In addition to digital technology, Tech Due Diligence must look at the ‘boring’ areas of risk and governance. This means assessing key documents such as a risk register, risk mitigation plan, business impact analysis, incident response plans, etc.
There are numerous reasons why:
- It’s good practice.
- Historical decision-making helps us understand the future.
- Investors want to be reassured and be aware of risks.
One trend we tend to see is that firms and tech teams are not running a risk register. This red flag indicates no one is considering risk, discussing it, or securing the business. And extrapolating that, the question is, ‘What else are they not talking about?’.
If Tech DD is about anything, it’s about behaviour that is indicative of how a firm will conduct itself pre- and post-deal.
So continually moving forward with no regard for present-day risks is a major, you got it, red flag.
Why a Risk Register Matters
- Adherence to Best Practices: Ignoring risk and governance is not just an oversight; it’s a lapse in sound business practice. These areas form the bedrock of any sustainable enterprise.
- Informative Historical Context: A company’s past governance and risk management behaviours often serve as predictive indicators of future conduct and success. Thus, understanding these aspects can offer invaluable insights.
- Investor Assurance: Investors are not merely seeking returns; they are also looking for a level of assurance that their investments are safe. Understanding the risk landscape and governance protocols provides that essential comfort.
The Absence of Risk Registers: A Warning Signal
We consistently notice a glaring absence of risk registers within firms and their technology departments. The lack of such a register is a serious red flag, signalling that risk management conversations are not happening and that no concrete measures are in place to secure the business.
ISO 27001 Is Not Enough
Holding an ISO 27001 certification is not a universal fix. Many teams possess what they call a risk “spreadsheet,” but the absence of scheduled risk assessment meetings and demonstrable action points betrays the ineffectiveness of these initiatives. An ISO certification devoid of an active risk register is like a car with a powerful engine but no steering wheel.
What Should Investors and CxOs Do?
- Integrate Risk and Governance Checks: Make these areas integral to your due diligence checklist.
- Demand Transparency: Ask for evidence of active risk management practices and governance protocols.
- Implement Risk Registers: Create one if your firm lacks a risk register. Make it live, operational, and subject to regular reviews.
- Prioritize Governance: Governance is not a one-off task but an ongoing commitment. Make it a part of the corporate culture.
In summary, technology due diligence should be a comprehensive assessment that balances both technological prowess and foundational aspects like risk and governance. By giving these ‘boring’ yet vital areas the attention they deserve, investors and CxOs alike can make more informed, secure, and ultimately successful decisions.