Information Technology is an integral part of any organisation and enables the operations of enterprises. Through supporting business operations, IT collates and analyses business data to provide the management information required in making timely and effective decisions. IT can even be the product/service around which enterprises are built. Information is a key business asset. But IT can also be the skeleton in the closet. Technology assets can turn into liabilities costing more and/or introducing risks that are not anticipated. This makes IT a key priority consideration in strategy development, corporate governance and business risk mitigation as well as merger and acquisition (M&A) transactions.
Despite the obvious importance of IT within any organisation, business executives, who are mostly more focused on the financial and legal aspects, often overlook it. Appropriate attention is not given to IT diligence as part of corporate governance or during due diligence in M&A initiatives. This might be due to the continued limited understanding of the technology discipline amongst business executives and/or the absence of the right expertise within an organisation to conduct the needed IT review. Another contributing factor is that IT due diligence is rarely the make-or-break factor in business deals, which in a lot of cases results in unwanted surprises presented to directors. That is why IT should be part of the scope of business strategy development and be one of the key contributors in M&A negotiations, influencing the deal and price.
The key reason for IT due diligence is to give directors visibility of concerns relating to IT operations so that strategies and mitigating actions can be developed to address them. Investors should also use this information in assessing a potential business asset and its associated opportunity versus risk.
A due diligence exercise will cover at least the following main IT considerations: Systems, Projects & Change, Data, Security and IT Service Provision. Each of these considerations should be reviewed covering at least the following four elements: People, Process, Technology and Value.
Meaningful IT due diligence can be accomplished by practitioners who can ask the right questions stemming from the appropriate industry experience and domain knowledge. The art of due diligence is in formulating the right questions around key investment and/or corporate success drivers and interpreting the answers to inform the true state of affairs and its associated business enablement ability, future opportunity contributions and the associated business risk. Mostly, this diligence informs on the present and future role and influence of IT assets within the overall business success, for example:
- Product, service and information ownership – does the business really own what IT claims to be the property and assets of the business in relation to its true value and the balance sheet?
- Reliability – can the business rely on its technology, now and in the future?
- Sustainability – does the business have the ability to sustain its IT asset and vice versa?
- Scalability – can the technology assets keep up with the business’ growth plans?
- Adaptability – how easily can the technology asset integrate or be adapted to integrate with other systems and new emerging technologies in the future?
- Compliance – does an IT asset introduce unwanted risk through non-compliance? For example, the introduction of new legislation to address the continuous increase in cyber and information security concerns might have a significant impact on the legality of an IT asset that might result in serious financial risk and penalties, if not addressed.
- Finance – how much are IT assets likely to cost the business and what contributions will these expenses have on the financial success of the organisation?
A typical IT due diligence exercise could cover the following areas of IT operations (Some of these areas might not always be applicable in all organisations.):
- Clarity on the Business Value Chain
- IT Staff
- IT Organisation Structure
- Qualifications & Skills
- Certifications & Standards e.g. ISO9001 (Quality), ISO17001 (Security), ITIL (Service Management) or ISO20000 (ITSM)
- Products and Services
- Software Development Processes & Methodologies
- Service Management
- Software applications and Services utilized
- IT Infrastructure
- IP Network Infrastructure
- Hosting Environments
- Business Continuity
- Service Availability
- Systems Up-time
- Backup and Recovery
- Disaster Prevention & Recovery
- Cyber & Information Security
- Network Security
- IT Services & Systems Access
- Physical Access
- Operating Model
- Risk Management
- Performance & KPIs
- Projects & delivery methodologies
- Supplier & 3rd party Service/Support Agreements
- Intellectual Property
- Quality Assurance & Improvement
- Client and/or Customers
Understanding this information is vital in corporate governance, strategy formulation and capital investment decisions, ensuring business-critical assets are sustained and developed appropriately for a viable ongoing business concern.
The content of an IT due diligence report should focus on the objectives of the due diligence review, outlining priority findings with recommendations that present a clear call to action addressing the key issues found. A typical report should contain:
- The objectives of the IT due diligence review
- An executive summary with the key takeaways
- Key findings and the associated risk
The review findings and recommendations should be acted upon through appropriate remediation projects and a clear transition & support plan with inclusion into IT & business strategy. The business benefits can only be realised if these post-review projects and transition are successfully integrated into the organisation.