Aujas US

An IDG Ventures Company

Information Risk Management and M+As Part 2

M+A and business data accessPart 2 Implications- Unavailability of business critical applications preventing access to business data.

Approach

Organizations undergoing merger face challenges during integration in managing costs and risks and in providing long-term business value. Failure to address risks and appropriate control around IT security may escalate costs and incur higher risks.

To ensure that organizations achieve the maximum benefit during systems integration, an effective approach is to:

  • Involve IT security, audit and compliance professionals early in the integration planning along with the business owners. Our experience is that this generally a reactive effort.
  • Create an Integration team that involves people with prior M&A experience working closely with the IT Integration, IT Security and Compliance teams.
  • Focus early on IT security, risk and control along with IT integration to save cost and time while minimizing risk.

The multidisciplinary team will be better equipped to make informed decisions and move towards realistic targets of integrating people, processes and technology and minimize risk.

Though from an SOX compliance perspective , the SEC does allow organizations acquiring a company to take advantage of a one-year waiver to assess the internal control of the acquiring company, early focus on compliance while integrating IT systems, processes and people will help the combined entity to reduce the cost of compliance and minimize risk.

For the four challenges identified above, this is our approach:

1.      To address compliance requirements and establish effective and efficient internal control and risk environment for the combined entity 

  • Identify key risk and control owners for the combined entity.
  • Engage experienced finance and audit personnel for maintaining compliance during transition
  • Perform a top-down risk assessment to identify the risk profile of the combined entity and gaps existing in the risk and control environment
  • Develop a remediation work stream to fix deficiencies
  • Determine which entity’s compliance processes are the most efficient, or what needs to be modified to form a new compliance process
  • As units, functions, geographies, and processes merge, remove redundant controls, while keeping key controls to address the risks
  • Develop risk-based test plans that direct effort and resources to the controls that are related to the highest levels of risks

 

2.      To manage access rights for employees, customers, affiliates and third parties in an integrated environment

From an access management perspective, a merger brings multiple users, applications and legacy systems to be integrated for simple, faster and secure access to data. During a merger, various applications are consolidated, restructured or rebuilt and managing appropriate access to the information resource is a challenge. Security issues related to unauthorized access to data, information leakage, and regulatory requirements for protecting privacy of personnel information, need appropriate access management:

  • Inventory all regulatory requirements for access control and normalize them to get the common regulatory requirements for data access
  • Derive access policy for employees, customers, affiliates, and third parties for the combined entity
  • Identify all the applications that need to be consolidated on Day One (e.g., ERP, email system, customer portal, payroll) and the access requirements for the data in the respective applications
  • Ensure a common account termination process is in place as rogue accounts pose serious risks to business data
  • Plan and implement the unified strategy for the combined entity for data access during transition and after Day One

 

3.      Addressing privacy requirements of the combined entity 

  • Develop an integrated privacy compliance strategy for the combined entity
  • Evaluate business processes for potential high risk privacy areas
  • Develop and implement the privacy program strategy, components, policies, standards and procedures
  • Design and establish a privacy organization to govern privacy program operations
  • Develop and deploy a set of rationalized privacy controls and privacy operational processes
  • Establish privacy training, communication and awareness processes

 

4.      To manage business continuity during transition phase while integrating different IT systems, operations and people  

  • Identify the business critical applications and data for both the entities
  • Develop change control and fallback procedures for the business critical applications
  • Create an incident response plan
  • Identify people involved in change management, incident response and emergency changes and ensure their availability as per the plan with contact details.
  • Develop a communication plan

 Conclusion

In today’s environment of public scrutiny, companies cannot afford non-compliance with privacy and regulatory requirements, nor to have an event because of inappropriate access. While some companies have included compliance in their 10K as a key risk after M&A transactions, there are ways to avoid public scrutiny and minimize risk of non-compliance.

So, how do you know that the M&A process includes all the right steps to address Compliance, Risk and IT Security?

  • Plan early
  • Execute as standard post-merger integration activities
  • Address all components of Risk, Security and Control
  • Monitor and evaluate throughout the process
Advertisements

November 22, 2010 Posted by | Mergers and Acquisitions | , , | Leave a comment

Information Risk Management Concerns in Merger & Acquisition – A Point of View

Integrating Risk, Compliance and Security Components into the Post-Merger Integration Process

M+AOver last few years, the Merger and Acquisition space has witnessed high growth. However, as experience shows,  getting a deal executed is only half the job done. Capturing the actual value in M&A comes from appropriate and timely post-merger integration of people, operations, processes, information systems, and culture.

Historic data indicates that most M&A deals failed to realize value due to ineffective post-merger integration. This has forced companies to look at post M&A integration activity as a program with set milestones. Companies today create separate integration teams with a Project Management Office and clear reporting structure. While companies look at retaining customers and key employees, integrating finance and IT functions, and addressing tax and other operational issues, they often fail to identify and address the risk and control environment. This can affect a company’s security and internal control environment.  Appropriately addressing security, risk and control issues can save time and compliance cost while minimizing business and legal risk for the combined entity.

Key Security, Risk and Control Challenges

1.       How to address compliance requirements and create an effective risk and control environment

When two companies merge, their separate compliance requirements need to be integrated. With different structures, processes, geographies and separate applicability, it becomes difficult to remain compliant, especially during post-merger integration.  Further, the risk profile of the merged entity might be different from the pre-merger entities, as there are significant changes in materiality, processes, supporting technology, and control owners.

Implications- Non compliance, ineffective and inefficient internal audit functions, lack of key risk and control owners, and a higher cost of compliance are some of the common implications.

2.       How to manage access rights for employees, customers, affiliates and third parties in an integrated environment

Mergers bring new users, applications and legacy systems to be integrated for simple, faster and secure access to data.  Therefore managing appropriate access to data is critical from both risk and compliance perspectives.  Inappropriate access to confidential data can lead to information leakage and loss in competitiveness along with non –compliance penalties.

Implications- Failure to manage access rights to business critical applications and data can lead to a) Unauthorized access to critical business data; b) No access to authorized users; c) Excess privileges to some/all users; d) Fewer privileges to authorized user; e) Operational ineffectiveness due to inappropriate access management.

3.       How to address privacy requirements of the combined entity

Two companies storing Personally Identifiable Information (PII) for employees, business partners and customers are managed through separate privacy programs, processes and systems. 

Implications– Disclosure of private information to unauthorized users can lead to regulatory and legal implications.

4.       How to manage business continuity during transition phase while integrating different IT systems, operations and people

Consolidating ERP, CRM, and other business, combining complex infrastructures of two organizations and changing how people access organization data and critical business applications warrants a robust and updated business continuity plan for recovery and continuity in the event of any disaster or malfunction of IT system or access infrastructure.

Implications- Unavailability of business critical applications preventing access to business data.

Next Week – Part 2 – Approach

November 15, 2010 Posted by | identity and access management, IT security, Mergers and Acquisitions, Risk management | , , , , | Leave a comment