A practical guide for crypto founders, COOs, and risk managers on identifying single points of failure in people, private keys, and institutional knowledge, and building a key man risk plan that keeps your firm operational when critical individuals are unavailable.
Why Key Man Risk Hits Crypto Firms Harder Than Traditional Companies
In December 2018, Gerald Cotten, the CEO of Canadian crypto exchange QuadrigaCX, died while travelling in India. The problem? He was reportedly the only person with access to the exchange’s cold wallet private keys.
The result: approximately $190 million in customer funds became permanently inaccessible. The exchange filed for creditor protection months later, and thousands of customers lost their savings.
This is not a theoretical risk exercise. This is what happens when a crypto firm has no key man risk plan.
Traditional companies face key person dependencies too. A visionary CEO leaves, a top salesperson retires, a lead engineer gets poached. It hurts, but the firm usually survives. In crypto, the consequences are fundamentally different.
When a key individual holds sole access to cryptographic private keys, controls multi-signature wallet quorums, or is the only person who understands a proprietary smart contract architecture, their sudden absence does not just disrupt operations.
It can permanently destroy assets and collapse the entire business. The operational risk management process that works for a bank or a manufacturer needs significant adaptation for this industry.
According to Chainalysis’s 2025 regulatory round-up, over $3.4 billion in cryptocurrency was stolen during 2025, with at least $2 billion attributed to North Korea-linked actors.
The FDIC, OCC, and Federal Reserve’s July 2025 joint statement on crypto-asset safekeeping explicitly highlighted the need for governance expertise, contingency planning, and incident response protocols at every level of the enterprise. Key man risk sits at the centre of all three.
What Is Key Man Risk in a Crypto Context?
Key man risk (also called key person risk or key person dependency) is the exposure an organisation faces when critical knowledge, authority, relationships, or access rights are concentrated in a single individual or a small, non-redundant group.
In a standard risk management process, you would assess this under operational risk. In crypto, it cuts across operational, technology, custody, compliance, and strategic risk categories simultaneously.
Crypto firms face a unique amplification of key man risk across several dimensions:
| Risk Dimension | Traditional Company Impact | Crypto Firm Impact |
|---|---|---|
| Private Key Access | N/A (bank accounts have institutional controls) | Permanent, irrecoverable loss of assets if the sole keyholder is unavailable |
| Multi-Sig Wallet Quorum | Board signing authority can be reassigned | If key signers leave and the quorum cannot be met, funds are frozen indefinitely |
| Smart Contract Knowledge | Software can be reverse-engineered or rewritten | Immutable contracts with undocumented logic can become permanent liabilities |
| Regulatory Relationships | Replaceable with new counsel | Jurisdictional licences may be personally tied to named compliance officers |
| Investor/LP Confidence | Gradual erosion over time | Immediate redemption triggers and liquidity crises in fund structures |
As Request Finance’s crypto risk management framework notes, operational risk in crypto includes treasury processes, key man risks, governance failures, and cybersecurity breaches, all of which can severely impact cash flows and business continuity.
The BPM compliance and risk management guide similarly emphasises segregation of duties and access control protocols as foundational controls.
Step-by-Step: How to Build a Key Man Risk Plan for Your Crypto Firm
The framework below aligns with ISO 31000 risk management principles and ISO 22301 business continuity management standards, adapted for the specific operational realities of crypto firms. If you need a broader understanding of business continuity concepts, see our guide on Business Continuity Planning.
Step 1: Identify Your Key Persons and Their Risk Concentrations
Start by mapping every individual in your firm who holds one or more of the following:
- Sole or critical access to private keys, seed phrases, or hardware wallets
- Signing authority in multi-signature wallet configurations (e.g., membership in a 2-of-3 or 3-of-5 quorum)
- Exclusive knowledge of smart contract architecture, deployment keys, or admin functions
- Primary regulatory relationships (named compliance officer, money transmitter licence holder)
- Sole custody of critical vendor or exchange relationships
- Irreplaceable technical expertise (blockchain protocol development, cryptographic implementations)
- Decision-making authority for treasury management, staking, DeFi positions, or liquidity pools
For each identified person, document what they control, who else knows what they know, and what happens if they are unavailable for 24 hours, 7 days, 30 days, or permanently.
Use a dependency register format that maps person to function to impact. Our risk register elements guide provides a template structure you can adapt.
Step 2: Conduct a Business Impact Analysis (BIA) on Key Person Scenarios
A BCP risk assessment should quantify the impact of each key person’s unavailability. For crypto firms, this BIA must go beyond standard revenue-loss calculations to include:
- Asset accessibility: Can the firm access its treasury, hot wallets, cold storage, and staking positions without this person?
- Transaction continuity: Can the firm execute trades, process customer withdrawals, or manage DeFi positions?
- Regulatory compliance: Can the firm continue to meet AML/KYC obligations, file required reports, and maintain licence conditions?
- Smart contract administration: Can the firm upgrade, pause, or interact with deployed contracts?
- Incident response: Can the firm respond to a security breach, hack, or exploit without this person?
Set Recovery Time Objectives (RTOs) for each critical function. In crypto, the MTPD (Maximum Tolerable Period of Disruption) for wallet access is often measured in hours, not days.
A hot wallet that cannot process withdrawals for 48 hours will trigger customer panic, regulatory scrutiny, and reputational damage that compounds exponentially. The CoinCover business continuity guide provides an excellent breakdown of crypto-specific BIA considerations.
Step 3: Eliminate Single Points of Failure in Cryptographic Access
This is where crypto key man risk planning diverges most sharply from traditional business continuity. You need technical controls that make it structurally impossible for one person’s absence to lock out the firm from its own assets.
Multi-Signature Wallets
Implement multi-signature (multisig) wallet configurations for all material holdings. A 3-of-5 configuration means five key holders exist, and any three can authorise a transaction. According to BitGo’s 2025 data, the enterprise multisig wallet market reached $1.27 billion in 2024 and is projected to reach $4.37 billion by 2033, with enterprise deployments growing 47% year-over-year to 9 million wallets.
This is no longer optional infrastructure. Configure your quorum so that no single individual’s absence breaks the signing threshold. As Chainlink’s multisig guide explains, this eliminates single points of failure while maintaining operational efficiency.
Multi-Party Computation (MPC)
For firms requiring more flexibility, MPC wallets split the signing key into multiple encrypted shares distributed across parties. No single share is meaningful alone, and the complete key never exists in one location, not even at signing time.
This approach works across all blockchains without requiring specific smart contract support. Cobo’s comprehensive comparison of multisig versus MPC can help you choose the right approach for your operational model.
Hardware Security Modules (HSMs) and Geographically Distributed Backups
Store key shares or backup seed phrases in geographically distributed, tamper-resistant hardware security modules. Ensure at least two physically separate locations with independent access controls.
Your disaster recovery plan should document the exact procedures for accessing backup keys under emergency conditions, including who has physical access, what authentication is required, and what legal authorisations are needed.
Step 4: Build Succession Plans and Cross-Training Programs
Technical controls handle cryptographic access. Succession planning handles everything else: institutional knowledge, relationships, decision-making authority, and operational expertise.
For each key person identified in Step 1, build a succession profile:
| Succession Element | Minimum Standard | Best Practice |
|---|---|---|
| Named successor | One identified backup per key role | Two backups per role with rotating responsibilities |
| Knowledge transfer | Documented procedures stored securely | Quarterly cross-training sessions with hands-on practice |
| Authority delegation | Board resolution enabling emergency authority transfer | Pre-authorised delegation matrix with tiered escalation |
| Relationship continuity | Introduction to key regulators, auditors, and partners | Joint meeting attendance and dual-contact relationships |
| Smart contract documentation | Commented code with deployment records | Full architecture docs, test environments, and deployment playbooks |
The Verified Metrics key man risk guide offers practical succession planning templates you can adapt. For crypto-specific succession, also document DeFi protocol positions, staking validator configurations, and any time-locked smart contract interactions that require specific knowledge to manage.
Step 5: Secure Key Man Insurance Coverage
Key man insurance (key person insurance) pays a death or disability benefit to the company, not the individual, providing financial runway to recruit replacements, manage transition costs, and cover revenue gaps. For crypto firms, consider:
- Life and disability coverage on founders, CTO/lead engineers, and any individual whose absence would trigger fund redemptions or regulatory issues
- Coverage amounts that reflect not just replacement costs but potential asset losses during transition periods
- Policy structures that account for the global, often distributed nature of crypto teams
As Key Person Insurance notes for hedge funds, investors should verify that any fund they invest in carries key man life and disability insurance on its key investment decision-makers.
Many institutional investors and limited partners now require this as a condition of investment. The Founder Shield crypto risk management roadmap similarly identifies key man insurance as part of foundational risk treatment for crypto companies.
Step 6: Implement Governance Controls and Segregation of Duties
Good governance reduces key man risk structurally. Implement:
- Segregation of duties: No single person should be able to initiate, approve, and execute a crypto transaction. The Three Lines Model (management controls, risk/compliance oversight, independent audit) applies directly. See our operational risk management guide for framework details.
- Transaction limits: Set thresholds that require escalating numbers of approvers. Single-person authority should be limited to clearly defined, low-value operational transactions.
- Documented policies: Ensure all key procedures, from wallet access protocols to smart contract deployment processes, are documented, version-controlled, and accessible to authorised personnel. Align these with a comprehensive risk management policy that covers operational, compliance, and strategic risks.
- Regular access reviews: Quarterly reviews of who holds what access, with immediate revocation procedures for departing personnel. This includes not just system access but physical access to hardware wallets, HSMs, and backup locations.
Step 7: Test, Exercise, and Update
A key man risk plan that has never been tested is a document, not a plan. Schedule:
- Tabletop exercises: Quarterly scenario walkthroughs, such as “The CTO is hospitalised and unresponsive. Walk me through the next 48 hours.” Test whether backups can actually access what they need, sign what needs signing, and make the decisions that need making.
- Live recovery drills: Semi-annually, have the backup team execute actual (test-network) transactions using backup keys and documented procedures. Identify gaps between documentation and reality.
- Plan updates: After every exercise, personnel change, or significant business change (new wallet infrastructure, new DeFi positions, regulatory changes), update the plan. The risk management lifecycle is continuous, not a one-time project.
VeChain Foundation pioneered one of the first cryptocurrency disaster recovery plans, audited by PwC, which included multi-stage recovery procedures, pre-authorisation processes, and regular exercise testing. This remains a benchmark for the industry.
Key Risk Indicators (KRIs) to Monitor
Build a dashboard that tracks key man risk exposure on an ongoing basis. For guidance on building effective KRIs, see our best key risk indicators guide and KRI examples for banks, both of which can be adapted for crypto firms.
| KRI | Threshold (Green) | Amber | Red |
|---|---|---|---|
| Single-person wallet access concentration | 0% of wallets with sole access | 1-5% | >5% of wallets accessible by only one person |
| Multisig quorum redundancy ratio | Quorum achievable with 2+ member absences | 1 absence tolerance | No absence tolerance (quorum = total signers) |
| Key role succession coverage | 100% of critical roles have tested backups | 75-99% | <75% coverage |
| Cross-training completion rate | All critical functions cross-trained | Partial gaps | Critical functions with no backup knowledge |
| Days since last recovery drill | <90 days | 90-180 days | >180 days since last test |
| Key man insurance coverage ratio | 100% of critical personnel covered | Partial coverage | No coverage in place |
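As an added example (not from the article or any of the vendors it cites), the Python below models the Step 1 dependency register as a list of wallets with M-of-N quorums, computes the two cryptographic-access KRIs from the table above using its thresholds, lists the people whose individual absence would freeze a wallet (the Step 3 single points of failure), and answers the Step 7 tabletop question “these people are unavailable; which wallets are frozen?” The wallet names, signers and thresholds are constructed sample data.

```python
from dataclasses import dataclass


@dataclass
class Wallet:
    name: str
    signers: list   # people holding a key or key share for this wallet
    threshold: int  # M in an M-of-N quorum; 1 with one signer = sole access


# Constructed sample register (hypothetical names and wallets).
SAMPLE_REGISTER = [
    Wallet("treasury-cold", ["alice", "bob", "carol", "dan", "eve"], 3),
    Wallet("hot-ops", ["alice", "bob", "carol"], 2),
    Wallet("legacy-exchange", ["carol"], 1),
]


def absence_tolerance(w: Wallet) -> int:
    """Signers that can be unavailable at once while a quorum is still reachable."""
    return len(w.signers) - w.threshold


def single_points_of_failure(wallets):
    """Map each person to the wallets that become unreachable if only they are absent."""
    spof = {}
    for w in wallets:
        for person in w.signers:
            if len(w.signers) - 1 < w.threshold:
                spof.setdefault(person, []).append(w.name)
    return spof


def frozen_wallets(wallets, absent):
    """Tabletop check: wallets whose quorum cannot be met with `absent` people unavailable."""
    return [w.name for w in wallets
            if sum(p not in absent for p in w.signers) < w.threshold]


def kri_concentration(wallets):
    """KRI: % of wallets with sole access. Green 0%, amber 1-5%, red >5% (table above)."""
    pct = round(100.0 * sum(len(w.signers) == 1 for w in wallets) / len(wallets), 1)
    status = "green" if pct == 0 else ("amber" if pct <= 5 else "red")
    return pct, status


def kri_quorum_redundancy(wallets):
    """KRI: worst-case absence tolerance. Green >=2 absences, amber 1, red 0 (table above)."""
    worst = min(absence_tolerance(w) for w in wallets)
    status = "green" if worst >= 2 else ("amber" if worst == 1 else "red")
    return worst, status


if __name__ == "__main__":
    print("sole-access concentration:", kri_concentration(SAMPLE_REGISTER))
    print("quorum redundancy:", kri_quorum_redundancy(SAMPLE_REGISTER))
    print("single points of failure:", single_points_of_failure(SAMPLE_REGISTER))
    print("frozen if alice and bob absent:", frozen_wallets(SAMPLE_REGISTER, {"alice", "bob"}))
```

Re-running the checks after migrating the sole-access wallet to a 2-of-3 quorum is a quick way to confirm that a remediation actually moves the KRI out of red.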
The Regulatory Push: Why This Matters Now
Regulators are closing in on key man risk in crypto. The Greenberg Traurig analysis of the July 2025 federal banking guidance confirmed that banking organisations engaging in crypto safekeeping must demonstrate effective governance and subject-matter expertise across all levels of the enterprise, with contingency planning and incident response protocols as baseline expectations.
The Fireblocks 2025 policy review notes that 2026 will see substantive rulemaking across the U.S., EU (MiCA), UK, Japan, and multiple emerging market jurisdictions, with custody arrangements and key management practices receiving increasing supervisory scrutiny.
For EU-regulated firms, MiCA’s governance requirements explicitly require sound administrative and accounting procedures, internal control mechanisms, and continuity arrangements.
In the U.S., the SEC’s Project Crypto initiative and the CFTC’s “crypto sprint” both signal a shift from enforcement-only oversight to principles-based frameworks that expect firms to demonstrate robust risk management, including people-risk management.
The bottom line: regulators will increasingly ask crypto firms, “What is your key man risk plan?” Having one is moving from best practice to regulatory expectation.
Common Mistakes to Avoid
- Treating key man risk as an HR problem only. In crypto, it is simultaneously a custody risk, technology risk, compliance risk, and business continuity risk. Address it across all domains.
- Relying on “dead man’s switch” mechanisms without testing. Time-locked recovery mechanisms and social recovery schemes sound elegant in theory. In practice, they introduce complexity that can itself become a source of failure. Test them.
- Documenting procedures but not training people. A 50-page key management manual is useless if the backup team has never actually used it under pressure. Conduct hands-on training, not just document distribution.
- Ignoring emotional and psychological factors. Founders resist succession planning because it forces them to confront their own replaceability. Frame it as investor protection and regulatory compliance, not personal inadequacy.
- Underinsuring or not insuring at all. Key man insurance is relatively inexpensive compared to the potential loss exposure. Many crypto VCs and institutional LPs now require it as a condition of investment.
Your Action Plan: Start This Week
Day 1-3: Identify every key person and their risk concentrations using the framework in Step 1. Map cryptographic access, institutional knowledge, and regulatory dependencies.
Week 1-2: Conduct a BIA for each key person scenario. Set RTOs for wallet access, transaction processing, and compliance functions.
Week 2-4: Implement multi-sig or MPC wallet configurations that eliminate single points of failure. Ensure quorum can be met with at least one key person absent.
Month 2: Build succession profiles, begin cross-training, and source key man insurance quotes.
Month 3: Conduct your first tabletop exercise. Test backup access, decision-making, and communication under simulated key person unavailability.
Ongoing: Monitor KRIs monthly. Update the plan quarterly. Exercise semi-annually. Review annually with the board.
For a broader framework on building your crypto firm’s resilience, see our guides on business continuity planning for small cryptocurrency firms and the essential risk management process flow chart. And for enterprise-level cybersecurity integration, our enterprise risk management cyber security guide provides the holistic view.
Related Articles from Risk Publishing
- Business Continuity Plan for Cryptocurrency
- Business Continuity Plan for Small Cryptocurrency Firms
- Operational Risk Management Process
- BCP Risk Assessment
- Key Components of a Risk Management Policy
- Key Elements of a Risk Register
- Best Key Risk Indicators
- Risk Management Lifecycle
- Enterprise Risk Management Cyber Security
- Essential Risk Management Process Flow Chart
External Sources and Further Reading
- Chainalysis: 2025 Crypto Regulatory Round-Up
- FDIC Joint Statement on Crypto-Asset Safekeeping Risk Management (2025)
- Greenberg Traurig: Federal Banking Regulators Guidance on Crypto-Asset Safekeeping
- Fireblocks: 5 Key Digital Asset Policy Changes in 2025
- BPM: Crypto Compliance & Risk Management Strategies
- Request Finance: Crypto Risk Management Framework
- CoinCover: Business Continuity Planning for Institutional Crypto Assets
- BitGo: What Is a Multi-Signature Wallet?
- Chainlink: Multi-Signature Wallets Guide
- Cobo: Multisig Wallet Complete Guide
- Verified Metrics: Key Man Risk Guide
- Key Person Insurance: Key Man Risk in Hedge Funds
- Founder Shield: Crypto Risk Management Roadmap
- VeChain: First Cryptocurrency Disaster Recovery Plan (PwC audited)
- Medium: BCP, Key-Person Risk Lessons from QuadrigaCX

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
