Mitigating risk in IT integration post merger or acquisition

2016 has already seen the media awash with speculation as to what the biggest business deals of the year will be. Mergers and acquisitions (M&A) are apparently the top choices – but why? It’s simple. M&A are widely seen by big companies as a quick way to import innovation. With start-ups and entrepreneurs continuing to disrupt industries around the globe, innovation is the Holy Grail for established players if they want to maintain their market position, and keep ahead of increasingly diverse competition. And it’s the big companies that either have the cash reserves or are able to leverage low interest rates to explore M&A opportunities.

Creating a higher cumulative shareholder return is an obvious focus for shareholders and executives in any M&A deal. However, this will only come if the acquirer is able to realize synergies from both organizations to its benefit. The acquirer wants to expand its intellectual property, product portfolio, customer base or geographic reach, and ultimately increase its revenue potential. The idea is that functional consolidation will increase efficiency, enhance purchasing power and reduce overheads.

But does this actually happen?

According to a L.E.K. Consulting study which analyzed the performance of more than 2,500 M&A deals between 1993 and 2010, nearly 60 percent of companies ended up destroying, rather than creating shareholder value when they merged with, or acquired, another organization. The 40 percent of companies who DID manage to create shareholder value had a strong focus on integration planning and execution. This enabled them them to combine the organizations at speed. Companies who failed to integrate quickly after a deal closed were much more likely to destroy shareholder value.

So if the speed of IT integration is the secret sauce in M&A success, you would think this would be a focus throughout the M&A process. Actually, this is not the case. In fact, companies have big differences in preparedness. Some view IT integration as an ad-hoc event and do very little pre-planning; others companies have dedicated teams and processes in place as well as framework agreements with key suppliers enabling them to quickly scale up resources, capabilities and geographic reach during the execution of the integration activities.

So what do companies need to look out for when embarking on an integration project? I would suggest that two key elements to consider are mitigating risk and building in agility.

Understanding the risks associated with IT integration is an obvious consideration for any M&A project – but unfortunately one that too often is ignored. The most important rule here is to enter with your eyes wide open. As an acquirer you will want to know for certain that your target company is secure. Has it been breached – and no-one noticed? Are staff PCs harbouring unnoticed Advanced Persistent Threats? Organizations want to avoid integrating Trojan Horses along with core systems, so it is critical that before IT environments are combined, a cyber-espionage health check is performed. If security vulnerabilities are detected, these must be remediated before any IT integration can take place.

Additionally, risk management needs to account for corporate culture. One company may provide its employees with a completely locked down Windows laptop, whereas another may allow users to work on their own notebook, with full administrative rights. Before any IT integration activity takes place, security policies need to be thoroughly examined and compared for differences. Performing a baseline security assessment will provide good insight into potential gaps that need to be closed.

A third challenge to protecting information is, of course, knowing what information is present, and where it is stored. You need to understand what you will need to protect (intellectual property, trade secrets, contracts, confidential customer information, consumer PII, credit card data, etc.) as well as how such information is classified. There are legal restrictions around how some information can be used – for example, healthcare records, credit card information, military classified information or even NATO security-cleared construction site plans. So when looking to integrate data storage systems, it is important to find out whether classification schemes are present and properly used, and if they can be aligned between both organizations. Integrating different IT environments may break internal data classification, segregation and authorization schemes. Before integration begins, it is important to develop or adapt models to ensure that valuable data continues to be safeguarded according to all relevant policies and regulations.

It is also a fact that public announcements about M&A attract high attention from hackers. So the next step in any M&A IT integration is to look at what procedures should be implemented in the event of a data breach. One interesting point to note is that although internal alarms and notifications are automatically triggered in the majority of data breaches, nobody acts upon them. This can also be a significant issue in IT Integration projects, as ‘normal’ job roles are often put to one side, meaning that alarms can go unnoticed. It’s also true that incident response requires people, resources and time to be readily available, all of which are already under heavy pressure during such large scale projects. Pulling security resources into integration projects can actually undermine security readiness. Don’t make that mistake. It is better to be prepared. If you have concerns about staffing for the integration project, make sure you identify in advance a supplier who has the expertise, scale and geographical reach required to support you.

In my next article, I’ll discuss the importance of building agility into IT systems, and how software defined networking can offer a competitive advantage.