Carve-out IT, separating systems from a Fortune 1000 parent

A carve-out from a Fortune 1000 parent is one of the most demanding transaction types in PE. The target operates inside a shared-services environment where dozens of systems, hundreds of integrations and an embedded workforce of corporate IT staff support the business unit. On the close date, the target has to operate as an independent company using an IT environment it does not yet have.

The transition services agreement bridges the gap. For 6 to 18 months after close, the parent continues to provide services to the carved-out business under contract. During that window, the new standalone company builds its own IT environment, migrates off parent services and exits the TSA. The quality of that build and migration work is a material determinant of whether the transaction earns out as modeled.

We support a lower-middle-market PE portfolio company we carved out from its publicly-traded industrial-services parent operator, building the standalone IT and cybersecurity environment, operating as the post-close MSP and producing the reporting cadence sponsors expect. Our direct experience is at that mid-cap scale; the workstreams and TSA mechanics described below apply to Fortune 1000 carve-outs similarly, at larger volume.

What a carve-out actually inherits, and does not

A Fortune 1000 business unit inherits its parent’s IT capabilities through three mechanisms, each of which exits the target on close.

• Corporate IT services. Email, collaboration, ERP, HR, finance, authentication, remote access. All operated by the parent’s IT organization on infrastructure owned by the parent.
• Shared applications. CRM, document management, specialized tooling. Often licensed enterprise-wide by the parent.
• Corporate IT staff. The people. Engineers, help desk, security operations, architecture. All employed by the parent.

At close, these services and people are gone, or available only through the TSA for a limited time and at a premium rate. The new company has to rebuild.

What the target does inherit, and has to operate from day one:

• The physical facilities and their local infrastructure
• Any systems genuinely dedicated to the business unit (not shared enterprise systems)
• The employee population (minus corporate IT staff who typically stay with the parent)
• The commercial relationships, customer contracts and supplier agreements

The IT organization in a Fortune 1000 business unit often has 0 to 5 people before the carve-out. The post-close company needs the equivalent of 10 to 40 full-time IT and cybersecurity capabilities, depending on scale. That gap is the carve-out IT project.

The TSA, where the work is actually scoped

The transition services agreement is the contractual bridge. Its contents determine the practical shape of the carve-out work.

A well-written TSA covers:

• Services in scope. Every service the parent will continue to provide, at what service level, for how long.
• Pricing. Usually cost-plus or fixed-fee, typically at rates significantly above what the replacement service would cost on the open market.
• Exit mechanics. Notice periods, data export obligations, cooperation commitments for migration work.
• Termination dates. Per-service end dates, usually staggered.
• Support scope. What help the parent will provide during migration (often less than the new company hopes).

The carve-out IT project plan is essentially the plan to exit each TSA line item before its termination date, at a lower run-rate cost, without losing operational capability.

The four-workstream model

A typical carve-out IT program organizes around four parallel workstreams.

Workstream 1, foundation

Building the baseline environment the company will operate on.

• Identity and access. A new corporate directory, a new identity provider, MFA from day one, conditional access policies.
• Email and collaboration. Microsoft 365 or Google Workspace, provisioned for the full workforce.
• Endpoint management. A managed endpoint platform, rolled out across the company-owned device fleet.
• Network and connectivity. Internet circuits, VPN or identity-aware access, SD-WAN if multi-site, WiFi at every facility.
• Security baseline. EDR on endpoints, email filtering, MFA on everything, conditional access, baseline monitoring.

Foundation work typically runs 60 to 120 days from signing (ideally starts before close).

Workstream 2, applications

Replacing shared parent applications with carve-out-owned equivalents.

• ERP. Often the longest lead-time workstream. Mid-market ERP implementations run 6 to 18 months. Sometimes the choice is to stay on the parent’s ERP via TSA for an extended period and deploy the new ERP after the standalone environment is stable.
• CRM and customer systems. Salesforce, HubSpot or similar, with data migration from the parent’s instance.
• HR and payroll. A new HRIS and a new payroll platform.
• Finance. Accounting system, expense management, procurement.
• Specialized tooling. Any business-specific systems the parent provided.

The application workstream is typically where TSA extensions happen. ERP carve-outs in particular often extend TSA by 6 to 12 months beyond the original plan.

Workstream 3, data

Moving the data out of the parent’s environment and into the carve-out’s.

• Historical data. Email archives, document repositories, financial history. Must be exported, reformatted and loaded into the new systems.
• Live data. Customer records, employee records, operational data. Migrated in a cutover window at the appropriate TSA exit date.
• Retention obligations. Regulatory and contractual retention requirements that travel with the data.
• Access rights. Reconstructing appropriate access controls in the new environment, not just copying the parent’s permissions.

The data workstream is where most carve-out projects underestimate effort. Parent-era data is almost always messier than documented, and the discovery work alone often takes 2 to 4 weeks per major system.

Workstream 4, cybersecurity and compliance

Building the cybersecurity program the new standalone company needs.

• Framework alignment. Usually NIST Cybersecurity Framework 2.0 for the general case.
• Regulatory posture. Industry-specific compliance regimes that applied to the parent now apply directly to the carve-out.
• Cyber insurance. New policy, new application, new broker relationship if the parent’s carrier is not willing to quote the standalone.
• Incident response plan. A standalone plan, since the parent’s plan will not apply after TSA exit.
• Documentation. Policies, procedures, evidence library. Built from scratch.

The cybersecurity workstream runs through the full carve-out timeline and becomes the foundation for the 100-day plan after close.

Timing realities

A realistic timing model for a carve-out of a 200 to 500-employee business unit from a Fortune 1000 parent:

• Pre-signing. Diligence identifies the carve-out complexity. Often the transaction terms (purchase price, TSA pricing, exit timelines) reflect the complexity the diligence surfaces.
• Signing to close. Usually 60 to 120 days. The carve-out IT plan is scoped here. Foundation workstream begins if the parent permits.
• Close to month 6. Foundation environment operational. Email cutover. Endpoint management deployed. Cybersecurity baseline in place.
• Months 3 to 12. Application migrations per TSA termination schedule. ERP implementation running in parallel.
• Months 6 to 18. Data migrations per application cutover. Final TSA exit.
• Months 12 to 24. Steady-state operation on carve-out-owned environment. Program maturity building.

Budgets for carve-out IT programs at this scale typically run $2 million to $8 million, depending on the complexity of the application stack and the size of the ERP implementation. The TSA run-rate the company is exiting usually justifies the spend, because post-close parent service pricing is almost always materially above market.

Where the MSP fits

In most carve-outs, the new standalone company does not build an in-house IT organization comparable to what the parent provided. A smaller in-house team (2 to 8 people, depending on scale) handles business relationships, vendor management and escalation, and an MSP operates the day-to-day IT and cybersecurity functions under a managed services contract.

The MSP role in a carve-out is unusually demanding for a few reasons.

• Pace. The TSA exit dates drive the timeline. The MSP is operating at project velocity for the full carve-out period, not at steady-state velocity.
• Scope breadth. Every layer (endpoints, network, identity, security, cloud, applications) has to be stood up, documented and operated.
• Stakeholder complexity. The sponsor, the in-house CIO or IT director, the parent’s corporate IT, the business leadership and multiple vendors all have opinions and constraints.
• Reporting cadence. Sponsors expect monthly reporting on carve-out progress, with TSA exit tracking and post-close cybersecurity posture both visible.

A carve-out MSP engagement looks different than a typical managed services contract. The engagement model, the staffing, the project management and the reporting rhythm are all calibrated to the transaction rather than to an IT-operations run rate.

Where we fit

We support a lower-middle-market PE portfolio company we carved out from its publicly-traded industrial-services parent operator, building the standalone IT and cybersecurity environment, operating as the post-close MSP and producing the reporting cadence sponsors expect. The engagement includes all four workstreams and extends through TSA exit into steady-state operation.

For sponsors evaluating a carve-out transaction, or for operating partners scoping the post-close IT program for an add-on acquisition that involves carve-out complexity, the IT workstream is usually the largest single post-close project and the most important to get right. Under-scoping it is the most common way a carve-out transaction misses its modeled returns.

If you are a sponsor, operating partner or carve-out CFO scoping the IT workstream for a Fortune 1000 carve-out transaction, schedule a discovery call. We can walk through the specific deal profile, TSA structure and post-close environment requirements.