In school, there are some subjects (especially Maths) that some students find very easy, while many others just do not get them! The people who ‘get it’ think (sometimes even aloud): what is so difficult about this? Isn’t this plain, simple and logical? Meanwhile, those who ‘don’t get it’ are still left without a clue.

ITIL® has been carrying a few concepts like that (no – I am not getting into the Incident–Problem debate once again! Why don’t you get it, it is sooo simple!! 😉).

One such area in ITIL V3 is the distinction between Event and Incident.

Many of my students go through the sessions and finally raise the question: ‘Can you explain to me once again how an Event is different from an Incident?’

First of all, the confusion is created by the choice of terminology. (And to think ITIL is of British origin! Sigh… I always wondered how many organizations were calling service interruptions ‘incidents’ before ITIL defined and used that word!)

If you think in plain English, the meanings of both terms point (almost) to ‘something that occurs or occurred’.

That is true (in ITIL terms) for Events, or at least close to it. An Event is defined as a ‘change of state, that is significant to Service management’. So an event can be a purely normal ‘change of state’.

Let us look at some examples of events in typical service management:

  • A particular service started on a Server X
  • Internet Link utilization increased from 60% to 70%
  • A network switch went down
  • A user logged into the system A
  • The system B went into ‘idle’ mode.
  • An application PQR crashed
  • Backup of System Z has completed successfully

It is clear from the above examples that an event can indicate something which is usual, something which is unusual, or something which is clearly an exception. All these events have a certain level of significance to services and service management. Some events require some action; some do not. Understanding that significance and deciding what action (if required) is to be taken is the event management process.

Now, an Incident is an ‘unplanned interruption of an IT service, reduction in quality of service, or a failure of a CI (configuration item)’.

Here it is clear that an Incident is something that creates a (negative) impact on the service or service quality.

Going back to the above list of events, NOT all of them are incidents. Only the following ones qualify as Incidents:

  • A network switch went down
  • An application crashed

So, all incidents are events – but NOT all events are incidents. (Just like we say ‘all Indians are Asians, but not all Asians are Indians’. Yeah – I prefer that analogy because I am Indian – and NO: I am not comparing Indians with Incidents! Just an analogy, Stupid!! 🙂)

I hope that analogy didn’t confuse you again. Just ignore it if it did, it is not important…!

So, if event management identifies an event which qualifies as an Incident, that will trigger the registration of an Incident and hence the Incident management process. For other events, their respective response actions (where required) will be initiated.

Now, coming back to the possible reasons for such confusion between the terms (in addition to the choice of terminology mentioned above):

When I ask many of my students (while explaining event management) ‘what is monitoring (of infrastructure, network etc.) for?’, they typically answer: it is to ‘detect when something goes wrong’.

So, if the scope of monitoring (event management) becomes only to detect when ‘something goes wrong’, it is just detecting Incidents – hence ‘events’ in that case almost equate to ‘Incidents’.

To conclude, the value of the two terms, as well as of the two different processes, is seen only when you realize the following points about Events and Event management:

  • Event monitoring is NOT just to detect ‘something wrong’; it is also to get assurance of things ‘going right’ and to spot things that ‘might’ need some action.
  • When events indicate ‘something really wrong’, then it is an incident and calls for the Incident management process.
  • For other events, some might not require any particular action (but give you assurance of something going ‘right’), while others might need a deeper look to see if any action is required, and then the selection of an appropriate response action.

Thoughts and comments are welcome!

ITIL® is a Registered Trade Mark of the Office of Government Commerce in the United Kingdom and other countries