
How to Be an Effective Incident Commander

Christopher Spurgeon · 8 min read

Most organizations have an incident response plan. Very few have someone who actually knows how to run one.

That is the gap. Not documentation. Not policy. Not even training, exactly. It is the absence of someone who can walk into chaos, take command, and drive decisions when everything is moving fast and nothing is clear.

That person is the Incident Commander. And the role is harder than most people expect -- not because the skills are exotic, but because they have to work under conditions that make every skill harder to execute.

Here is what effective incident command actually looks like.


Understand What the Role Is -- and Is Not

The Incident Commander does not fix the problem. That is the first thing to get right.

The IC coordinates the people who fix the problem. That distinction matters enormously. The moment an Incident Commander puts their head down and starts working the technical issue themselves, they have abandoned command. No one is watching the full picture. No one is making the next decision before it becomes urgent. No one is communicating with leadership or managing the clock.

Your job is to maintain situational awareness across the entire incident while everyone else is focused on their lane. You are the only person in the room whose job it is to see everything.

That is a discipline. It requires you to resist the pull toward familiar work -- especially if you are technically competent -- and stay at altitude.


Establish Command Immediately

The first sixty seconds of an incident set the tone for everything that follows.

When you step into the IC role, say it out loud. "I have command of this incident." Not implied. Not assumed. Said. Everyone in the room or on the call needs to know who is running it, because ambiguity in command structure costs time -- and during an incident, time is the only resource you cannot recover.

Immediately establish three things:

Who is on the response team. Do a quick roll call. Know who is present, what function they cover, and who is missing that you need.

What you know and what you do not know. State your current situational awareness plainly. "Here is what we know. Here is what we do not know yet. Here is what we are doing right now to close the gap." This is not a briefing for its own sake. It synchronizes the room and forces your own thinking.

Your command rhythm. How often will the team check in? Every fifteen minutes? Every thirty? Set it at the start and hold to it. A predictable cadence prevents the two failure modes that kill incident response: constant interruption and total silence.


Control Information, Not Just Action

Most incidents do not fail because responders made wrong decisions. They fail because the right people did not have the right information at the right time.

Information management is the IC's core function during a live incident.

This means you are tracking what is known, what is assumed, and what is unknown -- and you are keeping those three categories clearly separated. Assumptions that get treated as facts are how incidents spiral. Someone says "the backup should be clean" and the response plan proceeds as though it is confirmed. It is not. That is an assumption. Name it as one.

It also means managing the flow of information out of the response team. Leadership wants updates. Customers may need notification. Legal or compliance may need to be in the loop. The IC decides what goes out, to whom, and when -- and delegates someone to handle that communication so it does not consume the IC's own attention.

When you are managing information poorly, you will feel it. People will be asking the same questions repeatedly. Decisions will get made on stale data. The same issue will surface in two different workstreams because no one knew the other team was already on it.


Make Decisions with Incomplete Information

This is the hardest part of the job. It is also the most important.

Incidents do not wait for certainty. The conditions that would give you a perfect decision will not arrive before you need to act. You will have partial information, conflicting reports, and time pressure -- and you still have to decide.

Effective incident commanders develop a threshold: enough information to act. Not complete information. Enough. They ask: what is the cost of acting now versus waiting another ten minutes? If waiting is likely to give them meaningfully better information, they wait. If waiting only gives the incident more time to grow, they act on what they have.

They also separate reversible decisions from irreversible ones. Reversible decisions -- spin up an additional resource, notify an internal team, pull in a vendor -- can be made quickly and corrected if wrong. Irreversible decisions -- public disclosure, shutting down a production system, engaging law enforcement -- deserve more weight and more information before committing.

Move fast on reversible. Move carefully on irreversible. Know which is which before you decide.


Manage the Room

Command is not only operational. It is human.

People under pressure behave differently. Some go quiet. Some talk too much. Some fixate on a single problem and lose the broader picture. Some need direction to function and freeze without it. The IC has to read all of this and respond to it in real time while also running the incident.

A few principles that hold across almost every response situation:

Keep communication short and direct. This is not the time for nuance or lengthy explanation. State the situation, state what you need, state the timeline. Ask for confirmation that it was understood.

Do not allow parallel side conversations to run unchecked. One voice runs the room. Sidebar conversations fragment attention and produce conflicting actions. If someone has something important, they bring it to you.

Name the stress when it is real. You do not have to pretend the situation is fine when it is not. Acknowledging that the pressure is high and that the team is doing what needs to be done is not weakness. It is leadership. People work better when they are not also managing unacknowledged tension.

Watch your own state. Incident command is cognitively expensive. If you are four hours into a response and you can feel your thinking degrading, name it. If you have a qualified person who can take command for an hour, hand it off. A rested IC making decisions at the five-hour mark is worth more than an exhausted one.


Conduct the After-Action Review -- and Use It

The incident ends when the immediate threat is resolved. The work does not.

Within 24 to 48 hours, before memory degrades and people move on, conduct an after-action review. This is not a blame session. It is a structured debrief that asks four questions:

  1. What did we expect to happen?
  2. What actually happened?
  3. Where did the gaps appear?
  4. What do we change before the next incident?

The gaps you find in the after-action review become the injects in your next exercise. The communication failures become drill scenarios. The decision bottlenecks become topics for facilitator discussion.

An incident without an after-action review is a paid lesson you did not learn from.


The Skill That Underlies All of It

Effective incident command is a practiced skill. Not a personality type. Not a title. Not something that activates automatically under pressure because you have read the right documents.

You have to practice it before you need it.

That means running exercises where someone has to actually stand in the IC role, make decisions under time pressure, manage a room, and work through incomplete information. Not a discussion about what would happen. An actual simulation where the role is real and the pressure is approximated.

The organizations that handle incidents well are not lucky. They have practiced the response so many times that command feels familiar when the real thing starts. The IC has been the IC before. The team has responded before. The communication patterns are established.

You do not rise to the occasion. You fall to the level of your preparation.


Running your own exercises? TabletopExercise.app includes scenario libraries with facilitator guides built for testing incident command structures -- decision authorities, communication chains, and escalation paths.