Risk management encompasses the identification, analysis, and response to risk factors.
For medical device startups, risk management is part of the regulatory process itself, but for all startups risk management encompasses many areas. There are risks associated with property and personnel, intellectual property, process interruption, product failure, lack of projected sales, and more. No company is without risk, and that goes for both startups and established firms. Here are descriptions of some common areas where biotech and medtech startups may experience risk.
Information security: Information security is far-reaching for many companies. Intellectual property, experimental results, written processes, and personally identifiable information about employees are some common types of information for a medtech or biotech company to store. The risk that these could be stolen, misused, or lost is important to consider.
Property: Many biotech and medtech companies have tangible property that represents much of their company’s value. If such property were to be lost, destroyed, or stolen, that could spell the end of a startup. Therefore, for companies that have this kind of risk, its mitigation is of utmost importance.
Supply chain: One might think that supply chain risks only affect companies that are already manufacturing their products, but most scientists know that the slightest change to a reagent can be disastrous. Therefore, the suppliers that produce or procure essential components should be monitored by the startups that purchase from them. Shipping delays, changes in formulation, natural disasters, and business failure can all lead to a startup’s inability to get the items that it needs.
Personnel: Employee safety is a major concern for all companies, as unsafe conditions can lead to fines and injuries can yield lawsuits. Additionally, many startups do not have human resources professionals on staff and may therefore not understand all of the applicable labor laws. Again, this can result in lawsuits (which are more likely if an employee leaves a company on bad terms). Finally, people are expensive and judging the quality of work someone will produce from just an interview and a resume can be difficult. It is expensive to replace employees when one doesn’t work out, so people are an inherent financial risk to a company.
Regulatory: Even if everything else at a startup were to go perfectly, the FDA can still decide that a product is too risky to approve. Therefore, the risk in not considering the regulatory landscape of a potential product is high.
Quality: The lack of quality assurance and control represent a significant risk for startups. Quality assurance and control is itself a risk management strategy for making sure that experiments and products conform to certain specifications. Otherwise, data can't necessarily be trusted. Frequently, biotech and medtech startups don't consider quality until they are getting ready to talk to the FDA. To learn more about quality assurance and control, see this blog post.
Almost always, an entrepreneur will have done some serious risk consideration before ever starting a biotech or medtech company. Starting a company is a leap of faith, but the more understanding of the risk, the better. The risk that any startup will fail is statistically high, and it is even greater in the life sciences with the additional question of whether the technology will work at all. Therefore, the answer to the question of when a startup should consider risk management is: before starting! Here are some areas that entrepreneurs can consider to ascertain the risk of their venture before beginning.
Does the proposed product solve a problem that enough people are willing to pay to fix? If not, there is a high risk that there are not enough customers for the product to make back the money it will cost to develop.
Are there other solutions to this problem already in existence or that are currently being developed? If so, there is a risk that the startup might not beat the competition, but this could be mitigated by keeping track of the other solutions, how close they are to being sold to customers, how much they cost, and how effective they are.
Does the founder/Do the founders have the expertise required to develop the technology and run a company? If not, it would be very risky for these founders to attempt to run the startup without significant input from people who do have the requisite expertise. This risk could be significantly limited by hiring experts in the appropriate areas and finding mentors.
Once the decision has been made to found a startup, risk management should not be forgotten. Startups are often valued by large biotech and medtech companies because they do the riskiest work in the drug/biologic/device development processes, so by the time a big company wants to buy them a big chunk of risk has been eliminated. In order to get to that point, however, a startup must be constantly aware of avoidable risks. It is one thing to fail due to a technology not functioning the way it was predicted; it is another to fail because of a lack of risk management.
The best way to manage risk is by preventing and limiting it where possible. In order to do this, companies can utilize the following basic method.
The process of identifying risks involves working through a multitude of hypothetical scenarios. What if the lead scientist quits? What if a supplier discontinues a product that is essential to a startup’s progress? What if there’s a natural disaster? It can be difficult for startup founders who don’t have previous experience with risk management or biotech to think of all the “what ifs.” Therefore, this can be a good time for first-time entrepreneurs to talk to advisors, other startup founders, or even consultants.
Once a list of risks to the company are identified, they should be analyzed to determine what the possible damages would be if these things actually happened. For example, if there were a natural disaster would that result in the company losing all of their samples? Would it also result in the laboratory being unusable for a long stretch of time? Would the company be able to continue paying its employees during a prolonged shutdown? If not, would the loss of any of the employees result in more problems for the company? These potential consequences should be understood.
The next step is to take the risks and their consequences and decide how likely each is to actually happen, and how severe the damage to the company would be. Some companies choose to use a grid like this, where likelihood and severity are each an axis and form four quadrants: Low-likelihood and low-severity; high-likelihood and low-severity; low-likelihood and high-severity; and high-likelihood and high-severity. The quadrant to focus first on is high-likelihood and high-severity. The risks that fall into this category have higher probability of happening and if they do, the consequences are bad. On the opposite end, low-likelihood and low-severity risks can be ignored. The cost of mitigating them is likely to outweigh the damage they might produce. And high-likelihood, low-severity risks can be referred to as “nuisance risks.” These are often solvable through policy and behavior change. Risks that are low-likelihood but high-severity are frequently insurable (but mitigation strategies should still be discussed).
Starting with the most severe and likely risks, a company should determine what actions they can take to reduce the chances that those problems will occur and reduce the cost to the company if they do happen. For example, a high-likelihood and high-severity risk might be a freezer failure. For a company that has a proprietary compound that must be stored cold and is located in an area where power outages are common during parts of the year, freezer failure would count as high-likelihood and high-severity. To mitigate this risk, steps to take might include storing some aliquots of the compound in a different location, installing temperature monitoring probes in the freezers, and having a written plan for what to do in case the freezer is not holding the correct temperature for whatever reason.
Insurance is the most common risk management tool used by companies. However, insurance doesn’t stop a bad thing from happening, it just mitigates the resulting financial damages to the company. Therefore, insurance is important for startups but it should not be the only method of risk management.
Commercial liability insurance is required by landlords and by most membership-based incubators. This insures the premises and operations of the business. For example, if there were a cord across a walkway and a visitor tripped on it and hurt themselves, this is the type of insurance that would most likely cover it.
Workers compensation is required for any business that has employees. Business owners do not themselves have to be covered by workers compensation, but anyone they hire does. Workers compensation pays out if an employee is injured on the job.
Other types of insurance that a startup may want to consider include: insuring of specific property such as chemical compounds, directors and officers insurance, and fidelity (crime) insurance. The pros and cons of each depend on the quality of risk prevention measures, the likelihood of a particular damage occurring, and the relative cost of the insurance.
Creating company policies that lessen the possibility that something will go wrong is the cheapest way to mitigate risk. However, policies can be time consuming and tedious to write so many startups skip this step. Luckily, the most basic level of risk mitigation is following established laws and regulations, all of which are published and publicly available. The Occupational Safety and Health Administration (OSHA) provides its standards online and there are numerous resources dedicated to helping companies keep the workplace safe for their employees. OSHA is a great place to start because its whole purpose is to limit on-the-job safety hazards for employees—in other words, OSHA is an occupational risk mitigator. Other policies a company might want to write can include “common sense” measures, such as making it a rule that the last person to leave the lab at night checks that all hot plates and heating blocks are turned off.
Some companies may not have the expertise or bandwidth to develop their own risk mitigation strategies, so hiring a consultant can be a good alternative. This will cost more money, but there are benefits to having not only a third-party but an expert come in and tell a startup where their biggest risks lie and how to fix them. Consultants may specialize in different areas, such as environmental health and safety, regulatory strategy, or human resources. There are also consultants who consider risk management as a whole and can assist a company in their strategy, helping to identify, analyze, prioritize, and mitigate risks.
Especially in an industry where so few startups succeed, risk management is an important topic. However, it is often not discussed until after something bad has happened. At that point, people (and investors) will ask if it could have been prevented. If the answer is yes and the damages are severe enough, a startup CEO may find that they are being asked to step down. Considering risk management from the start is a strategy for business success.