When Is Employee Retention A Resiliency Issue?
Posted April 11, 2024 by Kevin Finch
A couple of decades ago, back when I was working as a System Administrator, I had a contracting gig working for a utility company. As utilities go they were fairly small, but they were still a large company with a few thousand employees. There were probably a half-dozen of us there working as System Administrators, maintaining their Microsoft Active Directory, Microsoft Exchange servers, general file shares, and phone switches.
Back in those days, one of the things that we fought off from time to time was Exchange email worms. Old timers out there remember how those worked: someone would preview an email without even opening it, and then embedded scripts in the email would make it send copies of itself out to everyone in that user’s contact list (thanks to flaws in Internet Explorer). Then everybody that opened one of those copies would unwittingly send a copy of it to all of their contacts, and so on. It was not uncommon for a single email entering that utility company to spawn several million copies flooding around the two dozen email servers that we administered. This was back before email filtering had really developed, so the only way to do a purge was to have a high-level administrator, with the administrative password to the entire Exchange environment, go in and delete those millions of messages. Otherwise, the servers would be paralyzed processing those messages that continued to propagate as various users opened copies of the infected email.
Not too long after I left there for a permanent job, that utility company laid off several IT people as a cost-cutting measure, and one of the people they laid off was the head of their Exchange server team. In doing so, they got rid of the only person that knew their administrative password. Their next email virus hit a couple of days later, and the company quickly realized that they had no way at all to fix the problem.
“Don’t it always seem to go… That you don’t know what you’ve got ’til it’s gone?”
Joni Mitchell, Big Yellow Taxi
I know this is kind of an extreme example, but if you talk to anybody that’s worked in IT for a while they probably have their own version of a story just like this. That administrator leaving the company didn’t cause the outage that shut down email, but when his expertise and knowledge walked out the door, their ability to respond to that issue walked out right along with him. Extreme or not, I think this story is nearly an ideal example of the way that employees leaving the company can turn into a resiliency issue. Even the happiest employees may end up leaving your company for one reason or another, and when they do, it’s vitally important to make sure that your business can retain critical information from those employees.
It’s not just passwords, though; it can also be critical expertise. A manufacturing company I worked for more recently, in order to avoid having layoffs, offered many employees a generous early retirement package. While that works well as a cost-saving measure, a program like that can also have unintended consequences. There were several engineering departments where over 50% of the employees decided they wanted to take the early retirement package – one department had over 70%. When a situation like that happens, it’s vital to not let your knowledge workers take all of that knowledge with them when they walk out the door. Decades of experience, tribal knowledge about the manufacturing process, and the competitive environment in that industry were getting ready to walk out the door. One of the first things we did with that group of engineers was sit them down and do an exhaustive Business Impact Analysis (BIA), detailing business process dependencies throughout the organization. That helped ensure that much of that tribal knowledge stayed with the company, rather than leaving.
“We only know what we know when we need to know it.”
Dave Snowden, Management Consultant
I think situations like this highlight the need for documenting recovery processes, and documenting them in enough detail that the recovery can easily be handled by someone besides your designated subject matter expert. If only one person knows how to recover your data and they’re not available to do it, a minor outage can turn into a catastrophic one very quickly.
Situations like this also reinforce the idea of updating your BIA data and recovery plans annually. (This is following best practices, by the way.) Even minor changes in your environment can cause your plans and recovery processes to become outdated. If the only link between an outdated plan and reality is knowledge held by a handful of employees, then the state of your documentation can easily put your business at risk.
It isn’t just that the cost of replacing an employee can be up to twice what their annual salary costs you, or that higher employee turnover is directly correlated to lower profitability in almost every industry. Efforts to collect employee knowledge about your business can help make you more resilient when an emergency strikes, and asking people about their work might even make them less likely to leave your company.
Oh, and that utility company I worked at got lucky. That recently-laid-off Exchange administrator volunteered to come in and fix it for them right away, and didn’t charge them a dime.
“Luck is great, but most of life is hard work.”
Iain Duncan Smith, MP
Worried about collecting and analyzing your employees’ knowledge to help your business stay more resilient? Sayers is here to help. Our Business Resiliency team has tools and techniques to help you see where vital knowledge lives in your company, and can help you create strategies to better protect your business from interruptions.