Enforce 5 minutes of data-only observation in incident response before any theories
During incident response, enforce a mandatory 5-minute observation period where team members only report dashboard data and log patterns before anyone proposes a causal theory.
Why This Is a Rule
In incident response, the first theory proposed anchors the entire investigation. Under time pressure, the team converges on the first plausible explanation and spends the next 30 minutes investigating it — even if it's wrong. Every subsequent data point gets filtered through the anchor: confirming data is noticed, disconfirming data is dismissed. This anchoring effect routinely doubles mean time to resolution.
The 5-minute observation-only period prevents the anchor from forming. For five minutes, the only allowed activity is reporting raw data: dashboard readings, log patterns, error messages, metric changes. No theories, no "I bet it's the...", no hypotheses. Data only.
After five minutes of shared data accumulation, theories that form are grounded in the collective observation rather than in one person's initial gut reaction. The data has had time to assemble a pattern that's more accurate than any individual's first impression.
When This Fires
- At the start of any incident response (production outage, security incident, major bug)
- When a team assembles to investigate an urgent problem
- During any high-pressure diagnostic situation where premature theories are likely
- Complements Read logs for five minutes before proposing theories during incidents (individual 5-minute observation) for team contexts
Common Failure Mode
Someone proposes a theory before the 5 minutes are up, and the team follows it: "I bet it's the recent deploy." Now everyone is investigating the deploy, the observation period collapses, and the actual cause (a DNS change that happened 2 hours earlier) goes unexamined for another 20 minutes. The facilitator must actively enforce the observation-only constraint.
The Protocol
At incident start: (1) Facilitator announces: "Five-minute observation period. Report data only — no theories yet." (2) Set a literal 5-minute timer visible to the team. (3) Team members report: dashboard states, error messages, log patterns, metric changes, timing of events. (4) Facilitator redirects any theory attempts: "Hold that — we're still in observation. What data are you seeing?" (5) After 5 minutes: "Observation period complete. Based on what we've all seen, what hypotheses should we investigate?" The shared data foundation produces better-grounded, more diverse hypotheses than any individual's premature theory.