For those with organizations that have developed minimally viable system (MVS) resilience strategies in association with business impact input and business continuity, what sources have helped you get started on aligning those discussions with your non-IT business partners?

123 views · 1 Upvote · 2 Comments
Group Director of Information Security in Banking, 2 hours ago

Your query is important in the new age of business continuity management, where old concepts are becoming obsolete. For the benefit of other readers who may find this interesting, and to ensure that we are talking about the same definitions, my take on MVS (Minimally Viable System) resilience strategies is that these focus on identifying and rapidly restoring only the most essential systems, processes, and data required for an organization to function after a cyberattack or disruption. Key strategies include identifying critical assets, implementing rapid recovery plans with redundancy, establishing a resilient organizational mindset, and ensuring regulatory compliance, all to minimize downtime. These strategies are derived after undertaking a modern BIA framework. Now, to answer your query about aligning that discussion with your non-IT partners, there are a couple of options I can fathom.

1. Push Option - Less effective - You call non-IT business partners into an awareness exercise and tell them about gaps in process resilience, their single points of failure in IT systems, or their exposure to single-source third parties in charge of managing critical processes. Enlighten them and get them on board.

2. Pull Option - More effective in the long term
a. Get a seat in the Enterprise Risk Management (ERM) function. Usually this function is in charge of managing financial and operational risks. Cyber risk is an operational risk, and business continuity is getting more and more ingrained in cyber/digital risk management, as in the past 6 years digital transformations have matured, with most processes having been automated. So, modern business continuity is 70% digital process resilience while the remaining 30% is third-party/supply chain resilience. Ask this ERM team to define the cyber risk appetite for the organisation, or define it for them.
b. Define key risk indicators (KRIs) for cyber risks (risks that are reaching or are about to go beyond the already established risk appetite), and map those risks to digital systems (applications primarily). Your BIA should already have business processes linked with computer applications. So, your cyber KRIs will have a direct mapping to business processes that are at risk of disruption/downtime.
c. For KRIs that have triggered, your recommendation to the ERM steerco will be to get back within the risk appetite and operate at safe levels. That's your MVS! This way, non-IT business partners will be able to easily understand the direct correlation with the important work of drafting the MVS that you have undertaken.
Hope it helps.

AI Governance Strategist in Travel and Hospitality, 14 hours ago

Great question. I've seen success with a one-page BIA-style template (inspired by ISO 22301 and simplified to just "must-stay-up vs can-wait") paired with a short tabletop, e.g., "claims down for four hours." That combo turned MVS into plain business choices and gave non-IT leaders clear ownership without the technical deep dive. In healthcare, layering in HIPAA/CMS impacts made the conversation even more tangible.

Gartner Peer Community