Key Risk Conversations to Have With Your Board and Investors


Building a startup is a risky business. The only way to stay ahead of the risks is to be aware and informed about them.

The board of directors, in particular, needs to know enough about the risks in the business to make well-rounded strategic decisions. As for investors, most of them do their own risk analysis on a startup before putting in money. But if the startup is upfront about identifying and discussing its risks with investors, it is more likely to inspire confidence and credibility. With that in mind, here are a few key risks that startups should definitely discuss with their board and investors.

Business Plan Risks

The purpose of analyzing your business plan risk is to demonstrate to investors and the board that you’ve thought through the major risks confronting the organization, and have developed effective strategies to deal with these risks. Your business plan should be able to survive when things go wrong. Because things will go wrong.

So, while developing your business plan, consider the following risk areas:

Market risk is the risk that the market will evolve in an unexpected way. For instance, your offering could be too early for the market. Many companies developed tablet computers in the early 2000s, including Microsoft, Fujitsu, and HP. But the market wasn’t ready then. Now it is hard to imagine life without a tablet computer. Sometimes markets take too long to develop, and cash runs out while a company is waiting for customers.

Product risk is the risk that the product can’t be developed as envisioned with the right economics, scale, or performance. Biotech firms often have a high degree of product risk. There is no certainty that they can produce the drug that is expected.

Financial risk is the risk that a company will run out cash before achieving a state where more funds can be raised. Customers don’t always materialize at the expected rates, and may not always renew their contracts. Often, costs are much higher than expected to achieve the set milestones. The cost of capital is also very high. Boards and directors want to know these risks have been analyzed, and that reasonable plans have been identified to mitigate them.

Talent risk is another major risk area. A startup’s performance is directly linked to the capabilities, expertise, and experience of its employees. Therefore, the startup needs to figure out how to find employees with the required skills and capabilities. They also need to factor in the cost of attracting and retaining these employees. Then at some point, most startups dream of going public. But do they have the time, effort, and money to do so? Filing an IPO is an expensive process. And there are multiple legal, reporting, and regulatory compliance risks involved. After all that, what if the company doesn’t take off? Also, what if ownership gets diluted? Many startups forget that when people are investing in a company, they have the right to vote on certain decisions. As a result, business goals and operation methods may change. Is the startup prepared for these risks?

Another risk area is that of acquisitions, divestitures, and mergers. The opportunities involved are plentiful. But acquiring or merging a company means absorbing their liabilities, risks, legal claims, compliance obligations, and everything else. It also means reconciling major cultural differences between two different workforces. Have these issues been considered? When I was part of the board for a company, it was not uncommon for us to spend as much time discussing the business risks as the opportunities of acquisitions. And that’s an approach that I continue to practice and recommend.

Cybersecurity Risks

Many startups think that they’re too insignificant to matter to cyber attackers. But, in fact, they are prime targets because unlike larger companies, startups don’t usually have the time or funds to implement sophisticated cybersecurity measures. Recently, the New York Times reported how several small Web startups—including Vimeo, Basecamp, Shutterstock, and MailChimp—were hit up by a wave of denial-of-service (DDoS) attacks.

Meanwhile, the latest internet security threat report from Symantec revealed that targeted spear-phishing attacks aimed at small businesses (1-250 employees) increased throughout 2013. One in five small businesses was targeted with at least one spear-phishing email.

Are startups doing enough to manage these risks? What about the risks in the data supply chain? It isn’t unusual for a startup to store its data with a cloud service provider. But have these providers been thoroughly vetted? Do they have multiple layers of security to protect data?

What about internal data leaks which can be both malicious and accidental? Has the startup established strong policies, procedures, and controls to protect itself? The strength of cybersecurity measures is directly proportionate to the health and well-being of a business.

Supply Chain Risks

When companies start out, they usually focus all their time and energy on their core operations. So, it makes sense to outsource non-core functions such as recruitment, PR/marketing, and sometimes, product testing and IT infrastructure management.

Yet, as with anything else, outsourcing has its risks. A supplier may fail to deliver up to standards. A crisis may disrupt the supplier’s operations. Worse still, a supplier may steal its customer’s intellectual property.

The board will want to know if a startup has researched its suppliers thoroughly. Has it validated supplier qualifications with industry authorities? Has it checked what kind of insurance the supplier has—be it professional liability insurance, public liability insurance, or general liability insurance?

Insurance certificates also need to be inspected to ensure that they provide a sufficient level of coverage, so that if the supplier faces a failure, the loss effects don’t ripple out to customers.

Reputation Risks

The horsemeat scandal, the Gulf of Mexico oil spill, a musician’s viral YouTube rant against United Airlines customer service, a massive data breach at Adobe… these incidents might seem completely unrelated. But all of them caused significant reputational damage to the companies involved.

A startup’s reputation is one of its most valuable assets. It determines how the business will be treated by investors, shareholders, customers, and partners. A good reputation takes years to build, but just a moment to crumble—especially in today’s hyper-connected and socially networked world, where the news of a failure at a company can spread like wildfire.

Reputational risk comes in many forms—regulatory non-compliance, supplier issues, bad customer experiences, cyber attacks, and more. A startup might not be able to control all these risks, but it can definitely identify its biggest vulnerabilities, and prioritize its reputational risks accordingly. It then becomes easier to mitigate these risks.

Taking the Risk Conversation Forward

Most risks are identifiable and manageable. But the key to effective risk management is collaboration—the board and management team need to have regular, creative, and practical discussions about the risks facing the business in order to ensure that the right focus and resources are being applied. Organizations that do this display a high level of risk maturity—which is always a good sign to investors.

Shellye Archambeau is CEO of MetricStream, a Palo Alto, CA-based company offering governance, risk, compliance, and quality management solutions to enterprises in the pharmaceutical, medical device, high tech manufacturing, energy, financial services, healthcare, manufacturing, food and beverage, and automotive industries. Follow @metricstream

Trending on Xconomy