Vital Activities
The business outcomes (or Important Business Services) your organization must preserve no matter what. Non-negotiable by definition.
Minimum Viable Company
THE EXECUTION GAP
Companies don't fail from lack of plans. They fail from inability to execute.
Your organization has Business Continuity Plans. Probably run a Business Impact Assessment. Crisis documentation are reviewed annually, signed off by the right people, stored in the right place, external to your core IT, secure, easily & always available. The governance is in order.
None of it runs on its own !
When a ransomware attack encrypts your environment, when a critical SAP migration fails at the worst moment, when a key site goes dark, when an external government or provider cuts the service, when a fire takes out your data center or your core provider; teams open the plans and discover the same thing every time: the documentation is there, but the critical processes, vital data, and minimum tools to execute them are not. The data is locked in systems that are down. The approvals require access that no longer works. The people who know the process are not the ones in the room.
From that point, everything compounds. Operations stop. Counterparties notice. Trust erodes faster than systems recover. The (huge) financial damage accumulates every day, long after the incident is resolved.
DEFINITION
What is a Minimum Viable Company?
Closing the execution gap does not require rebuilding everything. It requires identifying and protecting the right things. During COVID, organizations that survived the first weeks were not the ones with the most sophisticated daily systems; they were the ones who knew exactly what had to keep running, with the minimum viable set of people, processes, and data to make it happen.
The same logic applies to any major disruption. Not 100% of operations. Just the irreducible core, defined in advance, built to run independently, ready when everything else is not.
That is the Minimum Viable Company.
Most organizations share the same handful of vital activities: deliver core services, serve customers and collect revenue, protect people and sites, execute critical payments, communicate and comply. The scope varies by industry; the principle does not.
A Minimum Viable Company (MVC) is the minimal set of critical processes and data that an organization must keep executable by the available people, to sustain its vital activities through a major disruption. It is an execution posture, not a documentation exercise.
It is built on three components: the Vital Activities that must never stop, the Critical Processes that deliver them, and the Needed Data that makes execution possible.Together, they form the operational core that must remain alive no matter what happens.
That core is your AlwaysReady® foundation.
Critical Processes
The step-by-step procedures that deliver each vital activity, pre-designed, executable without primary IT systems. Every process activated is one less vulnerability in a crisis.
Needed Data
The specific datasets each process requires to execute. Sourced from your existing systems, stored independently, kept fresh.
WHAT IT IS NOT
What the MVC is not
Not another document
Most organizations already have continuity plans. The problem is not the plan. When a crisis hits, the plan sits in a folder, the systems are down, and no one knows what to do next. The MVC does not add another document to that folder. It replaces the question "what should we do?" with the ability to actually do it.
Not an IT or cyber tool
The MVC is owned by the business: COO, CFO, Head of Operations. Not because IT is excluded, but because the MVC must function precisely when IT cannot. That is not a governance preference. It is a structural requirement. An execution layer that depends on the systems it is designed to replace is not a backup. It is a risk.
Not a replacement for your BCP
Your BCP identifies which processes matter. The MVC makes them executable. ExCom defines Vital Activities. Business lines map the critical processes that cover them. The MVC is the executable subset of that work: no documentation, no dependency on primary systems, ready to run. If you have a BCP, you already know what belongs in your MVC. What you likely do not have yet is the ability to execute it.
REGULATORY ALIGNMENT
Regulators no longer accept plans. They require proof of execution.
DORA, NIS2, ISO 22301, and the UK PRA/FCA Operational Resilience Policy have all moved in the same direction: documented continuity is no longer sufficient. Organizations must demonstrate that critical processes can actually run during disruption, not just that procedures exist on paper. For COOs, CFOs, and CISOs, this is no longer a compliance checkbox. It is a board-level exposure.
DORA — Article 11
ICT business continuity must be executable, not merely documented. Non-compliance exposes financial entities to supervisory action and reputational risk with counterparties.
AlwaysReady delivers: governed process execution independent from primary IT systems, with full audit trail.
NIS2 — Chapter IV
Entities must implement operational continuity measures with demonstrable recovery capability. The burden of proof now falls on the organization.
AlwaysReady delivers: independent execution layer activated without IT dependency, testable at any time.
ISO 22301
Organizations shall establish operational procedures for continuity activities, versioned, governed, and regularly tested.
AlwaysReady delivers: structured, versioned, auditable procedures by design, with simulation capability built in.
UK PRA / FCA Operational Resilience
Firms must remain within impact tolerances during severe but plausible scenarios and must be able to demonstrate it.
AlwaysReady delivers: process-level execution capability validated through simulation, mapped to defined impact tolerances.
STARTING POINT
The first test of survival is financial.
When a crisis hits, a company's most immediate obligations are also its most visible: pay critical suppliers, run payroll, service debt. A company that cannot do these things within days does not get to recover. It starts losing counterparties, employees, and creditors before the incident is even contained.
Treasury is the recommended entry point for building an MVC for a precise reason: its processes are already cross-functional by design. Paying suppliers requires Procurement. Running payroll requires HR. Servicing debt requires Finance and ExCom sign-off. The internal coalition you need to scale MVC adoption is not built from scratch. It already exists inside Treasury operations.
The Head of Treasury and the CISO are the natural co-owners of MVC implementation. Treasury brings the process knowledge, the critical data, and the first set of executable workflows. The CISO provides the resilience framework and the operational security requirements. The COO sponsors the program at ExCom level and holds accountability for the outcome.
HOW TO GET STARTED
Start fast. Build right. Do both.
The pragmatic approach starts with the obvious. Every organization has processes that no one needs to study to recognize as critical: pay critical suppliers, run payroll, service debt, handle customer claims, maintain production site safety. These processes are identifiable in days, deployable in weeks, and each one activated immediately reduces exposure. You do not need a complete MVC vision to begin. You need one process that everyone agrees matters, made executable without your primary systems.
The governed approach starts at Executive Committee level. ExCom defines the company's Vital Activities: the business outcomes the organization must preserve to survive. Business lines then work from their existing BIAs to identify and prioritize the critical processes that cover each Vital Activity. The result is a structured, top-down framework with clear ownership at every level. It takes longer, but it produces a complete, coherent MVC, not a collection of isolated processes.
The operational recommendation: start with the no-brainers, do not wait for governance. The two tracks converge quickly, and the processes deployed first slot directly into the governed structure when it arrives. Nothing is wasted. More than that: the no-brainers actively improve the governed approach. They introduce a ground-level pragmatism that prevents the governance work from drifting into theoretical cartography. When ExCom and business lines have already seen what a real, executable process looks like in practice, they make better prioritization decisions. They remember that the goal is "minimum viable", not exhaustive. The no-brainers keep the framework honest.
MVC ALWAYS READY
Your first critical process can be live in 4 weeks.
The Minimum Viable Company is a framework. AlwaysReady® is what makes it operational.
Most organizations spend months debating scope before a single process is protected. AlwaysReady® is designed to break that pattern: start with one process, prove the model, expand. The platform handles process design, data synchronization, access governance, guided execution, and audit trail, so your teams focus on what needs to run, not on building the infrastructure to run it.
From day one of a crisis, your teams open AlwaysReady®, follow step-by-step guided execution with the right data in context, and every action is automatically timestamped, signed, and exportable. No improvisation. No dependency on systems that are down.
The readiness dashboard gives your executive team a live view of MVC coverage, which processes are protected, which are not, and what the next priority is. Simulation tools let you test before you need it.
The MVC is the posture. AlwaysReady® is the proof that it works.
