Special Feature
Part of a ZDNet Special Feature: Enterprise Startups: Risk vs. Reward

Five risks of using a startup as your vendor

Should you choose a startup to provide a critical system? Maybe not. Here are five risks every IT leader should consider before picking a startup as an enterprise vendor.

security-risk-thumb.jpg
Image: Shutterstock

Working with a startup on an innovative project or a business need that requires a fresh approach can be a great opportunity -- but before you ink the contract, here are five key risks you should evaluate:

1. Stability

Most startups have two immediate goals: 1) launching a product and securing customers; and 2) continuing to seek out investors so they can continue their operations until they secure a firm financial footing. Consequently, if you are an early customer, one of the risks of using a startup is stability. In your risk management assessment of the startup, you should be able to answer questions like: Is the vendor likely to remain solvent, do I trust the management team, and can I expect the startup's management to remain stable?

What does it take to launch a startup? Find out with Launching a startup: A primer for new entrepreneurs from ZDNet's sister site Tech Pro Research.

Most startups are not going to have Dunn and Bradstreet ratings that can give you a sense of their financial stability -- but they should have financial statements and corporate documentation that can be evaluated by your financial and legal experts. The financials that the startup hands you should also have the stamp of review upon them from a credible audit firm.

Just as essential is having confidence in the integrity, business savvy and technical expertise of the startup's management team, beginning with the CEO. How well do you know these people, their work, and their previous backgrounds and histories? Do they possess unique knowledge and technology that your company needs and that you can't get elsewhere?

Finally, even if you are sold on management, will they remain with the startup for the long term so you can plan on a long term business partnership? Many startups aim to establish reputable businesses with large books of business, but just as many plan to build up to a certain level of committed customers and revenues and then put the business up for sale. When startups get sold, management also has a tendency to move on.

Key takeaway : Startup solvency and a valid business case are easy to confirm, but where many companies falter is when a startup change of management occurs. One IT manager recounted how he desperately wanted to terminate a bad relationship with an existing vendor, so he went with a startup -- only to have the startup acquired 18 months later by the company he wanted to escape! Always include a "change of management" clause in your contract that enables you to opt out of the contract if a management change occurs that is unacceptable.

2. Compliance and security

Last year, the CEO of a SaaS company told me that from his interactions with other SaaS company leaders, he estimated that "about two-thirds" of these providers lacked third-party audits of their internal IT security. Many SaaS vendors also use third-party data centers that their customers are unaware of and have no relationship with. From the startup's standpoint, this is understandable, because cash is limited and few startups have the flexibility to make major investments in technology and data centers at the onset. If a company elects to use a startup vendor in the SaaS/cloud space in particular, there is additional concern for safety and stewardship of any enterprise data stored by the startup. Data safety and compliance issues place companies at risk if data safekeeping and security practices at the startup do not fully meet enterprise criteria. Research firm Gartner confirms these risks, noting that, "through 2015, 80 percent of IT procurement professionals will remain dissatisfied with SaaS contract language and protections that relate to security. We continue to see frustration among cloud services users over the form and degree of transparency they are able to obtain from prospective and current service providers."

Key takeaway: The IT security and data teams should examine the startup for data security, safekeeping and compliance and even engage an audit team if necessary. It should also ask the startup if it has its own data center or if it outsources a data center from a third party. If the startup uses a third party, IT should vet the third-party vendor for security. Specific language should be incorporated into startup contracts that articulate data security and safekeeping responsibilities, liabilities and warranties.

3. Service, reliability and responsiveness

Because they're lean, startups frequently lack substantial service and support personnel. Any company considering a startup should have a thorough understanding of the startup's depth should the startup's key technologist choose to leave, and whether the startup will be able to respond in a timely fashion if the solution that the startup is providing experiences a problem in production.

An equal concern is disaster recovery. A company using a startup should write a disaster recovery procedure for the startup solution into its own plan and also test the plan annually with the startup to ensure that failover really works. Late this year, a Spiceworks study reported that over 45 percent of respondents using SaaS services had reported data loss in their organization, and that 14 percent of those respondents said that they were unable to retrieve the valuable information they had lost. These are unacceptable levels of data unaccountability that could increase when a startup is used.

Key takeaway: Avoid signing contracts with startups that don't contain an agreement that the startup will collaborate annually with you on a test of disaster recovery and failover. Also be sure to ask the startup what its policies on data retention (and on who 'owns' the data) are. No contract with a startup should be entered into without first including a list of the minimum service level agreements (SLAs) that the startup must meet for time to response, time to problem resolution, etc. If the startup can't provide these, it might be best to avoid working with it -- unless there is a non-mission critical purpose for using the startup that can outweigh the value of having SLAs.

4. Research and development

The startup's solution might be revolutionary for your company today -- but will it hold the same value three or five years from now? Startups offer agility and innovation to large enterprises that enterprises can't achieve internally -- but only if advances in startup technology and the ability to continuously commit R&D dollars to new product development within the startup can keep pace with rapidly emerging business needs within the enterprise. The risk with any startup is whether it will be able to sustain its level of R&D, to secure new investment capital, and to retain key contributors.

Key takeaway: Understanding the startup's capacity to continuously invest into R&D and to expand its products so they can keep pace with your company's business is vital. One of the key values a startup can offer a large company is unfettered innovation -- but value is lost if the startup has no way to sustain its innovation.

5. Explaining your decision to the board

If you are a CIO making a choice to go with a startup and you work at a fairly conservative company, you will have your CEO, your CFO and very likely your board to convince. Of the three, CEOs with an entrepreneurial past are the most likely to be open to the idea of using a startup. At the other end of the spectrum is the CFO, who tends to be risk averse. The board is often somewhere between these two extremes.

Since a great deal of risk is involved when a company decides to go with a startup, CIOs often find it easier to just adopt a solution that is already broadly subscribed to in the industry. The board and other C-level executives are generally comfortable with this. If you go with a startup, your business case must be very compelling, and usually on the order that the startup is the only company 'out there' that has what you need.

Key Takeaway: Fully weigh your risks before recommending a startup to the board, or to fellow C-level officers. A startup recommendation should never be made without first performing due diligence into startup risk areas (security, solvency, management stability, etc) cited earlier in this article. You should also be prepared with contingency responses to the inevitable questions that board and management will ask. If they ask what happens if the startup folds, you might have a strategy in place that allows you to acquire the solution from the startup and import it into your own internal IT. If they ask about the startup's ability to keep product in production, you might show them a disaster recovery plan and a set of SLAs. If they ask about the credibility of the startup and any third party vendors it uses, you should be prepared with third party audit reports and recommendations from others well thought of in the industry. Most importantly, you should come prepared to tell a compelling story on what this particular startup offers, and how it is going to deliver business value that the company desperately needs -- and that it can't get elsewhere.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All