© 2014 Deloitte Fiduciaire 1

The  value  of  your  ‘so/ware  and  IT’-­‐  quality  :    what  about  the  investor's  point  of  view?  

Geert  Janssen,  Managing  Partner  ENTRUST-­‐IT  29-­‐04-­‐2015  

L'Interface  vous  donne  rendez-­‐vous  chaque  mois  au  LIEGE  science  park,  pour  faire  le  point,    avec  un  conseiller  en  innova=on,  sur  une  mesure  en  lien  avec  vos  préoccupa=ons.    

Une  ini&a&ve  de

The value of your ‘software and IT’-quality: what about the investor’s point of view

Geert Janssen

29/4/2016

29/04/16

2

Today’s question: what about the quality of your software and your IT organization?

29/04/16

3

Does it affect the value of your

company/investment?

Should you worry about it?

We will cover the following aspects ...

!   the need for a consistent approach and tooling to assess the maturity of the company from an IT perspective

!   the added value of quality assurance throughout the investment lifecycle

!   IT risk assurance dimensions and approach

!   expressing risk responses in terms of IT objectives

!   the use of software quality assurance in practice (examples).

29/04/16

4

WHO ARE WE? A Quick Introduction

29/04/16

5

My background

29/04/16

6

[founder & managing partner]

[partner]

[senior manager]

[associate partner]

[Master Applied Economics]

‘95 ‘95 ‘07 ‘08 ‘10

29/04/16

7

Strategy & Innovation

IT & Project Management

Governance, Risk & Quality Assurance

•  CIO-As-A-Service (IT Management)

•  PQA-As-A-Service (Project Management)

•  Advisory Services (Transformation Planning) (Business Model Design) (Value Proposition Design) (Capability Modeling) (Package Selection)

•  IT Risk & Assurance Services (Quick Scan / Due Diligence) (Capabilty Maturity Assessment) (Software Quality Audit) (Usabilty reviews)

•  PQA-As-A-Service (Solution & Delivery Excellence)

IT-driven Business Transformation

THE NEED FOR A CONSISTENT APPROACH AND TOOLING TO ASSESS THE MATURITY OF THE COMPANY FROM AN IT PERSPECTIVE

Why should I worry?

29/04/16

8

The Problem – Technical Debt

29/04/16

9

The Solution – Holistic Approach

29/04/16

10

Industry benchmarks / Roadmap reviews

Landscape analysis

Function Point / Feature Analysis

Maturity Assessments

Application Audits

Skill Assessments

QUALITY ASSURANCE THROUGHOUT THE INVESTMENT LIFECYCLE

A continuous exercise

29/04/16

11

IT Risk & Assurance - Approach

12

What price should we pay? > focus: value for money

Should we invest? > focus: value assessment, risk mitigation

Assure IT is managed well! > focus: continuous improvement / quality control, value augmentation

Provide transparancy! > focus: safeguard value

Similar process across the investment lifecycle however focus differs!

Dealflow phase (1) IT Quick Scan

Due Diligence phase (2) IT Due Diligence

Nurturing phase (3) IT Risk Assessments

Divestment (Exit) phase (4) IT Vendor Due Diligence

IT Risk & Assurance – 4-Step Process

Scoping Preparation & Identification

Research & Analysis

Report &

Remedy

29/04/16

13

-  Lifecycle status -  Investor focus

-  Assess IT Resources & gather evidence

-  Perform a scenario analysis

-  Assess IT Control Areas

-  Generate health factors

-  Identify threats / risks

-  Analyze frequency & impact in terms of Risk Appetite/Tolerance

-  Analyze technical metrics

-  Express Risk Responses in terms of IT Objectives (business terms)

-  Define remediation plan

IT RISK ASSURANCE DIMENSIONS

What should we be looking at?

29/04/16

14

IT Risk & Assurance - Dimensions

29 avril 2016

15

Value

Maturity

Risk

•  Balance IT risks versus risk tolerance (continuity,

compliance, …)

•  Value to the Company •  Technical Debt

•  Organization •  Process •  Product

•  Which risks are acceptable?

•  To what extend does IT contribute to the overall

business objectives? •  What hidden costs are

present?

•  Where are we today and where should

we be?

EXPRESSING RISK RESPONSES IN TERMS OF IT OBJECTIVES

How to communicate?

29/04/16

16

IT Resources

29 avril 2016

17

Strategy

Organization

Processes

Applications

Data

Infrastructure

Strategy

Organization

Processes

Applications

Data

Infrastructure

IT Resources vs IT Objectives (4 A’s)

29 avril 2016

18

Agi

lity

Acc

urac

y

Acc

ess

Ava

ilabi

lity

Strategy

Organization

Processes

Applications

Data

Infrastructure

IT Resources vs IT Objectives (4 A’s)

29 avril 2016

19

Acc

urac

y A

vaila

bilit

y A

gilit

y Possess the capability to change with managed cost

and speed

Strategy

Organization

Processes

Applications

Data

Infrastructure

IT Resources vs IT Objectives (4 A’s)

29 avril 2016

20

Agi

lity

Acc

urac

y A

vaila

bilit

y A

ccur

acy

Provide correct, timely and complete information that meets the requirements of management, staff, customers, suppliers and regulators.

Strategy

Organization

Processes

Applications

Data

Infrastructure

IT Resources vs IT Objectives (4 A’s)

29 avril 2016

21

Agi

lity

Acc

urac

y

Ava

ilabi

lity

Acc

ess

Ensure appropriate access to data and systems, so that the right people have the access they need and the wrong people do not.

Strategy

Organization

Processes

Applications

Data

Infrastructure

IT Resources vs IT Objectives (4 A’s)

29 avril 2016

22

Ava

ilabi

lity

Ava

ilabi

lity Keep the systems

(and their business processes) running, and recover from interruptions

Agi

lity

Acc

urac

y

Acc

ess

THE USE OF SOFTWARE QUALITY ASSURANCE IN PRACTICE

Examples

29/04/16

23

Software Quality Audit Process

29/04/16

24

!   We follow a 4-step process.

!   Continuous improvement is key.

!   A typical exercise requires between 5 and 10 man days of work.

!   Maximum 2 à 3 iterations per year, mostly only 1 per year!

Opening IT assurance discussions

29/04/16

25

!   Developers –  Most developers have limited

ideas on the quality of their code. –  Hence, a typical eye-opener.

!   Management –  Easy to interpret quality

dashboard, also for IT illiterate resources.

–  Sound basis for enabling discussions on the value of IT assurance, which are typically neglected as focus is on creating marketshare.

Linking payment milestones to improvements

29/04/16

26

!   A basis for the investment manager to manage the investment based on facts & figures.

!   A means to agree upon improvement actions and potentially linking those to payment milestones.

Mitigating Investment Risk

29/04/16

27

!   One should typically run the application audit on a dedicated machine forcing the development team to handover all required source code items (dll’s, certificates, …).

!   In most cases compilation is an issue in terms of missing components, hardcoding, …

!   In one case it took us 2 weeks to get the platform compiled correctly!

Assuring minimum level of documentation

29/04/16

28

!   Code documentation is important as change of ownership during startup years is likely to happen more often than within mature/stable environments.

!   Additionally, lack of documentation ‘outside’ the code (e.g. functional design) is typically higher in startups than in more mature organizations.

Assuring minimum level of documentation

29/04/16

29

!   Our focus on improving code documentation is especially important for the complex (McCabe Cyclomatic Complexity) code areas.

Identifying organization weaknesses

29/04/16

30

!   Code audits often identify weaknesses in the organization.

!   As a consequence we agree with the organization to focus on improving their weaknesses through hiring/training.

Assuring continuous improvement

29/04/16

31

!   Health factor ‘scores’ as such are relative and often result in discussions.

!   More important is to agree upon continued positive evolution and link commitment of continued evolution into a contractual agreement.

!

Being transparent is key

29/04/16

32

!   Having ‘red’ scores is not a shame.

!   Knowing where to focus on and having insight into areas for improvement is more important.

!   Being transparent on weak spots during exit discussions is more important than not knowing where you stand.

!

=> Any weak spot identified during due diligence will jeopardize your negotiation position.

A trigger for re-engineering !   Assessing application quality – as opposed to code quality only –

allows to discover a potential ‘spaghetti’ architecture.

!   Resulting in revising the entire architecture and identifying modules / components for renewal.

29/04/16

33

Agreeing upon corrective actions !   Added value of having end-to-end view in limited

time compared to manual audits.

!   Limited involvement required from development team.

!   Final presentation to present / discuss the results during a half / one day workshop.

!   Goal is to confirm / agree upon corrective actions.

29/04/16

34

IS SOFTWARE AND IT QUALITY IMPORTANT FOR AN INVESTOR?

In Synopsis

29/04/16

35

... Yes, it is! !   If you don’t measure you don’t know

!   One reaps what one sows

!   Moving in the right direction as of day 1 is key

!   A means to professionalize the organization

!   ‘Conditio sine qua non’ during exit discussions

29/04/16

36

How  to  contact  us?  

-­‐  for  discussion  purposes  only  -­‐   37  

www.entrust-­‐it.be  

info@entrust-­‐it.be  

+32  2  50  30  620  

entrust-­‐it  CVBA  Keizerinlaan  66  1000  Brussels  Belgium    

29/04/16