If I were undertaking a project today to evaluate what systems to protect in my enterprise, I would start with a loose consideration of the following:
- The relative cost of outages for systems in my enterprise
- The cost of protecting those systems
- The potential likelihood of a disaster
- The potential outage period from a disaster
I would use those criteria to evaluate systems supporting key business processes, all of the infrastructure systems that support key business processes, and then place them on a quadrant-like grid that would visually present the cost of outage and the cost of protection for each primary application in the enterprise.
By projecting the cost of an outage and considering those costs in the context of disaster risk, you may be able to better establish a threshold with senior management for what should be protected in your enterprise. That is how I would begin assessing whether it is critical to protect a day-to-day business system that enterprises normally consider less critical.
After that exercise is done, I would repeat it for general operational IT systems, like email and general infrastructure services. Then I would add one more element: the potential number of systems and business processes that are dependent upon those services.
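The grid and the dependency count described above can be sketched in a few lines of Python; this is an added example, not the author's own tooling. The field names, the sample inventory, the formula (cost per hour × outage hours × annual likelihood) and the median split between "high" and "low" are all assumptions made for illustration.

```python
from statistics import median

# Constructed sample inventory: every figure is illustrative, not from the article.
# likelihood = assumed annual probability of a disaster affecting the system.
SYSTEMS = {
    "order-entry": {"cost_per_hour": 20000, "outage_hours": 24, "likelihood": 0.05,
                    "protection_cost": 60000, "depends_on": ["email", "directory"]},
    "payroll":     {"cost_per_hour": 5000, "outage_hours": 48, "likelihood": 0.05,
                    "protection_cost": 15000, "depends_on": ["directory"]},
    "email":       {"cost_per_hour": 2000, "outage_hours": 24, "likelihood": 0.05,
                    "protection_cost": 40000, "depends_on": ["directory"]},
    "directory":   {"cost_per_hour": 1000, "outage_hours": 24, "likelihood": 0.05,
                    "protection_cost": 10000, "depends_on": []},
}

def expected_outage_cost(s):
    """Outage cost weighted by disaster risk (assumed formula)."""
    return s["cost_per_hour"] * s["outage_hours"] * s["likelihood"]

def dependents(name, systems):
    """Every system that depends on `name`, directly or through another system."""
    found, stack = set(), [name]
    while stack:
        current = stack.pop()
        for other, s in systems.items():
            if current in s["depends_on"] and other not in found:
                found.add(other)
                stack.append(other)
    found.discard(name)  # a dependency cycle must not count the service itself
    return found

def quadrant_grid(systems):
    """Map each system to (outage axis, protection axis, number of dependents)."""
    outage = {n: expected_outage_cost(s) for n, s in systems.items()}
    protect = {n: s["protection_cost"] for n, s in systems.items()}
    o_mid, p_mid = median(outage.values()), median(protect.values())
    return {
        n: ("high-outage" if outage[n] > o_mid else "low-outage",
            "high-protection" if protect[n] > p_mid else "low-protection",
            len(dependents(n, systems)))
        for n in systems
    }

if __name__ == "__main__":
    for name, cell in quadrant_grid(SYSTEMS).items():
        print(f"{name:12} {cell}")
```

In this constructed data the directory service lands in the low-outage, low-protection quadrant on its own figures, yet three other systems depend on it, which is the case the dependency count is meant to surface.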