Business Continuity for Small Business: Your 'Hit by a Bus' Plan

The Question Nobody Wants to Ask

Here is the question: what happens to your business if you get hit by a bus?

It is a crude way to frame it, and the software industry has been using this phrase for decades. They call it the "bus factor" — the number of people who would need to be suddenly unavailable before a project or business grinds to a halt. A bus factor of 1 means a single absence could stop everything.

For most small businesses I work with across Volusia County, the bus factor is 1 — and that single person is usually the owner.

That does not mean you need to be paranoid. It means you need to be prepared. The difference between a business that survives a crisis and one that does not almost always comes down to documentation and access. Not luck. Not size. Not revenue. Just whether someone wrote things down and made sure more than one person could get to them.

A Deltona restaurant owner I consulted with put it perfectly: "I thought I was building a business. Turns out I was building a job that only I could do." That realization prompted him to spend a weekend documenting every process, from how to place produce orders to where the insurance documents lived. Six months later, when he had an emergency appendectomy, his team ran the restaurant for two weeks without a single missed order.

What Is a 'Bus Factor'? (And Why Yours Is Probably 1)

The bus factor originated in software engineering at the University of Paris. Researchers studied open source projects and found that many critical codebases depended entirely on a single contributor. If that contributor disappeared, the entire project stalled. They quantified this as the "bus factor" — technically the minimum number of developers whose departure would halt a project.

For small businesses, the concept translates directly. Think of every system your business touches: your bookkeeping software, your website, your point-of-sale system, your email, your social media, your vendor accounts. Now count how many people have access to each. If the answer is "just me" for more than two of those systems, your bus factor is 1.

Here is a quick self-assessment using a mermaid diagram that maps the decision flow:

graph TD
    A[List Critical Systems] --> B[Map Access]
    B --> C{Single Person?}
    C -->|yes| D[Single Point of Failure]
    C -->|no| E[Low Risk]
    D --> F{High Criticality?}
    F -->|yes| G[Add Backup Access]
    F -->|no| H[Document in 30 Days]
    G --> I[Test Recovery]
    H --> I
    I --> J[Quarterly Review]

The red boxes are your fire-alarm items. If any critical system has only one person who can access it, that is a vulnerability that needs immediate attention. Not next quarter. Not when you get around to it. Now.

A DeLand veterinary clinic learned this lesson the expensive way. The practice manager — the only person with admin access to their practice management software — resigned on a Friday and was unreachable by Monday. It took the clinic owner three weeks and nearly $4,000 in emergency IT consulting fees to regain full access to their own system. The fix would have taken fifteen minutes of preventive setup.

The Five Things That Disappear When You Do

When a key person suddenly becomes unavailable, five categories of knowledge typically vanish with them. Understanding these categories is the first step toward protecting against them.

1. Access credentials. Passwords, PINs, security questions, two-factor authentication devices. If the only copy of your QuickBooks password lives in one person's head, that person is a single point of failure for your entire financial operation.

2. Process knowledge. The step-by-step procedures for daily tasks that have never been written down. How to close out the register. How to process a return. How to run payroll. How to reorder inventory. A Daytona Beach retail store owner once told me, "My morning routine takes forty-five minutes and involves eleven different apps. Nobody else in the company even knows what those eleven apps are."

3. Relationship context. Which vendor gives you the bulk discount if you mention the owner's name. Which client prefers email over phone calls. Which supplier has a thirty-day grace period that is not in the contract. This institutional knowledge often matters more than people realize — until it is gone.

4. Financial access. Bank accounts, credit cards, payment processors, tax documents. In Florida, a business bank account often requires specific signatories, and adding new ones can take weeks if the original signatory is unavailable. A Port Orange landscaping company discovered this when the owner had a health emergency — they could not access their operating account for nine days, missing payroll by three days and nearly losing their entire crew.

5. Technical infrastructure. Domain registrar logins, hosting credentials, SSL certificates, API keys, DNS settings. If your website goes down and nobody can access the hosting dashboard, you are losing customers every minute it stays offline. I have seen this happen to three Volusia County businesses in the past year alone.

The good news: every one of these five categories can be documented, backed up, and made accessible to a trusted second person. The bad news: most business owners do not do it until after the crisis hits.

Step 1: Audit Your Key Person Risk

Before you can fix the problem, you need to see the problem. That means running an access audit — mapping every critical system to every person who can access it and identifying the single points of failure.

Here is a Python script that does exactly that. It is stdlib only, meaning it runs on any machine with Python installed — no packages to install, no accounts to create.

#!/usr/bin/env python3
"""
Business Continuity Access Audit
Identifies key person risk by mapping who has access to what.
No dependencies — Python 3.8+ stdlib only.
"""
 
import json
import datetime
 
SYSTEMS = {
    "QuickBooks Online": {
        "access": ["owner"],
        "criticality": "high",
        "category": "finance"
    },
    "Domain Registrar": {
        "access": ["owner"],
        "criticality": "high",
        "category": "infrastructure"
    },
    "Google Workspace Admin": {
        "access": ["owner", "office_manager"],
        "criticality": "high",
        "category": "communication"
    },
    "Website CMS": {
        "access": ["owner", "marketing"],
        "criticality": "medium",
        "category": "marketing"
    },
    "Social Media Accounts": {
        "access": ["marketing"],
        "criticality": "medium",
        "category": "marketing"
    },
    "Vendor Portal": {
        "access": ["owner", "operations"],
        "criticality": "medium",
        "category": "operations"
    },
    "POS System": {
        "access": ["owner", "shift_lead"],
        "criticality": "high",
        "category": "sales"
    },
    "Payroll System": {
        "access": ["owner"],
        "criticality": "high",
        "category": "finance"
    }
}
 
def audit_access(systems):
    report = {
        "generated": datetime.datetime.now().isoformat(),
        "total_systems": len(systems),
        "risks": [],
        "summary": {}
    }
 
    person_count = {}
    single_access = []
 
    for system, info in systems.items():
        for person in info["access"]:
            person_count[person] = person_count.get(person, 0) + 1
 
        if len(info["access"]) == 1:
            single_access.append({
                "system": system,
                "sole_accessor": info["access"][0],
                "criticality": info["criticality"],
                "category": info["category"]
            })
 
    bus_factor_1 = [s for s in single_access if s["criticality"] == "high"]
 
    report["risks"] = single_access
    report["high_risk_count"] = len(bus_factor_1)
    report["summary"] = {
        "person_system_counts": person_count,
        "single_point_failures": len(single_access),
        "high_criticality_spof": len(bus_factor_1),
        "bus_factor_rating": "CRITICAL" if len(bus_factor_1) >= 3 else
                            "WARNING" if len(bus_factor_1) >= 1 else "OK"
    }
 
    return report
 
if __name__ == "__main__":
    report = audit_access(SYSTEMS)
    print("=" * 60)
    print("BUSINESS CONTINUITY ACCESS AUDIT")
    print("=" * 60)
    print(f"\nGenerated: {report['generated']}")
    print(f"Systems audited: {report['total_systems']}")
    print(f"\nBus Factor Rating: {report['summary']['bus_factor_rating']}")
    print(f"Single points of failure: {report['summary']['single_point_failures']}")
    print(f"HIGH criticality SPOFs: {report['summary']['high_criticality_spof']}")
 
    if report["risks"]:
        print("\n--- SINGLE POINT OF FAILURE RISKS ---")
        for risk in report["risks"]:
            flag = " *** HIGH RISK ***" if risk["criticality"] == "high" else ""
            print(f"  {risk['system']}: only {risk['sole_accessor']} has access "
                  f"[{risk['criticality']}]{flag}")
 
    print("\n--- ACCESS DISTRIBUTION ---")
    for person, count in sorted(report["summary"]["person_system_counts"].items(),
                                 key=lambda x: -x[1]):
        print(f"  {person}: {count} system(s)")

Customize the SYSTEMS dictionary with your own business systems. Add or remove entries, adjust who has access, and set the criticality level. Then run it. The output will show you exactly where your single points of failure are.

When I ran a version of this script for a Deltona medical billing company, the results were sobering: seven out of ten critical systems had a bus factor of 1, all pointing to the same person — the office manager who had been with the company for twelve years. Nobody had ever questioned it because she was reliable. But reliable and irreplaceable are not the same thing, and the company had been confusing the two for over a decade.

Step 2: Document What Lives in Someone's Head

Once you know where your vulnerabilities are, the next step is extracting the knowledge that currently lives only in people's heads and putting it into a format that someone else can actually use.

The key principle is simple: could a reasonably competent person follow this document and complete the task without calling anyone for help? If the answer is no, the document is not finished.

Here is what good process documentation looks like for a small business:

Format for each process:

• Process name: What is this task called?
• Frequency: Daily, weekly, monthly, as-needed?
• Current owner: Who does this now?
• Backup person: Who could do this in an emergency?
• Tools required: What software, accounts, or physical tools are needed?
• Step-by-step instructions: Numbered steps, with screenshots where helpful.
• Common problems: What goes wrong, and how do you fix it?
• Escalation: If the backup person gets stuck, who do they call?

A Daytona Beach property management company I worked with took two days to document their twenty most critical processes. The owner estimated each process would take about thirty minutes to write up. The actual average was closer to ninety minutes, because every process revealed sub-processes that nobody had ever articulated. "Close out the month" turned into a forty-seven-step procedure that involved six different platforms and two phone calls to their accountant.

The effort was worth it. Within six months, they had cross-trained two additional staff members on every critical process. When the property manager took a three-week vacation — her first real vacation in four years — the business ran without interruption.

You do not need to document everything on day one. Start with your top five highest-criticality items from the access audit. Then work through the rest at a pace of two or three processes per week. Within a month, you will have covered your most dangerous gaps.

Step 3: Automate the Documentation Trail

Here is where automation enters the picture. The hardest part of business continuity is not creating documentation — it is keeping it current. Processes change, passwords get updated, new vendors replace old ones, and within six months your carefully written documentation is obsolete.

Automation solves this in two ways. First, it can automatically track when critical changes happen — a new user added, a password changed, an account setting modified — and flag those changes for documentation updates. Second, it can run periodic audits to check whether your documentation is still complete.

If you are already using n8n for workflow automation, you can set up a quarterly audit trigger that sends your team a documentation checklist. The workflow pings each process owner with their assigned documentation and asks a simple question: "Is this still accurate?" If they do not respond within a week, it escalates to the business owner.

For a more immediate check, here is a Node.js script that scores your documentation completeness:

#!/usr/bin/env node
/**
 * Documentation Completeness Checker
 * Scores how well your business processes are documented.
 * No dependencies — runs on Node.js 18+.
 */
 
const CRITICAL_DOCS = [
  {
    name: "Password Manager Access",
    category: "security",
    weight: 10,
    question: "Is there a shared password manager with emergency access?",
  },
  {
    name: "Bank Account Access",
    category: "finance",
    weight: 10,
    question: "Can someone else access business bank accounts?",
  },
  {
    name: "Payroll Process",
    category: "finance",
    weight: 9,
    question: "Is the payroll process documented step-by-step?",
  },
  {
    name: "Client Contact List",
    category: "operations",
    weight: 8,
    question: "Is there a centralized, accessible client contact list?",
  },
  {
    name: "Vendor Agreements",
    category: "operations",
    weight: 7,
    question: "Are vendor contracts and contacts documented?",
  },
  {
    name: "Website Admin Access",
    category: "infrastructure",
    weight: 8,
    question: "Can someone else update the website?",
  },
  {
    name: "Social Media Credentials",
    category: "marketing",
    weight: 5,
    question: "Are social media logins in a shared location?",
  },
  {
    name: "Insurance Policies",
    category: "legal",
    weight: 7,
    question: "Are insurance policy details documented and accessible?",
  },
  {
    name: "Emergency Contacts",
    category: "operations",
    weight: 9,
    question: "Is there a current emergency contact list?",
  },
  {
    name: "Daily Operations Runbook",
    category: "operations",
    weight: 8,
    question: "Could someone run daily operations from written docs alone?",
  },
];
 
function assessReadiness(responses) {
  const maxScore = CRITICAL_DOCS.reduce((sum, doc) => sum + doc.weight, 0);
  let earnedScore = 0;
  const gaps = [];
  const covered = [];
 
  CRITICAL_DOCS.forEach((doc, i) => {
    const documented = responses[i] || false;
    if (documented) {
      earnedScore += doc.weight;
      covered.push(doc.name);
    } else {
      gaps.push({ name: doc.name, weight: doc.weight, question: doc.question });
    }
  });
 
  const pct = Math.round((earnedScore / maxScore) * 100);
  let grade;
  if (pct >= 90) grade = "A — Excellent";
  else if (pct >= 75) grade = "B — Good";
  else if (pct >= 50) grade = "C — Needs Work";
  else if (pct >= 25) grade = "D — At Risk";
  else grade = "F — Critical Risk";
 
  return { earnedScore, maxScore, pct, grade, gaps, covered };
}
 
// Simulate a typical small business
const sampleResponses = [
  false,
  false,
  false,
  true,
  false,
  true,
  true,
  false,
  true,
  false,
];
 
const result = assessReadiness(sampleResponses);
console.log("=".repeat(60));
console.log("DOCUMENTATION COMPLETENESS AUDIT");
console.log("=".repeat(60));
console.log(
  `\nScore: ${result.earnedScore}/${result.maxScore} (${result.pct}%)`,
);
console.log(`Grade: ${result.grade}`);
console.log(`\nDocumented (${result.covered.length}/${CRITICAL_DOCS.length}):`);
result.covered.forEach((name) => console.log(`  [x] ${name}`));
console.log(`\nGAPS (${result.gaps.length} items — fix these first):`);
result.gaps
  .sort((a, b) => b.weight - a.weight)
  .forEach((gap) => {
    console.log(`  [ ] ${gap.name} (priority: ${gap.weight}/10)`);
    console.log(`      ${gap.question}`);
  });

Edit the sampleResponses array to match your actual situation — true if documented, false if not. The script will score you, grade you, and tell you exactly where to focus first, sorted by priority.

The typical small business scores between 25% and 40% on their first run. That is not a failure — it is a starting point. The businesses that actually improve are the ones that run this check quarterly and track their score over time.

Step 4: Set Up Access Continuity

Documentation without access is useless. If your backup person has the runbook but cannot log into the systems described in the runbook, the plan falls apart in the first five minutes.

Access continuity means ensuring that at least two people can get into every critical system. Here is the practical approach:

Use a shared password manager. Tools like 1Password for Teams, Bitwarden, or LastPass Business let you share credentials securely without texting passwords around. Set up an emergency access feature — most password managers offer this — so a designated person can request access if the primary user becomes unavailable. The emergency access request typically has a waiting period (24-72 hours) that the primary user can deny, preventing misuse while still enabling emergency recovery.

Designate a digital executor. This is the person who gets access to everything if you are incapacitated. For small businesses in Florida, this should be documented alongside your legal documents. Some Volusia County business attorneys now include digital asset provisions in operating agreements — ask yours about it.

Set up succession for two-factor authentication. This is the one most people miss. You have a shared password manager, great. But if the 2FA codes are on someone's personal phone, the shared password is worthless. Use a team-accessible authenticator or backup codes stored in a sealed envelope at your attorney's office.

Create a master access document. One page that lists every system, the login URL, the username format, and where the password lives in the shared vault. Keep it updated quarterly. A DeLand accounting firm I work with keeps this document in two places: their password manager and a printed copy in a fireproof safe at the senior partner's home.

An Ormond Beach HVAC company took this step after a close call — the owner was hospitalized for a week, and the office manager spent three days contacting various vendors just to get password resets for critical systems. After implementing a shared password manager and emergency access protocols, the same disruption would now take fifteen minutes to recover from instead of three days.

Step 5: Test Your Plan (The Fire Drill)

A business continuity plan that has never been tested is just a collection of good intentions. You need to run a fire drill.

The concept is simple: pick a day where the key person steps away entirely — no phone calls, no texts, no "just one quick question." The backup person runs the show using only the documentation. Every point of confusion, every missing step, every locked account gets logged as a gap to fix.

Here is a practical fire drill schedule:

Month 1: The owner takes a full day off. The designated backup handles everything using only the written documentation. Log every question that comes up.

Month 3: The owner takes a three-day weekend. No contact. The backup runs operations and logs gaps. Revise documentation based on what they find.

Month 6: The owner takes a full week off. This is the real test. If the business survives a week without the key person touching anything, your continuity plan is working.

A Deltona fitness studio owner ran this exact progression. During the month-one test, her manager called her seventeen times. After documenting the answers to all seventeen questions and updating the runbook, the month-three test produced only two calls. By month six, the manager ran the studio for a full week without any contact. The owner described that week as "the first time I felt like I owned a business instead of a job."

The fire drill also reveals something most owners do not expect: it shows you which processes are unnecessarily complex. When you force someone else to follow your procedures, the convoluted steps that "make sense to you" get exposed. A Daytona Beach e-commerce business discovered during their fire drill that their end-of-day reconciliation process had fourteen steps that could be reduced to five with a simple spreadsheet formula. The continuity exercise actually improved their daily operations.

Real Businesses, Real Wake-Up Calls

The statistics on small business continuity are brutal. According to FEMA, roughly 40% of small businesses never reopen after a disaster. But what most people miss is that "disaster" does not have to mean a hurricane or a fire. For small businesses, the most common disruption is simply losing a key person — temporarily or permanently.

A Port Orange dental practice had the classic setup: the office manager of fifteen years handled everything from insurance billing to supply ordering to patient scheduling templates. When she retired with only two weeks' notice, the practice spent four months recovering. Revenue dropped 30% during the transition because nobody else understood the insurance billing codes and the negotiated rates with each provider. The knowledge walked out the door with her.

Contrast that with a Deltona auto repair shop that had implemented a continuity plan the year before their lead mechanic left for a competitor. Because every diagnostic process, every vendor relationship, and every warranty procedure was documented and cross-trained, the transition took two weeks instead of four months. They did not lose a single customer.

The difference was not budget, technology, or industry. It was preparation. One business treated knowledge as something that lived in people's heads. The other treated it as an asset that belonged to the business.

For businesses in hurricane-prone areas like Volusia County, continuity planning serves double duty. The same documentation that protects you from key person risk also protects you from weather events, power outages, and facility damage. When Hurricane Ian disrupted operations across Central Florida, the businesses that recovered fastest were overwhelmingly the ones that had already documented their processes and set up remote access to critical systems — not because of the hurricane, but because they had already done the key person continuity work.

The Tools That Make This Easier

You do not need expensive enterprise software to build a functional continuity plan. Here are the tools that work well for small businesses:

For documentation: Google Docs or Notion. Free tiers are sufficient. The key is that documents are cloud-based (accessible from anywhere) and shareable (accessible by more than one person). Avoid storing critical documentation only on a local computer.

For passwords: 1Password for Teams ($4/user/month), Bitwarden ($3/user/month), or LastPass Business ($6/user/month). Any of these work. The best one is whichever one your team will actually use.

For automated reminders: If you are already using n8n for automation, set up a quarterly workflow that sends documentation review reminders. If you are not using n8n yet, even a recurring Google Calendar event works. The point is that documentation review happens on a schedule, not "when someone remembers."

For backup verification: Follow the 3-2-1-1-0 rule that IT professionals now recommend: three copies of critical data, stored on two different media types, one copy off-site, one copy offline (air-gapped), and zero unverified backups. That last zero is the one most small businesses skip. Run a test restore at least quarterly to verify your backups actually work.

For key person insurance: Talk to your insurance broker about key person life and disability policies. In Volusia County, these typically run $100-300 per month depending on coverage amounts and the health of the insured individual. The policy proceeds buy your business time — time to hire, time to train, time to transition — rather than forcing an immediate shutdown.

If you need help building a continuity plan or running a formal access audit, our IT consulting services include business continuity assessments tailored for small businesses. We also have an employee onboarding automation playbook that overlaps significantly with continuity documentation — if you have built one, you are halfway to the other.

Custom-Built for Volusia County: We work with small businesses across Deltona, Daytona Beach, Port Orange, DeLand, Ormond Beach, and New Smyrna Beach on continuity planning and IT automation. Our IT consulting in Deltona specializes in helping local businesses eliminate key person risk through documentation, cross-training, and smart automation. Schedule a continuity audit and find out your bus factor score in thirty minutes.

FAQ: Business Continuity for Small Business

What is a business continuity plan for small business?

A business continuity plan documents how your business will keep operating if key people, systems, or facilities become unavailable. For small businesses, it means writing down every process that currently lives in one person's head — passwords, vendor contacts, daily procedures — so the business can survive any disruption.

What is a bus factor and why does it matter?

The bus factor measures how many team members would need to be suddenly unavailable before a critical business function stops entirely. A bus factor of 1 means one person's absence would halt that function. Most small businesses have a bus factor of 1 for their most critical systems, which is extremely risky.

How much does a business continuity plan cost?

For small businesses, creating a basic continuity plan costs nothing beyond time. The audit scripts in this article are free. Key person insurance typically costs $100-300 per month depending on coverage. Professional continuity consulting in Volusia County runs $2,000-5,000 for a full assessment and documentation package.

How often should I update my business continuity plan?

Review your plan quarterly and update it whenever you add new systems, change vendors, hire or lose team members, or change any critical process. Set a calendar reminder — outdated continuity plans are nearly as dangerous as having no plan at all.

What is the difference between business continuity and disaster recovery?

Disaster recovery focuses specifically on restoring IT systems and data after a technical failure — servers crash, data gets corrupted, ransomware hits. Business continuity is broader: it covers everything needed to keep the business functioning, including people, processes, physical locations, and vendor relationships, not just technology.

Your business is too valuable to be a single point of failure. Start with the audit script above, run the documentation checker, and schedule your first fire drill. The best time to build a continuity plan was five years ago. The second-best time is today.