By Chris Steele, Saggezza
Skydivers and police officers know their daily jobs come with inherent risks. Likewise, private equity firms know that any given deal thesis might not realize the expected return on investment, even after meticulous due diligence.
But some risks, particularly in IT, can be spotted and addressed pre-deal signing. Unaddressed, these four technology-related risks can put a PE firm in a precarious position when it is creating a deal thesis or assessing the potential RoI.
IT security vulnerabilities: While PE firms do financial assessments of potential portfolio companies, they don’t always assess the security vulnerabilities. Many PE firms lack the ability to do comprehensive assessments, so they cross their fingers and hope for the best.
Then, the data breach occurs, costing millions of dollars and hundreds of staff hours, including the ever-rising costs of compensating customers. Without accounting for loss of consumer trust, a data breach costs an average of $3.86 million.
For portfolio companies, particularly those in ecommerce and fintech, mitigating the risk of a cybersecurity breach is an integral part of the PE firm’s due diligence, as well as its active management strategy.
Regulatory noncompliance: Companies must comply with numerous regulations based on industry and specific business. Two examples within a PE portfolio are compliance with the Americans with Disabilities Act and payment-card industry-data-security standards (PCI-DSS).
Noncompliance with these standards carries substantial penalties: A first ADA violation comes with a maximum penalty of $75,000 and a second violation double that.
And for a website, such as when Winn-Dixie was found in violation of the ADA, each individual session or transaction can be treated as a violation, which can generate a fine in seven or eight digits.
Filings of these federal website-accessibility lawsuits tripled from 2017 to 2018, with the majority of cases in retail, food service, travel/hospitality, banking/financial, entertainment and leisure, and self-service industries.
As an investment scales, the financial implications of noncompliance, and the monetary consequences, can grow as well.
Integration difficulties: PE firms often have big ideas for new portfolio companies, like leveraging complementary capabilities of various investments. Such an aspiration may make sense on paper but may not be possible in practice, due to disparate and/or older systems that can’t be integrated with newer infrastructure.
For example, a newly acquired restaurant chain’s payment-processing system might be structured such that the rest of its workflow – order management, reporting, dashboards, CRM, loyalty-program management – is tied to the payment gateway.
A PE firm must thus fully evaluate an investment’s infrastructure before signing a deal, figuring out how flexible the systems are and calculating the potential costs if they are structured poorly.
Scalability issues: A typical PE firm commonly aspires to take a new business to two or three times its current scale. But all the pieces that make up a business’s operations must be able to handle that expansion.
It’s not always simply a matter of adding servers or other hardware; more can sometimes be worse. Scaling infrastructure can be easy, or hard, with much riding on how it was structured to begin with. If the infrastructure was not built to enable scaling, a firm will hit roadblocks when it attempts to scale the business.
These problems can’t be fixed by throwing money at them. Even within the same industry, every deal thesis is different and not every scaling strategy will be effective.
So, with these hidden risks looming over every deal, what can a PE firm do to root them out?
Financial due diligence is only the beginning; technical due diligence is just as essential. A deep dive into every candidate portfolio company’s IT will help firms more accurately assess the future value of a business, as well as how it can most quickly bring the company up to speed and realize a successful investment.