It’s hard enough to perform M&A due diligence for IT when you’re on-site; imagine, then, the challenges you’ll face when the acquisition target is far away—or totally inaccessible, due to a pandemic lockdown.
In this article, we’ll start with the basics. We’ll review precisely what “due diligence for IT” is. We’ll discuss why it’s so important—and so often overlooked. We’ll talk about how IT due diligence is traditionally performed on-site. And then we’ll conclude with ways to pull it off effectively during a lockdown.
What exactly is “due diligence for IT during M&A”?
First things first. We purposely mis-phrased the above headline a little to help make a point. Due diligence doesn’t exactly happen during M&A; more accurately, it happens before M&A. This is when an acquiring company (we’ll call them “Company A” in this article) seeks to investigate a potential target acquisition (“Company B”), prior to actually striking a deal.
A little M&A 101 here: Due diligence, as its name suggests, is required so that you know the true value of the company you’re seeking to buy. You want to be assured that you can harvest value, as quickly as possible, from the deal. Conversely, you want to avoid potential landmines or hidden costs or delays.
Now drill down to IT. You’ll want to know everything you can about Company B. You want to understand the investments they’ve made. You want to gauge the maturity of their IT operations, their in-flight projects, their cybersecurity posture. You want to identify their star IT players, as well as their not-so-hot players.
Although the reasons for this are obvious, here are three you really need to remember:
Who gets involved in IT for M&A?
That’s a loaded question. Because we can really ask it two different ways:
Let’s start with the first question. In Company A, this would be the C-suite and the board. There will be project managers. Line-of-business leaders. The head of R&D. The person running the sales organization.
And then there will be the advisors. There will be the transaction attorney, who’s there to shore up the needs of Company A’s internal general counsel. Company A’s CEO will have a financial advisory, which does its own portion of due diligence. And then there’s almost always the business management consulting firm, to advise the CEO and his/her team on the potential synergies of the merger, and to guide the PMI. Many of these firms will “go a mile wide and an inch deep”; in other words, they specialize in strategy more than tactics and execution.
So who was missing from this cast of characters? In other words, “Who traditionally gets left out during IT for M&A?”
You guessed it. IT.
IT due diligence and the issue of trust
A big-name consulting firm will certainly include “an IT strategy” for the acquisition as part of the due diligence; they’d certainly be remiss if they didn’t.
At Ensunet, we’ve seen lots of these. We’ll sometimes refer to them, somewhat jokingly, as "the $500,000 PowerPoint." It will look very slick and detailed, but it necessarily lacks executional details. All of that will eventually get dumped onto IT—from both Company A and Company B.
Indeed, the half-million-dollar slide deck will never dive into details: the “as-built architecture” of Company B, a.k.a.its “present-state diagram” or “logical layout” or whatever. That’s crucial information: It includes everything from physical racks of equipment to the tracing of where data resides, how it moves, how it’s secured (or not!), and what systems, people, and applications it touches along the way.
Consider this conundrum: Had the consultancy simply sat down with the IT leaders of Companies A and B, they could have delivered a $150,000 PowerPoint, with far better detail, and much more realistic odds of timely, on-budget execution.
But that almost never happens.
You might want to blame the consultancy, but don’t be so fast. They get their marching orders from the CEO of Company A, who never had sufficient trust in the company’s own IT leadership to give them a seat at the table beyond their quarterly “report-card updates” to the rest of the C-suite. Too often, then, a CIO is “C” in name only.
Trust is a two-way street. The CEO must extend it; the CIO must earn it. So there are failures in both directions; keep that in mind as we now shift to the core topic of this article: remote due diligence.
Traditional IT due diligence
You can’t really discuss “remote” until you understand “on-site.” Very briefly, when Ensunet engages in IT due diligence, it goes something like this:
We’ll provide Company B’s IT leadership with a massive (we’re talking 1,000 items) questionnaire, typically in Excel sheet form. This asks them to inventory all of their hardware, systems, and contracts. We’ll also interview them. We find out how they’re organizing and deploying things. How are they managing their dispersed devices such as laptops and company phones? How are they keeping systems current and patched? How are they validating this?
We’ll also go on-site. We’ll interview leaders and line workers. We’ll not only get information, but opinions and attitudes. Who are the star players, the ones who are eager to help? Who are the ones who push back, who a reluctant (or unable) to answer basic questions?
Similarly, we’ll take a good look around. Basic cable management, for example, is a metaphor for upstream organization. Peek behind those server racks: If all of the cables are neatly routed, labeled, and color-coded, that’s a pretty good indication that they’ve got the rest of their house in order. The opposite, unfortunately, is true, too.
Nontraditional—remote—IT due diligence
If a Company B is across the country, we’ll sometimes recruit a trusted local partner to go on-site for us, and report back their findings.
But things are clearly more complicated than that these days. During a state of pandemic-mandated lockdown, you can’t get into that server room. But there are things you can do.
Simply engage Company B’s IT leaders and staff virtually. Do a video call with them—whether via Microsoft Teams, GoToMeeting, Zoom, or whatever—and ask them the questions you’d ask in person... and also ask them to give you a “virtual tour.”
You’d be surprised how much this can reveal. That person who would be shifty or cagey in-person will act exactly the same on-camera. What if they “take you into” the server room, and suddenly they’re dripping with perspiration? That’s a clue that the air-handling there may not be meeting the needs of the equipment—or the staff! Speaking of dripping, ask them to “look up” and show you the ceiling. Do you see any air conditioning ductwork that’s wet with condensation? That’s not a good thing to have, especially above sensitive electronic equipment.
Ask them about “shadow IT”: the un-official additions that line workers often add, as an end-around without IT’s blessing. This equates to consumer-grade storage drives or devices, stashed under desks... rarely backed up or protected.
Think like a detective. You need to gain the interviewee’s trust, because you’re not sure what they’ll reveal. You can ask an innocent-sounding question, such as “How many Windows 7 devices are on the network?”, and when the answer is anything other than "None!", you've just scored some serious due-diligence points. Similarly, pay attention to details. If you request a document, do they simply email it to you in the open? Do they host Zoom calls without a password? All of these are “tells” that will ultimately impact the value of the deal.
At Ensunet, we understand the nuances of IT for M&A because we’ve supported billions in PMI activity. We can help you, too. Download our free M&A IT Playbook & Integration Checklist. Or contact us today for a free, no-obligation consultation with one of our friendly subject-matter experts.