Stack the Odds in your Favor (I): How to Understand your Startup Risks

Failure is not Definitely an Option

People agree that starting a business is risky and although the failure rates might not be as dire as people like to say, 20% fail in their first year and only 50% make it to five years. A decade in, only 30% are still around. (Stats courtesy of Fundera.)

A tech startup takes that to a whole new level because of the additional layers of uncertainty that technology imposes. Startup risks are significant.

Unlike a coffee shop or shoe store which can use relatively accessible market data for planning, most tech startups are operating in newer, untested areas. Some are even pushing the boundaries of medical science or the laws of physics.  Startups aren’t a single sector so there is no single model geography, market or user-group for a startup.

However, you’re an entrepreneur with a vision so you aren’t going to stop tackling your world-changing idea just because the odds are stacked against you. But what can you do to improve those odds?

Unfortunately, most articles titled ‘startup risks’ give you very superficial advice and certainly not enough to turn into an actionable plan. These are similar to growth articles that tell you to ‘make more sales’. Duh!

However, that doesn’t mean you can’t improve your odds and you do that by understanding and managing your risks. What’s outlined here is a simple risk management framework that you can apply to your startup to better understand and prepare for the things that threaten your success.

Best of all, it doesn’t take long and you already have most of the information you need.

KISS

Risk management might sound like the kind of thing that your startup won’t need for years, the kind of thing you think about when you have your own in-house lawyer and accounting team. By that stage, you will definitely be thinking about risk management, especially if you plan to IPO. However, if you start managing your startup risks now, you will have a better chance of actually getting to that stage.

Plus, risk management doesn’t have to be complicated.

In the same way that you can start coding with:

print("Hello World!")

instead of:

using System;
namespace HelloWorld
{
    class Hello 
    {
        static void Main() 
        {
            Console.WriteLine("Hello World!");

            // Keep the console window open in debug mode.
            Console.WriteLine("Press any key to exit.");
            Console.ReadKey();
        }
    }
}

You can start risk management with a simple approach that will scale as you grow.

Risk Management 101

Before we get into the model in detail, here’s a very quick primer on risk and risk management. Definitions are boring but necessary here because risk management is something where people often disagree on terms.

  • A simple definition for risk is ‘the effect of uncertainty on objectives’ (this is the ISO definition). It’s how the things we don’t understand and manage properly can prevent us from reaching our goal.
  • Two key risk management processes are:
    • A risk assessment is how you can understand what your challenges are.
    • Risk management is the process to reduce or overcome the risks you identify.
  • To help us assess risks, we can break each risk into its component parts. These are:
    • Threat – What is the negative thing that could happen?
    • Vulnerability – What is in place to prevent this or how prepared are we for this event?
    • Impact – How badly would this event affect our plans if it happened?

If you understand the above points, that’s all you need to know as far as definitions or the technicalities of risk management. Now we’re going to move on to how to apply this to your business to assess and understand your startup risks.

Three Questions

The simplest way to understand your risk is to ask a series of three questions for each of the main areas of startup risk. These questions allow you to understand the threats to your business, how vulnerable you are and what impact an event might have.

  1. How severe is the negative thing that could happen? (Threat)
  2. What is in place or how well prepared are we to avoid or prevent this? (Vulnerability)
  3. If this event happened, how badly would this affect our plans? (Impact)

Once you have run through these questions, you will be able to prioritize your risks and start to take preventative action.

Threat Categories

To help add some structure, I’ve grouped similar threat types together to make discussions easier. The categories are shown in bold and the individual threats to think about are also listed.

Market

  • Potential market
  • Market saturation / dominance (existing)
  • Competition (emerging)

Financial

  • Availability of funding
  • Cash-flow / burn rate
  • Financial model

Statutory / Political / Regulatory

  • Government regulation
  • Political support / opposition
  • Applicable statutes

Safety / Security / Health

  • Threats to venture
  • Threats to users

Environmental

  • Environmental effects
  • Environmental threats

License to Operate / Reputation

  • Reputation of the founders
  • Reputation of the firm / associated brand
  • Public perception of the venture / sector

Technology / Infrastructure

  • Technical challenges
  • Infrastructure challenges
  • Dependencies

People

  • Founders
  • Skilled individuals

Grouping threats like this will make your discussions easier and it’s also going to help later when you get to the actual risk management part because the same person will usually own similar threats (e.g. the CTO will own technology / infrastructure, the CFO might own Financial and market, etc.).

At this stage, you might think that some of these threats don’t apply and you will be tempted to strike these off the list.

Don’t. Leave them there for now because you might be surprised what poses a threat once you have thought about it.

You might also need to add to this list, depending upon any specific threat to your startup. Again, you know your business best so feel free to add factors where necessary. The only advice that I would give is to try to avoid having too many specifics at this stage. You can always add more later but we are trying to keep things simple at this stage.

Scoring and Calculations

Scoring

Scoring can get out of hand and become very complicated, very quickly, so it’s best to keep it simple. That said, you should have a combination of quantitative (numbers), qualitative (descriptions) and visual (color coding) to help ‘score’ each element as this helps with calculations, discussions and presentations of the data respectively.

This mix allows you to describe something (‘Moderate’) in a discussion, apply a value (‘3’) for scoring and color-code the results (‘amber’) all within the same system.

Calculations

The overall risk ratings use similar colors and terminology but the values are shown in a 1 – 100 range. We defined risk as:

risk = threat x vulnerability x impact

So the calculation using the 1 – 5 values is:

r = tvi/1.25

This gives you a result between 1 and 100 which you then use to order your risks from highest (worst and most urgent) to lowest.  You can read more about risk metrics and this system here.

This is a relatively straightforward assessment as there are only 21 elements so a spreadsheet can work (there’s a template for one here). Alternately, you can use software to speed up and simplify the process. Whatever you do, just make sure the system is stable and that everyone is applying the metrics consistently.

Once you have scored each risk, list them in descending order to work out which fire needs putting out first.
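
The scoring and ordering steps above as a small Python sketch. This is an added example, not the article's spreadsheet template or the DCDR tool; the class and function names are illustrative and the scores in REGISTER are constructed.

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # the article's 1-5 values for threat, vulnerability, impact


@dataclass(frozen=True)
class Risk:
    category: str
    element: str
    threat: int
    vulnerability: int
    impact: int

    def __post_init__(self):
        # Reject out-of-scale values so everyone applies the metrics consistently.
        for name in ("threat", "vulnerability", "impact"):
            value = getattr(self, name)
            if value not in SCALE:
                raise ValueError(f"{self.element}: {name}={value!r} is outside 1-5")

    @property
    def score(self) -> float:
        # r = tvi / 1.25, so 5 x 5 x 5 maps to 100 (and 1 x 1 x 1 to 0.8)
        return self.threat * self.vulnerability * self.impact / 1.25


def prioritize(register):
    """Highest score first; ties keep their order in the register."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def worst_by_category(register):
    """Top-scoring element per category, for whoever owns that category."""
    worst = {}
    for risk in prioritize(register):
        worst.setdefault(risk.category, risk)
    return worst


# Constructed scores for illustration only; the elements come from the category list.
REGISTER = [
    Risk("Financial", "Cash-flow / burn rate", 4, 4, 5),
    Risk("Financial", "Availability of funding", 3, 3, 4),
    Risk("Technology / Infrastructure", "Dependencies", 5, 4, 3),
    Risk("People", "Founders", 2, 2, 5),
    Risk("Market", "Competition (emerging)", 3, 2, 3),
]

if __name__ == "__main__":
    for risk in prioritize(REGISTER):
        print(f"{risk.score:5.1f}  {risk.category}: {risk.element}")
```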


Mandatory Public Safety Announcement

Remember, you are in the early stages of a startup so many (all?) of your risks will score pretty highly. You already know that, it just looks worse when it’s written down in detail so don’t be alarmed if everything comes up red.


Bringing it all Together

Here’s the process for understanding and managing your startup risks in full.

  1. For each element, ask:
    • How severe is the negative thing that could happen? (Threat)
    • What is in place or how well prepared are we to avoid or prevent this? (Vulnerability)
    • If this event happened, how badly would this affect our plans? (Impact)
  2. Evaluate each element and give it a value for threat, vulnerability and impact to give us an overall score.
  3. Compare the risks to determine which needs to be addressed most urgently.
  4. Design and implement ways to bring our risks down as low as possible. (More on this in Part II.)
  5. Review and repeat.

Again, this doesn’t need to be a complicated or time-consuming process. Big organizations will spend months on these but you won’t have time for that. However, you only need to carve out a couple of hours per month to do this and you will be in much better shape.

That’s It

And that’s all there is to it. Think about your startup and the threats that you face using the categories suggested above. Then, ask yourself the three questions and score the results.

Once you’ve done that, you will end up with a numeric score for each element so you can prioritize these for action.

As I said, everything is going to run hot in a startup and you will end up with a lot of ‘reds,’ but now you at least have a better understanding of what you are dealing with. Most importantly, you might spot some left-field threats that weren’t on your radar before.

May the Odds be ever in your Favor….

If you are reading this, then you know running a startup is hard. And turning that into a successful business is even harder.

But we owe it to ourselves, our users and investors (and our families) to give our ideas the best chance of success. The failure rate will still be high – we are doing hard things so that’s to be expected – but we can stack the odds in our favor if we really understand what our risks look like. I hope this system helps you understand and manage your risks.

Good luck and may the odds be ever in your favor…

You can find a lot more detail on risk, risk management and even try the DCDR risk management tool at DCDR.io.

I’d love to know what you think – please leave a comment below.


Note A – Threat Statement Examples

One quick caveat. Examples help explain something like this but examples also start to add biases into the calculations. So when you look at the example below, please keep in mind that these are general statements for illustration, not hard and fast definitions for lower versus higher threats. (I’m deliberately using the more general low / high terms here too for that reason.)

Example Threat Statements

Here are some examples of the answers that you might find when you ask about the threat from each element. The grid below shows the kinds of statement that would result in lower or higher results but again, make sure you are thinking about your startup, your market and your challenges when you complete your assessment.

Keep in mind that threats are events that are normally outside the control of the organization. For example, under ‘cashflow’ the threat is whether cash flow in your field generally is high or low. So if you are doing biomedicine, your burn rate is going to be very high compared to something wholly browser-based. You might be able to control your cash flow and do things faster and cheaper (maybe that’s your secret sauce) but you address that in the next section.

Market

  • Potential market
    • Low: There is a well-defined, validated market for the offering.
    • High: There is no clear market for the offering.
  • Market saturation / dominance (existing)
    • Low: The market is new and no mature players operate in the space.
    • High: The market is mature and is dominated by a single entity with significant competitive advantages.
  • Competition (emerging)
    • Low: Interest in this space seems limited.
    • High: There are multiple capable and competent startups entering this area.

Financial

  • Availability of funding
    • Low: There is a lot of interest in funding ventures in this space.
    • High: There are very few opportunities to raise funds.
  • Cash-flow / burn rate
    • Low: Cash-flow / burn rate in this space is very low.
    • High: Cash-flow / burn rate in this space is very high.
  • Financial model
    • Low: The financial model projects high profit margins and rapid profitability.
    • High: The financial model projects very low margins and a long path to profitability.

Statutory / Political / Regulatory

  • Government regulation
    • Low: There are no specific government regulations relating to this sector.
    • High: This is a highly regulated sector.
  • Political support / opposition
    • Low: There is no known political opposition to this type of venture.
    • High: There is significant opposition to this type of venture.
  • Applicable statutes
    • Low: No specific statutes apply to this sector.
    • High: This sector has to comply with multiple statutes which differ by location.

Safety / Security / Health

  • Threats to venture
    • Low: There are no specific Safety / Security / Health threats.
    • High: The venture faces significant, persistent security threats.
  • Threats to users
    • Low: Users do not face any significant or unique threats from the technology.
    • High: Users face significant physical danger if the technology fails.

Environmental

  • Environmental effects
    • Low: The venture has no notable environmental impact.
    • High: The venture imposes a significant burden on the environment due to waste products / resource usage.
  • Environmental threats
    • Low: There are no specific environmental threats to the venture.
    • High: Critical parts of the venture are based in areas of environmental instability.

License to Operate / Reputation

  • Reputation of the founders
    • Low: The founders have a positive reputation.
    • High: There is significant skepticism or distrust of the founders.
  • Reputation of the firm / associated brand
    • Low: The firm and brand are well regarded.
    • High: The firm and brand are tarnished.
  • Public perception of the venture / sector
    • Low: The public is well-disposed to operators in this sector.
    • High: The public is hostile to operators in this sector.

Technology / Infrastructure

  • Technical challenges
    • Low: The technical challenges are well understood and have been overcome previously.
    • High: The technical challenges are largely unknown.
  • Infrastructure challenges
    • Low: Widely available, stable infrastructure is available.
    • High: There is no supporting infrastructure.
  • Dependencies
    • Low: There are no specific dependencies required to make the venture operational.
    • High: The venture is wholly dependent on third-party dependencies.

People

  • Founders
    • Low: The founding team has the ability and temperament required to make the venture succeed.
    • High: The founding team has very few applicable skills or experience.
  • Skilled individuals
    • Low: The venture has a deep bench of skilled talent.
    • High: There are no skilled individuals within the venture (e.g. everything is outsourced).
