How do you map out and research the IT estate of an acquisition target?

strategy clinic Our panel of experts offers advice on IT management dilemmas The issue Mapping out the integration of two IT estates for a merger due diligence report The question Our company is researching a major acquisition. As part of due diligence, I have been asked to investigate the target company's IT to find out how compliant they are, and also to determine the cost of integrating their IT organisation with ours. How would you recommend I map out and execute this project?

Communicating with key managers will be crucial

Giles Watkins, partner, technology security & risk services, Ernst & Young

Limited access will mean your task is best approached through interviews with key IT management, led by experienced senior managers.

Mapping future business requirements against existing systems and capabilities in both firms will facilitate the development of a pragmatic integration plan that leverages the best of both organisations.

A level of independence in the team will help facilitate the taking of difficult decisions in a timely manner.

Integration planning and costing should be as holistic as possible, considering key components of IT infrastructure (applications, hardware and networks), the IT organisation (eg, people, service delivery model, key suppliers and contracts) and IT investments (eg, key projects, discretionary and committed spend).

It is vital to work with other business functions to co-develop integration plans, ensuring alignment with the business strategy. The potential for IT to either enable or undermine the realisation of the anticipated value and timing of business synergies should not be underestimated.

Systems "compliance" requirements will need to be clearly defined with reference to external regulatory requirements (eg, Sarbanes-Oxley, privacy legislation) and internal policies and procedures.

The targets approach to IT governance and risk assessment and management processes should form part of the due diligence scope. Results of recent internal or third-party reviews and related outstanding issues should also be considered.

Get a hold on integration costs and future direction

Sharm Manwani, head of information management, Henley Management College

This is a high profile task and you should be congratulated that you have been consulted at the due diligence stage. There are many aspects to an acquisition programme and I will share some thoughts from my experience of different organisations.

The simplest situation is likely to be where you do not retain the systems of the acquired company, but take on the customers and products into your own systems. In that case, the migration costs should be lower and you can provide central services with some local support.

Of course, this depends on the approach that your organisation is taking. It may prefer to retain the company as an individual entity.

If both entities remain then there are likely to be opportunities to reduce costs through a degree of standardisation. If there is compatible hardware, you may be able to provide shared services and negotiate with suppliers as a larger company.

You will be fortunate if the application software is compatible and it could be expensive to achieve full integration. It will be important to calculate a total cost of ownership and assess the payback.

While these are difficult questions, they are at least in the IT domain. I recommend you also start the debate on what is the planned business model for the combined organisation. This can considerably change the target IT environment and organisation.

There are enough complexities in this area to seek advice - perhaps from a fellow IT director who has been through these changes.

Examine five key strands of the target company

Joe Peppard, director of the information systems research centre, Cranfield School of Management

You are lucky! CIOs are often asked to get involved in the due diligence process only after the deal has been done and dusted. And then the CIO is charged with sorting out the issues with the acquired company's IT infrastructure, applications, data and contracts surface. And in quick time!

I would suggest that you initiate five strands of work. The first should be an audit of the technology itself. This should essentially determine the age and condition of the technology platform. If the supply is outsourced to third parties, or a portion of it is, you will have to review contracts and understand what services have been contracted for and any agreed service levels.

There can be significant penalty clauses associated with being taken over that you, as the acquiring company, may have to pay to either transfer or terminate the contract.

The second strand should assess the company's application portfolio. What contribution are current investments making to the achievement of their strategy? Key operational and support applications can probably be migrated to your company's platform. Those providing competitive advantage should be examined for possible execution in the newly merged company.

The third strand should review how enterprise information is protected. Is the organisation ISO 17799 compliant? If the target company operates in global markets, examine compliance with local and international data protection legislation. Are there industry-specific regulations that must be complied with? And of course a review of adherence to Sarbanes-Oxley legislation should also be undertaken.

The fourth strand should look at the IT organisation itself. What are the skill sets? To what extent have they implemented initiatives such as Cobit, IS 20000 or the IT Infrastructure Library? I would also suggest that you speak to business colleagues to get a view of what they think of the IT organisation and its contribution.

The fifth strand is a review of business processes, as these will determine the extent to which you can achieve commonality of IT applications in the longer term.

Only when a complete picture has been built up can scenarios for integration be developed, risks assessed and costs calculated.

Your strategy depends on the business objectives

Roger Rawlinson, director of consultancy, NCC Group

You will need to determine whether the objective for IT integration is to add value or reduce cost. There are a number of strategies you could adopt:

● Stand alone: leaving both organisations to continue on their existing systems. This is potentially the easiest, but does not reduce cost or increase value.

● Absorption: one organisation's systems expand and absorbs the other organisation's. This is the most cost-effective, but does not take advantage of the potential to add value.

● All new: a single system is developed to replace existing systems. Maximum value can be added, but this is not the most cost-effective.

● Best of breed: pick and mix the best components from each side. This scenario considers both cost reduction and value.

You now need to assess both organisations to assess their ability to achieve the strategic vision. Areas that you need to review include applications and systems, network and communications, projects and application development, business continuity and disaster recovery, service and support (including third-party contracts).

You need to evaluate and compare these areas to plan and cost a transition plan. The plan needs to consider short-term tactical logistics, and medium to long-term ambitions.

Involve target company in your planning process

Ben Booth, global chief technology officer, Ipsos

I am assuming that the process has reached the stage where the two businesses are in contact.

Normally in a situation such as this, a small number of staff in the target company will be aware of the impending deal, subject to a confidentiality agreement. Their CIO should be one of this group, and if not you should ask that they be included, so that you can speak to them directly.

By way of background there will normally be an inventory of what is to be included in the deal, in terms of hardware and software licences, and a list of staff. There may also be audit reports from your professional advisers. You should absorb all these and then arrange to meet the CIO off-site.

Your aim is to get an overview of what their IT is like, including synergies, areas of risk, and areas where you will need to invest to integrate the acquisition.

If possible, and this may be difficult, you should also arrange to see their main datacentres and other facilities - you can learn a lot from looking at whether these are in good order.

Get a handle on legal and regulatory compliance

Chris Potts, director, Dominic Barrow

Be specific about what types and levels of "compliance" are essential in your company's merger and acquisition decision.

In particular, consider questions of legal and regulatory compliance separately to those relating to compliance with your company's standards for IT architecture.

You will need to provide whoever is leading the merger and acquisition initiative with specific statements of how compliant you consider the target company's systems to be, the business risks your company would be exposed to and the likely costs of mitigating those risks to a residual level you or your company is comfortable with.

To assess the impact of integrating the two IT organisations, break the target company's IT organisation down into the same activities that your own IT people perform, merge the two sets of numbers on paper and see what happens.

Beyond simply accounting for the costs of integrating the acquired company's IT people, you should be able say how best to organise the company's IT people post-acquisition, and offer new economies of scale and synergies as a result.

You should also do the same for the target company's projects that involve IT investment, and its IT suppliers, neither of which you mention in your question.

Read more on IT legislation and regulation