How to do a business risk assessment

Michael Buckworth offers a masterclass in how to assess the dangers to your business
Michael Buckworth

It’s raining as you stumble out of a bar at 1:00am. Pulling your coat over your head, you make your way to the train station but when you arrive you realise it’s been closed for an hour. You need to find another way home, and you have a choice. You could call a taxi or you could flag down the nearest car and see if they’ll give you a ride.

Let’s weigh up the two options. The taxi is regulated (the driver has to be insured and vetted, and the car up to date with its MOT) so the risk of anything going wrong is small. Not so much with the passing car. You have no idea who the driver is and why they’re giving you a lift, there’s no record of you getting into their vehicle, and they may not even be insured. Even in your befuddled state you instinctively know that this option presents a greater risk.

We assess and manage risks all the time in our daily lives, and it’s no different with our businesses. Taking risks is an inherent part of running a start-up, and if we’re honest it’s part of what makes it fun. You didn’t become an entrepreneur because it was the safe option, did you? However, there’s a difference between taking a calculated risk that’s designed to bring you a benefit if it works out, and straying into dangerous territory unawares. Successful entrepreneurs make sure that they know what they’re letting themselves in for in any scenario, and take steps to reduce their exposure to risk. Then they can spend their time and energy on the good stuff instead of dealing with problems that needn’t have arisen in the first place.

Avoiding and managing risk is complicated by the fact that different risks apply to different types of business. If you’re operating a restaurant, you might worry about giving food poisoning to your customers or people slipping on the floor and hurting themselves. If you’re running a software business, you’re more likely to worry about data breaches or a coding malfunction. It’s a completely different picture in each case, but either situation could — in the most extreme situation — sink your business. It’s that big a deal.

Let's go through the kinds of risks your business could face and how you can minimise and manage them. We’ll cover:

  • legal risks
  • reputational risks
  • regulatory risks
  • financial risks
  • compliance risks
  • trading risks

You’ll also learn how you can make strategic use of insurance to help you sleep soundly at night.

Legal risks

About three years ago, during the initial boom in legalised cannabis derivative products, a couple of co-founders approached my firm for help. They’d put together a detailed and realistic business plan for a venture to sell these products, and they had a crystal clear vision of what they were trying to achieve. It all looked good, but there was a teeny, tiny wrinkle in their proposal: they planned to plant vast fields of cannabis in rural Kent. This is the kind of activity that lands you in prison.

So the first question to ask yourself is: is my business idea legal? Being an optimist, I reckon that most people can figure this out for themselves, but as you’ve seen they don’t always get it right. It’s something to check out before you go any further.

Reputational risks

Some businesses are legal but still involve activities that aren’t always socially acceptable. Escort services and certain types of pornography are good examples of this. There’s nothing to stop you setting up this kind of business and promoting it, but you’ll find that many web and mobile app platforms, and payment gateways, won’t want to expose themselves to what they see as the reputational risks associated with your company. This can give you problems when you try to sell your products or services.

There are also certain types of business that are perceived (often unfairly) to be more attractive to criminals and fraudsters than most, such as those in the cryptocurrency space. Even if your only exposure to cryptocurrency is to allow payment in Bitcoin or Ethereum, the anonymised and non-centralised nature of these currencies means that there may be an increased risk of attracting the wrong type of customer. This can not only create problems for you, but may also mean that third party vendors and support services steer clear of you as well.

Regulatory risks

Just as you need to ask yourself whether your business is legal, you should also identify whether it operates in a regulated area. The main regulated sectors are financial services, medical products, services such as biotech and medtech, gambling, and the professions (law, accountancy, architecture). If your business will operate within these, and if you’ll be carrying out regulated activities, you may have to secure the appropriate clearances before you can start trading.

Financial services

Businesses in this sector are often subject to significant regulatory obligations imposed by the Financial Conduct Authority (FCA), including the need to be compliant with anti-money-laundering and terrorist financing laws. However, the good news is that many such businesses, particularly in the financial technology space, don’t actually carry out regulated activities. Even if yours does, gaining authorisation is now much more straightforward than it used to be. What’s more, you don’t need to be directly authorised by the FCA but can ‘rent’ another company’s regulatory clearance by becoming what’s known as an ‘authorised representative’. It’s an expensive way of doing it but it’s relatively quick and simple, allowing you to push out your product to market and start trialling it. If it works you can go for full authorisation later.

The FCA also helps start-ups through its regulatory sandbox, which allows you to test out an innovative proposition with real consumers but within the safe confines of its testing space.

Medical services

If you operate in the medtech space you have two areas of risk to focus on. The first is patient safety, and the second centres on the processing of special category data (in your case, relating to health and illness). This is something we’ll cover in a later chapter, but for now it’s worth knowing that you have a serious obligation to get this right.

If you intend to sell your software to the NHS you’ll need to comply with its guidelines and regulations. The NHS has a similar service to the FCA sandbox, allowing you to test your software with its application programming interfaces (APIs). This means you can check that you’re meeting its standards, as a first step towards becoming a supplier.

Financial risks

This is the big one. How do you intend to make money from your company? Have you thought it through? It sounds like such an obvious question that you may be tempted to stop reading, but please don’t. It’s surprising how deep the risks to your financial success can be if you make the wrong decisions at the wrong times. This is when it pays (literally) to think both long-term and strategically.

Lifestyle versus scalable businesses

In the start-up world there are two main types of business, which fulfil different needs for their owners. Understanding which kind you’re setting up is vital if you’re to make the right financial decisions:

Lifestyle businesses: the aim of these is to provide an ongoing income, probably from the start, for their owners and investors.

Scale-ups: the aim of these is to return value to their shareholders when they’re sold, rather than through ongoing revenue.

Lifestyle businesses need to become profitable quickly so that they can pay their owners, investors, suppliers, creditors, and employees. If this is your type of business, your key financial questions are: how much money do I need to launch my business? And how quickly can I turn a profit? You’ll want to be cautious about how much (if any) investment you seek and how much equity you give away in return — the more equity you give away, the smaller your share of profits.

Scale-ups tend to re-invest any profits in growth. Often (although not always) based online, they provide little or no income to owners and investors until they’re sold — or at least until shareholders can sell some of their shares, probably to a venture capitalist (VC) in a later stage investment round. If your business is a scale-up, your key questions are: how can I pay my costs and expenses as they fall due and remain solvent until sale? How can I attract and retain enough users to give me the traction I need to sell at a high price? And how will I monetise those users? Unlike with a lifestyle business, you’ll probably want to raise large amounts of investment throughout your company’s lifetime. This will enable you to scale your business quickly and accelerate the time frame to exit.

Many tech businesses raise money at huge valuations without yet turning a profit, with Twitter being a classic example. In 2013 it listed for a valuation of over $14 billion even though it was significantly loss-making at the time. This approach to valuation would be unlikely to happen with a lifestyle business, because their valuations tend to be based on revenue or profit multiples. Twitter was able to list at this crazy valuation because it had such huge traction in its market. It’s fair to say that the days of high-growth scale-ups being sold for vast amounts, despite having no proven way of monetising their users, are fading fast. Failure to think through monetisation can sink a scale-up. So often, I’ve seen clients raise a couple of investment rounds at really punchy valuations, only to find that they can’t raise a further one because they haven’t shown a coherent, deliverable route to making money. You need to figure out up front where your sales will come from, even if it may take time to get there.

In all of this, please don’t forget your biggest financial risk of all: not managing your cash flow. Customers have a habit of paying late and it’s easy to be unrealistic with your expenses, which can lead to you being unable to pay your debts as they fall due. Poor cash flow can kill a company in a frighteningly short space of time, no matter how amazing (and successful) the business idea behind it. However, it’s an avoidable risk that you can manage by being on top of your bookkeeping. That way you’ll always be aware of your costs and revenue, and who is and isn’t paying on time.

Compliance risks

As an entrepreneur I don’t imagine that rules are your favourite thing, but when you’re in business there are certain ones that you have to follow. If you don’t know about them, or don’t have procedures for keeping to them, you expose yourself to the risk of being fined and — even worse — of having your brand name dragged through the mud.

Data protection and GDPR

This is a topic we’ll cover later on, but just to flag up for now that it’s a major compliance area that you’ll need to plan for from the start. Lots of founders are scared of data protection compliance because some specialists try to make it seem as confusing as possible. However, the truth is that it’s primarily about understanding the personal data you collect and putting in place processes to deal with it.

Payment Card Industry (PCI)

If you collect people’s payment card data when selling to them you have to comply with onerous PCI standards. The easy way out of this is to use an established payment gateway that handles the problem for you. It will cost you more than taking payments yourself, but will seriously reduce your risk. These days it’s rare for businesses to take and store card data themselves, as platforms such as Stripe are so accessible and widely adopted.


Chargebacks

This is especially relevant to you if you have a retail business. Chargebacks happen when a customer checks their credit card statement and sees a transaction that they don’t recognise. They call their bank, who claws back the money from your business and refunds the customer. The banks do investigate these claims but they aren’t always that thorough, despite the fact that some are the result of customer forgetfulness or fraud by a third party.

The risk for you is that you not only lose the money, but you also have to pay bank fees on top. Research shows that every £1 of chargeback costs the retailer £2.50. With chargeback rates in the UK being up to one percent of sales, this is a significant liability for your business which you’ll need to include in your forecasting. There are ways to reduce chargebacks, such as ensuring that your trading name appears on your customers’ statements, and notifying customers in advance of any payments that may come as a surprise.

Trading risks

You have to be an optimistic person to launch a business, and the assumption that nothing will go wrong is part of that mentality. Yet, as in all areas of life, bad things happen. We mess up an order. A customer is upset. We inadvertently cause a data breach. It’s life.

However, the consequences of mistakes are far less dire if you have the right customer agreement in place. This vital document reduces your risks because it limits your liability and therefore protects your business. You can think of it as being like a bullet-proof vest. Hopefully you won’t need it and sometimes it will seem a little cumbersome, but if the day comes that you’re in the line of fire you’ll thank your lucky stars that you took the trouble to put it on. We’ll cover your customer contract in more detail in Chapter 5, but seeing as we’re talking about risk at the moment it’s worth understanding the most important reason for having this document: it limits your liability.

The word ‘liability’ means the state of being legally responsible for something, and you can exclude liability for most risks in your customer contract. Take, for example, a lead generation platform which has customers who use it to earn thousands of pounds a week in sales. A hurricane on the east coast of the US takes out its servers, crashing the site and temporarily removing a lucrative source of leads (this actually happened to one of our clients back in 2010). Without a standard clause that appears in most contracts, stating that the business isn’t liable for lost profits, it could be liable for its customers’ losses. This shows how including the right clauses in a well drafted customer contract protects your business.

The point of solicitors

The joke is: how many solicitors does it take to change a light bulb? As many as you can afford.

Wisecracking aside, the point of solicitors is to help you to identify and reduce the risks in your business. When you buy a house it’s likely to be your most significant investment, so you don’t think twice about appointing a solicitor to make sure that it’s not about to be knocked down to build a motorway, for example. Why, then, wouldn’t you use a solicitor to help you protect the business that you’re going to spend most of your time on and that will, hopefully, end up being your most valuable asset?

A common misconception is that the job of solicitors is to draw up documents. Of course, documents are what often comes out at the end of the process, but they’re not the main purpose. They’re the end result of a detailed analysis of your business risks, and they protect you from being sued. Your documentation is an investment in your company’s security.

You may have found template legal documents online for a fraction of the price of what you’d pay a solicitor. They seem okay, so why not use them? Because they’re generic and not specific to your business. They’re sold by companies that may look like law firms, but are actually neatly marketed sales platforms. The people who run them aren’t insured or regulated as solicitors, nor do they provide detailed, tailored advice. Your specific business risks depend on the sector your company operates in, what kinds of customers you want to attract, the level (and timing) of any investment you need, and your aims as an entrepreneur. These are crucial variables, and there are many more. No generic set of terms and conditions can hope to cater for them all in a way that will protect your business from going under if the worst happens. That’s the difference between paying £20 for a template document and, say, £4,000 for one drawn up by someone who’s experienced, regulated, and insured. It’s also the difference between your business being built on sand, and being built on rock.

As a final note, anyone can call themselves a ‘lawyer’ and provide legal documentation such as terms and conditions. Solicitors, however, are bona fide legal professionals. It’s a good idea to check the Law Society website to make sure that you’re dealing with a qualified solicitor.

In the next chapter we’ll explore the benefits of protecting your company’s intellectual property, and how to go about it.

The wrap-up

  • Ignoring risks, or not being aware of them, can potentially sink your business.
  • Legal, reputational, regulatory, financial, and compliance risks can all be managed — as can pretty much any other type of risk.
  • A qualified solicitor is the best person to help you with this process.

This is an extract from Built on Rock: The busy entrepreneur’s legal guide to start-up success. The book is written by Michael Buckworth, a qualified solicitor and founder of Buckworths, a UK law firm working exclusively with start-ups and high growth businesses. Built on Rock makes the complicated aspects of start-up law simple. In everyday language, it walks you through the key legal and commercial considerations

Built on Rock is available at all good bookstores and online at Amazon

Written by
Michael Buckworth
January 6, 2022