Technology risk
Not just the software: the business
strategy must be robust too
Following the strategy review comes a technology review. In the case of a software-driven enterprise, the focus is typically on the ability of both the software and the development team to deliver on the product roadmap in line with the investor’s timelines. There will be a detailed review of the software architecture, code quality, software engineering quality, scalability, and robustness.
If the company is a software start-up, an expected pre-requisite is that software development leverages open source software. There may well be valid reasons why a start-up would use open source software but, in the due diligence of a deal flow, the start-up will need a clear and strong justification as to why open source software has not been used.
The reality is that many young companies do not understand the value of intellectual property and risks that can be engineered into software applications. The types of risks that investors will look for are:
- Software architecture, scalability, and extensibility
- Exposure to third-party platforms
- IP value: an objective view of the software’s unique value in the market
- IP and patent evaluation – are there any patent infringements?
- Third party dependencies
To identify these technology risks, typically a third party specialist will be contracted to perform a source code review. This review can be initiated by the technology organisation before seeking investment, by the VC or private equity organisation as part of the due diligence process, or both. If the organisation goes into a funding exercise without visibility of the quality of their code and associated risks, there is a good chance that investors will view the investment as risky, regardless of the functionality of the technology in question
- Open source software risk exposure
Why due diligence should include an independent source code review
Apart from identifying current issues in the source code, such as licensing irregularities, problematic intellectual property, or potential security vulnerabilities in software components, which typically can be remedied, reviewing the source code can identify inefficiencies and flaws in the development process. It can also identify the need to have a proper code inspection process during the development cycle, thus eliminating problems before they arise.
It may be appropriate to create an open source software adoption process with proper tooling, which can help lower compliance costs, not to mention minimising disruptions during key transactions. Similar to bugs in software, it is far more efficient and cost-effective to catch issues early.
Before discussing source code reviews it is important we are clear what we mean by “source code.”
What is source code?
Source code is a set of programming language statements and commands a software developer creates that becomes part, or all, of the applications that use website or device runs. There are a plethora of languages used by developers such as C, C++, C#, Java, or scripting languages such as JavaScript, PERL, Python, or PHP. The source code is compiled into an executable which the target device will execute.
What is a code review or audit?
A code review or audit should be performed by an independent third party specialist. VC and private equity firms are unlikely to have these skills in-house. A software company seeking investment is however likely to have somebody in-house with the skills needed to perform the review – but that person may not be able to produce a reliable and objective report.
Why is a code review imperative?
Developers today rarely code a complete application from scratch. Applications are made up of components of code from a variety of sources which are stitched together to create the finished application. This makes for dynamic and agile development, but with it comes a number of inherent risks. Each component will have a number of attributes, such as how it is licensed and its version.
Outside of the function of the application(s), investors need to have details of the make-up and provenance of the code components in the following areas:
- Intellectual property and licensing
- Security of the software
- How the software be maintained and supported
- The capabilities and maturity of the components being used
- Ability to integrate with other applications
- Quality of the components that make up the application
- Innovation – if the application be evolved over time
Fundamentally, the review boils down to assessing the overall quality and consistency of the code. The source code is an indicator of the quality of the organisation seeking investment. Software development is a creative exercise and developers should be allowed to express their personal style and approach, but in line with the organisation’s standards which all developers should follow.
- Viability of the open source community around the components being used
The code audit process
First, a non-disclosure agreement (NDA) must be in place between the reviewer and the organisation. Once the NDA is in place, the reviewer will question key stakeholders in the organisations to ensure there is a clear understanding of the reasoning behind the audit and the organisation’s environment, such as the size of the portfolio, languages, and tools in use particularly any automatic code generators. A Statement of Work is then produced and agreed upon. This includes:
- A breakdown of the software portfolio into audit segments
- Full automated source code scanning, analysis, and reporting
- Resolve copyrights, standard headers, and author tags discovered in the portfolio
- Analyse, verify modules, and issue regular audit progress reports
- Quality review and sign off of licensing and copyright attributes of every software file in the software portfolio
- Delivery of audit report(s), review of the reports.
 |
| If only ... |
What should be included in the due diligence process?
The rapid pace of innovation in the technology sector attracts both venture capital (VC) and private equity investment into UK companies, with the bulk of investment in London-based organisations. The first quarter of 2015 saw London technology smash previous funding records. The amount raised by London companies comprises 80% of all UK companies with a value of $856.7m.With the technology sector being so buoyant, investors are inundated with deal flow, which influences the way investors exercise risk assessments. Early stage investors would review a few good companies each week. With such a competitive landscape, the challenge for technology entrepreneurs is getting the attention of investors. Key to this is clearly presenting the company’s strategy. A solid business plan is important but, if the overall strategy is weak, investment is unlikely to result.
Risk versus reward
VCs are cautious with their investment money with good reason. Generally, they take enormous risks on untested ventures which they hope will eventually transform into the next big thing. With mature organisations, the process of establishing value and the prospect of a sound investment is reasonably straightforward, as there is a track record of sales, profits and cash flow with early stage ventures, VCs will delve deeper into the business, the opportunity, and the underlying technology behind the business.
Key considerations by late round investors include
- Management: who is the team behind the organisation and what is its track record?
- Size of market: demonstrating the target market opportunity which will indicate the returns investors might expect from any investment.
- Product quality: investors want to invest in a great product with a competitive edge that is long-lasting and sustainable.
- Current revenue status of the early stage company.
- Generation of actual and pipeline sales prior to any investment.
- The risks: VCs take on risk; their skill as investors is understanding all risks and making fully informed decisions for a successful outcome.
The entrepreneur needs to understand that not all money is the same and not all funding sources are equal. The entrepreneur must carefully consider the implications which may follow from the investor and other requirements of various financing sources. Some examples:
- Require board member status for investors.
- Require the employment of advisors.
- Require the creation of an advisory board.
- Investor invests and observes, but does not play an active role.
Business risk
The business risk investors look at will depend on whether it is an early stage investment or a late round investment.
The skill of early stage investment funds is being able to identify the potential of a technology even if the product (today) is not right or needs significant evolution to become successful. This way allows an early stage investor to maximise its return while minimising its initial investment.
Outside of the technology, early stage investors will view the current revenue status of the early stage company to decide which investment fund(s), if any, the company would fit into.
Late round investors would, by nature of the investment, seek clarity in the company’s business plan, which would include:
In response to Aritra’s Chaterjee’s excellent guest post on the use of intangible assets as loan collateral, I would like to add the following U.S. perspective.
Those of us that have been looking at IP collateralisation over the past several years recognize that valuation challenges are at the heart of the “problem". However, it is of critical importance to recognize that the valuation uncertainty varies considerably with the type of IP under consideration. More specifically, the risk profile impacting liquidation value uncertainty in the event of default differs materially depending on the type of IP involved. Most of the IP-backed finance that occurred from 1995 to 2005 involved “brands" (trademark IP) and “content” such as music and film (copyright IP) which carry much less legal risk — in terms of validity, scope of rights, and infringement — than do patents. This is even more true today in light of
What patents are all about?
(1) the recent U.S. Supreme Court patent-related decisions (e.g., Alice, Nautilus, Octane);
(2) the new America Invents Act-based administrative procedures for challenging the validity of issued patents in the USPTO;
(3) the practical unavailability of injunctive relief for patent infringement after eBay; and
(4) the rapidly changing Federal Circuit and District Court case law affecting the calculation of reasonable royalty damages for patent infringement, the net effect of which is to lower the expected return from enforcing patent rights in court.Thanks, Ron!
Bottom line: in this area as in others, one should be careful in talking about “IP” as if it were a homogeneous class of rights.
A recent press release from the parent company of Cambridge nanotech company Owlstone serves as a useful reminder to IP managers that IP risks represent only a fraction of the risks facing the IP-dependent technology business. The footer to the press release reads:
The November 2008 issue of Patent World, published ten times a year by Informa, features a piece entitled "Keeping Costs Low: how to hedge the risk of expensive litigation" by James Delany. James is a director of specialist brokers TheJudge, described in the journal as the largest independent litigation risk transfer broker in the UK. After reviewing the concepts of after-the-event insurance (now usually referred to as "ATE") and third party funding ("TPF") his article concludes: "If a client has a good case there is a good chance that client can offset anywhere from 50-100% of the cost risk, typically at no upfront cost and at no cost if the case loses. Once that's the accepted principle an exploration of what is potentially available for that particular client can be made, taking into account the client's financial position and their appetite to take risk".
I'd very much like to receive comments from readers who have direct experience of ATE or TPF -- and I'd also like to know what happens when, in terms of risk assessment, the dispute coming up for litigation is a real 50-50% call. Do let me know, by posting a comment below or emailing me here.
