But, before you ring the bell on Wall Street, there's an immense amount of work that goes into getting ready for that moment. While preparations are felt across the entire organization, there are some things you need to do to get your research practice ready.
When we were preparing to go public at Auth0, we didn’t have a playbook or blueprint for making our research practice IPO-ready. Hopefully, this can help point you in the right direction when you get to that exciting (and slightly terrifying) moment.
Before we get into what it takes to be IPO-ready, let’s discuss why it matters.
Say you're a startup, fresh off your Series A. You're moving fast and breaking things. You’re not really worried about your exit because you're trying to build the plane while flying. I get it: how do you justify spending time and resources on something that seems so far in the future, let alone may never even happen? There are two key reasons to start thinking about (and taking action on) this now:
The first point is actually the irony of what happened at Auth0: I joined the company to build a mature, IPO-ready research function. And (literally) the day after my one-year anniversary, we announced we were being acquired by Okta, a publicly-traded company. There’s no doubt this acquisition was made more likely by the company's efforts to become IPO-ready, but there's more than one way to go public.
While it may add some overhead, being IPO-ready will make your research practice more ethical, more scalable, and more reliable. A lot of the scrutiny companies face when preparing to go public involves governance, compliance, and operational excellence. Basically, you want to make sure you aren't exposing your organization to any potential trouble and make it easier for investors to predict and forecast long-term performance. This increased transparency puts pressure on your company to follow consistent and repeatable processes, handle customer data responsibly, and operate a mature research function.
Convinced? Great. Let's first take a look at what IPO readiness entails in general. Then we'll dive into how it can and will impact your research practice in particular.
If you’re unfamiliar with what’s involved in an IPO, check out Pitchbook’s interactive guide.
For companies transitioning from private to public, the required level of transparency can be a complete shock to the system. If you’re used to toiling away in relative obscurity in your corner of the organization, be prepared to handle questions you've never even considered. If you’re creating a process or writing a new guide, assume the need for transparency, and err on the side of being verbose and robust.
Transparency takes many forms: from budgeting and forecasting to processes and best practices to even vendor relationships. If you aren’t already keeping track of expenses, start. If you don’t know the security posture of your tools, find out. If you haven’t documented how your research function works, make it a habit. Documentation is key.
Proper documentation is the foundation of repeatable processes. This applies as much to your process:
As it does to your team:
Documenting everything will help you increase consistency. It will also help you identify where your gaps are. If you’re trying to write out your entire process and realize you’re missing a guide for how to recruit participants for research, you first need to figure out what you can and can’t do before you can make decisions about how you want it to happen. This probably involves conversations with your partners in marketing and customer success as well.
When in doubt, write it down. There’s an added bonus of keeping things DRY. Instead of typing out a response to every DM you get, send them to the docs. 💁 People will catch on.
If there’s a recurring theme here, it’s that there are things you will be asked to do that you haven’t done before and weren’t expecting. One of those things at Auth0 was helping to define data classification. Next time you’re bored, grab some popcorn and ask your nearest compliance team member for a deep dive on personally identifiable information (PII). 🍿
Data classification is a way to identify how sensitive certain types of information are. By creating a limited set of overarching classes (e.g. Essential, Sensitive, Private, Public), it makes it much easier to determine and enforce a data governance policy.
That data governance policy will cover a lot more than data classes. Data governance includes what information is being kept, where it’s being kept, who has access to it, how and when it gets accessed or transferred, how long it’s kept, and if, when, and how it’s disposed of. An organization’s policy will cover the entire company and govern all types of data, whether it’s company financials, sensitive HR topics, sales interactions before a contract is signed, or how your research team handles data.
The more involved you can be in the data governance discussion, the easier it will be to comply and the more likely you are to have a policy that works for you. Make friends with legal and compliance. 🤝
Another unexpected, but nontrivial debate we had when going public was which individuals and teams were impacted by material nonpublic information. There’s certainly an argument to be made that anyone working in an intelligence function (research, data science, competitive intelligence, pricing, strategy, etc.) will, by the nature of their job, encounter MNPI. This may be true for sales and customer success team members in certain instances as well.
In this instance, the debate centers around what the company considers “material”. The question is whether knowledge has the ability to impact the stock price. If a major sale (or churn) is happening, that could impact the stock price. If there are general trends you’re observing that might have long-term effects on your business, that can also impact the stock price.
Hopefully, the research your team does has some level of impact on product direction. Does this count as MNPI? How soon are the changes going live? Are you working on a new feature or product line that isn’t public knowledge yet? This also impacts what you can and can’t share when giving talks at meetups or conferences. Once something is discussed publicly, it’s out there forever.
When your organization prepares to go public, there are a few key areas that will impact your research function, each with its own special considerations:
Data governance might sound like a foreign concept to researchers, but it looms large in the eyes of public companies — even more so if you operate internationally and need to consider the impact of local regulations such as GDPR. When selecting vendors, sometimes the ideal tool is no longer an option for a variety of reasons. And last but not least, research operations is a crucial piece of making a scalable and repeatable process. It's also the way to ensure you're checking every box to become IPO-ready.
We discussed general data governance above, but if you don’t already have policies around where data is stored and how long it’s kept for each classification, talk to your compliance and legal teams and get something drafted. The easiest way to start is to pick:
Where you store data and who has access to what also matters. Does everyone at the company need to be able to view raw data (survey responses, recordings, etc.)? Probably not. Does everyone need access to your research summaries, or your insights repo? That’s a bit easier to stomach. And yes, it’s completely okay for someone to read a summary or an insight, click on a link for more data, and get an "access denied" screen. They can always ask for temporary permission.
When in doubt, err on the side of caution. It’s much easier to give permission later than it is to take it away.
The same goes for auditing access to data and tools. How do you keep track of who has access to what? What happens when someone leaves the company? How often are you checking and revoking access that is no longer needed? If your company doesn’t have a system for this, set something up ASAP, even if that means checking the employee directory every quarter.
This also applies to the agreement you have with your participants with respect to the use of their data. Some companies prefer to customize their agreements for each study, but it might be easier to produce a single agreement form that all participants sign. Make sure this includes what types of data will be collected (names, recordings, etc.), how that data is being handled, and what rights they have as participants. If you’re looking for inspiration, you can find Auth0’s here.
For startups, typically the most important factors when it comes to vendor and tool selection are feature set and price. Basically, does it do the things we need it to do and can we afford it? In a public company, you also need to be very mindful of their security posture, their privacy policy, and any brand associations different vendors may have. Yes, your company may refuse to work with another company simply based on how they’re viewed in the public — anything that can impact your stock price.
This will vary slightly by industry, but in general, publicly traded companies care a lot more about things like GDPR, HIPAA, PCI, SOC, and ISO compliance. Auditability becomes a key feature, as well as advanced permissioning. These are actually some of the things Great Question had to go through when Auth0 was procuring them.
Be mindful of GDPR’s definitions for "data processor" and "data controller", as well. They fall under different levels of scrutiny, but I guarantee any tool you use will be at least one of them.
At this point, you might be a bit overwhelmed. How am I supposed to make sure everyone who does research is doing everything right? ResearchOps, to the rescue.
Mature and effective research operations is an integral part of any IPO-ready research function. Repeatability, scalability, predictability: these are all things that ResearchOps can help you with. Ensuring data is handled properly is another key win, and the easiest way to do that is to enforce consistent processes. Auditability is another important piece of going public, and ResearchOps can help with that as well.
Investing in research operations is investing in IPO readiness. Documentation and consistency are key. Making changes to improve data governance is much more difficult if everyone is doing things differently. By centralizing processes, it becomes much more practical to enforce best practices. Automation can also help tremendously here, but even if you have to do things manually, having a standard process and a checklist can be a lifesaver.
Like most things in the research world, the answer to how to become IPO-ready is "it depends". Every company’s situation is different, and factors like your bylaws, your legal team, your industry, and your organization size will change the way you approach this.
One of the most valuable things you can do as a researcher is to make friends with your legal and compliance teams. The better your relationship with them and the better they understand your work, the easier this will be.
Dig the well before you get thirsty: start building that relationship now, and let this guide the conversations you have leading up to the big day.
Brad (they/them) is a UX Leader, User Researcher, Coach, and Dancer who's been helping companies from early-stage startup to Fortune 500 develop engaging, fulfilling experiences and build top-tier Research & Design practices since 2009. They have helped launch dozens of products, touched hundreds of millions of users, managed budgets ranging from $0 to $10M+, and coached hundreds of Researchers. Born in Buffalo and currently based in Brooklyn, NY, Brad dances with the Sokolow Theatre Dance Ensemble and Kanopy Dance Company, co-organizes the NYC User Research meetup, and served on the Board of ResearchOps from 2018-2021.