Incident response: status, timeline, and risk links

Status lifecycle: detected → triaging → responding → resolved → closed → reviewed. The four timestamps (detected, responded, resolved, closed) let you compute MTTR and other response metrics.

Use the timeline on each incident to log every meaningful action, categorised as detection, triage, action, escalation, communication, resolution, or review. This is your post-incident record — treat it like an ops ledger: who did what, when, and why.

Linking incidents to risks. After the incident is resolved, open the detail and link the risk(s) it materialised. This closes the loop: your risk register said X could happen, X happened, and now the link between them is first-class data. When the same risk recurs, you can count incidents against it — a much better health signal than "has anyone heard complaints lately".

After closure, move status to reviewed once the post-incident review is complete and the lessons learned field is filled in.