The Hit by a Bus Protocol - Building a Business That Survives Your Absence for Business Continuity
- Erik Cocks
- Mar 19
Why Your Business Must Survive You
It’s March 2024, and Sarah, founder of a 12-person marketing agency, gets into a car accident on her way to the office. She’s alive but hospitalized for six weeks. Within 48 hours, her team realizes they can’t access the company bank account. Payroll is in five days. The password to their project management system? Only Sarah knows it. Their biggest client needs a contract signed by Friday, but no one has signing authority.
This scenario plays out across thousands of businesses every year. Unexpected events like this can cause serious business disruption, leading to operational interruptions that threaten the survival of the company. The “hit by a bus protocol” isn’t morbid—it’s a practical framework for making your business operationally independent from any single person, including you. Think of it as a business continuity plan specifically designed to protect against the sudden absence of key people, whether due to illness, burnout, parental leave, or worse.

The examples are painfully common:
Payroll doesn’t run because only one person knows how
A key client gets angry because their account manager is the only one with context
Critical systems stay locked behind a single password
Vendor payments stop because approvals bottleneck at one desk
This article is for owners, founders, and leaders of small and mid-sized businesses who recognize they’ve become a single point of failure. To ensure your business is prepared for unexpected disruptions, you need to proactively address these vulnerabilities. By the end, you’ll know the concrete steps, documents, and systems to put in place within 90 days to make your company survivable—and even thriving—without you.
Business continuity planning and disaster recovery are often part of the same conversation, as both are essential for operational resilience, even though they address different aspects of keeping your business running during and after a crisis.
Step 1 – Map Your Single Points of Failure
Before you can protect your business from disruption, you need to identify where you’re most vulnerable. This means finding every “bus factor 1” risk—tasks or access that depend entirely on one person.
The term “bus factor” comes from software development: it’s the minimum number of team members who must be “hit by a bus” (or otherwise disappear) for your operations to fail. A bus factor of 1 means one person’s absence halts everything. Consider a 15-person agency in 2025 where only the founder can approve invoices or access the Stripe account. If she’s unavailable for 30 days, cash flow stops completely.
The 60–90 Minute Audit Process
Set aside 90 minutes and work through this process:
List all critical functions: Sales, finance, delivery, HR, compliance, IT, customer support
For each function, identify the current owner: Who performs this task today?
Ask the key question: “If this person disappeared for 30 days, what stops completely?”
Apply this question to specific operations:
Client onboarding
Payroll processing
Domain and hosting renewals
Vendor payments and expense approvals
Contract signatures
Password resets and system access
Responding to security incidents
Structure Your Findings
Organize your audit results in a simple format with these columns:
Function | Current Owner | Backup Person | Risk Level | Next Action
For example:
Function: Payroll processing
Current Owner: CFO (Maria)
Backup: None
Risk Level: Critical
Next Action: Document SOP and train office manager
By the end of this audit, you should have:
A prioritized list of the top 10 critical tasks that must keep running if you’re out
Clear visibility into which employees are bottlenecks
A risk assessment identifying your most vulnerable operations
Specific next actions for each high-risk area
This business impact analysis becomes the foundation for everything that follows.

Step 2 – Document the Non-Negotiables (Your Minimum Viable Operations) for Business Continuity
Now that you’ve identified potential risks, focus on documenting the smallest set of processes that must work for 30 days without the owner. Standard operating procedures (SOPs) are a set of step-by-step instructions for performing a routine activity.
This is your Minimum Viable Operations (MVO)—the essential systems that keep cash flowing in, cash flowing out, and clients served. SOPs should be followed the same way every time to guarantee that the organization remains consistent and complies with industry regulations and business standards.
Comprehensive documentation is crucial for ensuring that anyone can step in and maintain operations. A well-crafted SOP offers clear direction and instruction specifically designed to avoid deviations, which is necessary for maintaining compliance and delivering quality products. Documenting and following recommended practices is essential for operational consistency.
What Qualifies as MVO?
Think about what happens if these activities stop for even a week:
Issuing invoices every Friday
Running payroll on the 1st and 15th
Responding to top-tier client tickets within 24 hours
Processing customer payments
Paying critical vendors on schedule
The 8-12 Processes Every Business Should Document
Regardless of your industry, these routine operations need clear documentation:
Invoicing and accounts receivable – How to create, send, and track invoices
Payroll processing – Step-by-step instructions for running payroll
Bank transfers and cash management – How to move money and maintain data backups
Expense approvals – Who can approve what amounts
Client onboarding – How new customers get set up
Incident response – What to do when things break or when you need to report suspicious activity
Password resets and access management – Maintaining data security and strong passwords
Contract signatures – Who can sign and the process for execution
Domain and hosting renewals – Preventing website outages
Vendor payment processing – Keeping the supply chain running
Creating an Effective SOP
Each process should become a standard operating procedure—a 1-2 page document with:
Purpose: Why this process exists
Tools used: QuickBooks, Gusto, Google Workspace, etc.
Detailed instructions: Step-by-step tasks anyone can follow, written in active voice to ensure clarity and ease of understanding
Who is responsible: Primary owner and backup
Frequency: Daily, weekly, monthly
Get out of trouble: Recommended solutions to potential problems that may arise during the process
An effective SOP turns tribal knowledge into documented procedures that any trained team member can execute.
Example: How to Run Payroll on Gusto on the 1st of Each Month
Here’s a mini-walkthrough in bullet narrative form:
Log into Gusto at gusto.com using credentials stored in the team password vault
Navigate to “Run Payroll” from the main dashboard
Review employee hours imported from the time tracking system
Verify any PTO or sick time adjustments submitted by managers
Check for any new employees added since last payroll
Review and approve the payroll total (verify it matches the expected range from last month ±10%)
Submit payroll by 10 AM local time to ensure direct deposits process on time
Save the payroll report as PDF to the Finance > Payroll > 2025 folder
Notify the CEO via Slack that payroll has been submitted
This documentation prevents the chaos of missed salaries if the finance lead is suddenly absent. When procedures exist, new employees can be trained quickly, and the team can answer questions without hunting down the one person who “just knows” how it works.
Step 3 – Build Your “Hit by a Bus” Vault (Access, Assets, and Accounts)
Documentation is only useful if people can find it when they need it. Creating a secure, accessible file containing passwords, bank accounts, vendor contracts, client contacts, and insurance policies is essential for business continuity. Your hit-by-a-bus vault is a secure, centralized place where the right people can access critical information if you’re unavailable, and managing digital files or records—such as support tickets and security documentation—ensures that nothing important is overlooked.
What Goes in the Vault?
Master Account List
Bank accounts and payment processors (routing numbers, account contacts)
CRM and email marketing platforms
Domain registrars and hosting providers
All critical SaaS tools with login methods
Key Documents
Operating agreement and corporate documents
Insurance policies (general liability, D&O, cyber)
Major contracts with customers and vendors
Employee handbook and HR policies
Emergency Contacts
Business attorney
Accountant/CPA
IT administrator or managed services provider
Key client contacts
Insurance broker
Tools for 2024-2025
Several methods work well for building this vault:
Password managers (1Password, Bitwarden) with shared vaults for sensitive information and credentials
Cloud storage (Google Drive, SharePoint) with a dedicated “Bus Protocol” folder and restricted access
Encrypted backups stored offsite or with a trusted third party
Physical backup (optional) – printed emergency sheet in a safe or with your attorney
Structure Your Vault in Clear Sections
Finance
Bank account access procedures
Payment processor logins
Accounting software credentials
Tax filing resources
Legal
Operating agreement
Buy-sell agreement
Key vendor contracts
Insurance policy documents
Operations
Master SOP folder
Client delivery playbooks
Vendor contact list
Government agencies contact information (for compliance reporting)
Technology
Domain registrar access
Hosting provider credentials
Email and communications systems
Security tools and monitoring access
People
Org chart with responsibilities
Emergency contact list
HR system access
Benefits administration
Access Rules and “Break Glass” Protocols
Define who gets what level of access:
Full access: CEO, COO, and one trusted board member
Read-only access: Department heads (only their relevant sections)
Break glass access: Instructions for when both primary users are unavailable (e.g., sealed envelope with attorney, or emergency contact who can grant temporary access)
Establish version control and schedule quarterly review dates—first Monday of January, April, July, and October—to keep logins, contact details, and documents current. Outdated plans are nearly as dangerous as no plan at all.

Step 4 – Design Clear Authority and Decision-Making Pathways
Surviving your absence isn’t just about passwords and documents. It’s about ensuring someone can decide what needs to happen—and act on it—within clear limits.
Decision Charters and Delegation of Authority
A decision charter defines who can make which decisions and up to what threshold. Without this clarity, your team either freezes (waiting for you) or makes decisions that create compliance or financial problems.
Examples of delegated authority:
Who can sign contracts up to $10,000? Up to $50,000?
Who can issue refunds to customers?
Who can approve new hires or terminate employees?
Who can commit to 12-month vendor agreements?
Create a One-Page Authority Matrix
Structure this as a simple reference document:
Decision Type | Threshold | Authorized Role | Notes |
Approve expenses | Up to $5,000 | Department heads | Over $5K requires COO |
Client discounts | Up to 15% | Head of Sales | Over 15% requires CEO |
Sign contracts | Up to $25,000 | COO | Over $25K requires CEO |
Issue refunds | Up to $1,000 | Customer Success Lead | Over $1K requires CFO |
Approve hiring | Any | CEO or COO | Budget must be pre-approved |
A Concrete Scenario
Imagine you’re offline for 3 weeks. Your largest client demands a 20% discount to renew their annual contract worth $120,000. Without a clear decision rule, your team faces a dilemma:
Say no and risk losing the client?
Say yes and potentially set a bad precedent or violate margin requirements?
Wait for you and frustrate the client?
With a documented authority matrix, the Head of Sales knows they can offer up to 15%, and anything above requires the COO. The COO can then make the call within their authority, keeping both the relationship and the organization’s interests protected.
Combine Decision Rules with Incident Response Plans
Your response plan should cover scenarios like:
Major security incidents while you’re away
Client emergencies or service outages
Employee issues requiring immediate action
Threats to business operations
For regulated industries (finance, healthcare), ensure decision rights align with formal roles and comply with legal requirements. Informal habits like “everyone just asks the founder” won’t satisfy auditors or protect your company.
Step 5 – Train, Test, and Run “Owner-Free” Drills
Protocols that exist only on paper don’t work. They need to be practiced like fire drills. Conducting drills is a way to prepare the team to run operations without the owner for a determined period. Cross-training staff helps ensure work continues even if someone is sick or absent.
Implementing these training and testing practices is crucial for effective business continuity. Training is not just about compliance; it’s about making sure everyone knows what to do when the unexpected happens. A well-trained workforce is the best defense against identity theft and data breaches.
Schedule “Founder-Free” Time
Commit to at least one “founder-free week” or “key person-free day” per quarter. During this time:
The designated person does not touch operations
The team runs entirely from documented playbooks
All questions must be resolved using SOPs and the vault
Someone tracks every friction point encountered
What to Test Concretely
During each drill, verify that the team can:
Send invoices on schedule without assistance
Run payroll on time using the documented process
Make urgent client decisions using the authority matrix
Access all critical systems through the vault
Follow SOPs without texting, calling, or emailing the absent person
Respond to a simulated security incident appropriately
Gather Feedback and Improve
After each drill, hold a short debrief meeting:
What worked exactly as documented?
What broke or felt unclear?
Which SOPs need updates?
What’s missing from the vault?
Use this feedback to update your documentation immediately. The goal is continuous improvement—each drill should reveal fewer gaps than the last.
Build This Into Ongoing Training
Make hit-by-a-bus procedures part of your company culture:
Include vault access and key SOPs in new manager training
Train employees on decision authority during onboarding
Review protocols during annual performance conversations
Test backup people on their assigned processes quarterly
Track Readiness with a Simple Scoring System
After each drill, rate readiness using a green/yellow/red system:
Green: Process executed smoothly with no intervention
Yellow: Process completed but with friction or minor errors
Red: Process failed or required emergency contact with absent person
Track these scores over 12 months. You should see steady improvement from red/yellow toward green as your systems mature and your team builds confidence.

Step 6 – Integrate the Protocol into Your Long-Term Continuity and Succession Plan
The hit-by-a-bus protocol isn’t a one-time project—it’s the foundation of broader business continuity and succession planning.
Connect to Existing Plans
Your protocol should integrate with:
Business continuity plan (BCP): How the organization responds to major disruptions
Disaster recovery plan (DRP): Technical recovery from IT failures
Standard operating procedures: The day-to-day documentation that keeps services running
These aren’t separate documents gathering dust in different folders. They should reference each other, use consistent formats, and be stored in the same vault with the same review schedule.
Identify and Develop Successors
Beyond surviving a 30-day absence, consider who could step into key roles permanently:
Which senior operations manager could become COO within 2-3 years?
Who on your team could lead their department if the current head left?
How are you developing these people today?
Document succession candidates and their development plans alongside your hit-by-a-bus materials. This creates a clear pathway for leadership development and organizational resilience.
Address Ownership and Equity Scenarios
For founders and owners, ensure your legal documents align with operational protocols:
Buy-sell agreements: What happens to shares if you’re permanently unavailable?
Wills and estate planning: Who inherits ownership and control?
Powers of attorney: Who can make legal and financial decisions on your behalf?
Work with your attorney to ensure these documents reflect your wishes and won’t create confusion or conflict if activated.
Your 12-Month Roadmap
Days 1-90: Map and Document
Complete the single-point-of-failure audit
Document your top 10 Minimum Viable Operations
Create the initial vault structure
Define your authority matrix
Days 91-180: Build and Populate
Complete all critical SOPs
Populate the vault with all access credentials and documents
Test vault access with designated backup people
Train key personnel on their backup responsibilities
Months 7-12: Train, Test, and Refine
Run quarterly founder-free drills
Gather feedback and update documentation
Identify succession candidates for key roles
Integrate with broader business continuity and compliance requirements
Key Takeaways
The bus factor measures how many people must be unavailable for your business to fail—aim for at least 2-3 for every critical function
Minimum Viable Operations defines only what must keep running for 30 days: cash in, cash out, client delivery
Your vault centralizes all access, assets, and accounts in a secure, accessible location
Decision charters prevent bottlenecks by clarifying who can decide what within which limits
Regular drills reveal gaps before real emergencies do
This protocol forms the foundation of long-term continuity and succession planning
Take Action This Week
Building a business that survives your absence isn’t optional—it’s a core leadership responsibility. The founders who avoid this work aren’t being brave or indispensable. They’re being negligent.
Schedule your first hit-by-a-bus audit within the next 7 days. Block 90 minutes on your calendar, grab a whiteboard or spreadsheet, and answer the question: “If I disappeared for 30 days, what stops completely?”
Start there. Then work through the remaining steps over the next 90 days. Your team, your customers, your family, and your future self will thank you for building something that can thrive—even in your absence.


