← Back to blog

Runbooks Are Technical Debt

· X min read
Automation SRE Operations

Every team has a wiki full of runbooks. Somewhere between the onboarding docs and the architecture diagrams sits a collection of step-by-step procedures for handling incidents. Restart this service. Check that dashboard. Run this query. Escalate to that team. Most of them are wrong.

Not because they were poorly written. When they were created, they were probably accurate. The problem is that systems change and documentation doesn't keep up. That runbook written six months ago references a service that's been renamed, a dashboard that's been deprecated, and an escalation path that routes to a team that no longer owns the component. The runbook isn't just unhelpful. It's actively dangerous.

The Decay Problem

Runbooks are point-in-time snapshots of operational knowledge. They capture what was true at the moment someone wrote them. But infrastructure is not static. Services get refactored. Dependencies change. Endpoints move. Configuration formats evolve. Ownership shifts between teams.

The moment any of these things happen, the runbook starts drifting from reality. Sometimes the drift is minor -- a flag name changed, a port number updated. Sometimes it's catastrophic -- the entire remediation workflow assumes a component that no longer exists.

Here's what makes this insidious: you don't discover the decay until you're in an incident. Someone is paged at 2 AM, opens the runbook, follows the steps, and hits a dead end. Now they're dealing with two problems: the original incident and the confusion caused by stale documentation. Stale instructions during an incident are worse than no instructions at all, because they consume time and mental energy while providing false confidence.

Documentation has no built-in feedback loop. Code fails loudly when it's wrong -- tests break, builds fail, users complain. Runbooks fail silently. They sit in your wiki, looking authoritative, rotting from the inside.

Why We Keep Writing Them

If runbooks are so fragile, why does every team keep producing them? Because they feel productive. Writing a runbook after an incident feels like progress. Post-mortems generate action items, and "update the runbook" or "create a runbook for this failure mode" is the path of least resistance. It's concrete, completable, and easy to verify. Box checked. Action item closed.

But this addresses the symptom, not the disease. The symptom is that someone didn't know what to do during an incident. The disease is that the remediation process is manual, fragile, and dependent on human memory. A runbook is a band-aid on a process that shouldn't require human intervention in the first place.

There's also an organizational incentive problem. Writing a runbook takes an hour. Automating the remediation might take a week. When you're under pressure to close post-mortem action items and move on to feature work, the runbook wins every time. This is how teams accumulate operational debt: one well-intentioned wiki page at a time.

The Toil Trap

Google's SRE handbook defines toil as work that is manual, repetitive, automatable, tactical, and devoid of enduring value. Runbooks are toil encoded as procedure. They take human actions that could be scripted and instead write them down as instructions for other humans to follow manually.

Think about what a runbook actually is: a sequence of deterministic steps. Check if the service is running. If not, restart it. Check if the restart worked. If not, check the logs for a specific error. If that error is present, clear the cache and restart again. This is an algorithm. It belongs in code, not in a wiki.

Every runbook is a confession that you haven't automated something yet. That's not necessarily a failure -- there are good reasons to defer automation. But it should be recognized for what it is: debt. And like all debt, it accrues interest. Every time an engineer follows manual steps instead of running an automated remediation, the organization pays that interest in time, cognitive load, and risk of human error.

Automated Remediation

The better model is to encode runbook logic into the system itself. Instead of documenting "if the service crashes, restart it," configure the system to auto-restart crashed services. Instead of writing "if CPU exceeds 80%, scale up the cluster," set auto-scaling policies that respond to thresholds. Instead of maintaining a rollback procedure, build deployment pipelines that auto-rollback when health checks fail.

This isn't about removing humans from the loop. It's about removing humans from the routine and keeping them for the novel. Automated remediation handles the cases you've seen before. Human judgment handles the cases you haven't. The distribution should look something like this:

The goal is to push as many incident types as possible toward the top of that list.

Decision Trees Over Procedures

Full automation isn't always possible or practical. Some failures require diagnostic reasoning. Some remediations carry risk that warrants human approval. For these cases, the answer isn't a static runbook -- it's an interactive decision tree.

A decision tree guides a responder through diagnostic steps based on what they're actually seeing, not what someone assumed they'd see six months ago. It asks questions: Is the service responding to health checks? What's the error rate? Is this affecting a single availability zone or multiple? Each answer narrows the path to the right remediation.

The advantages over static runbooks are significant:

A wiki page last edited 18 months ago has none of these properties. A decision tree implemented in code, tested in CI, and triggered by your incident management system has all of them.

The Graduation Model

Not everything can be automated on day one. The path from manual runbook to self-healing system is a spectrum, and it helps to be explicit about where each incident type sits on it.

Level 0: Manual Runbook

A wiki page with steps. This is where everything starts. It's acceptable for rare, complex, or newly discovered failure modes. It's not acceptable as a permanent state for anything that happens regularly.

Level 1: Automated Check

The system detects the problem and alerts the right person with relevant context. The human still performs the remediation, but they don't have to discover or diagnose the issue.

Level 2: Assisted Remediation

The system detects the problem, presents a decision tree or remediation script, and the human approves or executes it. The cognitive load is minimal -- the responder validates rather than invents the response.

Level 3: Automated Remediation

The system detects the problem and fixes it automatically. A human is notified after the fact. The notification includes what happened, what was done, and confirmation that the remediation worked.

Level 4: Self-Healing

The system is designed so the failure condition can't persist. Auto-scaling prevents capacity exhaustion. Retry logic with circuit breakers handles transient failures. Redundancy eliminates single points of failure. The "incident" never materializes.

Track where each of your common incident types sits on this spectrum. Set explicit goals to graduate them. If your most frequent page is a Level 0 runbook that someone follows manually every time, that's a problem worth solving before building the next feature.

Starting Point

If your team is sitting on a pile of runbooks and this all sounds good in theory but overwhelming in practice, here's a concrete path forward:

  1. Audit your runbooks. Go through your wiki and check when each runbook was last updated versus when the system it describes was last changed. You'll likely find that a significant percentage are stale. Quantify this. The number will be sobering and useful for making the case for investment.
  2. Identify the top 5 most-used runbooks. Look at your incident history. Which runbooks get referenced most frequently? These are your highest-value automation targets because they represent the most recurring toil.
  3. Automate the simplest one end-to-end. Pick the runbook with the most straightforward, deterministic steps and convert it into an automated remediation. This gives you a quick win, builds confidence, and establishes patterns for the harder ones.
  4. For complex ones, build decision trees. Take the runbooks that require diagnostic reasoning and convert them into interactive decision trees. Store them as code. Test them in CI. Integrate them with your incident management tooling.
  5. Measure MTTR before and after. Track mean time to resolution for incident types before and after automation. This data justifies continued investment and reveals which automations are working and which need refinement.

This isn't a six-month project. Start with one runbook. Automate it. Measure the impact. Then do the next one. The compounding effect of each automated remediation is significant: less toil, faster resolution, fewer 2 AM pages, and more engineering time for work that actually matters.

The best runbook is the one you never have to open. Not because it was well-written, but because the system handles the problem before a human ever needs to get involved.

Runbooks aren't evil. They're a natural starting point for capturing operational knowledge. But they should be treated as a temporary state, not a permanent artifact. Every runbook in your wiki should carry an implicit expiration date and an explicit plan for graduating to automation.

The teams that operate most effectively aren't the ones with the best-documented procedures. They're the ones that have systematically eliminated the need for procedures altogether. They've turned their runbooks into code, their tribal knowledge into automated checks, and their manual remediation into self-healing systems. The wiki is quiet not because no one writes documentation, but because there's nothing left that needs to be done by hand.

Comments