We should have talked about this earlier: risk management in startups

The end of 2020 seems like a good point to talk about risk management for your startups, right? A super timely decision, considering the fact most businesses, especially SMEs, have been struggling to deal with a dynamic crisis-inducing environment since the pandemic started.

So: are threat predictions a point you should concentrate on when building your risk strategy? Is there a point in preparing the structure of your business for absolutely troublesome events that might or might not happen in the future? Should you, as a founder of a startup, even care about de-risking as many threat points as you can, if startups (ventures) are, by their very definition, an embodiment of risk-taking (because without risk there is no reward)?

We’ll try to answer these and other questions in this article. We’ll also (very briefly) describe the standard risk management cycle and how to employ it and give you some risk management strategies to think about.

Digging into classics

When talking about startup risk management, most sources use some variations of these two graphics we all, we’re sure, have met on the Internet at some point.

Risk management structure

Sources: Xalitech & QuantumFBI

And all of it is pretty straightforward.

Risk management is the process where you:

  1. Find the risks. For instance: there’s a risk the market won’t need your product. Risks can be internal (like hiring a person without experience) and external (like a new competitor’s product that shifts customer experience to a place where you aren’t ready to meet them).
  2. Analyze risks, or figure out how probable each risk is and what impact it might have on your organization. In other words, try to predict the risks accurately.
  3. Evaluate risks or prioritize which risks need to be addressed to remove the most severe consequences of them happening.
  4. Treat risks: remove all the high-impact things that can screw up your entrepreneurial journey.
  5. Monitor risks or continuously track everything connected to your company and your market; learn to identify potential crises and shifts in the surrounding landscape before they manifest and respond to them preventively.

Now classic strategies of treating the risks and some of their examples are:

  1. Avoidance (If you don’t enter a well-developed, highly competitive market, you wouldn’t need to deal with all its struggles.)
  2. Reduction (Reduce the impact of risks or create a soft landing, e.g.: if you don’t market your product widely, then, if you fail, fewer people will notice. On the other hand, in this case, as with all “positive,” high-reward risks, if the product is successful, you’ll wish you’d marketed it more.)
  3. Sharing (Share responsibility for dealing with the consequences of the risk with other people: co-founders, colleagues, insurers, partner companies. For instance, when a crisis hits, you form partnerships with companies that operate in your industry, sharing your market share and tapping into theirs.)
  4. Retention (This strategy is used for sure, predictable, transparent, and small risks: you accept them, accept the losses associated with them and their consequences, and like… move on with them in mind?)

Now, there are two definitions to think about:

Pure (static) risks: risks where an event results in no gains or benefits, only loss or no loss, like a hazard in manufacturing. Pure risks are usually easily calculated and can be prevented or insured.

Dynamic risks: risks from environments, markets, and events that are constantly changing; our pandemic is a dynamic risk. Behind those are often lots of questions: if they occur, what would we do? When they occur? If this happens, how do we recover?

Dynamic risks can benefit an organization if they are dealt with, their sources are removed, and the weaknesses these risks would target are strengthened. For instance, 2020 has been the most funded year for digital healthcare, because its developments (like telemedicine, wearables, and R&D analytics) have been helping the world fight the pandemic.

At the same time, starting a business itself is a dynamic risk comprising many smaller dynamic risks. But then, of course, there is gain, a sweet reward you’ll get for making right, bold decisions and doing something no one has done; bringing value to the people.

De-risking major risks for startups

Leo Polovets, a software engineer turned VC, made a super-useful and fairly universal de-risking instruction for startups and the risks they commonly face.

There are, like, ten risks which, quite suspiciously, correlate well with the most prominent reasons startups shut down. Polovets suggests placing these risks on a scale from 1 (very, very high risk) to 5 (super low risk).

Risk evaluation spectrum

Risk spectrum

He uses three principles for ranking startups’ risks, assessing them, and incorporating strategies to mitigate them.

  1. Show, don’t tell. If you *think* your product solves a certain problem, that’s a 1 - high risk. If you can *show*, like, your prototype that helps your audience and is loved by them, that’s a 5 - low risk. In between, if you, for example, don’t have anything to show, but you have built products that help people before (like, you have been a startup founder before or worked in the industry you’re trying to build the product for), it’s a 3, a medium risk.
  2. External validation > Personal opinion. Again, if you just *claim* you can build a mobile app, that’s a high risk. If people who know you say you can build a mobile app, that’s medium risk. If other random people who don’t know you say you can (ideally, your users), that’s a low risk.
  3. Data wins. Quite simple: your sales aren’t at risk if you already have 100 customers; if you have 10 or zero customers, you have medium or high risk on sales, respectively.

Considering the fact that Polovets invests in startups, these models of risk evaluation kind of show what your VCs or angels will be looking for in your pitch.

Now, common risks to manage in any startup firm and how to “get out” of them are:

  • Market fit — You build a product people want
  • Product quality — Your product is good
  • Team — Your team is expert and engaged, interested in reaching your vision. They can execute in every area needed to build, test, ship, and promote your product.
  • Recruiting — You can grow your team
  • Sales — You or your team can sell your product
  • Market — Your market is big and you can *demonstrate* that you can earn enough profit to exit at $1b (here, you need to remember that it's an investor's perspective; the majority of them are interested in your startup making a large exit because if the market isn’t big, there are not enough customers and the probability of getting a high valuation is lower.)
  • Funding — You have enough money to reach the investor’s milestones needed to raise money on better terms, and you have a money backup in case you aren’t able to raise money
  • Short-term competition — You have differentiated yourself from existing competitors in the field
  • Long-term competition — If others try to copy you, you can maintain and sustain your place in the market

Now, according to Polovets, to assess these risks you need to prove all these things: if the evidence for, for instance, your team’s capacity to execute isn’t solid enough (basically: if you’re assuming, and don’t have any external opinion, data, or a tangible Thing to show), that’s a high risk.

You can use this framework for your startup’s risk assessment. Rank each one of these aspects from 1 (the answer is no) to 5 (the answer is yes.)

Risk Assessment and Prioritization for Your Startup

Source: Risk Assessment and Prioritization for Your Startup

This exercise will then help you prioritize the risks you need to address right now (the red ones): mitigating big risks has a big impact, whereas removing small risks, though pleasant, has a small impact.

Which is… kind of logical, because bigger threats pose a bigger danger for an organization.

Two things to remember here

  • If you can’t remove the risk (and, in the case of, e.g., a bad funding plan or lack of product-market fit, you usually can’t; it’s not a one-hour activity), mitigate it: reduce its impact from a high risk to a medium one. Find people to test your product, do some interviews. Prioritize your spending, and so on.
  • So, for yourself (and for investors), you need to prove that you can do all these things, right? It’s easy to fall into the trap of convincing yourself that something you decided to do removes risks when in truth it doesn’t. For instance, if you don’t have customers who pay, your 200 potential leads don’t prove you’ve mitigated market fit risk. If you micromanage your whole team, you still have a high risk on the execution side—despite the fact you’ve hired 10 additional people.

You have to be able to measure the efficiency of your de-risking. In this case, “if you can’t measure it, it doesn’t exist” holds true. Measure de-risking by KPIs, the number of new customers, and the outsider’s perspective, and don’t forget that you can de-risk several big or medium things simultaneously.

Plus, if you already have employees or collaborators—like co-founders, an outsource company, or partners—you should involve them in your risk mitigation process, ‘cause, as you grow and hopefully will nail the “efficient manager” risk, you’ll need your team to be able to do all this.

Misconceptions around de-risking

But what about the “no risk, no reward” we mentioned earlier, you’d ask.

Julian Ritter makes the same argument on Sifted. He argues: sure, de-risking is what investors have in mind when managing their portfolio, but for founders who are building a venture, risks have to be involved, as they’re part of the innovation process. “The concept of de-risking alone will never guarantee success,” he says, adding that strategic goals and innovation strategies, as well as the right setup for exploring different business models and tactics, are necessary parts of reaching The Top, too.

That’s valid.

The article he argues with focuses on sharing responsibilities and reducing and re-distributing costs across partners and different business models. Its authors suggest using these strategies to reduce risks, accelerate innovation, and decrease costs of production.

And that’s valid too.

Now, startups need to de-risk, aka address their weak points and reduce uncertainty around their product, if they want to raise money. Because, as Ritter rightfully notes, it’s crucial for a lot of startup investing and for the whole risk vs. reward conversation for VCs, especially in later stages.

But: however controversial that will sound, de-risking isn’t a refusal to take risks. De-risking is the mitigation of those you already have, and of those that already pose, or very soon will pose, a threat to your startup.

In the environment that forces you to play by competition’s rules, the bold move you make to differentiate yourself from the other players is a dynamic risk that can benefit you in the long-term, that’s true. But de-risking strategies Polovets advocates for are not indicators of hesitancy; they help you cover your bases and avoid falling into making founders’ common mistakes, like (unexpectedly) getting to the end of a runway or trapping yourself in the innovation loop (when you add a feature, and then another feature, and then the third feature—but no living human saw your product).

Now, let’s move to how you can deal with risks.

The expected value for decision-making

First, let’s learn an easy way to determine whether to take a risk or not. With risks where you can easily quantify loss/reward numbers (transparent risks), try calculating expected value. Expected value (EV) is a “sum of all possible values for a random variable, each value is multiplied by its probability of occurrence.”

So: you want to hire engineers for your MVP. Let’s say it’s a mobile application, so you’re looking for a cross-platform developer. They must be at a senior level because you don’t know the tech stuff and want this engineer to build quickly and build with business problems in mind. According to Glassdoor, if you live in the USA, you’ll be paying them between $96K and, let’s say, $140K, depending on their experience. Let’s stop at $100k for the ease of it (though that’s really underpaying a senior developer by American standards.)

Now, 100k/year is about $8.3k/month. You want MVP ready in six months to show first adopters and your investors, so, you need to pay about $50k for this period. Let’s say you have solid product-market fit research already, have a proof of concept, and your marketing team already has an email list of people actively interested in your future release (they, ideally, have paid money to look at your product already, and their feedback is involved with the development. It’s all perfect.)

Let’s say the probability that your engineer is great at what they’re doing is 50/50 (which is not okay, because you need to be sure your engineers know what they’re doing. How to be sure? Look at their past projects and other people’s testimonials: tangible evidence).

Let’s also say you plan to sell your app for $10, and you estimate that about 7000 people will install your app during the first six months after release. You’ll be getting $7k/month.

Outcome:     +7k | -50k
Probability: 50% | 50%

EV = 7k × 0.5 + (-50k) × 0.5

Expected Value: -21.5k

Doesn’t sound good, does it? A major loss for a young startup.

But if we were to go long-term, and consider the rise in users and popularity and the possibility of exponential growth occurring (which usually happens if there’s a true fit between your product and market) at some point, this investment would pay off.

What you need to decide in this case is: whether you are ready to wait for it—can you afford it?

And finally, do keep in mind that this is a perfect scenario where your app fits your market, you have your ready-to-engage customers, and everything on the product side of the equation is researched, planned, and ready to shoot.

Keep in mind that the EV formula is good for dealing with more certain risks, like purchasing equipment or its components. It works for investment decisions, too (hiring = investment), but there are too many unknown variables in play to fully rely on EV; what EV can give you is a solid hint.

Dealing with unknown, but knowable

Now, some of the startup founders’ risks we’ve talked about above can be described as opaque risks: risks that can be easily quantified and researched, but haven’t been yet. If we were to remove the current crisis from the equation, the usual risks in the corporate/business environment for a startup (like the lack of product-market fit) would be dealt with through:

Sampling - get into the market, talk to customers, figure out what they’ve needed, come back, and implement what you’ve learned.

Modeling - tap into people’s social media, figure out what they like, read reports on what this generation/type of customer needs, read studies on industries. Create a model for your audience on the basis that isn’t directly about your audience (you haven’t heard about it from them), but relates to them very closely. For this to work, you need to know the factors that would make your audience buy or consider buying things you’re offering.

In a crisis, though, you need to deal with opaque risks with more caution and put more safeguards in place in case you enter a more turbulent market zone. Sampling and modeling can work with every risk you can find substantial data on: is your marketing strategy right? What should be done to increase customer satisfaction? How to sell more efficiently? Sample & model and you’ll be alright.

Strategies for sudden and dynamic risks

Sudden and dynamic risks are also called Knightian. They’re risks that occur in areas, industries, and environments that resist calculations; you cannot sample or model to deal with them, because they are either sudden and sometimes devastating (Black Swan) or their attributes change all the time.

These are what you’ll have to deal with in your startup if it enters a crisis (hi!), and they’re the most interesting to talk about in terms of risk management and risk-resistant startup structure as a whole.

Knightian risks are those you face and your initial reaction is to shout at the sky—because, if bad, they’re often shocking, unpredictable, and extremely stressful to deal with.

There are three types of them.

Black swans. The black swan is a term coined by Nassim Taleb (who is very cool and you should read his books), and it means an unpredictable, rare event, catastrophic in its scale, that no one could have envisioned. Before you think, like so many people in business, that the pandemic has been a black swan, let us stop you: the scale of the pandemic, in its roaring and terrible power, was foreseen when it started, and Taleb himself predicted the whole mess of it in January; coronavirus isn’t a Black Swan. 9/11 is.

Black swan events aren't always bad; Taleb considers the rise of the Internet a black swan. “Positive” black swans are usually stretched in time, whereas “negative” ones are sudden and quickly impactful.

Dynamic environments are not a risk type, but environments that make rules for your risk management. In cases where you’re dealing with risks in the dynamic environment, you’ll find that it changes quicker than you can do any research at all: as you find the solution that seems viable, the circumstances change and the solution doesn’t fit anymore; information that would usually be an underlying basis for your future strategy is outdated as soon as you’ve found it.

And finally, adversarial environments are environments that render your efforts to understand and mitigate risk useless; these are environments that actively work against you, and any shifts in your risk management will cause these environments to change their efforts to suppress you. For instance, doing business under a totalitarian government is operating in an adversarial environment.

An example of both dynamic and adversarial environments would be our pandemic at its beginning: everything locks down and is threatening; change is so worrying that it’s hard to focus and know what to do. Even for businesses that work in healthcare, that environment will be dynamic, as, despite understanding the organizations’ functions and the risks they need to mitigate to continue their work, the volume of the problem is just too much to handle, and governmental structures are resistant to collaboration and do not help mitigate the risks.

Also, founding a startup is a dynamic, Knightian risk in an adversarial environment—with competitors creating a hostile rivalry, constantly trying to push you out of the race.

So: how to deal with those types of risks?

Effectuation in risk-management

Love being proactive in your risk mitigation? This set of strategies is for you.

They were described by Saras Sarasvathy. She talked to 27 founders of companies with $200M-$6.5B valuations and asked questions to study their problem-solving methods. She wanted to find out if there are any differences between the mental work of a successful entrepreneur and your usual non-entrepreneurs.

So: is there a specific “entrepreneurial thinking”? It turned out that yeah, there is an underlying principle to the way cool founders think, and it is not mostly causal thinking, as she thought. It’s effectual. Here’s the picture.

Causal vs. effectual reasoning

Your usual causal thinking is: I want to attract 10 restaurants to use my delivery app, what should I do to achieve my goal?

Your effectual thinking is: I have a delivery app. What can I do with it?

So, effectual thinking is moving from your means instead of moving to your goal. It eliminates a lot of futile efforts to predict the outcome of things (Will I achieve the goal?) and makes you, like, imagine multiple outcomes while doing a lot of things.

In terms of risk management, what can be learned from effectuation basic principles?

Bird in the hand. Don’t wait for an opportunity to use your means. Action is one of the main things effectuation strategy requires: if an unpredictable thing hits, transform and adapt based on what you know, and make sure to do it quickly. Startups that seized the opportunity to open delivery businesses and retailers who quickly stepped into e-commerce are winning right now. By taking action, you can turn a risky situation into an advantage, but (this is important) do this only if you have enough resources to gain control of the momentum.

Affordable loss. Set up an affordable loss and don’t risk more than you can afford. While affording losses, make sure to maximize the gain. For instance, when testing ads, you can set a small monthly budget, for instance $300/month, and try different communication strategies. With good analytics, you’ll be able to find working approaches and then maximize your gain using only them, while your losses remain the same.

The Crazy Quilt principle is, basically, about forming a partnership, even with competitors, and sacrificing flexibility for certainty. Then, you’ll get access to their resources and decrease risks by splitting them. Crazy Quilt doesn’t help with Black Swans because huh, both of you are screwed when a Black Swan hits, but it’s really effective when doing business, expanding market shares, and turning competitors into your friends. Teladoc and Livongo, we’re looking at you.

Lemonade principle. Use contingencies and uncertainty as opportunities to learn more and become more; don’t hold onto your goals too much. Make decisions based on the situation; add the situation to the list of your means. Again: finding new opportunities after crises happen is about this. Pivoting and re-positioning in a low-touch economy holds ground here in our case: the faster you’re changing, the better you’re weathering the Thing.

Pilot in the plane principle says that control is everything, so you should be able to react quickly in case of trouble and be ready to use lemonade or crazy quilt to get out of it ASAP. For that, some preparations might be in order: operational processes that are lean enough for you to change gear and start controlling the tide, potential partners, market research for adjacent markets, or other business models.

Effectuation process

Does effectual thinking mean you should embrace changes and gain advantages from them? Yes. Does it mean you should step away from your initial goals? No. It should be used when solving problems, per the design of Sarasvathy’s experiment, and it’s a really good approach (or even mindset) for early-stage founders: what can you do with things you already have?

Antifragility in risk management

Anti-fragility is another concept coined by Taleb, and it, too, can be used as a strategy to deal with risks. You’ll notice that some of its strategies conflict with Sarasvathy’s effectuation or are similar to it, but it’s fine. Our goal is to show you different approaches to risk management, not to advocate for any of them.

Taleb argues that there’s no way to predict dynamic risks, rare events, and market shocks, but there are ways to find fragile zones in your startup and make them tougher. That can be viewed as de-risking, yet it’s done without any specific risks in mind. He argues that intervention with specific risks in mind can be harmful, especially if it is based on assumptions: overtreatment is one example of this.

What antifragility strategies aim to do is to make sure black swans or tides in adversarial and dynamic environments hurt your startup less and less each time you encounter them.

Optionality. Taleb says that one of the greatest moving forces behind anything is its ability to change: optionality. Optionality makes things grow and work, and if so, businesses need to be able to keep many options for doing something in order to thrive, so when rare events hit, they won’t hit everything you have. When de-fragilizing your startup, favor the options that will allow you to choose more options, and train to switch between them.

We’ve talked about this in our article on business models in healthcare: optionality de-centralizes your business model; the more options of revenue streams you have, the more chances you have to weather Bad Things. Your eggs are in different baskets. Apart from that, when you enter a dynamic environment, you’ll find that, in terms of cost-efficiency, switching between favorable options costs less than before. For instance, if you’ve painfully pivoted from D2C to B2B2C at the end of 2019, you are in a much better position right now than you would have been with just D2C.

Hormesis. When the crisis hits, make sure a similar Thing will hurt less in the future: build up immunity to a particular type of negative event. If your organization is prone to cyberattacks, increase security safeguards and train your staff. If the pandemic forced you to work remotely and you’ve found that documentation in your startup isn’t sufficient to work through your project without micromanagement, improve documentation. Classic entrepreneurial thing: if something hurts, address it and become stronger.

Evolution. Taleb writes: the gene pool takes advantage of shocks to enhance its fitness. Evolution, as you know, actually gains from randomness and unpredictable stressors, up to some limit, of course, but it’s quite high (risk of extinction or nuclear winter), so let’s not bother about it right now. Evolution is quite an obvious strategy for testing your strategies and assumptions: if they survive the hit, they’re here to stay and to be used; if they die, don’t try them again.

The Barbell strategy. That’s actually something we’ve talked about in Leo Polovets’s section: mitigate risks in parallel and combine high-risk high-impact mitigation with the removal of transparent low-risk threats. Working with the latter is no less important. It doesn’t matter that much if you’re a good manager or not if you have, like, a team of five people, but it will matter when your startup enters a dynamic environment. Like with the pandemic, right? Good managers are pure gold in the pandemic.

Via Negativa or “just work on removing the pebble in your shoe”. Choose subtraction over addition. In decision making, less is more: when dealing with risks, remove the sources of big risks instead of over-optimizing existing protections and trying to predict the next big hit. That’s basically the evolutionary concept, but more future-dependent: as an example, it advises against taking a big loan before paying off the previous one, because, if you enter the dynamic environment, oh how these two loans are gonna suck.

Skin in the game. This is not a strategy per se, but a thing to observe. For antifragility approaches to really work, every person in your startup needs to be aware of fragile places in the structure of your business and be motivated to fix them. Taleb says that for that, they need to be exposed to the consequences of a business’ fragility.

Situations when there’s no skin in the game usually happen when the system is fragile and facing risks actively harming a lot of people except, for example, managers or other people who hold power. If managers are equally harmed by Bad Things, they are interested in making sure harm won’t come again.

The classic example of applying the skin in the game principle is corruption: if people in power didn’t benefit from corruption and actually faced the consequences of, e.g., underfunded healthcare, they wouldn’t keep covering it up.

In terms of your startup—and your team-related risk (we’ve discussed it a few centuries ago on the first page)—the team’s skin in the game is whether they’re willing to take responsibility for their mistakes and whether all of them are willing to work towards antifragility.

Final thoughts (how not to be scared watching horror movies)

There are always risks in a startup and, hopefully, this article provided you with at least a few ideas on how to deal with them.

As a conclusion, we wanted to say two things: first, please remember survivorship bias when studying the history of how people dealt with risks in startups. We always recommend reading startup post-mortems. It’s a good time: we are often so focused on successful cases that we forget there is a whole narrative of failure behind them.

Second, learn to see early signs of disturbances around you. Your team can be your biggest competitive advantage, and it can be a big risk, especially in a dynamic environment. If you didn’t have any risk management options in place before the pandemic, your employees now are more fragile than ever—so address this; certainty is a good, rare thing to have right now, especially combined with attention and support from The Boss. Remember that you are part of your workforce, and you, too, are fragile right now. Take care of yourself.

Now, risk management gets easier if you dedicate some time in your week to it. It’s like watching horror movies: you’re learning tropes, know what to expect when sinister music starts playing, know what will happen if the party splits up.

Of course, sudden risks don’t exactly fit into tropes.

But, while coronavirus is often defined as a Black Swan type, lots of other, predictable (but no less scary) risks happen and will happen, creating a hostile, fast-changing environment around you.

There’s no riskless building of a startup, but you can build an organization that will, in case of a hit, degrade gracefully instead of crumbling to pieces at once; or a system that adjusts quickly, thanks to the operational structure you’ve established before; or even moves with a pace and agility that allow you to gain new ground and accumulate more control than you had before.

De-risk, study risk strategies, and build in a way that will allow you to appreciate these Uncertain Times (and many other Times, Better and Worse Ones). Also, read our article on how big companies turned past crises to their advantage.

