How to actually run each of the ten techniques: step-by-step procedure, a worked example, a copy-ready worksheet, the errors to avoid, and where each hands off to the next. The Field Guide tells you which method and why; this tells you how.
Read the worksheet in each section as a template to copy — the blank tables and skeletons are meant to be reproduced in a ticket, doc, or whiteboard and filled in. All worked examples are illustrative, not real incidents.
METHOD 01
5 Whys
Drill a single causal thread from a confirmed fact down to a systemic, fixable root.
Reasoning · abductive, tested deductivelyBest for · a clear single threadAvoid for · interacting / parallel causes
Procedure
Start from a confirmed symptom or proximate cause — never a guess.
Ask why it happened; answer from evidence. If you can't evidence the answer, tag it suspected and verify before continuing.
Make the next "why" interrogate the previous answer.
Branch whenever a "why" has more than one valid answer — pursue each line.
Stop when the cause is systemic, within your control, and fixing it would prevent recurrence.
Validate by reading the chain back forward with "therefore." If a step doesn't follow, the chain is broken — repair it before you accept the root.
Worked example (illustrative)
Data accessed by unauthorized party → why? valid employee login used → why? credential phished, no second factor → why? MFA not enforced on the portal → why? no policy required MFA on internet-facing services, and no control checked for it. Root: the missing policy + control — not "the user clicked." Read back: no policy → MFA unenforced → a phished credential was sufficient → attacker logged in. Logic holds.
OR gate — any one input alone causes the event above it. AND gate — all inputs must occur together. Breaking any single input of an AND gate stops the event above; an OR gate requires breaking every input.
Procedure
Write the undesired outcome (the top event) precisely at the top.
Identify the immediate events/conditions that could produce it.
Connect them with OR or AND gates — be deliberate about which.
Decompose each intermediate event until you reach basic events you can't or needn't break down further (your candidate roots).
Derive the minimal cut sets — the smallest sets of basic events that together cause the top event.
Prioritize: a single basic event that alone causes the top event (a one-element cut set) is a single point of failure — fix first.
Skeleton — name the top event, choose the gate, decompose to basic events.
Cut-set worksheet
Cut set
Basic events in it
Single point of failure?
Fix / barrier
1
…
yes / no
…
2
…
…
…
Common errors
Choosing the wrong gate — AND where it should be OR — which inverts your conclusion about leverage.
Stopping decomposition too high, so "basic events" are still compound.
Ignoring cut sets and treating every leaf as equally important.
Hand-off: often built from Fishbone survivors; cut sets feed CAPA prioritization.
Across many incidents, find the few causes responsible for most of them — so you fix those first.
Reasoning · inductiveBest for · many recurring incidentsCaveat · prioritizes, doesn't diagnose
Procedure
Fix a dataset and timeframe (e.g., last quarter's incidents).
Categorize each incident by its cause. Use consistent, mutually exclusive categories.
Count occurrences — or weight by impact if a rare cause does most of the damage.
Sort categories descending by count/weight.
Compute the cumulative percentage down the list.
Identify the small set of causes that reaches roughly 80% of the total — start there.
Run a 5 Whys on each top category to find what the cause actually is.
Worked example (illustrative)
40 incidents categorized: no-MFA 16, unpatched 9, misconfig 6, phishing 5, insider 2, other 2. Sorted, the first two causes (no-MFA + unpatched = 25/40 ≈ 63%) and the third (misconfig, cumulative ≈ 78%) account for the bulk — fix MFA enforcement and patching before anything else.
Tally worksheet
Cause category
Count (or weighted)
% of total
Cumulative %
…
…
…
…
…
…
…
…
…
…
…
…
Common errors
Inconsistent or overlapping categories, so counts are meaningless.
Counting frequency when a low-frequency, high-impact cause should dominate — weight by impact.
Treating the top bar as "the cause" — Pareto tells you where to look, not what is wrong.
Hand-off: the top categories feed individual 5 Whys / Fault Tree analyses.
When something worked before and fails now, the cause is usually a change — find it by comparison.
Reasoning · comparative / deductiveBest for · "worked yesterday, broke today"Pairs with · Timeline
Procedure
Define the failed state and a known-good baseline (same system when it worked, or a working peer).
List every difference: deployments, config edits, patches, new/changed accounts, network/firewall changes, data volume, certificates, upstream dependencies, time/scheduled jobs.
For each difference, ask: could this plausibly cause the observed failure?
Rank suspects by plausibility and by timing alignment with onset.
Test the top suspect — revert it, or compare against the baseline directly.
Confirm the change is the cause (the removal test), then trace why that change was harmful.
Worked example (illustrative)
WEB-03 began returning 503s at 14:10. Diff vs the 13:00 baseline: a 14:00 deploy, a TLS cert rotation, and a traffic spike. Timing points at the deploy; reverting it restores service → the deploy is the change. Then drill why the deploy broke it.
Difference worksheet
Dimension
Known-good baseline
Failed state
Difference
Suspect?
Code / deploy
…
…
…
…
Config
…
…
…
…
Accounts / access
…
…
…
…
Network
…
…
…
…
Data / load
…
…
…
…
Common errors
An incomplete baseline — you only compare what you thought to look at.
Missing "invisible" changes: certificate expiry, an upstream provider change, gradual data growth, a scheduled job that just fired the first time.
Assuming the most recent change is guilty without testing timing against onset.
Hand-off: the identified change becomes the starting fact for a 5 Whys.
Proactively enumerate how a system could fail and rank the modes, so you fix the worst before they happen.
Reasoning · predictive / deductiveBest for · design & hardeningNot for · post-incident (use RCA)
Procedure
Pick the system/process and break it into components or functions.
For each, list potential failure modes (how it could fail).
For each mode, describe the effect and rate Severity (S).
Identify causes and rate Occurrence (O).
Note current controls and rate Detectability (D) — how likely you are to catch it before impact.
Compute a priority figure (traditionally RPN = S × O × D), sort descending.
Act on the top items — reduce Severity or Occurrence, or improve Detection — then re-score.
Worked example (illustrative, 1–10 scales)
Function
Failure mode
Effect
S
O
D
RPN
Login
Credential stuffing succeeds
account takeover
9
6
5
270
Login
Session token not expired
replay access
7
3
6
126
Credential stuffing (RPN 270) outranks the token issue (126) → address it first, e.g., add MFA (lowers O) and rate-limit + alert (improves D).
FMEA worksheet
Function
Failure mode
Effect
S
Cause
O
Controls
D
RPN
Action
…
…
…
…
…
…
…
…
…
…
Scoring caveats — read before using RPN
The 1–10 scales are relative and team-defined; an RPN is a prioritization heuristic, not an absolute risk value, and it shouldn't be compared across different FMEAs. Multiplying ordinal scores is statistically weak — very different S/O/D combinations can produce the same RPN, so always inspect Severity directly (a high-severity mode deserves attention even at a modest RPN), and never lower a Severity score because detection is good. Newer AIAG-VDA FMEA guidance replaces RPN with an Action Priority (AP) table for this reason. If your organization follows a specific FMEA standard, verify its current revision and use that scheme rather than these defaults.
Common errors
Reducing Severity because a failure is easy to detect — Severity is about consequence, not catchability.
Treating RPN as an objective number or comparing it across systems.
Scoring once and never revisiting after controls change.
Hand-off: high-priority modes feed the hardening backlog; after a real failure, switch to RCA.
All methods here (5 Whys, Ishikawa/fishbone, Fault Tree Analysis, Pareto, Change Analysis, Barrier Analysis, timeline/event sequencing, Kepner-Tregoe IS/IS-NOT, Bowtie, FMEA) are established, widely documented techniques; procedures are synthesized from standard practice and the source notes. Worked examples, scores, and counts are illustrative, not real incidents or measured data. Scoring scales and any framework- or standard-specific scheme (e.g. FMEA RPN vs AIAG-VDA Action Priority) should be verified against your organization's currently adopted revision before use.