Failure is not Definitely an Option
People agree that starting a business is risky and although the failure rates might not be as dire as people like to say, 20% fail in their first year and only 50% make it to five years. A decade in, only 30% are still around (Stats courtesy of Fundera.).
A tech startup takes that to a whole new level because of the additional layers of uncertainty that technology imposes. Startup’s risks are significant.
Unlike a coffee shop or shoe store which can use relatively accessible market data for planning, most tech startups are operating in newer, untested areas. Some are even pushing the boundaries of medical science or the laws of physics. Startups aren’t a single sector so there is no single model geography, market or user-group for a startup.
However, you’re an entrepreneur with a vision so you aren’t going to stop tackling your world-changing idea just because the odds are stacked against you. But what can you do to improve those odds?
Unfortunately, most articles titled ‘startup risks’ give you very superficial advice and certainly not enough to turn into an actionable plan. These are similar to growth articles that tell you to ‘make more sales’. Duh!
However, that doesn’t mean you can’t improve your odds and you do that by understanding and managing your risks. What’s outlined here is a simple risk management framework that you can apply to your startup to better understand and prepare for the things that threaten your success.
Best of all, it doesn’t take long and you already have most of the information you need.
KISS
Risk management might sound like the kind of thing that your startup won’t need for years, the kind of thing you think about when you have your own in-house lawyer and accounting team. By that stage, you will definitely be thinking about risk management, especially if you plan to IPO. However, if you start managing your startup risks now, you will have a better chance of actually getting to that stage.
Plus, risk management doesn’t have to be complicated.
In the same way that you can start coding with:
print("Hello World!")
instead of:
using System; namespace HelloWorld { class Hello { static void Main() { Console.WriteLine("Hello World!"); // Keep the console window open in debug mode. Console.WriteLine("Press any key to exit."); Console.ReadKey(); } } }
You can start risk management with a simple approach that will scale as you grow.
Risk Management 101
Before we get into the model in detail, here’s a very quick primer on risk and risk management. Definitions are boring but necessary here because risk management is something where people often disagree on terms

- A simple definition for risk is ‘the effect of uncertainty on objectives‘ (this is the ISO definition). It’s how the things we don’t understand and manage properly can prevent us from reaching our goal.
- Two key risk management processes are:
- A risk assessment is how you can understand what your challenges are.
- Risk management is the process to reduce or overcome the risks you identify.
- To help us assess risks, we can break each risk into its component parts. These are:
- Threat – What is the negative thing that could happen?
- Vulnerability – What is in place to prevent this or how prepared are we for this event?
- Impact – How badly would this event affect our plans if it happened?
If you understand the above points, that’s all you need to know far as definitions or the technicalities of risk management. Now we’re going to move on to how to apply this to your business to assess and understand your startup risks.
Three Questions
The simplest way to understand your risk is to ask a series of three questions for each of the main areas of startup risk. These questions allow you to understand the threats to your business, how vulnerable you are and what impact an event might have.
- How severe is the negative thing that could happen? (Threat)
- What is in place or how well prepared are we to avoid or prevent this? (Vulnerability)
- If this event happened, how badly would this affect our plans? (Impact)
Once you have run through these questions, you will be able to prioritize your risks and start to take preventative action.
Threat Categories
To help add some structure, I’ve grouped similar threat types together to make discussions easier. The categories are shown in bold and the individual threats to think about are also listed.
Market
- Potential market
- Market saturation / dominance (existing)
- Competition (emerging)
Financial
- Availability of funding
- Cash-flow / burn rate
- Financial model
Statutory / Political / Regulatory
- Government regulation
- Political support / opposition
- Applicable statutes
Safety / Security / Health
- Threats to venture
- Threats to users
Environmental
- Environmental effects
- Environmental threats
License to Operate / Reputation
- Reputation of the founders
- Reputation of the firm / associated brand
- Public perception of the venture / sector
Technology / Infrastructure
- Technical challenges
- Infrastructure challenges
- Dependencies
People
- Founders
- Skilled individuals
Grouping threats like this will make your discussions easier and it’s also going to help later when you get to the actual risk management part because the same person will usually own similar threats (e.g. the CTO will own technology / infrastructure, the CFO might own Financial and market, etc.)
At this stage, you might think that some of these threats don’t apply and you will be tempted to strike these off the list.
Don’t. Leave them there for now because you might be surprised what poses a threat once you have thought about it.
You might also need to add to this list, depending upon any specific threat to your startup. Again, you know your business best so feel free to add factors where necessary. The only advice that I would give is to try to avoid having too many specifics at this stage. You can always add more later but we are trying to keep things simple at this stage.
Scoring and Calculations
Scoring
Scoring can get out of hand and become very complicated, very quickly, so it’s best to keep it simple. That said, you should have a combination of quantitative (numbers), qualitative (descriptions) and visual (color coding) to help ‘score’ each element as this helps with calculations, discussions and presentations of the data respectively.

This mix allows you to describe something (‘Moderate’) in a discussion, apply a value (‘3’) for scoring and color-code the results (‘amber‘) all within the same system.
Calculations
The overall risk ratings use similar colors and terminology but the values are shown in a 1 – 100 range. We defined risk as:
risk = threat x vulnerability x impact
So the calculation using the 1 – 5 values is:
r = tvi/1.25
This gives you a result between 1 and 100 which you then use to order your risks from highest (worst and most urgent) to lowest. You can read more about risk metrics and this system here.
This is a relatively straightforward assessment as there are only 21 elements so a spreadsheet can work (there’s a template for one here). Alternately, you can use software to speed up and simplify the process. Whatever you do, just make sure the system is stable and that everyone is applying the metrics consistently.
Once you have scored each risk, list them in descending order to work out which fire needs putting out first.
Mandatory Public Safety Announcement

Remember, you are in the early stages of a startup so many (all?) of your risks will score pretty highly. You already know that, it just looks worse when it’s written down in detail so don’t be alarmed if everything comes up red.
Bringing it all Together
Here’s the process for understanding and managing your startup risks in full.
- For each element, ask:
- How severe is the negative thing that could happen? (Threat)
- What is in place or how well prepared are we to avoid or prevent this? (Vulnerability)
- If this event happened, how badly would this affect our plans? (Impact)
- Evaluate each element and give it a value for threat, vulnerability and impact to give us an overall score.
- Compare the risks to determine which needs to be addressed most urgently.
- Design and implement ways to bring our risks down as low as possible. (More on this in Part II.)
- Review and repeat.
Again, this doesn’t need to be a complicated or time consuming process. Big organizations will spend months on these but you won’t have time for that. However, you only need to carve out a couple of hours per month to do this and you will be in much better shape.
That’s It
And that’s all there is to it. Think about your startup and the threats that you face using the categories suggested above. Then, ask yourself the three questions and score the results.
Once you’ve done that, you will end up with a numeric score for each element so you can prioritize these for action.
As I said, everything is going to run hot in a startup and you will end up with a lot of ‘reds,’ but now you at least have a better understand what you are dealing with. Most importantly, you might spot some left-field threats that weren’t on your radar before.
May the Odds be ever in your Favor….
If you are reading this, then you know running a startup is hard. And turning that into a successful business is even harder.
But we owe it to ourselves, our users and investors (and our families) to give our ideas the best chance of success. The failure rate will still be high – we are doing hard things so that’s to be expected – but we can stack the odds in our favor if we really understand what our risks look like. I hope this system you understand and manage your risks.
Good luck and may the odds be ever in your favor…
You can find a lot more detail on risk, risk management and even try the DCDR risk management tool at DCDR.io.
I’d love to know what you think – please leave a comment below.
Note A – Threat Statement Examples
One quick caveat. Examples help explain something like this but examples also start to add biases into the calculations. So when you look at the example below, please keep in mind that these are general statements for illustration, not hard and fast definitions for lower versus higher threats. (I’m deliberately using the more general low / high terms here too for that reason.)
Example Threat Statements
Here are some examples of the answers that you might find when you ask about the threat from each element. The grid below shows the kinds of statement that would result in a lower or higher results but again, make sure you are thinking about your startup, your market and your challenges when you complete your assessment.
Keep in mind that threats are events that are normally outside the control of the organization. For example, under ‘cashflow’ the threat is cash flow in your field generally is high or low. So if you are doing biomedicine, your burn rate is going to be very high compared to something wholly browser-based. You might be able to control your cash flow and do things faster and cheaper (maybe that’s your secret sauce) but you address that in the next section.
Example Threat Statements
Low < —————————————-> High
Market | ||
| There is a well-defined, validated market for the offering. | There is no clear market for the offering. |
| The market is new and no mature players operate in the space. | The market is mature and is dominated by a single entity with significant competitive advantages. |
| Interest in this space seems limited. | There are multiple capable and competent startups entering this area |
Financial | ||
| There is a lot of interest in funding ventures in this space | There are very few opportunities to raise funds. |
| Cash-flow / burn rate in this space is very low | Cash-flow / burn rate in this space is very high |
| The financial model projects high profit margins and rapid profitability | The financial model projects very low margins and a long path to profitability |
Statutory / Political / Regulatory | ||
| There are no specific government regulations relating to this sector | This is a highly regulated sector |
| There is no known political opposition to this type of venture | There is significant opposition to this type of venture |
| No specific statutes apply to this sector | This sectors has to comply with multiple statutes which differ by location |
Safety / Security / Health | ||
| There are no specific Safety / Security / Health threats | The venture faces significant, persistent security threats |
| Users do not face any significant or unique threats from the technology. | Users face significant physical danger if the technology fails |
Environmental | ||
| The venture has no notable environmental impact | The venture imposes a significant burden on the environment due to waste products / resource usage. |
| There are no specific environmental threats to the venture | Critical parts of the venture are based in areas of environmental instability |
License to operate / reputation | ||
| The founders have a positive reputation | There is significant skepticism or distrust of the founders |
| The firm and brand and well regarded | The firm and brand are tarnished |
| The public is well-disposed to operators in this sector | The public is hostile to operators in this sector |
Technology / Infrastructure | ||
| The technical challenges are well understood and have been overcome previously | The technical challenges are largely unknown |
| Widely available, stable infrastructure is available | There is no supporting infrastructure |
| There are no specific dependencies required to make the venture operational | The venture is wholly dependent on third-party dependencies. |
People | ||
| The founding team has the ability and temperament required to make the venture succeed. | The founding team has very few applicable skills or experience. |
| The venture has a deep bench of skilled talent | There are no skilled individuals within the venture (e.g. everything is outsourced). |
Want this whole article as a PDF? Just send me an email.