Vital Activities
The business outcomes (or Important Business Services) your organization must preserve no matter what. Non-negotiable by definition.
Minimum Viable Company
THE EXECUTION GAP
Companies don't fail from lack of plans. They fail from inability to execute.
Your organization has Business Continuity Plans. Probably run a Business Impact Assessment. Crisis documentation are reviewed annually, signed off by the right people, stored in the right place, external to your core IT, secure, easily & always available. The governance is in order.
None of it runs on its own !
When a ransomware attack encrypts your environment, when a critical SAP migration fails at the worst moment, when a key site goes dark, when an external government or provider cuts the service, when a fire takes out your data center or your core provider; teams open the plans and discover the same thing every time: the documentation is there, but the critical processes, vital data, and minimum tools to execute them are not. The data is locked in systems that are down. The approvals require access that no longer works. The people who know the process are not the ones in the room.
From that point, everything compounds. Operations stop. Counterparties notice. Trust erodes faster than systems recover. The (huge) financial damage accumulates every day, long after the incident is resolved.
DEFINITION
What is a Minimum Viable Company?
Closing the execution gap does not require rebuilding everything. It requires identifying and protecting the right things. During COVID, organizations that survived the first weeks were not the ones with the most sophisticated daily systems; they were the ones who knew exactly what had to keep running, with the minimum viable set of people, processes, and data to make it happen.
The same logic applies to any major disruption. Not 100% of operations. Just the irreducible core, defined in advance, built to run independently, ready when everything else is not.
That is the Minimum Viable Company.
Most organizations share the same handful of vital activities: deliver core services, serve customers and collect revenue, protect people and sites, execute critical payments, communicate and comply. The scope varies by industry; the principle does not.
A Minimum Viable Company (MVC) is the minimal set of critical processes and data that an organization must keep executable by the available people, to sustain its vital activities through a major disruption. It is an execution posture, not a documentation exercise.
It is built on three components: the Vital Activities that must never stop, the Critical Processes that deliver them, and the Needed Data that makes execution possible.Together, they form the operational core that must remain alive no matter what happens.
That core is your AlwaysReady® foundation.
Critical Processes
The step-by-step procedures that deliver each vital activity, pre-designed, executable without primary IT systems. Every process activated is one less vulnerability in a crisis.
Needed Data
The specific datasets each process requires to execute. Sourced from your existing systems, stored independently, kept fresh.
WHAT IT IS NOT
What the MVC is not
Not another BCP
The MVC does not document what should happen. It operationalizes what can happen, with the right people, the right data, and no dependency on primary systems.
Not an IT or cyber tool
The MVC is owned by the business — COO, CFO, CISO. IT is an enabler, not an owner. The MVC must work precisely when IT cannot.
Not a one-time project
The MVC is a living operational posture. It requires regular simulation exercises, at minimum annually, and must evolve with team changes, system migrations, and regulatory updates.
REGULATORY ALIGNMENT
Regulators no longer accept plans. They require proof of execution.
DORA, NIS2, ISO 22301, and the UK PRA/FCA Operational Resilience Policy have all moved in the same direction: documented continuity is no longer sufficient. Organizations must demonstrate that critical processes can actually run during disruption, not just that procedures exist on paper. For COOs, CFOs, and CISOs, this is no longer a compliance checkbox. It is a board-level exposure.
DORA — Article 11
ICT business continuity must be executable, not merely documented. Non-compliance exposes financial entities to supervisory action and reputational risk with counterparties.
AlwaysReady delivers: governed process execution independent from primary IT systems, with full audit trail.
NIS2 — Chapter IV
Entities must implement operational continuity measures with demonstrable recovery capability. The burden of proof now falls on the organization.
AlwaysReady delivers: independent execution layer activated without IT dependency, testable at any time.
ISO 22301
Organizations shall establish operational procedures for continuity activities, versioned, governed, and regularly tested.
AlwaysReady delivers: structured, versioned, auditable procedures by design, with simulation capability built in.
UK PRA / FCA Operational Resilience
Firms must remain within impact tolerances during severe but plausible scenarios and must be able to demonstrate it.
AlwaysReady delivers: process-level execution capability validated through simulation, mapped to defined impact tolerances.
STARTING POINT
Follow the cash.
Treasury is the recommended entry point for building an MVC. It is process-intensive, data-driven, and connects naturally to adjacent functions — procurement, HR, and finance — creating the internal coalition needed to scale. A company that can pay its critical suppliers, its employees, and service its debt during a crisis has preserved its most fundamental operating capability.
The CISO and Head of Treasury are the natural co-owners of MVC implementation. The CISO brings the resilience mandate and the operational security framework. Treasury brings the process knowledge and the first set of critical data. The COO holds executive accountability.
HOW TO GET STARTED
Start with one process. Build from there.
You do not need a complete MVC vision to begin. You need one critical process, properly defined, executable without your primary systems. Every process activated immediately reduces your exposure.
The baseline today is zero : celerity matters. Next: Build Governed
The governance follows naturally. A facilitated ExCom session to define your Vital Activities list, using your existing BIAs and crisis assets as input, nothing starts from zero. Set a readiness target, review annually or when your systems undergo significant change. Speed and governance are not in conflict: you implement first, you govern as you scale.
Here is what that first process looks like in practice (starting with Treasury).
Vital Activity
Ensure critical payments
Critical Process
Vendor payment procedure (degraded mode)
Needed Data
Supplier list, bank accounts, approval matrix
Standalone Execution
Runs without SAP, without email, without primary network
Audit Trail
Every action timestamped, signed, exportable
MVC ALWAYS READY
Your first critical process can be live in 4 weeks.
The Minimum Viable Company is a framework. AlwaysReady® is what makes it operational.
Most organizations spend months debating scope before a single process is protected. AlwaysReady® is designed to break that pattern: start with one process, prove the model, expand. The platform handles process design, data synchronization, access governance, guided execution, and audit trail, so your teams focus on what needs to run, not on building the infrastructure to run it.
From day one of a crisis, your teams open AlwaysReady®, follow step-by-step guided execution with the right data in context, and every action is automatically timestamped, signed, and exportable. No improvisation. No dependency on systems that are down.
The readiness dashboard gives your executive team a live view of MVC coverage, which processes are protected, which are not, and what the next priority is. Simulation tools let you test before you need it.
The MVC is the posture. AlwaysReady® is the proof that it works.
AlwaysReady illustration placeholder