Investment decisions can be attributed to a broad array of objectives, but unleashing scalable and efficient growth can be one of the most significant ways to optimize the investment. One way to accomplish this is via a buy-and build model, which combines add-on acquisitions with organic growth, but to create a consolidated business. What are the hallmarks of a successful buy-and-build strategy? For starters, a well-developed platform vision, strong management team, and a sound infrastructure.
What’s part of a sound infrastructure? An integrated IT and cybersecurity strategy that aligns with the strategic vision of the investment. While people in your organization might differ on prioritizing your IT and cybersecurity roadmap, the fact is, it’s crucial for your success. Your business depends on it — especially when you could potentially face failures related to a disjointed million-dollar or multimillion-dollar investment. A successful IT and cybersecurity strategic plan ensures you can respond to change, enables you to provide optimum services across your enterprise, as well as protects your assets, data, reputation, and staff. Do you know where to begin?
When you’re considering building out a platform, we recommend a straightforward process that begins with defining your strategies — both the platform growth strategy as well as your IT/cyber strategy. Next, understand the critical IT and cybersecurity elements related to platform investing. Finally, you’ll want to implement an IT and cybersecurity risk mitigation strategy. Let’s take a closer look at those processes and how they’ll work within your investment.
Define your strategies
Undoubtedly, your vision for your company includes growth, but before any vision can be achieved, there must be a plan. The strategy is that critical foundation that helps determine how you want to achieve scalable growth (through revenue, profit, market share, etc.) while identifying ways to optimize resources and manage cost. An effective vision will roadmap how you intend to get from where you are today to where you want to be in six months, one year, and five years when you prepare to realize the investment.
Platform growth strategy
Set the platform growth strategy before focusing on the IT and cybersecurity aspects. Typically, we see two forms of growth from a platform investment. There’s organic growth, such as building out your existing sales base, and then there’s planned growth through add-on acquisitions.
Determine the particular add-ons and your intended direction. Where will these add-ons be? Will you be expanding nationally with offices in three different time zones? Are you building a wider product/service offering or acquiring competitors for greater market share? Will your growth come from vertical add-ons? For example, if you bought a distributor and started building a platform there, but you eventually want to buy into the manufacturing supply chain, that choice will impact the IT/cyber tools required to support your broader, long-term needs. Each of these approaches can significantly impact how to deploy resources for the platform.
Another consideration is human capital. If you’re adding on multiple units, you might be centralizing the accounting department and your management office but not sales or customer service. Some changes will call for multisite platforms whereas others won’t.
IT/cybersecurity strategy
After you start mapping out your growth plan, the next step is identifying the gaps. In order to support the platform, you need an overarching IT and cybersecurity strategy. Consider these key components:
- Define the program. If it’s not formally defined and well-documented, you won’t be able to repeat it. Your business and IT objectives need to be aligned as well as your appetite for cyber risks and business risks.
- Structure leadership and PMO. You need buy-in from the leadership team in order to effect change. Identify where you may not have specific skill sets so that you can leverage third parties to build those skill sets. Even if your needs don’t warrant a full-time C-level position over cybersecurity, there’s still a need for some portion of cybersecurity management. A third-party service can support that. Also, remember that not only is the project management office valuable in driving change, it often helps your organization adhere to your defined strategy.
- Centralize business applications. You’ll want to “share” centralized applications, such as ERP and HRIS. Keep in mind that the cost of integrating disparate systems can far exceed the cost of a new, central platform.
- Governance. Determine how you’re going to manage this process and, more importantly, how you’re going to measure it. Can your current structure support add-ons? Your current governance structure might be adequate for a $40 million individual portfolio company but not when adding on multiple units.
- Perform infrastructure and cybersecurity gap analysis. Define the initial set of formal controls, assess the organization, both the platform and the add-ons, and document gaps in adherence to those controls. In a perfect world, that gap assessment would be done at due diligence, providing you with a good understanding of any cost issues that may be associated with bringing that add-on in.
- Formalize IT/cyber policies and procedures. The controls are one thing, but policies and procedures are key when bringing in an add-on organization. It’s important to provide them with documentation to help streamline the assimilation. Whereas a policy can be something high-level with encrypted sensitive data, a procedure goes deeper, describing the how and the necessary tools.
- Develop a detailed assimilation plan. Simplify the assimilation process for new acquisitions. This will shorten a lot of gaps associated with bringing on the new entity(ies).
- Seek counsel. While your current business resources might be capable of reviewing these recommendations, applying and deploying them in a meaningful way typically require the expertise and experience of outside resources.
IT and cybersecurity considerations
Now, that your strategy is set, the next step is to look at IT and cybersecurity aspects. These are, in fact, two distinct areas with their own challenges and solutions. Let’s first address the IT considerations when building out a new platform:
- Current tools and resources. When moving down this path, consider what your existing tools can support. It’s pretty rare that a business is actually built to scale for moving to multiple locations from a single site environment. If you plan to acquire up or down the supply chain, that will also typically constrain your current resources.
- Future people and tools. Leaders often hire staff or purchase tools based on the business as it stands today when they need to be looking at the future. For example, if you’re working with a $30 million company where the expectation is $800 million through a couple of add-ons and organic growth, then take that into consideration when planning investments and executing on technology selections. Most likely, that type of large-scale growth would happen in stages. Balance hope for the future with pragmatism.
- Cloud technology. How does your IT strategy fit into the business strategy? If you plan on experiencing significant growth, there will be peaks and valleys along the way. Adopting elasticity, or elastic IT, will help you leverage cloud tools. Elastic IT allows for your assets and your services to expand and contract in tandem with the business as it grows and acquires add-ons. Other considerations with the cloud include working in different time zones, the location of your headquarters regarding potential network disruptions, and if the add-on uses an on-premise solution, which could present integration challenges.
Now, let’s address cybersecurity. After all, it’s not if you’ll experience a security breach but when. Therefore, it’s vital for the acquirer to conduct cyber due diligence to fully understand both the value of the information assets it’s looking to acquire (for example, intellectual property) and the level of cyberthreats and vulnerability facing the target add-on. However, cyber resilience isn’t simply preventing the loss of data but rather continuing to operate in the event of a cyberattack. Remember, a cyber event that doesn’t result in data loss can still cripple the ability of the business to operate. Here are a few other cybersecurity considerations:
- Regulatory compliance. What new challenges might the add-on bring to the platform? Consider privacy, regulatory, and compliance issues. Will you face FDA or SEC requirements? What about HIPAA? Must you adhere with the EU’s new GDPR? Ignoring compliance requirements of the data you’re responsible for can be a critical and costly misstep.
- Fraud/insider threats. Integrations carry a host of challenges, including disgruntled employees. It’s key to protect against internal threats especially when those disgruntled employees have access to sensitive information, thereby exposing the entire organization to additional security risks.
- Potential devaluations. Due diligence means identifying the type of data you have (e.g., employee data, intellectual property, or personal health information). The more sensitive the data, the greater need for expanded due diligence. We’ve seen devaluation events occur because of immature cyber programs and cyber risks, such as noncompliance with the GDPR. This is especially true with healthcare service organizations as well as high-tech software companies that handle significant amounts of intellectual property.
Mitigate risk
You’ve set your strategies and are aware of key IT and cyber considerations. How do you, then, manage risk within your platform? While you should solicit an external firm for help, there are proactive steps you can take internally to support the development of a security plan.
- Build a strong team. Funnel key people from the organization who understand the strategy and are on board with the direction the platform is going. Let them be dedicated to the assimilation effort. Additionally, when you can rely on internal staff who understand your culture and your people, they’ll be particularly adept at driving change in an effective way. Also, determine who owns the assimilation. How will they achieve buy-in? Who will manage it? You need to have the right people and processes in place.
- Forego cookie-cutter approaches. If you take someone else’s strategy and try to adapt it to your people or your processes, you’ll be limited. Decide your own approach and how your people and technology can make that succeed. The add-ons won’t assimilate themselves. The platform has to provide the vision, the leadership, and the guidance for your assimilation to be successful.
- Invest upfront. You could have a cost discussion around ROI for everything. However, the investment upfront will help, especially if you’re integrating less mature platforms. The goal is to avoid a reduced value when the firm begins its exit strategy. Too often we see businesses that purchase consumer grade solutions to manage enterprise security issues. That approach is akin to using a Ford Tempo for mass transit.
Finally, how do you quantify the payback?
Building a strong platform is a complicated — and, often, costly — process. It’s natural to wonder, is it worth it? You’ll likely bring on more staff and spend more on technology investments, and that makes the calculation of ROI a bit murky. Look at it this way: How have you obtained value from IT? Have IT and cybersecurity platforms enabled you to increase the scalability at which you can grow the business? That’s the goal. Hopefully, your investments have given you a foundation with scalable growth capabilities.