Practical guides to help your team implement ITIL Incident Management, achieve ISO/IEC 20000 alignment, and make the business case for ITSM tooling investment.
Getting an ITIL-aligned Incident Management process off the ground doesn't require a multi-year transformation programme. Most teams can reach a working, auditable process within four to six weeks using the right tooling and a clear sequence of steps.
Who this is for: IT Service Desk managers, ITSM process owners, and IT Directors standing up or improving a formal Incident Management process. Assumes a team of 5β50 IT staff and a service desk handling at least 200 incidents per month.
A successful rollout requires three things to be in place before you run a single incident through the new process:
Map where incidents are currently being logged, by whom, and how they're resolved. Identify the top five failure modes; most organisations find these cluster around poor triage, unmanaged escalation paths, and absent Major Incident procedures.
Agree on a P1βP4 priority scheme with clear business impact descriptions. Tie each priority to a target resolution time and an escalation trigger. Document this in writing and circulate before go-live.
For each process lane, name a responsible owner and at least one deputy. The Service Desk lane owner is typically the Team Lead or Service Desk Manager; L2/L3 lane owners are typically the relevant technical team leads.
Distribute ProcessRaven Incident Management to all staff who will touch an incident, not just the Service Desk. The interactive process map removes ambiguity about decision points and escalation criteria, reducing ramp time on the process from days to hours.
Before go-live, run at least two scenario walkthroughs using the process simulator: one standard P2 incident, one simulated P1 Major Incident. Record where the team hesitates; those are your process gaps. Fix them before they surface in a real incident.
Ensure your ticketing system (ServiceNow, Jira Service Management, Freshservice, etc.) reflects the agreed process: correct assignment groups, escalation workflows, and SLA timers. The process simulator is the authoritative reference; the tool should implement it, not the other way around.
Run the defined pilot scope through the new process for four weeks. Use the process simulator's built-in SOP index for rapid reference during live incidents. Log deviations from process so they can be reviewed, not just worked around.
Track Mean Time to Resolve (MTTR), escalation rate, re-opened incident rate, and SLA compliance. The first two weeks will show a slight slowdown as the team adjusts; this is normal and expected. By week four, resolution times typically improve by 15β25%.
Gather the lane owners and process sponsor for a 90-minute review. Identify the top three process improvements, update the SOP documentation accordingly, and obtain attestation sign-off from all lane owners using the built-in Compliance Attestation feature.
Roll out to the remaining scope using the refined process. Schedule quarterly process reviews. The Compliance Attestation and PDF export features in the Professional Edition provide the audit trail required for ISO/IEC 20000 and internal governance reviews.
| Role | Typical job title | Process responsibility |
|---|---|---|
| Incident Manager | Service Desk Manager / ITSM Process Owner | Overall process ownership, Major Incident co-ordination, KPI reporting |
| Service Desk Agent | 1st Line Analyst / Support Technician | Intake, triage, classification, L1 resolution, escalation decision |
| L2 Resolver | 2nd Line Engineer / Technical Analyst | Technical investigation, workaround identification, L2 resolution or L3 escalation |
| L3 Specialist | Senior Engineer / Vendor SME | Deep technical resolution, root cause identification, workaround for P1/P2 |
| Major Incident Manager | Service Desk Manager / On-call Manager | MI bridge co-ordination, stakeholder communication, business impact management |
| Problem Manager | Problem Management Process Owner | Problem Record creation, root cause analysis, known error database |
| Change Manager | Change Advisory Board Chair / IT Manager | Emergency change authorisation, normal change scheduling, release co-ordination |
ISO/IEC 20000 is the international standard for IT Service Management. Certification demonstrates that your organisation operates an ITSM system meeting defined requirements for planning, delivering, and improving IT services. It is increasingly required by government and regulated-sector procurement.
ISO/IEC 20000-1:2018 is structured around a Service Management System (SMS): the framework of policies, processes, documented information, and continual improvement activity that governs IT service delivery. Key clauses relevant to Incident Management teams include:
| Clause | Title | Relevance to Incident Management |
|---|---|---|
| 4 | Context of the Organisation | Define scope of SMS; identify internal and external stakeholders |
| 5 | Leadership | Management commitment, policy, and roles: the RACI requirement |
| 6 | Planning | Risk management, service management objectives, change planning |
| 7 | Support | Documented information, competence, awareness: training evidence |
| 8.6 | Resolution and Fulfilment | The core Incident Management clause: covers incident recording, classification, prioritisation, escalation, resolution, and closure |
| 8.7 | Service Request Management | Separation of service requests from incidents: required for accurate reporting |
| 10 | Improvement | Continual improvement plan, corrective actions: post-incident reviews |
Clause 8.6 (Resolution and Fulfilment: Incident Management) is where most auditor attention focuses. It requires organisations to demonstrate documented procedures for each of the following:
β Covered by ProcessRaven | ~ Partially covered | β Requires your ITSM tool
Based on publicly available ISO/IEC 20000 audit findings and ITSM practitioner guidance, these are the gaps that cause the most audit observations and non-conformities:
| Gap | Why it's common | How ProcessRaven addresses it |
|---|---|---|
| Process not understood by all staff | Traditional process docs are static PDFs nobody reads | Interactive process simulator with 38+ built-in SOPs; staff navigate the actual process rather than read about it |
| No evidence of staff training / awareness | Verbal briefings leave no audit trail | Compliance Attestation module generates signed, timestamped PDF records per reviewer |
| Major Incident procedure undocumented or untested | Teams avoid documenting what they haven't practised | Dedicated Major Incident lane with bridge procedure, stakeholder comms checkpoints, and scenario walkthrough capability |
| Escalation criteria unclear or inconsistent | Ad-hoc decisions by individual agents | Gateway decision points with defined criteria at every escalation node; enforces consistent decision-making |
| Problem Management handoff not systematic | Handled by email or verbal agreement | Explicit Problem Record Creation gateway with trigger criteria and documentation requirements |
Note: ProcessRaven supports your ISO/IEC 20000 compliance effort but is not a certification body and cannot guarantee certification. Formal certification requires an accredited third-party audit. We recommend engaging a UKAS-accredited (UK) or ANAB-accredited (US) certification body for your formal assessment.
Securing budget for ITSM process tooling requires a clear financial case. This section provides industry-benchmark data, a worked calculation model, and narrative guidance for presenting the case to Finance or senior leadership.
Source note: MetricNet benchmarks are drawn from their Global IT Service Desk Benchmarking Database (800+ organisations). HDI data is from the annual State of the Service Desk report. Forrester ROI data references the Total Economic Impact methodology for ITSM platform investments. All figures are industry averages; your results will vary based on team size, current maturity, and incident volume.
The following model is designed for a mid-size IT organisation handling 1,000 incidents per month. Adjust the inputs for your own environment.
| Input | Example value | Your value |
|---|---|---|
| Monthly incident volume | 1,000 | |
| Current escalation rate (% reaching L2+) | 35% | |
| Estimated avoidable escalation rate (MetricNet: 18%) | 18% | |
| Cost per L2/L3 escalation (MetricNet: $491) | $491 | |
| Average L2/L3 hourly cost (fully-loaded) | $85/hr | |
| Average resolution time (pre-process improvement) | 4.2 hrs |
Step 1. Avoidable escalation cost per month:
Monthly escalations = 1,000 Γ 35% = 350 escalations/month
Avoidable escalations = 350 Γ 18% = 63 avoidable escalations/month
Monthly waste = 63 Γ $491 = $30,933/month
Step 2. Resolution time saving per month (23% MTTR reduction):
Resolved escalations = 350/month
Time saved per incident = 4.2 hrs Γ 23% = 0.97 hrs
Monthly hours saved = 350 Γ 0.97 = 339.5 hrs
Cost saved = 339.5 Γ $85/hr = $28,858/month
Step 3. Annual savings:
($30,933 + $28,858) Γ 12 = $717,492/year
| Cost item | Year 1 cost |
|---|---|
| ProcessRaven Professional licence (per-file, perpetual) | $397 |
| Internal implementation time (est. 16 hours @ $85/hr) | $1,360 |
| Total Year 1 cost | $1,757 |
| Estimated Year 1 saving | $717,492 |
| Year 1 ROI | 408Γ |
Conservative framing: Even at 10% of the projected savings ($71,749), the ROI is still 41Γ investment. Present the conservative scenario first; it builds credibility and the upside sells itself.
Finance teams and CxOs respond to three things: hard numbers, risk reduction, and strategic alignment. Structure your business case around all three.
Lead with operational cost. Use the calculation above to show a concrete monthly waste figure from avoidable escalations. This is quantified, defensible, and directly tied to headcount cost, the most legible cost category for Finance. Benchmark data from MetricNet and HDI gives independent credibility to your assumptions.
Frame compliance as risk reduction. ISO/IEC 20000 alignment and auditable process documentation directly reduces the risk of failed audits, regulatory penalties, and the reputational damage from a poorly handled Major Incident. Quantify this as risk exposure: e.g., the estimated cost of a single unmanaged P1 incident (direct remediation, SLA penalties, and management time) is typically $15,000β$80,000 depending on industry. One prevented Major Incident typically pays for years of ITSM tooling.
Tie to existing strategic initiatives. If your organisation is pursuing ISO/IEC 20000 certification, Cyber Essentials Plus, SOC 2, or a digital transformation programme, process documentation and compliance evidence directly support these goals. Frame the investment as accelerating something the organisation is already committed to, not adding new overhead.
Address the alternative cost. Ask: "What does it cost us to not fix this?" A team of 10 L2/L3 engineers spending 20% of their time on avoidable escalations represents 2 FTE of wasted capacity annually. At $85/hr fully-loaded, that's $353,600/year of misallocated resource. Reallocating that capacity to proactive work, project delivery, or self-service enablement has compounding long-term value.
Download the Free Edition to evaluate the full process today, or purchase the Professional Edition for complete Compliance Attestation and PDF export capabilities.