The Definitive Guide to Application Criticality Assessment & Matrix

Application criticality assessments help organizations protect assets vital to business operations. They are a key part of an application portfolio assessment.

What is an application criticality assessment?

An application criticality assessment is a process of evaluating the importance of applications based on their potential impact on business operations, data, and infrastructure.

Organizations rely on technology to function effectively. That is why running asset criticality assessments helps IT architects predict and monitor the impact of potential failures.

Application or system criticality assessments can be done as part of a wider application portfolio assessment.

Importance and benefits

It’s important to know exactly which applications in your portfolio are critical to your organization. An assessment will help prioritize applications for any use case.

The assessment helps identify the criticality of an application, which in turn determines the level of protection and resources required for the application.

Some of the benefits of an application criticality assessment are:

  • Risk Management: Identifying the criticality of an application helps prioritize resources and efforts to mitigate risks. By understanding the potential impact of an application's failure or downtime, organizations can allocate their resources and prioritize their security and recovery efforts.

  • Business Continuity: Application criticality assessment is a critical component of business continuity planning. It helps organizations identify the critical applications required to keep their business operations running in the event of a disaster or disruption.

  • Compliance: Many regulatory requirements and industry standards require organizations to assess the criticality of their applications and implement appropriate security controls based on their risk level. Assessment helps organizations comply with these regulations and standards.

  • Resource Optimization: Assessment helps to optimize resources by identifying applications that require the most attention and resources. By focusing on critical applications, organizations can ensure that they are allocating their resources effectively and efficiently.

  • Budget Planning: Application criticality assessment helps to prioritize the budget for security, maintenance, and upgrades. By understanding the criticality of applications, organizations can allocate their budget effectively to ensure that critical applications are adequately protected and maintained.


What is the application criticality matrix?

An application criticality matrix is a way for IT architects and application owners to list and prioritize the applications in their portfolios.

The applications are ranked based on how critical they are to the organization. Thus, it’s easy to determine which are the most important.

Application landscape report with business criticality view available in LeanIX EAM.

The application criticality matrix is also known as asset criticality, system criticality, or business criticality matrix.

A new matrix can be created for different kinds of assets. Hence, the names of the levels will usually be specific to each industry or business.

But even if the names of the levels are different, the context stays the same.

Why is the application criticality matrix important?

The application criticality matrix is important because it allows everyone in your team to understand each level of the matrix.

From this starting point, processes can be defined that improve, enhance and protect the organization’s most vital assets from risk.

Classification - categories of matrix

The application criticality matrix is made up of four quadrants—mission-critical applications, business-critical applications, business operational applications, and administrative applications.

Business Criticality Levels available in LeanIX EAM surveys.

Other industries or businesses can also use the matrix with two axes only. The x-axis represents the likelihood or probability of an application's failure, and the y-axis represents the impact or consequence of the failure on the organization.

Since the classifications in both options are very similar, we will only explain one - the four quadrants.

1. Mission-critical applications

In an application portfolio assessment, mission-critical applications (MCAs) are software applications that perform an essential function in business operations. Mission-critical systems can consist of any kind of IT component including software, hardware, processes, applications, etc.

Organizations rely on mission-critical applications to run their business activities successfully, and any failure or disruption can be catastrophic. These applications must be available to run at any cost. 

2. Business-critical applications

A business-critical application is a label given to business-critical processes, software, and services that require consistent availability. While breaks in service are not catastrophic, they are highly undesirable. Business-critical applications should be consistent and reliable.

Factors that determine business-critical applications are whether they can cause reputation damage, sensitive information loss, financial loss, or some kind of operational risk.

3. Business operational applications

Business operational applications are the next label in our application criticality matrix. These are fairly non-critical applications that contribute to running efficient business operations.

When they are disrupted, it can cause problems within the organization. However, they are out of the direct line of service to the customer.

Business operational applications provide business functionality such as communication tools, CRM applications, finance services, and other applications that help the organization function.

4. Administrative applications

Lastly, administrative service applications tend to be those that are low-priority and non-critical to everyday business operations. When these applications fail, it can cause some problems, but it will not affect the customer and can be tolerated a bit more.

Examples include applications for record keeping, mail services, and office upkeep.

How to create a matrix and perform an assessment?

The levels of your criticality matrix will depend on your business. When you begin the application criticality assessment, you will need to define each level that’s relevant to your assets and business needs.

From here, you can create the roadmap to identify applications and determine the levels of criticality for each one.

Then you can report and plan any maintenance or upgrades on applications vital to business operations.

1. Define criticality levels or quadrants

The first step of any application criticality assessment is identifying all the criticality levels/quadrants that the applications will fall into.

Which applications will end up in each quadrant will depend on what the organization deems as critical to business operations.

It’s best to have a minimum of three levels. This is because large organizations will tend to utilize hundreds or thousands of applications and assets that vary in criticality levels.

✍️ Two levels are not enough to effectively communicate the importance an application plays in the organization.

2. Identify applications

If your organization is small enough, you can use an Excel spreadsheet to document the applications in your inventory.

However, this is not efficient for large organizations or enterprises. Enterprise architecture tools like the LeanIX EAM help leaders build a complete application inventory.

The EAM has built-in Application Portfolio Management (APM), a specialized module to identify and manage a company’s applications.

3. Determine the level of criticality

Once all the applications have been gathered in the spreadsheet, the next step is to assign a level of criticality to each one.

When using LeanIX EAM, this is a collaborative effort through surveys sent to application owners.

This will give you a clear and concise overview of the applications that are vital to the success of the business.

4. Report and plan

Application portfolio reports can now be created for stakeholders. The LeanIX EAM allows users to view their portfolio from many different angles depending on what data is needed.

LeanIX EAM users can build multiple types of reports, depending on the stakeholder's needs.

Stakeholders can combine reports with other tags such as functional fit vs. technical fit, lifecycle, etc., all within certain business capability maps.



The goal of application criticality assessment is to help IT teams to prioritize an enterprise's assets and make better use of resources.

Assessing application portfolios with the LeanIX EAM is the starting point for application rationalization, application modernization, cloud migration, and other use cases.

By using the matrix you can reach the target architecture — and reduce the catastrophic consequences these systems can have if they fail.


Frequently asked questions on the application criticality assessment

How do you determine the criticality of an application?

How critical an application is to an organization depends on how vital it is to business operations. The organization cannot continue running as usual if the application is interrupted.

What are the three steps in assessing criticality or severity?

The first step is to define each criticality level before you do anything else. Then, in the second step, you get to assign the appropriate level to each application based on its importance to the organization. The third step is to monitor these assets for issues and implement measures that protect mission-critical applications.

What are the criticality categories?

Categories of criticality in an application criticality matrix are Mission Critical, Business Critical, Business Operational, and Administrative.

