Technical Due Diligence–Safeguarding your IT Startup Investment

le 11/12/2020 par Sylvain Fagnent
Tags: Software Engineering

Or, how to invest then add value to your startup portfolio

Translated from French by Natalie Schmitz. Original French article : Due diligence technique – sécuriser son investissement dans des startups IT

Introduction

While many companies are still reeling from the ongoing coronavirus crisis, startups are taking the hardest blows. The French government injected 4 billion euros into the sector to help keep them afloat. For BPIFrance, the talk of the season is on which horses to bet.

The pandemic has bred frailty and imposed changes in course or even accelerations. These upheavals have, in turn, generated investment and buyout opportunities. Short- to medium-term positions can be leveraged, especially for firms and investors whose liquidities haven’t made like an iceberg and melted. Lockdowns have forced some startups to mutate and investments in equity to evolve while still retaining momentum.

Digital transformation by necessity

We’ve written 2 articles that try to give the best answer to how to safeguard an investment in a startup where IT is an integral part of the asset. And, more specific to investor companies, we’ll also talk about how to boost returns on startup portfolios and assets; how they can be accelerated; and how to get a leg-up in the day-to-day.

To address these topics we’ve capitalized on our intelligence analyses and on our expertise gained during years of audits and technical due diligence reports.

Before you invest, be sure to do your (technical) due diligence

Before committing, investors—companies, Venture Capitalists—first look into business models and legal trappings (patents, field of business, territory of application) before focusing on a startup’s technical and digital competencies. This means verifying the startup has the technical capacity to scale up and to hedge the investment as much as possible.

As we’ve gained experience and technical, methodological, UX, and product expertise over the years, we’ve also learned to get quick assessments during our audits and other technical DDs (Tech DD for startups) by conducting our broad spectrum interviews (from operations and management to development teams) while performing a code audit.

“Our main goal is to avoid financial commitments in companies that are at risk from a technical standpoint. To put it in IT terms, we say GO/NO GO on the investment.”

Our 360° analysis includes everything from product roadmap to IT infrastructure, without bypassing organization, development industrialization, or security (as detailed below).

This means we’re lightning fast at detecting macro trends that indicate whether an investee is or is not technically “robust” and whether their IT system is capable of scaling up.     We go into what we call “red flag mode”. As you know, a red flag is a warning signal that, in this case, tells us whether there might be something that could hinder the startup’s development down the line.

In a nutshell, doing proper due diligence means:

  • Detecting technical red flags, especially in terms of software production
  • Checking that the startup is prepared to scale up
  • Increasing value of the IT asset: “Build or Buy IT Asset”
  • Providing a substantiated opinion complete with recommendations for the startup.

An illustrated overview of technical due diligence.
-- OCTO's Due Dil Deal : Check a startup for roadworthiness before you invest --
- CEO : "Our "Startup" revolutionizes transatlantic travel thanks to the gig economy and our peer to peer blockchain dinghies. We only need 10M€ to get to the States. You in? "
- VC : ?
- The seagull : ?_
- Developers team : "But…Will it float ?"_

Our Audit Framework

We’ve split our Framework into 13 criteria that cover everything from roadmap to security, including documentation, team organization, code, and resilience.

These criteria not only overlap but are interdependent. We broach them broadly during our interviews—all but the code audit which stands alone and can be operated independently. The code audit will occasionally hinder our post-interview analyses but most often it bolsters them or provides better accuracy. The combination of both code audit and interviews ultimately means our final diagnosis is reliable, and that we can be confident in the transparency of the teams we’ve met.

While the end product of the audit process is a substantiated opinion submitted to the investor, we typically (and with the investor’s consent) also provide recommendations for the startup that was audited. These recommendations are then shared and can be included in a co-created roadmap between investor and startup.

We’re under NDA (Non Disclosure Agreement) during these audits, which means there are strict requirements around the deletion of documents and audited source code, and that contracts are rife with IP (intellectual property) protection, non-compete, and anti-poaching clauses.

And now, a detailed look at the Framework’s key themes

Roadmap

We always start by meeting the startup’s executives to hear their story: where they’ve been, why they started this company. Then we ask them where they want to go; which, in practice, means we ask to see their short- and medium-term roadmap. This step is crucial if we are to accurately gauge whether the startup is adequately sized and equipped to handle its roadmap from an organizational and technical point of view. Finally, we make sure that the startup’s technical teams are aligned with this roadmap.

HR risks, methods & organization, development standardization

Our years of technical DDs have taught us that the best startups have the most talented IT teams. They’re comprised of good organization, autonomy, and the ability to deliver quality software that is well-architected (state-of-the-art), well-mastered and in line with business objectives. These technical teams are usually also in line with the startup’s objectives and business goals. The most mature teams seem to be more humble and better equipped to adapt to a shifting environment. They also tend to be aware of the limitations of their organization and of their software (technical debt), constantly on the lookout for ways to improve them by consistently seeking out learning processes.

“High levels of technical and organizational know-how means the team will be able to resolve any difficulties as they arise.”

As we’ve said, the best startups have the most talented teams. It is therefore crucial to make sure, especially during the seed stage, that key individuals are properly incentivized (company equity, performance-based bonuses…) to keep them on for the next few years, at least.

We’ve also found that a DIY approach, and automated operational processes and software delivery are strong drivers for success that allow development teams to regularly, frequently, and safely deliver code that goes straight into production. Automated testing is part and parcel of their dev cycle and we increasingly see QA-type profiles that contribute to raising the bar for software quality.

Over the years, as we’ve gained experience and measured ourselves against some of the better teams we’ve come across, we’ve continuously improved our benchmark.

Software architecture and code, IS management

When performing a software audit, we usually combine automated (using tools) and manual (by core sampling the code) methods. Quick reminder: we’re still under NDA at this point, of course.

Software source code is audited using automated tools, like SonarQube, that provide objective quality metrics. We then have expert software developers manually review and audit the code. During the code review analysis, depending on which technologies were used, we call on software development experts that have completed OCTO’s “software craftsmanship” training framework.

Performance & scalability, resilience & recovery

To evaluate a startup’s capacity for scaling up, we start by gauging whether its IT system can follow suit and at what cost. We measure whether the architecture, the components/the platform are able to technically withstand a load increase and what cost this will have on the infrastructure down the line (cloud infrastructures and/or partner and third-party service solicitations in particular). When necessary, we see whether performance testing should be implemented and inquire on a monitoring strategy to keep close tabs on costs and performances.

In terms of architecture, we evaluate monitoring and automation practices—they should give teams the ability to quickly understand, respond, and adapt the platform should the need arise (scalability of infrastructure, on-the-fly management of services, unplugging components, absorbing peak loads, etc.).

If need be, we evaluate all performance test protocols—we especially check the thoroughness of the measurement protocol and any related upgrades. As for resilience, we make sure to look into setting up and testing a BCP (Business Continuity Plan) and/or a BRP (Business Recovery Plan). PRA/PCA

Data management and integration

Where data is concerned—beyond the usual ponderings on technical/application integrity management, hosting, or backups—we take a look at the protocols set up around GDPR and, when applicable, question their seaworthiness: conditions for accessing data, processing, cross-referencing and consent, the right to be forgotten, GDPR reference persons within the startup, or GDPR-compatible API design

Security

We don’t perform a security audit per se. We run thorough checks by evaluating management of data flows (data exchange, API security, analysis of incoming requests to detect attacks, etc.), of IS access (internet, databases, etc.), and by monitoring the obsolescence of embedded frameworks along with any relevant updates.

If necessary, we can perform a quick audit by following OWASP recommendations (using ZAP, for example) which we typically supplement with a static code scan (Checkmarx) and manual analysis (see above).

We can also call into question the security measures that are applied to employees—access to the premises, laptop encryption, use of password managers, whether a guest WIFI is available….

Conclusion

The goal for any investing company is to avoid becoming financially committed to a technically risky startup. Our audit means we can properly assess the technical sustainability and risk of the startup. Our assessment relies on our 360° due diligence framework, whose main purpose is to provide an accurate look at the startup’s technical and organizational ability to scale up, so as to provide reasonable reassurance that the investment is secure.

Doing due diligence means you can:

  • Detect technical red flags, especially in and around software production
  • Make sure the startup is prepared to scale up
  • Increase the value of the IT’asset: “Build or Buy IT Asset”
  • Provide a substantiated opinion complete with recommendations for the startup

You might have heard there’s been a pandemic. In the wake of the crisis, we put our analysis framework under internal review and made some changes. We’re now able to assess a startup’s capabilities for evolution during this time of particular turmoil, with particular focus on its ability to adapt its product, IT, or organization. This type of crisis really brings the deep-rooted elements of a company’s DNA to the fore—its culture, its executives, its employees. We keep our position as legitimate experts on “software production” and how it, and organizations in general, have been affected by Covid.

So...What now?

Once they have received investments, it befalls us to help support startups on their path to growth. The next article will focus on investing companies, and try to provide answers to issues such as: how to add value to a startup portfolio, how to add value to those assets, and how to help with acceleration and be of general assistance day-to-day.