Tallinn
Insights
The Importance of Technical due diligence
Clarity, vulnerabilities, and potential: Technical due diligence (or Tech DD) entails a thorough and impartial examination of a product's technical state, code integrity, decision-making rationale, and risk evaluation prior to securing investments. Through technical due diligence, the development team gains insights into the product's capabilities and limitations, while investors ensure they're making informed decisions regarding their investment in your project.
A topic with strategic importance for tech founders and investors alike, Uve Poom, Head of Operations Nordics at Tenity discussed the topic with Agu Aarna, co-founder of Intium Tech, to bring you valuable insights into Technical due diligence (Tech DD), focusing on
- The essence of Tech DD – what is it?
- Compliance and Risk Management
- Intellectual Property
- Red flags during Tech DD and examples: “The four questions”
- Closing gaps & impact on valuation / acquisition strategies
- Investors and Tech DD
- Legacy and Tech DD
Uve Poom (Uve): "Hi, Agu. I’m excited to delve into the tech and investment world with you. To kick off, could you share a brief overview of your background and journey?"
Agu Aarna (Agu): "Absolutely. I started out as a software developer and have held diverse roles – from development and architecture roles in the early days of my career - switching to management, graduating as a CTO and VPE, and eventually consulting. I’ve worked in different roles in Adcash, a digital advertising company, Bang & Olufsen, Ericsson, Crosslake Technologies – and today I serve as a founding partner at Intium Tech, specializing in technology due diligence (“Tech DD”) and value creation for investors, notably private equity (PE) investors.
At Intium, we recognized the need for a standardized approach for Tech DD projects and developed an internal tool—Sonar,— now a cornerstone for our consultancy. This software empowers consultants to conduct comprehensive and uniform technology due diligence, ensuring high-quality, comparable outputs. It's at the core of what we do at Intium."
The essence of Tech DD
Uve: "Let’s start off with a quick dive into the essence of Tech DD. People often associate it with code review and system security. Still, a Tech DD process goes beyond that. What aspects do you examine in the entire process?"
Agu: "Absolutely right. While code, infrastructure, and architecture are vital, technology alone can't sustain a business. The crucial factor lies in the intersection of people and tech. To evaluate this comprehensively, we need a 360-degree view—encompassing software, infrastructure, processes, organizational scalability, leadership acumen, business strategy and roadmap effectiveness.
As such covering software architecture, infrastructure, road mapping practices, development life cycle, organizational aspects, and security, we create a holistic view. Security is woven into each layer, from code vulnerabilities to network and infrastructure security, up to leadership roles like a security ambassador. It's not a standalone element but an integral part of organizational strategy and road mapping, emphasizing its importance in the entire Tech DD process."
Compliance & Risk Management
Uve: "Managing risk, especially in regulated fields like financial services, involves more than checking boxes. It's about cultivating a risk culture. How do you view the role of compliance officers in ensuring this culture and addressing vulnerabilities?"
Agu: "You're spot on. Often, companies have a Chief Information Security Officer (CISO) focusing on extensive compliance documents. While policies are crucial, the challenge lies in ensuring adherence. Too often, security officers shrug their shoulders when others don’t follow their protocols – and this happens when there is a lack of risk culture. In practice, security, like quality, is everyone's responsibility and the organisation’s leadership has to build that culture."
Uve: "In the realm of financial services, the focus on risk management and compliance are crucial, considering a variety of audits from statutory to regulatory, and heightened operational risks, especially in handling client money. How do you see the balance between compliance efforts and value creation for startups that are under pressure to build enterprise value?"
Agu: "Absolutely, risk and compliance management are a major consideration, but dedicating excessive development time to operational risk or AML regulations at the expense of creating value is counterproductive. The good news is that rapidly growing companies can farm out a lot of the compliance work to certified partners – e.g. Stripe or open banking platforms can handle PCI DSS compliance or KYC/AML requirements as part of their solution. Smart companies strategically leverage third-party providers to navigate compliance issues, enabling them to concentrate on the core. The key is finding a balance—knowing what to handle in-house for compliance and being savvy about using external components and vendors to optimize focus on product offerings."
Uve: "Regarding scope of your Tech DD projects, you mentioned auditing internal rules and guidelines, but how deeply do you delve into a company's day-to-day practices, for instance in software delivery?"
Agu: "Documents alone don't paint the full picture. We use them as input but never stop there. Our process involves validating these documents through extensive conversations with key individuals in the company, like CTOs, architects, or team leads. We want to understand the practical implementation of declared policies. For instance, we go beyond a mere code review, often conducting shared screen sessions to assess the actual code quality. While we occasionally gain read-only access for in-depth analysis, this is the exception. Penetration tests and software composition analysis are part of our toolkit, but we often find companies neglect post-penetration action items. That is also one of the all too frequent orange flags."
Intellectual Property
Uve: Let's delve into the intellectual property (IP) aspect of Tech DD. Open-source software plays a critical role in software development, but there are IP risks involved. What could go wrong?
Agu: When it comes to open-source components, they're widely used and quite beneficial in contemporary software architectures. However, what often gets overlooked is the licenses these components carry. Some licenses may impose restrictions, even requiring the company to open-source its code. This discovery becomes quite common during our DDs.
Uve: That's interesting. How does this impact investors?
Agu: Well, if a company is using open-source components with licenses that demand code openness, it exposes the company to legal trouble and consequent penalties. The challenge becomes even more acute when these components are modified for specific use cases without the necessary permissions. Luckily unmodified components are relatively easy to replace.
Investors should pay particular attention to scale-ups – European companies can get into hot water if they look to expand to the US, but don’t have their IP sorted – that’s an invitation to litigation.
Red Flags in the Tech DD process
Uve: Agu, let's look at red flags during tech due diligence. What are the typical sticking points you encounter, and how often do they become deal-breakers or require conditional advice?
Agu: That's an interesting aspect. Red flags vary, and it's not always a straightforward decision. By the time you're in tech due diligence, you've invested time and effort, and simply running away isn't always the immediate solution. It's a bit more nuanced. Typically, we face four key questions during this phase.
Uve: What are these four questions?
Agu: Certainly. The first question is whether to run away or proceed. However, investors frequently have already invested significant time in the prospect, hence leading to the second question: Can something be done for the deal to move forward? This involves identifying improvements the company can make before the transaction. The third question arises post-investment, focusing on shaping shareholder agreements, earn-out plans, retaining key personnel, and navigating potential pitfalls. Finally, the fourth question deals with accelerating results after addressing the previous three.
Uve: Can you provide examples of red flags that might be deal-breakers?
Agu: True deal-breakers are rare. An extreme case would be discovering a lack of technology when the core of the investment thesis revolves around it. An instance we encountered involved a company overhyping its technology, presenting a fully developed solution, but our due diligence uncovered a barely functional minimum viable product. Even in such cases, our role is to devise a plan for investors to navigate around the issues rather than outright abandoning the deal.
Uve: So, it's more about finding solutions than walking away?
Agu: Exactly. Red flags don't necessarily end the deal; they prompt questions about what can be done, how much it would cost, and whether there's an alternative strategy. It's about finding pragmatic solutions to move forward and ensure a win-win situation for both parties.
Closing the gaps
Uve: How can understanding the cost of closing these gaps influence the company valuation and acquisition roadmap?
Agu: When there's a gap between the company’s status quo and where it needs be to fulfil the investor’s thesis, it becomes a matter of strategy. Knowing the cost of closing that gap is crucial, and there are several instruments you can use to build your approach.
Uve: Could you provide examples of these instruments?
Agu: Certainly. One straightforward option is using the knowledge of closing the gap over the holding period, say, the next five years, as a negotiation lever for the price. You could deduct that cost from the price or split it with the seller. Moreover, this information can be integrated into earn-out plans. Typically, the share purchase agreement will include milestones and tie the deployment of capital to the achievement of those milestones.
Uve: Does this tie into keeping key personnel or other aspects of the acquisition?
Agu: Precisely. If you want to retain key individuals, you can attach milestones related to them and link their earn-out to specific achievements. This could be one to two years post-acquisition, providing a powerful incentive. In essence, these instruments act as levers to adjust the deal according to your needs. Even if running away isn't the immediate solution, these tools ensure your investment aligns with your thesis.
Uve: In the realm of post-merger integration (PMI), what factors make or break the transactions?
Agu: When we talk about PMI or, as we term itin a wider sense, value creation, it's crucial to recognize that after acquiring or investing in a company, you have specific goals to achieve. The success of a due diligence project, particularly through the technology lens, not only involves identifying red flags but also providing levers for building enterprise value.
When you acquire a company, there's typically a 100-day period where you initiate value creation activities. The integration team must align on these activities, and dedicate enough resources to seeing them through.
Uve: How does this tie into the creation of a roadmap for PMI?
Agu: We provide a preliminary roadmap outlining necessary activities, risks, and opportunities. This roadmap is presented in a timeline and prioritized manner, considering dependencies. It's a crucial input for the 100-day planning phase. The report not only identifies what needs to be done but also guides the investor on the sequence and dependencies of these actions. This is essential for creating a robust value creation plan and ensuring effective tracking of progress.
Tech DD and the investment process
Uve: There are different types of transactions in equity investing–early-stage VC funds, growth capital, corporate VCs, PEs, etc. When is tech DD warranted and how does it differ across investor types?
Agu: With early-stage software startups, delving into extensive technology due diligence might be impractical. It’s enough to perform a light check to ensure there are no significant issues that could impede the investment.
In growth equity, the game changes. Companies here have identified their target market, and the focus shifts to scaling operations. The tech component becomes critical to support the surge in customers during this growth phase. Unlike early-stage VC, where tech due diligence highlights red flags, in growth equity, it transforms into a driver for value creation.
Corporate VC and M&A teams look at additional dimension – they need to verify the integrability of the target company, from systems extensibility and interoperability to team composition and organisational structures. The focus is often on improving unit economy, whether it’s by eliminating duplicated costs or achieving economies of scale – these opportunities need to be mapped out.
Uve: So rather than just de-risking an investment, a tech DD results in more of a roadmap for potential investors.
Agu: Exactly. The tech due diligence in growth and buy-out situations is really focused on value creation, outlining the necessary steps and investments needed to support the company's expansion plans.
Uve: And now - let's talk about money. Could you elaborate on how investors navigate these costs?
Agu: Certainly. In early-stage VC, management fees and capital from LPs are directed towards investments, and allocating funds for professional tech due diligence can be hard to justify. Often times, when an investor insists on a tech DD, the invoice may be issued to the target company instead of the investor, or the cost is shared with others participating in the round. This again may hinder the applicability of a tech diligence exercise.
When companies are acquired in full for tens or hundreds of millions of Euros, the cost of tech DD is a far smaller fraction of the transaction and can add much more strategic value. However, justifying tech DD is not typically tied to the ticket size, but should rather be a strategic consideration – whether the acquisition can be put to the intended use, and how to do it. For example, if a software company is acquired to furnish the acquirer’s product suite, tech DD helps you understand what developments are required before or after the transaction.
Similarly, it’s important to understand the IP architecture – whether all critical IP is being acquired. It’s easy to miss such things without involving experts and that can be a costly mistake in the end.
Tech DD and legacy technologies
Uve: With regard to technology companies, some come with legacy technologies. How do you navigate such situations, and how can one distinguish what's essential in the array of technologies?
Agu: Legacy technologies are indeed a commonality, especially in established companies, and handling them involves a delicate balance. Let's consider a piece of tech residing on a legacy stack. In this scenario you should evaluate whether this piece of technology has in fact stood the test of time and proven its functionality through years of usage. Think of the level of quality within this component! Hence, if it still serves its purpose, and requires minimal maintenance, why even bother replacing it and introducing quality issues? As an example, in one case we encountered, a legacy component was functioning well, and all it needed was increased throughput. Instead of rewriting it entirely, we opted to wrap it in some modern tech by creating a wrapper around it and scaling it thusly.
Uve: So, preserving legacy systems can be the right thing to do?
Agu: Yes. If a legacy component works and is a critical business asset, there's often little reason to fix what isn’t broken. Familiarity with its quirks and its proven track record can make preserving it a sensible choice. It's about finding the right balance. On the other hand, if a legacy stack lacks critical business value, is end-of-life, and full of vulnerabilities, it might be a red flag. The decision to preserve or replace depends on the overall investment into the company and the risks associated with maintaining or refactoring the legacy component. Again, tech DD can help you avoid costly mistakes.
Uve: Agu, this has been an invaluable look into the art of tech DD. I guess it’s safe to conclude that tech DD shouldn't be perceived merely as an audit focused on past tech choices but, rather, as a strategic tool guiding decisions for future acquisitions.
Agu: Exactly. It's crucial for the investor community to understand that technology due diligence goes beyond the rearview mirror. It's about equipping investors with the insights needed to make informed strategic decisions and I hope our readers take that with them from this discussion.
To sum up
It is evident that the technical due diligence process is crucial for providing valuable insights into the potential of a product, both to development teams and investors.
By thoroughly analyzing its strengths and weaknesses, entrepreneurs can better understand their own competence while investors can make informed decisions regarding their investments. Through this process, risks are assessed, the technical aspects of the product are scrutinized, and potential payback is forecasted. The culmination of this diligence is a comprehensive report that consolidates all findings, laying out the risks, benefits, and prospects for both investors and startup teams to consider.
Ultimately, the technical due diligence process serves as a cornerstone in ensuring that investments are directed toward products with promising potential and robust technical foundations.
