How to define criticality?

Juliano,

Your BIA questionnaire should be set to assess the impact for disruption for e.g. 4 hours - 8 hours - 24 hours - 48 hours - 1 week. If the impacts of disruption are acceptable for e.g. 4 hours and 8 hours, but for 24 hours and after they are not acceptable, this means your MAO (Maximum Acceptable Outage) is somewhere between 8 and 24 hours. 

To determine MAO more precisely (where it is between 8 and 24 hours), you will have to consult with the owner of the process.

Dejan,

Actually, i want identify the criteria that i can use to define the criticality of my business process, eg: mission critical, important, minor.

I understood how to identify the MAO/MTPD, but i think that are different things right?

So, the BIA results will show:

Process A - Mission Critical - MAO 4hours

Process B - Important - MAO 5hs

Juliano,

Actually ISO 22301 does not require you to grade the criticality of your processes - it is either critical or not. If it is critical, the only thing that matters is how quickly it needs to recover - this is defined by MAO/RTO.

Dejan,

How you define the priority of business process recovery? Do you use only de RTO or quantitative impacts too?

Juliano,

Priority of recovery is determined on the basis of RTO - the activity with the shortest RTO will be recovered first. Quantitative impacts are an input for determining the RTO - for instance if the impact of disruption that lasts 24 hours is US$ 100,000, you can determine that this is not acceptable, so that your RTO needs to be less than 24 hours.