Know what to look for, and what questions to ask
Any company in your acquisition crosshairs has its own IT environment. But beware: that’s the very part of the deal that can hide the most risk. Even the most seasoned due-diligence pros can overlook the subtle warning signs that may be hiding in plain sight, to the detriment of the deal, the to-be-combined company, and shareholder value.
In this article, we’ll take a look at some of the things to look for, the risks they represent, and—importantly—how to mitigate them. It’s based on our experience in supporting over $4 billion in mergers and acquisitions in this field.
(Want a quick cheat-sheet? Download our free post-merger integration, or PMI, checklist now.)
How secure is their security?
You won’t be shocked to learn that “cybersecurity” is the paramount issue when it comes to buying a company. But the devil is in the details. You have to know where to look, and what to ask. For example:
- How mature—or immature—is the target company’s enterprise risk management program? What about the protection of their assets and data?
- How far along are they in terms of implementing a cybersecurity program? Can you trust what you’re being told?
- Has there ever been a cyber breach? Do they even know? If so, would they admit it to you? And if there was a breach, what was the impact?
- Vitally, how well have they informed their employees of all cybersecurity issues?
You might be surprised to learn that cybersecurity isn’t so much a technical challenge as it is a cultural one. Every rank-and-file member of the target company is a vital link in the chain of custody of their (and soon your) crucial data. How are they protecting it as it moves from place to place? Are they simply sending attachments in the clear? Are they using encrypted email? How are these policies being promulgated and enforced?
And that’s just the tip of the iceberg. If they’re putting a connected device out into the marketplace, it might represent an unrecognized chink in the company’s armor. We’ll talk more about that in an upcoming blog.
What are the risks?
Certainly, if you’re in the due-diligence phase of an acquisition, you’ll be thinking of the possible IT risks. But many have spillover effects. Consider:
- The ticking clock. There may be a breach that no one even knows about yet. The company’s data may have been exfiltrated to China years ago, for all you know. You don’t want to buy a company that’s already relinquished its data to a competitor. In other words, you need to sniff out and uncover any possible breaches now.
- The compliance pitfall. We recently worked with an industry-leading device-maker whose ERP (enterprise resource planning) system was government-regulated. Yet we discovered that they hadn’t properly documented recent changes and updates to the system. The risk? The government could have, had they wanted, come in and shut down the business. We quickly cleaned up the end-to-end processes and instituted an auditable working model that would satisfy regulators.
- The costs. If you’re caught unaware by IT issues in a company you’re acquiring, the problems can translate to warranty issues. Costly IT fixes. Delayed integration and loss of value. Lost productivity. And reputational risk, to their brand—and yours.
Where the truth hides
You may have the good fortune to be buying a company whose CIO is candid and forthcoming: “Here are our last ten years’ worth of opportunities, successes, failures, lessons learned, and outcomes.” Wouldn’t that be nice?
More common, however, is an effort to hide the truth—at multiple levels within the organization. We’d mentioned cultural implications; this is a “me” issue. Amid the whirlwind and rumors of a possible company sale, rank-and-file employees often fear for their futures. They won’t want to tell you, for example, that R&D’s efforts have been siloed from internal IT. In other words, you’ll have to find out for yourself.
Typical IT due diligence includes an inventory of hard and soft assets: people, hardware, software, systems. But you want to dive deeper. You’ll need to understand processes and culture. This level of investigation typically doesn’t happen during an acquisition. But it should.
You’ll want to conduct an audit, at different levels of the company. Most due-diligence teams only speak to the CIO. But that’s just one perspective. You’ll want to talk to line-of-business managers and individual employees, too. Scared that they’ll hide their “me” issues? Here’s how to get around it: Ask them for a “test drive” of their typical day and efforts. This will reveal the development lifecycle process, along with any gaps therein.
Similarly, ask the leadership what they’ve done, cybersecurity-wise, in the last 24 months. How many training sessions? Lunch-and-learns? What’s on the company intranet? How are they serving their user community and educating them? If you get lots of good info, great. If not, the silence will be deafening.
In a perfect world, you’ll find complete alignment at the C-level, middle-management level, and rank-and-file level.
But the world’s not perfect. Forewarned is forearmed.
Do you have questions or concerns about IT issues in the acquisition or integration process? Contact Ensunet today for a free, no-obligation initial consultation. And be sure to download our PMI checklist right now.