Technical Due Diligence: Basics
Here we discuss the basics of Technical Due Diligence, how we do it, and share a few tips.
written in co-authorship with Borys Omelayenko.
Investor, Target, Future
Technical Due Diligence comes in play when an investor plans to pump money into another company that is called target. Typically, investors perform several due diligence efforts: business, financial, legal, HR, IT. In addition, they also do Technical Due Diligence to investigate computing technology owned or operated by a target. When a target is a technology company then Technical Due Diligence may be the largest of all.
A Due Diligence request typically comes with one or more investment objectives and scenarios:
- Achieving certain profitability driven by the technology, or
- Scaling the technology, or
- Repurposing or extending the technology, or even
- Shutting down some technology development efforts or products,
to name a few.
What is somewhat unusual for the sector,
While Due Diligence in general is about examining the past, Technical Due Diligence is often also focused on the future.
The balance between the effort spent on the past and the future scenarios depends on specific project and client needs: from cases when investors want to leave targets operating independently and share the profits in return for their investment all the way to cases of intrusive investors who want to merge the acquired technologies or reuse them in their own products or even aim more at acquiring the customer base than the technology built by the target.
Is It Not IT Due Diligence?
Technical Due Diligence is often confused with IT due diligence, they are both about computing, right? There is a difference, though.
Technical Due Diligence is focused on key technologies developed by a Target and determining its value, while IT due diligence is focused on technologies used for operational support.
IT due diligence focused on operations, think of office software, communication tools, licenses, servers, security and others. It is mostly about technologies that are developed elsewhere, being operated by a target. And it is of paramount importance for assessing large established companies, but hardly a differentiator itself.
Technical Due Diligence is typically focused on technologies that are developed by a target. They form crucial part of company value, with investors keen on acquiring or scaling it up. Lured by value and potential of the key technologies, investors often forgive and even anticipate some sloppiness on IT.
Both may overlap, with Technical Due Diligence happening under umbrella of an IT due diligence project, or vice-versa. They remain very different in the type of work being done, type of questions being answered, and the folks being involved.
For example, software dependencies are treated differently in both types of due diligence. IT due diligence is focused on licenses, license costs and license legal terms. Technical Due Diligence is focused on the proportion of original technology developed by the target (valuable to an investor) in comparison with purchased or standard technologies, that less interesting to the investor.
Expectations and Scenarios
Due diligence is often seen as an unbiased audit process, with an auditor coming in and searching all possible and impossible closets for skeletons. That is certainly true for, say, financial due diligence, or IT due diligence where you want to have all software licenses counted. It also holds for Technical Due Diligence that needs to discover the real state of target technologies, with investors keen to know if there is anything behind the nice website.
There is a flip side. Technologies are generally less regulated than finance, legal or even IT. Compliance is sometimes important but compliance on its own does not attract many investors. And here we are in a different territory, as
Investors do have expectations, often in the form of clear investment objectives or scenarios.
Typical investment scenarios are:
- Scaling Target technology by pumping money into certain specific areas, such as investing into acquiring and processing new datasets to boost added value;
- Tweaking Target technology to offer new services, such as converting in-house platform used by consultants into a product offered to clients directly;
- Reuse Target technology for investor’s own products, such as acquiring a customer portal to complement investor’s own suite; or
- Employ Target staff (acquihire).
Expectations are always there, when scenarios are not already defined then we need to define them with the Investor before starting a project. Scope, focus and priorities are all determined by these scenarios.
For example, think of an acquisition with the acquihire objective: the true focus of due diligence would be on the ability of Target staff to replicate their success in the Investor company, rather than details of operation of the existing Target products that will be discontinued.
And that differentiates Technical Due Diligence from other types of due diligence: it is not that much about discovery and assessment but about achieving investor objectives.
Due Diligence ‘à la carte’
Of course, a pitch for Technical Due Diligence would mention a 360 degrees assessment, with Target technology being examined from all possible perspectives. But the number of perspectives is not endless.
We group them in six areas as shown in the following figure:
In addition, there is the seventh area: cooperation during the due diligence process. It is not a part of Target technology landscape, but in practice it might tell more about Target technology than some of the other areas.
Questions
Various due diligence questionnaires are abundant and anyone can download hundreds if not thousands of smart questions to ask. Just dress and go! Well, this type of copy-paste due diligence hardly brings any value.
The value of technical Due Diligence sits in knowing what to ask and drawing conclusions supporting the right decision from answered and unanswered questions.
Predefined questions are either generic or irrelevant. It makes sense to maintain template questionnaires for guidance, but not more. Virtually all questions asked in each assessment are adjusted or created to be specific to the occasion.
That is made tricky with the very idea of due diligence: it is a part of sales process. It happens in the course of substantial investment, being managed by the top of the target company. Someone from the target is selling the company, being well-aware of its strong and weak points. He knows what to show, he knows what to hide, and he may be an extremely experienced communicator.
Team and Duration
And here we come to the team. A junior due diligence consultant gazing at a list of predefined questions would not bring much value to the investor. He would quickly end up writing up the seller’s story.
A Technical Due Diligence project should be led by some of the most experienced consultants, who should be present in-person at onsite interviews and lead the conversation. He should not be alone, and a typical team for a startup or SME due diligence consists of 2–5 consultants:
- Leading technology consultant,
- Domain or business expert,
- Technology experts.
It helps that, being a part of SoftServe Inc., a large international vendor employing over 8000 associates at the time of writing, that we can find an in-house expert in virtually every technology area.
Duration of technical Due Diligence projects varies, typically between 3 (Target is a startup owning one or a few relatively small products) and 8 weeks (Target is a well-established technology company with millions of lines of code committed to their code repositories).
Findings and Grading
We look at each finding from two dimensions:
- How important the question is, assigning it one of three priorities;
- How satisfactory the answer is, giving it one of three grades.
These grades are all collected and grouped per-area. Relative distribution of grades is visualized with the following charts:
These charts are never black & white, most targets are primarily ‘fair’, excelling in a few aspects, with some deltas that need to be looked at.
These charts serve as the foundation of a story. In the above example, the target seems to be fairly strong in ‘Architecture and Algorithms’ (a deeper dive may reveal that the strength comes from a great idea, weakened by poor design and implementation), but should improve on ‘Data and Analytics’ that has never got proper attention and funding.
Target Grading
Here we come to grading the whole target company: we put together per-area grades of each product or technology that was evaluated, as follows:
The chart shows three systems that were evaluated (Portal, CRM and Middleware) graded per-area. There is also the Risk Zone that is specially defined for each Target. In the above example it is identified that the Data and Analytics area is of special importance of the Target.
These charts tell the story of the Target. From the example chart above the Investor can see that
- all systems need investment in ‘Privacy and Security’ to get them out of the risk zone, with the CRM in need of more urgent attention;
- Portal and Middleware are not cloud-ready, especially comparing to the CRM (that is probably developed as a cloud solution);
- Investment in Data and Analytics is needed, that is considered important for the Target but not mature enough to get out of the risk zone.
In this way these diagrams should be used to build and tell the story of the Target and the overall due diligence project.
In addition to per-area technology grades, cooperation with the target company during the assessment process is graded. That is done in the same way as the other grades and is presented in the same way.
Despite it is coming last, the cooperation chart should be presented first, as it sets the scene of all other findings: assessment of a cooperative transparent Target is likely to be more accurate than digging into an opaque secretive organization.
Recommendations
Ultimately, the value of the due diligence exercise sits in recommendations. They should be provided at three levels: quality, product, and investment.
Quality recommendations are very specific and may be accompanied with detailed effort estimate, such as:
- Replacing a specific dependency: database, library, platform;
- Enabling security measures: encryption, authorization, etc.
Product recommendations have broader scope than the quality recommendations, such as:
- Identify additional datasets that can be incorporated into a data-driven decisions support system;
- Re-architect a product to support usage growth, etc.
Investment advice would be focusing around technological areas or approaches, such as:
- Investigate the ability to use Machine Learning to automate part of Target operations, if the characteristics of this ‘part’ suggest that it can be done this way;
- Consider offering an internal platform as a client-facing product, with the rationale behind this move and elaboration of the type of necessary effort, etc.
Risks should also be highlighted, such as:
- Reliance on public data or algorithms that allow replication of the target services by competition;
- Regulatory risks coming from HIPAA, GDPR, and other compliance standards, etc.
Finally, a due diligence consultant should never forget that
making the investment decisions should not be attempted during the Technical Due Diligence process.
Decision making is a sole responsibility of the investor, and the recommendations should remain unbiased, even if some options are more appealing to the due diligence consultant that others.
