Acquisition/Merger Time?

There are more mergers and acquisitions showing up in the news.

What are the top actions that organizations need to take to increase the probability that the joining of two or more organizations will be successful?  Where do you start once you get the deal on paper?  How much of those activities should have started before the official joining of the organizations?  I guess I am asking (myself) what needs to be done and in what order?

I think that it really depends on how much of the acquiring organization will be used versus how much of the acquired organization will be used.  Having a small sample size of experience (one “merger of equals”, three acquisitions) I have some thoughts on what needs to be considered no matter what.  This is especially true in highly regulated businesses.

A clear path for three major areas needs to be developed and communicated:

  1. Identify which parts of the business may change regulators;
  2. Identify who will lead the audit function and which external auditor will be used; and,
  3. Identify the path to a unified risk management process.

The first two are straightforward; the last is more complex.  The blending or conversion of systems is generally understood because the systems are currently running and, one hopes, well documented.  All of the user documentation represents what is actually happening.  What is often lost is where to start with the risk management process, especially in the information security space.

Start with a unified security policy.  This is more than just general statements; it is a comprehensive view of what needs to be used as changes are made to the underlying systems.  That policy needs to be influenced by who your regulators will be, which regulations apply to which parts of the business, your technology infrastructure, and the strength of the current organizations.  If you start with a solid, comprehensive security policy, you may avoid problems as you combine the organizations.

Just what is a security policy?  I think that it consists of several layers.  Having a detailed policy available as changes are being made can prevent many problems.

| Layer | Description | Example |
|---|---|---|
| Policy | General statements | Every user will have a unique User Id. |
| Standard | More specifics about how to meet the Policy | A User Id will consist of the individual’s initials and a non-duplicate, randomly generated number |
| Requirements | Defines how the Standard will be implemented on specific operating environments | Top Secret will be used to manage the creation and management of User Ids on Mainframe environments |

Well, that's all nice and good, but how do you go about creating this policy?  I think there are products and services out there that possibly can.  Given the complexity of highly regulated businesses, they can combine the existing policies, the regulatory environment, the diverse operating environments that exist in complex organizations, and other non-technical requirements that can influence decisions.  What makes these products and services is their ability to utilize AI to do much of the heavy lifting.

My observations are not the answer, but a starting point for the organizations to prepare for the merger of activities.