You’re sitting at a blackjack table. You have a 17 in your hand and your dealer has 18, what do you do? The fact is, if you do nothing, you’ve lost. If you take another card, you have a chance of losing or a chance of winning. The actual probability will be determined by the other cards on the table and what’s next in the shoe.
This is risk. You’re in a tough spot and really have to take that next card. In a few seconds, the truth will be facing you, but that moment of decision is yours. Is your stomach tightening at the thought of what may come? Are you getting clammy hands at the prospect of winning the hand? Are you wrought with anxiety over the position you find yourself in?
Let’s modify this scenario a bit. You have $10 on the line. How does this change your reaction? What if it’s $50? $100? $10,000?
In all cases, nothing has changed except for the amount at stake. You are at the mercy of the order of the deck. The odds haven’t adjusted because you have more money at stake. The only thing different is your reaction based on your perception of loss. Can you maintain good decision making despite the stakes?
This is something we always tend to gloss over while discussing startups and actually business in general. If you go to business school, there are no courses in the curriculum called “risk” at either the undergrad or graduate level. Sure, statistics is covered, which allows you to quantify probability, but handling risk is more than just knowing the numbers.
Risk comes in many forms.
In a startup, we are all acquainted with risk as a concept just in moving our project forward. There’s risk in taking the plunge and filling our starting paperwork. There’s a risk in putting together operating agreements. There’s a risk in soliciting funding. There’s a risk in closing a funding round. There’s a risk in developing a product. There’s a risk in taking it to market. There’s a risk in scaling up. And so on it goes.
These are all risks any entrepreneur is well versed in considering. It’s the risks that keeps most of us up at night. These are obvious, existential probabilities that mean the difference between the success we dream about and having to find something else to do. But, these are risks that we can control and have input around. Through our direct actions, we can usually mitigate most of them to a point where the threat is minimized into an acceptable form. Through education and either experience or surrounding ourselves with experienced advisors, we can navigate the uncertain waters.
However, there are risks that lurk beyond our attention most of the time. As we delve deeper into our operation, these risks begin to grow and linger like mold in the basement of a home. We don’t realize they are there until we are forced to face it head on by which time we have a sudden understanding that the time for mitigation is long past. We simply have to deal with the issue and hope we can make it through.
Let’s look at a few of these. As I write this, it’s getting on into October and the time for scary stories and Halloween is fast approaching, so it seems apropos to give some new things to keep us awake in the dead of night.
One of the big things I see from so many startups is a lack of in-depth understanding of the risks posed by cyber-security incidents. To be fair, I’ve never talked with a startup founder who hasn’t given me an earful on how well-prepared and committed to security they are. To listen, one would assume they are the NSA protecting national security secrets. In reality, I’ve never seen a startup practicing what they preach. I’ve seen security tasked to an overwhelmed tech team focusing on getting product out the door. I’ve seen sensitive data thrown into mongo databases with nothing beyond host-based authentication. I’ve seen quizzical looks from CTOs when the initials VPC were mentioned in relation to their cloud instance. And so on with even more egregious examples of what can only be described in this day and age as negligence.
I spent years working in incident response and assisting many major companies with breach remediation so this is something near and dear to my heart. Taking this risk and ignoring it because of ignorance or hubris is dangerous and expensive. As a founder, are you ready to spend hundreds of thousands of dollars on a preventable cleanup? In the US, according to recent studies, a data breach can cost upwards of $214 per record with an average aggregate compromise of around 30,000 records. Do the math and figure out if your last round would cover that cost.
That is an existential threat. In absolute dollars, it will put most startups under. In reputational damage, it will end most startups. In fact, national stats state that around 60% of small businesses fold within six months of a systems breach. Are you taking the risk serious enough?
In a different, yet somewhat related direction, I was working with one startup who had an employee leave the company. She decided that the startup wasn’t that novel or unique and the business model could be easily replicated. Understandably, the executive team called in the litigation partners at their law firm. The CEO might have had an involuntary bowel movement when the estimate for just a temporary restraining order was quoted in the quarter million dollar range.
Having experience in these things, I mentioned it would be expensive, but it’s much more impactful hearing it from the litigation partner versus the consultant. In the end, the CEO blinked and decided to roll the dice that the ex-employee would lose interest or fail to execute.
This was a case of not understanding the full scope of information security and let’s not confuse the issue by thinking it was something else. This was theft of intellectual property, which is an information security matter. It was an unmitigated risk by not having the proper policies in place to negate information leakage, not having proper background checks in place to screen for these types of problems, and not having good exit procedures in place to bind exiting employees to their NDAs and commitments. It was still a lesson that cost tens of thousands of dollars to learn — a lesson that was not budgeted or accounted for.
Finally, I’ll bring up the general risk of litigation.
A friend’s company is going through a litigation brought about by a former employee. The claim is baseless on its face and will be dismissed if it goes to trial, but it’s still a major expense.
As we discussed it, his feeling is to fight tooth and nail to prove the point since it’s frivolous and he would like to deter future situations like it. Between him and I, I advised him to work with his attorneys to seek a settlement. Why would I give that advice?
As pointed out above, litigation is expensive. Very expensive. His case is still in an early phase, which means the costs have been controlled and can be limited. Coming up though is not only the motions, response to motions, and initial hearings, but also discovery. Again, having worked with litigation counsel on numerous civil and criminal cases, I know that discovery in even simple cases can easily top $100,000 once attorneys, experts, analysts, examiners, and operational costs are factored in. That doesn’t include actual litigator time in court along with fees for documents, phone calls, paralegals, and other lines on the legal bill. And, if they do pull a bad decision, that doesn’t include fees, penalties, and damages to be paid. Make the case go away for $25k or $30k versus easily a half million or more in potential risk and the advice is easy. It doesn’t satisfy the need to be proven right, but it doesn’t eat company revenue and put the bottom line in serious jeopardy. It’s a decision made from a pure cost-benefit analysis.
Does your pro-forma model have a line item for litigation expenses that reflect reality? I’ve seen some from budding startups that win points for having a litigation line item but lose points because they optimistically put it at $10k or only slightly more.
This is not a doom and gloom article at all. In fact, although the three examples provided are huge expenses they are common risks. As such, they can be quantified, managed, and mitigated usually through nothing more than good policies and procedures. They key is planning for them, which first relies on knowing they are there. This is why it’s important to have good people around you who understand the risks associated with doing business today and can push to put things in place early. It is infinitely better to spend some early money on things that might not seem relevant (even if they are) than to try to spend a lot of later money on corrective measures. Prevention is never frivolous as long as you keep it in balance with the needs of the operation and goals of the business.