CALL US 1-888-553-2256

ITIL/ISO 20000 Knowledge base

'. get_the_author_meta('first_name'). ' '.get_the_author_meta('last_name').'

ITIL Incident Management – How to separate roles at different support levels

Author: Neven Zitek

Can you remember the days when each company employee used to have “his/her personal support IT guy”, or at least a “favorite IT guy” they would call in any situation they thought even remotely related to IT? I was always impressed by the amount of free coffee that “favorite IT guy” would get. Yes, having “your own” personal IT support was great for some employees, and I personally know of cases when people wouldn’t report any issues or incidents if their “favorite IT guy” was on vacation, or otherwise unavailable.

Well, to be perfectly honest, it wasn’t that great for all of the employees, and the “favorite IT guy” could only be at one place at the time, troubleshooting priority based on a “first-come-first-served” basis, and in the end no one really knew whether IT personnel were troubleshooting an isolated issue, a major incident, fulfilling some request, or what was going on in general.

All of that changed when IT organizations stared transforming to service-based IT organizations, and it became very important not only to know what was going on at any given time, but who was doing what as well. Establishing a single point of contact with the end users (customers), and handling incidents from there is a very important part of the customer relationship, as customers will turn to the service provider for assistance when an Incident occurs.

Before we continue, here is my interpretation of ITIL Incident and Incident management definition: “An Incident is, by definition, any unplanned service degradation or interruption, and within ITIL best practices framework – Incident Management is responsible for incident identification, logging and categorization, with the primary goal being a quick-as-possible restoration of service.”

Incident Manager or Service Desk Manager

Within the IT Service Operation part of the ITIL Service Lifecycle, the Service Desk function is center-stone, acting as a single point of contact for all end users. The Service Desk usually logs and manages all incidents and service requests, and provides an interface for all other Service Operation processes and activities. The Service Desk is the key to the implementation of the Request Fulfillment and Incident Management processes. It’s important to understand that Incident Management is a cross-IT organization process, not a Service Desk-only process!

The Incident Manager is responsible for maintaining the incident management system, producing management information and KPIs, and ensuring that all IT Teams follow the incident management process for all incidents. This makes the Service Desk Manager an ideal candidate for the Incident Manager role as well, in small- and medium-sized organizations.

ITIL_role_separation.pngFigure: Example of ITIL role separation for the Incident Management process. While Problem Management does not support end users directly, it is responsible for finding and removing the root cause of an incident.

First-Line Support / Service Desk

Once again, we have the Service Desk involved in the Incident Management process, in the role of First-Line Support. Once end users contact the Service Desk, it makes perfect sense that the Service Desk attempts to collect as much information and diagnostics about the incident as possible, and even resolves the issue on the spot, if possible. This will reduce resolution time for all minor incidents (q: my computer doesn’t work – a: did you try to turn it on?), and first-contact resolutions consequently increase end user satisfaction.

In general, First-Line Support staff within ITIL Incident Management will be managed by the Service Desk Supervisor, who will also serve as the escalation point, if needed. If First-Line Support is not able to resolve the incident right away, it will escalate the incident to Second-Line Support.

Second-Line Support

Second-Line Support of Incident Management is a role generally composed of the staff with greater technical skills than those of First-Line.  They should have enough time on their hands to devote themselves to incident diagnosis and resolution. Second-Line Support will pay a visit to the end user if required, something that Service Desk staff can’t do.

One common example, which I believe anyone in IT support can relate to, is fixing or setting up a projector in a conference room(s), or providing enough cables and enabling network access for all computers in a conference room. The Service Desk, in this situation, can’t help remotely – you wouldn’t send someone from the Service Desk to do it, as at some point you wouldn’t have any Service Desk personnel left to answer the phone / e-mail and provide the first level of support.

Third-Line Support

The Third-Line Support role is usually reserved for external suppliers and vendors; however, it may be an internal technical group if they possess specific knowledge required; e.g. network support, voice support, database support, hardware maintenance, etc.

A good example of Third-Line Support is a printing service that may be provided by an external provider or vendor, and disregarding the in-house expertise that the IT department may possess, they are contractually forbidden to try to fix anything relating to printers. In that case, the external provider or vendor has to be contacted for support when something goes wrong with the printing service.

If that Third-Line Support function, for which expertise in narrow fields is required, gets provided by in-house experts, you may reserve the Fourth-Line Support role for external providers and / or vendors.

If it’s something weird, and it don’t look good – Who you gonna call?

Within ITIL Service Management, Incident Management is one of the most basic, and most visible (to the customer) processes that IT organizations often choose to implement first  when transitioning to an IT service-oriented organization. Customers will often value the whole IT organization based solely on its Incident Management performance, as that is the part of the IT organization that they see, and interact with, the most. Having a single point of contact to interact with end users (customers) is vital for ITIL Incident Management. In that way, you can ensure that no information about an incident gets lost, and that incidents are handled as a real, business-valued priority, not according to a first-come-first-served principle.

On the other hand, if we look at Incident Management from the inside of IT, it provides an excellent overview about what is actually going on, and to relate to the beginning of the article, who is doing what. The first line of support provides basic / common assistance; for more complex tasks, there is the second line of support; and for external services or highly technology-specific issues, there is the third line of support. The matter of separating workload based on skills, know-how, and personnel availability is no longer a matter of concern. The only non-winner is our “favorite IT guy,” who, from now on, will have to pay for his own coffee.

Download a free sample of our  Incident Management process template to find out more about roles and responsibilities in the scope of the process.

If you enjoyed this article, subscribe for updates

Improve your knowledge with our free resources on ISO 20000 and ITIL standards.

You may unsubscribe at any time.

For more information on what personal data we collect, why we need it, what we do with it, how long we keep it, and what are your rights, see this Privacy Notice.

Leave a Reply

Your email address will not be published. Required fields are marked *



  • Advisera is Exemplar Global Certified TPECS Provider for the IS, QM, EM, TL and AU Competency Units.
  • ITIL® is a registered trade mark of AXELOS Limited. Used under licence of AXELOS Limited. All rights reserved.
  • DNV GL Business Assurance is one of the leading providers of accredited management systems certification.