Run 5 Whys That Surface Contributing Factors, Not Scapegoats

Most senior engineers have already lived through a bad 5 Whys.

It starts with good intent. It ends with a name. A missed alert. A line of code.

Everyone leaves knowing the incident will happen again, but unable to articulate why.

That failure mode is not caused by a lack of rigor or intelligence. It comes from applying a tool designed for deterministic systems to modern sociotechnical ones.

This post explains why the 5 Whys so often collapses into blame, and how to run it in a way that reliably surfaces contributing factors across detection, diagnosis, mitigation, and prevention.

Root Cause vs. Contributing Factors

This distinction is the heart of the problem and the key to fixing it.

The Original Intent (and Its Limits)

The 5 Whys technique originated with Taiichi Ohno as part of the Toyota Production System. In its original manufacturing context, problems were relatively bounded, repeatable, and mechanically deterministic. Asking "why" multiple times often converged on a meaningful underlying condition.

Modern production systems are different.

They are distributed, adaptive, partially observable, and deeply intertwined with human judgment. In these environments, incidents rarely have a single cause. They emerge from multiple conditions interacting over time.

This distinction matters.

A method built to isolate faults in deterministic systems will fail, both socially and technically, when applied unchanged to complex ones.

From Root Cause to Contributing Factors

Resilience engineering has been making this argument for decades.

Researchers such as Sidney Dekker and David Woods show that failures emerge from normal work operating under normal constraints. Incidents are not anomalies. They are signals.

When teams insist on finding a single root cause, three predictable things happen:

• Inquiry narrows prematurely
• Social pressure pulls analysis toward individuals
• Systemic risks remain invisible

A productive 5 Whys does not seek the answer. It maps the conditions.

A More Useful Frame: Four Dimensions of Inquiry

Instead of asking "why" in a single linear chain, run the 5 Whys across four dimensions.

Detection

Why did it take this long to notice? Why was the signal weak, late, or ambiguous?

Diagnosis

Why was the problem misunderstood or misclassified? Why did early hypotheses fail?

Mitigation

Why did recovery take this long? Why were mitigations risky, manual, or delayed?

Prevention

Why was the system in a fragile state to begin with? Why were safeguards missing or ineffective?

Each dimension gets its own set of "whys."

This reframes the exercise from explanation to exploration.

Draw a Tree, Not a Line

Draw a tree. Do not stop after one path.

Every meaningful incident has multiple contributing paths, and they rarely align neatly. Detection issues intersect with diagnosis gaps. Mitigation failures reveal prevention debt.

Some heuristics for knowing when you have gone deep enough:

• You begin to surface organizational or cultural constraints
• The same contributing factor appears across multiple branches
• Findings shift from events to conditions

If every branch ends in a human action, you have not gone deep enough.

Common Antipatterns (and Why They Persist)

Stopping Early

Inquiry halts as soon as the conversation becomes uncomfortable. The system remains unchanged.

Narrow Scope

Teams analyze only the moment of failure, not the conditions that shaped it.

Blame Gravity

In low-trust environments, analysis is pulled inexorably toward individuals. This is not a facilitation mistake. It is a system property.

Facilitation Matters More Than Technique

A principal engineer already knows this, but it bears stating plainly:

Effective facilitation requires:

• Explicitly protecting participants from blame
• Redirecting "who" questions into "what conditions"
• Holding space for ambiguity instead of rushing to closure

Technique without facilitation discipline is theater.

A Worked Example: One Incident, Many Contributing Factors

Incident Summary

A payments API experienced intermittent 500 errors for 47 minutes during peak traffic. Approximately 6 percent of checkout attempts failed. No data loss occurred.

A naive 5 Whys might conclude:

True. And almost useless.

Let's analyze the same incident using contributing factors across four dimensions.

Detection Factors

Why did it take 18 minutes to detect the issue?

• Alerts were based on averaged error rates, not tail latency
• The failing path was a background retry job, not the primary request path
• Dashboards aggregated all payment methods, masking card-specific failures

Why were tail signals missing?

• Service-level objectives focused on synchronous success only
• Retry queue depth was not monitored

Insight: The system was failing quietly before users noticed. This was an observability design decision, not an operational mistake.

Diagnosis Factors

Why was the issue initially misdiagnosed as a third-party outage?

• Logs surfaced Stripe timeouts but not database wait time
• Error messages collapsed distinct failure modes
• Runbooks biased responders toward external dependency checks

Why did diagnosis take time to correct?

• There was no shared mental model of retry amplification effects
• Similar past incidents were not easily discoverable

Insight: Responders reasoned correctly from incomplete data.

Mitigation Factors

Why did mitigation take 29 minutes after detection?

• Traffic shedding required a manual feature-flag change
• Rate limits were undocumented and conservative
• No dry-run mode existed to validate mitigations

Why was rollback risky?

• Recent schema changes complicated reversal
• Oncall engineers lacked familiarity with the migration path

Insight: Recovery was slowed by fear of compounding failure, not lack of effort.

Prevention Factors

Why was the system vulnerable?

• Retry logic accreted over several quarters
• Load testing never exercised amplification scenarios
• Capacity planning assumed steady-state behavior

Why were these risks not visible earlier?

• Prior action items were scattered across documents
• There was no mechanism to track recurring contributing factors

Insight: This was not a new failure. It was a pattern without memory.

Collapsed Factor Tree

Notice what is absent:

• A single engineer
• A single line of code
• A single moment in time

What This Example Demonstrates

A traditional 5 Whys might produce one action item:

This analysis produces something more valuable:

• Observability design changes
• Runbook restructuring
• Safer mitigation tooling
• A clear signal that institutional memory is failing

The difference is not depth. It is structure.

When 5 Whys Is Not Enough

Even a well-run 5 Whys has limits.

For highly complex incidents, it works best alongside other approaches such as:

• Structured timeline reconstruction
• AcciMap-style system mapping
• STAMP-inspired control and feedback analysis

The goal is not methodological purity. It is insight.

Where Tooling Becomes Essential

Manually assembling this kind of factor map from Slack threads, PagerDuty alerts, dashboards, and call recordings is slow and lossy. Weak signals disappear as soon as the incident ends.

This is where tooling matters.

COEhub helps by aggregating fragmented incident context, preserving early hypotheses and weak signals, and making recurring contributing factors visible across incidents.

The value is not automating analysis. It is organizational memory.

The Real Test of a Good 5 Whys

A productive 5 Whys does not end with an answer. It ends with shared understanding.

You know it worked when:

• Multiple teams recognize themselves in the findings
• The same factors explain more than one incident
• Future oncall engineers can learn without being in the room

If the outcome fits on a single line, very little learning occurred.

Closing Thought

The question is not whether you can identify a cause.

It is whether your system can remember the conditions that made failure possible and change them before the next incident assembles the same way again.