Organizations undergoing merger face challenges during integration in managing costs and risks and in providing long-term business value. Failure to address risks and appropriate control around IT security may escalate costs and incur higher risks.
To ensure that organizations achieve the maximum benefit during systems integration, an effective approach is to:
- Involve IT security, audit and compliance professionals early in the integration planning along with the business owners. Our experience is that this generally a reactive effort.
- Create an Integration team that involves people with prior M&A experience working closely with the IT Integration, IT Security and Compliance teams.
- Focus early on IT security, risk and control along with IT integration to save cost and time while minimizing risk.
The multidisciplinary team will be better equipped to make informed decisions and move towards realistic targets of integrating people, processes and technology and minimize risk.
Though from an SOX compliance perspective , the SEC does allow organizations acquiring a company to take advantage of a one-year waiver to assess the internal control of the acquiring company, early focus on compliance while integrating IT systems, processes and people will help the combined entity to reduce the cost of compliance and minimize risk.
For the four challenges identified above, this is our approach:
1. To address compliance requirements and establish effective and efficient internal control and risk environment for the combined entity
- Identify key risk and control owners for the combined entity.
- Engage experienced finance and audit personnel for maintaining compliance during transition
- Perform a top-down risk assessment to identify the risk profile of the combined entity and gaps existing in the risk and control environment
- Develop a remediation work stream to fix deficiencies
- Determine which entity’s compliance processes are the most efficient, or what needs to be modified to form a new compliance process
- As units, functions, geographies, and processes merge, remove redundant controls, while keeping key controls to address the risks
- Develop risk-based test plans that direct effort and resources to the controls that are related to the highest levels of risks
2. To manage access rights for employees, customers, affiliates and third parties in an integrated environment
From an access management perspective, a merger brings multiple users, applications and legacy systems to be integrated for simple, faster and secure access to data. During a merger, various applications are consolidated, restructured or rebuilt and managing appropriate access to the information resource is a challenge. Security issues related to unauthorized access to data, information leakage, and regulatory requirements for protecting privacy of personnel information, need appropriate access management:
- Inventory all regulatory requirements for access control and normalize them to get the common regulatory requirements for data access
- Derive access policy for employees, customers, affiliates, and third parties for the combined entity
- Identify all the applications that need to be consolidated on Day One (e.g., ERP, email system, customer portal, payroll) and the access requirements for the data in the respective applications
- Ensure a common account termination process is in place as rogue accounts pose serious risks to business data
- Plan and implement the unified strategy for the combined entity for data access during transition and after Day One
3. Addressing privacy requirements of the combined entity
- Develop an integrated privacy compliance strategy for the combined entity
- Evaluate business processes for potential high risk privacy areas
- Develop and implement the privacy program strategy, components, policies, standards and procedures
- Design and establish a privacy organization to govern privacy program operations
- Develop and deploy a set of rationalized privacy controls and privacy operational processes
- Establish privacy training, communication and awareness processes
4. To manage business continuity during transition phase while integrating different IT systems, operations and people
- Identify the business critical applications and data for both the entities
- Develop change control and fallback procedures for the business critical applications
- Create an incident response plan
- Identify people involved in change management, incident response and emergency changes and ensure their availability as per the plan with contact details.
- Develop a communication plan
In today’s environment of public scrutiny, companies cannot afford non-compliance with privacy and regulatory requirements, nor to have an event because of inappropriate access. While some companies have included compliance in their 10K as a key risk after M&A transactions, there are ways to avoid public scrutiny and minimize risk of non-compliance.
So, how do you know that the M&A process includes all the right steps to address Compliance, Risk and IT Security?
- Plan early
- Execute as standard post-merger integration activities
- Address all components of Risk, Security and Control
- Monitor and evaluate throughout the process