Assessing an Acquisition’s IT Capabilities: “What’s in Your Portfolio”

Why do I need to think about assessing the IT capabilities of an acquisition?

So you just acquired a company as part of your growth, diversification, or some other strategy. The new company along with its LOB (line of business) expertise comes with an entire IT infrastructure that was thus far responsible for supporting the acquired company’s information needs only. While a great deal of due diligence goes into understanding the viability of the business and its value the same level of rigor is typically not applied to evaluating its IT infrastructure and support staff. In order for the two companies to work together well it is important to understand the capabilities of the two IT infrastructures and how to best integrate or not integrate them. If a detailed and careful plan is not put together to understand the capabilities and assets of the new acquisition you risk inheriting a vulnerability that can spread throughout the larger organization or risk stifling a capability that really should be promoted to the larger organization.

Why you need an independent perspective?

Sometimes companies use their own internal staff to assess the target or recent acquisition. The problem with this approach is that these assessments can be tainted by hidden agendas, lack of impartiality, and departmental politics. Entrenched interests can also slant information one way or the other as it passes up and down various departmental hierarchies.  I was part of a software company which wanted to acquire another software company with similar technology. Our own internal research and development department was tasked with the assessment of the company’s technology. Quite understandably the leaders in the R&D group thought it was inferior to what was developed in-house even though that was far from the reality. The key decision makers involved in the deal, including the CEO and the board of directors, were getting conflicting accounts of the reality and did not know whose version of truth to trust. This is where an independent perspective from external consultants can come in handy. They often face less resistance when digging around and are able to see beyond the personal bias and the “ugly baby” syndrome. A fresh perspective can also help see the forest from the trees which can sometimes be missed by the people who are working on the trees on daily basis. I came across another post acquisition assessment where the management was told that acquired company’s technology and custom developed software was topnotch. Upon further investigation we discovered that the most of the custom software was developed in a little known RAD development environment and less than a handful of people in the company knew how to maintain it. While this creates tremendous job security for some it creates a significant risk for the company. In another situation credit card numbers and all other consumer related information was stored in a database unencrypted!  Stories like these are all too common and point to the need for an independent perspective.

Is it too late to do an assessment after the deal has been signed?

During my days as a consultant I have primarily come across two types of assessments: pre-acquisition and post-acquisition. Pre-acquisition assessments are important where IT infrastructure is a primary part of the value of the business being acquired (software companies, online businesses, etc.). The focus of a pre-acquisition IT due diligence assessment is primarily on ensuring that the IT assets are as good as they have been portrayed,  that they are capable of supporting the business objectives associated with the acquisition, and that there are no hidden risks that will require significant expense to remedy after the buyer takes ownership. For example can a wildly successful but local online service be introduced in a new geographic region with a new language, currency, tax and privacy laws, etc? Post-acquisition assessments are important when the prime value of the acquisition is derived from the LOB (e.g. selling insurance policies, financial management, etc.). The focus of this type of assessment is typically ensuring that IT infrastructure is solid enough to continue to support the business; there are no vulnerabilities that can jeopardize the combined entity, finding areas of excellence to propagate, finding redundancies, and figuring out an integration plan. It is always good to get an outside assessment done before the deal is inked however, if that doesn’t happen it is still very important to at least get the post-acquisition assessment and planning done.

What kind of acquisitions can benefit from an assessment?

These days even small companies whose business does not directly intersect with information technology rely on some sort of back-office IT infrastructure to run their day to day operations. A back-office infrastructure may contain email servers, phone/fax servers, internet gateways, website servers, database servers, LOB applications, etc. A front-office infrastructure may contain client facing applications, online portals, CRM applications, LOB applications, etc. As the number of servers and employees grow the need for proper management and use of sound practices to manage them become more important. If access to IT infrastructure such as LOB applications, databases, email, website, etc. is essential to the daily operations of your business it is vital to ensure that proper assessment of the potential risks is done and the IT assets are managed properly.

What are some of the key aspects that should be examined during an assessment?

Start with creating an overall blueprint of the IT assets and how they interact with each. You would be surprised to learn how often such a fundamental document does not exist. Look at the hardware/software redundancy needs to provide the needed uptime to the business. Determine what disaster recovery plans exist, when they were last tested, and what kind of situations they can handle. Examine the security risks and ensure that the security practices match or exceed the required level of protection warrant by the business. Does the infrastructure have the capacity meet or exceed the demands placed by the peak loads and growth in the business? Examine the hosting environment for security, redundant power, redundant internet, redundant cooling, proper fire suppression, etc. Ensure that hardware and software assets are not so old that they are longer supported and can’t be upgraded. Is the technology stack compatible with the umbrella company’s technology stack? Are they any strange or esoteric practices or standards that could introduce risk? And never forget to identify practices, technology, and people (centers of excellence) that can benefit the entire organization and should be propagated to the entire company.

Reviewing security policies and procedures is another key aspect of the assessment. The risks associated with a weak security structure are obvious and too numerous to describe here. You need to not only think about electronic and online security (firewalls, virus and spam filters, internet intrusion attacks, etc.) but also about physical security. Most companies tend to neglect one or the other and sometimes both. In today’s environment the physical as well the data security should be considered a top priority for any IT assessment. The risks are high no matter what business it is, including legal consequences and public embarrassment.    At a fortune 500 company where I once had the privilege to work became a victim when half the office noticed that there computers were running slower than usual. Upon further examination it was discovered that each computer was missing half the memory chips that they had. Someone had simply walked in after hours before the lock-down, removed memory, and walked away. At another client site we discovered that they have neatly documented their security policies and key passwords but the passwords for all the accounts were exactly the same!

Depending on the industry you work in you may also have to worry about compliance and regulatory issues. For health care industry you have to worry about HIPAA compliance. All personal information and medical records have to be protected according to the guidelines of the HIPAA act. All publicly traded companies have to be in compliance with Sarbanes-Oxley act (SOX). Even though the SOX act never mentions the word software the audit trails and record keeping required by the act ensures sizeable investment in IT infrastructure and processes to manage it. There are various other acts and standards like the Patriot act, DOD 5015.2, SEC regulations, ISO standards (9000, 15489), etc. that may apply based on the industry and business practices. Sometimes the process may be even more confusing and harder when acquiring companies in different countries or different states where the local laws are not the same. All of this means that you must ensure that your new acquisition does not expose you to compliance issues that you didn’t have to worry about before.

How do we plan for the joint future?

Now that you have good handle on what you just acquired you need to plan how you are going to move forward. You need to think about cost saving opportunities by consolidating sites, hardware, and other resources. You need to think about standardization of software, hardware, and operational practices. You will have to decide how want to handle common branding and identification issues such as email domain names, website, central call-in numbers, etc. You will need to examine what support contracts and license agreements exist and how they need to be modified as part of the larger organization. The integration with the umbrella organization needs to phased in and timing needs to be planned carefully to minimize impact to the business. A combined successful and seamless existence doesn’t happen on its own it needs to be planned and carefully executed. If your company is planning to grow through acquisitions you may want to create a process for assessing and integrating new acquisitions based on your current experience.

If the business you are acquiring is being carved out of a larger parent company, you also need to plan for a migration plan off of the services that the parent company is offering during the transition period.  There are further complications if you intend for your new acquisition to be platform company to which you will add other newly-acquired companies over time.

Some interesting M&A Stats

I just took a look at a news item that arrived in my daily  PEHub Wire news roundup: Gotham Consulting Partners’ private equity survey on value creation.  While I’ve only had time for a quick read, three things jumped out at me immediately.

• 6% of the time spent on due diligence is spent on IT systems. This seems low, especially in light of what the rest of the survey says about value creation. A figure of at least 10% would make much more sense for PE firms that are serious about driving operational value creation initiatives.
• Post-merger integration does yield greater than expected results, according to survey respondents. A logical extension of this thought would be to begin integration planning early, to achieve those results as quickly as possible after the close.
• Most firms are relying on standard financial and operational reporting as tools for managing their portfolios.  However, among the more active methods of portfolio management cited, shared purchasing /shared services is the least used among the respondents.  However, a followup question listed shared purchasing/shared services as one of the two active management techniques that yielded better than expected results.

There is a lot of great information in this survey, but at a high level, it points to the need for further changes in approach both before and after deals close. More time spent vetting out risks at a deep level within operations and IT, rapid integration, and new approaches to active portfolio company management could drive these results in a different direction when the 2010 survey rolls around.

IT Due Diligence: Human Factors

A key task during IT Due Diligence is assessing the strength of the IT leadership team. Martha Heller, in her recent article in CIO, defines the SVP of Technology and Operations as a cool new role and career path for CIOs. 

We’re always a bit relieved when we see this role on the org chart as we begin an IT Due Diligence investigation, but of course we do a bit of probing to determine if the wearer of the title truly has what it takes to lead the organization through the 12-18 months of rapid business change that should follow any M&A deal.

Several clues to the real quality of the SVP of Tech and Ops leadership can be found by:

1. Asking for and reviewing the business case or strategy document for any recent significant technology initiative. Big red flag if they can’t produce one at all.
2. Determining if the overall architecture is documented, and under change control from all required perspectives: software, hardware, information, and business process perspectives.  The SVP loses points if the documentation doesn’t exist or doesn’t account for planned future implementations of business and technology changes.
3. Snooping around for departmental application or information silos. This usually takes some field work, as the IT leadership’s architecture documentation may not reveal what all the business units are hiding in remote offices.

Other factors come into play as well, but these are the top three, because they are the most important ways an effective technology and operations leader can turn IT from a cost center into a true business asset and an engine of growth.

Convergence

Over at The Enterprise, there is an interesting report on the recent Alliance of Mergers & Acquisition Advisors Summer Conference. It brings into convergence two categories of interest here at the Edgewater blog.

On the M&A side, the summary points to a current climate that demands more rigorous due diligence. It has a caveat for buyers concerning deffered capital expenditures, and this is certainly something we look for (and found on some of our recent IT due diligence engagements) when analyzing the IT landscape for hidden risks.

The more interesting content in this article concerns the convergence of M&A and Web 2.0, however. The post cites Web 2.0 and social networks as a means to bring together buyers and sellers and reduce transaction costs by making it easier to find specific talent to work on an acquisition. We’ve certainly noticed this trend on sites like LinkedIn, where buyers and sellers are trying to connect on the M&A Answers forum.

IT Due Diligence for Distressed Acquisitions

For many deals, IT Due Diligence resembles a home inspection. The goals are to identify and mitigate risks prior to closing and to develop cost estimates for addressing risks.  The IT Due Diligence Team looks to see if disaster recovery plans are in order, the com­pany is in compliance with software licenses, and whether internal controls exist.  With a distressed acquisition, there are larger risks that must be addressed.  Acquirers don’t want to be saddled with an IT organization that dooms the corporate turnaround before it starts. Before moving forward, the deal team needs answers to questions such as:

• Where do opportunities exist to streamline, consolidate, and optimize IT operations?
• Which IT expenditures are aligned and which are not aligned with business objectives?
• Which pending projects and expenditures are of questionable value?
• What’s the order of priority of pending projects and expenditures?
• How do IT costs benchmark against industry standards and how can they be driven below benchmarks to spending levels more appropriate for the turnaround period
• Are investors paying too much for IT assets?
• Are non-tangibles (like data repositories) properly valued — can they be monetized?
• Are service level agreements and contracts with vendors adequate and enforced?

After the deal closes, there will be new opportunities to improve the effectiveness and alignment of IT operations — improvements any future buyer will likely view as table stakes in evaluating corporate value.  One example is management dash­boards for better performance visibility and fact-based decision-making.  Just the sheer presence of such tools says much about the quality of the management.  But what they enable management to do has an even greater bearing on corporate value — monitoring key performance indicators that show how well management’s turnaround initiatives are actually succeeding day-to-day.  Moving forward without such tools puts the turnaround at risk, because there are no tools in place for fact-based decision making within short timeframes.