All Articles
Engineering LeadershipPost-MortemDevOps

We Shipped on Friday. The Post-Mortem That Changed How I Run Releases.

One Friday deploy at a reinsurer taught me more about release engineering than a year of best-practice blog posts. Here's what actually broke, and why.

MGMohamed Ghassen BrahimJanuary 16, 20268 min read

One Friday deploy taught me more about release engineering than a year of best-practice blog posts. It was not catastrophic — nobody lost data, no SLA breach hit the regulator's desk, no headlines. But it consumed an entire weekend for six people, triggered an emergency change board review on Monday, and revealed three systemic problems we had been quietly ignoring for months.

The feature itself was boring. A configuration change to how a reinsurance pricing engine applied regional factors. Three files changed. Tests passed. The lead engineer had reviewed the diff twice. We shipped at 4:15pm on a Friday because the product team needed it live for a Monday demo, and everyone said it was low-risk.

By 6pm, we had a production incident.

4:15pm
Time of Friday deploy
Standard business hours, low urgency
1h 45m
Time to first alert
Monitoring gap exposed
6 people
Weekend responders
Two of whom had no on-call role
3 root causes
Found in post-mortem
Zero found in pre-deploy review

What Actually Broke

The configuration change was correct in isolation. The problem was that it triggered a downstream pricing recalculation job that nobody had mapped as a dependency. That job was scheduled to run at 5pm — which, in production, meant 45 minutes after our deploy. When it ran, it picked up the new configuration and re-priced a batch of policies that had already been quoted and locked.

The system did not error. There was no exception, no alert, no red dashboard tile. The prices were recalculated silently, logged correctly, and surfaced in a reporting view that nobody checked on Friday evening. An analyst spotted it on Saturday morning while preparing for the Monday demo.

The sequence of events that caused the incident unfolded like this:

Three things failed simultaneously:

The dependency wasn't mapped. We had architecture diagrams for the pricing engine, but they were six months out of date. The downstream recalculation job had been added during a sprint two quarters earlier and was never added to the dependency map.

Our monitoring was feature-coverage monitoring, not behavioural monitoring. We watched for errors, latency degradation, and service health. We did not watch for "prices in a locked batch changed after lock." That was business logic that our observability stack had never been asked to cover.

The Friday window was not a policy decision — it was drift. We had an informal "no deploys on Friday afternoon" norm, but it had been eroded by repeated exceptions over six months until it existed only in the institutional memory of two senior engineers who happened to both be on leave that week.

The Post-Mortem We Actually Ran

I want to be specific here, because most post-mortems I see are either blame-avoidance rituals or superficial five-whys exercises that identify a proximate cause and call it done.

We ran a two-hour session with eight people: the two engineers who shipped, the on-call engineer, the analyst who spotted the issue, the product manager who had pushed for the Friday timeline, and myself. The goal was not to identify what went wrong — we already knew that. The goal was to identify the systemic conditions that made it possible to go wrong at all.

🔍

The question that changes everything in a post-mortem

Stop asking "why did this happen?" and start asking "what would have had to be true for this not to happen?" The first question leads to a single root cause and a point fix. The second question reveals the systems, norms, and gaps that need to change.

The session produced a different set of findings than the initial technical review. Not "the configuration change triggered a downstream job" — we knew that. But:

  • Dependency maps had no owner and no update cadence. They were documentation, not living artefacts.
  • Business-logic monitoring was implicitly assumed to be the application team's responsibility — but no application team had been given time to instrument it.
  • The Friday deploy norm had no enforcement mechanism. It was a cultural expectation that had quietly died.
  • The product pressure to hit the Monday demo was real and had never been pushed back on — because the engineering team had no established framework for flagging release risk to non-engineers.

What Changed as a Result

These are not aspirational bullet points. These are the specific changes we implemented within 30 days of that post-mortem.

ChangeWhat It ReplacedOwner
Dependency maps moved into IaC — generated from the actual service definitions, not maintained manuallyStatic Confluence diagrams updated quarterly at bestPlatform team
Deployment freeze window: Thursday 4pm to Monday 8am, enforced by the CD pipeline (not culture)Informal "no Friday" norm with no enforcementEngineering lead
Business-logic alerting added for all pricing operations: "locked batch prices changed" alert, P1Feature-availability monitoring onlyApplication team with dedicated sprint allocation
Release risk rating required in every PR for production changes, surfaced to product ownerNo formal risk communication to non-engineersEngineering + Product process
Post-mortem template updated: "What systemic conditions enabled this?" as a mandatory sectionFive-whys template that stopped at proximate causeEngineering lead

That table took five weeks to implement fully. None of it was technically hard. All of it required someone deciding it was worth the time — which is the actual constraint in most engineering organisations.

The Friday Window Is Not the Problem

Let me be direct about something: the Friday deploy was not the problem. It was the symptom.

Teams that have never shipped on a Friday have simply not had the opportunity to discover that their dependency maps are wrong, their monitoring is incomplete, and their informal norms have eroded. They have a false sense of process maturity. The Friday constraint is a workaround for systemic problems — not a solution to them.

The correct question is not "should we deploy on Fridays?" The correct question is: "how do we build a release process where the day of the week is irrelevant because the risk is understood, the dependencies are mapped, the monitoring will catch problems, and the rollback is rehearsed?"

⚠️

Freeze windows are technical debt

A no-deploy-Friday policy that has no expiry date is technical debt with a calendar. It acknowledges that your release process cannot be trusted under conditions of reduced staffing — and it treats that distrust as a permanent operating assumption instead of a problem to solve. Build toward making the window irrelevant.

Most organisations I audit are between two and four years into a "no deploys on Friday" policy that started as a short-term safeguard. It became permanent because the underlying problems were never fixed. The freeze window is the workaround that ran for years. (More on that in a future post.)

What Good Release Engineering Actually Looks Like

The organisations I've seen handle releases well — across financial services, energy, and SaaS — share a set of practices that are less about what day you deploy and more about the state of knowledge you carry into every deploy.

PracticeWhat It Looks Like in Practice
Dependency mapping as codeService definitions declare their downstream dependencies; maps are generated, not maintained
Pre-deploy impact analysisA script or pipeline step that identifies what downstream processes will be triggered within 2 hours of this deploy
Business-logic monitoringAlerts defined by domain experts: "this metric should not change during this state"
Rehearsed rollbackRollback procedure tested in staging in the week before any significant release
Risk-rated changesAll production changes carry a risk rating (Low / Medium / High) that determines approval flow and deploy window
Blameless post-mortems with systemic scopeTemplate forces the question: what conditions made this possible, not just what triggered it

None of this is exotic. All of it exists in the tooling most teams already have. The gap is almost always prioritisation: someone has to decide that building the release process is product work, not overhead.

The Business Consequence of Weak Release Engineering

I frame this to engineering leaders the same way I frame it to CFOs: every production incident caused by a release failure has a cost you can calculate.

The Friday incident cost us approximately 48 engineer-hours of weekend response time, 6 hours of Monday incident review, a deferred demo that pushed a sales conversation by two weeks, and a change board review that delayed our next three planned releases by an average of four days each while we wrote the remediation report.

In loaded cost terms at a mid-size reinsurer: roughly €40–60k for a weekend incident that looked, on its face, like a low-risk configuration change.

That number — not the post-mortem document, not the five-whys, not the lessons-learned presentation — is what made the conversation about investing in release process infrastructure actually happen.


If your organisation is wrestling with release risk, post-mortem quality, or the gap between engineering process and business confidence, let's talk. Book a 30-minute discovery call — in my experience, the release process is one of the highest-leverage places to spend a few hours of senior engineering attention.

Ready to act

Ready to put this into practice?

I help companies implement the strategies discussed here. Book a free 30-minute discovery call.

Schedule a Free Call