In this first blog of our technical due diligence series, we explain why IT and business process assessments are essential to due diligence and should be part of your standard due diligence protocols in any acquisition.

---

Part of a blog series.

Today's rapidly changing business environment creates opportunities for mergers and acquisitions. It's no secret that due diligence is a critical part of the merger and acquisition (M&A) process. Used to vet companies for potential investments, the due diligence process allows an organizational buyer to ensure the goals, culture and strategy of a future combined business closely align for their success.

Increasing company valuations and uncertainties to changes in corporate tax rates are driving a rise in mergers and acquisitions. Equipping the people in your organization with the right talent, capabilities and capacity is essential to a successful growth initiative through acquisitions.

Why Should Business Process and IT Be Part of Due Diligence?

Due diligence, business process and IT protocols are as important as the review of general company information, company management and employees, financial statements, legal matters, products and services, and competitive analysis. A common misconception is that if a company is operating profitably today, they have the appropriate processes and IT systems in place to sustain the business and support future growth opportunities. Often, this isn't the case, and an early evaluation can help the acquiring company avoid deal-ending pitfalls or high unforeseen expenses. Understanding the relationship between key business practices and IT is crucial in evaluating whether merger discussions should move forward, as some process and system gaps may be too costly to achieve targeted returns. Further, understanding a target company's IT risk posture will uncover potential investments needed to shore up weak security defenses. Buyers should identify, evaluate and confirm business practices and the company's IT infrastructure early in the technical due diligence process to assess potential risk and value, if any, to the proposed business merger. Additionally, executives should think about a high-level integration plan to help lay out the transition to a new, combined company.

Due Diligence Business Process and IT Evaluation Activities

Several evaluation activities can help ensure a successful merger. This includes an understanding of:

• Business process and IT system compatibility
• Time available to complete the review
• Technology opportunities
• Merger data room availability
• Nature of business relationship (friendly or adversarial)
• Resources available (internal and external).

Taking a deeper dive into the process will help shape the nature and scope of the due diligence evaluation plan.

Compatibility Between Acquiring Company and Target

There are a few questions to ask yourself before merging.

• Do manual or automated solutions support their critical business processes?
• Does the company use spreadsheets, or do they manage processes with something more automated?
• Do they manage their databases in-house or through a third party?
• What is the makeup, quality and accessibility of data?
• What are their cybersecurity and other IT risk vulnerabilities?

It's important to note that even if businesses have the same or similar systems, it doesn't always equate to compatibility. Frequently, a business highly customizes solutions to suit their specific needs. It's also important to understand how a company deploys its IT systems to meet your company goals, whether those come through scaling, automation, synergies or other growth activities. Creating a transition plan for how you will integrate and share information post-merger and for how you will standardize best practices will be important to the merger's overall success.

Conducting an In-Depth IT System Evaluation

By proactively identifying critical issues and risks, an acquiring company is in a better position to strategize and develop a thorough mitigation plan. In addition, an assessment's findings can often prove helpful in negotiations. A comprehensive technical due diligence assessment weighs the following questions:

• How effective is the IT infrastructure to business architecture and operational performance?
• What documentation of current IT systems and hardware infrastructure exists?
• What are the licensing requirements?
• What do the IT governance protocols and documentation encompass?
• What cybersecurity protocols exist?
  • Is there a regular testing protocol in place?
• Does a Business Continuity Plan exist?
  • How comprehensive is it?
  • Has it been tested?
  • Is there a periodic testing process?
• Is there a dedicated IT capital budgeting process?
  • How robust is the budget?
  • Does a backlog exist on open capital projects? If so, what are the implications?
• What are data center and cloud environment implications?
  • Is the data center located on-site, remotely, or both?
• What is the server structure?
  • Is the company using virtual servers?
• How old is the IT hardware and software?
  • Are there any defined replacement or upgrade plans?
• What backup, recovery and disaster recovery protocols exist
  • When was the last time they were used or tested?
• Are there any propriety IT systems that require a carve-out of value during due diligence?
  • Do they require specialized skills to support?
• What is the level of customization to IT systems?
• What is the frequency of IT software updates?
  • What testing protocols exist?
  • Is there documentation of test results and approvals?

Be Thorough in Business Process Documentation Analysis

Similar to IT system evaluation, taking stock of business processes is a critical step in the due diligence process. You should place particular emphasis on this step when companies are required to follow regulatory or other compliance rules, such as Sarbanes Oxley (SOX), GDPA, HIPPA and more. Another key analysis centers around the company's handling of business process write-ups, process flow documentation, integration of business processes with its existing systems and infrastructure and how they maintain documents. Understand the business process testing frequency and the associated documentation of testing results or findings.

People Are an Important Part of Due Diligence

While financial implications are often the central focus of due diligence, it's a mistake to underestimate the significance of one of the most critical assets to most organizations — the people within a company. This step in due diligence will help your leaders make decisions about leadership, capability gaps, skills retention, culture and potential friction points to address. Structure your human due diligence around answering questions related to organizational structure, a skills assessment, key personnel identification, flight risks and personnel overlap. Organizational culture alignment will help the new company avoid employees leaving and long-term attrition due to a cultural misalignment. In many mergers or acquisitions, there are costs associated with retaining key employees, as well as severance implications for those in redundant positions. Identifying and planning in the early stages of your assessment will help you create a clearer picture of the investment's organizational fit and long-term return.

Risk is Part of Any Business Deal

As executives know, risks come with all mergers and acquisitions. When you acquire a target company, your company assumes its liabilities, as well as its assets. When it comes to IT and business processes, evaluate whether the systems are sufficient to continue to operate the business today and allow for the scale and growth you want to achieve. The company may also have something unique that adds value to the business proposition, and you could transition it to other parts of your current business operations. Leveraging these positive attributes will prove valuable in the post-merger integration. Companies are taking a closer look at the impact a critical event, such as a pandemic, could have on the overall company, especially as IT plays a more integral role in defining its internal processes. Business continuity and outside forces that impact it are becoming an increasing part of due diligence. Evaluating key risks helps determine if the combined company can withstand a worst-case scenario. In IT risk assessment, look for internal resources available, compatibility and gaps in IT, security, potential loss of key resources or data, outside vendors and areas where you can create more efficiency. To better understand the risk to the combined company, create a comprehensive list of technology or operational gaps that may impact the transaction or post-deal integration and other potential pitfalls that might present themselves. Each element should answer a question about business or system processes and how it affects the company overall. The answers to these foundational questions may reveal other due diligence questions. While the CIO is the primary player in IT due diligence, this leader will have to work closely with other company stakeholders, those on the IT team, and third-party vendors.

A World of Potential

Evaluating IT and business processes is a critical step in a comprehensive due diligence process. Armed with the right questions and the right team, it will help determine if a combined organization will be a sound, profitable business decision.

---

Ready to get started with IT due diligence? Ask yourself these questions first.

DOWNLOAD OUR ASSESSMENT