When an incident involves personal data, a system failure, or a compliance breach, two parallel clocks start running. The operational clock: contain and resolve. The regulatory clock: document the response timeline for potential authority notification. Most organizations manage both clocks inside the same Slack channel. That channel serves neither objective well.
An incident postmortem runs through five distinct phases: detection, initial response, containment, root-cause analysis, and corrective action planning. Each has specific owners and hard deadlines, and each produces evidence that regulators later evaluate. Without an execution layer that enforces this structure, phases collapse into each other, evidence gaps form, and 'we'll reconstruct it afterward' becomes the plan.
Structure the postmortem as a single Flow run with task groups for each phase. Detection logging is a mandatory task with a hard one-hour window; its timestamp becomes the official detection record. Containment tasks go to named owners with explicit SLA windows. Regulatory notification, required under LGPD Article 48, GDPR Article 33, or sector-specific rules, is a conditional task that activates automatically when breach confirmation is logged, counting from that timestamp forward.
The legal and compliance review is a formal approval gate, not a Slack thread. Before an incident is classified as non-notifiable (a high-stakes legal determination), the DPO and legal counsel must approve directly in the Flow. Their decision, the rationale they document, and the precise timestamp are immutable in the run's activity log. A senior approver can override. But the original position doesn't disappear.
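The run structure described in the two paragraphs above, sketched as an added example; this is not Cadenio's code, and `Run`, its methods and the event names are hypothetical. It assumes a 72-hour notification window (the GDPR Article 33 figure; set it per regime) and uses a SHA-256 hash chain as one way to make the log tamper-evident, which the page does not claim is how the product does it.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone

DETECTION_WINDOW = timedelta(hours=1)  # page: hard one-hour detection window
NOTIFY_WINDOW = timedelta(hours=72)    # assumption: GDPR Art. 33 figure; set per regime

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class Run:
    """Hypothetical run with an append-only, hash-chained activity log."""
    def __init__(self, opened_at):
        self.opened_at, self.log, self.notify_due = opened_at, [], None

    def append(self, at, actor, event, detail=""):
        entry = {"at": at.isoformat(), "actor": actor, "event": event, "detail": detail,
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        entry["hash"] = _digest(entry)
        self.log.append(entry)

    def log_detection(self, at, actor):
        on_time = at - self.opened_at <= DETECTION_WINDOW
        self.append(at, actor, "detection_logged", "on_time" if on_time else "sla_missed")
        return on_time

    def confirm_breach(self, at, actor):
        # Logging confirmation activates the notification task and starts its clock.
        self.append(at, actor, "breach_confirmed")
        self.notify_due = at + NOTIFY_WINDOW
        return self.notify_due

    def verify(self):
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

def demo():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    run = Run(t0)
    run.log_detection(t0 + timedelta(minutes=40), "oncall")
    run.confirm_breach(t0 + timedelta(hours=3), "ir_lead")
    run.append(t0 + timedelta(hours=5), "dpo", "non_notifiable", "no personal data exposed")
    # Override is a new entry; the DPO's original position stays in the log.
    run.append(t0 + timedelta(hours=6), "senior_approver", "notifiable", "override")
    return run
```

Editing any earlier entry after the fact makes `verify()` return `False`, which is the property an exported record needs to carry evidentiary weight.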
Corrective action is where most postmortems lose discipline after the incident closes. Root cause gets identified correctly. Then the action items migrate to a project board and quietly age. In Cadenio, corrective actions are tasks within the same run: named owners, due dates, mandatory evidence for closure. A task not completed on time generates an SLA alert and creates a visible gap in the compliance record.
The export capability is what makes this framework enterprise-grade. When a regulatory authority requests documentation, the response is an exported run: complete and structured, with every timestamp, every approval decision, every attached file, and the full activity history. Incident documentation response time drops from days of inbox reconstruction to hours of structured retrieval.
For organizations demonstrating operational resilience to enterprise buyers or certification auditors, a library of completed incident postmortem runs carries more evidentiary weight than any incident response policy document. It shows not how you claim you'd respond, but how you actually responded, repeatedly, under real pressure.
