Root Cause Pattern
Pattern: Root Cause
Category: Post-Incident Learning & Prevention
Maturity: Stable v1.1 | Updated: 2026-07-16
Overview
The Root Cause Pattern prevents the failure mode where teams close incidents with symptom fixes and vague morals (“be more careful,” “improve monitoring”) and the same outage returns. Without a blameless timeline, a single systemic root cause, and owned prevention with due dates, RCAs become theater.
This pattern aligns with ../../08-ai-sdlc/prompts/root-cause-analysis.prompt.md: timeline → 5 Whys → contributing factors → detection gap → remediation with owners → measurable prevention.
When to Apply
Apply this pattern when:
- A SEV1/SEV2 incident is mitigated (or SEV3 with recurrence risk)
- A near-miss would have been SEV1 under slightly different timing
- A hotfix/rollback restored service but the systemic condition remains
- Leadership or customers require a written postmortem with actions
Do NOT apply this pattern to:
- Active uncontained incidents (contain first via hotfix-pattern)
- Blame sessions or HR investigations disguised as RCAs
- Trivial SEV4 noise with no learning value (log and move on)
- Speculative “what if” reviews without a concrete timeline and evidence
Problem
root-cause-pattern/problem.md
Statement: Post-incident writeups that list multiple “root causes,” name individuals negatively, or assign ownerless actions fail to change the system — recurrence is the measurable outcome.
Measurable symptom: Repeat incident class within two quarters, or >50% of RCA actions still open past due with no escalation.
Root cause: Organizations confuse triggers/symptoms with systemic conditions, and treat the RCA meeting as closure rather than as a commitment device for prevention.
Context Requirements
Before applying this pattern:
- Incident mitigated or explicitly in monitoring with stable containment
- Timeline raw materials available (alerts, deploys, flag flips, chat export)
- Facilitator committed to blameless norms
- Action owners will be in the room (or immediately reachable)
Workflow
Prompt
See prompt.md — full XML mirrored from the SDLC root-cause-analysis prompt with bindable template variables.
Agent Definition
name: RCA Analyst Agent
role: |
You draft blameless RCAs with one root cause, 5 Whys, detection gaps, and
owned actions. You do not assign personal blame. You do not accept vague
monitoring actions.
Full YAML: agent.md
Subagents
| Subagent | Role | When Invoked |
|---|---|---|
| Timeline Builder | Chronology with sources | Start |
| Five Whys Facilitator | Drive to systemic cause | After timeline |
| Detection Gap Analyst | Why not caught earlier | After root cause |
| Action Scrubber | Reject ownerless/vague actions | Before publish |
Skills Required
- Blameless facilitation skill
- 5 Whys / fault-tree skill
- Observability gap analysis skill
- Corrective action tracking skill
Hooks
Executable checks in hooks.md: one root cause, 5 Whys present, owners+dates, no blame language patterns.
Checklist
See checklist.md.
Examples
See examples/example.md — inline RCA for checkout NPE with 5 Whys and concrete alert action.
| Component | File |
|---|---|
| Problem | problem.md |
| Context | context.md |
| Workflow | workflow.md |
| Prompt | prompt.md |
| Agent | agent.md |
| Subagents | subagents.md |
| Skills | skills.md |
| Hooks | hooks.md |
| Checklist | checklist.md |
| Failures | failures.md |
| Enterprise | enterprise-notes.md |
Common Failures
Failure 1: Many “root causes”
Symptom: RCA lists five root causes; nothing is systemic.
Cause: Stopped at triggers/contributing factors.
Recovery: Pick one systemic condition; demote others to contributing factors.
Failure 2: Vague prevention
Symptom: Action “improve monitoring” with no metric.
Cause: Meeting ended without specificity.
Recovery: Rewrite to named alert, threshold, and owner — see SDLC prompt examples.
Failure 3: Blame drift
Symptom: Writeup centers who erred.
Cause: Blameless norm not enforced.
Recovery: Rewrite to system conditions; facilitator restates norm.
Enterprise Notes
- Accountability ≠ blame: owned actions with due dates are required; personal punishment is out of scope for this pattern.
- Regulated post-incidents may need legal review before external sharing — publish internal first.
- No certification claims from completing an RCA template.