A friend and I were discussing Chicago’s appointment of a Chief Resilience Officer, a role that focuses on the city’s ability to recover rapidly from economic, environmental or health shocks. This and Fred Wilson’s Worry post got me thinking about how shocks differ from other risks and how startups and investors digest and plan for all types of risks.
A shock is one type of risk – characterized by low probability but also high magnitude and high energy. The meaning of probability and magnitude are straight forward, but how about energy? Energy is the speed with which something of high magnitude happens. For example, a cyber security breach for a startup (or any company) is a very high magnitude event that also happens extremely quickly. Trust crumbles, and customers seek a new solution immediately. Here is how I see startup risks and where shocks fit in:
“Normal” stage-appropriate startup risks:
Entrepreneurs and investors spend most of their time thinking about the upper left-hand quadrant, lower energy and magnitude risks that are high probability. These tend to be stage appropriate and include everything that “can” and will go wrong in a startup like:
- Early startup challenges: finding PMF, key hire failures, economic scaling of sales
- Competitive issues: new entrants, pricing wars
- Product failures, big bugs and other operational glitches
- Normal economic cycles that dampen demand or capital access (down cycle) or make talent scarce (up cycle)
Each of these risks is likely to impact a startup along its journey, and collectively they kill most startups. However, none alone or once is likely to be the death knell of startup. While some early startup risks (eg, finding PMF) ultimately beat startups, these are risks that a startup has years and many tries to overcome.
Inherently weak models:
The upper right-hand corner covers high energy/magnitude, high probability risks that create inherently weak startup models. Business models that rely on ethical misappropriations are an obvious in this category. If you are beating the competition or making money by cheating, you can’t expect that to be sustainable. This Fortune article highlights the natural tension of startups’ trying to make something from nothing while avoiding clear ethical violations like those at Theranos, Zenefits and even funds like Rothenberg. While I acknowledge there is a grey area, the truth is most of us know an unethical business model or practice when we see it. Further, the probability of getting caught increases the more successful one of these models becomes – an inherent disequilibrium that is the universe’s check and balance system. I’ve shared more thoughts on startup ethics here.
Extremely high burn without commensurate levels of revenue and revenue growth is the other mode of inherently weak model that we see. How much burn is too much? The rule of 40 captures the tradeoff nicely for late stage startups. For companies between $3M and 10M in revenue, we get nervous when burn rate is >$500K a month unless the company is clearly growing 150-200% (eg 2.5 to 3x) a year or more. For companies less than $3M in revenue, we get nervous when burn rate is above $300K per month unless the company is clearly 3x ing. When these conditions aren’t met, companies set themselves up for massive cuts and talent losses that are hard to recover from.
Shocks are different from both categories above because they represent the type of high-magnitude but long-tail outcomes that people are bad at predicting. There was much talk about shocks as a risk factor – and increased planning for them – after September 11th and the 2008 financial crisis. Shocks come big and out of the blue, leaving little time to react. Startups should think about, plan for and (when possible) avoid these types of exposures. There are a number of shocks startups can face, but here are a few of the most common:
Single point of human failure: Startups struggle when a “cult of the CEO” culture or a single founder becomes too powerful. This is true in the early stages, and of course the world knows about Uber’s recent woes with Kalinik at the late stage. In short, good governance and a strong team of leaders is important to uninhibiting a company from those who create and run it. Human failure shocks also include risks associated with married or dating founders (whose breakup can be a startup’s undoing) or to the risk of a solo founder becoming debilitated. There are always exceptions, but as much as possible, avoid, avoid, avoid.
Platform dependency: A much decried startup risk in a world where Facebook, Google, LinkedIn, Twitter, et al are increasingly dominant, platform dependency is truly shocking in speed and magnitude when it goes awry. We have seen three or four of our companies navigate this type of shock, with only a 50% success rate. Most people think of platform dependency as a product built or dependent on API access to another major industry player that brings additional value to that player’s platform (or extracts value from it…). But platform dependency can also include single buyer/distributor situations. In particular, the few startups we’ve seen that have found effective reseller channels are often overly reliant on one or two, a major business risk.
What to do about platform risk? With so many innovation opportunities that necessitate platform dependency, it is too hard to avoid altogether either as an entrepreneur or investor (though we try!). To mitigate the risks, we look at alignment in the dependency. The many companies that used to extract value from the LinkedIn API were not well aligned with LinkedIn, and some were outright competitive. It is no surprise access was shut down for most. These startups didn’t send checks to LinkedIn and were effectively leaching LI’s data. One could argue that many of these companies actually had a high magnitude, high probability risk – an equilibrium that was too good to be true, like pirating cable service from the utility pole! On the other hand, companies built on or connected to Salesforce often expand Salesforce’s product in directions Salesforce doesn’t go, helping to keep ecosystem customers happy while sharing some of the revenue with Salesforce. This is not without risk if Salesforce decides to make a product that competes, but it is at least more stable.
Cyber security: Every company, big and small, is at risk of cyber security breaches and threats. As we know from Target and Equifax, breaches can destroy customer goodwill and shareholder value practically overnight. Because any vendor is a weak link to large customers, startups need to be as good (or better) at security than big companies. If things go wrong, there isn’t a strong brand or scapegoat game to fall back on as at large companies.
This is true both for insider and outsider attacks. The normal democratization of information at startups doesn’t work when customers’ personal or financial data is at risk, as Twitter recently learned with a rogue employee shutdown the POTUS account. With respect to outside threats, startups typically put cyber security under the CTO. Good place to start, but startups that are a particular target (those with consumer or customer financial or health data) should institutionalize their cyber security departments well below $10M in revenue, with a Director or VP level information security hire to own the risk. This is just one action among several startups should take to attenuate cyber risk.
Macro risks: The financial crisis was a big shock to startups too! Which is to say that big macro risks like terrorism, storms and unusual financial cycles can significantly upset a startup’s trajectory. How do you plan for these? Terrorism and weather shocks are geographic. If you are in a high-risk geography, you should have a plan for both day-of response (with respect to employee safety and production/data continuity) and resilience (how you will recover operations and work with affected customers, even with reduced staff and facilities).
Financial crises require a mind-set shift for startups. “Growth at all costs” must become “protect the base”. Customers – whether consumer or B2B – will have much less appetite to buy, driving CAC up. Meanwhile access to capital from VCs will be reduced. That combination makes a focus on growth ill-conceived. Instead, focus on keeping your existing customers happy so you can live to fight another day on the other side.
No need to talk about the lower magnitude, lower probability risks. You can’t worry about everything!