Integrating Risk, Compliance and Security Components into the Post-Merger Integration Process

Over the last few years, the Merger and Acquisition space has witnessed high growth. However, as experience shows, getting a deal executed is only half the job done. Capturing the actual value in M&A comes from appropriate and timely post-merger integration of people, operations, processes, information systems, and culture.

Historical data indicates that most M&A deals failed to realize value due to ineffective post-merger integration. This has forced companies to look at post-M&A integration activity as a program with set milestones. Companies today create separate integration teams with a Project Management Office and a clear reporting structure. While companies look at retaining customers and key employees, integrating finance and IT functions, and addressing tax and other operational issues, they often fail to identify and address the risk and control environment. This can affect a company’s security and internal control environment. Appropriately addressing security, risk and control issues can save time and compliance cost while minimizing business and legal risk for the combined entity.

Key Security, Risk and Control Challenges

1. How to address compliance requirements and create an effective risk and control environment

When two companies merge, their separate compliance requirements need to be integrated. With different structures, processes, geographies and separate applicability, it becomes difficult to remain compliant, especially during post-merger integration. Further, the risk profile of the merged entity might be different from the pre-merger entities, as there are significant changes in materiality, processes, supporting technology, and control owners.

Implications- Non-compliance, ineffective and inefficient internal audit functions, lack of key risk and control owners, and a higher cost of compliance are some of the common implications.

2. How to manage access rights for employees, customers, affiliates and third parties in an integrated environment

Mergers bring new users, applications and legacy systems to be integrated for simple, faster and secure access to data. Therefore, managing appropriate access to data is critical from both risk and compliance perspectives. Inappropriate access to confidential data can lead to information leakage and loss in competitiveness along with non-compliance penalties.

Implications- Failure to manage access rights to business critical applications and data can lead to a) Unauthorized access to critical business data; b) No access to authorized users; c) Excess privileges to some/all users; d) Fewer privileges to authorized users; e) Operational ineffectiveness due to inappropriate access management.

3. How to address privacy requirements of the combined entity

The two companies each store Personally Identifiable Information (PII) for employees, business partners and customers, and each manages it through separate privacy programs, processes and systems.

Implications- Disclosure of private information to unauthorized users can lead to regulatory and legal implications.

4. How to manage business continuity during the transition phase while integrating different IT systems, operations and people

Consolidating ERP, CRM, and other business applications, combining the complex infrastructures of two organizations, and changing how people access organization data and critical business applications warrant a robust and updated business continuity plan for recovery and continuity in the event of any disaster or malfunction of IT systems or access infrastructure.

Implications- Unavailability of business critical applications preventing access to business data.

Next Week – Part 2 – Approach