Key Takeaways from SuiteWorld 2023: AI, Automation, Analytics, and ...
The IT Factor: An IT Due Diligence Checklist and Guide for M&A Deals
Expanding your footprint and capabilities through mergers and acquisitions can be a genuine game-changer for your company. At least if you mind your transactional Ps and Qs, which, unfortunately, is where many companies go astray. Perhaps even most. And IT due diligence is toward the top of the list for areas an organization – maybe even yours – will stumble, derailing entire deals along the way.
To that point, technology diligence has historically been an afterthought in many M&A transactions. Put differently, while buyers scrutinize financial statements and pore over tax returns, information technology (IT) systems and infrastructure often just get a passing glance at best. But we’re going to put an end to that today.
As you’ll soon see, between a mountain of relevant, practical, real-world insights and our accompanying technology due diligence checklist, there’s no reason for IT to be an afterthought in the broader M&A due diligence process anymore. In fact, our goal is to make it an absolute strength along your transactional journey. So let’s jump right in.
5 Key Risks of Not Performing IT Due Diligence
To put it mildly, M&A is complex, dependent on countless moving parts syncing up for deals to succeed. And technology serves as the central nervous system coordinating all those disparate parts into a fully functional system, where it only takes a single hiccup for everything to go sideways.
But if IT diligence is such an essential part of the M&A equation, why are many organizations so lackluster about it? Well, that’s a very good question, one with a few common answers:
1. Not Understanding the Implications
Sometimes buyers simply don’t comprehend just how deeply IT systems and infrastructure impact downstream factors like costs, timelines, integration complexity, and value realization. They fail to grasp the dire implications of skimping on technology diligence.
2. Capacity Constraints
IT departments often run lean, with limited bandwidth. Bringing on entirely new systems and tools from acquisitions can quickly overwhelm already overloaded IT teams. Of course, insufficient diligence only exacerbates this issue.
3. Failure to Consider IT Requirements
Without consulting IT leaders, private equity (PE) groups can make critical M&A decisions that conflict with technology constraints or requirements. For example, we’ve seen groups choose cutover dates that are entirely infeasible due to system migration timelines, and yet those dates still don’t change. IT delays can ripple down to business integration and impact customers.
4. Inability to Estimate Costs
Due to a lack of proper, thorough IT due diligence, organizations struggle to accurately estimate one-time and recurring IT expenses related to integrations, upgrades, licensing, staffing, and new tools.
5. Undetected Risks
Overlooked risks like cyber vulnerabilities, disaster recovery (DR) gaps, unsupported systems, licensing non-compliance, and even potential intellectual property issues can turn into expensive liabilities post-close.
For these reasons and others, taking the time upfront to thoroughly evaluate IT systems, infrastructure, policies, and staff is mission-critical, not to mention the million other components of effective project management. Ultimately, IT should have a plum seat at the M&A table, providing key inputs on synergies, costs, timelines, and risk mitigation.
After all, once the deal concludes, there’s no undo button. Thus, proper tech diligence is a critical key to the M&A castle, helping teams make informed decisions and avoid digitally driven deal disasters that make stakeholders and investors grimace.
The Core Areas of IT Due Diligence
A comprehensive, far-reaching IT due diligence process is a bit like assembling a jigsaw puzzle, where each piece provides a more complete picture of the digital landscape you’re trying to integrate. So let’s take an in-depth at some of the most critical puzzle pieces.
IT Strategy and Roadmap
Gaining visibility into the target company’s overall IT approach, current technology stack, and strategic roadmap provides critical context for determining alignment with your own objectives. In fact, just understanding that strategic direction often reveals philosophies or planned initiatives that might otherwise derail a successful integration or, at the very least, prevent critical synergies down the road. Key facets to analyze in this area include:
- Competitive Analysis: Review where the target firm stands compared to competitors and industry benchmarks. Look for technology gaps or advantages that could impact value creation. For example, is their e-commerce platform as advanced as market leaders?
- Portfolio Planning: Examine the target’s process for evaluating and prioritizing technology initiatives and investments. Do they rationally allocate resources to projects with the highest ROI?
- Alignment to Business Goals: Check that planned IT projects and the strategic roadmap tie directly to supporting broader organizational goals and a growth strategy. If misaligned, an entirely effective integration can quickly become the impossible dream.
- Feasibility of Execution: Assess whether the IT organization is realistically positioned to execute on the technology strategy based on budget, staff capabilities, and technical resources. Unfeasible strategies spell trouble. And then some.
- SWOT Awareness: Evaluate the IT department’s understanding of organizational strengths, weaknesses, opportunities, and threats as they relate specifically to technology. Limited insights here can blindside everyone involved.
Organization, Structure, and Leadership
Taking a hard look at the IT organization itself – including staff competencies, sub-departments, reporting structures, and relationships with partners – is absolutely crucial. Remember, an acquisition is ultimately a merging of talent and human capital, so ensuring the IT organization is poised to mesh with your own is pivotal. In this light, keep a few essential items in mind:
- Org Design and Staffing: Scrutinize what roles make up the IT team. Are staffing levels sufficient and appropriate for the environment? Is this corner of the organizational chart optimized for efficiency?
- Vendor and Supplier Management Process: Review how they manage relationships with third-party technology providers in terms of service-level agreements (SLAs), security protocols, and budget controls. Strong vendor governance is another must.
- Benchmarking and Budgeting: Determine whether the IT budget is in line with industry standards for the target company’s size, technologies, and business model. Are technology costs optimized?
- Governance Model: Examine what IT decision-making frameworks and investment prioritization processes are in place.
- Who decides what technology projects get funded?
- How do they weigh risks?
- Is leadership proactive about root-cause analysis?
- Would they benefit from IT Infrastructure Library (ITIL) training?
Developing a catalog of the core-ERP and non-ERP business applications provides invaluable insight into integration complexity, data flows, vendor dependencies, and scalability. Unlike infrastructure, business applications contain key processes and data – think manufacturing, production systems for oil and gas, supply chain and procurement, etc. – so assessing integration points and requirements is critical to a smooth transition. Key platforms to inspect include:
- ERP Systems: Assess core ERP systems like SAP, Oracle, Dynamics, and NetSuite that contain critical finance, operations, supply chain, and manufacturing data.
- CRM Platforms: Review Salesforce, Zendesk, and other CRM tools housing key customer data, sales processes, and pipelines.
- HRIS Systems: Evaluate Workday, SuccessFactors, and other HR platforms with sensitive employee data, org models, and performance metrics.
- Accounting Systems: Assess accounting packages, financial consolidation systems, and enterprise budgeting tools.
- Integration and Data Flows: Check how all of these applications integrate with each other and core data flows between them. Complexity here can hinder integration.
- Vendor Relationships: Identify critical application vendors and SaaS providers a company relies on, reviewing contract terms, security and support models, and negotiating leverage.
- Scalability and Maintenance: Determine whether systems can readily scale to support organizational growth. Estimate recurring maintenance costs.
While foundational software may seem mundane, it includes critical connectivity agents like collaboration tools and security systems that touch virtually every team member in every business unit, not to mention most technology assets. Even seemingly small gaps in these ubiquitous platforms can have cascading, enterprise-wide impacts post-acquisition, making it important to review:
- End-to-End Security Tools: Inventory endpoint, network, cloud access security, malware protection, data encryption, firewall, and other security platforms.
- Collaboration Tools: Assess email, productivity software licenses like Office 365 and G-Suite, telephony, chat, and unified communications.
- IT Support Systems: Review core help desk, IT documentation, monitoring, DevOps, and ITSM tools like ServiceDesk, ManageEngine, and ServiceNow.
- Reporting and BI Systems: Identify analytics, business intelligence, financial reporting, and data visualization platforms like PowerBI and Tableau.
Drilling into the technology infrastructure enabling operations, communications, and productivity is crucial, as infrastructure is the foundation underpinning all applications and data. Undiscovered risks or deficits here can handicap growth and productivity if you don’t identify and address them early. Key components to inspect include:
- Networking Architecture: Evaluate the LAN/WAN ecosystem including topology, circuits, latency, edge routers, and switches that underpin connectivity.
- Data Centers: Catalog all primary on-premise and co-location facilities housing critical production systems. Review redundancy, security, and capacity.
- Telephony Systems: Assess PBX systems, VoIP infrastructure, call analytics, and contact center technologies for robustness and scale.
- End User Hardware: Take stock of the quantity, age, standardization, and management of laptops, desktops, mobile devices, and peripherals.
- Capacity, Performance, and Redundancy: Determine how infrastructure will scale to support increased load. Review uptime SLAs and redundancy mechanisms to ensure reliability.
Risks and Security
Thoroughly evaluating security and risk management capabilities is imperative, as cyber threats and regulatory obligations never take a vacation. Ever. Thus, lagging policies, controls, or vulnerabilities you inherit become your own to bear post-close. Therefore, it’s vital to rigorously evaluate:
- Cybersecurity Controls: Catalog Identity and Access Management (IAM) controls, data, endpoint, network, application, cloud, and mobile security tools in place and review effectiveness.
- Physical Access Control: Examine measures like guards, badges, biometrics, and surveillance safeguarding facilities and technology assets.
- Business Continuity and Disaster Recovery: Validate plans and capabilities to maintain and restore technology services during outages. Review dependencies.
- Monitoring and Threat Detection: Identify security monitoring, SIEM, and vulnerability scanning platforms. Gauge skills to leverage them effectively.
- Compliance Audits: Evaluate results of recent internal and external security assessments, penetration tests, and compliance audits for adherence to HIPAA, GDPR, and SOX.
- Third-Party Oversight: Scrutinize how a target manages, monitors, and enforces vendor and third-party security, privacy, and compliance.
Evaluating Findings and Mitigating Risks
Yes, the mere act of completing tech due diligence provides invaluable insights during M&A, but it’s still just the first step – albeit a critical one. The real work begins when it’s time to methodically interpret those findings, prioritize risk areas, and engineer mitigation plans. This layered process involves:
Assessing Integration Complexity and Risks
Gaining visibility into systems with high integration complexity lets teams develop contingency plans for potentially lengthy or problematic transitions. Thus, buyers should pinpoint and scrutinize applications containing critical business data and processes. From there, they can develop detailed transition plans for smooth cutovers of ERP, CRM, and other core platforms.
Equally important is cataloging potential risks requiring immediate remediation like unsupported operating systems susceptible to malware or lacking vendor security patches. While a team can’t identify every shortcoming pre-close, spotting the most severe threats lurking in the transitional shadows allows for more proactive mitigation planning.
Prioritizing Risk Areas for Remediation
Post diligence, groups should catalog and rank all identified risks by severity of potential impact and likelihood of occurrence. This helps determine which require immediate remediation investments versus those that may take several budget cycles to fully address. Low-hanging fruit like implementing backups or addressing patching and other basic security controls should be addressed first. While swallowing the full risk remediation bill upfront may be impossible, buyers can at least prioritize the risks wisely.
Developing Integration Roadmap and Timelines
With diligence insights in hand, teams should construct a detailed IT integration roadmap based on findings, synergy goals, and available staffing bandwidth. Leadership alignment between IT and business leaders is critical to ensure rollout sequencing and timing support the overarching objectives. Also, teams should build contingency time buffers into each stage of the roadmap to absorb unforeseen issues or delays since surprises undoubtedly lurk ahead.
Reviewing Vendor Relationships
Diligence typically should include acquired vendor contracts needing re-negotiation or posing potential conflicts with existing agreements. This process should incorporate the analysis of licensing models to determine the most cost-effective consolidation plans post-acquisition. Likewise, support and cloud agreements present opportunities to maximize leverage across both entities. The buyer’s procurement team plays a pivotal role in this process.
Estimating Costs for Upgrades
Armed with IT diligence findings, buyers can work with the target company’s IT leaders to estimate costs for required upgrades across the IT infrastructure and workflows, applications, security, and more. This helps develop a multi-year budget forecast to cover necessary integration programs. Further, by understanding the true scope of the effort, buyers can secure the proper funding well in advance.
Diligence can also uncover opportunities for post-M&A cost optimization like the consolidation of duplicative tools. While some discovered deficiencies represent unavoidable cost burdens, buyers may also find savings that offset portions of the technical debt they’re left with.
Identifying Staffing Gaps and Needs
Due diligence frequently highlights where IT staffing or competency gaps exist that could very well threaten a successful integration. Buyers must determine which in-house skills may require vendor augmentation in the near term while also creating transition plans for the retraining, redeployment, or severance of IT staff. Likewise, recruiting efforts may need to quickly ramp up to support unfamiliar systems and increased workloads.
Examining Disaster Recovery Preparedness
Business continuity is under a bright spotlight during diligence, where recovery capabilities, testing procedures, contracted providers, and overall maturity must stand next to the buyer’s standards for all to see and compare. Thus, teams must remediate deficiencies through updated DR plans, accounting for additional sites, systems, and data sources. Most importantly, buyers must make sure they can still achieve recovery time objectives after the integration.
Leveraging Expert Guidance: Bring in the Specialists
For buyers undertaking their first acquisition or entering a new industry, leveraging experienced IT merger integration specialists pays dividends. And that’s a vast understatement. Because, truth be told, seeing everything from a fresh and objective, independent angle to assess IT infrastructure and associated M&A risks is invaluable to buyers, propelling diligence, integration planning, and value realization every step of the way.
Unless buyers possess their own robust internal IT M&A talent – which some absolutely do, but most do not – external guidance provides game-changing reductions in cost overruns and productivity losses. The bottom line – while internal IT and M&A teams may sufficiently conduct diligence for some acquisitions and needs, most complex deals warrant leveraging external specialists for common scenarios like:
Navigating Highly Complex IT Environments
For target firms with vast, intricate IT landscapes, relying solely on internal staff threatens risk oversight. For example, a retailer running multiple ERP instances with custom extensions poses integration challenges beyond typical IT skills.
Further, external experts bring diligence methodologies honed across diverse, complex environments. Their seasoned skillsets identify vulnerabilities that might otherwise slip between the cracks of the integration couch, especially when internal teams are unfamiliar with the target’s systems. Consultants also lend objectivity not influenced by internal opinions or organizational politics.
Bridging Internal Bandwidth/Experience Gaps
Even robust, veteran IT groups get stretched too far when juggling multiple unfamiliar systems while still addressing their daily responsibilities. Comprehensive diligence and limited bandwidth are a bad combination, usually leading to teams kicking the can further down the road rather than getting critical diligence tasks done.
Thankfully, IT consultants augment strained teams with specialized expertise and bandwidth. If internal staff lack M&A integration experience, specialists help avoid easily prevented missteps, proactively addressing problems and planning gaps that internal teams sometimes fail to anticipate.
Incorporating an Independent Lens
Although internal IT provides critical contextual insights, their close proximity to existing environments can blind them to risks. Even the most competent IT staff fall victim to this dynamic. Independent consultants counteract the can't-see-the-forest-through-the-trees phenomenon, providing unbiased assessments of the risks involved.
Experienced advisors also ask tough questions and illuminate areas even the best internal teams on the planet often can’t see within their own environments.
Obtaining Guidance on IT Cost Benchmarking
Accurately forecasting upgrade costs, integration expenses, expanded licensing requirements, and other IT costs requires financial expertise and benchmarks beyond most IT departments’ abilities. Integration specialists lend valuable cost modeling based on historical deal data and industry metrics that typical IT staff lack exposure to, enabling far more accurate budget planning.
While cost constraints can limit use of external services, judicious help navigating highly complex environments and unfamiliar integration scenarios pays long-term dividends that outweigh the investment. Ultimately, the proof is in the pudding by way of enhanced risk mitigation and new value creation.
The Benefits of a Technical Due Diligence Checklist
As you can see, thorough IT due diligence is a heavy lift requiring time, resources, and commitment from both organizations. And like it or not, given technology’s increasingly prominent role in driving business capabilities and competitive advantage, IT diligence is now non-negotiable. No ifs, ands, or buts about it.
Therefore, cutting corners just heightens the risks of data security gaps, integration snafus, unforeseen costs, and wasted synergies post-close. But done right, comprehensive diligence paves the way for accelerated value realization and strategic growth supported by integrated IT capabilities.
But while these insights will go an awfully long way in helping you realize all of those benefits, they work best in conjunction with the accompanying IT Due Diligence Checklist. As you’ll see, our checklist facilitates a more deliberate, meticulous approach to your IT diligence, ensuring you leave no transactional stone unturned with an eye toward making every stakeholder and investor happy with your decision-making. And that sort of thing is tough to put a price on, right?
Transforming Your Deal Lifecycle with Embark
Of course, there’s plenty about IT due diligence and the broader M&A process that we can’t capture in even the most thorough and informed guide and checklist – it’s simply too big of a topic. But that’s why the Transaction Advisory and Business Transformation teams at Embark exist – to provide the experience and expertise you need to navigate the complexities of modern, digitally-driven M&A.
You see, our gurus live at the intersection of people, processes, and technology, helping clients engineer and implement IT diligence, integration, and digital transformation solutions that turn M&A risk into reward. So take these insights to heart, download our handy checklist, and let our battle-tested specialists guide you through technical due diligence – and beyond – to help your growth dreams come true. It’s what we do.