Key Person Dependency Risk or KPDR is the risk that occurs when an organization relies on a few individuals for continued business operations due to their proven knowledge or skill. These individuals may be in leadership positions, but they could just as easily serve in any department, such as IT or HR.
Workforce Turnover Exacerbates Existing KPDR Vulnerabilities
When organizations don’t properly manage their KPDR, their business continuity plans are at risk from workforce turnover. In 2021, more than 47 million employees voluntarily left their jobs for a variety of reasons, including improved work/life balance, company culture, and compensation.
“The Great Resignation is really industry agnostic,” says Andres Franzetti, “The pandemic and the last couple of years has really forced folks to reevaluate both what they’re doing personally as well as work, and the type of environment they want to work in.”
The pre-pandemic talent gap in industries like I.T. and cybersecurity has exacerbated the issue. Now, surviving the Big Quit is not only about evaluating where you have key people in your organization, but is also tied to a larger recruitment and retention strategy, especially where competition for talent is most acute.
Redundancy and Knowledge Transfer Help Mitigate KPDR
Collecting and protecting critical knowledge – information that’s specific to your organization but may not be documented – is the first step toward mitigating your KPDR. Software can assist in developing a knowledgebase that documents Standard Operating Procedures (SOPs) and other important information for greater business continuity. “If a key person were to leave tomorrow, what does the next person need to hit the ground running?” asks J.P. Ruiz, “That’s the mentality an organization has to have when deciding what to document.”
“Additionally,” says Andres “it’s about building up redundancies and succession planning.” The definition of “key person” has evolved from primarily leadership roles after organizations were caught off-guard when large numbers of employees responsible for the day-to-day running of the organization resigned and exposed KPDR vulnerabilities. Using a broader lens to identify key persons means taking stock of the core business capabilities and those who fulfill them, which may include vendors or third parties.
Beyond just documenting critical knowledge, to build resiliency firms must develop and implement knowledge transfer plans that include cross-training and tailored, multi-skill career paths for employees. Unhealthy company culture has been a key drivers of the Great Resignation; leadership can work to change their company culture by showcasing key persons playing a part in educating their coworkers, rather than withholding information to protect their key person status. Cross-trained employees enhance the organization’s ability to weather change, and become pillars of the organization themselves through participating in a new, more inclusive company culture.
Addressing KPDR Reduces Related Risks, Like Insider Threats
Insider threats are another facet of KPDR, which involves risks that originate within the organization and intentionally (or unintentionally) cause harm to the business – from disgruntled employees taking proprietary information to mistakenly clicking on a phishing email that exposes network vulnerabilities. CISA has some effective tools for evaluating insider risk while software can help track role-based access and standardize the process to reduce risk. Additionally, the cooperation of HR and IT can be a winning combination to adequately control onboarding offboarding access to mitigate insider risk at those junctures.
As cyber insurance premiums rise in response to increases in the frequency and costs of cyber attacks, carriers are requiring these kinds of additional controls for coverage eligibility. Companies will find that having detailed incident response plans will help keep insurance costs down for not only cyber, but also liability, employee liability and other types of business coverages.
Outsourcing certain business functions, such as accounting or IT, is one way to free up internal resources while adding skills and redundancy. Traditional key person insurance helps transfer the financial risk of losing a key person and often covers high-level executives. However, with the expanded definition of “key persons,” so must key person coverage evolve to include critical business functions. Cyber policies often contain integrated resources to mitigate risk while insulating companies from the financial losses and augment capabilities for response.
Conclusion
In our current risk landscape, KPDR is a real threat to firms of all sizes and across industries and adequately identifying and addressing key person dependency risk is another way organizations can build operational resilience in the face of complex risks.
VIEW THE WEBINAR RECORDING:
Maintaining Business Continuity & Reducing Key Person Dependency Risk
Have questions? Send us a message.