04 May Key Person Risk
Key Person Dependency Risk is the threat posed to an organization by a team’s over-reliance on one or a few individuals.
Generally, the Key Person or Key People have sole custody of critical institutional knowledge, creativity, reputation or experience that makes them indispensable to the organization’s business continuity and its future performance.
In other words, if this person or people were to leave, the organization would suffer an overwhelming loss of valued experience, skills and expertise.
There is no truer key person risk than that of the IT person. While we generally assume that an IT person oversees everything plugged into a wall, they also manage your organization’s Microsoft licenses, firewall, management tools and much more.
Here are 5 key questions to evaluate your risk:
1.) Will there be significant pain, expense and time to recruit a replacement?
2.) In this white-hot job market, will it be tough to retain and find talent?
3.) Can business continue as usual when an employee is on vacation?
4.) What if an employee leaves without providing documentation?
5.) Or worse, does harm on the way out?
There are inherent costs (and risks) associated with key person risk.
Hiring additional talent to operate as a replacement is critical, but that is hard to do given that most professionals do not stay employed at a single location longer than three to four years. This means that there would be a constant rotation of potential replacements being hired and re-trained every few years. Further, the costs associated with their training, salaries, etc. make this a daunting task.
If your organization has a small to single-person IT team, another way to avoid key person risk is by keeping proper documentation of all processes, operations and critical knowledge. Documenting a key person’s critical knowledge will enable the organization to not only have a living document for reference but will also enable that organization to cross train. This cross-training protocol will establish a succession plan which will ultimately create an employee-level continuity plan.
However, even when a replacement is found and trained—they can still be more bane than boon to an organization.
Consider the situation:
In 2019, Steffan Needham was terminated for poor performance. After his termination, Needham used a former coworker’s Amazon Web Services account to access 23 AWS servers, and promptly deleted all his former employer’s customer data. Further, Needham wasn’t found for 10 months. There are two key factors that make this situation much, much worse. The first is that the company Needham worked for had failed to implement multi-factor authentication, which more than likely would have foiled Steffan’s disruptive attempts. The second key factor was that Steffan was hired to join a technology team of 1 (or, as court documents noted, was being groomed to take over the company’s IT department).
Needham’s story is not uncommon. However, when addressing key person/people risk, one main thing needs to be understood: understaffed IT departments will fall prey to this issue.
At TetherView, we offer managed services which can either eliminate the cost of IT or enable your IT team to focus on their core competencies. We recently released a case study which detailed how TetherView was able to help Lexington Realty Trust’s internal IT manage tickets, save money and ultimately eliminate the dependency on any one person or group of people.