Error Budget Policies That Actually Get Followed
Error budgets only work if the consequence of exhausting them is real. The discipline is political; the policy is structural.
Why most policies are decoration
Most error budget policies say ‘if budget exhausted, freeze feature work.’ In practice, feature work continues.
The policy lives only if it costs feature shipping when triggered.
Three enforcement mechanisms
- 1. CI gating. Out-of-budget services cannot deploy non-reliability changes.
- 2. Sprint planning gating. Affected team plans only reliability work that sprint.
- 3. Public scorecard. Budget status visible to leadership.
Getting product buy-in
Product accepts because the alternative is worse: incidents that block features anyway, less predictably.
Frame: ‘the budget is feature-shipping insurance.’
The exception safety valve
Exceptions exist (regulatory deadline; customer contract); document them; cap their use (max N/year).
Without exceptions, policies become brittle and get ignored entirely.
Antipatterns
- Policy with no enforcement. Decoration.
- No exception path. Brittle.
- Exceptions every quarter. Policy gone.
What to do this week
Three moves. (1) Apply the pattern to your most-impactful service. (2) Measure adherence for 30 days. (3) Rewrite the policy or the SLO if the gap is durable.