IT Due Diligence assessments are typically commissioned by investors if the startup is either a SaaS business or one where the technology represents significant value in the business growth plan.
Startups are often lauded for their innovation, creativity, and risk-taking. But these same qualities can also lead to problems in IT and SaaS-driven businesses.
Startups tend to focus more on building new features than on sound processes, and that focus can lead to data breaches, tech debt, and other costly problems.
Our role is to assess the value the technology presents in your business, how it is built, and the team that builds it.
Let’s look at what IT due diligence is and how you can prepare for it.
IT Due Diligence isn’t about the tech; it’s about YOU
The investor is investing in you, not just the P&L. They need to understand your vision, what makes you tick, how you make decisions and most importantly – how you manage challenges.
Hence a major consideration is the management team assessment. We won’t be asking you specific questions about your leadership or management style. We will get a sense of both from our conversations about your technology.
For instance, a discussion on how you (or your CTO) decide what goes into the tech stack, and how you manage tech debt, will provide good insight. I can give this away because it is not something people can fix or lie about: when we marry up what you say with the data we collect, we can see whether there is a through-line.
But we cannot assess an FTSE 250 team in the same way as an early-stage start-up. So, depending on your journey, we will assess your team under different criteria.
Stage One: Churning
During the churning phase, the business is a moving target – hundreds of ideas are tested; people move in and out, and there’s general volatility.
This is a very early-stage company, possibly pre-revenue. We don’t often assess these firms, but it’s worth noting how we would assess them differently. In summary, we have low expectations and are more forgiving. These early-stage startups are churning through new ideas and concepts until they get a glimpse of traction.
From a technology perspective, the tech footprint will likely be small and insecure, and we assess accordingly. We will be looking at data sources and how data is stored as often both can have issues or create longer-term risks.
This uncertainty is exciting for some founders, but some rigour is needed, and we need to understand whether management is keen to learn the more ‘boring’ aspects of better governance and controls.
Without governance and controls it is still possible to scale your business, but it often comes at a cost later, so it’s good to nip the problem in the bud during the early stages.
Stage Two: Learning
This is where things get interesting and usually where investors we work with tend to get involved.
You’ve got product-market fit, or are close to it, and you’re looking for help to scale what you have already proven. Hopefully, minimal investment or innovation is needed from the technology perspective.
We generally refer to this as a ‘more of the same’ investment.
At this stage, we’re curious to understand the team’s learning capability as they will need to develop new personal skills, which typically means maturing their approach to running their business.
We will put you under more scrutiny regarding how you govern your environment, and there’ll be less acceptance of ‘nuances’ that could grow into bigger issues in the future.
Lastly, we will also assess management’s openness to working with others – as the best-performing teams don’t do it all themselves. They have the humility to understand their strengths and reach out to partners or experts for guidance.
Stage Three: Earning
At this stage, your firm has a healthy number of customers and your technology has proven its worth. Now you have the options of internationalising or growing through innovation.
As you can imagine, this later stage is more complex. How well will the management team ‘keep the lights on’ whilst innovating growth? What cracks will we see in the overall operating model? By this stage, are commercial operations working well with the technology function?
Overall, we’ll be assessing your team from an efficiency and operational perspective and ensuring your technology and product roadmaps (which translate to ‘spend’) clearly demonstrate a return on investment. Simply put, you need to be better at strategy, operations, cyber, innovation and so on. The list goes on.
IT Due Diligence is a collaborative, positive experience
It’s easy for me to say, but IT Due Diligence isn’t something to be concerned about. Still, there is a sense of nervousness from management when projects commence. That’s understandable: we’re looking ‘under the hood’ of your environment. But we are there as collaborators, not auditors.
Most early-stage SaaS/technology businesses will benefit from a short, rigorous assessment as it typically helps uncover both risks and opportunities for the investor – potentially making your firm more attractive to invest in.
Plus, if an investor recommends IT Due Diligence for your startup, it signals they are serious about the investment opportunity. So, we say, bring it on!
1. What is IT due diligence, and why is it important?
IT due diligence is the process of assessing a company’s IT systems to identify any potential risks and vulnerabilities. This is important for two reasons.
- It helps to protect the investor from inherent, existing risks in your business, such as cyberattacks and data breaches, or, worse, from large expenses or liabilities that only appear after the deal has completed.
- It helps the firm’s management identify areas for improvement so the company can strengthen its growth plan and its use of funds.
2. Why is IT due diligence important for startups?
IT due diligence is essential for startups because of the inherent risk associated with new businesses. By identifying any potential risks and vulnerabilities in their IT systems and SaaS platforms, startups can take steps to mitigate those risks and protect themselves from costly problems down the road. This, in turn, protects the investor.
Cyber security has become paramount. So, in addition, by showing a sound IT security position during IT Due Diligence, startups can demonstrate their business acumen and that they are serious about data security and protecting their customers’ information.
3. The risks of not having IT due diligence in place?
One of the most significant risks of not having IT due diligence in place is that your startup could be vulnerable to data breaches and other cyberattacks.
Hackers are increasingly targeting small businesses, often seen as easier targets than large corporations. And since most small businesses don’t have the same level of security in place as larger companies, they can be more easily compromised.
Another risk of skipping IT due diligence is that once your deal is announced publicly, your firm becomes a target for cyber-attackers. We’ve spoken to several investors/portfolio firms who were hacked post-deal. So it’s worth doing some upfront work to avoid this by enhancing your security posture before the deal goes through.
4. What can go wrong if IT due diligence isn’t undertaken?
According to Bain’s 2022 Private Equity Report, most deals (around 90%) don’t include IT Due Diligence. Specifically for early-stage businesses, IT Due Diligence is seen as an expense, especially as the target often has to pay for the exercise. There are two perspectives to consider:
- From an investor’s perspective adding another diligence stream can feel unnecessary when there is such uncertainty within the technology in early-stage businesses.
- And for an early-stage target management team, it can be an unwanted hindrance having people ‘auditing’ your tech whilst you’re busy developing your business.
But, in my biased opinion, the decision not to undertake IT Due Diligence is a risky strategy because the risks of not doing IT due diligence include:
- A breakdown in the relationship with your investor. This is the biggest risk: if your startup suddenly becomes more expensive or difficult to grow due to undisclosed technology spending, it also suddenly becomes less appealing. For an investor with a varied portfolio, your firm may then drop down the pecking order and get less attention, which can instigate a spiral to the bottom.
- Data breaches can occur if your systems are not adequately secured. You will see this is a recurring theme; there’s no point in building an innovative product if you don’t also focus on protecting your business and customers.
- Poorly designed systems can be difficult or expensive to maintain and upgrade. ‘Poorly designed’ is subjective, but in the early stages you may choose a component that is easy to implement yet expensive to staff in future, because the key hires needed to maintain it are scarce, when a simpler option was available. As one CTO recently stated, it’s wise to steer towards ‘boring’ technology.
This takes us to the next section:
5. How to get the basics right for IT due diligence.
Before you undergo IT due diligence, there are a few key things that you need to work on. Ensure:
- You have a technology strategy and product roadmap.
- There is a financial model that supports said roadmap.
- You have a comprehensive security plan in place.
- Your systems are up-to-date. This means keeping your software, components, open source, etc. up to date.
- You have a disaster recovery plan. This plan should include measures such as data backup and recovery.
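As an added example (not from the article), one way to evidence the ‘systems up-to-date’ point above is a small script that checks a pinned dependency list against a table of known advisories and flags both out-of-date pins and unpinned packages that can silently drift. The requirements text, the advisory table and the EXAMPLE-ADV identifiers below are constructed for illustration only; in practice the advisory data would come from a real software composition analysis tool or vulnerability feed.

```python
"""Offline dependency audit: flag unpinned and known-vulnerable packages.

Added example, not code from the original article. All sample data below is
constructed; the advisory identifiers are hypothetical placeholders.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches lines such as "flask==2.0.1", "requests>=2.20" or a bare "pyyaml".
_REQ_RE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|>=|<=|~=|!=|>|<)?\s*([0-9][0-9A-Za-z.]*)?"
)

# Constructed sample requirements file (not real project data).
SAMPLE_REQUIREMENTS = """\
# web stack
flask==2.0.1
requests>=2.20
cryptography==3.2
pyyaml==6.0.1
"""

# Constructed advisory table: package -> [(fixed_in_version, advisory_id)].
# Any pinned version below fixed_in is treated as affected. IDs are hypothetical.
SAMPLE_ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "flask": [("2.2.5", "EXAMPLE-ADV-001")],
    "cryptography": [("3.3.2", "EXAMPLE-ADV-002")],
}


@dataclass(frozen=True)
class Requirement:
    name: str
    op: Optional[str]
    version: Optional[str]


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str  # "unpinned" or "vulnerable"
    detail: str


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.0.1' into (2, 0, 1); a non-numeric suffix such as 'rc1' is dropped."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def parse_requirements(text: str) -> List[Requirement]:
    """Parse requirements.txt-style lines, ignoring comments and blank lines."""
    reqs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, version = m.groups()
        reqs.append(Requirement(name.lower(), op, version))
    return reqs


def audit(text: str, advisories: Dict[str, List[Tuple[str, str]]]) -> List[Finding]:
    """Return one finding per unpinned package and per advisory a pin falls below."""
    findings: List[Finding] = []
    for req in parse_requirements(text):
        if req.op != "==" or req.version is None:
            spec = f"{req.op or ''}{req.version or ''}"
            findings.append(Finding(
                req.name, "unpinned",
                f"specifier '{spec}' allows silent upgrades; pin an exact version",
            ))
            continue
        for fixed_in, adv_id in advisories.get(req.name, []):
            if parse_version(req.version) < parse_version(fixed_in):
                findings.append(Finding(
                    req.name, "vulnerable",
                    f"{req.version} is affected by {adv_id}; fixed in {fixed_in}",
                ))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_REQUIREMENTS, SAMPLE_ADVISORIES):
        print(f"{f.kind.upper():10} {f.package}: {f.detail}")
```

The point of the script is the evidence trail: run it in CI on every change and keep the output, and you can show a diligence team both that components are pinned and how quickly a flagged version was bumped after an advisory appeared.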
Following these steps ensures that your IT Due Diligence will be less stressful. Let’s look at a few of them in detail:
a. Develop a comprehensive tech and product strategy.
We tend to find a disconnect between plan, forecast, people and tech.
This is demonstrated by an unclear use of funds, and often there is a misalignment between finance and tech (or tech isn’t even involved!). Typically, this is because there isn’t a comprehensive strategy in the first place.
Your IT strategy should include your product roadmap (if you have one), show how you prioritise development, and demonstrate how you determine a return on investment (a.k.a. Value Attribution). It should also include a risk assessment and the measures you take to protect your data and systems.
We can tell if you’ve rushed this exercise, and as it underpins the growth plan and your credibility, allocate time to do this properly.
b. Train your employees on security best practices.
Product features probably feel more important than security in the early stage of a business. But if cyber security is within the DNA of your firm, it will look better in our (and therefore investors’) eyes.
Your employees are your first defence against cyberattacks, so ensure they know the risks and how to protect themselves.
Investing in this training early can help ensure your team is focused on continual security yet still managing to deploy new tech at a high rate.
c. Implement strong security measures.
Likely, you’re already doing this with your software product.
But the common concern in early-stage firms is their IT estate (laptops etc.). We tend to find they are not using up-to-date antivirus software, firewalls, and password protection. It’s also important to back up your data regularly, and to check that the backups restore, so that you can recover quickly if data is lost or destroyed, for example in a ransomware attack.
The best startups we assess often have the CEO taking full responsibility for cyber security until the firm grows and the role is handed to a specialist. If they can afford it, they outsource this function to a managed service provider (MSP) so they can focus on product development and customer service.
d. Improve DevOps
A typical red flag we raise is a lack of tech ops/infrastructure focus. This is particularly prevalent in developer-led tech startups where infrastructure concerns such as resilience, backup and recovery have not been adequately considered. In addition, network-level security protections are not well understood, and general operational rigour is lacking.
Management can often address this red flag by adding a DevOps person, consultancy or fractional resource to the post-deal hiring/investment plan.
e. Have a contingency plan in place.
If your IT systems do get attacked or infected, it’s crucial to have a plan in place for how to respond and mitigate the damage. This might include backup plans for your data and systems and contact information for emergency support services.
What if your product experiences a security breach or data loss?
In both cases, you need a business continuity plan and some form of incident management and reporting. It is critical that the continuity plan isn’t just a template and is actionable. The best companies have evidence to hand, either of testing their BCP or in past incident reports.
If you’re an early-stage business owner, it’s essential to ensure that you’re well prepared for IT due diligence. Providing a truthful account of where you are today is essential, as most issues uncovered during diligence can be fixed post-deal.
Ultimately I suggest you use your IT Due Diligence report as a benchmark at a specific / pre-deal point in time and use the findings to instigate improvements in your business. By tracking the progress of these issues, you are demonstrating the ability to collaborate with multiple parties and make positive changes.
For instance, in early-stage firms, infrastructure resilience is a common problem. It can often be fixed by adapting the platform to operate across multiple regions. That change then needs to be costed, planned, designed, tested, implemented and supported, and each of those steps can be evidenced and presented back to the investor.
Demonstrating technology change or transformation in this manner will help your relationship with your investor and increase their confidence in your ability to scale your firm.