A technical due diligence is a process that leads to an evaluation of the technology and related assets belonging to a business. The process evaluates software, people, processes and infrastructure. The purpose of the evaluation is to identify risks, and to propose ways to mitigate the risks.
A technical due diligence is often performed on behalf of investors, but sometimes it is performed on behalf of the executive team or the board of a company.
According to Wikipedia, a "due diligence is the investigation or exercise of care that a reasonable business or person is normally expected to take before entering into an agreement or contract with another party or an act with a certain standard of care."
This description really gets to the heart of the matter - the purpose of a due diligence is to make sure that the investor (or the management for that matter) gets what they think they are paying for.
A due diligence process can mean a lot of work for the target company. If the due diligence is being done by an investor, you will be expected to participate in numerous workstreams, including a commercial, legal and financial due diligence process. These are typically led by the CEO, CFO and executive team. A technical due diligence is most often led by the CTO (Chief Technology Officer), or sometimes the CIO, with some involvement from the CEO and the head of product.
At Rosewood we are very aware that the work can be disruptive. We try to minimise the disruption by supplying our target companies with a comprehensive request for information. This allows you to get all the relevant information together at one time, and also allows you to indicate to us if you do not have the information available.
You may ask what type of information you will be required to supply. It can be a lot, depending on the maturity of your business and the type of business.
For example, fintech companies, especially those that are PCI compliant, will have some of the documentation we request at hand - such as disaster recovery plans, information security policies, and the rest. Other types of startups may struggle to produce formal documentation. In this case we will engage with you via face-to-face meetings to understand the processes you do have in place. We will never require you to produce documentation that you have not created yet.
Other documentation you can expect to be asked for includes at least some of the following:
Organograms of the technical/IT/development department
Lists of key staff members
Product roadmaps, and technical roadmaps
Project management metrics - for example burndown charts or task management statistics
Operational metrics like uptime and resource consumption.
Architectural diagrams.
Descriptions of CI/CD processes and QA processes.
An inventory of infrastructure - even if it is in the cloud.
Cost breakdowns of infrastructure expenditure.
Formal certifications, where applicable. An example is PCI-DSS certification.
Security related reports like penetration test results and vulnerability assessments.
(In a future post, we will provide guidelines to help you prepare for a technical due diligence)
All of the data that you supply will be collated by us into a single report that gives a comprehensive assessment of the state of technology in the business.
A technical due diligence can (and should) lead to a positive outcome for both the investors and the target company. Investors will obtain the level of insight they need to make the investment, and the target company will gain an objective, non-critical view of their platforms and processes.
We look forward to helping you with your technical due diligence, whether you are an investor, or a company preparing for an investment.
Rosewood Due Diligence has conducted more than 150 technical due diligences across multiple sectors and in countries spanning the globe. For a personal conversation or to schedule a call, contact partners@rosewoodd.com.