Online Exclusive

The Resilience Mandate: Governing the Minimum Viable Business

By John Murphy

01/22/2026

Partner Content Provided by Rubrik
Cybersecurity Risk Oversight

In a technologically connected business environment, boards must define and protect a minimum viable business mandate that keeps essential services running through disruption.

For too long, boards have asked: Is the business secure? But that is the wrong question. In an era of weaponized disruption, sustaining perfect security is impossible. Directors’ fiduciary duties now require shifting from prevention to survival: If the company's operations go dark tonight, what must be restored to survive tomorrow?

The traditional business continuity plan is often a “dusty binder,” or an encyclopedic list of technical assets that disintegrates on contact with a crisis. Business continuity plans focus on recovering servers, but a business is not a collection of servers; it is a set of value-generating services. To exercise true oversight, boards must move beyond the business continuity plan and mandate a minimum viable business (MVB) approach.

The MVB Doctrine

MVB doesn’t represent a return to “business as usual”; instead, it is the operational floor required to survive a prolonged digital crisis. Defining MVB is a governance duty, not an information technology task. Boards must accept that simultaneous recovery of all services is impossible and work with management to explicitly prioritize essential services so that the organization knows what is expected and what to build. 

For a bank, this might mean clearing payments before originating mortgages. For a hospital, it could mean emergency room intake before billing. IT is often critical to executing recovery, but the board should define the services that ensure survival. 

Deconstructing the Business

Protecting the MVB requires business service decomposition, which views the organization as value-adding services rather than just technology stacks. For example, visualize a three-layered pyramid:

  • The business service, or top layer, is the output that matters to stakeholders and customers, such as making withdrawals or deposits from a bank account or receiving medical treatment in the emergency room.
  • The operational process, or middle layer, is the people, workflows, and third-party dependencies required to execute that service.
  • The technology estate, or bottom layer, is the applications, data, and infrastructure that power the process.

Current board resilience reporting often focuses directors on the bottom layer using abstract technology metrics. Effective governance reverses this focus. Boards should ask management to map the “golden thread” that connects critical services in the top layer to their specific fulfillment assets, such as people, processes, and technology. This clarity ensures that risk prioritization focuses on protecting the organization’s heartbeat services.

Mapping Business Service Decomposition

  • The Business Service: delivers core value and outcome to consumer.
  • The Operational Process (execution and management): creates product and services.
  • The Technology Estate (foundation and enablers): powers the processes.

Source: Rubrik

With this analysis in hand, the board can provide targeted governance and risk prioritization to ensure critical business services continue to operate.

The "Peanut Butter" Problem

Without an MVB definition, organizations suffer the “peanut butter effect,” spreading resilience budgets thinly across the entire estate. But protecting a cafeteria menu system with the same rigor as core deposit or withdrawal services amounts to capital malpractice. 

Directors often assume this distinction is implicitly understood by IT, but it is not. Making prioritization explicit through an MVB mandate ensures capital is directed to the critical services that matter, rather than being diluted across the general estate.

MVB compels disproportionate investment. Boards should empower management to prioritize the 5 percent of assets that sustain critical operations, surrounding them with immutable vaults, which are isolated environments where data cannot be modified or deleted, even by compromised administrator credentials.

Furthermore, testing for these assets must shift from a compliance-based annual drill to a quarterly or monthly technical recovery standard, ensuring that the rapid rate of operational change has not broken the recovery path. In a crisis, the other 95 percent can wait.

Questions to Ask Management

To operationalize this, directors should pose the following questions to management:

  1. Are the three to five business services that constitute the organization's MVB formally defined?
  2. If all technology goes down tomorrow, which services must be restored and in what order to prevent material failure?
  3. Has the company visualized the “golden thread” for these specific services and stress tested every internal and third-party dependency?
  4. If the digital layer fails, how long can the business operate these critical processes manually?
  5. Does staff have the physical checklists to run the business manually, without the supporting technologies, for 48 hours?

From Technology to Trust

Resilience is not a technology upgrade; it is a psychological shift that acknowledges that breaches and business interruptions are inevitable. Board effectiveness is no longer measured by prevention but instead by the speed of recovery. 

By mandating the MVB doctrine, directors elevate resilience from a technical backup task to a strategic imperative. In 2026, ensuring survival is the ultimate fiduciary duty.

The views expressed in this article are the author’s own and do not represent the perspective of NACD.

Rubrik is a NACD partner, providing directors with critical and timely information and perspectives. Rubrik is a financial supporter of the NACD.

Robert Peak

 

John Murphy, PhD, is the chief information security officer in residence at Rubrik, where he applies more than 20 years of experience in finance and banking to help organizations achieve cybersecurity resilience and Zero Trust data security.
