
Business and operations risks in a biotech start-up


Our client was a small, biotechnology start-up company, consisting of a small team of highly motivated scientists, administration and management personnel, and the venture capital firm that was providing them with financial support. The company had developed a novel technology that provided performance and manufacturing benefits in a broad array of life science applications. The technology enables the design of improved, cheaper diagnostic tests as an initial commercial offering, with other applications in development.

At the time of the assessment described here, the company was cash flow negative, but it was adequately funded to achieve its business plan.

The venture capitalist believed that the company would optimise its ability to achieve strategic and business objectives by maintaining a sound risk management approach, one that would assist management decision-making and provide early warning of major risks. The risk assessment we facilitated was a step in the development and implementation of this approach.

Assessment overview

The risk assessment was part of a process based on ISO 31000 Risk management – Principles and guidelines, outlined in Figure 1. Building on Broadleaf’s long experience with risk management, it was tailored to fit the specific circumstances of the company and their requirements at this stage in their development.

Figure 1: ISO 31000 risk management process

The risk management process

Preparation for the workshop


The scope of the assessment was to assess the risks to the company in the context of its business goals and objectives, outlined in Table 1.

Table 1: Business goals and objectives

Business goals

Provide more reliable and more sensitive tools that are easier to use for better and earlier diagnosis in the health care sector

Profitably develop the current diagnostic technology product

Business objectives

Create a safe and engaged high performing team

Provide a motivating, open and enjoyable work environment

Gain a share of the market for the company’s products, and grow the market while maturing the products and optimising further development

Honour commitments and build trusted relationships

Make the company’s product the industry standard for diagnostic testing in its area

Maximise the value of the company’s intellectual property (IP)

Protect the IP and the competitive advantage it confers

Safely, reliably and efficiently produce the company’s products


The main stakeholders and their objectives are noted in Table 2.

Table 2: Stakeholders and their objectives




Improved company value and share price

Good relationships with partners and other key stakeholders

Strong safety and environmental performance

Good governance of the company

Good communications

Venture capital provider

Good return on invested capital

Viable medium-term exit strategy


Good governance of the company

Give the current diagnostic product every opportunity to succeed

Ensure all statutory legal obligations are met or exceeded

Use shareholder funds effectively

Provide a clear plan of action and business strategy

Avoid liability for adverse events resulting from the use of the company’s products


Safe management of operations and facilities

Sustain profitable operations

Maintain staff morale, mutual respect and welfare in a safe, equitable and stimulating workplace

Continued employment at competitive remuneration

Maintain the reputation of the organisation for high quality, innovative science and speed of response


Develop new tests quickly and reliably

Reduce costs of new diagnostic development


Industry development

Effective use of incentives

Tax concessions used effectively and in a defendable way


Protect the environment and the community

Comply with workplace health and safety regulations

Ensure compliance with health product requirements


Viable customer

Compliance with regulations (including dangerous goods)

Business context

The main external and internal factors that might affect the business are listed in Table 3, with some of their implications.

Table 3: Business context



Government regulation is becoming more onerous

Many approvals are needed, under many regulations across many countries

There are environmental and safety constraints on our operations

As a provider of therapeutic products, we are subject to stringent auditing

Competitor activities may impact the company

Poor practices by competitors may have an adverse effect on the company’s reputation

Competing technology may reduce the commercial attraction of the company’s product

Diagnostic service providers may block or enhance change to the company’s product


The company’s customers may develop competing products

Some of the company’s customers are resistant to change; they desire not to write off their current investment and reinvest in the company’s products

We must demonstrate the safety of our product to the company’s customers

Some customers are concerned about the size and viability of the company

Other technology

The market may move away from the diagnostic approach the company is developing to other forms of testing

Business expansion

The company will need to exploit our IP quickly, to maximise its value during the period of exclusivity

The company will need to continue to develop new IP

Key contracts need to be put in place

The company needs to maximise cash flow, which requires major contracts to be in place soon

Product performance

Quality and responsiveness are key criteria for our customers

Safety is a key driver

Health and safety is a major focus of the business

Initial risk register

An initial risk register was developed for the workshop. It was derived from:

  • Recent assurance activities, including a workplace health and safety audit
  • A comprehensive questionnaire about opportunities and threats to the business, resulting in an initial list of 142 risks before the removal of duplicates
  • Other information provided by management before the workshop.

Key elements

A set of key elements was developed (Table 4) to provide a structure for the initial risk register and set the agenda for the workshop. They covered business matters (B) and operations (O).

Table 4: Key elements



Includes …



People management, communication, resources, staff, security, processes, procedures



Market place, customers, products, resources, technical issues, approach


IP and technology

Patents, licenses, protection, competitive advantage



Business relationships, funding, commercial functions, debtors, creditors


Business priorities

Direction of business development, priorities for development



Information, data, records and documentation management



Relationships, stakeholder management



Safety, health, environment, legal, therapeutic goods regulation and registration



Facilities, equipment, information technology



Quality, responsiveness, costs, efficiency


Product development

Product development



Suppliers, materials

The risk management context

The criteria for analysing risks were developed as part of setting the context. The scales for consequences and likelihoods, and the way in which individual measures of consequence and likelihood are combined into a level of risk, are expressions of the company’s risk appetite and they provide a structure for making judgements about risks and their treatment. The development of these risk criteria was an important part of the preparation for the workshop, and a fundamental component of the larger risk management development activity across the company. It was created for this risk assessment with a view to it being at the heart of the company’s risk management arrangements.

Briefing material

The context was summarised in a briefing document that was distributed to the participants prior to the workshop.

Assessment workshop

The workshop process is illustrated in Figure 2 and outlined below.

Figure 2: Workshop process

The workshop was divided into two sessions: the initial session concentrated on the business elements and the second on the operations elements.

Workshop participants were drawn from the business and scientific areas of the company. Many of them participated only for those business or operations elements to which they could make a direct contribution.

The assessment process examined each key element in turn. The same pattern was followed for each key element.

  • Threats and opportunities in the risk register were reviewed and a concerted effort was made to identify further risks. Risk descriptions were revised where necessary and the existing controls were also reviewed and edited as necessary.
  • The effectiveness of the controls was assessed for each risk considering the aggregate effect of all controls relevant to a risk. Control effectiveness is a relative measure of the actual level of control that is currently present and effective, compared to what is reasonably achievable for a particular risk (Table 5).
  • Most likely consequences of each risk were agreed, taking into account the current controls and their effectiveness. Consequence criteria included: financial impact, health and safety, brand and reputation, environment and community, management impact, and legal and compliance. Where a risk had a potential effect on two or more objectives, the highest rating was selected.
  • The likelihood of the assessed level of consequences arising was assessed, taking into account the current controls and their effectiveness.
  • The consequence and likelihood ratings were combined to generate a level of risk that indicates the priority for attention (Table 6).
  • The potential maximum consequence (PMC) for each risk was agreed using the consequence scales alone. PMC is the maximum possible impact on the company if all the controls were to fail.

Table 5: Control effectiveness

Control effectiveness


Fully effective

Nothing more to be done except review and monitor the existing controls. Controls are well designed for the risk, are largely preventative and address the root causes, and management believes that they are effective and reliable at all times. Reactive controls support preventative controls.

Substantially effective

Most controls are designed correctly and are in place and effective. Some more work to be done to improve operating effectiveness or management has doubts about operational effectiveness and reliability.

Partially effective

While the design of controls may be largely correct in that they treat most of the root causes of the risk, they are not currently very effective. There may be an over-reliance on reactive controls.


Some of the controls do not seem correctly designed in that they do not treat root causes; those that are correctly designed are operating effectively.

Largely ineffective

Significant control gaps. Either the controls do not treat root causes or they do not operate at all effectively. Controls, if they exist, are just reactive.

None or totally ineffective

Virtually no credible control. Management has no confidence that any degree of control is being achieved due to poor control design and/or very limited operational effectiveness.

Table 6: Levels of risk and priority for attention

Risk owners were assigned after the workshop.

Assessment outcomes


The assessment generated 60 risks, of which none was Extreme and eight were rated as High. Of the High risks, four had consequences that were generally beneficial (opportunities) and four had primarily detrimental effects (threats). The opportunities related to diversifying the diagnostic product range, increasing the productivity of research and development activities, improving the effectiveness of marketing and enhancing the scientific reputation of the company. Threats related to failing to attain sales targets or meet customer expectations and to maintaining staff capabilities and specialities.

Evaluation of the risk analysis outcomes provided recommendations for:

  • Those risks which senior managers should attend to immediately, based on levels of risk
  • Control improvement priorities for line managers
  • Monitoring and assurance activities to ensure that key controls remained effective.

Levels of risk

Table 7 summarises the risks by their risk levels, showing their consequences and likelihoods. Line managers flagged risks in the upper right of the table, where the consequences and the likelihoods are both high, for risk treatment attention.

For example, risk B5.04 was related to diversification of the company’s products. This was a primary focus for the scientific management team as they sought to expand their innovation activities to explore new diagnostic applications of their technology.

Table 7: Levels of risk – focus for risk treatment

Control improvement

A separate presentation of the results is useful for understanding control effectiveness and priorities for control improvement (Table 8). The current level of control effectiveness was good with only three risks having ineffective or no controls. Line managers flagged risks in the lower right of the table for control improvement; they have high risk levels but the controls are not as good as they could be.

For example, risk O1.07 related to personnel who needed to work on the leading edges of their specialities, and expand into new specialties, as they sought to develop new products and applications. Line managers were actively seeking additional operational controls to address this.

Table 8: Control improvement priorities

Control assurance

Table 9 summarises the risks by their level of risk and their maximum potential consequences, based on the risk consequence scales, if all the controls failed. Risks in the upper left of the table were flagged to receive attention for assurance activities such as inspections, reviews and monitoring by managers and assurance providers, as the controls are important here for maintaining the current lower level of risk. Potentially severe risks that are currently well controlled can slip from sight without a conscious effort to keep them under active consideration.

For example, risk O1.09 related to biosafety, where controls were fully effective (shown in Table 8) but the consequences of a control failure would be very high (shown in Table 9). Assurance activities to maintain biosecurity controls were a continuing priority for the company that was entrenched in its formal management processes and kept at the forefront of management attention by being categorised in this way by the risk assessment.

Table 9: Assurance priorities


Because the company was focussed on innovative technology, it is probably no surprise that half the risks rated High had beneficial rather than detrimental consequences. Here they emerged easily during risk identification, but in many cases careful preparation and workshop facilitation are needed to enable participants to explore opportunities for better than planned outcomes as well as threats to those planned outcomes. The risk management process must usually be tailored carefully if it is to generate significant numbers of risks with beneficial outcomes, as there is a natural tendency and historical practice of focussing on ‘what might go wrong’. Our previous experience with the company and its senior managers allowed us to conduct this workshop to achieve this broader view with only small adjustments to the facilitation process.

We used an expanded risk analysis process, with ratings of control effectiveness and potential maximum consequences as well as the more common consequences, likelihoods and levels of risk. This entails very little extra work for the participants while allowing a far broader and more useful evaluation process, providing managers with more than just a list of the ‘top risks’. Control effectiveness ratings allow priorities for control improvement to be explored, and potential maximum consequence ratings provide a framework for setting priorities for assurance activities, including audit planning. We strongly recommend this approach, which is simple and easy to implement in an assessment workshop.
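The following sketch is an added example, not part of the original case study or the assessor's own tooling. It shows how the three evaluation views described above (risk treatment, control improvement, assurance) can be derived from one register. The control-effectiveness labels are those of Table 5; the 1-5 rating scales, the 'Low' and 'Medium' level names, the cut-off of 4 for "high" and the sample register are assumptions, since Tables 6 to 9 are not reproduced here.

```python
from dataclasses import dataclass

# Control-effectiveness labels are the page's Table 5 scale, worst to best.
CONTROLS = ["None or totally ineffective", "Largely ineffective",
            "Partially effective", "Substantially effective", "Fully effective"]
# Assumed: 'Low'/'Medium' level names, 1-5 rating scales, cut-off of 4 for "high".
LEVELS = ["Low", "Medium", "High", "Extreme"]
HIGH_RATING = 4

@dataclass
class Risk:
    rid: str
    consequences: dict   # criterion -> 1..5 rating, given current controls
    likelihood: int      # 1..5, likelihood of that consequence arising
    level: str           # level of risk agreed in the workshop
    control: str         # aggregate effectiveness of all relevant controls
    pmc: int             # potential maximum consequence, 1..5, all controls failed

def consequence(risk):
    """Where several objectives are affected, the highest rating is selected."""
    return max(risk.consequences.values())

def evaluate(register):
    """Return the three priority lists produced by the evaluation step."""
    views = {"treatment": [], "control_improvement": [], "assurance": []}
    for r in register:
        if r.control not in CONTROLS or r.level not in LEVELS:
            raise ValueError(f"{r.rid}: rating outside the agreed scales")
        high_level = LEVELS.index(r.level) >= LEVELS.index("High")
        # Consequence and likelihood both high: focus for risk treatment.
        if consequence(r) >= HIGH_RATING and r.likelihood >= HIGH_RATING:
            views["treatment"].append(r.rid)
        # High level of risk but controls short of what is achievable.
        if high_level and r.control != "Fully effective":
            views["control_improvement"].append(r.rid)
        # Lower level of risk that depends on controls holding (high PMC).
        if not high_level and r.pmc >= HIGH_RATING:
            views["assurance"].append(r.rid)
    return views

# Constructed register: IDs and ratings are illustrative, not the company's.
REGISTER = [
    Risk("R-01", {"financial impact": 4, "brand and reputation": 3},
         4, "High", "Partially effective", 4),
    Risk("R-02", {"health and safety": 2}, 1, "Low", "Fully effective", 5),
    Risk("R-03", {"financial impact": 2, "legal and compliance": 3},
         2, "Medium", "Substantially effective", 3),
    Risk("R-04", {"management impact": 3, "financial impact": 4},
         3, "High", "Fully effective", 4),
]

if __name__ == "__main__":
    for view, ids in evaluate(REGISTER).items():
        print(f"{view}: {ids}")
```

R-02 is the pattern the assurance view exists for: a low current level of risk that would otherwise drop off a 'top risks' list, yet with a high potential maximum consequence if its controls failed.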

We developed a set of key elements to guide and structure the risk assessment workshop. They formed an agenda for the workshop, which allowed specialists to attend and contribute usefully, without distracting them unnecessarily from their day-to-day activities.

The company was operating in an environment in which strong compliance and verified processes and controls were mandated by legislation and regulation. In this case the risk assessment generally confirmed what was understood by the management. There were no major surprises. The process allowed the management to document this understanding in a form that could be reviewed and kept up to date with minimal ongoing effort. It provided a timely opportunity to refocus management attention, particularly on business-related matters that are largely outside the scope of many of the company’s regulatory requirements, which can become the dominant focus of attention given the severe consequences of failing to comply with them.

Biotechnology start-up company; venture capital provider
Health, pharmaceuticals and biotechnology
Services included:
Risk assessment and risk treatment
Risk assessment