Recently, I had the chance to lead a panel discussing Open Source Software (OSS / Open Source) and its impact on M&A. In the course of preparing for this discussion, I was surprise to find:
- How ubiquitous Open Source is in modern software development,
- Its use, documentation and management have a major impact on financial transactions – both in terms of successful completion and in terms of valuation and,
- Many financial professionals have not been exposed to this topic in sufficient detail.
What particularly caught my attention was that OSS is not seemingly on many executive’s radar as they conduct the due diligence process. This struck me as odd, because, as you will read, 1) open source is nearly everywhere and 2) like any other material omission, not knowing your organization’s OSS will have a negative, possibly fatal, impact on a deal. Since Merrill is a steward and evangelist of the best practices of M&A dealmakers and I feel obliged to raise this topic.
As a background, Open Source Software represents, in a sense, a third method to develop technology. They are: property based development where a firm internally creates a product, an outsourced model where a company contracts to have the software developed for them or what Yochai Benkler (Harvard Law Professor focusing on the legal aspects of computing and author of the 2002 Yale Law Journal article, “Coase’s Penguin, or Linux and the Nature of the Firm”) calls the “commons-based peer production” model.
Open Source harnesses the power of distributed peer review and transparency of process. The promise is better quality, higher reliability, more flexibility, lower cost, and an end to predatory vendor lock-in.” The author of the definitive treatise on the subject, David Wheeler, puts it succinctly: “Open Source are programs whose licenses give users the freedom to run the program for any purpose, to study and modify the program, and to redistribute copies of either the original or modified program (without having to pay royalties to previous developers).”
There are significant benefits to utilizing open source software and by some estimates, 80% of modern code contains some element of Open Source. What this means is that, my earlier statement about 3 methods of development, should be modified to recognize that Open Source is not really a separate development process, but is (nearly) inherent to all modern software development.
Open source security and management challenges are formidable and most organizations lack visibility into the open source they’re using. And, unlike with proprietary software, organizations are on their own for updates, patches and documentation. It is difficult to control what you can’t see.
It is very important to recognize and manage the risks. An organization needs to think about the impact on workers who may not have the skill set to operate or navigate custom software, or adhere to de facto standards like Microsoft office suite. Then you have issues like support, product documentation, hardware compatibility, or warranties and liabilities. There are also operational risks, potential license violations, changes in enforcement trends and the growing presence of trolls amongst us, in this case preying on copyright issue.
The risks can be significant – financial loss, customer defection, legal issues, brand erosion – and can have an impact on an organization’s valuation and transaction success in the context of an M&A event. Top acquirers such as Microsoft and Google will not go further unless the code is well understood.
Below I list 7 things this think about to reduce the risk and to ensure a successful M&A outcome. By no means is this list exhaustive or the only things to think about, but I hope it get the wheels turning. is to consider the following:
7 Things to Remember About Open Source Software
- Ask Questions.
- There are many M&A implications on both the buy-side and the sell-side. Smart buyers and sellers ask a lot of questions.
- Actively manage your Open Source.
- Develop an automated process for securing and managing open source.
- Know what you have.
- Do your Apps contain Open Source? Ensure you have an accurate, real-time inventory of the Open Source components in use
- Be proactive.
- Enact policies use and processes for selecting, approving, and tracking.
- Be Secure
- Put in place processes to identify and remediate known open source security vulnerabilities and to monitor for new vulnerabilities.
- Be in Compliance.
- Ensure open source license obligations being met, including those associated with code acquired from third parties.
- Train your team.
- Ensure developers are trained on the importance of managing open source and your company’s specific policy and processes?
I’ve only scratched the surface here, but hopefully this gives you something to think about. If questions or want to discuss the topic further, I am always available. Thank you for reading and I wish you every success in your endeavors.