An agreed prioritization matrix should be used to determine the appropriate timescales and effort applied for response and resolution to identified incidents. The general formula by which to calculate incident priority is:
IMPACT + URGENCY = PRIORITY
* Impact: Degree to which the user/business is affected by the incident(s)
* Urgency: Degree to which the resolution of the incident can be delayed
For following factors are usually taken into account for determining the impact of an incident:
* The number of users being affected
o (e.g. single user, multiple users, entire business unit, organization wide)
* Possible risk of injury or death
* The number of services affected
* The level of financial loss
* Effect on credibility and reputation of business
* Regulatory or legislative breaches.
Urgency is calculated by assessing when the potential impact of the incident will be felt. In some cases the incident resolution can be delayed when the disruption to an IT service (e.g. payroll) has not yet affected business operations (but will if the service is not available in three days time).
The prioritization matrix would be accompanied by agreed timelines for resolution.
E.g. Priority 1 = Critical = 1 hour target resolution time
Priority 2 = High = 8 hours
Priority 3 = Medium = 24 hours
Priority 4 = Low = 48 hours.