Merger and Acquisitions Technology Due Diligence

IT capabilities are key strategic assets for virtually all modern companies. The integration of IT architectures, systems, and management structures is one of the major challenges in the M&A process. The planning and execution of an IT integration plan is critical to the overall success of the M&A transaction.

Historically, the lawyers and accountants that have led M&A teams do not recognize the risks, complexities, and costs related to creating technology solutions necessary to achieve the business and financial goals used to price the transaction. Ultimately the integration of IT during an M& A transaction consists of due diligence assessment completed prior to deal finalization and the post deal assessment of integration follow through.

The steps used during an M&A engagement include:

Understanding the Technology Architectures

The technology architecture for each company is unique. A detailed understanding of the composition and design of the technology solutions for both entities involved in a merger and acquisition transaction is required before starting the detailed due diligence assessment. The factors that need to be evaluated include:

• Use of cloud-based services
• In-house, locally hosted solutions
• Proprietary software

• Software licensing for key business application and infrastructure software

• Service agreements with third parties
• Identity authentication and management
• Access provisioning solutions

Using the information gathered during this initial phase a technology risk assessment should be completed.

Evaluating Technology Risks Presented by Proposed Transaction

When evaluating the merger of distinct technology architectures risk can be classified into three broad categories:

Technical level

Integrating the foundational layers of the application stack (networks, storage, virtualization software, operating systems, etc.) is critical for creating a technological solution that seamlessly meets the combined business needs of both companies.

A second area of risk that needs to be evaluated is whether any data will be mitigated between environment during the transition and on an ongoing basis. The secure transition of large volumes of data can be complex, time consuming and expensive.

Application user level

Evaluating the feasibility of integrating business applications based on the financial and technological resources required. For example, the ability to exit a cloud-based solution used by one of the companies to leverage an in-house solution could not be feasible.

This area of risk includes issues associated with:

Incomplete or flawed evaluation and selection of applications for integration of business function support across organizations
Incomplete identification and evaluation of business transaction data sets
Connection and integration of identity and access management solutions to provide adequate information security

Business level

Business level risk relates to the need to reengineer business processes to incorporate the new technology solutions that will be deployed in the combined entity. As with any new business application deployment the most important key to the success of that implementation is whether the system must be modified to meet current workflows, or the workflows are modified to leverage the functionality of the application. The later choice has a significantly higher success rate.

Post Deal Technology Architectures

A key deliverable of the due diligence phase is to make preliminary decisions regarding which of the following potential post deal technology architecture solutions will be incorporated into the integration plan.

Absorption

The full integration between the parent and target company’s technology architectures to create a single solution that will meet the current and future requirements of all business operations. This model requires the most research, planning, and follow through to achieve a stable, cost efficient technology solution.

Additionally, this model creates the most turmoil and stress within the IT organizations of both companies which must be acknowledged and directly addressed as close to the deal closing as feasible.

Back office integration

This model maintains two separate architectures to support the frontline business operations while integrating back office applications such as Human Resources, Accounting/Financial, and Accounts Payable systems. Additionally, the leverage of favorable service contracts or other third-party agreements would be included within the integration plan.

Partial integration with separate architectures

This architecture is the middle ground between full integration and full autonomy. The target and parent company will integrate wherever doing so would provide a clear advantage to aid in the ability to meet future business strategic and operational goals. The commonly occurs when the target or parent company’s technology architecture is outdated or does not provide the capacity to meet growth goals for a specific business function. The remaining functions and business applications remain separate and distinct. The secure integration of the connection between these two separate architectures requires detailed, technical planning and implementation.

Separate architectures

In this model the IT operation of each company remains a separate entity. This is the simplest integration model. The primary focus of the integration plan will be focused on the capital and effort required to reduce any gaps that require mitigation to bring the target company technology risk profile into compliance with the parent company policies, procedures, and standards.

Delaying the architecture solution decision will adversely impact the granularity and specificity of the final deliverable from the due diligence consultation efforts, the detailed integration plan.

Integration concept. Industrial and smar

Detailed Integration Plan Development

The integration plan is dependent on the post deal technology architecture selected. The key information included in an integration plan should include:

Detailed inventory of what technology components will be integrated and what components will remain separate
Address identified vulnerabilities in components that will remain separate

Establishment of structures, commitments, and timelines to ensure follow through on plans

Post Deal Assessment

The development of a detailed, comprehensive integration plan does not directly result in the achievement of the desired or required technology structure for the success of an acquisition. Key is creating the structure necessary to ensure that the time and resources necessary to complete all the activities outline in the integration plan. A post deal gap assessment would evaluate the risk mitigation progress related to –

System/environment integration activities identified during due diligence
Corrective actions for risk deficiencies identified in due diligence

If the post deal technology architecture solution is any model other than the full absorption into a single, consolidated architecture then a comprehensive vulnerability assessment needs to be completed. The additional access and visibility of the target company technology environment allows for a more comprehensive vulnerability assessment across all layers of the architecture than could be completed during due diligence. This additional detailed examination should be completed in a timely manner to ensure that the company is not exposed to unacceptable levels of risks that could adversely impact the confidentiality, integrity, and availability of information within the target company.

Why Engage CTSA?

CTSA personnel have hands-on experience in technology due diligence consultation and post-deal gap assessments of mergers & acquisitions of various sizes and complexity. Through these projects CTSA has developed a project model which uses a proven technology due diligence framework to complete an organized assessment of the technology portion of a merger and acquisition project.