Technical Due Diligence – Dogma Isn’t the Way

Introduction

Cyber and digital transformation are hot markets right now. The cyber security market is predicted by many to grow at more than 10% Compound Annual Growth Rate (CAGR) over the next five-year period, with some specific market verticals (like mobile application security) expected to grow at over 20% CAGR over the same period. Digital transformation is much the same, expected to grow at a rate of 18.5% CAGR between now and 2024, when it will be worth a whopping USD 462bn per annum globally. If you’re a venture capitalist or the manager of a private equity fund, you’ll be looking at those numbers with a serious grin on your face, as they represent potential portfolio-topping investments in the coming period.

But as with any investment, there is always a risk to the investor:

  • Does the potential acquisition/investment target have a differentiated technology offering that has the potential to capture a decent size of the markets I described earlier?
  • Is the market better-served by a second-to-market follower rather than a trailblazer?
  • Is the company or technology in question under threat by significant competition or substitution?
  • Does the investment target rely on a very specialised supply chain that holds significant selling power over the buyer?
  • Etc…

To manage and mitigate this risk, any investor needs good technical due diligence to identify, characterise, and qualify any risks in acquisition or investment.

A Tale of Two Approaches

There is no perfect way to undertake technical due diligence; technology is too broad and varied a topic to completely remove every risk to the acquirer/investor. But not all technical due diligence approaches are created equal; we at Red Maple believe that some approaches are better than others.

Approach 1 – Dogma

Technical due diligence is hard. Technology now sits at the heart of society, and that core place in our lives drives an incredible volatility and pace of change in the technology marketplace. So it’s unsurprising that many companies that offer technology due diligence to PE and VC firms use an established framework for undertaking it. For example, one company I know well uses the International Organization for Standardization (ISO) 27001 framework to identify technology risk in investment. They draw together a standard set of questions from ISO 27001 into a spreadsheet to be used in every technical DD project they undertake. When contracted to undertake a technical due diligence project for an investor, they arm a moderate-to-well skilled consultant with the spreadsheet of questions and send them to interview the potential investment target, dogmatically following the spreadsheet. The consultant will have been instructed not to actually use their pedigree, knowledge or experience to go off-piste when “in the room”; they are simply there to ask the questions, collect the evidence, and record the answers in the hallowed spreadsheet. At the end of the engagement, the consultant will come “offline” and score each question on some seemingly objective scoring system, like a 1-5 score, or maybe a Red-Amber-Green (RAG) score. Then, armed with a nuance-killing score for each possibly-relevant question, the spreadsheet will run an overly-simplistic algorithm, which will spit out a “risk score” for the investor. That’ll be £27000 please.

I see all kinds of problems with this approach. Firstly, the ISO 27001 framework wasn’t designed to identify investment risk; it was designed to enable organisations to develop an information security regime, and to assess that regime against established best practice. Don’t get me wrong; part of technology investment risk analysis revolves around information security, but as topics they overlap like a Venn diagram rather than being synonymous. So straight out of the starting blocks, this due diligence approach is using a flawed framework to answer the question “what are my risks in investment?”.

The second problem I have with this approach is that, as in any business, risk is organic. And even though contemporary technology is usually digital in nature and thus underpinned by binary code, technology risk is organic as well. With this in mind, I just don’t believe that a canned set of spreadsheet questions will answer the exam question “what are my risks in investment?” with anything other than a poor degree of fidelity. Risk is organic; it will look different in every business out there. Organic risk cannot be boiled down to an integer, or worse, a RAG score, after pouring some flawed data into an Excel spreadsheet. Investors don’t need low-fi answers to high-fi questions. They need more.

Approach 2 – Engage your Brain

If risk is organic, I believe the best way to identify, characterise, qualify and mitigate any risk to the acquirer/investor is to take an organic approach to technical due diligence. I believe it’s best to build a specific and bespoke set of questions relevant to the technology or company in question. I also believe that the bespoke set of questions should act as nothing more than a framework for a dialogue and an aide-mémoire, not a product to be filled out. The set of questions is nothing more than a catalyst for conversation and analysis, the focus of which is identifying risk for the investor. And the person leading the technical due diligence project shouldn’t just be a technologist; they have to be somebody who is fluent in both technology and business. Once you’re in that dialogue, the person leading the technical due diligence needs to be an investigator, not a data input specialist. He or she needs to have good analytic intuition and needs to be able to follow that intuition to ferret out risks. Open-mindedness, lack of bias, and agility of thinking are critical. I can’t tell you the number of times I went into a room to undertake a technical due diligence exercise and left the room with a set of risks that I could in no way have predicted ahead of time, and which I never would have found had I been reading from a spreadsheet instead of thinking with agility and following my intuition.

Risk is organic, and the approach to the identification of risk needs to be organic in the pursuit of truth.

Conclusion

Cyber and digital transformation are going to be incredibly attractive markets for investors to break into, but only investors who have tailored answers to tailored challenges will be able to maximise their profits and minimise their investment risk in those markets.

Red Maple Technologies specialises in agile and bespoke technical due diligence projects. If you or your business are thinking about breaking into the cyber, digital transformation, or ANY technology market and would like help maximising your effectiveness and minimising your risk, please visit us at www.redmaple.tech, or email us at [email protected].
