error
Subscriptions are not available for this site while you are logged into your current account.
close
Skip to main content
Submit RFP

      In an uncertain, contemporary operating environment, organisations are navigating rising regulatory expectations, market uncertainty, and unprecedented dependence on digital operations. Against this backdrop, an important strategic question is emerging: What is the minimum version of a company that can continue to operate safely, sustainably, and compliantly in the face of an extreme but plausible disruption?

      This question underpins the emerging concept of the Minimum Viable Company (MVC). There is growing recognition that defining these constructs, and understanding when, why, and how they should be deployed, should become a critical part of future operational resilience strategies.

      This article provides a foundational perspective on how organisations can begin articulating their MVC, how this differs from Important Business Services (IBS), and what steps organisations should consider next.

      The term “minimum viable” introduces a resilience‑driven lens to the concept of a company, framing it around understanding the services an organisation provides and identifying what is most critical to sustaining its MVC – namely, what is required to keep the lights on and continue delivering its most important services.

      Steve Horgan
      Steve Horgan

      Senior Manager, Operational Resilience

      KPMG in the UK

      What is the minimum set of capabilities, assets, processes, and services that must remain operational for your company to still be considered a functioning MVC?

      This inevitably leads to a complementary question:

      At what point, if those capabilities were lost, would the organisation no longer be considered an MVC?

      This is not simply an academic exercise. It provides a structured way of thinking about survivability in catastrophic, but still plausible, scenarios that go far beyond the severe‑but‑plausible conditions used in today’s stress testing.

      Recent cyber incidents have illustrated why MVC thinking matters. If an organisation has to fully stop the provision of its services, and cannot perform the essential activity that defines its business identity, it could be argued that the organisation does not have a suitable MVC in place. However, if an organisation is facing disruption to certain services, but is capable of delivering its core services, and the continuation of revenue generating activity, albeit whilst degraded, this organisation could be perceived as remaining above the threshold: operating at a reduced but still coherent, legally functional, and economically recognisable level.

      Breaking down the MVC: services, processes, and assets

      If an MVC exists, then by definition it also contains:

      account_balance

      Minimum Viable Services (MVS)

      These are the services so fundamental that, without them, the entity ceases to function in its essential form. In a bank this may include services such as:

      • Access to Cash
      • Make a Payment

      These can be contrasted with services that have been identified previously as being important but are not necessarily essential to the identity of the organisation, such as Mortgage Disbursement or Making an Insurance Claim. These might be considered IBS today but may not be part of an MVC. Ultimately, this will depend on the market share and criticality of a service line to a specific organisation and leads to MVS being nuanced to each organisation.

      memory

      Minimum Viable Processes (MVPs)

      The presence of MVS further implies that each MVS depends on a foundational set of business processes. These are the processes that must remain operational, albeit at potentially degraded levels, to support those core services. For example, there are a number of process steps in a make an online purchase service: order processing, picking and packing, and delivery. 

      auto_awesome

      Minimum Viable Assets (MVAs)

      Beneath both MVS and MPS lies a minimum set of required assets across:

      • People
      • Technology
      • Data
      • Property
      • Third‑party supply chain

      An MVC cannot function if critical assets under any of these asset classes fall below a certain threshold. For example, expanding the make an online purchase service further, without a functioning website, or fleet of vehicles, the organisation would not be able to complete the end-to-end processes within the service and therefore the MVC would not be achievable.

      MVC vs. IBS: why they’re not the same

      Through resilience frameworks organisations have been identifying IBS and demonstrating that these services can remain within impact tolerances during severe but plausible disruptions.

      However, the MVC concept introduces a materially different perspective. MVC is identity‑centric.

      The question becomes: what must survive for the organisation to continue conceptually and practically existing as a company at all?

      This addresses a potential gap in today’s resilience frameworks.

      Certain internal functions such as payroll, HR, or core finance are not typically classified as IBS. They are not directly customer‑facing and therefore may not breach harm-based thresholds if disrupted. Yet without them, a company cannot meaningfully operate.

      In an MVC framework, these internal services could be elevated to MVS/MVP status even though they are not IBS. This is one of the most compelling reasons the MVC concept is strategically important.

      When would an MVC be deployed?

      Organisations, in certain industries, are currently required to demonstrate how IBS can withstand severe but plausible scenarios.

      The MVC construct instead raises the question:

      What if the scenario is catastrophic but still plausible, beyond anything the current operational resilience and business continuity frameworks expect, and all business mitigations have failed?

      Examples could include:

      • Destruction or long‑term loss of physical premises
      • National level telecoms or network infrastructure disruption
      • Loss of large proportion of personnel for extended periods
      • Cascading third-party failure across multiple critical suppliers
      • Systemic cyber events with prolonged remediation times
      • Prolonged regional unavailability of cloud provider
      • Peer-on-peer warfare

      The MVC scenario is not about remaining within impact tolerance. It is about the continuity of identity i.e. operating at a reduced but still legally and functionally recognisable level for a potentially extended duration.
       

      So what should organisations do next?
       

      Organisations looking to explore this concept should consider a structured, multi‑stage approach:

      Identify the MVC

      Define the threshold at which the company retains its essential identity. This includes determining:

      • MVS
      • MVP
      • MVA

      Assess dependencies and criticality

      Map the MVS down through the supporting processes, assets, people, and supply chain. Identify which assets truly underpin minimum viability.

      Conduct extended scenario testing

      Move beyond asset based testing, and your severe-but-plausible scenarios. Test catastrophic-but‑plausible events lasting longer than current impact tolerances. Evaluate whether the MVC remains operable and viable under these extreme conditions.

      Explore tooling enablement

      There is strong potential for technology platforms to support the modelling, mapping, simulation, and orchestration required to operationalise MVC frameworks.

      The MVC prepares you for the worst plausible scenarios

      As operational resilience evolves, organisations must prepare not only for severe‑but‑plausible disruption, but also for catastrophic scenarios that could challenge their very identity as a functioning organisation.

      By defining MVS, MVP and MVA, and understanding the gaps between MVC and existing IBS frameworks, organisations can better equip themselves for the uncertainties of the future.

      Our regulatory insights

      Something went wrong

      Oops!! Something went wrong, please try again
      MTD

      Get in touch

      Discover why organisations across the UK trust KPMG to make the difference and how we can help you to do the same.

      Contact us