5 Best Practices For IT and Operations Diligence

Methodical preparation, combined with an explicit understanding of value drivers can minimize effort and maximize the return on IT & operations diligence.

Operations Diligence

While negotiations usually begin following the review of attractive financials indicating growth, the core value of a company is uncovered by understanding its health through Operations diligence. A team can uncover possible challenges to a carve out or combination, and make sure these are underwritten in a final bid. Also, by knowing the numbers and reviewing KPI’s (key performance indicators), a team can understand how adept the target is as an operator, and any opportunities for operational uplift. Operational uplift can be thought of as possible gains a company may see in EBITDA should it move from below average in a certain measure to a top quartile performer. Operational uplift can help to inform out ‘best case’.

IT Diligence

From an executive level, IT may be commonly understood as “R&D”, a somewhat biased view. In reality, IT encompasses a wide range of scattered technology activities. We can define technology activities as all the activities related to development, purchase, and deployment of the technology. The diligence team must take of global view of IT’s role in the organization’s operation, and understand the sometimes significant cost that can be incurred. Carving out companies IT footprint, combining, or dealing with disparate ERP systems spread across 50 countries can lead to meaningful expenses that need to be underwritten. Sizing these expenses and considering them as part of the actual acquisition cost of the target will often lead an investor to pass on a company that had otherwise seemed attractive based on an EBITDA multiple.

1. Everyone on the team should understand the investment thesis.

While it is important for each due diligence work stream to aggressively work towards ‘getting to an answer’ for their specific area of responsibility, they must also understand the broader investment thesis, how the target fits, and how their specific analysis supports the plan. Often times functional teams are assigned a specific task – determine the pension liability due at close or assess one-time-costs from previous 3 years – with minimal (if any) understanding of why the deal is even being considered. Starting with an understanding of the thesis will help the team focus on the most important information in interviews and supporting industry research. Everyone on the team should at least have a basic understanding of the following areas:

  1. Market – Who are the customers, how large is the market, and what are the trends in customer preferences?
  2. Industry dynamics – Who are the key players in the industry? What margins are often achieved? What are the patterns of new entrants / exits? Do consolidation opportunities exist? Do barriers to entry exist?
  3. Potential synergies – How does this transaction increase the value of the operating company? Revenue and cost synergies? New products or Management?
  4. Business model – What are the key value drivers for the Target? How does the company perform across best case and worst case scenarios during periods of growth and downturns? What are the core assets and what shape are they in? What improvements are anticipated during the investment life-cycle?

By beginning with the end in mind, and understanding the underlying thesis driving your team’s evaluation of the target, you will achieve greater efficiency during a fast-paced process. Starting with the thesis will allow you to begin with the right branches on your issue tree, and ensure you have a plan to be exhaustive, yet focused in your diligence. Furthermore, framing your mindset around the investment thesis will guide your interview conversations and allow you to make the most of your time with experts and company personnel.

2. Get some context

Many times, the investment thesis for a transaction weighs heavily on the value of the synergies present in the transaction. Common synergies include cost savings from eliminating redundant functions, or revenue enhancements that result from having a larger customer list.

The due diligence team must also focus on the possible dis-synergies or other negative consequences of a transaction. For example, there may be capital expenditures required to achieve both cost and revenue synergies, brand value may be diminished, customer service may decline during the integration. In addition, new infrastructure and applications may be required to integrate the acquisition, or follow compliance guidelines for a larger enterprise.

Day 1 is a key event that your team should evaluate for implications following legal close and new ownership of the target. IT system continuity is critical to a successful acquisition, and should be evaluated properly. Many times this can be a significant expense not called out in a pitchbook or Confidential Information Memorandum. Day 1 implications for IT require analysis and sizing across IT, functional, country integration, and divestments.

When conducting your IT diligence, make sure you are addressing the four key areas below. Work to establish a value representative of preparing your target acquisition for Day 1 of ownership.  This should be underwritten as part of the cost of completing the transaction. This can be a significant expense that will impact the expected ROI, some times causing the investment committee.

  • IT Integration – Maintain/reinforce stability of acquirer and target systems as well as the IT team. Ensure security on Day 1.
  • Country Integration – Provide all customers a smooth Day 1 experience regardless of specific country priorities.
  • Functions Integration – Ensure compliance with regulatory and statutory entities. Support the business and protect customer/ supplier linkage. Set the basis for process optimization.
  • Divestments – Ensure smooth coordination with carve-outs and guarantee business continuity.

Addressing these four areas, and determining follow on implications and solutions will require not just interviews, but also documentation and contract review. The IT diligence team should request purchase agreements and other contracts related to the ERP and other enterprise software to define proper requirements and understand liabilities. There also can be significant implications for working capital when making a system change. These need to be reviewed by someone with expertise so the actual outcome is understood.

3. Do your homework ahead of time

Prior to beginning operational and IT diligence, access to the data room should be obtained. Be sure to also obtain a copy of the confidential information memorandum (CIM) and vendor due diligence (VDD) early on. When beginning your review of the data room, become familiar with the file structure and index. The data room is populated with the target’s key documents, including:

  • Contracts and purchase agreements
  • Intellectual property
  • Employee information
  • Financial Statements
  • Capitalization Table

When dealing with a well-structured index, documents should easy to find and stored in a logical place. If you’re not finding what you need, submitting your request earlier to the seller’s team will be beneficial.

Common issues with historical documents

Due diligence investigations by buyers often find problem’s in the target’s historical documentation process. A few of the below items will be critical to the IT diligence to assess actual ownership of intellectual property. Key items to look for:

  • Contracts not signed by both parties
  • Contracts that have been amended but without the amendment terms signed
  • Missing or unsigned board minutes or resolutions
  • Incomplete/unsigned employee-related documents, such as stock option agreements or invention assignment agreements
  • Incomplete patent documents
  • Incomplete capitalization table
  • Missing stock purchase agreements or investor rights documents

If major deficiencies are uncovered, the investment team may want to require certain matters to be remedied as a requirement to closing.  Matters can be further complicated if ex-employees need to be located to sign invention assignment agreement. Knowing the data room inside and out is critical to identifying risks, and what the possible remedies may be.

4. Know the numbers

An organization’s strategy is based on selected value drivers. What follows below is a list of standard indicators typical to a manufacturing or shop floor environment to provide an example of possible KPI’s or metrics to evaluate when undertaking an operational diligence. Just as we are providing a set of KPI’s related to a specific industry, manufacturing, a due diligence team should have an expert with real world industry experience to know what questions to ask. Building your team with professionals that have a relevant circle of competence is critical to due diligence success.

It is important to set up a balanced and structured approach for operations due diligence so the analysis does not skew focus onto 1 area (e.g., cost) at the expense of another (e.g., equipment integrity). Once this structure is defined, the most appropriate measure in each “bucket” can be defined at each level of the organization. The most important thing is that a limited set of KPI’s is defined at each level. Keep this set as small as possible – the aim is to give the investment committee the right information to make decisions and understand trade-offs between measures. It is very easy to define too many measures which can lead to information overload – if they have to figure out how to synthesize across 20 measures, they are unlikely to find the results of this analysis useful. A good rule of thumb is 4-5 measures maximum at any level.

In the following example, we provide a few standard KPI’s / metrics around costs, customer satisfaction and health (asset and workforce).

Costs – Manpower productivity (opex) and capital productivity (capex).

  • Units/hour
  • Units/person/day
  • Overtime hours/employee
  • Labor cost/unit
  • OEE (%)
  • Scrap rates (% of total material consumed)
  • Time/units lost to changeovers
  • Time/units lost to breakdowns
  • Mean time to repair
  • Mean time between failures

Customer satisfaction – Quality and delivery

  • Right first time (%)
  • Defects (ppm)
  • Lead time from order to delivery
  • On time in full (%)
  • Customer downtime as result of late delivery (% or hours)

Health – Asset health and workforce health

  • Maintenance work order backlog
  • Maintenance plan attainment
  • Absenteeism
  • Staff satisfaction
  • Injuries (or incidents) per 1,000 employees per year
  • No. of grievances lodged per employee
  • No. of suggestions implemented per employee

Analysis should be completed using multiple approaches, including:

  • Financial (e.g., value generation)
  • Customer (e.g., customer satisfaction)
  • Opportunities/innovation (e.g., new product generation)
  • Operational (e.g., vendor management)
  • Organizational health/strength (e.g., sales force effectiveness)
  • External world (e.g., community standing)

Once the KPIs have been defined – 1 or 2 supporting metrics (sometimes called drivers or leading indicators) can be defined. The purpose of these is to help an investment committee understand what is underlying KPI performance and what the possible value for operational uplift would be if performance improved.

5. Use checklists the right way

Checklists are a set of steps to execute. But, you need to know how to execute them correctly. Airline pilots, surgeons, investment managers are all increasingly relying on checklists to improve professional performance. Yet, it is key to remember checklists are only as good as the person performing them (Can a pilot perform a surgery with a surgeons checklist?)

Checklists are helpful to focus the efforts of your team, and also make sure that most major items are covered. Checklists can be very helpful when dealing with process that must follow a variety of rules including ERP license terms, international integration, and divestments that may be mandated by regulatory requirements. For strategic acquirers to meet anti-trust requirements, divestments are often required as part of a significant acquisition. Separating IT systems of the maintained and divested company parts include all systems from infrastructure to application landscape with special focus on security. Divestments typically follow strict timeline and need to be prepared for Day 1. Having a thorough checklist is critical to success in any separation. As stated before, reviewing purchase agreements and other ERP licensing terms will be important to gain an accurate picture.

Due to parallel timing, preparation of systems for Day 1 and divestment frequently overlap. System changes required can be overlapping or even contradicting if not managed.

IT Diligence Checklist – Day 1 Readiness

Functional Integration

  • Create outside in assessment of IT requirements for all functions
  • Agree on scope, priority and high-level implementation roadmap between functions and IT team
  • Ensure suitability to architecture guidelines
  • Define a reasonable Day 1 project plan including
    • Budget
    • Solution definition
    • Milestones
  • Evaluate special legal situations might require changes for Day 1, e.g., rebranding of customer/supplier portals in countries with joint venture


  • Conduct country risk assessments outlining:
    • Impact of divestments
    • Legal situation
  • Assess risk via standardized templates and in focus interviews with IT representatives
  • Based on IT diligence assessment, prepare draft country-specific action plans, and approximate a dollar value for any changes required

The above checklist is abbreviated compared to what would actually be used on an actual assignment. While starting with a collectively exhaustive checklist will increase the chances of a successful IT and operations diligence, a lack of organization, or lack of experts identify risks, can at times lead to massive unforeseen liability.

On an IT diligence, experts with backgrounds in software and computer science should be brought in to lead code review and security assessment. During code review, the diligence team wants to make sure the target actually owns their intellectual property, while paying close attention to any use of open source code. During a security assessment, an expert should work to validate the current security infrastructure and also investigate the existence of any past data breaches that could have a material impact on valuation.

An example: The recent acquisition of Yahoo

Following Yahoo shareholder approval, Verizon announced on June 13, 2017 that it had finally closed on Yahoo, and intended to form an entity together with AOL called Oath, covering 50 media brands. The deal was originally announced in 2016 with a price tag of $4.8 billion, but later pushed back and renegotiated for $250M less following the disclosure of two separate hacks, affecting 500 million and 1 billion users respectively.

Following the first hack disclosure, reports indicated Verizon had already asked for a $1 billion dollar discount. Following the second hack, Bloomberg reported that Verizon considered killing the deal. The SEC later investigated why Yahoo did not disclose its hacks sooner. Yahoo later admitted that some employees knew of the incident as far back as 2014. The two breaches in question are thought to have occurred in August 2013 (1 billion users) and late 2014 (500 million users). Yahoo did not make any disclosures regarding these events prior to executing its agreement with Verizon in July 2016. That same month, 200 million accounts had been posted to the “dark web” by a hacker who had previously been selling them privately.

Had the Verizon team been working with a security expert to evaluate and monitor the conditions of Yahoo’s systems and accounts, they could have factored this into their decision to enter into an agreement. If this security expert would have had the chance to interview key personnel, and possibly conducted some type of monitoring of information being sold, Verizon would have had more complete information.

While Verizon did go on to later receive a $250M discount for the late disclosed breaches, they initially wanted a $1 billion discount.  Underwriting Yahoo properly, and asking for this discount prior to the initial execution of the agreement in July 2016 would have been greatly advantageous. While it seems a data breach would be an obvious material adverse change and allow Verizon to walk away, this would be something decided in court. Walking away when they discovered the breaches could have still left Verizon liable for breakup fee, not to mention all of the M&A, legal, and other professional service fees it had encountered up until that point. Having a solid IT and operational diligence process could have helped Verizon to uncover this risk in time to pass entirely, or at a point where they could have used it as leverage to get the actual $1B discount they desired.

A due diligence team cannot assume their job is done simply because a standard checklist is complete. Industry experts need should be used in addition to checklist to ensure proper coverage. There probably wasn’t an item on Verizon’s checklist that said “Check the dark web for any posted sales of Yahoo’s user data.” Verizon followed a standard due diligence process that probably didn’t include deep security expertise, but missed a key detail. Yahoo’s data was posted publicly on the dark web in July 2016, the same month the merger agreement was signed.

At Greenwood, we’ve built our expertise through doing, with a long track record of IT & operations diligence execution. We have experience in bringing context, identifying key metrics, and knowing when to bring in experts to complement our efforts. Finding someone with deep experience who has successfully guided due diligence processes is the real differentiator.