Skydivers know that there is a risk their parachute won’t open. Police officers know their daily jobs come with the inherent risk of danger. And private equity firms know there is a risk they won’t realize the expected return on investment in any given deal thesis – but even with that understanding, and the standard due diligence a firm will perform prior to a deal, hidden IT risks may lie within an investment company.
These five technology-related risks can put a private equity firm in a precarious position when it comes to realizing a deal thesis or accurately assessing a portfolio company’s return on investment.
1. IT security vulnerabilities
Many private equity firms know to perform a financial assessment of a potential investment company. Yet not every company thinks to assess security vulnerabilities within the same company – even though the financial implications of a cybersecurity breach can be massive. Some firms realize the risk, but lack the capability to perform a comprehensive assessment, so they cross their fingers and hope for the best.
And then, one day, it’s too late: The portfolio company suffers a data breach, and the implications are widespread. Fixing a cybersecurity issue can cost millions of dollars and take hundreds of man-hours, and the cost of compensating customers continues to rise as businesses are forced to offer services like a free year of credit monitoring, gift cards and more.
Meanwhile, the business has lost its customers’ trust – further impacting revenue – and still must face the regulatory music. Data must be secure and confidential to meet a variety of compliance standards; if organizations don’t comply, fines can be in the millions. All told, a data breach can cost an average of $3.86 million.
Especially for portfolio companies involved in ecommerce or financial transactions of any kind, mitigating the risk of a cybersecurity breach must be an integral part of the private equity firm’s initial due diligence, as well as its active management strategy.
2. Regulatory noncompliance
This risk spans multiple categories, as a company must comply with numerous regulations based on its industry and specific business. Two examples pertinent to many companies within a PE portfolio include compliance with the Americans with Disabilities Act (ADA) and the Payment Card Industry Data Security Standard (PCI DSS).
Noncompliance with either of these standards comes, of course, with financial penalties – for example, a first violation of the ADA comes with a maximum penalty of $75,000, and a second violation will run a business $150,000.
And those are just Department of Justice penalties; legal action can be much costlier. Forms of noncompliance are no longer related only to lack of physical structures like wheelchair ramps and Braille signage: A judge found the grocery chain Winn-Dixie in violation of the ADA because its website was not accessible to users with low vision.
With ADA noncompliance for a website, a “violation” can comprise each individual session or transaction – which, for an enterprise or medium-sized company, can generate a fine in seven or eight digits. Filings of these types of federal website accessibility lawsuits tripled from 2017 to 2018, with the majority of cases in retail, food service, travel/hospitality, banking/financial, entertainment and leisure, and self-service industries. Many companies settle rather than go to court, especially with massive organizations like Target setting this precedent.
Apart from an actual regulatory body or individual plaintiff bringing legal action against a business for noncompliance, some less-than-reputable organizations exist for the sole purpose of finding the regulatory blind spots in a company and going after the company to strong-arm it into paying settlements via lawsuit or demand letter.
As a business scales – for example, if a PE firm invests in a chain of quick-service restaurants and opens several new locations – the financial implications of noncompliance can grow. The larger the business is, the greater the risk of getting caught, and the higher the penalties will be.
3. Licensing misuse
This refers to licenses for code, software or plugins being misappropriated or allowed to lapse without renewal, and it usually only becomes a problem when a private equity firm has reached the end of the deal cycle and is trying to sell.
Perhaps at one time, a developer at the investment company pulled open source code with licensing terms that indicated it was not for commercial use and pasted it into the backend of the company’s website, or perhaps the company was using plugins that were free for personal use, but not at an enterprise level.
Especially with blocks of code, these misuses can remain so buried within a company that they’re nearly impossible to detect within the course of day-to-day operations, but surface when a buyer performs a scan of enterprise software or a code analysis. It can break entire deals if the buyer realizes the cost of using the company’s software will skyrocket because the buyer will need to renegotiate terms to right the wrong.
4. Integration difficulties
Private equity firms often have big ideas for a new investment company. For example, a firm may see an opportunity to leverage complementary capabilities of various investments within a portfolio – an aspiration that makes a lot of sense on paper, but may not necessarily be possible in practice. One reason is disparate and/or legacy systems that are unable to integrate with newer or more efficient infrastructure.
For example, a firm may have invested in a chain restaurant without realizing that the chain’s payments processing system was structured in such a way that every other piece of the business’s workflow – order management, reporting, dashboards, CRM, loyalty program management, etc. – is tied to the payment gateway. If the firm has negotiated a better deal with a different, more modern payments processing system and wants to migrate the chain to a new system – thinking it will be a quick, easy win – it would soon become clear it would be neither simple nor inexpensive, because of all the other systems tied to payments.
Another example is the opposite problem. A portfolio company may have too many disparate systems within its workflow, all with their own databases. Is the data duplicated across multiple systems, or does some data exist in a CRM that does not exist in the web order management system? Can the firm scrap one vendor without losing data? Will one system go down, because it’s not clear how each system’s data is integrated?
The risk of integration difficulties makes it critical for a firm to evaluate the feasibility of any plans to update or revamp an investment’s infrastructure before signing a deal, and to figure out how flexible an investment company’s systems are and what the costs could be if they are structured poorly – otherwise, a deal thesis could be much harder to realize.
5. Scalability issues
It’s not unusual for a PE firm to aspire to take a business beyond its current scope to two or even three times its current scale – yet all the pieces that combine into a business’s operations need to be able to handle that expansion.
It’s not always simply a matter of adding another server or more hardware, because sometimes that can actually create more problems (see risk No. 4: integration difficulties). Scaling infrastructure can be easy, or it can be hard, and a lot rides on how it was structured to begin with.
If the infrastructure was not architected in a way that enables scaling, and if the components that run on the infrastructure were not designed properly, a firm will run into roadblocks when it attempts to scale the business, and not all problems can be quickly remedied by throwing more money at them.
Nor is every deal thesis the same, even within the same industry. Just because a firm was able to scale the last retail company it bought to triple its prior iteration does not mean the firm should assume the same costs for another retail company – because the first company’s infrastructure may have been better set up to scale.
So with these five hidden risks looming over every investment, what can a private equity firm do to root out and account for them?
Solution: Deep-dive technology audit
Financial due diligence is only the beginning; technical due diligence is just as essential.
Without a full audit into all of the potential investment company’s technical assets and processes, a private equity firm is setting itself up for one or more of these hidden risks to pop up in the future. Understanding the risks will help a firm see the current and potential future value of a business, as well as how it can bring the company up to speed and realize a successful investment.
Delineating where technology risks reside within a company and what areas need to improve will help a private equity firm define its approach to technology in its target company. Once a firm understands the context of any shortcomings, it can make better decisions on where to focus the investment, bringing portfolio brands up to speed and reaping the most value out of acquisitions – and ensuring technology is never the bottleneck in achieving investment goals.
Including a third-party advisor can be key. Formerly, private equity firms had to evaluate their investments on their own, but a shift in perspective is driving more firms to partner intimately with both target companies and third-party advisors early on to perform a technology audit. A dedicated, proven framework for assessment, interview and examination will allow external assessors to find hidden pitfalls and risks, and to look at things in a different light.
Once technological risks have been identified and classified, a firm and its target company and partners can determine which to address first, and formulate a strategy for how to address them, based on the organization’s specific business case.
Audit now, audit always
Failure to perform technology audits has influenced many a deal for both buyers and sellers, which makes it critical for PE firms interested in investing in a company to take a pre-deal deep dive in order to mitigate or plan for these five risks.
And as important as it is to do point-in-time assessments at various milestones during a deal (before acquisition, before a firm signs off on the business case to launch a major initiative, etc.), firms must also perform continuous assessment and active monitoring and mitigation of risks, because sometimes these risks crop up slowly and organically. Either a third-party advisor or in-house experts should be deployed to ensure these risks don’t arise in the future, or return.
It’s unnerving to think that these types of risk exist within a deal, but the unfortunate truth is that many companies have hidden IT risks that can negatively impact a private equity firm’s return on investment. Yet it’s better to know and take action than remain in the dark – and with the right strategy, a firm can still see return on investment from even the riskiest deals.