With his experience of business developer and capital risker, specialized in IT, Geert Janssen introduces the investor's point of view, to evaluate the quality of a company from an IT perspective throughout the investment life cycle. Une conférence organisée par l'Interface Entreprises-Université de Liège, le 29 avril 2016. Invité : ENTRUST IT

1. © 2014 Deloitte Fiduciaire1
The
value
of
your
‘so/ware
and
IT’-­‐
quality
:
what
about
the
investor's
point
of
view?
Geert
Janssen,
Managing
Partner
ENTRUST-­‐IT
29-­‐04-­‐2015
L'Interface vous donne rendez-­‐vous chaque mois au LIEGE science park, pour faire le point,
avec un conseiller en innova=on, sur une mesure en lien avec vos préoccupa=ons.
Une ini&a&ve de

2. The value of your ‘software and IT’-quality:
what about the investor’s point of view
Geert Janssen
29/4/2016
29/04/16
2

3. Today’s question: what about the quality of
your software and your IT organization?
29/04/16
3
Does it affect the
value of your
company/
investment?
Should you worry
about it?

4. We will cover the following aspects ...
! the need for a consistent approach and tooling to assess the
maturity of the company from an IT perspective
! the added value of quality assurance throughout the investment
lifecycle
! IT risk assurance dimensions and approach
! expressing risk responses in terms of IT objectives
! the use of software quality assurance in practice (examples).
29/04/16
4

5. WHO ARE WE?
A Quick Introduction
29/04/16
5

6. My background
29/04/16
6
[founder & managing partner]
[partner]
[senior manager]
[associate partner]
[Master Applied Economics]
‘95 ‘95 ‘07 ‘08 ‘10

7. 29/04/16
7
Strategy &
Innovation
IT & Project
Management
Governance, Risk &
Quality Assurance
• CIO-As-A-Service
(IT Management)
• PQA-As-A-Service
(Project Management)
• Advisory Services
(Transformation Planning)
(Business Model Design)
(Value Proposition Design)
(Capability Modeling)
(Package Selection)
• IT Risk & Assurance Services
(Quick Scan / Due Diligence)
(Capabilty Maturity Assessment)
(Software Quality Audit)
(Usabilty reviews)
• PQA-As-A-Service
(Solution & Delivery Excellence)
IT-driven Business Transformation

8. THE NEED FOR A CONSISTENT
APPROACH AND TOOLING TO
ASSESS THE MATURITY OF THE
COMPANY FROM AN IT PERSPECTIVE
Why should I worry?
29/04/16
8

9. The Problem – Technical Debt
29/04/16
9

10. The Solution – Holistic Approach
29/04/16
10
Industry benchmarks /
Roadmap reviews
Landscape analysis
Function Point / Feature
Analysis
Maturity
Assessments
Application Audits
Skill
Assessments

11. QUALITY ASSURANCE THROUGHOUT
THE INVESTMENT LIFECYCLE
A continuous exercise
29/04/16
11

12. IT Risk & Assurance - Approach
12
What price should we pay? > focus: value for money
Should we invest? > focus: value assessment, risk mitigation
Assure IT is managed well! > focus: continuous
improvement / quality control, value augmentation
Provide transparancy!
> focus: safeguard value
Similar process across the investment
lifecycle however focus differs!
Dealflow phase
(1) IT Quick Scan
Due Diligence phase
(2) IT Due Diligence
Nurturing phase
(3) IT Risk Assessments
Divestment (Exit) phase
(4) IT Vendor Due Diligence

13. IT Risk & Assurance – 4-Step Process
Scoping
Preparation &
Identification
Research &
Analysis
Report
&
Remedy
29/04/16
13
- Lifecycle status
- Investor focus
- Assess IT Resources
& gather evidence
- Perform a scenario
analysis
- Assess IT Control
Areas
- Generate health
factors
- Identify threats / risks
- Analyze frequency &
impact in terms of Risk
Appetite/Tolerance
- Analyze technical
metrics
- Express Risk
Responses in terms of
IT Objectives
(business terms)
- Define remediation
plan

14. IT RISK ASSURANCE
DIMENSIONS
What should we be looking at?
29/04/16
14

15. IT Risk & Assurance - Dimensions
29 avril 2016
15
Value
Maturity
Risk
• Balance IT risks versus
risk tolerance (continuity,
compliance, …)
• Value to the Company
• Technical Debt
• Organization
• Process
• Product
• Which risks are
acceptable?
• To what extend does IT
contribute to the overall
business objectives?
• What hidden costs are
present?
• Where are we today
and where should
we be?

16. EXPRESSING RISK RESPONSES
IN TERMS OF IT OBJECTIVES
How to communicate?
29/04/16
16

17. IT Resources
29 avril 2016
17
Strategy
Organization
Processes
Applications
Data
Infrastructure

18. Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
29 avril 2016
18
Agility
Accuracy
Access
Availability

19. Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
29 avril 2016
19
AccuracyAvailabilityAgility Possess the
capability to change
with managed cost
and speed

20. Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
29 avril 2016
20
Agility
AccuracyAvailabilityAccuracy
Provide correct,
timely and complete
information that
meets the
requirements of
management, staff,
customers, suppliers
and regulators.

21. Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
29 avril 2016
21
Agility
Accuracy
AvailabilityAccess
Ensure appropriate
access to data and
systems, so that the
right people have
the access they
need and the wrong
people do not.

22. Strategy
Organization
Processes
Applications
Data
Infrastructure
IT Resources vs IT Objectives (4 A’s)
29 avril 2016
22
AvailabilityAvailability
Keep the systems
(and their business
processes) running,
and recover from
interruptions
Agility
Accuracy
Access

23. THE USE OF SOFTWARE QUALITY
ASSURANCE IN PRACTICE
Examples
29/04/16
23

24. Software Quality Audit Process
29/04/16
24
! We follow a 4-step process.
! Continuous improvement is key.
! A typical exercise requires between 5
and 10 man days of work.
! Maximum 2 à 3 iterations per year,
mostly only 1 per year!

25. Opening IT assurance discussions
29/04/16
25
! Developers
– Most developers have limited
ideas on the quality of their code.
– Hence, a typical eye-opener.
! Management
– Easy to interpret quality
dashboard, also for IT illiterate
resources.
– Sound basis for enabling
discussions on the value of IT
assurance, which are typically
neglected as focus is on creating
marketshare.

26. Linking payment milestones to
improvements
29/04/16
26
! A basis for the
investment manager
to manage the
investment based on
facts & figures.
! A means to agree
upon improvement
actions and
potentially linking
those to payment
milestones.

27. Mitigating Investment Risk
29/04/16
27
! One should typically run the
application audit on a dedicated
machine forcing the development
team to handover all required source
code items (dll’s, certificates, …).
! In most cases compilation is an issue
in terms of missing components,
hardcoding, …
! In one case it took us 2 weeks to get
the platform compiled correctly!

28. Assuring minimum level of documentation
29/04/16
28
! Code documentation is important as change of ownership during startup years is
likely to happen more often than within mature/stable environments.
! Additionally, lack of documentation ‘outside’ the code (e.g. functional design) is
typically higher in startups than in more mature organizations.

29. Assuring minimum level of documentation
29/04/16
29
! Our focus on improving code documentation is especially important for the complex
(McCabe Cyclomatic Complexity) code areas.

30. Identifying organization weaknesses
29/04/16
30
! Code audits often identify weaknesses in the organization.
! As a consequence we agree with the organization to focus on improving their
weaknesses through hiring/training.

31. Assuring continuous improvement
29/04/16
31
! Health factor ‘scores’ as such are relative and often result in discussions.
! More important is to agree upon continued positive evolution and link commitment of
continued evolution into a contractual agreement.
!

32. Being transparent is key
29/04/16
32
! Having ‘red’ scores is not a
shame.
! Knowing where to focus on and
having insight into areas for
improvement is more important.
! Being transparent on weak spots
during exit discussions is more
important than not knowing where
you stand.
!
=> Any weak spot identified during due diligence will jeopardize your negotiation position.

33. A trigger for re-engineering
! Assessing application quality – as opposed to code quality only –
allows to discover a potential ‘spaghetti’ architecture.
! Resulting in revising the entire architecture and identifying modules /
components for renewal.
29/04/16
33

34. Agreeing upon corrective actions
! Added value of having end-to-end view in limited
time compared to manual audits.
! Limited involvement required from development
team.
! Final presentation to present / discuss the results
during a half / one day workshop.
! Goal is to confirm / agree upon corrective actions.
29/04/16
34

35. IS SOFTWARE AND IT QUALITY
IMPORTANT FOR AN INVESTOR?
In Synopsis
29/04/16
35

36. ... Yes, it is!
! If you don’t measure you don’t know
! One reaps what one sows
! Moving in the right direction as of day 1 is key
! A means to professionalize the organization
! ‘Conditio sine qua non’ during exit discussions
29/04/16
36

37. How
to
contact
us?
-­‐
for
discussion
purposes
only
-­‐
37
www.entrust-­‐it.be
info@entrust-­‐it.be
+32
2
50
30
620
entrust-­‐it
CVBA
Keizerinlaan
66
1000
Brussels
Belgium
29/04/16