As an investor or acquirer of a technology company, you have many aspects of due diligence to consider as part of the valuation and informing the decision-making process on whether to make the investment or purchase (or on what terms). You’re going to do financial diligence on the target, and likely market diligence as well that will provide you with the information and guidance needed to understand the opportunity. The technology due diligence aspect of this, when done right, will provide you with unique insight that can inform you before, during, and after the deal closes.
The value of an assessment
The key value to expect from a tech assessment is the knowledge of what and where the risks are, and what to do about them in which order. To uncover these risks requires an assessment methodology structured and designed to the unique goals and needs for investment grade due diligence. To provide the guidance on what to do about them requires operationally seasoned experts that have seen and know how to address the various types of risks that might exist. You’ll want to make sure the person or firm you hire to perform the technology assessment has both of these capabilities.
There are always risks, the key is to know what they are and which aspects of the business might be impacted, and how this affects the investment capital utilization. There are many different types of technology-oriented risks that an investor or acquirer might care about. And beyond knowing about the risks themselves, you need to know how approximately much it will cost and how long it will take to mitigate and eliminate at least any of the existential and critical level of risks.
Before getting into the risks, a quick detour to the business is required. A solid technical diligence exercise will start with the business and investment objectives and an overview of the overall operation. This frames and provides context for the exercise, and ultimately which risks matter and which might not be as important. The entire assessment needs to be conducted with this context in mind, else the findings and recommendations will lack suitability to purpose.
A technology assessment looks at the current state of the operation across the entire product life-cycle from ideation to delivery/operation, and customer onboarding. This means that the assessment creates a broad view into the current state of the organizational functions and technology posture inclusive of:
- Product Management
- Software Development
- Technical Architecture
- Product Inventory
- Product and Code Quality
- Product Delivery
- Security and Monitoring
- Client & Partner Services
This current state serves as a baseline snapshot from which gap analysis of the business goals and objectives can be created, and from which progress can be measured as items are addressed in the future. In order to know how to get somewhere, you have to know where you are.
Types of Risk
A well-formed technology assessment will break the risks down in to categories as follows:
- Intellectual Property Risk: Is there any IP in sight? Is what the target claims as the unique advantage defensible or can anyone do what they’ve done relatively easily? If they’ve claimed things like machine learning or artificial intelligence, what exactly do they have? Another aspect of this is compliance with open source and 3rd party software licenses.
- People Risk: Are the product and technology teams capable, stable, and skilled? Or are there critical flight risks, missing skills, etc.
- Process Risk: Are the processes used to create, evolve, and operate the technology assets solid, repeatable, and scalable?
- Operational Risk: Especially for SaaS companies, this is a big ticket item and includes items such as ability to recover from production failure.
- Data Risk: What kinds of data does the target manage, and what risks does this pose (i.e.: PHI->HIPPA). What is the level of governance and maturity for managing data assets?
- Technology Risk: Is the technology itself sound? Are the correct architecture and technology selections in place to support the stated business goals?
- Product Risk: How is product definition and roadmap managed?
- Scalability Risk: Is the technology and the organization capable of scaling as more customers are added, as new markets are entered? Are there reasonable operating costs for the business, how do operating costs scale?
- Security Risk: Are there security issues for: architecture, users, data, network, process?
- General Risk: What other factors came up during the assessment that are worth noting?
Just having the risks identified and categorized is not enough. You need to know which ones, across categories, need to be prioritized. This is similar in nature to medical triage, where life-threatening issues are dealt with before all others. Generally, you can think of the priorities as having 3 segments:
- Do now: These are the existential and critical risks. If something is not done about these pretty soon, major and potentially unrecoverable failures will ensue. Risks that show up in this category might be things like insecure sensitive data, inability to recover from a production failure, or issues that will lead to loss of key resources. It’s safe to say that no matter how big or costly these are, it will be less expensive to address them now than it will be after the fact.
- Do next: Once the Do Now risks have been addressed, you can safely turn your attention to this category. These risks represent a real potential for future and finite non-existential loss. Examples of these items might include ad-hoc or manual processes, outdated technology components, or missing skills within the team.
- Put on the Roadmap: This segment represents areas for improvement of items that might be creating opportunity cost, unrealized sunk cost, or dragging down the efficiency of the operation. Items that often show up here are technical debt, inefficient processes/methodologies, and optimization opportunities.
Within each of these segments, the well-formed assessment will provide clear guidance on what order to attack these risks and what the impact assessment of not doing them is. And while estimation in the technology world is a cruel mistress, a rough order of magnitude level of effort needs to be provided so that you know where the early dollars will need to go in order safeguard the overall investment. This information can also serve as an opportunity to discount the purchase price.
Once the assessment itself has been completed and a report delivered, the investors (and ideally, the target stakeholders) should get a thorough walk-through of the report and an opportunity to ask questions and provide clarifications. These reports are often dense and contain a broad array of information, so it is important for all parties to ensure that they understand the contents of the report and what to do with the information provided; what to act on and what to be informed by.
As you have read, a true technology assessment conducted in support of investment diligence is a comprehensive and methodical undertaking that provides a wealth of information. While these assessments can often be conducted in just a few days’ time, having a structured and methodical approach is key to producing valuable data. This information benefits both the investors as well as the target company when understood and acted on appropriately.