In business, growth is king.
For many businesses, growth is often achieved through mergers and acquisitions. However, merging your business with another comes with a host of challenges, which, if not managed carefully, can have a catastrophic impact.
With a long list of things to work through in the m&a due diligence process, you might be forgiven for not paying attention to your target company’s IT setup, which could potentially be a mistake that costs you in the long run. Having an IT due diligence checklist to work through could be the difference between an acquisition that takes your company to the next level and one which leads to failure.
Let’s look at why IT due diligence in mergers and acquisitions is critical for any deal you’re considering.
Defining Terms — What Is Due Diligence?
When we talk about mergers and acquisitions or M&A, we’re essentially speaking about any process involving merging two separate business entities to form one new whole. Due diligence is the act of reviewing every aspect of the new business, from how it’s structured to its financial standing, the assets it owns, its client list, its IT systems, processes and more. It's a process that looks at the liabilities of implementing an m&a deal and assessing the risk to the acquiring company.
IT due diligence is an essential part of this process, involving a comprehensive review of the target company’s technology systems and processes to determine their strengths, weaknesses and potential risks. The goal here is to identify any areas of concern, including any regulatory obligations and make recommendations for how they can be addressed before the completion of your deal.
The Three Types of Due Diligence
Broadly, the act of due diligence covers three main areas:
- Legal due diligence – Making sure the merging of two companies is compliant with the law, that who holds the copyright of any assets is established and that there is no legal impediment to the merger.
- Financial due diligence – Checking the company finances and financial statements to ensure all financial data is being accurately reported and that the company is growing, highlighting any economic issues, i.e., debt
- Commercial due diligence – Does the business sit within an area of growth? How is the company viewed by customers and the public? What services and products are competitors in the same space offering? Does merging with this company make sense at this point in time?
However, there are other areas where it is crucial to do due diligence before going ahead with a merger. These include:
- IT systems
- HR
- Taxation and pensions
- Intellectual property
- Partnerships that the target company may be involved in
- Real estate or private equity held by the target company
Every single area of a business needs to be considered in detail before a merger can happen. Not taking the time to consider every aspect of a business means taking on an unquantified risk and potentially negatively impacting your business and upsetting your stockholders.
The Basic Principles of Due Diligence
The process of due diligence has several principles or characteristics that define it, regardless of what aspect of a business is being assessed.
Any due diligence process should:
- Aim to identify, prevent and mitigate any adverse effects of the merger on those involved
- Understand that risk assessment forms an integral part of the process
- Understand that any actions taken will be prioritized by their risk to the integrity of the merger
- Have a very clear business strategy on how the merger will be implemented and managed.
Why Is IT Due Diligence Critical for Mergers and Acquisitions?
When two companies merge, there is a lot to consider. It’s not just about getting the best purchase price or competitive advantage. Some questions that need to be addressed during the merge process include the following:
- How will staff work together?
- What will the new company structure look like?
- Will some staff be made redundant?
- How will two separate IT systems be merged and then managed?
Business owners may not realize how much the target company’s technology systems and processes can impact their business. The merging of two separate IT systems could lead to a range of cybersecurity risks if done without care and consideration.
If a company has outdated systems or weak cybersecurity measures, this can leave the new company vulnerable to cyber attacks. It could increase the risk of data loss, financial loss and damage to your professional reputation.
Outdated systems will also impact productivity. If your business uses the latest machines and technology to provide a service or product, introducing outdated equipment will slow staff down and ultimately mean a loss of revenue while everyone adjusts. Part of the due diligence process is planning how systems will be merged and updated (if necessary) so that there is as little effect on productivity or earnings as possible.
Additionally, IT due diligence can help identify potential compliance issues. It will highlight if there is non-compliance with GDPR or HIPAA regulations. Non-compliance with these laws can lead to significant fines, legal action and loss of reputation. Understanding a company’s ability to manage its data is essential before entering any deal.
What Does Due Diligence Look Like in Practice? Here’s an IT Due Diligence Checklist!
When undertaking an IT due diligence M&A, there are several areas you should be working through. The following is not an exhaustive list but should provide a solid base to develop your review process. and produce a due diligence report that will satisfy your stakeholders, stockholders and senior management team. As with everything in business, do your research and speak with your legal and financial advisors to ensure your m&a due diligence checklist covers everything you need to make an informed decision.
M&A IT Due Diligence Checklist
- Review Their Cybersecurity Measures
This is critical for the reasons already stated in this article. Without adequate cybersecurity measures, you’re open to data loss, legal action and loss of reputation. What software do they use to run their business, and is it up to date and fit for purpose? What security measures do they have in place, i.e., firewalls and spam checkers? What are their policies for data management and protection? How compliant are staff with these policies and processes? What data do they handle, and is any of it confidential?
- Network Infrastructure
Any IT due diligence process should assess a company’s network infrastructure. How are their physical and virtual networks constructed, what internet connectivity do they have and do they use data centers? The security and stability of these systems should be evaluated to ensure they are compatible with the existing systems of the company they are being merged with. If there are compatibility issues, a plan can be made to manage the merging of the two systems that mitigates any risks.
- Evaluate IT Operations
Things to think about and assess include their helpdesk support, how they manage and monitor their network and their disaster recovery processes. These systems need to be efficient, effective and able to support the needs of the merged company and any subsidiaries that exist.
- Software and Applications
What software and applications are they using? What’s essential for running the company, and is there anything that can be cut? Subscription and maintenance costs will also need to be considered. Are there cheaper (but equally effective) alternatives? Do they have in-house bespoke systems and software? How is this managed and maintained? How secure is this software? How do these systems fit in with your existing systems?
- Data Management
This is crucial. All companies handle data in some way, although not all companies hold confidential or private data. What are their backup and recovery procedures? How do they store their data, and what data security measures do they have in place? I’ve already touched on legal obligations when handling data. Still, it’s worth mentioning again — their compliance with data protection laws is vital to assess and understand so that you are aware of any potential breaches or risks and can put processes in place to mitigate these.
- People
When assessing IT systems, assessing the people involved is not necessarily the first thing that comes to mind. However, people are an integral part of any IT system as they run and support that system. Things to think about here include what training processes are in place to train and support staff using these systems. How will these systems be ported across to your newly merged company? Is there documentation relating to these systems, and are there individuals who are single points of failure?
Bringing It All Together — The Importance of Conducting IT Due Diligence
Conducting IT due diligence for a merger can be a complex process. That’s why working with a team with the expertise and experience to assess the target company’s technology systems and processes is essential.
IT due diligence is critical for all mergers, even for the smallest companies. A robust due diligence process will help you thoroughly evaluate the validity of a merger and make sure you know what the risks are before merging the two companies.
A thorough and unbiased assessment of your target company’s technology infrastructure will ensure there are no surprises and help you build a solid transition process that protects and supports all those involved.