Managing risk with effective IT technical due diligence

March 2022  |  TALKINGPOINT | MERGERS & ACQUISITIONS

Financier Worldwide Magazine

March 2022 Issue

FW discusses IT technical due diligence with Jason Ewing and Matt Van Itallie at Sema.

FW: How would you describe the appetite for technology driven deals in today’s M&A market? To what extent are acquirers focused on obtaining valuable technology assets?

Van Itallie: Demand for technology driven deals is at an all-time high across almost all investment categories. M&A levels are at an all-time high, driven by a need for digital transformation. For private equity (PE), according to Hg Capital, 2021 was “the year that software ate PE”. And it is not just late-stage investments – investments in early-stage start-ups doubled in 2021, with software deals leading the way. The reason for so much tech in M&A is that almost every company is a software company now, even ones you might not traditionally think of, such as distributors of medical products or baseball card companies. Despite the prevalence of great enterprise software products, most organisations create software as part of their ‘special sauce’.

Ewing: In today’s market, the appetite for technology driven deals is growing rapidly as every industry has recognised the pivotal role technology plays in future proofing and scaling up an organisation’s reach and capabilities. Incidentally, even for deals where technology is not the target’s core offering, technology diligence is a requisite. Regarding the assets themselves, the focus is either on the technology standing on its own or potentially integrating with other systems to produce new synergies. The plethora of solutions technology acquisitions offer contribute to a more valuable product offering for end users.

FW: Could you explain the potential risks around negative synergies arising from tech debt? What steps can be taken to identify those negative synergies, and evaluate the risks using synergy models?

Ewing: Technical debt presents itself throughout an organisation’s codebase stemming from decisions made at its inception related to the technology’s architecture and design to present day decisions around build and deployment practices. Being unaware of a codebase’s risks and weaknesses endangers stable systems and the application’s overall functionality. Moreover, the lead time to remedy extensive technical debt may outweigh the value of acquiring the target in the first place. For this reason, it is prudent to conduct a comprehensive codebase scan that evaluates factors like security, coding practices, developer metrics and intellectual property risk, among others, prior to the deal closing. This data can then be used to gauge the relative technical debt, such that deal teams can roadmap and prioritise immediate remediation efforts against less urgent focus areas.

Van Itallie: If almost every company is a software company, then the corollary is that almost every tech M&A deal comes with software levels of risks. And those risks are large. Code with security risks can create huge reputational risk. Code with intellectual property risks, due to the misuse of third-party code, presents substantial legal risk – even though this practice is common and rarely intentional. Perhaps most importantly, having low code quality or not having the right team can bog down the product roadmap, slowing down the product by months or years. The opportunity cost of this is enormous. It is not uncommon for a software deal that goes wrong to cost more than two or three times to remedy than that of the transaction, just based on the software alone. Code is complex and often the necessary experts are unavailable. As a result, technical due diligence (TDD) – understanding the risks, strengths and costs of remediating software assets – is included in the vast majority of software M&A. TDD is carried out by in-house or external specialist consultants. In the past two years, software that supplements team-based TDD has exploded. Comprehensive codebase scans, which analyse multiple components of a codebase including security, core quality and team, have grown from $0 to $150bn of deal volume in under two years. The good news is, with the right TDD support, evaluating tech risks can be treated just like other components of the diligence process. Code risk and cost of remediation can be translated into financial implications. The ‘key person’ risk assessment associated with coders is no different than for other departments, except that software development may have more, and more unexpected, key people who extend deeply into the organisation. What is essential, however, is that the TDD consultants and software solutions are able to translate between the worlds of tech and non-tech.

If almost every company is a software company, then the corollary is that almost every tech M&A deal comes with software levels of risks. And those risks are large.
— Matt Van Itallie

FW: In your experience, do acquirers or investors abandon deals due to problems found in a codebase?

Van Itallie: About 10 percent of deals are abandoned due to software risks, although our proprietary data indicates that this number may be rising – December 2021 was the highest month on record for deals abandoned. The most common reason for a deal to be abandoned due to tech is the exit of the subject matter expert coders. Think back to the analogy of the financial model – not having the creator of the financial model is quite costly and painful. When a TDD reveals that many of the most important contributors to the code are no longer at the company, this is a frequent reason to decline the deal – the risk is too great that the codebase cannot continue to be maintained and improved. The second most common reason is when a codebase gets low scores across the board, not only engineer retention, but also code quality, security, intellectual property risk and the process of software development. In situations like this, there is usually a larger issue at play – typically not due to the engineering team but because of broader companywide or sales and financial issues.

Ewing: While codebase issues typically do not result in an abandoned deal, technical diligence can bring to light weaker areas of a target business that may otherwise be overlooked. The actual underlying architecture and source code are only a piece of the solution provided to a customer. If these areas exhibit significant shortcomings, we have repeatedly found evidence that there are more than likely significant problems spread across the rest of the organisation.

FW: In tech-driven deals, how important is it to retain key talent to maximise value? Is it now possible to craft retention agreements that adjust based on the quality of individual engineers?

Ewing: It is crucial to understand an organisation’s talent retention to forecast how well they will be able to maintain, upgrade and extend their codebase. Technology reports provide detailed analytics exploring a target’s knowledge distribution. By analysing multiple aspects of an organisation’s knowledge coverage, the risk associated with specific team members leaving the company can be quantified. Many deals involve a ‘golden handcuff’ clause for key contributors to be retained for their extensive knowledge of the codebase, the languages used, the architecture of the application and, especially, their industry experience. Equally important in discussions of talent is the extent to which a third-party development shop was utilised in the product build.

Van Itallie: Not having the subject matter expert coders around is a major risk factor for the health of a business. Technology innovations now make it possible to identify ‘highest importance’ developers. Specifically, automated solutions can look through the history of the applications – which can stretch back five, 10, 20 years or more – to identify the critical knowledge keepers. Software is a good balance to the perceived wisdom of who matters most, which is fraught with all of the usual human biases about recognising performance. Once identified, there is nothing magic about the nature of the retention agreements, just that the important developers are rewarded and encouraged to stay regardless of their title or level in the organisation.

FW: Given the significant rise in cyber security risks, are you seeing more representations specifically address this issue? In your opinion, how should cyber security risks be assessed and managed before closing?

Van Itallie: The clearest example I see of the rising importance of security representations in the diligence process is the rapid expansion of representations and warranties insurance (RWI), which in turn has led to a doubling of RWI rates. In my experience, RWI insurance always includes provisions for cyber security risks. Risks are assessed through specialist consultancies and automated software that identify major risks, including whether the code is written in a way that lends itself to being hacked. I do think that software has an integral role to play in the security component of TDD – it is not feasible to review hundreds of thousands, much less hundreds of millions of lines of code in the few days or weeks provided for diligence in a manual manner. Automated software produces a summary of the size and scope of those security risks that is not possible to generate another way. As for managing those risks before closing, we always advise those planning to seek an exit or funding that today is always the right day to start improving your security posture in advance of a future diligence process, even if the expected M&A event is months or years away. But the good news for code owners is that significant security issues are not necessarily dealbreakers. Every codebase comes with some security risk. It is not possible to ship code on a regular basis without generating some security risk. If the code were perfect it would never be released. As a result, security risks on their own are rarely dealbreakers. Identified security risks, if not too severe, can be managed through contract provisions and insurance, and the remediation plan can be agreed to be carried out in the months after a deal closes.

Ewing: Cyber threats have had material impacts on the valuation of deals, particularly if sufficient risk mitigation is not attainable prior to closing. I would recommend a two-pronged approach involving both a code security scan and a penetration test. These practices identify line level issues and accurately assess how exposed the codebase is to external threats. Ultimately, I advise having a plan of action for dealing with risk and enacting remediation prior to the deal closing to ensure everyone agrees on next steps.

Understanding how the technology of an organisation is used to support its customers, or how that technology is used by customers directly, should be a staple of M&A diligence going forward.
— Jason Ewing

FW: What essential advice would you offer to acquirers on undertaking effective IT technical due diligence to manage associated risks?

Ewing: Effective technology diligence requires a combination of quantitative and qualitative data to provide a comprehensive overview of an organisation’s codebase. Starting with a data-driven approach provides deal teams with metrics around how an organisation functions, but more importantly may identify trends across the business. Leveraging this data to ask more knowledgeable questions makes discussions with the code owner even more valuable and exhaustive.

Van Itallie: Finding or teaching the right TDD consultants, whether in-house or through external consultancies, is essential. Great consultants are worth their weight in gold, given the rarity of the skillset – those who can quickly identify codebase risks, triage them based on business impact and explain them to non-technical audiences – and the business impact of getting deals right. Also, the best practitioners of software M&A rely on software to augment their consultants’ work. I use the analogy of sales diligence. During a diligence process, the potential buyer will interview sales team members, hand-review contracts and talk to customers – essential, qualitative work that is interpreted by subject matter experts. But in 2021, and now 2022, it would be unheard of for a sales consultant to only rely on qualitative assessment and not use the quantitative results of the sales data itself from a customer relationship management system. Qualitative and quantitative data together is a must have. This trend is also happening in tech diligence. TDD led by consultants and enhanced by software has exploded. We expect within two years that deals without a quantitative, software-based scan will be in the small minority.

FW: Going forward, as more deals are focused on technology aspects, do you expect to see a rise in demand for IT technical due diligence? To what extent is it likely to become an integral, indispensable part of the M&A process?

Van Itallie: Demand for TDD consultancies is at an all-time high, which I expect to continue in 2022. If you have great consultancies already, guard them at all costs. In turn, this demand has led to a significant increase in automated software-based scans to supplement the scarce resource. We expect that automated codebase scans will continue to grow as a percentage of deals – though if codebase quality is a ‘medium’ or ‘high’ level of importance in their deals, however they would define it, then TDD is a must have. And the number of deals that fit these criteria continues to rise as software eats the world.

Ewing: As technology penetrates every sector and industry in the modern market, the growing need for technology diligence is undeniable. Companies are leveraging technology either directly through proprietary code development or indirectly through software tools that simplify processes and workflows. Understanding how the technology of an organisation is used to support its customers, or how that technology is used by customers directly, should be a staple of M&A diligence going forward.

Jason Ewing has over 20 years of enterprise SaaS experience, with a technical focus in development and product management. He has led implementation efforts and implementation teams serving numerous Fortune 500 companies. He currently serves as Sema’s general manager of Codebase Solutions where he and his team have written and delivered hundreds of technical diligence reports. He can be contacted on +1 (512) 789 1148 or by email: ewing@semasoftware.com.

Matt Van Itallie is the founder and chief executive of Sema. Prior to founding Sema, he was an operating executive for Vista Equity Partners portfolio companies, the chief analytics officer for a $1bn public sector agency, and a McKinsey consultant. He can be contacted on +1(202) 309 8703 or by email: mvi@semasoftware.com.

© Financier Worldwide

THE PANELLISTS

Jason Ewing

Matt Van Itallie

Sema

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.