This article, by Limor Maayan-Wainstein, a senior technical writer at Cybereason reviews the most critical challenges impeding the performance of technical due diligence during the COVID-19 crisis, and offers possible solutions.

Guest OpEd by Limor Maayan-Wainstein

Technical due diligence is performed for the purpose of evaluating the viability, sustainability, and profitability of a company’s technical posture.

While typical due diligence for investors focuses on financial aspects, technical due diligence evaluates technical factors, like architecture and software licensing, as well as human resources and development roadmaps. 

A technical evaluation of companies is critical for assessing risks, especially when you’re shopping for startups.

Unfortunately, performing technical due diligence during the COVID-19 crisis is far from ideal.

Global social distancing, for example, as well as local restrictions, may prohibit you from performing a comprehensive check. 

This article reviews the most critical challenges impeding the performance of technical due diligence during the COVID-19 crisis, and offers possible solutions.

What Is Technical Due Diligence?

Technical due diligence is a process that evaluates the technological and process aspects of an organization or technological team.

It is often done to ensure that companies aren’t making a poor investment when it comes to acquiring technologies, teams, or whole businesses. 

When performing technical due diligence there is a range variety of aspects that you need to consider.

These include product architecture and infrastructure, organizational processes and policies, team composition and skills, legal requirements and licenses, and developmental roadmaps.

For complex operations, products, and company, technical due diligence becomes even more critical in ensuring every aspect is properly assessed.

Why should you do technical due diligence?

Technical due diligence can help organizations more accurately evaluate their current technological standing.

This enables you to put a justified value on your products and business and to identify any issues that need remedying. 

This verification helps ensure investors that the purchase or investment they are considering is sound.

It helps eliminate surprises and ensures that any technology being considered is reliable, compliant with standards, and scalable.

When done carefully, it can also help negate biases created by personal interests.

Additionally, due diligence may be required by investment partners and failure to perform it can lead to greater liability than just loss of investment.

For example, venture capital (VC) firms often require due diligence evaluations before providing funding.

If it’s later found that you lied in your due diligence reports or that information was hidden you could be sued for fraud.

The Challenges of Due Diligence During COVID-19

Although some aspects of due diligence can be performed remotely, many require physical presence.

Due to COVID-19 restrictions, the shut-down of many industries and borders now severely limits the access to physical locations.

This severely impacts the ability that is needed to properly assess an organizations.

Likewise, altered processes, such as the increasingly adopted remote work paradigm, give poor insight into how any organization typically functions, making it difficult to judge the effectiveness of processes and teams.

This creates a host of issues, including those reviewed below.

Inability to conduct on-site visits

Depending on the type of products being produced and the spread of an organization, numerous site visits are often performed.

However, with travel restrictions in place, many of these visits are not possible.

This is particularly true for organizations with offices or facilities in other countries. 

Inability to meet in person

Like site visits, in-person meetings are a vital part of ensuring the honesty and reliability of due diligence evaluations.

However, even if meeting participants are currently in the same city, restrictions on gatherings and social distancing prevent these meetings from happening. 

Risk of abuse and error

COVID-19 has completely upended the operations of many organizations and many employees are not as well equipped to perform tasks from home.

This means errors are more likely to happen in due diligence, including oversights and review of inaccurate materials.

It also means there is a greater opportunity for untrustworthy actors to withhold information or present false information.

For these actors, the chaos caused by COVID presents plausible deniability if their fraud is discovered.

How to Manage Tech Due Diligence From a Social Distance

While some organizations may be able to delay due diligence evaluations until the current crisis has settled, this isn’t practical for others.

It is currently unknown how long operations will be disrupted and many organizations were in the middle of investment and acquisition processes when restrictions were placed.

Others are seeking investment in newly developed products or to expand into newly created markets. 

If you are one of the organizations that can’t wait, adapting your strategy to meet current limitations is key.

Below are a few steps you can take when implementing these adaptations. 

Set expectations early

Setting or resetting expectations early on can have a huge impact on how smoothly evaluations proceed.

In these expectations, you need to make clear where limitations lie and what can be provided as an alternative. 

For example, potential sellers should be upfront about any information, systems, locations, or people that are currently inaccessible and why.

For those that aren’t available, making best efforts to describe or outline the purpose, impact, and responsibility of those assets may be a suitable stand-in. 

For investors, clarifying what measures are needed to account for limited access is key.

This may mean requiring additional warranties, escrows, or indemnifications against fraud.

It may also mean putting in clauses that require additional evaluations post-restrictions.

Or, it might mean performing more thorough investigations of available assets as a partial substitute for those that aren’t accessible. 

Consider bringing in third-party evaluators

Third-party evaluators can provide the technical expertise that investors may lack.

These providers can also help prevent fraudulent evaluation results since they are invested in their own contract, not the results of the due diligence process.

The technical expertise these evaluators can provide is especially valuable now when codebases are one of the few fully auditable aspects.

These audits can ensure that at minimum a product is feasible and reliable.

Audits can also provide insight into any technical debts or dependencies a product may have. 

Although code audits can’t replace process or team evaluations, these audits can shine some light on the standardization of processes.

The consistency of code quality and the methods implemented can say a lot about the skill level and professionalism of the development, security, and operations teams. 

Leverage legal counsel with tech expertise

Even in the best of times, you should be relying on legal counsel with technical expertise.

They are better able to provide guidance on data compliance risks and requirements as well as on licensing.

They can also better evaluate how well organized and defined legal considerations are within the potential seller’s organization. 

Perhaps more importantly, these advocates can help you ensure that any reported limitations of evaluation seem sound and that modifications to diligence processes can be legally held up.

This way, even if you aren’t able to perform diligence in the same way as you might have pre-COVID, you and your organization remain protected from unnecessary risks.

Conclusion

COVID-19 is a global disruptor, but it does not have to prevent you from performing technical due diligence.

There are options you can consider, which can help you get the information needed to evaluate potential investments.

For example, you can investigate local restrictions, and see if you can arrange for a solo visit to the site. 

You can also use this as an experiment to see how this company is dealing with the COVID-19 crisis, and whether they can arrange for technical due diligence despite national and local obstacles.

Another option is to bring in a third-party evaluator, legal counsel, and technical experts, and delegate this task elsewhere.

Whichever course you choose, be sure to set expectations early on during the process, to ensure that all involved parties are aligned with your overall goals and financial objectives.

About the Author

Limor Maayan-Wainstein is a senior technical writer at Cybereason, and an experience writer on the topics of cybersecurity, big data, cloud computing, web development, and more.

Limor Maayan-Wainstein
Limor Maayan-Wainstein

She is the winner of the STC Cross-European Technical Communication Award (2008) and a regular contributor to technology publications.

Limor has been working in the hi-tech industry as a technical writer and editor for over 13 years, and has authored and edited highly technical software documentation and dev guides in the areas of computer/network security, middleware, mobile development and APIs.

She specializes in wiki editing and design, has done HTML and web-authoring, and is familiar with REST, Java, .NET, Spring Framework, XML schemas, databases (MySQL in particular), SQL, JDBC, networking, middleware and distributed computing, Android.