The purpose of tiering isn’t bureaucracy—it’s clarity. If critical services don’t have defined targets and owners,
outages become “surprises,” and recovery becomes improvised.
Tier definitions
RTO / RPO
Availability
Ownership
Minimum controls
What a resiliency tier actually is
A resiliency tier is a business-backed classification that sets minimum expectations for reliability and recovery.
It connects criticality to concrete targets and required controls.
Start with 4 simple questions
- What breaks if this service is down? (Operational impact)
- How quickly must we recover? (RTO)
- How much data can we lose? (RPO)
- Who owns recovery and readiness? (Named accountability)
Define “minimum controls” per tier
- High availability and failover expectations
- Backup/restore frequency and verification
- Monitoring/alerting and incident response readiness
- Dependency documentation and change controls
- Testing cadence (DR tests, failover tests, runbook drills)
Common mistake: targets without funding
If leadership signs off on a tier but doesn’t fund the controls, teams inherit impossible expectations.
A good tiering program forces clear tradeoffs and transparent decisions.
Back to Insights
Contact