DocsProcess GovernanceBusiness Criticality

Business Criticality

Assess business criticality for your processes — a structured approach to determining which processes matter most to your organization.

What Is Business Criticality?

Business criticality measures how essential a process is to your organization's ability to achieve its objectives and sustain operations. It is fundamentally different from risk:

  • Risk asks: "What could go wrong?"
  • Criticality asks: "How important is this process to the business?"

A process can be highly critical but low risk (well-controlled payment processing) or low criticality but high risk (an experimental workflow with poor controls). These are independent dimensions that together drive different decisions.

Why Criticality Matters

Business criticality drives several key governance decisions:

Decision AreaHow Criticality Guides It
Business ContinuityCritical processes get priority recovery targets (RTO/RPO).
Resource AllocationHigher criticality justifies more investment in controls and people.
Audit FrequencyCritical processes should be reviewed more often.
Change ManagementChanges to critical processes require more rigorous approval.
Incident ResponseFailures in critical processes trigger escalation.

Criticality Levels

Dictiva uses four levels to classify business criticality:

Critical

The process is essential to the organization's survival. If this process stops, the business cannot operate, customers are immediately affected, or regulatory obligations are breached.

Examples: Payment processing, production systems, regulatory reporting, customer-facing platforms.

Indicators:

  • Downtime is measured in minutes, not hours
  • Failure triggers immediate executive attention
  • No viable manual workaround exists
  • Direct revenue or compliance impact

High

The process is very important to operations. Disruption would cause significant impact but the organization could sustain a short period of degradation.

Examples: Employee payroll, supply chain management, internal communications, data analytics.

Indicators:

  • Downtime tolerance of hours to one day
  • Failure affects multiple departments or customer segments
  • Manual workarounds exist but are unsustainable
  • Indirect revenue impact or significant efficiency loss

Medium

The process contributes meaningfully to operations but disruption can be managed. The organization can operate at reduced capacity for a period.

Examples: Internal reporting, training programs, non-critical vendor management, internal documentation.

Indicators:

  • Downtime tolerance of days to a week
  • Impact is contained to specific teams
  • Manual workarounds are practical
  • No direct customer impact

Low

The process is useful but not essential. Disruption causes inconvenience rather than operational impact.

Examples: Internal social platforms, non-essential monitoring, archival processes, optional integrations.

Indicators:

  • Downtime tolerance of weeks or more
  • Impact limited to convenience
  • Alternatives readily available
  • No compliance or revenue implications

Guided Assessment Questions

Use these questions to determine the appropriate criticality level for a process. Answer each honestly and use the highest resulting level as your rating.

1. Revenue Impact

  • Does this process directly generate or enable revenue?
    • Yes, primary revenue stream → Critical
    • Yes, supports revenue indirectly → High
    • Contributes to efficiency → Medium
    • No revenue connection → Low

2. Customer Impact

  • If this process fails, are external customers affected?
    • Immediately and visibly → Critical
    • Within hours or indirectly → High
    • Only internal users notice → Medium
    • No one notices externally → Low

3. Regulatory and Compliance

  • Does this process fulfill a legal or regulatory requirement?
    • Yes, failure triggers regulatory breach → Critical
    • Yes, failure creates compliance risk → High
    • Supports compliance indirectly → Medium
    • No regulatory connection → Low

4. Operational Dependencies

  • How many other processes depend on this one?
    • Many critical processes depend on it → Critical
    • Several important processes depend on it → High
    • A few processes depend on it → Medium
    • Standalone, no dependencies → Low

5. Recovery Tolerance

  • How long can the organization tolerate this process being down?
    • Minutes → Critical
    • Hours → High
    • Days → Medium
    • Weeks or indefinitely → Low

6. Substitutability

  • Can this process be performed manually or by an alternative system?
    • No alternative exists → Critical
    • Alternatives exist but are costly or slow → High
    • Manual workarounds are practical → Medium
    • Easily replaced → Low

Criticality vs. Risk: Key Differences

DimensionBusiness CriticalityRisk
Question"How important is this?""What could go wrong?"
MeasuresStrategic value to the businessProbability and impact of adverse events
ChangesRarely (tied to business model)Frequently (tied to threats and controls)
DrivesBCP, resource allocation, audit priorityControl design, risk treatment, escalation
Independent ofCurrent risk level or control maturityBusiness importance

A mature governance program assesses both dimensions independently and uses them together: critical processes with high residual risk demand the most urgent attention.

Best Practices

  1. Assess at the L1/L2 level first -- Start with your top-level processes. Children typically inherit their parent's criticality unless they have unique characteristics.

  2. Involve process owners -- The people who run the process understand its importance better than anyone. Use the guided questions as a conversation framework.

  3. Review annually -- Business models change. A process that was "Medium" last year might be "Critical" after a strategic pivot.

  4. Don't inflate -- If everything is "Critical," nothing is. Reserve this level for processes where failure genuinely threatens the business.

  5. Document your reasoning -- Future reviewers should understand why a rating was assigned. The guided questions provide a natural structure for this.

Framework References

Business criticality assessment draws from established continuity and governance frameworks:

  • ISO 22301 -- Business Continuity Management. Defines the Business Impact Analysis (BIA) methodology for identifying critical functions.
  • NIST SP 800-34 -- Contingency Planning Guide. Provides criteria for categorizing systems by impact level (Low, Moderate, High).
  • COBIT 2019 -- Governance framework that ties process importance to enterprise goals through a cascade model.
  • BCI Good Practice Guidelines -- The Business Continuity Institute's methodology for identifying and prioritizing critical activities.