A few months ago, a friend of mine got caught up in a political situation he did not choose. These things happen more often than we like to admit, and they are rarely fair. He had to be away from his life, his family, and his company for a long time.
His business did not stop because of the politics. It stopped because of the keys.
Nobody else had access to the bank account. Employees who had nothing to do with any of it could not get paid. Nobody had access to the cloud admin account either, so when the card on file expired a couple of months later, the providers started doing what providers do: they shut the servers down. Customers in the dark, payroll frozen, infrastructure disappearing - not because the business failed, but because one man was unreachable.
I stepped in to try to mitigate the damage. What followed was a journey I would not wish on anyone, and one I think every founder should hear about before it is their turn.
The Recovery Nobody Plans For
Trying to take over an account you do not own is a humbling exercise. From the provider’s point of view, you are exactly what their security procedures exist to stop.
We started with email, because email is the master key to everything else - every password reset, every invoice, every provider warning lands there. Then the cloud accounts. The official recovery paths at Google and Microsoft come down to the same thing: prove you control the company’s domain by planting a DNS record, then wait, then explain yourself. It works, eventually. It is not designed to be fast, and it should not be.
The bank was a dead end. No second signatory, no mandate, no power of attorney means no access - not for the employees, not even for his wife. An attorney is now working to get her access. It is still ongoing, and nobody can tell us how long it will take.
Every one of those recoveries replaced something that could have been a five-minute setup task, done on any calm Tuesday before the storm.
Why Serious Companies Trust No One
There is a reason banks force certain employees to take their vacation. The FDIC has formally endorsed it since 1995: officers in sensitive positions should be absent for at least two uninterrupted weeks, precisely so that someone else has to perform their duties. The Basel Committee’s core principles for banking supervision name the companion rule - the “four-eyes principle”: segregation of duties, cross-checking, dual control of assets, double signatures.
None of this is bureaucracy for its own sake. It is an institution admitting something uncomfortable: it does not know if any given person will be there tomorrow - or what that person might do if nobody else is looking.
When the Canadian crypto exchange QuadrigaCX collapsed, the story everyone repeated was that founder Gerald Cotten died holding the only keys to the wallets. What the Ontario Securities Commission actually found was worse: Cotten had been the only person in control of client assets since 2016, and that monopoly is what let him run the platform, in the regulator’s words, “like a Ponzi scheme” - undetected, until 76,000 clients were owed C$215 million. His death did not lock the money away. His sole control meant nobody could see that most of it was already gone.
Concentrated access fails in both directions. If the one person disappears, everything freezes. If the one person goes wrong, nobody notices.
And this is not just a company instinct. Japan currently has a bill before its parliament to designate a “second capital” - a district in another city, ready to carry the government’s core functions if Tokyo is knocked out by a catastrophic disaster, like the mega-earthquake its own scientists place in their highest risk class for the next thirty years. Predictably, the fight over which city gets the job is already messier than the principle itself. But the principle stands: a whole nation looked at its capital and saw a single point of failure.
We hear “single point of failure” and we picture a server, a database, a load balancer. We architect around it in our systems all day, and then we go home and run our companies through one phone, one inbox, one signature.
A single point of failure is not a technical term. It is a person.
Usually the founder. Usually you.
The Company of One Is the Most Exposed
Software teams have had a name for this for thirty years: the bus factor, commonly traced to a June 1994 Python mailing-list thread that asked, bluntly, “if Guido was hit by a bus?” - Guido van Rossum being Python’s creator and, at the time, its single indispensable maintainer. So no, none of this is a new idea. There is even an international standard for business continuity, ISO 22301. The knowledge is old. The gap is in who applies it.
Because “build redundancies” sounds like advice for companies with an HR department and a risk committee. It is the opposite. The smaller you are, the more of the company lives in one head, one inbox, one wallet.
And the numbers say most of us are running exposed. In PwC’s 2021 global family business survey, only 30% had a robust, documented and communicated succession plan. In Nigeria it was 25%. In East Africa, 21%. And those are established family businesses - the ones with the most to lose and the most people watching. A company of one or two rarely has even that.
Notice what a succession plan actually is, too. It is not paperwork about who holds the passwords. It is about whether the direction survives - what the business is becoming, and who else could carry that forward.
Your customers do not care that you are small. If they depend on you, the business has to go on - especially then.
The One-Page Continuity Plan
Not a 40-page binder. A short list that answers one question: if I am unreachable for six months starting tomorrow, what breaks, and who can fix it?
- The bank. A second signatory, or at minimum a documented mandate. “My spouse knows my PIN” is not a plan; it is a liability for the spouse.
- Cloud, domains, email. Admin access held by more than one person. Billing contacts and cards that do not expire with one individual.
- Passwords. A password manager with emergency access configured, so the vault outlives the phone.
- Payroll. At least one other person who can actually run it, and has done it once.
- The one-page document. Where things are, who to call, in what order. The document we have been reconstructing from the outside, under pressure - you can write it in an afternoon.
- The vision. The keys keep the lights on; they do not tell anyone where you were going. Write down what you are building and why - the direction, the commitments you have made, the decisions in flight. Someone can run payroll perfectly and still let the company die of drift.
- The legal layer. A power of attorney, and yes, a will. For personal accounts, the tools already exist: Google’s Inactive Account Manager, Apple’s Legacy Contact. Five minutes each.
- Test it. Can the second person actually log in, today? Untested redundancy is a hope, not a plan.
Every item on that list is something we had to rebuild the hard way, from outside, while the clock ran and people waited on their salaries.
The Honest Reckoning
Redundancy is not free, and pretending otherwise would be dishonest.
Sharing access means trusting someone, and trust can be betrayed. QuadrigaCX cuts both ways here: simply handing a full copy of the keys to one more person does not fix concentration, it doubles it. The banking rules got this right decades ago - the answer is controls, two people and a paper trail, not duplication.
Some founders genuinely have no second person. There are workarounds - emergency-access features, documents held in escrow with an attorney, a reciprocal arrangement with a trusted peer - and every one of them is weaker than a real partner. That is worth admitting rather than papering over.
And in some places, the exposure is not only practical. There are contexts where formally naming who controls what can itself put people at risk. I will not pretend the calm Tuesday setup task is equally simple everywhere.
Mostly, though, I have to implicate myself. I did not have all of this in place either. I am an architect; I design for failure professionally, and my own affairs assumed I would always be reachable. It took watching someone else’s servers go dark to start fixing that.
The Part We Do Not Like to Think About
We always assume these things happen to other people. My friend assumed that too. He did nothing wrong - and his employees were still left wondering if the company would survive him being away.
We take cars. We take planes. We go on trips. Nobody plans to not come back.
Preparing for it is not pessimism, and it is not just estate planning. A will protects your family. Redundancy protects everyone else who depends on you - the employee who needs the first of the month, the customer who built on your service, the spouse left negotiating with a bank.
So, two questions, the same ones I now ask myself. If you were unreachable starting tomorrow, who gets paid on the first of the month? And who could tell your team where you were taking all of this?
I hope you never need the answers. Prepare them anyway.

