There you stand, figuratively speaking, with a fistful of sticky labels all bearing the words "mission critical." Now, what to affix them to? Which applications and processes are truly mission critical and which are not? Ha! That's a trick question, right?! Yeah, actually it is.
"There are many stories where a failure in an unimportant system had monster impact on the business or where secondary systems took on significant roles in product management, service support or disaster recovery," warns Brian Barnier, a principal at ValueBridge Advisors who also serves on standards and practices committees such as ISACA, ARMA and OCEG.
And, he's right. There are lots of actual disasters to learn the general lesson from, but there are still no steadfast rules to follow. So, we're back to the fistful of sticky labels and the conundrum that represents. What to do, what to do?!
I humbly recommend what I call the fire alarm scale to rank apps and processes. It's an adaptation of Michael Lee's three category breakdown of app importance. Lee, by the way, is principal consultant at SWC, an IT firm that specializes in serving mid-sized businesses. Anyway, Lee categorizes apps as:
- Mission critical: those apps or processes that cost the company money any time they fail,
- Mission important: no harmful loss to the company if it fails in the short term, but harmful if it stays down in the long term, and
- Mission supported: will not stop the company's mission but will impede operations if lost.
That's a pretty good demarcation of apps and processes in general. However, I would remind you to also think about Barnier's warning of how secondary systems and seemingly insignificant apps and processes can suddenly pack a monstrous punch to an unsuspecting organization. Hence, my fire alarm scale which simply means weighing each app or process by the size of the panic it causes if it is down.
You could scare the heck out of everyone and just start unplugging stuff to see who - and how many - scream. I don't recommend that. It's very noisy and generally makes the company operations a mess for the duration. Plus, plugging things back up always entails more work than unplugging them, so it isn't a very efficient use of your time. It can be fun however if you are the sort that likes to remind people what it is that IT actually does. Ok, we've had our snicker let's get back to the fire drill.
The easier way to determine whether a downed app potentially amounts to a one-two-three or even four alarm catastrophe is to use app performance monitoring (APM) applications to automatically discover where the apps are, who uses them, and what resources they consume. But don't stop there. Find out what those apps are actually used for in order to discover their potential impact on mission critical processes. Trace it, track it, map it from source to end and back again; which is to say evaluate the importance of the data it contains, who is using that data and to what end.
"In an ideal world, all business processes within a company would directly or indirectly support revenue generation. But, in reality every process contributes differentially to this goal," says Deepak Bharathan of PA Consulting Group, a global management and IT technology consulting firm.
That's why you better know the terrain - every nook and cranny - and where the dangers really lie. Then and only then can you mark them clearly by the fire scale because then and only then do you really know what is and is not mission critical.