By Michael Kauffman, Tech DNA
The technology risks uncovered by technology due diligence fall into three main risk categories: hidden liabilities, increased downside risks, and decreased upside risks.
Hidden Liabilities
These risks are often the largest liabilities. They include:
- Cybersecurity / Privacy Risk: By now most professionals understand the reputational risks of being hacked. A potentially greater concern, though, is increasing regulatory risk. With the passage of Europe’s General Data Privacy Regulation, which has jurisdiction over many U.S.-based businesses, privacy penalties could end up exceeding the value of the deal itself. The reason? Penalties will be based on the revenue of the acquirer, not the target. Tech due diligence assesses how well a target guards against such hacking, and how well it complies with relevant data-protection regulations (GDPR, HIPAA, etc.).
- Downtime Risk: This is the risk that the target’s technology may go offline for hours, days or weeks. Tech due diligence assesses the resiliency of a target’s technology and how long it would likely take to get it back online, as well as the magnitude of data loss during downtime.
- Open Source License Risk: Open-source usage entails many risks. Among them is the risk of violating an open-source license, especially so-called viral licenses. The bigger question, though, is how central open-source tech is to a target’s competitive position in the marketplace. Tech due diligence assesses both the license risk and the competitive risk, either in terms of feature impairment or the cost to code around a viral license.
Increased Downside Risks
These risks derive from technology that has lost its competitive advantage. While from the outside code may appear fully functional, latent risks are often brewing under the hood. These risks can manifest either as the declining ability to compete against those with up-to-date technology, or increased near-term OpEx to bring that lagging technology up to date. The increased downside risk is most concerning for longer-term buy-and-hold deals, and less an issue for quick, go-to-market bridge deals. This risk stems from three technical causes:
- Obsolescence: This is a two-factor test: Is the target’s technology older than the industry standard? And does that obsolescence materially affect functionality, security, etc.? Be careful of reflexively connecting the two. Older technology is often just fine, despite what “real” techies might say. Good tech due diligence models the actual risks and costs of obsolescence.
- Commoditization: Some technologies have more active open-source movements than others. And a target company can’t easily command high prices for functionality that the open-source movement provides “free.” There is also so-called wrapped commoditization when the target’s hyped technology is little more than a thin wrapper around well-known, free, open-source libraries. Tech due diligence assesses the width of a target’s technology moat based on open-source commoditization.
- Legacy Drag: This occurs when targets have allowed customers, clients and/or partners to remain on legacy systems. The results can be twofold: 1) a doubling or tripling of labor every time new features and security updates are released, because such updates often must be built, deployed, managed and supported for each legacy version, and 2) new features and other business priorities take a back seat to maintenance imperatives as tech teams struggle to maintain multiple legacy systems. Most tech teams trumpet the latest version of their product/service to potential acquirers while glossing over the heavy drag exacted by legacy maintenance. Tech due diligence uncovers the full extent and cost of legacy drag.
Decreased Upside Risks
These are upside blockers. While the target’s technology may be fully functional, the company’s ability to add new features or expand into other industries is impaired. Many valuations assume that if the code is currently doing X, it can easily pivot to a very similar Y — though that is not always the case. There are four common upside blockers:
- Scale: B2C typically needs to scale along a single, overall-throughput data axis. By contrast, B2B often needs to scale along two axes: total scalability per client, and scalability related to onboarding each business client. Tech due diligence assesses the technical and manpower barriers to scale on all relevant axes.
- SaaS Pivot: A software-as-a-service pivot requires the technology to track user activity and bill accordingly. Old technology built on a pay-once upfront basis often lacks this tracking ability, frustrating attempts to pivot to SaaS. Tech due diligence assesses the time and costs of rebuilding systems to support various SaaS pricing models, including the metrics technologies needed to further refine pricing models for maximum ROI.
- Cloud Readiness: Cloud readiness is not binary. There is a range of risks here, specifically: a) architectural barriers to migrating the target’s technology to the cloud at all; b) the cloud knowledge of the target’s tech team, which is sometimes a bigger barrier than the tech itself; and c) the target’s knowledge, and technical exploitation, of cloud provider pricing models to keep (the often significant) cloud provider fees under control.
- Globalization: Tech due diligence assesses the target technology’s ability to work with multiple languages and currencies in support of new markets and audiences.
The risks for venture capital and strategic investors are similar to the risks for private equity, listed above, but they emphasize different elements. For example, venture capital places more weight on team and roadmap than tech-as-built (because, well, not much has been built yet), while strategics often emphasize integration barriers, effort and timelines.
Ultimately, each deal and each target’s technology brings its own constellation of liabilities and risk, but it’s the rare technology risk that can’t be distilled to non-technical language in support of financial modeling and overall acquisition strategy.
Michael Kauffman is a principal and chief legal officer at Tech DNA, a global leader in technology due diligence on behalf of private equity, the Global Fortune 500, venture capitalists, lenders and other investors. The above observations and categorizations are based on assessments of over $15 billion in technology acquisitions. He can be reached at firstname.lastname@example.org or +1 206-939-1289.