The Number That Should Concern Every Acquirer
70 to 75 percent of acquisitions fail to deliver expected returns.
That figure comes from Lev and Gu's rigorous analysis of 40,000 deals over 40 years, published in The M&A Failure Trap (Wiley, 2024). It is one of the most substantiated statistics in corporate finance.
Most of those deals did not fail because the numbers were wrong. The financial due diligence was thorough. The legal team reviewed every contract. The price was fair. They failed because the business could not function once the people who actually ran it were no longer in the room.
This is key-person risk. And in founder-led mid-market businesses, it is consistently the least priced risk in the deal.
What Is Key-Person Risk?
Key-person risk is the dependency of a business on one or more individuals whose departure, incapacity, or disengagement would materially compromise the company's ability to operate or grow.
It is not about whether those individuals are good at their jobs. It is about whether the business can function without them.
This distinction matters because key-person risk is almost always underestimated in due diligence. Financial models assume continuity. Legal due diligence flags employment contracts and restraint clauses. But neither fully accounts for what happens when the knowledge, relationships, and decision-making authority that underpin the business walk out the door.
"The contracts may be with the company. The loyalty is to the individual."
Why Key-Person Risk Is So Dangerous
Key-person risk is dangerous because it is invisible on a balance sheet and difficult to price in a transaction.
A founder-led business with strong historical earnings can appear operationally sound in financial due diligence. But if the founder holds all the customer relationships, all the technical knowledge, and all the strategic decision-making capability, the business is effectively non-transferable.
Earnouts and retention agreements can delay the problem. They do not solve it. If the business has not been structured to operate independently of the key person, the value will erode once that person leaves, regardless of how well the legal documents were drafted.
Mercer's Global M&A People Risks Survey found that the greatest perceived people risk in transactions is acquiring management talent with the ability to execute on the plan. This is not a secondary concern. It sits at the centre of whether the investment thesis is deliverable.
Founder-led and family-controlled businesses frequently lack the institutional infrastructure, documented processes, and distributed decision-making that characterise more mature organisations. The result: a business that runs well as long as the founder is present, and becomes fragile the moment that dependency is tested.
Where Key-Person Risk Hides
Key-person risk does not only sit with the CEO or the founder. It can reside anywhere in the organisation where critical knowledge or relationships are concentrated in a single individual.
Customer Relationships
If the founder or a senior salesperson is the only person who speaks to the top clients, the revenue is at risk. In services businesses and B2B companies, personal relationships drive repeat business. The contracts are with the company. The loyalty is to the individual.
The test: if this person left tomorrow, would the client stay?
Technical or Domain Expertise
In businesses with complex products, proprietary processes, or specialised technical requirements, the individual who designed the system or holds the deep knowledge often becomes indispensable. If that person leaves, the company loses the ability to maintain, troubleshoot, or evolve the core offering.
Strategic Decision-Making
Some businesses have no meaningful decision-making capability outside the founder. Product development, pricing, hiring, capital allocation — all of it flows through one person. The organisation has never been required to function independently, so it never developed the capability to do so.
Regulatory or Compliance Knowledge
In financial services, healthcare, and construction, the person who understands how to navigate the regulatory environment is often a single point of failure. Lose that person, and the business loses its ability to operate within the law or to bid for regulated work.
Regulatory and Compliance Dimensions
Key-person risk can carry a further dimension in markets where the departing individual holds a position with regulatory or compliance significance. In some jurisdictions and sectors, a key person is not only operationally critical but holds a specific directorship, licence, or ownership position required for regulatory compliance or for bidding on certain categories of work. Replacing that individual may require restructuring at an ownership or governance level — a process that can take months and carries real commercial consequences.
In South African transactions, B-BBEE compliance adds this layer of complexity. A key person who holds a qualifying ownership or directorship position for B-BBEE scorecard purposes cannot simply be replaced with a direct substitute. Restructuring the compliance structure post-close can take months and will directly affect the company's ability to bid for tenders, maintain certain client relationships, and operate freely — often at exactly the moment when the new owner is trying to accelerate growth.
"Wherever a key person's exit triggers a regulatory or compliance consequence beyond the operational, that consequence must be assessed as part of due diligence, not assumed away post-close."
How to Assess Key-Person Risk in Due Diligence
Assessing key-person risk requires more than reviewing the organisational chart. It requires understanding where power, knowledge, and relationships actually sit.
Map critical functions to individuals. Identify the activities essential to the business's ability to generate revenue, serve customers, and maintain operational continuity. Determine who performs those activities and whether there is any redundancy. If a critical function is owned by one person with no backup, that is a key-person risk.
Test decision-making pathways. What decisions can be made without the founder's input? If the answer is "very few," the business is not institutionalised. A well-run business makes routine operational decisions without escalating everything to the top. This is not a criticism of the founder. It is an observation about the structure of the organisation.
Test client and supplier relationships directly. Who has spoken to the top three clients in the past six months? Who negotiates with critical suppliers? If those relationships are tied to one individual, the business is exposed.
Assess documentation and knowledge transfer. How much of the business's operational knowledge exists only in people's heads? Are processes documented? If the answer is no, the business is running on institutional memory, which is fragile by definition.
Mitigation: Beyond the Retention Agreement
Key-person risk can be mitigated, but only through deliberate action. Retention agreements and earnouts are the most common tools deployed. They are not solutions. They delay the problem.
True mitigation reduces the dependency itself.
- Knowledge transfer programmes — a multi-month process of documentation, shadowing, and structured skill transfer. Not a handover meeting.
- Client relationship transition — gradually introducing other team members into client relationships before the key person exits. The goal is to shift loyalty from the individual to the company.
- Process documentation — documenting critical processes and decision-making frameworks. If the business cannot operate from documented procedures, it is operating from memory.
- Organisational restructuring — distributing decision-making authority. Creating functional leads who can make decisions within their domains. Building redundancy into critical roles.
None of this is glamorous work. All of it is essential.
The Bottom Line
Key-person risk is the most common unpriced risk in mid-market transactions. It does not appear on the balance sheet. It is rarely flagged in legal due diligence. But it determines whether the business you are buying today will still be operationally viable in two years.
Identifying and mitigating it is one of the core functions of operational due diligence. It requires structured assessment, honest interrogation of the business's dependencies, and a deliberate plan for how those dependencies will be reduced or managed post-transaction.
Frequently Asked Questions
What is key-person risk in M&A?
Key-person risk in M&A is the operational and financial exposure that arises when a business depends on one or more individuals whose departure would materially compromise the company's ability to generate revenue, serve clients, or execute its strategy. It is the most commonly unpriced risk in mid-market transactions.
How do you identify key-person risk during due diligence?
Key-person risk is identified by mapping critical business functions to specific individuals, testing whether decisions can be made without the founder's input, reviewing who maintains client and supplier relationships, and assessing whether operational processes are documented or exist only in individuals' institutional memory.
What is the difference between key-person risk and key-man risk?
The terms are used interchangeably. "Key-man risk" is the older financial services term, typically used in the context of investment fund management. "Key-person risk" is now the broader operational due diligence term, covering business operations across all industries and functions.
How does regulatory compliance affect key-person risk?
In markets or sectors where a key person holds a position with regulatory or compliance significance — a required directorship, a professional licence, or a qualifying ownership position — their departure can trigger structural consequences beyond the operational. In South African transactions, for example, a key person who holds a B-BBEE qualifying position creates a compliance restructuring requirement on exit that can take months and affect the company's ability to bid for certain work. Equivalent risks arise in regulated industries globally wherever a licensed individual is embedded in the operation.
Can retention agreements solve key-person risk?
Retention agreements delay key-person risk, they do not eliminate it. True mitigation requires reducing the operational dependency itself through knowledge transfer programmes, client relationship transition, process documentation, and organisational restructuring.
If you found this article useful, consider sharing it with a colleague involved in M&A or private equity. It takes 30 seconds and helps us reach the practitioners who need it most.
Disclaimer: This article is for informational purposes only and does not constitute legal, financial, investment, or professional advice of any kind. The content reflects Diadem Advisory's general views on operational due diligence practice and should not be relied upon as advice specific to any transaction, business, or set of circumstances. Readers should obtain independent professional advice before making any transaction-related decisions.
AI Disclosure: This article was developed with the assistance of AI tools and reviewed and edited by Diadem Advisory. All analysis, opinions, and professional judgements are those of Diadem Advisory and reflect the firm's own experience and expertise. AI was used as a drafting and research aid only.
© 2026 Diadem Advisory. All rights reserved.