Engineers obsess over single points of failure. We build redundant servers, backup databases, and failover systems so that no one machine going down can take the whole thing offline. Then we walk past the real single point of failure every morning and say good morning to it, because key person risk business owners face is almost never a server. It is a person.
There is usually one employee who holds the whole operation together. They know the passwords, they remember the process nobody wrote down, and the important customers call their personal number. Everyone agrees they are invaluable. That word, invaluable, is the warning sign.
If that person resigns tomorrow, gets sick for a month, or simply takes the vacation they have earned, how much of your business stops working? Most owners have never honestly run that scenario. Let's run it.
Run the "Resigns Tomorrow" Test on Every Critical Function
You do not need a fancy framework. You need one uncomfortable question asked about each part of your business: if the person who does this walked out today, what breaks and how badly?
Go function by function:
- Finance. Who can access the bank accounts, run payroll, and reconcile the books? If it is one person, that is key person risk in its purest form.
- Technology. Who holds the server logins, the domain registrar account, the code repository, the payment gateway keys? If your developer vanished, could anyone else even log in?
- Sales and key accounts. Which relationships live in one person's phone and one person's head? When they leave, do the customers leave with them?
- Operations. The daily process that keeps orders moving, is it written down, or does it exist only as muscle memory in one person?
For each function, rate the damage honestly: a minor inconvenience, a painful few weeks, or an existential threat. Most owners find at least one existential threat they had been comfortably ignoring, usually because the person is loyal and it felt disloyal to plan for their absence.
Planning for someone's absence is not distrust. It is respect for the business and, frankly, respect for them. Nobody should be so trapped by their own indispensability that they cannot take a real holiday.
Why This Risk Hides in Plain Sight
Key person risk business owners tolerate because the loyal, capable employee is genuinely making things run smoothly today. The cost is invisible right up until the day it is catastrophic.
It hides for a few reasons:
- Competence masks fragility. The better the person is, the less anyone notices how much depends on them alone.
- Documentation feels like overhead. Writing down what one person already knows feels like paying for something you already have. You are actually buying insurance.
- Asking feels awkward. Requesting passwords and process documents from a trusted person can feel like an accusation. It is not, and framing it as basic continuity hygiene fixes that.
This is the same failure of imagination that leaves businesses exposed elsewhere, and it pairs closely with the thinking in The Year-End Security Audit You Can Do in One Afternoon. Both come down to one question: what happens when the thing you rely on is suddenly not there?
The Defusing Playbook
Once you have found your single points of failure, defusing them is straightforward. Not always comfortable, but straightforward. Three moves cover most of it.
1. A Shared Credentials Vault
No critical login should live in one person's memory or one person's personal notes app. Put them in a proper password manager that the business owns, with access granted by role, not by favor.
- The business owns the master account, not an individual employee.
- Access is granted per role and revoked the day someone leaves.
- No shared account uses a password that only one person knows.
This single step removes a huge share of technology-related key person risk. The day someone leaves, you are not locked out of your own systems.
2. Recorded Walkthroughs
You do not need a polished operations manual. You need the knowledge out of one head and into a form someone else can follow. The fastest way is a screen recording with narration.
Ask each critical person to record themselves doing their core process, talking through it as they go. Fifteen minutes of "here is how I close the books" or "here is how I process a return" is worth more than a document nobody writes. Store these where the business, not the individual, controls them.
3. Enforced Leave as a Stress Test
Here is the move most owners skip, and it is the one that actually proves your work. Make the key person take a full week off, unreachable, and see what breaks.
This does two things. It reveals the gaps your documentation missed, because the person is not there to quietly fill them. And it forces the rest of the team to actually use the vault and the walkthroughs instead of just texting the expert. A dependency you have never tested is a dependency you do not understand. Banks enforce mandatory leave for exactly this reason, and it works.
Practical Takeaways
Treat your people-dependencies with the same seriousness you would treat a server with no backup:
- Audit every critical function. Ask what breaks if each person resigns tomorrow, and rate the damage honestly. Find your existential threats.
- Own your credentials. A business-owned password vault, access by role, revoked on exit. This defuses most technical key person risk on its own.
- Get the knowledge out of the head. Short recorded walkthroughs beat unwritten operations manuals every time.
- Stress-test with real leave. A week of enforced, unreachable absence is the only honest proof that your business does not depend on one irreplaceable person.
The goal is not to make anyone less valuable. It is to make sure the business survives their day off, their sick week, and eventually their departure. If you want help mapping where your business is quietly fragile and building the continuity to fix it, that is work I take on as a technical partner.