If you are facing your first due diligence from an investor as a startup, you may wonder what the process will look like. Here are 4 tips to help you understand the tech due diligence process.
The most important thing to understand is why investors perform a due diligence. There are a few reasons for doing a due diligence - not the least being that the investor has to show that they are investing the funds at their disposal in a responsible way. At the heart of it, investors are trying to establish what the risk associated with the investment is. More risk means two things - more costs in the future, and worse return on investment. The job of the team doing the due diligence is therefore to try and quantify the risk.
In the case of a technology due diligence, the risk can take the form of a poorly architected platform, a weak development team, unstructured processes, and a lack of operational policies. Of course there are many other potential risk factors - security and operations not the least amongst these. But let's look at the first four as a way to provide you with some tips to prepare for the due diligence. We will address the other risk factors in a future post.
Tip 1 - Be prepared to show that you have a strong development team or IT department.
How do you do this? You should be able to demonstrate productivity (for example by showing that the team meets targets). Demonstrate team skills by having résumés for the key people available. Show that the team is well organised and that you have sufficient people for the workload. Lastly, offer to let the due diligence team interview staff members other than the CTO - for example the lead developer. Let the expertise speak for itself.
All of this will help to create a picture of a strong and cohesive team.
Tip 2 - Show that the platform architecture is fit for purpose
It is unlikely that the due diligence team will do a full code-level audit of your platform - that simply consumes too much time. But they will definitely ask for architectural diagrams. We strongly advise against providing diagrams showing a generic "microservices" or "n-tier" pattern. You should provide sufficient information to demonstrate the static and dynamic aspects of the architecture you chose - it should be clear from the diagrams what dependencies exist, how data flows, how the platform is deployed, how it caters for scalability, and yes - you must be able to explain why you chose this architectural pattern. Be specific - explain why the architecture works for your business.
Tip 3 - Explain your software development life cycle
We want to know about your SDLC, because it tells us a lot about how well you manage your code, how productive your team can be and how repeatable and reliable your processes are. The one thing we do NOT want is a copy of a generic diagram you found via a quick Google search, showing scrum or agile flows. Also, don't copy a description of your SDLC straight from Wikipedia or the Agile Manifesto. We will recognise it, call you out on it - and ask you to give a detailed explanation of your processes in any case. It's better to provide a clear and succinct description of how you apply scrum or another agile process in your organisation.
Tip 4 - Be upfront about the policies you have in place.
It is a lot of work to create and maintain information security policies, and the associated business continuity, data management, disaster recovery and other policies. It is even more work to create and test the plans that implement the policies. If you are a regulated fintech, or you are ISO 27001:2013 certified, then, yes - you will have to have these in place. But we do not expect every startup to have complete coverage of policies. We do, however, expect you to be able to explain to us how you will recover from system failure, and how you make sure that your platform is secure - even if you do not have documentation covering all of that.
There is much more to a tech due diligence than the above - but these four tips should give you a good starting point to prepare. The golden rule is to provide as much information upfront as you can, and to bear in mind that the due diligence team wants to get the bigger picture - and is trying to understand how the risks in the business can be mitigated. A due diligence report should benefit both parties in a transaction.
Rosewood Due Diligence has conducted more than 150 technical due diligences across multiple sectors and in countries spanning the globe. For a personal conversation or to schedule a call contact email@example.com