The IT Governance Maturity Gap in Private Equity


A core component of our IT Due Diligence service at THRDparty Advisors is benchmarking a target’s IT governance maturity. Every target we have ever evaluated has had a gap between the maturity of their IT governance program and our expectations based on their size, sector, and stated objectives.

In this article I’ll give some examples of IT governance maturity gaps, explain why we have never found a PE target that met our expectations, and describe what to do with this knowledge in various deal scenarios.

Examples of Common Gaps We Find in IT Governance

As you read through these four examples, remember that gaps are always relative to the size, sector, and stated objectives of a specific target company.

One of the most common gaps we find is in the size and structure of IT teams, especially in security, privacy, and compliance roles. Often these roles are missing completely, or people from other IT teams (such as infrastructure) hold dual roles to cover these areas. Adding a security role to a team member with a different core responsibility can actually decrease overall security posture compared with not having the role at all: the title creates the appearance of coverage while the work goes undone. We have seen real-world cases where understaffing was the primary failure in major security incidents, mainly for two reasons: 1) IT staff were overworked and spread too thin, and 2) the role was added and then forgotten because it never became part of anyone’s job description or performance evaluation. An important function of IT governance is right-sizing the team.

Related to IT organization size and structure, we find that many companies are not thinking about IT governance at the board or C-suite level, which is where all governance should be defined and monitored. When technology leaders are not giving regular briefings at the highest levels, we recommend that our clients perform deeper diligence on all areas of corporate governance, such as accounting, quality, risk management, and compliance.

A more downstream gap example is in business continuity. We see many companies with a high-level business continuity plan but no disaster recovery plan. Even companies with robust backup systems and processes in place will suffer unnecessary losses without a step-by-step, rehearsed disaster recovery plan that shortens time to recovery and survives employee attrition. The lack of such a plan is a clear indication that IT governance is not being defined and monitored at a high enough level.

The last gap example I’ll give is around IT service management. We don’t expect middle market companies to strictly adhere to a framework such as ITIL, but we do expect to see an organization structure with policies and procedures that addresses how internal demand for IT services is managed and how the IT team’s ability to meet that demand is measured. Many of the leaders we interview are unable to show us even general trends in helpdesk demand (incidents and changes) or project demand against a project roadmap. If that reporting were reaching the board, they would simply have handed us the latest board slide; the fact that they can’t tells us it is not happening at high levels.

Why IT Governance in Private Equity is Often Immature

You might wonder why our expectations remain static even though the targets we evaluate never meet them. There is a simple explanation: our clients are PE firms seeking to acquire businesses with a history of steady growth. It stands to reason that the sample of targets we evaluate skews toward mission-focused companies whose management teams are attending to the growth of their businesses rather than to governance. If our clients included all companies active in M&A, rather than just private equity, our expectations would be met at a much higher rate than zero.

The gaps we find are not usually very wide, and they tend to be in one or two areas of governance rather than several. In other words, the companies we evaluate typically make a reasonable effort to keep their IT governance curve matched to their growth curve over time. This is simply not easy to achieve, and in the next section you’ll learn how to think about these IT governance gaps not as red flags but as opportunities.

IT Governance Gaps as a Value Creation Opportunity

At THRDparty Advisors we place our negative findings from IT Due Diligence in three categories: Deal Breakers, Red Flags, and Value Creation Opportunities.

The only type of negative finding we would ever report as a Deal Breaker is blatant and evidence-backed deception or dishonesty by the target’s representatives. How many times have we had to report a finding as a Deal Breaker? Zero.

Red Flags are findings that likely point to deeper systemic issues within an organization. We rarely have to report our findings as Red Flags, and when we do it usually results in further investigation and a lower valuation (see the next paragraph) rather than deal termination.

The most common type of negative finding we report to our clients is the Value Creation Opportunity. These are findings that reduce the valuation of the target and lower the sale price (good for our PE clients) while also creating an opportunity for post-acquisition value creation. We see IT governance gaps as value creation opportunities because, with our help after the deal closes, they are inexpensively mitigated and make the company more attractive to future buyers. And when it comes time to exit the investment, THRDparty Advisors helps clients tell their technology value story in part through an IT governance lens.

IT Governance Gaps in Investments with No Controlling Stake

The advice in the section above applies mainly to our clients doing leveraged buyouts. For our clients in private debt, growth equity, or who are otherwise investing without a resulting controlling stake, gaps in IT governance must be viewed more as risks than as value creation opportunities, because the investor cannot direct the remediation. In these instances, we advise our clients to obtain contractual commitments from the target that these gaps will be mitigated within a set period post-close, and that follow-up diligence be permitted to verify it.

Conclusion

IT governance gaps are a common finding in private equity due diligence, but can usually be viewed as a value creation opportunity rather than a red flag if you work with the right transaction partner.


Daniel Lucas is the founder of THRDparty Advisors which is on a mission to protect private capital from cyber risk, digitally transform portfolio companies, and maximize exit returns. They are IT executives advising PE firms and PE-backed companies through every investment stage. Visit https://thrdparty.com for service details, case studies, and pricing.
