Is your business at risk because critical functions or knowledge are vested in one person? What happens if this person wins the lottery and resigns, or worse still, is hit by a bus? The bus test is a thought experiment for considering and exploring the consequences of losing a critical person from the business. In some cases, a warning of impending change is available, such as the receipt of a resignation letter, but in cases such as personal injury or fatality the changes are instantaneous, and businesses need to be resilient to such challenges.
In the case of small businesses, the death of one person can result in the death of the company, and consequently key person insurance policies have become popular. Essentially, the business takes out an insurance policy on key members of staff, pays the necessary premiums, and is the beneficiary of the policy in the event of death or injury that prevents the key person from working.
Large businesses also have the option of taking out key person insurance. However, the issue is that staff often become key persons over time. Undocumented activities and processes become ingrained into the daily routine, others become dependent on them, and it becomes business as usual without further consideration.
Common signs of a failed bus test include:
- Being unable to achieve something because someone has taken the day off. The key is to make sure that everything can be done by more than one person and there are no dependencies on specific individuals.
- Requesting information from a department and being told ‘Joe is the expert, you will need to speak with him’. Knowledge critical to the day-to-day running of the business should always be shared between team members and fully documented.
- Individuals within the business keeping crucial information to themselves and being evasive when asked, rather than openly sharing their knowledge with others. There is a general misconception on the part of some staff that if they are the only person who knows something, or is able to do something specific within their working environment, their employer will be compelled to keep them or pay more for their work. In practice, the reverse is true: it is less risky to remove them than to be held over a barrel.
- Staff using a different approach, different tools, or different software from everyone else to get the job done. Having a standard way of working and using specific software means that work will be transferable between staff. One person choosing a different programming language from everyone else, for example, could make it impossible for it to be maintained by others in the team.
Avoiding scenarios which fail the bus test requires a different mindset:
- Adopt the notion that process is equal to, or more important than, the end result.
- Ensure that all actions within the business are documented and repeatable.
- Remember that people follow processes, and processes deliver consistent results.
- When you complete business recovery exercises, randomly remove people who have been ‘impacted’ by the scenario and see how the recovery progresses without them.
Information security consultant with over 20 years’ extensive experience gained across a diverse range of private and public industry sectors including insurance, banking, telecommunications, health services, charities and more, both in the UK and internationally. Graduated in 1997 with a software engineering degree and specialising in cyber security, risk analysis, compliance reporting and access management.