Going Back to the Office: Determining Key Personnel Risk in a New Reality

Team leads around the world know the feeling. The late-night text from a trusted colleague: “This is Mike. I don’t feel well, not sure I’ll be able to work the next few days.” Not a big deal, you think to yourself, a few days is doable. The team’s new high-profile project is in the planning phase and, so far, all systems and Mike’s daily responsibilities are running smoothly. A few days pass and Mike is still out. That big project is nearing the first visible deadline. He emails in a doctor’s note: “ugh – COVID – out at least 2 more weeks.” To make matters worse, the 14 days bleed into monthly testing of key systems and interfaces, where again, Mike is key. The deadline for that project is missed. A couple of systems begin to lag because regular project management is not occurring. Again, Mike is key. Now what? Where else is Mike key? In less than two weeks, the unavailability of one resource has created considerable problems for the organization.

Determining Key Personnel Risk

As concerns of the COVID-19 pandemic slowly begin to transform, companies are contemplating critical decisions on how to best return to the office while evaluating the various risks that will arise due to these decisions. One risk associated with returning to the office is certain and stands out among the rest: employees will be exposed to elevated risk as their contact with others, and non-isolated environments, increase. This heightened key-person risk requires mitigation efforts to ensure operational strategies, efforts, focus and objectives remain intact. As part of an enterprise business continuity management program, key-person risk should be considered as resumption plans are developed and activated. These mitigation efforts should include disciplined steps, at the organization level, to evaluate personnel’s influence and to determine operational impacts associated with each employee’s potential absence. The identification of key skillsets, extent of reach across an organization, and depth of knowledge associated with each person is a straightforward concept but challenging to implement and maintain.

One approach that can be leveraged to identify key personnel is developing a rule-based risk model to assess the quantitative impacts and qualitative likelihood of absenteeism for each employee. The use of a rule-based risk model allows the organization to focus on objective criteria and detach subjective inputs. Objective criteria an organization may consider including in the risk model are:

  1. An employee’s input into maintaining or supporting daily operations and business as usual
  2. Collateral responsibilities (e.g., business continuity plans, disaster recovery plans)
  3. Ease of replacement as it relates to an employee’s primary role and collateral responsibilities

Additionally, it is important to note that organizations will differ based on structure and leadership risk tolerance. These objective criteria set a foundation for the organization to build on while remaining flexible enough to quickly pivot. To understand the overall risk, the potential impact must be coupled with the relevant likelihood of absenteeism. For example, during a pandemic, the infection of an employee is important to consider, but incorporating hospitalization rates and population density to determine absenteeism likelihood gives a more complete view that can support actionable management insights. Additionally, the data feeding the model needs to allow for regular updates, as metrics will change daily based on the state- and county-level data available. A recognized resource for pandemic statistics and information on the current pandemic is the COVID-19 Dashboard by the Center for Systems Science and Engineering (CSSE) at Johns Hopkins University (JHU), which provides daily state- and county-level infection and hospitalization rate updates.

Finally, with the current pandemic as a use case, the model becomes even more relevant when it also integrates a qualitative metric that allows for the nuances of what each person brings to their role beyond the tacit and objective data points. That understanding can then inform succession planning strategies across any size organization.

The value provided by the above approach can be found in the conceptualization of employee impacts and likely absenteeism. Management should be equipped with this information to gain insight into their workforce and use it to inform management decisions. Ultimately, mitigation efforts for key personnel risk should lie within leadership’s purview.

Return to the Office

As back-to-office efforts are planned and implemented, there are several factors that management should consider. The first step should be the clear alignment of at least one alternate for those roles and skillsets deemed high-risk, while also formally capturing those alternates in documentation such as business continuity and disaster recovery plans. Further, once alternates are identified, a clear and disciplined approach to keeping these resources apart should be in place. This approach decreases the likelihood of both resources being unavailable over the same period. Additional mitigation efforts impacting personnel risk while returning to the office may include:

  1. Splitting teams and implementing a ‘shift work’ schedule
  2. Developing a seating chart in shared office spaces that limits face-to-face work and spacing that does not allow for social distancing
  3. Restricting the use of common areas and shared resources, e.g., coffee makers, refrigerators, conference space, phone rooms, etc.


The challenges that arise in the implementation of this approach primarily exist at the data level. The format, design, likely sync issues and various sources of that data result in a need for initial normalization. Without this first step, the ability to accurately and objectively quantify impact criteria decreases significantly. Indeed, organizations may find that once data is received, the implementation of process improvements may be a temporary, though necessary, deviation from the planned approach. Outdated data requires updating while a sync issue may point to data integrity concerns. Ultimately, any data issue will require process improvement to be implemented and actionable. The data challenges can be difficult to address, but process improvements at the onset are necessary for a leverageable data set and actionable risk model.

Challenges may also present themselves when defining criteria for the risk model. The risk model must be objective to provide value for managers and the business. Leveraging subjective criteria to perform an analysis with the risk model presents skewed results influenced by manager bias. Skewed results may disproportionally influence management and result in misplaced focus toward employees who may not be at a higher risk. The best way to prevent subjectivity when management input is required is to include a rule-based approach in the risk model grounding the model in objectivity rather than subjectivity.

Looking Beyond the Pandemic

Any approach that evaluates key personnel risk can, and should, be expanded beyond the use case of COVID-19. Implementing a tool that leaders can leverage to understand key-person risk can better equip organizations to identify areas of potential concern. It is said that knowledge is power, and any forethought that can influence a response – versus a reaction – to specific events (e.g., cones of uncertainty for severe weather or localized events) can be extremely valuable. Employees are at the core of every business and, in the long run, keep a business operational. The evaluation of key personnel risk is critical for an organization’s longevity and ability to withstand adverse events.

To learn more about how Protiviti can support your COVID-19 recovery efforts, contact us.

Dugan Krwawicz

Associate Director
Technology Strategy and Operations

Richard Colesante

Senior Consultant
Technology Consulting
