You’re small, comparatively. You’re new. Certainly, the vulnerabilities you have to manage are minnows compared to the big fish at mega-corporations, right? How much do you really need to worry about risk assessment and management? You don’t have any targets on your back yet, right?
You have more than you might think. I must admit: When I first started out, I thought of risk management as a concern for only large companies like IBM or Walmart. Now I realize that risk planning and management is something you do from even inception and creating your business plan. Risk management needs to start before you’ve even hired your first employee.
Truth is, we do risk management every day — we just don’t realize it. All founders have done some form of risk management, even in the planning phase of their startups. When you’re leaving the house for the office and grab an umbrella because you see clouds even though it’s not raining, that’s risk management. When you create a budget pro forma that has a percentage of chargebacks (disputes) factored into profitability, or when you hire an insurance company to transfer risk for events you produce by underwriting liability for them, that is risk management, too.
Lessons from an industry leader
A formal risk management process is simply making sure this is done properly across all business concerns — regularly, appropriately, in advance and efficiently — and not as an afterthought.
Look no further than Microsoft, which might not be the first company that comes to mind when thinking of proactive risk management. The company has actually done it quite well, on more than one occasion. Skipping past its development of the Xbox platform, we can look at its acquisition of Minecraft as a great example of proactive risk management, which really had very little to do with the Xbox platform and gaming ecosystem.
During Microsoft’s risk-management evaluation process, the company recognized that losing users to nontraditional computer devices was an existential risk. This is what fueled their foray into other screen types and devices, not just the Xbox. They tried to execute in the mobile phone space but failed. Still, Microsoft did not give up.
The decision to acquire Minecraft was twofold: It offered a diversification into devices and operating systems not currently in its fold, and it also gave them a new generation of eyeballs — in the form of coveted young customers — who could turn into Microsoft loyalists for many years to come. If Microsoft simply sat on its laurels, its market share would slowly erode until Apple, Google, Samsung, Huawei and the rest controlled the operating system market.
Covering all the necessary bases
So what are the best strategies for staying protected from the full gamut of risks from a company’s outset? Here are the three priorities entrepreneurs should keep in mind:
1. Analyze all risks, not just clear and present dangers
Risk management is where those who think outside the box really shine. The goal is to see what can go wrong well before it goes wrong. If that were so easy, everyone would avoid mistakes. The corporate world is not leading the way in this regard, as a McKinsey & Co. survey of 1,100 global companies showed that their boards spent only 9 percent of their time on risk mitigation; only 6 percent of respondents felt their companies were effective at managing risk.
It’s a tricky proposition. Risk management requires creative and critical thinking skills. Think of risks those in your industry might not have encountered yet. Look at the disasters that startups in other verticals have experienced. If you can’t rule it out from happening to you, analyze it and rank it.
2. Consider the true cost of risks, including loss of business or sales
Sort vulnerabilities by potential cost, including loss of business, not just direct cost. You can’t mitigate all risks, so you will have to prioritize. How much would it cost you if your business shut down for an entire week, like Texas businesses recently experienced during winter power outages? If your risk management plan accounted only for the higher power bills associated with an outage, you’d be left quite short in assessing the true cost, as you’d also be facing a week or more of lost revenue.
Handy guides are available for how to create a risk management plan chart. Make sure to also sort risks by probability, not just possibility. It’s unwise to waste resources (time and money) mitigating a risk that has both a low probability of happening and a low cost of impact should it happen. But if a risk has a low possibility but a very high potential cost (think existential), you should have a plan for it.
3. Understand that you can’t completely neutralize vulnerabilities
Transferring a risk to an underwriter still involves some cost; it is only marginally mitigated. Let’s say you operate a startup that allows owners to lease out their cars, so you hire a third-party insurance company to insure against theft of the vehicles. However, you find that theft is increasing as time goes on, from 1 percent to 2 percent and so on. The insurance company will eventually drop you or increase your premiums. In this scenario, there is not a full transfer of risk — it is partial, at best — and there is always a cost involved. Never remove any risk from your chart just because you can “transfer” part of it to an underwriter.
The startup world is rife with risk. But playing it safe isn’t what entrepreneurs typically do. If you’re willing to play the high-stakes game of building a brand from scratch, you need to know the risks involved. Those who proactively manage and mitigate those risks will survive the longest.