Understanding and Managing IT Risks, Costs and Opportunities During M&A Part 1: IT Risk Assessment

Understanding and Managing IT Risks, Costs and Opportunities During M&A is a follow-on series of blogs from Searchlight’s Guide to M&A, which set out how to maximise your chances of success in M&A.

Searchlight’s – Understanding & Managing M&A Risks, Costs & Opportunities

We at Searchlight have worked extensively in M&A and Private Equity led investment with a wide range of companies, from SMEs to Fortune 500 businesses. From this experience, we have distilled some lessons learnt that we’d like to share with you over a set of three articles, covering:

  1. Managing IT Risks
  2. Managing IT Costs
  3. IT Opportunity Valuation

PART 1 – IT Risk Assessment

A key outcome from IT Due Diligence is to understand the business risks that might exist in technology platforms, processes, people, and vendor contracts.

How do you quickly identify the critical technology risks, their likelihood & impact, along with the mitigation required?

IT is Inherently Risky

In most organisations IT is only a small part of the business, but it has become increasingly critical to survival and growth. Consequently, when (not if) there are issues with technology, the impact can be disproportionately high. The main areas of IT risk to consider and assess are:

  1. Responsiveness: Capability & Capacity
  2. Resilience: Controls & Continuity
  3. Reputation: Customer & Compliance

Responsiveness: Capability & Capacity

Like all business functions, IT exists purely to enable the organisation to meet its strategic goals. To do this it must provide the business services necessary to achieve the organisation’s objectives when they are required: Capability. These services must also be capable of adapting to changing products and markets, and scaling (up and down) to meet business demand: Capacity.

The key risks to look for in IT capability and capacity are:

  • Business Alignment: Are the business goals and objectives clear? What metrics can be used to determine success against the business goals? How are these metrics supported by the underlying business services, in particular IT-provided or IT-enabled services? Does IT have a clear roadmap to continue to meet business demand?
  • Service Levels: What service level agreements exist between IT and the consuming business functions? Are there clear service levels for availability, capacity, functionality, and security? Do the SLAs contain meaningful metrics and measures to identify and indemnify breaches of service levels? In many M&A situations, a Transitional Service Agreement (TSA) will be required to ensure the seller of the organisation provides appropriate operational, financial, and legal protection for a period of transfer to the buyer. These can present significant risks for the buyer and will be covered in an upcoming Searchlight article.
  • IT Strategy and Roadmap: A key reason to acquire an organisation is the value in the future growth and profitability provided in the sales prospectus. Does the IT strategy and roadmap clearly state how the future business change and growth will be supported by IT? Are the time, cost and quality of future service projects believable and evidenced? How do these plans stand up to market shocks or sensitivity analyses?

Top Tip: Get a better understanding of the true performance of IT by challenging business leaders in the organisation being acquired to describe how IT is either seen as business enablement or business prevention.

Resilience: Controls & Continuity

Assuming there are appropriate SLAs in place between IT and the business, you next need to check how effective they are in providing business resilience. By this we mean understanding the quality of service (QoS) provided, how the QoS is monitored and managed, how security is defined and governed, and what disaster recovery and business continuity plans are in place.

  • QoS Monitoring & Management: What service management framework(s) does the IT function use – ITIL, COBIT, TOGAF, etc., and what evidence is there to support their claim (policies, certifications, monitor logs, metrics, dashboards)? How effective have their efforts been in providing appropriate business capability and capacity through IT services?
  • Security Strategy & Governance: Is there an Information Security Management System (ISMS) in place? How compliant is the organisation with the ISO 27001 security management framework, and are there any ISO 27001 certifications in place? Review any cyber assessments completed by the company. Ask for details of any major security incident recorded recently, and any formal reports to the Information Commissioner’s Office.
  • Disaster Recovery and Business Continuity: What Disaster Recovery and Business Continuity Planning (DR & BCP) are in place? Find out how frequently these plans are tested and review the results of the most recent tests. Walk through the company’s Major Incident Management plan to understand whether the people, processes and technology are in place to recover the business effectively.

Top Tip: Although delivery of service & security controls and continuity can be outsourced, make sure the key resilience responsibilities are owned by internal senior security (e.g., CISO) and IT (e.g., CIO/CTO) leaders.

Reputation: Customer & Compliance

With regular media stories of customer data leaks and organisations paralysed by ransomware attacks, it is imperative that you ensure that the target organisation understands and protects sensitive customer data, and is also following the Governance, Risk and Compliance (GRC) regulations for its market. You also need to ensure that there are no supply chain issues with customers or suppliers that could damage or destroy the organisation’s reputation in the marketplace.

  • Data Protection: The Data Protection Act (DPA) 2018, and the UK General Data Protection Regulation (UK GDPR) provide the guidance for organisations to understand and implement data protection for processing of personal data. Does the organisation have a qualified and active Data Protection Officer (DPO)? Are the data protection policies in place and communicated effectively to all staff through training and education?
  • Governance, Risk and Compliance: Is there a current data architecture strategy, along with implemented data governance and ownership policies, overseen by a data governance committee? Are all static data stores adequately protected by encryption and access controls? How is sensitive data in transit kept secure? What data risks are there on the corporate risk log?
  • Supply Chain Management: How does the target organisation perform as a supplier to its customers, in particular against supplier audits of security and data protection? In turn, how often are data and security audits carried out on its own suppliers that have access to customer data and systems?

Top Tip: There can be significant risks associated with data in legacy systems that are difficult to secure to modern standards, so ensure you are shown recent security audits for the whole IT estate.


So, in summary, there are a set of significant risk areas in IT that need to be fully investigated to identify and quantify the risk and mitigation penalty that needs to be factored into the IT Risk Assessment. Contact us for more information so we can support your merger or acquisition due diligence.

In the next article we will describe how to understand and accurately estimate the true IT costs for the acquisition, for both current and future scenarios.

Many thanks for following this series of articles on M&A. Follow our blog to stay updated!


Oliver Cook