For private equity and corporate acquirers, identifying and assessing technology that can affect capital allocation and growth potential is critical during the diligence process. Technology risks can consume significant post-deal investment or impair long-term revenue gains.

On the buy side of a deal, this information can validate the asking price for an acquisition, or open one or more avenues for negotiating a better price (e.g. weak cyber defences that need investment). On the sell side, this process ensures that tech can be presented in the strongest possible light (e.g. a scalable and secure core platform). In fact, a sub-standard technology due diligence effort can increase the risks, reducing the value of any transaction.

Quality technology due diligence doesn’t happen by accident. RSM Australia’s team has both the operational and technical skills, combined with real-world business experience and tools to identify risks and quantify remediation needs. We can also highlight investment opportunities and target revenue or margin growth areas.



Technology due diligence is valuable when technology and data are a source of value creation and it should be considered alongside the following factors:


  • Technology and data underpin core business operations. For example: Consumer finance lender.
  • Business plans require technology to scale (e.g. product or market diversification). For example: Technology start-up.
  • Technology differentiates the business from its competitors. For example: Industry disruptor.
  • Technology relies on key staff or third parties to design, build, maintain and support. For example: Platform business.
  • Loss of commercially sensitive business or personal data could cause significant damage. For example: Insurance broker.
  • Digital transformation is planned or ongoing, and ties to future revenue and cost projections. For example: Online retail.

For technology businesses or businesses that make use of highly customised applications and platforms (e.g. financial services and retail), we can examine the product management, application architecture, infrastructure, development processes and operations, and technology team to identify deficiencies or strengths, while recommending remediation options or commercial software alternatives.

For market-facing technology, we assist with differentiation analysis to identify the commercial opportunity and relative cost to replicate, helping buyers understand the company’s defensibility.

Once an investor understands the value of the assets and has an idea of the threats, it’s important to identify the different means through which those threats can damage the business value. Finally, an investor should assess what controls the business has already implemented to manage those risks. IT due diligence will help buyers and sellers alike to answer the following questions:

  • What are the critical assets from a data, infrastructure and brand reputation perspective?
  • What threat actors may be motivated to damage the company?
  • What are the quantified and prioritised IT risks associated with the company’s critical assets?
  • What is the financial loss exposure from identified risks, including the regulatory penalties if a risk event occurred?
  • What does the road map to addressing IT concerns and the pricing for remediation efforts look like?



Our buy and sell side approach to technology due diligence accounts for deal timing, deal rationale, and specific focus areas. Technology due diligence is progressed using a phased approach to reflect findings:

Fast start – We provide a high-level overview of the technology environment (core systems through to strategy, organisation and governance), and identify potential areas of risk and investment opportunities.

Deep dive – We provide a detailed assessment and deep dive into specific areas of focus, such as identifying the commercial opportunity of a platform, business capabilities, and alternatives available.

Cyber and privacy – We deliver a detailed assessment to reveal the risks and potential costs that insecure systems, immature security processes, or inadequate data handling may create. Cyber due diligence involves a quantitative risk assessment to estimate the financial loss exposure of a target and develop an appropriate mitigation strategy.

There’s no question that IT due diligence is paramount, but private equity firms need to make sure they are prepared to deal with threats and potential issues on a go-forward basis as well. Immediately after closing the deal, the buyer should execute the plan developed through IT due diligence and remediate those risks that could be exposing the company to significant losses. Unfortunately, cyber security is not a one-time investment that can then be forgotten. A trusted third party should be engaged to set up an enterprise-wide risk governance program to provide visibility into cyber security risk throughout the holding period and beyond.

RSM Australia can mobilise quickly and work closely with our financial due diligence colleagues to provide an integrated diligence report.