What the holiday test actually tells you about your business

TL;DR

The holiday test asks one question: can your business keep running when you step away? For founder-managed service firms with five to fifty staff, the answer surfaces concentration risk in decisions, processes, and system access. It is a practical first diagnostic for operational resilience, but it has real limits. This post explains what it reveals, where it stops short, and the moves worth making on the back of it.

Key takeaways

- The holiday test reveals whether your business can function without you by exposing gaps in decisions, processes, and system access that only become visible when the founder steps back.
- The three categories it typically surfaces are: decisions only the founder can make, work that lives in the founder's head rather than in written steps, and systems or approval rights that only one person controls.
- For FCA-regulated firms, the holiday test is a useful informal diagnostic but does not substitute for the formal operational resilience mapping and impact-tolerance testing required by 31 March 2025.
- A meaningful holiday test should run during a representative period, not the quietest week of the year, and should include stress-testing incident response, data breach handling, and supplier dependency alongside day-to-day admin.
- The practical response is to write down the five recurring decisions only you make, assign each a named deputy with a simple checklist, and test those arrangements before you travel, not after you return.

She’d been planning this trip for six months. Two weeks in Sardinia, the first proper break in three years. By day three, her operations lead had sent a message: the renewal proposal was stuck because only she had the login for the pricing tool, and the client wasn’t going to wait. She sorted it from the pool in twenty minutes and knew, from that moment, that the holiday was effectively over.

That situation has a name in business operations. It’s the holiday test, and the result told her something many founders already suspect but haven’t formally diagnosed.

What is a holiday test in business?

The holiday test is a practical diagnostic. If you step away for two weeks and the business keeps running, your decisions are documented, your key tasks are delegated, and no single person is a bottleneck. If things stall or your team messages you on the beach, you have a concentration risk. The test doesn’t fix anything. It tells you where to look.

The framing comes from operational resilience thinking, where the question is whether a firm’s services hold up when a key person is unavailable. The FCA has formalised that question for regulated firms: they must map all the people, processes, technology, facilities, and information needed to deliver each important business service, then test whether those services survive severe but plausible disruptions.

For owner-managed service firms outside regulated sectors, the holiday test does the same diagnostic job informally. A business that cannot run without its founder for a fortnight has a resilience problem that will surface eventually, whether through illness, a family emergency, or a buyer’s due diligence process. The holiday is just the first opportunity to find it on your own terms.

Why does it matter for your firm?

Founder dependency carries a cost that runs deeper than a disrupted holiday. A business that stalls when you step away is operationally fragile, commercially discounted, and difficult to exit or hand over. Buyers routinely apply a valuation discount for founder dependency, and the FCA has formalised the same principle by requiring regulated firms to remain resilient when critical personnel are unavailable.

The FCA’s 2025 observations on operational resilience made the point directly: some firms were focusing too narrowly on technology resilience and missing dependencies on location and critical personnel. For a ten to fifty person services firm, that personnel concentration usually sits with the founder. When key client relationships are personal rather than documented, or when only the founder knows which supplier to call or how to approve a payment above a certain threshold, those are operational single points of failure.

The Pinsent Masons analysis of the FCA’s 2025 findings highlighted another dependency that many smaller firms overlook: third-party contracts. Delivery that depends on cloud software, outsourced payroll, or specialist subcontractors creates dependencies that may not be visible until the founder steps away and a supplier can’t be reached or a renewal decision stalls. Mapping those relationships is what makes the next absence survivable.

What does the holiday test actually expose?

The holiday test tends to reveal three categories of gap. The first is decisions that only the founder can make. The second is work that lives in the founder’s head rather than in written steps. The third is access: the systems, passwords, and approval rights that only one person controls. Each of these is fixable, but you can only fix what you have first named.

On the people side, the practical question is whether staff can handle a client complaint, approve a routine invoice, or respond to a suspicious email without escalating to you. The NCSC’s small business guidance makes a point that applies directly: a founder’s absence shouldn’t be the moment the business discovers that only one person knows how to reset admin access or manage a potential security incident. If that person is you, the dependency is real.

On the process side, the test reveals whether your documented procedures are usable or just policy folders that nobody has opened in practice. The NCSC is clear that backups should be tested, not merely made. The same principle applies to delegation: a written checklist that nobody has ever followed in a real situation is a theory, not a handover.

On the access side, the ICO’s breach guidance is relevant even to firms that don’t think of themselves as data-intensive. If you are the only person who understands how personal data is handled in the business, a holiday reveals a compliance bottleneck as well as an operational one. A qualifying personal data breach must be reported to the ICO within 72 hours of becoming aware of it. If awareness depends on you being available and reachable, that’s a gap worth closing before you board the flight.

When is the holiday test not enough?

The holiday test is a useful informal diagnostic, but it has real limits. A short absence or a quiet week reveals only day-to-day admin gaps, not the dependencies that surface at billing peaks, onboarding bursts, or under genuine pressure. The FCA requires resilience testing covering severe but plausible scenarios of varying nature and duration, and a fortnight on the beach doesn’t automatically simulate those conditions.

For FCA-regulated firms, the holiday test should be understood as a starting observation rather than a substitute for formal resilience work. The FCA’s transition deadline for mapping and testing against impact tolerances was 31 March 2025, and its 2025 observations noted that many firms still need more work on third-party vulnerabilities and full dependency mapping. The holiday test may surface useful data, but it doesn’t constitute the programme the regulator expects.

Even outside regulated sectors, the test can mislead if the firm is highly seasonal or project-based. A founder who steps away in a quiet August may conclude everything is running smoothly. The pressure points (billing cycles, client onboarding peaks, and deadline crunches) may all be invisible during that window. To get a representative read, the test should run during a normal trading period, not a week chosen precisely because it’s known to be calm.

If the founder’s personal involvement is a deliberate quality signal rather than a default that accumulated over time, the test will surface that design choice rather than a failure. The distinction matters: some founder involvement is intentional and appropriate. The question is whether it’s a considered decision or something that happened without being examined.

What’s the practical move from here?

The holiday test tells you what to fix. The practical move is to write down the five recurring decisions that only you currently make, assign each a named deputy with a simple checklist, and test whether that person can actually execute them. Testing means running the scenario, not writing it down. Do this before you book the holiday, not after you return and patch whatever went wrong.

Start with the highest-risk gaps: payment approvals, key client responses, access to essential systems, and incident handling. On that last point, if your deputy doesn’t know where the incident log lives or what the 72-hour ICO breach clock means in practice, they aren’t ready. Brief them explicitly and make sure they’ve used the process at least once in a low-stakes situation before it matters.

For FCA-regulated firms, align this exercise to your important business services and impact tolerances. The FCA’s expectation is that scenario testing becomes part of business as usual, not a periodic event prompted by a leave request. If your firm relies on third-party suppliers for delivery, check that the contracts give you the audit and information rights needed to include those suppliers in your dependency mapping. The Pinsent Masons analysis of the FCA’s 2025 findings flagged contractual information rights as an area where many smaller firms still need strengthening.

A basic cyber security review is worth running alongside the holiday test. The NCSC’s small business guidance covers password hygiene, multi-factor authentication, and backup testing in practical terms suited to firms without dedicated IT resource. These aren’t additions to the exercise. They are part of the same question: can this business keep running securely when you’re not in the room?

Sources

- FCA (2025). Operational Resilience Insights and Observations. The FCA's published observations on how firms are implementing the operational resilience regime, including dependencies on critical personnel and third parties. https://www.fca.org.uk/firms/operational-resilience/insights-observations
- Pinsent Masons (2025). FCA Operational Resilience: Analysis of 2025 Observations. Legal analysis of the FCA's findings, including the need for stronger contractual audit and information rights with third-party suppliers. https://www.pinsentmasons.com/out-law/analysis/fca-operational-resilience-necessitate-action
- NCSC (2025). Small Business Guide. UK government cyber security guidance covering password hygiene, multi-factor authentication, and backup testing for firms without dedicated IT teams. https://www.ncsc.gov.uk/collection/small-business-guide
- NCSC (2025). Backing Up Your Data. Guidance on testing backups rather than merely making them, with practical steps for small businesses. https://www.ncsc.gov.uk/collection/small-business-guide/backing-up-your-data
- ICO. Report a Personal Data Breach. ICO guidance on the 72-hour notification requirement for qualifying personal data breaches, relevant where incident response depends on founder availability. https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
- ICO. Ransomware and Data Protection. ICO guidance on incident response arrangements, backups, and recovery planning before a cyber incident, and what organisations should have in place. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/security/ransomware-and-data-protection/
- Protiviti UK (2025). Operational Resilience Overview. Professional services analysis of operational resilience frameworks applicable to UK firms across regulated and non-regulated sectors. https://www.protiviti.com/uk-en/operational-resilience
- AJG UK (2025). Cyber Lessons for Businesses from 2025: Why Building Resilience Matters. Industry commentary on resilience gaps in small and mid-sized businesses following 2025 cyber incidents. https://www.ajg.com/uk/news-and-insights/cyber-lessons-for-businesses-from-2025-why-building-resilience-matters/
- Aviva Risk Management Solutions. Building Your Business Resilience. SME-focused guidance on operational resilience from a UK insurer, covering continuity planning and dependency mapping for smaller firms. https://www.aviva.co.uk/risksolutions/building-your-business-resilience/

Frequently asked questions

What is a holiday test in business?

The holiday test is a practical diagnostic where a founder steps away from the business for a week or more and observes what happens. If decisions, client relationships, and operational tasks continue without disruption, the firm has achieved meaningful delegation. If things stall or the founder keeps getting called, the test has identified concentration risk in the people, process, or access layers of the business.

How long should a holiday test last?

Two weeks is a useful minimum because it forces the business through at least one full billing or decision cycle without the founder. A single week may only reveal whether routine admin can be covered, not whether deeper dependencies surface. For firms with irregular project rhythms or seasonal peaks, the test should run during a representative period, not the quietest week of the year.

Does the holiday test satisfy FCA operational resilience requirements?

The holiday test is a useful informal diagnostic but does not substitute for the FCA's formal operational resilience regime. FCA-regulated firms were required to complete mapping and testing against impact tolerances by 31 March 2025. The exercise may surface useful dependency data, but it should be aligned to the firm's important business services and tested against the FCA's severe but plausible disruption scenarios to meet the regulator's expectations.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
