Whether you’re buying or investing in a SaaS, e-commerce store, mobile app, plugin, or any other type of tech-enabled business – you need to conduct thorough due diligence of the technology. In this guest article, we provide investors with a guide to technology due diligence.
About the author:
Frank Oelschlager is a partner and senior consultant at Ten Mile Square. With 30 years of product technology and operational experience, he can be found most days helping companies of all shapes and sizes sort out their product and technology strategies or building learning cultures in their product and engineering teams.
As an investor in or acquirer of a technology company, you have many aspects of due diligence to consider when valuing the target and deciding on the investment. You’re going to do financial diligence on the target, and likely market diligence as well, to get the information and guidance needed to model the opportunity. Technology due diligence, when done right, provides you with unique and often critical insight that can inform your approach and actions before, during, and after the deal closes.
The Value of an Assessment
- Know where the risks are, whether they are existential, and what to do about them.
Uncovering these risks requires an assessment methodology structured and designed for the unique goals and needs of investment-grade due diligence. It also requires operationally seasoned experts who have seen, and know how to address, the various types of risks that might exist. You’ll want to make sure the person or firm you hire to perform the technology assessment has both of these capabilities.
- Know what impact the risks have on the investment.
There are always risks; the key is to know what they are and how they affect the investment capital needs. There are many different types of technology-oriented risks that an investor or acquirer needs to care about. Beyond knowing about the risks themselves, you need to know how much it will cost and how long it will take to mitigate or eliminate any of the existential and critical risks.
- Risks are contextualized to the investment objectives.
A solid technical diligence exercise will start with the business and investment objectives and an overview of the overall operation. This frames the exercise and provides its context, and ultimately determines which risks matter and which might not be as important. The entire assessment needs to be conducted with this context in mind; otherwise the findings and recommendations will not be fit for purpose.
What are the Risks?
A well-formed technology assessment will break the risks down into categories as follows:
- Intellectual Property Risk: Is there any IP in sight? Is what the target claims as the unique advantage defensible or can anyone do what they’ve done relatively easily? If they’ve claimed things like machine learning or artificial intelligence, what exactly do they have?
- People Risk: Are the product and technology teams capable, stable, and skilled? Or are there critical flight risks, missing skills, etc.?
- Process Risk: Are the processes used to create, evolve, and operate the technology assets solid, repeatable, and scalable?
- Data Risk: What kinds of data does the target manage, and what risks does this pose (e.g., PHI, which falls under HIPAA)? What is the level of governance and maturity for managing data assets?
- Technology Risk: Is the technology itself sound? Are the correct architecture and technology selections in place to support the stated business goals?
- Scalability Risk: Are the technology and the organization capable of scaling as more customers are added and as new markets are entered?
What to do about the Identified Risks
But just having the risks identified and categorized is not enough. You need to know which ones, across categories, need to be prioritized. This is similar in nature to medical triage, where life-threatening issues are dealt with before all others.
Generally, you can think of the priorities as having three segments:
- Do now: These are the existential and critical risks. If something is not done about these pretty soon, major and potentially unrecoverable failures will ensue. Risks that show up in this category might be things like insecure sensitive data, inability to recover from a production failure, or issues that will lead to loss of key resources. It’s safe to say that no matter how big or costly these are, it will be less expensive to address them now than it will be after the fact.
- Do next: Once the Do Now risks have been addressed, you can safely turn your attention to this category. These risks represent a real potential for future loss that is finite and non-existential. Examples of these items might include ad-hoc or manual processes, outdated technology components, or missing skills within the team.
- Save for later: This segment represents areas for improvement of items that might be creating opportunity cost, unrealized sunk cost, or dragging down the efficiency of the operation. Items that often show up here are technical debt, inefficient processes/methodologies, and optimization opportunities.
Within each of these segments, the well-formed assessment will provide clear guidance on the order in which to attack these risks and on the impact of not addressing them. And while estimation in the technology world is a cruel mistress, a rough order-of-magnitude level of effort needs to be provided so that you know where the early dollars will need to go in order to safeguard the overall investment.