The Sev-1 was declared at 02:14, the bridge filled with 23 people, nobody knew who was running the call, and the first status update went out 47 minutes later to the wrong distribution list. Major Incident Management in ServiceNow gives you the process structure; the operational discipline of using it consistently is what separates the teams that recover quickly from the ones that compound the outage.
What Counts as Major
Define criteria up front and write them into a policy document — user impact (number of users affected, criticality of impact), revenue impact (direct revenue loss per hour, billing failure rate), security implication (data exposure, regulatory implication), and service criticality (which business services are degraded). An ad-hoc “manager calls it major” process leads to inconsistent response and audit findings. Encode the criteria as a Decision Table that the MIM declaration form references.
Major incident criteria (any one triggers MIM):
affected_users >= 1000
affected_business_critical_service == true
estimated_revenue_loss_per_hour >= 10000
pii_exposure_suspected == true
regulatory_reporting_required == trueThe Bridge
Major incidents need a dedicated communication bridge — typically a Microsoft Teams or Zoom room auto-created on MIM declaration. Integrate via IntegrationHub or Teams/Zoom spokes so the bridge URL posts to the incident record and notifies the on-call roster. The bridge URL belongs on the incident form prominently; people who join late should not have to ask in chat for the link.
// On MIM declaration: create bridge and post URL
function createMimBridge(incidentSysId) {
var bridge = sn_teams.createMeeting({
subject: 'MIM: '+incidentSysId,
participants: getMimRoster()
});
var inc = new GlideRecord('incident');
inc.get(incidentSysId);
inc.work_notes = 'Bridge: '+bridge.join_url+'\nDial-in: '+bridge.phone_number;
inc.update();
}Comms Cadence
Status updates every 30 minutes during the incident, even if the update is “still investigating.” Silence breeds escalation, executives start texting individuals, and the MIM team loses control of the narrative. Automate the reminder via a scheduled job that posts to the comms channel and pings the comms owner if the last update is more than 30 minutes old. Stakeholder distribution lists should be pre-defined per business service, not assembled live during the incident.
Bridge Leaders and Roles
Incident commander (the person calling shots), scribe (capturing the timeline in real time), tech lead (driving the technical investigation), comms owner (managing stakeholder updates). One person, one role — overlapping responsibilities create gaps. In small teams, the commander can double as scribe but only on low-complexity incidents; the moment things accelerate, the dual role fails. Document the role assignments on the incident record at declaration time.
Post-Incident Review
PIR within five business days of resolution. Capture the timeline (from scribe’s notes), root cause (with the framework used), and corrective actions with named owners and due dates. Track corrective action completion as a first-class metric — a PIR with unowned or undriven actions is a missed PIR. Closed PIR with three open corrective actions 90 days later is a recurrence waiting to happen.
Common Failure Modes
Roles assigned only verbally at the start of the bridge and forgotten an hour in — capture them on the incident record so latecomers can self-orient. Comms updates written in technical detail aimed at engineers — the audience is business stakeholders; rewrite each update for clarity. Corrective actions logged as good intentions rather than discrete change tickets — convert them to Change records linked to the original incident so completion can be tracked.
What Changed in 2026
Service Operations Workspace adds an MIM-specific layout that surfaces bridge, roster, and last comms time prominently. The Now Assist integration (where licensed) drafts the recurring status updates from worklog activity, which the comms owner edits before sending. Treat the AI draft as a productivity aid; the human still owns the narrative.
Implementation Sequence
Document the MIM criteria first and validate against the last 12 months of incidents — would the criteria have called the same major incidents the team did call? Adjust until the criteria match operational reality. Then automate the bridge creation, then the comms reminders, then the PIR template. Trying to deploy the full MIM suite in one sprint produces a process the operations team treats as paperwork.
What to do this week: review the last three major incidents and ask whether the role assignments were documented on the record at the time; if not, that is the cheapest first improvement.
