M&A, Business Models and Ecosystems in the Software Industry

Karl´s blog

Posts tagged due diligence
Best practices for commercial use of Open Source

Open Source best practices

Today, all software vendors make use of open source.

  • They strive for excellence in leveraging using open source software in commercial software products while ensuring licensing compliance and governance.

  • They strive for excellence in using open source based business models for commercial success.

  • They strive for excellence in leveraging development models that are used in open source communities in adapting these for in-house use at commercial software vendors.

  • They analyze usage of open source software during due diligence in acquiring software companies.

To reach excellence you have to be equipped with knowledge about best practices for open source. This blog is meant to provide you with the latest knowledge about open source, esp. open source licensing in commercial software, to reach excellence in open source matters. Please find more information in the book “Best practices for commercial use of open source software”.

Open Source  and Open Source Licensing for commercial software

This page shows you why you should carefully consider using open source software in commercial software: Advantages and disadvantages of open source usage, why open source is used in commercial software and how to manage open source licensing and to control open source usage.

Most important is professional management of open source usage by defining an open source policy for your software company and by following structured processes for open source licensing approval and control. Rest assured that attorneys, consultants and tool vendors are there to assist you.

Advantages of Open Source usage

Simple and fast access to open source are often named as key advantages. Low cost and high quality are additional reasons to consider open source. For a software vendor, there might also be a strategic advantage to use open source software to provide the "non-competitive" part of a solution, while the developers care for the competitive part of the solution.

Motivation for open source usage in commercial software

Usually there are numerous open source components used in commercial software. It makes sense to use open source in commercial software if and only if you can comply with the open source license attached to that open source software. If you do so, you can leverage open source to quickly create functionality and to build on trusted functionality that is provided by software vendors or the open source community.

Relevance of Open Source Licensing

Open source components like the International Components for Unicode, ICU,or Hibernate are used in many commercial software solutions. Non-compliance with the license terms can have dramatic consequences. To avoid these open source licensing consequences, a software vendor has to install an open source licensing policy and practice. But what are the negative aspects and side effects of open source licenses? Open source licensing is also a relevant part of due diligence efforts in the software industry as explained in this book:

Potential disadvantages of open source usage

Use of open source in commercial software can show the following disadvantages:

  • Missing commercial services, like support and service level agreements impact the ability to run in commercial environments;

  • Commercialization of software might be blocked;

  • Missing or incomplete license attributes, like e.g. for sublicensing software or running software in an on demand environment;

  • Missing warranty and liability;

  • Non-compliance with license terms might lead to litigations.

Open Source licenses and software supply chains

Usage and licensing rights are transferred between players in the software supply chain. Software passed along the supply chain might contain open source software, too. Due to the copyleft effect in certain licenses, the non-compliance of one supplier might impact all other software companies down the supply chain.
So software vendors should diligently check which open source components are contained in the software supplied to them and which license terms apply.
The use of tools eases the work on this problem. You can use open source scanners to find open source code and the corresponding license terms. Please find more information in the book “Best practices for commercial use of open source software”.

Open Source Software License Due Diligence

Often, commercial software contains open source components. In the due diligence for acquiring a commercial software company, you have to check if the company complies with the licenses for open source software contained in their products (open source due diligence). The following figure shows typical components of commercial software that are analyzed during due diligence. They are coming from service providers, from suppliers for OEM software, freeware and open source software and they are created by employees, too.

Next in due diligence we look at the utilization of open source software. In the following figure the software vendor distributes the software products to resellers and to direct customers. The key fact that triggers open source license compliance is often distribution. With the distribution, the open source license terms apply and have to be complied with. Often open source license terms require that the source code is revealed and/or the software has to be provided free of charge. This is of course a critical issue in the due diligence of commercial software.
Software vendors´ core business is monetization of usage rights granted to customers. Open source software and corresponding licenses have to be diligently analyzed in open source due diligence.

You have to ensure that

  • all current and planned utilizations of open source software are covered and that

  • no open source license terms are violated.

Open Source Software Governance

Open Source Governance is the risk management process for using open source software in commercial software products. So what is the risk in using open source software?

Open source usage has several risks, like:

  • Operational risk: Missing commercial services, like support, might impact the ability to serve customers well in commercial environments;

  • Commercial risk: Monetization of software products might be blocked by open source licenses; Missing warranty and liability terms for software increase the warranty and liability risk for the commercial software vendor; Limitation of business models and delivery models might occur if the open source license does not explicitly allow or even forbid them.

  • License attribute risk: Missing or incomplete license attributes, like e.g. for sublicensing software or running software in a cloud environment; Non-compliance with license terms might lead to litigations.

  • Patent litigation risk: open source software might violate intellectual property rights like patents and this poses a legal risk.

Establishing open source governance

Proactive management of open source usage and open source licensing is paramount for commercial software vendors. From design to shipment of software solutions, open source governance is demanded. Please find more information in the book “Best practices for commercial use of open source software”.

Before you start with open source governance, you have to define your open source policy containing:

  • Strategic topics:

    • Risk level accepted by the management

    • Overall investment in organization, processes and tools for open source compliance

  • Tactical topics:

    • Level of management to approve open source usage

    • Frequence and intensity of governance

    • Software license tracking: Open source scan tool selection

    • Size of open source governance functions

  • Operational topics:

    • List of acceptable open source licenses based on risk level

    • Budget for Open Source Scan Tools

    • A process for governance of used open source components.

We see two types of open source governance: reactive and active. Reactive open source governance just reacts to open source components used in a commercial software and provides an evaluation if an open source use is acceptable or not. As a result, the open source component can be used or has to be removed from the product.

An active approach to open source governance is to provide access to open source componentsfrom within development tools. The development tools allow open source components, that the company allows under the open source policy. Please find more information in the book “Best practices for commercial use of open source software”.

Ensuring merger integration success with innovative due diligence

Merger integration success based on innovative due diligence

We introduce merger integration due diligence as a new type of due diligence that arises from the objective “Maximize likelihood of integration success”.

Definition of merger integration due diligence

Merger integration due diligence has the goal to review the merger integration project and plans. 

All aspects of merger integration are being reviewed for viability and for likelihood of success. Viability relates to the work breakdown structure for the integration to be consistent and complete. It also relates to resources (employees and budgets) that have to be sufficient and available. The objective of the task is to maximize the likelihood of merger integration success.


Based on the decomposition of the merger integration task we can define the corresponding decomposition of the merger integration due diligence task.

Review of the design of the new entity

The design of the new entity has to be reviewed for consistency and completeness. We start with the business strategy and plan layer and review the defined business strategy for the new entity. Then we enter the second layer and ask questions like: will the business processes work? Are the business processes compliant with compliance rules? Is governance of the business ensured?
In parallel, we have a look at the business resources and at the questions: Are enough qualified resources planned and available? Are the assignments of resources to tasks sufficient? Are sufficient resources planned and available?

Review merger integration plans

Next we review merger integration plans. Keeping in mind the design of the new entity and the resource situation, we review the schedules and the steps of the merger integration plans. We ask questions like: Can the merger integration plan be executed the way it is defined? Will sufficient resources and budgets be available at the right time to execute the merger integration plan successfully? What happens if we run late or we have resource shortages?

Review merger integration project

This is the part of the review that is often neglected in practice. We review the structure and behavior of the merger integration project.
It is important to keep in mind that the word “project” implies that we have a professional management of the integration leveraging professional project managers, experienced with complex projects and equipped with skills of a certified project manager. We should also have a project steering committee in place that has wide competencies and can drive and take decisions quickly.
We also focus on getting answers to questions like: Do we have the right assignments of resources to merger integration tasks? Are the resources capable of executing their assigned tasks? Do the resources have appropriate social competences to lead people and convince them the integration is the right thing to do?

With the results of the merger integration due diligence, you are well prepared to have the right budget, business plan and integration approach.

M&A Digitalization: where should data reside?

In past years, there always was a dichotomy: either companies were only on premise, storing their crown jewel data on site, or companies ran certain applications in the cloud. Now, hybrid clouds are on the rise.  This means there are three options now.  

In M&A, data rooms are typically private cloud based storage of highly confidential data during due diligence. Data from other phases are usually stored on site. With all these changes happening and the clear need to manage M&A processes,  where should company store their data about  all phases of the M&A process ?

On premise?

The safest way to store mission critical data is to store them on premise.  locked up.  This is perfect for a the early phases. As soon as more people get involved from inside and outside the company, during due diligence and post merger integration, this approach is not perfect. 

in the cloud? 

Cloud storage makes perfect sense for trustfully giving restricted access to people from different companies. For most companies, this is needed during due diligence and following phases. But many companies also interact with third party companies even before due diligence. 

Requirements for M&A process tools

Customers rule. An end-to-end process tool must respect that. No matter if  customers choose on site, private cloud or public cloud, vendors of end-to-end process tools should give customers a choice. The customer should decide where to store data. 


Welche Auswirkungen haben Länder auf die Integrationsaktivitäten von Unternehmensfusionen? Wenn Sie an einer transnationalen Merger-Integration arbeiten, sollten Sie über Kenntnisse dieser Faktoren verfügen.

Multinationale Zielfirmen erstrecken sich über mehrere Länder mit Tochtergesellschaften in jedem der Länder. Es gibt viele Faktoren in einem bestimmten Land, welche die Integration von Fusionen beeinflussen, die auf überregionaler, nationaler und lokaler Ebene stattfinden. Hinzu kommen soziale und kulturelle Faktoren, die sich je nach Land oder Region unterscheiden, wie Arbeitstage innerhalb einer Woche, nationale Feiertagskalender, das politische Umfeld sowie die Präsenz und der Einfluss von Gewerkschaften.

Diese Faktoren sind:

  • Rechtlicher Rahmen

  • Soziologischer Rahmen

  • Kultureller Rahmen

  • Politisches Umfeld

  • Technologisches Umfeld

  • Ökologische Umwelt

  • Lokales Umfeld des Unternehmens

Hier ist mehr Hintergrund zu einigen der Faktoren:


Jedes Land hat eine spezifische Reihe von Gesetzen und Vorschriften, die für die Integration von Fusionen gelten. Diese betreffen z.B. die Übertragung von physischem und geistigem Eigentum, Compliance- und Berichtspflichten des Unternehmens, das Verhalten in Wettbewerbssituationen, Vorschriften und Verfahren zur Beschäftigung und Unternehmensübertragung sowie die Berechnung und Zahlung von Steuern.

Für die Verschmelzung setzt der Rechtsrahmen Grenzen und regelt Integrationsaktivitäten wie die Integration von Unternehmen in eine einzige juristische Person sowie die Umstrukturierung. Manager von Merger Integrationsmaßnahmen müssen über Kenntnisse dieser rechtlichen Rahmenbedingungen verfügen, um die Auswirkungen zu ermitteln.


Nationale Kulturen können sich unterscheiden, wenn es um Religion, Ethnizität und Klassenstrukturen geht. Nationale Kulturen definieren laut Hofstede aber auch die Gleichheit/Ungleichheit in der Gesellschaft, die individuellen und kollektiven Aspekte, die Geschlechterrollen sowie die Vermeidung von Unsicherheit und Angst in einer Gesellschaft. Für die Integration von Fusionen müssen Sie sich dieser kulturellen Aspekte bewusst sein.


Wie wirkt sich das politische Umfeld auf die Integration von Fusionen aus? Aus aktiver Sicht treiben die Politiker Gesetze und Haushaltsentscheidungen voran. Sie werden mit dem Erwerber zusammenarbeiten, wenn die erwarteten positiven Auswirkungen der Fusionsintegration hoch sind und dem Politiker von Nutzen sind.

Aus passiver Sicht müssen Politiker auf mögliche negative Wahrnehmungen und Ergebnisse oder Nebenwirkungen von Fusionsintegrationsaktivitäten wie Streiks der Belegschaft im Falle von Umstrukturierungen reagieren. Für die Integration von Fusionen müssen Sie sich über das politische Umfeld in jedem Land im Klaren sein, das von der Integration betroffen ist.


Verschiedene Branchen haben unterschiedliche Anforderungen an das Vorhandensein oder die Verfügbarkeit von Technologie in einem bestimmten Land. Dies könnte sich auf die nationale technologische Infrastruktur wie Verfügbarkeit von Strom, Kühlung, Wärme, Transport sowie auf lokale Lieferanten mit der richtigen Technologie, Kompetenz und Versorgung beziehen, aber auch auf die Verfügbarkeit qualifizierter Mitarbeiter.


Ein Unternehmen ist immer in sein lokales ökologisches Umfeld eingebettet. Natürliche Ressourcen, Ökologie sowie Umweltschutzanforderungen sind Beispiele für die ökologische Umwelt. Die Ergebnisse der Due Diligence können zu Arbeitsaufgaben für die Fusionsintegration führen, wie z.B. Umweltsanierungsaktivitäten.


Neben den oben beschriebenen makroökonomischen Faktoren ist jedes lokale Unternehmen in einen mikroökonomischen Kontext mit lokalen Wettbewerbern und Lieferanten und Mitarbeitern eingebettet und muss sich mit den lokalen Finanzierungsbedingungen und den lokalen Gesetzen und Vorschriften auseinandersetzen.