
The Portfolio IT Playbook: How PE Firms Manage IT Risk Across 5, 10, or 20 Portfolio Companies

PE firms with portfolio companies face shared IT risks: common cloud providers, shared vendors, and concentration risk. Here's the portfolio IT governance framework.

Luna · Tags: private-equity, portfolio, it-governance, risk, m-and-a

A PE firm with 10 portfolio companies has a problem that doesn’t show up in any single company’s IT infrastructure — the portfolio-level IT risk.

If 7 of those 10 companies run their identity infrastructure on the same Azure AD tenant, or use the same managed service provider, or host on the same AWS account structure, a single failure mode can cascade across multiple portfolio companies simultaneously.

This is the portfolio IT playbook that most PE firms don’t have.

The Portfolio IT Risk Map

The first output is a portfolio IT risk map: for each portfolio company, the critical IT dependencies, and where those dependencies overlap with other portfolio companies.

Shared Vendor Risk: How many portfolio companies use the same IT MSP? If one MSP supports 6 of the 10 portfolio companies, the MSP’s failure or compromise affects 60% of the portfolio simultaneously.

Shared Cloud Risk: How many portfolio companies’ Azure AD tenants are in the same Azure region? If all tenants are in US East, a regional outage affects all companies simultaneously.

Shared Network Risk: Do portfolio companies have any VPN or network connections between them? If a portfolio company gets breached and has VPN access to another portfolio company’s network, the attacker has a pivot path.

Common Vulnerability Risk: Do multiple portfolio companies have the same unpatched vulnerability? If a critical vulnerability in a common component (e.g., a vulnerability in a VPN gateway used by multiple portfolio companies) is discovered, the attack surface is the entire portfolio.

The 5-Company Portfolio IT Governance Framework

Tier 1: Portfolio-Level IT Governance

Quarterly IT Risk Review

  • Review ACQI discovery results for each portfolio company quarterly
  • Track IT risk scores across the portfolio
  • Flag any portfolio company whose risk score has deteriorated significantly (new vulnerabilities, cloud misconfigurations)
  • Monitor shared vendor and cloud risk concentration

IT Due Diligence Standard

  • Require ACQI discovery scan for every new acquisition within 60 days of close
  • Set a minimum IT risk score threshold for all new acquisitions (e.g., ACQI security score > 60)
  • Require ACQI scan of seller-provided IT infrastructure as part of every LOI-stage DD

Incident Response Coordination

  • If one portfolio company has an IT security incident, immediately scan all other portfolio companies for the same indicators
  • Maintain a portfolio-level incident response contact list, updated quarterly
  • Have a portfolio-wide backup verification process (ACQI backup module run across all companies simultaneously)

Tier 2: Portfolio Company-Level Governance

IT Risk Scorecard (Quarterly)

  • Run ACQI discovery scan quarterly per portfolio company
  • Track: security score, number of critical vulnerabilities, MFA coverage %, service account status, cloud waste
  • Assign an IT risk rating: Green / Amber / Red per company

IT Budget Review (Annual)

  • Review IT capex and opex against industry benchmark for company size
  • Identify shadow IT spend (SaaS tools not on corporate IT’s radar)
  • Cloud optimization: identify cloud waste, right-sizing opportunities, reserved instance opportunities

Integration Standard

  • When a portfolio company acquires another company, apply the ACQI M&A integration checklist
  • Track integration milestones post-close: Day 1 checklist completion, 30-day security baseline, 90-day systems stabilized

The Add-On Acquisition Problem

Add-on acquisitions are the most common PE deal type. They’re also the highest-risk from an IT integration perspective.

Why: Add-ons are typically smaller companies with less mature IT environments. They’re often acquired for their product or customer relationships, not their IT infrastructure. The IT environment gets less scrutiny in the deal process.

And then the add-on gets integrated into the platform company’s IT environment — which means any IT risks in the add-on flow into the platform company.

The specific add-on IT risk: Add-on companies often have founder-era IT practices. Personal email accounts used for business services. Service accounts with no password expiration. Vendor contracts in the founder’s name. No documented IT policies.

When the add-on is integrated into the platform company’s Azure AD, those legacy credentials become part of the platform company’s identity store.

ACQI’s contribution for add-ons: A 72-hour discovery sprint specifically for add-on acquisitions — focused on the IT risk items that transfer to the platform company: identity (all accounts, privileged accounts, service accounts), SaaS applications (what is this company actually paying for?), and network connections (does this company have any direct connections to the platform company’s network?).

The Portfolio Vendor Concentration Problem

The average mid-size PE portfolio company uses 15-25 IT vendors. Across a 10-company portfolio, this creates vendor concentration risk.

The MSP problem: If 6 portfolio companies use the same MSP, and that MSP has a breach, 6 portfolio companies are affected simultaneously. The MSP’s security practices are now a portfolio-level risk.

The SaaS problem: If 8 portfolio companies use the same CRM vendor, the CRM vendor’s security posture is a shared risk. The CRM vendor’s outage is a portfolio-wide business continuity risk.

The cloud provider problem: All major cloud providers have multi-region outages periodically. If all 10 portfolio companies run on Azure US East, an Azure US East outage takes down all 10 companies simultaneously.

ACQI’s SaaS discovery module produces a portfolio-level SaaS inventory. This becomes the vendor concentration risk register.

The Portfolio IT Dashboard

The output of the portfolio IT governance framework is a single dashboard:

  • Portfolio risk score (composite of all portfolio company risk scores, weighted by company size)
  • Shared vendor risk concentration
  • Shared cloud risk concentration
  • Security vulnerability trends across the portfolio
  • IT budget vs. benchmark per portfolio company
  • Integration status for any active integration projects

This dashboard should be reviewed by the PE firm’s operating team quarterly, and by the investment committee annually as part of the portfolio review.
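The risk map and dashboard described above reduce to a small roll-up over per-company dependency records. The following is an added illustration, not ACQI’s code: it builds the shared-dependency concentration register (the "6 of 10 companies on one MSP" check), the size-weighted composite portfolio score, and the Green / Amber / Red scorecard. The company names, vendors, regions, revenue weights and the 80-point Green cut-off are constructed assumptions; the 60 floor is the page’s own acquisition threshold.

```python
# Added example (not ACQI's code): build a portfolio IT risk map from
# per-company dependency records and roll it up into the dashboard figures.
# Company names, vendors, regions, sizes and scores are constructed sample data.
from collections import defaultdict

# Constructed sample: five portfolio companies. "size" is the weight used for
# the composite score (revenue in $M is assumed here).
PORTFOLIO = [
    {"name": "Co-A", "size": 120, "score": 72,
     "deps": {"msp": "NorthStar MSP", "region": "Azure US East", "crm": "CRM-X"}},
    {"name": "Co-B", "size": 80, "score": 85,
     "deps": {"msp": "NorthStar MSP", "region": "Azure US East", "crm": "CRM-Y"}},
    {"name": "Co-C", "size": 50, "score": 58,
     "deps": {"msp": "NorthStar MSP", "region": "Azure US East", "crm": "CRM-X"}},
    {"name": "Co-D", "size": 30, "score": 90,
     "deps": {"msp": "Harbor IT", "region": "AWS us-west-2", "crm": "CRM-X"}},
    {"name": "Co-E", "size": 20, "score": 40,
     "deps": {"msp": "Harbor IT", "region": "Azure US East", "crm": "CRM-Z"}},
]

def concentration(portfolio, threshold=0.5):
    """Shared-dependency register: {(dep_type, provider): share of portfolio}
    for every provider that `threshold` or more of the companies depend on."""
    counts = defaultdict(int)
    for co in portfolio:
        for dep_type, provider in co["deps"].items():
            counts[(dep_type, provider)] += 1
    n = len(portfolio)
    return {k: c / n for k, c in counts.items() if c / n >= threshold}

def composite_score(portfolio):
    """Portfolio risk score: company scores weighted by company size."""
    total = sum(co["size"] for co in portfolio)
    return sum(co["score"] * co["size"] for co in portfolio) / total

def rating(score):
    """Green / Amber / Red. Red at or below the 60 floor the page uses for
    new acquisitions; the 80 Green cut-off is an assumed value."""
    if score >= 80:
        return "Green"
    return "Amber" if score > 60 else "Red"

def scorecard(portfolio):
    """Per-company rating: the Tier 2 quarterly scorecard view."""
    return {co["name"]: rating(co["score"]) for co in portfolio}

if __name__ == "__main__":
    for (dep_type, provider), share in sorted(concentration(PORTFOLIO).items()):
        print(f"{dep_type:7} {provider:15} {share:.0%} of portfolio")
    print("composite", round(composite_score(PORTFOLIO), 1), scorecard(PORTFOLIO))
```

Any entry in the register at or above the threshold is a concentration to track in the quarterly review; lowering `threshold` widens the net.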

Running an integration right now?

The research is clear: discovery-first integrations deliver on time. ACQI has the modules to get you there in weeks, not months.