Criticality ratings

Maturity tells you how well you do something. Criticality tells you how much it matters. Without criticality, every gap would look equally urgent, and that is never true.

The three levels

Forest rates criticality on a simple scale:

1. Nice-to-have useful, but the organization functions without it

2. Core important to normal operations and security posture

3. Compliance-required mandated by regulation, contract, or framework

The scale is deliberately short. Three levels force a real decision instead of letting everything drift toward the middle.

Why criticality is a multiplier

Forest calculates Priority as (target maturity minus current maturity) times criticality. Criticality is the multiplier, which means it can change the ranking even when two capabilities have the same maturity gap.

Consider two capabilities, each three maturity levels below target. The compliance-required one scores a priority of nine. The nice-to-have one scores three. Same gap, very different urgency, because the work that protects you from a regulatory finding should not wait behind work that is merely convenient.

How it feeds the Org Score

Criticality also weights your Org Score, which is criticality-weighted maturity across in-scope capabilities on a 0 to 100 scale. Strong maturity on capabilities that matter most lifts your score more than strong maturity on capabilities that do not.

Rate criticality honestly. Inflating everything to compliance-required defeats the purpose and flattens your priorities back into noise.

For how criticality combines with the maturity gap, see Current maturity vs target maturity.