What is the industry standard for business-critical IT incidents - are there any rules of thumbs to gauge if a dept has "too many" or is on par?


VP of IT and Platform Strategy and Product Management in Telecommunication, 1,001 - 5,000 employees
Super complex question, as it relates to the industry and to business criticality. Obviously in some areas one is too many, if the product or solution is business-critical, requires a real-time experience, etc. In such cases, redundancy and survivability (e.g. telecoms) must be invested in, vs. products which don't require real-time services.
Director of Information Security in Software, 10,001+ employees
Number of users and geographical reach (the greater the user base and usage across geographies).

Financial month-end and/or quarter-end applications, solutions and/or back-end jobs.
CTO for Digital & IT in Healthcare and Biotech, 10,001+ employees
This is a really hard question actually, as there are a lot of variables:
- How have you defined "business-critical", and have you been super-disciplined in applying the rules so that only the most truly critical incidents are considered business-critical? For example, we consider an incident critical (P1) if it involves a critical service, and either involves multiple users on a critical site, or affects all users. And the definitions of critical service and critical site are precise and applied with discipline so that only a few incidents are truly considered P1s.
- There can be a lot of noise early in the incident management process that leads to P1s being created because the user was screaming or the service desk misread the situation => reclassifying things quickly and objectively is very important as well.
- If you assume that what's left are the "real" P1s, I'm not sure there is a target number I can point to, but where I work (3000 locations, 70k users), the number of *real* qualified P1s is fairly stable at between 10 and 20 a month overall across all of IT (infra, apps...) and I think that feels about right given that you can't wholly avoid these kinds of outages.
- You need to track a couple things on this front, namely the trend over time of P1s (and take action if it diverges suddenly for some reason), and perhaps most importantly the number of P1s that are related to an IT-managed change, as those are the nastiest to explain to the business => the target there should really be 0.
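The P1 rule and the two tracking metrics described in the answer above, as an added example that is not part of the original post or of that commenter's tooling. The critical services, critical sites, incident records and the "1.5x the median of earlier months" trend threshold are all constructed assumptions for illustration; a real implementation would read them from the service catalogue and the ITSM tool.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from statistics import median

# Constructed definitions for this example; in practice these come from the service catalogue.
CRITICAL_SERVICES = {"ehr", "lab-results"}
CRITICAL_SITES = {"main-hospital", "emergency-dept"}


@dataclass(frozen=True)
class Incident:
    ident: str
    opened: date
    service: str
    site: str
    users_affected: int
    all_users: bool        # service unavailable for everyone, regardless of site
    change_related: bool   # linked to an IT-managed change record
    logged_priority: str   # what the service desk set when the ticket was created


def qualifies_as_p1(inc: Incident) -> bool:
    """Critical service AND (all users affected OR more than one user on a critical site)."""
    if inc.service not in CRITICAL_SERVICES:
        return False
    if inc.all_users:
        return True
    return inc.site in CRITICAL_SITES and inc.users_affected > 1


def reclassify(incidents):
    """Re-derive priority from the rule, ignoring how loudly the ticket was logged.

    Logged P1s that fail the rule are downgraded to P2 (the 'noise'); tickets that
    meet the rule are promoted to P1 even if the desk under-classified them.
    """
    result = []
    for inc in incidents:
        if qualifies_as_p1(inc):
            final = "P1"
        elif inc.logged_priority == "P1":
            final = "P2"
        else:
            final = inc.logged_priority
        result.append((inc, final))
    return result


def real_p1s(incidents):
    return [inc for inc, prio in reclassify(incidents) if prio == "P1"]


def downgraded(incidents):
    """Tickets the desk logged as P1 that did not survive objective reclassification."""
    return [inc.ident for inc, prio in reclassify(incidents)
            if inc.logged_priority == "P1" and prio != "P1"]


def monthly_p1_counts(incidents):
    counts = Counter(inc.opened.strftime("%Y-%m") for inc in real_p1s(incidents))
    return dict(sorted(counts.items()))


def change_related_p1s(incidents):
    """The metric whose target should be zero: real P1s caused by an IT-managed change."""
    return [inc.ident for inc in real_p1s(incidents) if inc.change_related]


def trend_alerts(counts, factor=1.5, min_history=2):
    """Flag months whose real-P1 count exceeds factor x the median of all earlier months.

    The factor and the minimum history length are assumptions chosen for the example.
    """
    months = sorted(counts)
    alerts = []
    for i, month in enumerate(months):
        history = [counts[m] for m in months[:i]]
        if len(history) >= min_history and counts[month] > factor * median(history):
            alerts.append(month)
    return alerts


# Constructed sample tickets covering three months.
INCIDENTS = [
    Incident("INC-1", date(2025, 1, 8), "ehr", "main-hospital", 40, False, False, "P1"),
    Incident("INC-2", date(2025, 1, 15), "email", "main-hospital", 0, True, False, "P1"),   # non-critical service
    Incident("INC-3", date(2025, 1, 22), "ehr", "clinic-7", 3, False, False, "P1"),         # non-critical site
    Incident("INC-4", date(2025, 2, 3), "lab-results", "main-hospital", 0, True, True, "P1"),
    Incident("INC-5", date(2025, 2, 11), "ehr", "emergency-dept", 1, False, False, "P1"),  # single user
    Incident("INC-6", date(2025, 2, 19), "ehr", "emergency-dept", 5, False, False, "P2"),  # under-classified
    Incident("INC-7", date(2025, 3, 2), "ehr", "main-hospital", 0, True, True, "P1"),
    Incident("INC-8", date(2025, 3, 9), "lab-results", "main-hospital", 12, False, False, "P1"),
    Incident("INC-9", date(2025, 3, 16), "ehr", "emergency-dept", 3, False, False, "P1"),
    Incident("INC-10", date(2025, 3, 27), "lab-results", "clinic-7", 0, True, True, "P1"),
]

if __name__ == "__main__":
    print("real P1s per month:", monthly_p1_counts(INCIDENTS))
    print("logged P1s downgraded as noise:", downgraded(INCIDENTS))
    print("change-related P1s (target 0):", change_related_p1s(INCIDENTS))
    print("months diverging from trend:", trend_alerts(monthly_p1_counts(INCIDENTS)))
```

Running it shows the separation the answer describes: three of the tickets the desk logged as P1 drop out under the rule, one under-classified ticket is promoted, March trips the trend alert, and the change-related list is the one number that should be driven to zero.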
Chief Information Security Officer in Healthcare and Biotech, 1,001 - 5,000 employees
Depends on the context of the business. As a starting point, refer to ISO 27001.
