Key person risk in finance is fundamentally a data governance problem, not just an HR concern — it manifests when critical financial knowledge (reconciliation logic, manual adjustments, data transformation rules, exception handling, reporting definitions) exists only in one person’s head. BDO found that 62% of mid-market companies experienced significant disruption when a key finance person left, not because the role was unfilled but because the knowledge was undocumented. The holiday test is the simplest diagnostic: if the month-end close cannot happen while one person is on holiday, you have a key person risk that is also a data governance gap. ACCA reports that 45% of organisations have unclear accountability for financial data. Documentation is the primary mitigation — not hiring a backup. Hackett Group data shows top-quartile finance teams have 80% of their processes documented, versus under 30% for the bottom quartile.
Every finance leader knows the feeling: one person goes on holiday and the month-end close stalls. The board pack is late. The reconciliation nobody else understands sits unfinished. The problem is not absence — it is that critical financial knowledge lives in one person’s head, and the organisation has no mechanism to access it without that person present. This is key person risk, and in finance it is fundamentally a data governance problem, not just an HR concern.
In the mid-market — companies with one to five people in finance — key person risk is not an edge case. It is the default operating model. The controller who built the reporting workbook, the bookkeeper who knows which manual journals are needed each month, the finance director who carries the chart of accounts logic in memory. When that knowledge is undocumented, every month-end is a single point of failure.
The Bus Factor Applied to Finance Data
Software engineers use the term “bus factor” to describe the number of people who would need to be hit by a bus before a project stalls. In most mid-market finance teams, the bus factor is one.
BDO’s Mid-Market Report 2025 found that 62% of mid-market companies experienced significant disruption when a key finance person left. The disruption was not about finding a replacement — it was about reconstructing the undocumented knowledge that person carried: which adjustments are made manually, how intercompany transactions are eliminated, where the source data comes from, and why certain reconciling items exist.
The bus factor in finance is not primarily about people. It is about data processes:
- Reconciliation logic — which accounts are reconciled, how, and against what source
- Manual adjustments — the monthly journals that exist nowhere except in one person’s routine
- Data transformation rules — how raw ERP data becomes the management report
- Exception handling — what to do when the bank feed does not match, when a cost centre is miscoded, or when an intercompany balance does not net to zero
- Reporting definitions — what exactly “revenue” means in the board pack versus the statutory accounts
Each of these represents institutional knowledge. When it is undocumented, the organisation does not have a process — it has a person. And people leave, fall ill, get promoted, or simply go on holiday.
The Holiday Test — A Diagnostic for Knowledge Concentration
The simplest way to identify key person risk in finance is the holiday test. Ask one question: can the month-end close, management reporting, and board pack production happen — at the same quality and timeliness — while each member of the finance team is away for two consecutive weeks?
If the answer is no for any individual, you have identified a key person dependency. The holiday test works because it is concrete, non-threatening, and immediately actionable. It does not require a risk assessment framework or a consulting engagement. It requires honesty.
Running the Holiday Test
For each finance team member, map the processes that would stall or degrade in their absence:
| Team Member | Process at Risk | Impact if Absent | Documentation Status |
|---|---|---|---|
| Controller | Month-end close, board pack | Close delayed 5+ days | Partially documented |
| Bookkeeper | Bank reconciliation, AP/AR | Cash position unknown | Undocumented |
| Finance Director | Forecast model, investor reporting | No forward view | In their head |
This exercise typically reveals that 70–80% of critical finance processes depend on one person — and that fewer than half are documented at all. ACCA’s Global Survey 2024 confirms the pattern: 45% of organisations have unclear ownership and accountability for financial data, meaning knowledge defaults to whoever happens to perform the task.
Knowledge Concentration Mapping
The holiday test identifies the problem. Knowledge concentration mapping quantifies it. The goal is to create a visual inventory of which knowledge sits where and how exposed the organisation is.
Step 1: List Critical Finance Processes
Start with the processes that directly affect reporting quality, close timeliness, and decision-making:
- Month-end close procedure
- Bank and balance sheet reconciliations
- Revenue recognition and cut-off
- Intercompany eliminations
- Manual journal entries
- Management report compilation
- Budget and forecast model maintenance
- Payroll processing and reconciliation
- VAT and statutory return preparation
- Board pack assembly
Step 2: Map Knowledge Distribution
For each process, assess how many people can perform it competently and whether it is documented:
| Process | Primary Owner | Backup Exists? | Documented? | Risk Level |
|---|---|---|---|---|
| Month-end close | Controller | No | Partial | Critical |
| Bank reconciliation | Bookkeeper | No | No | Critical |
| Forecast model | FD | No | No | Critical |
| VAT return | Bookkeeper | Controller (partial) | Yes | Medium |
| Board pack | Controller | FD (partial) | No | High |
A process with one owner, no backup, and no documentation is a critical knowledge concentration risk. In a typical three-person finance team, we find that 60–70% of processes fall into this category.
Step 3: Calculate the Knowledge Concentration Score
A simple scoring model:
- 3 points — single owner, no documentation, no backup
- 2 points — single owner, partial documentation or partial backup
- 1 point — documented process with at least one backup
- 0 points — fully documented, multiple people competent
Sum the scores across all critical processes. A score above 20 (out of a possible 30 for ten processes) indicates severe knowledge concentration risk. Most mid-market finance teams we assess score between 22 and 27.
Why Documentation Is the Primary Mitigation
The instinct when identifying key person risk is to hire a backup. But hiring does not solve the problem if the knowledge remains undocumented. The new hire inherits the dependency — they learn by watching, not by reading, and within months the organisation has two people who carry knowledge in their heads instead of one.
The Hackett Group benchmarks show that top-quartile finance organisations have approximately 80% of their critical processes documented, compared with under 30% for the bottom quartile. The difference is not headcount — top-quartile teams are often leaner. The difference is that knowledge lives in the process, not in the person.
Documentation as mitigation works through three mechanisms:
1. Continuity — The Process Survives the Person
When the controller leaves, a documented close checklist, reconciliation procedure, and reporting template allow anyone with basic accounting competence to execute the process. Not perfectly — but adequately. The difference between a two-week disruption and a two-month crisis.
2. Quality — Consistency Replaces Memory
Undocumented processes drift. McKinsey research on process degradation finds that undocumented procedures lose 2–3% of their quality per month as shortcuts accumulate, exceptions become habits, and the original logic fades from memory. Documentation creates a baseline that can be reviewed, challenged, and improved.
3. Governance — Auditability Requires Written Evidence
Auditors cannot audit what is not written down. BDO notes that 30–40% of audit findings in mid-market companies trace back to unclear ownership and undocumented processes — not to errors in the numbers themselves, but to the inability to demonstrate how the numbers were produced.
Connection to Data Ownership
Key person risk and data ownership are two sides of the same coin. When a data ownership framework assigns explicit accountability for data accuracy, it also forces the question: is this accountability documented or does it exist only in one person’s practice?
The Data Ownership Framework we describe in detail elsewhere addresses this directly. Ownership without documentation is dependency. Ownership with documentation is governance. The distinction matters because it determines whether the organisation can survive a personnel change without a data quality crisis.
Consider the relationship:
| Without Data Ownership Framework | With Data Ownership Framework |
|---|---|
| Knowledge lives in one person | Knowledge lives in the process |
| Accountability is assumed, not assigned | Accountability is explicit and documented |
| Leaving disrupts operations | Leaving triggers handover, not crisis |
| Audit finds gaps | Audit finds evidence |
| Quality depends on individual diligence | Quality depends on systematic controls |
Practical Steps to Reduce Key Person Risk
Step 1: Run the Holiday Test (Week 1)
Identify which processes stall when each person is absent. Document the findings in a simple matrix as shown above. This takes one meeting — not a project.
Step 2: Prioritise by Impact (Week 1)
Not every undocumented process is equally critical. Focus first on processes that affect the month-end close, financial reporting , and cash management. These are the processes where disruption causes immediate, visible damage.
Step 3: Create Minimum Viable Documentation (Weeks 2–4)
For each critical process, create the minimum documentation needed for a competent person to execute it: a step-by-step checklist with the source system, the sequence of actions, the validation checks, and the expected output. This is not a 50-page procedures manual — it is a one-to-two-page runbook. See Documenting Financial Data Processes for a detailed playbook.
Step 4: Test the Documentation (Month 2)
Have the backup person execute the process using only the documentation. If they cannot, the documentation is incomplete. This is the practical test — not a review meeting, but an actual dry run.
Step 5: Establish a Review Cadence (Ongoing)
Documentation decays. Processes change. Schedule a quarterly review of critical process documentation to ensure it reflects current practice. Assign this review to the process owner as part of their accountability.
The Cost of Inaction
The cost of key person risk materialises in three ways:
- Disruption cost — when the key person leaves, the close is late, reports are wrong, and the audit is compromised. BDO’s 62% disruption finding is not a probability — it is a frequency.
- Quality degradation — McKinsey’s 2–3% monthly degradation means that within a year, an undocumented process has drifted materially from its intended design. Errors compound silently.
- Audit exposure — the 30–40% of audit findings attributable to unclear ownership and undocumented processes translate directly to higher audit fees and management letter points that erode board confidence.
For a mid-market company paying £30,000–£80,000 in annual audit fees, a 20–30% increase due to preparation issues (a pattern noted across UK mid-market firms where fees rose 8–12% in 2024–2025) represents £6,000–£24,000 per year — recurring, and entirely avoidable with basic documentation.
Frequently Asked Questions
What is the bus factor in finance? The bus factor is the number of people who would need to be unavailable before a critical finance process — month-end close, reporting, reconciliation — cannot be completed. In most mid-market finance teams, the bus factor is one for the majority of critical processes.
How do I know if I have a key person risk? Run the holiday test: ask whether every critical finance process can be completed at the same quality and timeliness while each team member is on a two-week holiday. If the answer is no for any individual, you have a key person risk.
Is hiring a backup the solution? Hiring helps, but only if the knowledge is also documented. An undocumented process with two people who learned by watching is still fragile — both carry tacit knowledge that cannot be transferred systematically. Documentation must come first or alongside hiring.
How does key person risk relate to data governance ? Key person risk is a symptom of ungoverned data processes. When a data governance framework assigns ownership, documents processes, and establishes audit trails , the organisation’s knowledge moves from individuals to systems. Governance eliminates key person risk by design.
What is the minimum documentation needed to mitigate key person risk? A step-by-step checklist for each critical process: the source system, the sequence of actions, the validation checks, and the expected output. One to two pages per process. For a ten-process finance function, that is ten to twenty pages total — achievable in two to four weeks.
Related Reading
- Data Ownership Framework — assigning explicit accountability for financial data
- Documenting Financial Data Processes — the practical playbook for capturing institutional knowledge
- Financial Data Governance Framework — the overarching governance structure
- Financial Data Quality Checklist — validation controls that reduce person-dependency
- Single Source of Truth in Finance — ensuring definitions survive personnel changes
- Financial Data Governance — Why It Is the Foundation of Trustworthy Reporting — the broader case for governance
- FP&A Maturity Framework — maturity levels that require documented processes
Sources
- BDO Mid-Market Report 2025 — 62% of mid-market companies experienced significant disruption when a key finance person left
- ACCA Global Survey 2024 — 45% of organisations have unclear accountability for financial data
- McKinsey — “The Data-Driven Enterprise” 2024 — undocumented processes degrade 2–3% per month
- The Hackett Group — top-quartile finance teams: 80% of processes documented vs. under 30% bottom quartile
- BDO Audit Quality Report 2025 — 30–40% of audit findings trace to unclear ownership and undocumented processes
- Gartner — organisations with defined data owners experience 3x fewer data quality incidents
Martin Duben is the founder of Onetribe, where he helps mid-market finance teams build governance frameworks, reporting infrastructure, and data foundations that do not depend on any single person. With experience spanning controllership, FP&A, and finance redesign across multiple industries, he focuses on making financial data trustworthy, documented, and audit-ready.