Lower your startup risk with this template

You know the numbers: 90% of startups fail. And that’s within their first three years. Startups fail often and they fail fast.

But we know why they fail. And often it’s because we’ve overlooked the same basic set of risks. Pause for a moment and ask yourself: have I taken the time to really identify and reduce every risk I face?

TL;DR: Copy and use this Google Docs spreadsheet to systematically de-risk your startup.

Last week, when I saw Leo Polovets‘ article on how to de-risk a startup, I was immediately captivated. Take some time to read the post to discover the most common areas of startup risk, broken down and ranked from 1 (high risk) to 5 (low risk).

The risk areas included here are: product/market fit, product quality, team, recruiting, sales, market, funding, and short- and long-term competition; you may face additional risks. Lowering them should drastically increase your chances of success.

After watching other founders – including myself – flail about, pivoting their way through the darkness, I’ve become obsessed with being more systematic and disciplined about entrepreneurship. So I decided to take Leo’s lead and standardize risk management for Code Corps into a single spreadsheet.


You can copy, download, remix, and re-share this spreadsheet by grabbing it on Google Docs. All credit for the words and inspiration goes to Leo.

For my fellow self-funded founders, there are some new lines in the “Funding” risk area, which means this sheet is not solely relevant for startups seeking venture capital. You can modify “Market” too, if you’d like, but nothing about self-funding should make you less ambitious.

Looking at the spreadsheet, you’ll see the first tab is “Evaluation”, where you’ll conduct your initial risk evaluation. Each row has a dropdown that populates with the common risks from “How to De-Risk a Startup”. You can evaluate your own risks, but it’s probably best to get outside feedback.

The second tab, “Controls”, is where the magic happens. By brainstorming controls that systematically reduce your risk over time, you can plot a path to success. You can modify the third tab, “Risks”, to adjust the risk level or modify individual risks, much like I did by adding self-funding. Be careful as the formulas are brittle in places.

To learn how to implement our controls we need to briefly discuss the risk management process, which I’ve wrangled for years as a young officer in the California Army National Guard.

The risk management process

My fellow weekend warriors out there have become almost desensitized to risk management in the Army. We do a risk assessment for everything: convoys, rifle ranges, Christmas parties. Invariably, people complain about the process. But it works. I would much rather hear a Soldier groan about a risk assessment than preside over their funeral because we had “better” things to do.

The Army formalized its risk management process into a publication aptly called Risk Management [PDF], or ATP 5-19.

Roughly, the risk management process works as follows:


  1. Identify the risk
  2. Assess the risk
  3. Develop controls
  4. Implement controls
  5. Supervise and evaluate

And the process repeats itself again.

In his blog post, Leo gives us a five-point spectrum for risks that ranges from low to high. In my spreadsheet, I’ve adjusted this slightly to: very low, low, medium, high, and very high.

The Army has roughly the same risk levels, but opts for a matrix for evaluating risks. By matching probability (the expected frequency of the risk manifesting) and severity (the expected consequence should the risk manifest), you can come to a conclusion about the expected risk level.


For example, a risk that leads to likely death or mission failure would be extremely high. In my Army world, signing off on this risk would require an approving authority far beyond my pay grade. As a startup founder, I’m free to take all the stupid risks I’d like.

I was torn on whether to use the matrix approach in my spreadsheet. For now, the spreadsheet takes the simpler path of choosing from a list of possible options. However, you probably want to pause to consider each risk’s frequency and severity when assessing and developing your controls.

How to mitigate your risks

Assessing your current risk is useless without also determining how to mitigate it. The spreadsheet uses the Deliberate Risk Assessment (DD Form 2977, for reference) as the basis for managing risk.

For each risk, brainstorm every possible short-, middle-, and long-term action your team can take to achieve at least one step decrease in risk. You can break it down like this:

  • Control – The specific action your team will take to lower the risk.
  • How to implement? – Break down into the who, what, when, where, why, and how.
  • Who implements? – Be specific about who on your team has the responsibility. Don’t make assumptions here.


The Army’s Risk Management publication also provides some further thoughts on how to judge the quality of your controls. I’ve reworded them slightly here. Each control you have should be judged by:

  • Feasibility – Your company can actually implement this.
  • Acceptability – The cost in resources and time is worthwhile.
  • Suitability – The risk is actually mitigated.
  • Support – You have the required team, tools, and other resources.
  • Explicitness – You clearly specify who, what, where, when, why, and how.
  • Standards – Your procedures are clear, practical, and specific.
  • Training – Your team has the right knowledge and skills.
  • Leadership – You have buy in from your leadership.
  • The individual – Each affected individual on your team can contribute.

Going further

Beyond the basics of this exercise, you can take this risk management process further. Some things I would like to do, and implement in future versions of this spreadsheet:

– Use this to find advisors. In the past I’ve been biased to seeking advice from like-minded people, often in the same domain. If you’re an engineer with a bias against or distaste for sales or marketing: break that habit now. If you pour time into advisors who share your skills, you’ll not only see diminishing returns on your strengths, you’ll undoubtedly increase risk in your weakest areas over time.

– Use this to gather feedback. I would love to further implement a Google Forms survey that collects feedback from key stakeholders and ideally tracks progress over time. Lines, not dots. You could simplify this by simply copying your template every few months and updating.

– Find a way to more deeply integrate this into our experiment and product prioritization process. Risk management should hold equal weight in prioritization with product development and growth, and everyone on the team should be regularly thinking about how to de-risk.

Found this helpful?

Don’t forget to copy the spreadsheet!

We’re always thinking about how to help people build things that have maximum impact with minimum risk. You can subscribe to our email list to get more tools and thoughts on these subjects. You can also always reach me on Twitter @joshsmith or just send me an email.

Enjoyed this post?

Our best content on open source, social good, and building products. Delievered each week for free.