Technology companies encounter various specific risks that can have real impact on their operations, ranging from cost inefficiencies and productivity problems to susceptibility to security breaches. A Technology Due Diligence (Tech DD) is crucial for identifying these individual risks and devising strategies to mitigate their impact
These are the risks that are seen most often, that are covered as part of a Tech DD:
Organizational structure and processes inhibiting efficiency in development
Effective yet efficient communication keeps teams aligned and aware without constantly interrupting them with details. Unnecessarily complex collaboration models and organizational structures result in procedural resource waste, which ultimately demotivates and lead to talent churn.
Efficient processes typically rely on goal definitions and road mapping, explicit models of collaboration between the teams and a clear organizational structure that is tailored to the company’s goals. The multitude of different options when it comes to structuring “Product and Development” departments makes finding the sweet spot of optimal team size, collaboration model, and reporting hierarchy anything but trivial.
In very early company stages, when the team is mostly the founders, there is no need for sophisticated structure. However when business picks up, this changes fairly quickly. Experience shows that more than 8 members per team come with significant drawbacks, which would also be the typical limit for direct reports a team lead or manager can handle (this “rule of thumb” limit is higher for a team of very homogenous roles of course).
At scale, this means that some level of distribution (we’re deliberately not saying “hierarchy” here) of staff into groups of contributors is required. Larger organizations often struggle with strong dependencies between teams, regularly blocking each other’s work. Often, this is caused by teams who are assembled around skill sets, not domains, which ultimately leads to significant improvement potential in collaboration efficiency.
Limited access to existing knowledge impacts autonomy
As teams grow, knowledge tends to accumulate among the most active, ambitious or experienced engineers, resulting in knowledge silos. If knowledgeable engineers leave the organization at a later stage, progress on building the product will likely slow down, while service stability and availability may be affected as well.
The effect is unfortunately self-reinforcing: poorly distributed knowledge in the heads of a small number of senior tech staff makes it increasingly hard to mitigate that risk itself, as significant dedicated efforts will have to made (instead of a constant, manageable effort built into the processes). Even in early stages of a company, a structured, minimal documentation allows for quick understanding of key concepts, components, and algorithms - but is often neglected in favor of creating a product.
While that may be a valid trade-off, the price normally becomes evident once trying to scale development teams, when documentation needs to be created to get new staff up to speed as quickly as possible. So documentation should not be seen as a pure accountability obligation, but rather as a productivity lever that is used to not block experienced engineering staff too much once growth kicks in.
Later-stage businesses often face the same problem, it just manifests differently: over time, a lot of documentation on various topics is created, sometimes even using multiple different systems (e.g. Wiki systems, email lists, personal notes). In absence of a clearly defined structure that applies for all teams and a constant review of the key pieces being up to date, it becomes virtually impossible to distinguish important pieces of knowledge from “noise”. The effect is ultimately the same: new hires have a hard time figuring out how things work and rely on resident staff to get help, ultimately leading to two (or even more) blocked engineers.
To avoid this knowledge access trap, it is vital to choose a documentation systems and set a clear structure on how to use them. It helps a lot to establish a clear culture of documenting what’s important in the right type of system e.g.
- technical docs in git,
- text in a wiki,
- diagrams in a suitable tool
To support the companies we assess, we provide an example structure, containing bare minimum items we consider essential to every tech company’s documentation.
Security vulnerabilities
Security incidents may compromise the confidentiality, integrity, or availability of information assets or systems. The effects of such incidents range from downtime and data loss to exposure of sensitive information or loss of intellectual property. The ultimate impact will manifest as customer churn, damage to reputation, or even legal action - which all stakeholders would like to avoid of course.
Even in environments that are considered highly secure, some residual risk always remains, as new vulnerabilities and attack vectors are constantly being found. So even though most companies consider security a crucial factor to protect their business, practically every Tech DD uncovers improvement potential.
It pays off quickly to include solutions for dependency management and monitoring to avoid missing an important update to third party libraries, potentially fixing security-relevant bugs. Regular penetration tests by experts to increase resilience of systems deliver great value for the investment, considering that unavailability of high-load components quickly leads to lost revenue that exceeds the cost of regular penetration testing.
Especially larger systems with outdated dependencies may suffer an upgrading deadlock caused by version incompatibilities, leaving the company in a state where it cannot fix publicly known vulnerabilities in time. It is vital to leverage tools for dependency monitoring and regularly set aside time to stay up to date.
A general understanding of common issues when building web based applications must be established in development teams to keep up with the latest threats. Following OWASP and registering for security mailing lists of core components is a very good start.
Data privacy issues, GRPR non-compliance
The General Data Protection Regulation (GDPR) is a regulatory requirement of the EU that mandates certain protections are in place to safeguard personal information. Companies are required to take regular GDPR compliance audits, especially when business grows and customers become larger, as enterprise clients often require suppliers to be GDPR compliant.
Non-compliance can result in monetary penalties and especially in environments with large amounts of data, the effort required to establish compliance at later stages can be enormous. Countries all over the world are creating legislation quite similar to GDPR, increasing the pressure on businesses as regulation lets service users keep ownership of their personal data.
Service providers must disclose what types of data they collect and use, why they do it, and who they share the data with. Any user can request information on the personal data that has been stored about them, service providers must provide that information within a short amount of time. After contracts end and data is no longer required, users can request the deletion of all associated data. The responsibility for being GDPR compliant is assigned to a company’s Data Protection Officer (DPO).
Even though GDPR has come into effect in May 2018, many companies are still behind on implementation and the list of potential fines is growing. Quite regularly, the role of the DPO is either missing entirely or the role assignment leads to a conflict of interest and is considered illegal (e.g. the DPO is also a director).
Ventures at later stages usually have the role assignment covered, yet lack proper ability to provide information on user’s rights in due time or aren’t able to state what type of data needs to be deleted or anonymized upon account termination. Often it is a good starting point to outsource GDPR basics to a specialized service provider.
They will take care of training employees regularly to provide an auditable log, act as a DPO, and have everything available to help businesses focus on their core product. These specialists are also able to identify special requirements (e.g. for ventures that heavily rely on personal data and need to do more than just “basic compliance” work).
When growing further, consider implementing Information Security Management Systems (ISMS), or even get certified (e.g. ISO 27001) to increase trust from clients.
Technologies used just to push valuation
Prioritise essentials over ‘vanity’ technologies. In the competitive tech landscape, it’s crucial to maintain a minimal tech stack, focusing on needs as opposed to wants. Adding unnecessary ‘vanity’ technologies to inflate valuation or to satisfy developers can be a resource drain. These funds could be better used on other more worthy pursuits.
Moreover, many of the latest tech trends, such as artificial intelligence (AI) fall short of their expectations, leading to significant asset devaluation. Likewise investing in deep tech solutions unless they’re essential for your business can lead to wasteful expenditure.
Ensure all tech investments are strategically aligned with business outcomes, rather than being swayed by market hype. Streamlining your tech stack will maximise the impact of your investment whilst minimising risks.
Mismanaged data strategy
Effective data management techniques present an opportunity to unlock your business potential. A poorly defined data strategy hampers your ability to understand your customers and market effectively, leading to the increase in customer acquisition costs.
Embrace a data-driven approach to uncover opportunities and make informed decisions, ones that are based on facts and data as opposed to gut feeling.
Implementing centralised access to data gives it its value, propelling your business forward with a strategic approach to data management.
Hiring risk: Talent adverse environment
In today’s competitive market, top tech talent is hard to come by. If your product is built on an unattractive tech stack, your ability to attract top talent diminishes. This may necessitate offering pricey premiums to hire a top talent.
Moreover, a poor tech stack can contribute to high levels of technical debt. Whereby short-sighted tech choices sandbag future development, this accumulation of tech debt can lead to employee churn and decreased motivation.
Hiring risks can derail your growth. Investing into your tech environment to create a magnet for talent, positions your company for success in the future.
Conclusion
The risks outlined here represent a fraction of the complexities that are faced by technology companies today. The dynamic nature of the space ensures that each company is uniquely positioned, influenced by many contributing factors such as its age, stage, industry, team culture, market fit, and competition.
A comprehensive technology Due Diligence (Tech DD) is indispensable in the mitigation of these risks, creating transparency in the investment process or M&A dealings. Depending on the scope of the project, some risks may be unseen or not manually accessible. This is when data-driven software is required to identify and manage these risks, such as detecting open source licences or sensitive credentials in source code.
Integrating Tech DD with Legal, Finance and Business Due Diligence ensures a holistic understanding of potential risks and opportunities. By streamlining these processes and leveraging a multidisciplinary approach, investors can navigate the complexities of the landscape with clarity, enhancing their chances of success.
