An owner scored 290 on their Exit Ratio 360. Two buyers were lined up. They lost everything in 60 days because a crisis hit — and there was no system in place to respond. Two years of preparation, gone. The vampires, the werewolves, and the pirates came out. That is what happens when you have no threats framework.
THREATS stands for Turnovers, Hacks, Reputation, Economic disruption, Actions, Trouble, and Surprises. Crisis protection is not part of your readiness score — it is the shield that protects your readiness score. The THREATS framework exists as a standalone seven-category system with four response protocols, because the fastest way to destroy two years of preparation is to have no plan for the moment something goes wrong.
The full system is at What Is the Exit Ratio 360. Scott’s book is available on Amazon.
What Buyers Ask About Crisis Preparedness
When buyers are evaluating a deal, they expect things to go wrong. They know they may own the business from halfway across the country or in a different country entirely. So they ask: walk us through your contingency plan for key people leaving. Walk us through your client concentration response plan. Walk us through your financial disruption protocol. If the answer is “I have never heard of that” or “I will figure it out” — you may end up with dings and dents, or the due diligence conversation may simply end. Nobody has the moral courage to tell you — the deal just fizzles out.
The THREATS framework is different from every other component in the Exit Ratio 360 because it does not score your readiness — it protects it. Think of your other eight frameworks as the engine of your exit value. THREATS is the insurance policy that keeps the engine from being destroyed before you close.
The Four-Tier Response Protocol
Build one threats category per month or per quarter — pick the highest likelihood first. Structure each one on a four-tier system: monitor the indicators, alert trigger and 72-hour response protocol, emergency escalation plan, and assigned owner. Document it, test it, run red team exercises against it. Walk into the office, pull out a folder, say “I am leaving and turning off my phone — here is the situation, fix it” — and leave. You want to build the ability for your team to do the right thing at the toughest moment, so you can transfer that knowledge in the sale.
What is something that might happen to your company in the next three months? If it happened at 4pm on a Friday, what would you tell a buyer who was mid-diligence? If the answer is “I will figure it out over the weekend” — that is not a plan. It is a prayer. And hope is not a plan.
What is the THREATS framework in the Exit Ratio 360?
The THREATS framework is a standalone seven-category crisis protection system with four response protocols. THREATS stands for Turnovers, Hacks, Reputation, Economic disruption, Actions, Trouble, and Surprises. Unlike the other eight frameworks which score your readiness, THREATS protects your readiness score from being destroyed by a crisis that hits during your preparation window or active sale process.
Why is crisis protection different from the other Exit Ratio 360 frameworks?
All other frameworks build your readiness score. The THREATS framework protects it. Your other frameworks are the engine of your exit value — THREATS is the insurance that keeps that engine from being destroyed before you close. A business with a 290-point score and no crisis protocols is more vulnerable than a business with a 250-point score and documented response plans for every major threat category.
What are the seven threat categories in the THREATS framework?
The seven categories are Turnovers — key people leaving; Hacks — cybersecurity and data breach events; Reputation — PR crises and public perception events; Economic disruption — market downturns and cash flow shocks; Actions — legal and regulatory challenges; Trouble — operational failures and internal disruptions; and Surprises — unexpected events that fall outside the other six categories. Each requires its own documented response protocol.
How does the four-tier response protocol work in the THREATS framework?
The four tiers are: monitor the indicators so you see the threat coming; alert trigger with a 72-hour response protocol that activates when the indicator crosses a threshold; emergency escalation plan for situations that require outside resources or leadership intervention; and assigned owner who is responsible for executing each tier. Every category needs all four tiers documented, tested, and assigned before a crisis occurs.
What is the “it will never happen to us” syndrome in the THREATS framework?
The “it will never happen to us” syndrome is the most common reason business owners skip crisis planning. Business owners with strong businesses often feel protected by their track record. The THREATS framework addresses this directly — every major threat category is documented and tested regardless of the owner’s confidence level, because crises arrive without warning and buyers evaluate whether you have a plan before they close.
How does crisis preparedness affect the business sale process?
Buyers know they may own the business from another state or country. They will ask directly about contingency plans for key people leaving, major client disruption, cash flow problems, and regulatory changes. An owner who can say “we have documented response protocols and we run red team exercises quarterly” is presenting an A-plus level business. An owner who says “I will figure it out” is handing buyers a reason to reduce the multiple or walk.
What is a red team exercise in the THREATS framework?
A red team exercise in the THREATS framework means assigning a simulated crisis event — drawn from your documented threat categories — to your management team while the owner is physically absent and unavailable. The team executes the response protocol, documents what worked and what failed, and the results are recorded. Over time these exercises build a history of documented crisis responses that buyers can review as evidence of organizational resilience.
How does a cybersecurity breach affect a business sale?
A cybersecurity breach that occurs during an active sale process can kill the deal entirely. Buyers will find it in due diligence. If there is no documented incident response plan, no evidence of preventive security measures, and no recovery protocol, buyers interpret it as both a current liability and a signal of operational immaturity. Documented cybersecurity protocols and incident response plans are increasingly required in mid-market M&A due diligence.
What is a key person departure plan and why does it matter for exit value?
A key person departure plan is a documented protocol for what happens when a critical team member — your ops manager, your top salesperson, your CFO — leaves unexpectedly. It identifies who takes over, what knowledge transfer happens, and how client relationships are managed through the transition. Buyers ask about this directly because they are buying a business they will operate from a distance, and key person departures are one of the most common post-acquisition disruptions.
How do you build the THREATS framework documentation?
Build one threats category per month or per quarter, starting with the highest likelihood first. Use a four-tier structure for each: monitor, alert trigger, emergency escalation, assigned owner. Templates are widely available online. Document it, test it, run a red team exercise, and then repeat at a future date with no warning. What is documented is transferable — and in the context of crisis protection, what is documented is the difference between a deal that closes and one that fizzles out when something unexpected happens.
About Scott Sylvan Bell
Scott Sylvan Bell is a mid-market exit strategy consultant and the creator of the Exit Ratio 360™ — the only 360-point business evaluation system built specifically for owners of $10M to $250M companies preparing for a sale. His book Exit Ratio 360™ is available on Amazon — learn more at scottsylvanbell.com/why-scott/.
Follow Scott on LinkedIn | Read the weekly newsletter on Substack | More on Medium
Full Episode Transcript
Aloha and welcome to episode number 40 — the THREATS framework, crisis protection for your business. We are working within the Exit Ratio 360.
THREATS stands for Turnovers, Hacks, Reputation, Economic disruption, Actions, Trouble, and Surprises. An owner scored 290 on their Exit Ratio 360. Two buyers lined up. Lost everything in 60 days because a crisis hit and there was no system in place. That is when the werewolves, the vampires, and the pirates come out.
Crisis protection is not part of your readiness score — it is the shield that protects your readiness score. The THREATS framework exists as a standalone seven-category system with four response protocols, because the fastest way to destroy two years of preparation is to have no plan for the moment something goes wrong.
Buyers expect things to go wrong. They may own your business from halfway across the country. They will ask: walk us through your contingency plan for key people leaving. Walk us through your client concentration response. Walk us through your financial disruption protocol. If the answer is “I have never heard of that” or “I will figure it out” — you may end up with dings and dents, or the due diligence conversation quietly ends. Nobody has the moral courage to tell you. The deal just fizzles out.
The THREATS framework is different from every other component in the system. It does not score your readiness — it protects it. Think of your other eight frameworks as the engine. THREATS is the insurance policy that keeps the engine from being destroyed before you close.
Build one threats category per month or per quarter — highest likelihood first. Four-tier structure: monitor the indicators, alert trigger with 72-hour response protocol, emergency escalation plan, assigned owner. Document it, test it, run red team exercises. Walk into the office, pull out a folder, say “I am leaving and turning off my phone — here is the situation, fix it” — and leave. Build the ability for your team to do the right thing at the toughest moment.
What is something that might happen to your company in the next three months? If it happened at 4pm on a Friday and you were in the middle of due diligence — what would you tell the buyer? If the answer is “I will figure it out over the weekend” — that is not a plan. It is a prayer. Hope is not a plan. Build the protocols now, test them, and document the results. That is what converts an A-level deal into an A-plus Titan deal. Aloha and Mahalo.