In the winter of 2022, I received a phone call from my co-founder and business partner at Humble Health – the type that you hope never comes: our majority shareholder was pulling the plug. We were done. Two and a half years of blood, sweat and tears up in smoke.
We had an MVP that generated a small amount of income and provided customer trials that demonstrated a decent product-market fit with an ARPC perfectly in line with expectations. We sipped capital in the early days and had a pristine cap table as a result. Eleven months prior, we negotiated a dream acquisition: a strategic partner purchased a majority stake and gave us carte blanche and near-infinite runway to pursue our existing business plan. We were 3 weeks away from launch with a modest but full-featured version of our product. We had everything going for us. How could this have happened?
A few months of reflection have led me to a single conclusion: opportunity cost. Let me explain.
The True Cost of Compliance
I met my co-founder a few years back while we were both undertaking an MBA. He was an industry insider with a clear vision and mission. I was an engineer with a desire to use technology to solve real problems. Combined we had the connections, skills, and resources to pull off something great. We kicked off in May 2020, determined our primary value proposition, figured out a feasible tech strategy and rolled up our sleeves to make it happen.
Regulatory compliance was one of those things that were on our radar from the early days. Having a background in IoT and industrial control systems, I was familiar with grappling with security concerns and regulatory environments: be it FCC, CSA, ATEX, ISO, or any other of a myriad of acronyms.
Healthcare was different. That point was driven home in October of 2020 when I sat down to read through the legislation as part of my due diligence: there’s private information legislation, healthcare information legislation, college requirements, and privacy commissioner audits.
All of that was just on the provincial level and each province is different. Federal legislation was something different still, and it was difficult to determine where the jurisdiction of one ended and the other began. It only got worse when we considered expansion to America.
Unlike what I was familiar with from my product development days, compliance wasn’t a one-time effort. Technical compliance alone was not enough. We couldn’t just cut a cheque and hire a consultant to recommend a few changes to our design.
These requirements permeated every design decision my team would make and we’d have to continually monitor for changes to our underlying technology stack and continually maintain and upgrade our system.
The Myth of Risk-Insulation
Now you must understand: I’m a system architect by temperament, which means that I design against complexity and risk mitigation over long time horizons. Having done my own startups a few times now, I was determined to ensure we were impervious to external factors. My co-founder is brilliant and as CEO he structured our financing to be effectively self-sufficient. I kept our expenses to a minimum and maximized runway.
But that’s the funny thing about risk: it’s easy to think that you’ve protected yourself only to be blindsided by something completely outside of your control. As Nassim Taleb warned, “one is capable of unwittingly playing Russian roulette – and calling it by some alternative ‘low risk’ game… Reality is far more vicious than Russian roulette. First, it delivers the fatal bullet rather infrequently, like a revolver that would have hundreds, even thousands of chambers instead of six. After a few dozen tries, one forgets about the existence of a bullet, under a numbing false sense of security.”
Ultimately, the time required to juggle the technical and administrative complexities of compliance was what did us in. As a founder, I’d be tearing my hair out at having my runway cut in half, but for some reason I didn’t think that spending half our time in the weeds was effectively the same thing. We couldn’t just spin up a new microservice or modify the system to add a particular feature – it would have to be reviewed against regulatory requirements, checked and double-checked.
Every hour we spent devising a backup strategy was one less hour building value into our product, every hour ensuring proper access controls was one less hour I was listening to our customers… and every week that went by was one more spin of the barrel.
In the end, it didn’t matter how insulated we were or how clever I was or how effective we were. It doesn’t even matter what the particular reason, or combination of factors, was that ended the company: spin the barrel enough times and eventually you’ll get the phone call that I got.
This is not merely to stress “time-to-market” as every early-phase angel and accelerator likes to harp on ad nauseam.
While I would have loved to have a specialist on staff who could navigate the vicissitudes of compliance and security for us, it would be far more practical to have templated procedures and components that we could contextualize and deploy.
These would reinforce to the rest of the team that compliance saturates every decision they make while still providing reference implementations and best practices.
This is why I joined MedStack. As founders, we want to create value, solve real problems and change things for the better. Compliance costs are the table stakes that we must ante up before we can even start playing.