THE COST OF INACTION

Business interruptions last weeks. The damage lasts longer.

When core systems go down, the clock starts immediately: on payroll, supplier payments, production, regulatory obligations, client commitments. Every day without execution is a day your counterparties start looking for alternatives.

Recent incidents show what "a few weeks of disruption" actually means in practice: hundreds of millions in losses. These are not edge cases. For any large enterprise, a 4-week operational freeze represents 5 to 30% of annual operating profit, before reputational damage, regulatory scrutiny, and the client relationships that don't come back.

And yet, most large enterprises still rely on the same approach: documented continuity plans, built for audit, not for execution. Plans that assume systems will be available. Plans that have never been tested under real conditions.

Retail example

Marks & Spencer (M&S)

~£300m expected impact on operating profit.
~30% of FY25 operating profit.

Manufacturing example

Jaguar Land Rover (JLR)

~£196m declared exceptional direct costs.
~8.0% of FY25 operating profit.

Operational resilience is not an IT problem. It is a business survival problem and it belongs on the executive agenda, not in a risk register.

THE FRAMEWORK

Minimum Viable Company keeps the essentials running no matter the disruption.

A Minimum Viable Company is the minimal set of critical processes and data that an organization must keep executable to sustain its essential operations through a major disruption. It is an execution posture, not a documentation exercise.

1. Vital Activities: The handful of business outcomes your organization must preserve no matter what: usually Deliver Core Services, Serve & Monetize Customers, Protect People & Sites, Execute Critical Payments, Communicate & Comply.
2. Critical Processes: The step-by-step procedures that deliver each vital activity, pre-designed, governance-ready, and executable without your primary IT systems. Every process activated is one less vulnerability in a crisis. Built once, available instantly when needed.
3. Needed Data: The specific datasets each process needs to make decisions and execute. Sourced from your existing systems, stored independently, kept fresh.

WHERE TO START

Start with Finance Continuity. Expand to full MVC over time.

In crisis, cash is the lifeblood of the enterprise. Treasury is the recommended entry point: process-intensive, data-driven, and naturally connected to procurement, HR, and finance.

A company that can pay its critical suppliers, its employees, and service its debt during a crisis has preserved its most fundamental operating capability.

  • Supplier payments continue with approvals and controls
  • Payroll execution remains on time, with audit evidence

Ownership

Operational resilience is a shared responsibility

Head of Operations (COO)

The executive sponsor. Validates the list of vital activities and empowers the organization to build and maintain them. Chairs the annual readiness review. Resilience starts and ends on their agenda as owner of company operations.

Head of Business Units (starting with Treasury)

The process experts. They know what needs to run, in what order, what data is required, and under what regulatory and compliance constraints. Treasury is the natural entry point: critical payments are universally understood, immediately quantifiable, and directly connected to survival.

Head of Resilience (CISO)

The governance layer. Signs off on the independent execution architecture, guarantees confidentiality, integrity, and availability, and owns the audit trail. Turns executive intent into verifiable and secure capability.

IN PRACTICE

What enterprise leaders say about Astran

Trusted by leading enterprises to keep critical execution going when the environment fails.

Operational in 1 month

Context: Critical treasury and payroll continuity during crisis conditions.
What stayed executable: Treasury workflows and HR data validation with confidential collaboration.
Result: Payroll execution remained controlled and auditable under disruption.

Guillaume Peslin
Head of Treasury Middle Office and IT Systems, ELIOR GROUP

Operational in 2 weeks

Context: During a major disruption.
What stayed executable: Treasury and HR critical workflows.
Result: First critical process live in two weeks.

Jean-Philippe Faure
Chief of Organization and Information Systems, Eiffage

Operational in 3 months

Context: High-threat operating environment.
What stayed executable: Treasury and critical operations continuity.
Result: Continuity maintained under cyber pressure.

Jean-Yves Poichotte
Global Head of Cyber Security, Digital Risks & Compliance, Sanofi

Operational in 1 month

Context: Resilience modernization under cyber risk pressure.
What stayed executable: Recovery coordination and continuity workflows.
Result: Faster recovery readiness and stronger continuity posture.

Samir Hatim
Group CIO, VINCI

SECURITY & COMPLIANCE

Trust is a Product feature.

When your organization executes critical processes during a crisis, the data involved is at its most sensitive and your systems are at their most exposed. Astran is architected for exactly that moment.

  • Certification: SOC 2 Type II certified, with regular penetration testing. Your security team has what they need to sign off.
  • Security by design: Patented post-quantum secure architecture. Confidentiality, integrity, and availability are not configuration options; they are structural guarantees.
  • Audit-ready execution: Every action and every piece of data is immutable, versioned, and traceable. When regulators or auditors ask what happened during the crisis, you have the evidence.

EXECUTIVE Q&A

Questions executives ask first.

Ensuring continuity of the core business is an executive committee responsibility, and resilience must become operational fast. The question is no longer if disruption happens, but when it happens.

The problem today

Execution breaks first. Within hours, teams lose access to the tools, approvals, and data they need to operate. Payments stop. Supplier commitments are missed. Regulatory deadlines pass. IT recovery takes weeks; business damage accumulates from day one, before any system is restored.

BCP plans describe what should happen. They do not make it happen when the infrastructure that runs them is unavailable. Cloud uptime is not process resilience: your SaaS can be online while identity, SSO, and approval workflows are completely down. Most continuity plans were built for audit, not for execution under real crisis conditions. The gap between the plan and what actually runs is where companies lose hundreds of millions.

DORA, NIS2, ISO 22301, and the UK PRA/FCA Operational Resilience Policy, to name just a few, all explicitly require that critical processes remain executable during disruption. Documented plans no longer satisfy regulators. The standard has shifted from "we have a plan" to "we can prove it runs." Non-compliance is now a board-level exposure, not a technical checkbox.

Why now

Because the financial meter starts on day one of a disruption. M&S lost ~£300M, approximately 30% of FY25 operating profit. Jaguar Land Rover declared £196M in direct exceptional costs. The government agreed to guarantee up to £1.5 billion in commercial borrowing to provide liquidity to JLR and its suppliers and protect jobs! These are not tail risks: they are recent, documented, and directly attributable to the inability to execute critical operations during a crisis. A risk register entry does not stop a payment chain from collapsing.

The threat surface changed. Cyberattacks now target identity and access layers, not just data. IT interdependencies have multiplied with SaaS adoption. Other risks have joined the game, such as geopolitical decisions. And regulators have moved from principles to enforceable standards. Organizations that built their resilience posture five years ago are managing today's risks with yesterday's architecture. The question is not whether to revisit it; it is whether to do it before or after an incident.

What is the Minimum Viable Company

A documented plan tells people that we might need them in a crisis, but not what to do. An executable process gives them the steps, the data, the approvals, and the access to actually do it, independent of whether primary systems are available. The difference only becomes visible during a crisis. By then, it is too late to close the gap.

Virtually every large enterprise starts with Finance/Treasury: critical payments, payroll, and supplier settlements. Cash obligations are non-negotiable, universally understood, and directly connected to survival. Once the first processes are operational, the same model extends to any vital activity, such as procurement, supply chain, HR, or customer commitments, following the same build-once, run-independently logic.

What does it take to get started

A simple, well-documented process can be operational on Astran in under two weeks, while a complex, undocumented process may take up to three months. The constraint is rarely Astran. It is the quality of crisis process documentation/knowledge on the client side.

The core work requires two to three people: a process owner from the business unit, an IT contact for data access and integration, and a project lead. There is no infrastructure to deploy and no long onboarding cycle. The build phase is additive; it does not touch primary systems and does not disrupt daily operations. Most of our clients describe it as the least disruptive resilience initiative they have ever run.

The project always requires three functions to align: the COO or executive sponsor to validate vital activities and fund the initiative, the Head of Treasury or relevant Business Unit to own the processes (calling on SMEs from their teams when needed), and the CISO to validate the independent architecture and sign off on security. Experience shows that Treasury is the fastest entry point to build consensus: the business case is immediate, the perimeter is clear, and the value is visible within weeks of go-live.

Why Astran

BCP tools produce documentation. DR and backup platforms restore infrastructure. Neither makes your business processes executable during the window between incident and recovery, which is precisely where the financial and operational damage happens. Astran is the only platform that combines dynamic process execution, independent data continuity, and post-quantum data confidentiality in a single service. No equivalent exists on the market today: each of these three capabilities is available elsewhere in isolation. The combination is not.

Astran is SOC 2 Type II certified with regular penetration testing. The platform's cryptographic architecture is patented and post-quantum secure. Every action executed on the platform is immutable, versioned, and traceable, producing a complete audit trail that satisfies both internal audit and external regulatory scrutiny. Procurement teams receive a standard security package covering assurance and architecture documentation.