In a recent blog we talked about mitigating key person risk and the challenges that can involve (Loss of Critical Knowledge and Skills – How an EA Tool can Help). We have since been asked how we would approach key person risk, so this article builds on that previous blog to suggest how you can address key person risk and the next steps you should take.
There are two approaches you can take: bottom-up or top-down. Which is right for your organisation will depend on your specific circumstances. Read on to understand more:
Top Down Approach to Key Person Risk
With a top-down approach, you focus on the business processes and work down from those to see if you have any risks. The first step is to understand the critical business processes in your organisation. Once you have identified those, you need to understand the following for the critical processes:
- The people that support the processes
- The applications that are used to support the processes
- The technology that underpins those applications
- Who supports the applications and the technologies in turn.
Once you understand the above, the next step is to document the skills that the people supporting the processes, applications and technologies have, and then understand whether they are unique to each person, or whether there is coverage across the organisation that would allow someone else to pick these areas up.
As an example, you may have a critical business process that is supported by an application written by one individual. The question is, if that application stops working, how many people can help fix the problem? If the answer is only one, then a key person risk is present and needs to be managed, as you now have a critical process that has a dependency on a single person. A real-world example at one of our clients uncovered an application supporting a critical process that used a Paradox database, which only one person in the organisation had experience of. It was only by mapping the critical processes and working down from there that we understood the risk and were able to take the appropriate action.
Bottom up Approach to Key Person Risk
The second approach is to work from the technology stack back up. This makes sense when you know you have reliance on specific individuals, or you know there are technologies that are not commonly used. In the previous blog we talked about one company where the whole reporting system was reliant on one individual, who wrote and managed the software that supported the process. Any system problems had to wait until that individual fixed the issue. While that is clearly not a great position, the biggest issue racing towards the organisation was that the individual was nearing retirement.
In a bottom-up approach, the first step is to identify these individuals (or technologies), document the key skills that only they hold, and then plan the de-risking of that key person risk. Prioritise who to target based on the criticality of the systems or processes involved.
Once you have identified the key person risk and the criticalities, what do you do?
- Inform management of the processes/systems at risk and the unique skills of the key person(s) – management can occasionally be indifferent to key person risk conversations, but a picture showing criticality and impact can often focus their minds
- Assess the transferability of these skills:
  - If transferable, identify potential successors
  - If not, explore alternative solutions
- Decide on the most viable option
- Develop a plan to reduce the risk
- Concurrently, conduct ‘what-if’ scenarios to prepare for the unexpected departure of the key person
Experience tells us that in the event of a critical resource leaving, the world doesn’t stop, but it is very painful (and sometimes very costly) for a while. Early planning and proactive mitigation of risk can save long term costs and reduce business risk significantly.