#1 in M&A Technology due diligence checklist - Application Portfolio Analysis


With a constant carousel of businesses buying or integrating with other organizations, mergers and acquisitions (M&As) have become common practice for large enterprises. Whilst lucrative, M&As present a multitude of risks: financial stability, cultural fit and customer retention all have the potential to bring a deal to a sudden halt. However, are these considerations exhaustive enough?

Technology due diligence checklist - why do we need one?

In recent years, a new element of risk has entered the M&A due diligence process: technology integration feasibility. Technology has seeped into every aspect of organizations, and M&As are no different. An organization's software now plays a big part in whether integration succeeds. Accenture Merger Strategy research shows that 40% of M&As fail due to IT integration issues. During M&A due diligence, software can be a black hole: companies are often unaware of the quality of the other party's software, which can dramatically affect both the accuracy of the target's valuation and the post-acquisition integration costs. The applications may be riddled with technical debt, contain known vulnerabilities, or be incompatible with the acquirer's estate in their current state. These risks can stall or even sink a merger, or leave the combined business exposed to malicious actors who take advantage of poorly integrated IT systems to install malware or exfiltrate data.

Examples of M&A Failures due to lack of Technology due diligence

Two articles that show how a lack of comprehensive technology due diligence led to failed integrations:

Poor IT integration leads to M&A failures - covers the Banco Sabadell - TSB, Unilever - Alberto Culver and Santander - Williams & Glyn transactions

Marriott's cybersecurity nightmare: A lesson in M&A risks - covers the Marriott - Starwood merger, where a breach of the acquired Starwood reservation system was inherited by the buyer

These examples clearly point to the need for technical due diligence, and for a comprehensive technology due diligence checklist, if an M&A is to succeed with its risks understood rather than discovered after closing.

#1 in Technology due diligence checklist - Application Portfolio Analysis

To prevent software mistakes being made, organizations need a non-invasive way to shine a light on the dark-matter software that businesses possess, so that there is software quality transparency for all parties in the deal. The torch that helps businesses achieve this is Application Portfolio Analysis (APA).


Fig 1 - Application Portfolio Analysis dashboard measuring application software Resiliency along with Business Impact to help identify/prioritize applications with the highest risk


Make sense of software’s black hole with Application Portfolio Analysis

APA analyzes a portfolio of software by looking at individual components and measures the risks associated with the IT system. This is accomplished by scanning application source code to gain objective, actionable insights about the health, security, complexity, and cloud readiness of the application portfolio. Combined with qualitative business context data captured via surveys, APA provides a holistic picture of the software estate.

This comprehensive analysis includes critical information such as:

  • Inventory of all the software technologies deployed across an organization
  • Identification of legacy technology ill-suited to integration which will be costly to maintain
  • A software bill of materials (SBOM) detailing all 3rd party and/or open source components in use; and
  • An analysis of potential security vulnerabilities that the newly formed business would otherwise inherit in its applications.

Application Portfolio Analysis is also able to identify licenses that are incompatible with the company's intended use of the software, and to flag components of poor code quality that will need attention and budget to remediate.

For example, some open source software (OSS) components commonly used within custom enterprise applications carry restrictive licensing, such as the GNU GPL family of licenses. Depending on how such a component is combined with the application, the license can require the organization to release the entire application under the same terms; for the GPL this obligation is triggered when the software is distributed, and for the AGPL also when it is offered as a network service, so an application that is only used internally today can still become a problem the day it is shipped or exposed. If this is a mission-critical system, that is a significant legal risk, and understanding IP licensing implications should be part of any technology due diligence.
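The license check above is something a due diligence team can reproduce against any SBOM it receives, not only through a vendor dashboard. The following is an added example, not CAST Highlight code and not a description of its internals: it walks a CycloneDX-format SBOM (the JSON structure is constructed for this example), reduces each component's SPDX license expression to a risk class, and reports every component that needs a decision before the deal, including the distribution/network conditions under which GPL and AGPL obligations are triggered. The license buckets are illustrative, not exhaustive; anything outside them is deliberately reported as "unrecognized" so it goes to legal review rather than being silently accepted.

```python
"""Licence-risk triage over a CycloneDX SBOM (added example, not CAST Highlight code)."""
import re

# Reference buckets of SPDX identifiers. Illustrative, not exhaustive: any id
# outside them is reported as "unrecognized" so that legal review is forced.
SPDX_CLASSES = {
    "permissive": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "weak-copyleft": {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only",
                      "LGPL-3.0-or-later", "MPL-2.0", "EPL-2.0"},
    "strong-copyleft": {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                        "GPL-3.0-or-later", "AGPL-3.0-only", "AGPL-3.0-or-later"},
}
# Ordered from least to most restrictive for the integrating company.
RISK_ORDER = ["permissive", "weak-copyleft", "strong-copyleft", "unrecognized"]


def classify_id(spdx_id):
    """Map a single SPDX identifier (or free-text licence name) to a risk class."""
    for cls, ids in SPDX_CLASSES.items():
        if spdx_id in ids:
            return cls
    return "unrecognized"


def classify_expression(expr):
    """Reduce an SPDX licence expression such as 'MIT OR GPL-3.0-only' to one class.

    Simplification: parentheses are dropped, so only flat expressions follow
    SPDX precedence (AND binds tighter than OR). 'OR' lets the integrator pick
    the least restrictive option; 'AND' binds them to the most restrictive one.
    """
    flat = re.sub(r"[()]", " ", expr).strip()
    chosen = None
    for alternative in re.split(r"\s+OR\s+", flat):
        conjuncts = [c.strip() for c in re.split(r"\s+AND\s+", alternative) if c.strip()]
        worst = max((classify_id(c) for c in conjuncts), key=RISK_ORDER.index)
        if chosen is None or RISK_ORDER.index(worst) < RISK_ORDER.index(chosen):
            chosen = worst
    return chosen


def component_licence_expressions(component):
    """Collect licence expressions from a CycloneDX component's `licenses` list."""
    exprs = []
    for entry in component.get("licenses", []):
        if "expression" in entry:
            exprs.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            exprs.append(lic.get("id") or lic.get("name", ""))
    return [e for e in exprs if e]


def assess_sbom(sbom, distributed, network_service):
    """Return one finding per component whose licence needs a decision.

    distributed:     the application (or a derivative) will be shipped to third parties.
    network_service: the application is offered to users over a network (AGPL trigger).
    """
    findings = []
    for comp in sbom.get("components", []):
        ref = f"{comp.get('name', '?')}@{comp.get('version', '?')}"
        exprs = component_licence_expressions(comp)
        if not exprs:
            findings.append({"component": ref, "class": "undeclared", "triggered": False,
                             "note": "no licence declared; treat as unknown IP until confirmed"})
            continue
        # Several entries in the list are treated conservatively as all applying.
        cls = max((classify_expression(e) for e in exprs), key=RISK_ORDER.index)
        if cls == "permissive":
            continue
        triggered = False
        if cls == "strong-copyleft":
            is_agpl = any("AGPL" in e for e in exprs)
            triggered = distributed or (is_agpl and network_service)
            note = ("copyleft obligations apply: the derivative work must be released under "
                    "the same terms or the component replaced" if triggered else
                    "not triggered for purely internal use, but distribution (or network "
                    "exposure for AGPL) would trigger it; plan before integration")
        elif cls == "weak-copyleft":
            note = "copyleft limited to the component; keep it separate and unmodified or publish changes"
        else:
            note = "licence not in the reference list; needs manual legal review"
        findings.append({"component": ref, "class": cls, "triggered": triggered, "note": note})
    return findings


# Constructed SBOM for this example; component names and versions are fictional.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "webfw", "version": "4.2.0", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "db-connector", "version": "1.4.2", "licenses": [{"license": {"id": "GPL-2.0-only"}}]},
        {"type": "library", "name": "chart-kit", "version": "0.7.1", "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
        {"type": "library", "name": "pdf-render", "version": "3.0.0", "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "imaging", "version": "2.1.0", "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}]},
        {"type": "library", "name": "legacy-util", "version": "0.9"},
        {"type": "library", "name": "vendor-sdk", "version": "5.2", "licenses": [{"license": {"name": "Acme Proprietary EULA"}}]},
    ],
}

if __name__ == "__main__":
    # An internal web application that is not shipped to customers.
    for f in assess_sbom(SAMPLE_SBOM, distributed=False, network_service=True):
        print(f"{f['component']:<20} {f['class']:<16} triggered={f['triggered']!s:<5} {f['note']}")
```

Run as-is and the report lists five of the seven components: the GPL database connector (not triggered while the application stays internal), the AGPL PDF renderer (triggered, because the application is a network service), the LGPL imaging library, the component with no declared license, and the proprietary SDK that the reference list does not know. Flip `distributed=True` and the database connector becomes a triggered finding too, which is exactly the question to settle before the purchase price is agreed.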

Fig 2 - Application Portfolio Analysis dashboard showing app security vulnerabilities and IP licensing risks


Measuring these technology risks and their potential impact is key to decision making. If two companies want to merge and become cloud-native, but one side is still grounded on-premise, Application Portfolio Analysis can show how this will affect the M&A's progress, providing visibility as to whether the integration is viable given the intended strategy. The buying firm can then adjust the value of the deal based on the effort and investment needed to integrate the target's technology. This prevents companies from being left in the dark about how much money and effort resolving the software risks will take.

Application Portfolio Analysis also makes the due diligence process more efficient by making it automated and non-invasive. Target organizations can scan application source code using a local analyzer within their own environment, without transferring source code off the premises. A results file containing encrypted metadata is the only artefact that needs to be handed to the team performing the due diligence; the buyer should still agree the scan scope up front, since the results only cover the applications that were actually analyzed. APA allows fact-based decisions to be made, and made quickly. IT teams often assess technology manually, a long and tedious process, whereas an Application Portfolio Analysis speeds it up through automation. This is not only faster but more consistent, removing much of the human error that a manual assessment would incur.

Automated Application portfolio analysis - a guiding star in this M&A tale

CAST's APA technology, CAST Highlight, has provided visibility to many mergers. A recent customer success story is that of a very large financial services (FS) firm, which looks for technology-driven acquisitions as part of its wider business strategy.

The FS firm had recently shown interest in acquiring a technology company which claimed its systems only contained 25% legacy technology, something the FS firm was uninterested in maintaining due to costs.

To assess the accuracy of this claim, the FS organization used CAST Highlight to perform the automated application portfolio analysis in three hours, significantly quicker than the IT team's initial estimate of three months. From the APA results, the buying firm discovered that the true proportion of legacy technology within the IT systems was 45%, posing a greater risk to the buying FS firm than the target had claimed.

By completing this technology due diligence checklist's #1 and most important item, Application Portfolio Analysis, the buying company was able to negotiate a more favourable deal in light of the discovery: a more realistic price given the investment required to maintain the legacy codebase and integrate the new system.

Interested in checking out CAST Highlight’s Application Portfolio Analysis for your technology due diligence? Sign up for a free trial!

Greg Rivera, Vice President
As Vice President of CAST Highlight, Greg leads product strategy for the CAST SaaS platform helping customers and partners accelerate app modernization / cloud migration, rationalize their app portfolios, and reduce open source risk. He has worked with Fortune 1000 companies such as Microsoft, IDG Communications, and Arrow Electronics for over 20 years in technology and media, helping them make successful digital transformations. Greg has a B.S. in Electrical Engineering and an M.S. in Management of Technology and is passionate about applying technology to improve business and our everyday lives.