What’s Old is New: Corporate Acquisitions are (Almost) Always Resiliency Problems
Posted August 22, 2024 by Kevin Finch
Mergers and acquisitions are a part of life in today’s business climate, even in the world of business resiliency. (Although there is some debate as to whether struggling economic times are less favorable for mergers and acquisitions overall.) They’ve also been a part of business for hundreds of years — at times they’ve even shaped the course of history. This is the fifth blog in my “What’s Old Is New” blog series.
One inescapable fact about a merger or acquisition is that you’re going to have different corporate cultures that are forced to coalesce into a single culture, and it’s been that way for decades. Naturally that will include a merger of corporate command structure, policies, and financial structures, but that’s also going to necessitate some sort of consolidation of IT infrastructure.
I have personally been a part of six or seven different mergers at various companies that I have worked at, and each one has presented its own unique set of problems (and random expenditures). In one acquisition I worked through, my company acquired 300 employees from my competitor, and I had to deal with converting over their NetWare file server and Lotus Notes to Microsoft-branded equivalents in a months-long project. Another acquisition I worked on involved a coincidental multimillion-dollar purchase of 400+ secure check form printers to meet the current bank standards. I even had to spend an entire weekend in a datacenter babysitting a cantankerous DLT tape library, re-importing data from a company that my employer had acquired.
The point is that whenever an acquisition happens, there is a need to ingest the data from the acquired company, and turn it into something that’s usable by the new parent company. Sometimes the acquisition is small enough that you can “flip a switch” and start running the acquired company on a new system, but most of the time it’s not that easy. In order to maintain relationships with previous customers and suppliers, there is usually some sort of transition time where legacy systems need to continue to be available at the acquired company.
The big problem with all of this from a resiliency point of view, however, is that these changes can put systems at risk and increase the odds of downtime. The process of converting data often brings with it the risk of losing data (whether through human error or some other cause). The process of converting file systems, databases and applications over also increases the risk of system downtime. Users need to be trained on new systems. More maintenance windows need to be scheduled, and more changes need to be made in systems. All of this activity can put stress on the ability of systems to continue to function. It’s so complex that Harvard offers a course on it.
Systems are also put at risk because accommodations usually need to be made to facilitate data transfers and record conversions. Companies routinely relax security requirements or increase the number of people with privileged access to systems to remove potential roadblocks to the consolidation effort. That combination of more administrators and relaxed security can make a company twice as vulnerable to many sorts of attacks.
Resiliency Program Recommendations for Mergers and Acquisitions
I would make the following Resiliency Program recommendations to any company that finds itself in the middle of a merger or an acquisition:
1. Do Your Due Diligence – While I understand that an assessment of IT Systems and IT security protocols is not ordinarily a part of acquisition negotiations, it’s something that should definitely be examined. (Ideally, you’ll examine the supply chain too.) The cost of securing a company with poor security protocols as a part of an acquisition could add a tremendous (and potentially unexpected) expense to bringing the new company on board.
2. Perform a Gap Analysis – Once you have documented all the work that needs to be done, perform a gap analysis against the parent company policies and audit procedures, including any requirements that might come from outside regulators. You should also do a gap analysis on your Data Recovery requirements, because both companies probably bring their own set of standards and SLAs to the table. Once you have these items documented, identify the risks associated with fixing (or not fixing) any of those inconsistencies.
3. Perform a Maturity Assessment of the Resiliency Program – It’s not unusual for companies to be somewhat out of alignment with best practices in the world of resiliency, or to have somewhat immature programs in some areas. The problem with an acquisition, however, is that those misalignments from best practices tend to be different in every single company. In addition to the general gap analysis with policies and governance listed above, doing a gap analysis of the new company against Business Resilience best practices can provide much-needed clarity on areas that need improvement while the rest of the business changes coalesce. As a part of whatever cohort of projects is created to consolidate the companies, a maturity analysis of the business resiliency program is essential.
4. Stakeholder Engagement – One of the key pieces to having a successful resiliency program (regardless of which set of best practices you adhere to) is that the stakeholders in the program are identified and take an active role in ensuring the program’s success. This is especially true following some sort of merger or acquisition, because the roles of the stakeholders will almost inevitably change from what they were prior to the merger. Stakeholders need to be verified, their roles clarified, and policies updated to ensure that the Resiliency Program gets the support it needs going forward. If an effort is not made in the process of an acquisition to ensure the stability of the resiliency program, it will often founder.
5. Continuous Monitoring and Improvement – Once these wheels have been set into motion, it’s important to monitor progress towards the listed goals, particularly from the standpoint of resiliency. Monitor to ensure that policies are created, revised, and followed to ensure the success of the resiliency program. Make sure that Change Control Processes are rigorously adhered to, so as to minimize the risk of system downtime while applications and data sets are consolidated. Continually monitor any changes that were made to the information security infrastructure to make sure that temporary vulnerabilities created to ease data transfer are not being exploited.
Find yourself facing an acquisition and aren’t sure what steps to take to protect yourself in the process? Sayers is here to help. Our team has decades of experience in helping companies like yours navigate the risks associated with data conversions, corporate consolidations, and restructuring IT security.