Skip to main content
Image coming soon

The Global Risk Operations Incident Runbook for Platform Trust

$199.00
Adding to cart… The item has been added

A focused course, tailored for you

The Global Risk Operations Incident Runbook for Platform Trust

Turn the daily integrity escalation queue into a documented, reviewable risk operation a board committee can read in fifteen minutes.

Your team owns the daily incident queue across integrity, abuse, and platform harm. By the time an incident is closed, the evidence trail is scattered across four tools and three threads, and a regulator-readable reconstruction takes a full week of senior time to assemble.

$199 one-time
Tailored to your situation. Access within 24 hours. 30-day money-back.

Includes a hand-built implementation playbook delivered alongside course access, generated for your specific situation.

Why this course

Global Risk Operations sits between policy, product, legal, and external regulators. The work is reactive by design: an integrity signal fires, a Sev is opened, a triage call spins up, a remediation ships, the ticket closes. What is missing is the operating layer that captures the decision trail, the impacted-user count, the root-cause hypothesis, and the policy interpretation in a single chronological record that the same shift, the next shift, an internal Privacy review, an external auditor, and a regulator inquiry can all read without translation. The cost shows up later: an Oversight Board referral that needs a fifteen-minute briefing takes three days to assemble, a DPC questionnaire that should be a copy from existing records becomes a six-week reconstruction project, and the same incident pattern recurs because the post-incident review never closed the loop. This course teaches the operating runbook that fixes that. Not a policy document. The actual day-to-day artefacts and decision-log structure that turn the incident queue into a durable, reviewable record.

What you walk away with

  • Ship a single incident-decision log template that is used on every Sev opened by your team within thirty days.
  • Cut the time to produce a regulator-readable chronology of a closed incident from one week to under two hours.
  • Run a post-incident review that closes the policy, product, and ops follow-up actions with named owners and review dates.
  • Hand a Privacy XFN, internal audit, or external counsel a single evidence pack per incident instead of a forwarding chain.
  • Build the quarterly Global Risk Operations narrative that a board risk committee reads in fifteen minutes.

The 12 modules

Module 1. The incident-decision log: structure and shift discipline
The single artefact that fixes most of the reconstruction problem. Module covers the decision-log template structure, the four field types every entry must capture (signal, decision, decider, time), the shift-handoff ritual that keeps it current, and the worked example of one Sev-2 written up cleanly from open to close. Includes the downloadable template you can drop into Quip or Workplace today.
Module 2. Severity classification that a regulator can defend
Most internal severity scales are tuned to engineering response time, not to harm magnitude. Module walks the harm-based severity rubric used by mature platform risk teams, how it maps to existing engineering Sev levels, where the two scales diverge, and how to document the diverge so an external reviewer reads consistent classification across a quarter of incidents. Worked examples across integrity, abuse, and access-control incidents.
Module 3. The impacted-user counting protocol
Counting impacted users sounds simple. In practice it is the most contested number in any post-incident report because the count depends on the time window, the harm definition, and the data freshness of the underlying tables. Module covers the four counting protocols (exposed, affected, harmed, materially harmed), when to use each, how to document the choice, and the worked example of a counted incident that survived legal review unchanged.
Module 4. Root-cause hypothesis discipline for non-engineers
Risk Operations people often inherit a root-cause statement from engineering and rewrite it for policy or regulator audiences. Module covers the five-question root-cause structure that operations leaders can drive without being engineers, how to frame product, policy, and operational root causes side by side, and how to write a root-cause section that engineering signs off on without re-litigation. Includes the rewrite-vs-summarise decision tree.
Module 5. The escalation matrix from Ops to Policy to Legal to External
Most incident queues have an informal escalation pattern that lives in tribal knowledge. Module covers how to draw the explicit matrix: which incident attributes trigger which escalation layer, what each layer owes the next, the named-role handoff at each step, and the worked example of an integrity incident that hit all four layers cleanly. Includes the downloadable matrix template ready to localise to your incident categories.
Module 6. Working with Privacy XFN and internal audit on a closed incident
Internal Privacy and internal audit will ask for an incident reconstruction with their own framing and their own questions. Module covers the standing evidence pack that pre-answers eighty percent of those questions, the meeting structure for the live review, the records-of-processing implications that often surface, and the worked example of a Privacy review closed in two meetings instead of eight.
Module 7. Regulator-readable chronologies (DPC, Oversight Board, FTC consent decree)
The chronology document is where most reconstructions die because it must read consistently to a regulator who has never seen your internal tooling. Module covers the chronology template (with the time-zone, source-system, and confidence-of-record fields a regulator wants), how to redact internal jargon without losing fidelity, and the worked example of a chronology that went to external counsel and back unchanged.
Module 8. The post-incident review that actually closes the loop
Post-incident reviews routinely produce action items that never close. Module covers the action-item structure (owner, due date, evidence of closure, review owner), the thirty-day and ninety-day check-back ritual, how to escalate stalled actions without breaking working relationships across teams, and the worked example of a PIR that closed nine actions in twelve weeks.
Module 9. Patterns, repeats, and the quarterly trend report
The value of an incident-decision log compounds when it is read across incidents. Module covers how to roll up the log into a quarterly pattern report that surfaces recurring policy gaps, recurring product weaknesses, and recurring operational friction, the small-N inference rules that keep the report honest, and the worked example of a quarterly report that drove a product roadmap change.
Module 10. Working with external counsel and outside auditors
External counsel asks different questions, on different timelines, with different document-handling rules. Module covers the standing engagement protocol, the privilege boundary on operational records, the document-production workflow that survives discovery, and the worked example of an external counsel engagement that produced a clean closure record.
Module 11. Building the board risk committee narrative
A board risk committee will read your function for fifteen minutes per quarter at most. Module covers the four-slide structure that earns those fifteen minutes (volume, severity mix, top-three patterns, top-three asks), how to write the narrative without naming individual closed incidents, and the worked example of a board-ready narrative built directly from the quarterly trend report.
Module 12. Standing up the runbook across a multi-shift, multi-region team
All of the above falls apart if it lives only with you. Module covers the rollout sequence (one shift first, then one region, then global), the training structure that gets new joiners productive in week two, the shift-handoff ritual that keeps quality high without slowing response, and the operating cadence (weekly ops review, monthly pattern review, quarterly board narrative) that holds the discipline in place.

How this addresses your situation

Specific modules that map to what you said you are dealing with.

When the Sev-2 closes Friday and the regulator-readable write-up is still blank, modules 1, 3, and 7 give you the artefacts to compress that gap.
When Privacy XFN opens a review of a closed incident, modules 6 and 10 give you the evidence pack that closes the review in two meetings.
When the same incident category keeps reopening, modules 8 and 9 give you the closed-loop PIR and the quarterly pattern report that drive an actual product or policy change.
When a board risk committee asks what your function did this quarter, module 11 gives you the four-slide narrative built from records you already keep.

What you get with this course

  • Twelve written course modules with downloadable templates for the incident-decision log, harm-based severity rubric, impacted-user counting protocol, escalation matrix, post-incident review, regulator-readable chronology, quarterly trend report, and board risk committee narrative.
  • Worked examples for each module taken from anonymised platform integrity, abuse, and access-control incidents.
  • A hand-built implementation playbook tuned to your team's incident category mix, shift structure, and regulator exposure.

What you will have in hand by Day 1, Week 1, Month 1

Day 1: account provisioned in the Art of Service learning environment, all twelve modules and templates available immediately.

Day 1: hand-built implementation playbook delivered alongside course access, tuned to your team's incident category mix and shift structure.

Weeks 1 to 4: work through modules at your own pace alongside the playbook, with the incident-decision log live on your next Sev.

Week 8 to 12: full operating cadence (weekly ops review, monthly pattern review, quarterly board narrative) running across the team.

Before and after

Before

An incident closes Friday afternoon. The decision trail is split across a Workplace post, a Tableau pull, a CRT thread, and a half-finished Quip page. A regulator inquiry ninety days later kicks off a week of senior reconstruction time.

After

Every incident closes with a single decision log, a chronology, an impacted-user count with its protocol named, and a PIR with owned follow-ups. The regulator inquiry ninety days later is two hours of work.

What happens if you do not address this

Without a documented operating runbook, the function stays exposed to reconstruction tax on every external inquiry, and recurring incident patterns never close because the post-incident review never produced an owned, evidenced action.

Who it is for

Senior individual contributor or manager in a Global Risk Operations function at a platform company. Owns or shares ownership of the on-call rota for an integrity, abuse, or platform-harm queue. Reports up through a Risk, Trust and Safety, or Integrity Ops org. Touches policy, product, legal, and external counsel several times a week. Writes or reviews Sev post-mortems. Has been pulled into at least one regulator-facing reconstruction.

Who this is NOT for. Not for product policy writers who do not work the incident queue. Not for trust and safety reviewers whose work is per-item enforcement rather than incident-level operations. Not for engineers building the detection systems themselves.

How it arrives

Text-based course in the Art of Service learning environment, plus downloadable templates and worked examples for every module, plus the hand-built implementation playbook delivered alongside course access.

Time investment. Roughly eight to twelve hours of reading across the twelve modules, plus the time to tailor each template to your existing tooling. Most teams stand up the incident-decision log on their next Sev within seven days of starting the course.

Why $199 is the right number

Generic incident response courses are tuned to engineering on-call, not to regulator-facing platform risk operations. Trust and safety certifications focus on per-item enforcement rather than incident-level operating discipline. This course sits in the gap between those two: the operating runbook that makes a Global Risk Operations function legible to a board committee, a regulator, and a successor team.

FAQ

Do I need engineering background to run the runbook?
No. The runbook is built for non-engineering Risk Operations leaders. Module 4 specifically addresses how to drive root-cause discipline without being an engineer.
Will the templates fit our existing tooling stack?
Yes. The templates are tool-agnostic and the implementation playbook is hand-built against the tools your team actually uses, whether that is Quip, Workplace, Tableau, CRT, or any mix.
What if our incident categories do not match the worked examples?
The implementation playbook is built against your category mix specifically. The worked examples cover integrity, abuse, and access-control as the most common shapes, but the runbook generalises to any platform-harm category.
How does this hold up to external counsel review?
Module 10 covers the privilege boundary on operational records, the document-production workflow that survives discovery, and the engagement protocol with external counsel. The template structure is built to keep privileged and non-privileged records cleanly separated.

30-day money-back guarantee. If after a week of working through the materials this is not what you needed, reply to the receipt email and a full refund is processed. No questions, no forms.

Within 24 hours your account in the learning environment is provisioned and the tailored implementation playbook is delivered alongside it.

!