
incidents
can
be
automatically
closed.
Change
Management
For
many
incidents
the
solution
will
require
work
on
a
service,
hardware
or
software.
Conducting
this
work
will
require
a
change
record
to
be
raised.
Emergency
changes
typically
require
an
incident
record
to
be
related
to
prove
that
they
are
urgent
enough
to
bypass
the
full
process
and
lead
times.
In
some
cases
a
change
was
implemented
that
resulted
in
an
incident.
An
incident
record
can
be
created
from
the
originating
change
record
to
show
the
cause
and
link
the
chain
of
events
together.
Knowledge
Management
Knowledge
is
a
vital
part
of
the
incident
process.
It
is
available
using
the
Contextual
Search
feature
embedded
into
the
incident
record
and
record
producers
to
display
relevant
knowledge
articles
as
the
incident
is
being
created.
Contextual
Search
will
use
text
entered
into
the
Short
description
fields
or
other
text
fields
to
search
for
close
matches
in
the
knowledge
base
and
display
these
on
the
screen.
This
is
designed
to
assist
either
the
Caller
with
information
that
may
help
them
to
resolve
their
own
incident
without
having
to
log
it
at
all.
Or
it
can
help
the
Service
Desk
Analyst
to
find
information
that
may
resolve
the
incident
without
having
to
escalate
to
an
SME.
Configuration
Management
The
configuration
management
system
underpins
all
incident
management
activities.
It
not
only
hosts
the
incident
and
other
service
management
records,
but
contains
details
of
the
infrastructure
vital
to
efficient
call
handling.
Event
Management
Automated
event
monitoring
tools
scan
infrastructure
to
check
for
certain
acceptable
conditions
that
are
considered
healthy.
Once
these
conditions
are
no
longer
met
an
event
or
alert
can
be
created
to
draw
attention
to
the
change
in
health
of
the
infrastructure.
Where
that
change
has
been
significant
enough
or
is
occurring
frequently
enough
that
criteria
would
then
be
considered
an
incident
where
support
resources
would
need
to
take
action.
Incidents
can
be
automatically
created
based
on
certain
criteria
allowing
support
teams
to
react
quickly.
Typically
these
alerts
can
be
set
to
catch
issues
before
they
create
a
much
larger
and
more
visible
impact
and
a
major
incident
can
be
avoided.