Minimum Viable Organisation: Maximise Resilience in uncertain times

Why a Minimum Viable Organisation (MVO)? 

Many organisations prepare for resilience by listing potential scenarios and preparing for them through an All Hazards approach. Potential scenarios may include cyberattacks, widespread IT outages, supply chain disruption, weather or natural disasters and geopolitical events. However, experience shows many scenarios could happen concurrently or be unpredictable — think of COVID-19 pandemic – so one cannot know what tomorrow will bring. Therefore, it is our belief that organisations should understand what is time‑critical to sustain, using a concept we call the MVO. 

What is an MVO? 

The MVO is the understanding and prioritisation of the time‑critical services, processes and (IT) dependencies required to deliver the minimally acceptable level of operations of an organisation. In essence, it answers three critical questions: what is the minimum you need to deliver to keep the organisation functioning, when does the impact become unacceptable if you cannot deliver it, and what resources and capabilities do you need to maintain that level of service? 

An MVO strategy provides the basis for informed decision‑making by leadership and requires focused input from key senior stakeholders and resilience experience. Using a step‑by‑step approach, organisation’s capture the time-critical processes and dependencies — such as (IT) infrastructure, people and supply chains. By cultivating this view of time-criticalities, the MVO establishes top‑down resilience from board‑level and clarifies where they must concentrate protection when under pressure. The goal is to prioritise robustness and resilience—not efficiency. That enables coherent decisions in times of stress, reassures stakeholders, safeguards daily operations and clarifies where to prioritise upfront investments in resilience. 

3 P’s concept: Prioritise, Protect and Pressure 

Understanding the MVO is crucial as it shifts resilience beyond prevention, to a leadership capability helping to a) prioritise, b) protect and c) pressure.  

How do you prioritise?
Together, we identify and rank the most critical services and processes that are essential for your organisation’s continuity. This is a key outcome in understanding the MVO. 

What do you protect? 
Organisations implement strategies and measures to safeguard valuable tangible and intangible assets - information, resources, reputation and people — from crises. The MVO indicates which assets must be protected. 

How do you deal with pressure? 
The MVO is used under pressure to guide the right choices. When a crisis arises, decision‑makers are prepared, and pressure has less effect on their decisions. 

The MVO helps in scoping the organisation’s resilience program:  

• It focuses your BCM program towards the processes and vital assets that need protection; 

• It directs your physical security program towards the physical assets that require protection. The protection of these assets should be prioritised in the light of continuity; 

• It supports your decision-making in Crisis Management during a crisis or major incident; 

• It aligns your IT DR program with the IT assets that most directly and significantly affect the continuity of (business) operations. 

Strategic drivers to understand the MVO – regulations, geopolitical, digital landscape and financial pressures 

Organisations must proactively anticipate, prepare for, and strengthen their resilience capabilities in response to evolving threats. 

Regulations 
Organisations that fulfil a vital role in society are deemed critical under various legislation because of their dependencies on critical suppliers, digital platforms and infrastructure. If an organisation can prioritise its time critical services, it can scope compliance obligations to the parts that are relevant under regulation. It is important to recognise that being compliant is not the same as being resilient.

While regulations provide a necessary foundation, true organisational resilience must be intrinsic and deeply embedded in business strategy and operations. This enables targeted resilience investments — focusing effort and spend on the measures that have the greatest impact for the organisation and for society in the event of an outage. This prioritisation should also inform the scope and expectations of legislation, so regulatory requirements remain proportionate, and outcome focused. At a rapid pace, resilience regulations are being introduced, such as:

• Digital Operational Resilience Act (DORA), 2022 — cybersecurity and resilience requirements for financial organisations. 

• EU Network and Information Security Directive (NIS2), 2023 — regulates risk and supply chain controls, rapid incident reporting and board accountability; requires robust resilience programmes, including strategic governance. 

• EU Critical Entities Resilience (CER), 2023 — aims to strengthen the resilience of public and private critical infrastructure organisations. 

Geopolitical 
Global tensions require proactive prevention and preparation for various disruptive scenarios. To streamline such efforts, the MVO can determine what geopolitical factors come at play if one understands how the time-critical tasks, processes and dependencies are geographically dispersed and focus on strategies and measures around this. 

Digital landscape 
For digital resilience, the MVO should not just be a strategic collection of tasks, processes and dependencies, but also an in-depth view of all minimally required operational IT assets and their interdependencies. This to pervasive connectivity, AI‑enabled operations and extensive third‑party software supply chains that increase the frequency and impact of cyber incidents, outages and IT failures. A clear identification of time‑critical IT services of the organisation bolsters continuity and recovery. 

Financial pressures 
Volatile demand, rising input costs and tighter regulation mean even short disruptions can have outsized financial impact. The MVO translates these pressures into clear priorities, directing limited resilience budgets to the services whose continuity delivers the greatest economic and societal value. This focus protects cashflow, supports compliance and market confidence, and makes the business case for targeted resilience investments more convincing. 

Concrete output? 

The MVO establishes a validated list of priorities to be used in scoping across resilience domains (see 3 P’s domains). The MVO output helps to prioritise an organisations resilience effort, provide insight in what to protect in what extent, and in case of testing, simulating or exercising, what needs to be pressured. 

If you'd like to understand how an MVO can help you maximise resilience in your organisation; feel free to reach out to Danny Tinga (Partner, Resilience, Crisis and Reputation team), Jurgen Schot or Cate Pratt (Senior Managers, Resilience, Crisis and Reputation team).