Prioritising publishers in a time boxed diligence is the skill that separates a useful software review from a box ticking exercise. A diligence rarely has time to measure every vendor in a target estate to the same depth, and trying to do so spreads effort so thin that the real exposures go unmeasured. Prioritising publishers in a time boxed diligence means deciding, fast and on evidence, which vendors carry the exposure that can move the deal, and concentrating the available time there. Get the priority right and a two week diligence finds the eight figure risk. Get it wrong and the same two weeks produce a tidy inventory and miss the number that mattered.
This guide explains how to rank publishers under time pressure, as part of the broader software due diligence method and the constraints of a real diligence timeline.
Why prioritising publishers in a time boxed diligence matters
Software exposure is not evenly distributed across an estate. A handful of publishers, typically the large on premises vendors, carry the overwhelming majority of the audit and true up risk, while a long tail of smaller tools carries very little. A diligence that treats every vendor equally wastes its scarce time on low risk software and starves the high risk publishers of the depth they need. Prioritisation is the act of matching effort to risk, so the time box is spent where a finding can actually change a deal term.
Rank publishers on exposure and likelihood
Two factors drive the ranking: how large the potential exposure is, and how likely a publisher is to test it. Oracle, SAP, Microsoft, and IBM score high on both, with Broadcom rising fast through VMware, and increasingly Salesforce and ServiceNow on the subscription side. These publishers run mature compliance functions and treat a change of ownership as a prompt to act. A mid market tool with simple per user licensing and no audit history scores low on both, and rightly drops down the list. The ranking is a product of exposure and likelihood, not a count of contracts.
Use fast signals to sort the estate
You do not need a full measurement to prioritise. Fast signals do the sorting: total spend with a publisher, the presence of on premises deployments with complex metrics, evidence of virtualisation, a history of acquisitions that may carry inherited agreements, and any sign of indirect access. A publisher that combines high spend, complex metrics, and a virtualised deployment goes straight to the top of the list. These signals are visible early, often in the first data the target provides, and they let the diligence commit its depth before the clock runs down.
Key takeaways
- Exposure concentrates in a few publishers. Matching effort to risk is the whole point of prioritisation.
- Rank on two factors: potential exposure and the likelihood a publisher tests it.
- Tier one is Oracle, SAP, Microsoft, and IBM, with Broadcom, Salesforce, and ServiceNow rising.
- Fast signals such as spend, complex metrics, and virtualisation let you prioritise before full measurement.
Concentrate depth where it changes the deal
Once ranked, the time box is spent unevenly on purpose. Tier one publishers get a full effective license position, because that is where an eight figure finding is plausible. Tier two gets targeted measurement of the metrics most likely to bite, such as VMware core counting after the Broadcom changes. Tier three gets a contract and entitlement review. The long tail gets an inventory and a spot check. This is not cutting corners; it is the deliberate allocation of scarce time to the publishers where a number can move a price, an indemnity, or a condition of close.
Document what you did not measure
Prioritisation creates a duty to disclose. A time boxed diligence that goes deep on tier one and light on the long tail must say so plainly, so the committee knows the boundary of the work. An undisclosed gap, where a publisher was deprioritised without anyone recording the decision, becomes a credibility problem if that publisher later surfaces an exposure. State the prioritisation logic, the publishers measured in full, and those reviewed only at contract level, so the committee can weigh residual risk with its eyes open. This is the same transparency that underpins a defensible diligence report.
Carry the priority into the post close plan
The publishers that mattered most in diligence usually matter most after close as well. The prioritisation that focused the diligence should carry into the license reconciliation plan, so the integration team starts with the tier one publishers rather than working alphabetically. A diligence that ranked exposure and then handed an unranked list to integration has thrown away its own best work. The ranking is an asset, not just a diligence convenience.
Recommendations for buyers
- Rank publishers on exposure and likelihood before committing any measurement depth.
- Give tier one a full license position, tier two targeted measurement, and the long tail an inventory and spot check.
- Use fast signals such as spend, complex metrics, and virtualisation to prioritise early.
- Disclose what was not measured, and carry the publisher ranking into the post close reconciliation plan.
Revisit the ranking as new data arrives
Prioritisation is not a single decision made at the start and then frozen. The first ranking is built on fast signals, and those signals can be wrong. A publisher that looked low risk on spend may reveal a complex virtualised deployment once the estate data arrives, and a tier one vendor may turn out to be cleanly licensed and need less depth than expected. A good time boxed diligence revisits its ranking as each new piece of data lands, moving effort toward the publishers where the evidence is now pointing. Treating the initial ranking as provisional, and being willing to redeploy time mid diligence, is what keeps the work focused on the real exposure rather than on the one the team guessed at on day one.
Match the team to the priority
Prioritisation also decides where to put scarce expertise. The publishers with the most complex metrics, typically Oracle and SAP, reward deep specialist knowledge, because the exposure hides in how virtualisation and indirect access are counted, not in the headline contract. Assigning the most experienced reviewers to the tier one publishers, and handling the long tail with lighter process, gets the most out of a fixed team in a fixed window. A diligence that spreads its best people evenly across every vendor, regardless of risk, dilutes exactly the expertise that finds the large exposures. Matching the team to the priority is as important as matching the time.
Why an independent advisor prioritises better
Knowing which publishers to fear, and why, comes from seeing many estates and many audits. An independent, buyer side advisor brings that pattern recognition without the conflict of a party that sells one publisher's software over another. The result is a prioritisation built on where exposure actually lands, not on which vendor relationship an advisor wants to protect, which is exactly what a time boxed diligence needs.