Hedge Your Bets: The Importance of IT Risk Management in M&A

A Lot to Consider

Information & technology (IT) is a critical component in achieving an M&A strategy; without effective IT risk management, the value of the deal could be threatened or even eroded. IT risk management is a multi-disciplinary undertaking, and covers a variety of functional domains—ranging from data protection to change management. (See “Common IT Risk Management Areas” below) It is also a multi-faceted and complex undertaking that also entails consideration of a wide array of compliance requirements. As such, in a business environment with increasing emphasis on regulatory compliance, the role of IT risk management becomes more important as an enabler of the M&A strategy.

Often, many organizations need to demonstrate compliance with several overlapping requirements. A large financial company may need to meet Sarbanes-Oxley (SOX), Gramm-Leach-Bliley Act (GLBA), Payment Card Industry data security standard (PCI), Health Insurance Portability and Accountability Act (HIPAA), and other mandates such as those from the Federal Financial Institutions Examination Counsil, Office of the Comptroller of the Currency, and Federal Trade Commission; a global transportation company may need to meet SOX, HIPAA, PCI, FTC, and European Union and Asia-Pacific Economic Cooperation data protection requirements. The effort to meet these regulations often further complicates the efforts required to identify an approach and develop a strategy to mitigate risks when consolidating or separating companies.

Although many of these regulations address similar requirements such as data protection, access controls, transaction auditing, data availability and system monitoring; compliance with one set of regulations does not necessarily translate into compliance with another. The specifics of each set of regulations must be carefully evaluated.

Furthermore, international M&A transactions are likely to be much more complex than domestic transactions. In international transactions, companies must not only consider the regulatory compliance concerns noted above; they must also take into account the potential risks to corporate risk governance, employee data rights, customer data expectations, cross-border data flow, as well as the risk and compliance culture of the home countries of all entities involved in the M&A transaction. Failure to adequately address these factors could scuttle the transaction.

In this complex risk environment, it is clear that IT risk management must be effectively implemented to effectively address the myriad legal, regulatory, contract, and compliance requirements; otherwise, IT risk issues left unaddressed could fundamentally affect the overall M&A strategy and desired value creation.

Is the Loss of Business Value Real?

Based on Deloitte’s experience with M&A transactions, when IT risks, especially those risks that are compliance-driven, are not fully addressed, they can completely undermine the expected value creation of an M&A transaction. Generally, IT risk tends to impact M&A deal value in four primary areas: IT cost, EBITDA, technology, and regulatory and governance.

Examples of common IT risk issues that can have a serious negative impact on M&A transactions include:

• Inevitable technology changes occur with disparate systems in combined entities and often create system consolidation delays and increase the security and compliance risks with the existing systems
• The combined entity creates a new state, federal, and/or global jurisdiction operating footprint that often faces potential regulatory and financial risk from the possible compromise of personally identifiable information (PII)
• The listing of IT assets assumed to be acquired during the financial due diligence process does not reconcile with detailed IT-listed assets, which results in lost value transfer
• Unclear legal rights over existing key applications and information often inhibits integration and/or separation of IT systems
• Sensitive information cannot be identified and located, which impedes, and can completely halt, application and system integration and/or isolation
• The merged entities have disparate access management systems, but they have a need for immediate access to information, which often results in poorly consolidated systems that lead to segregation of duty conflicts and improper data access
• Hidden liabilities in licenses and third-party contracts results in lost value and increased legal costs
• Dated technology prevents customization and leads to lost business agility, opportunity and value

So, what is needed to minimize these types of risks from compromising an M&A transaction?

The IT Risk Management Framework

To mitigate the risks described above, M&A due diligance teams should incorporate a comprehensive IT risk management framework and readiness diagnostic into their planning and implementation efforts.

A sound IT risk management framework and readiness diagnostic has several key qualities. First, it is structured, risk-focused, and customizeable to cover small and large organizations. Next, it helps in the translation of information protection and technology issues into business risk impacts that will affect the overall M&A transaction. Finally, it helps address industry standards and regulatory requirements for each of the IT risk areas higlighted earlier in this paper.

The IT risk management framework and readiness diagnostic can be organized around five core components — integrated requirements, technology assessment, information assessment, business assessment, and risk quantification.

Integrated requirements establish the required IT risk management practices to be assessed during the M&A transaction. Assessment practices and criteria are established by identifying and aligning the applicable IT risk-related business requirements for each of the common IT risk management areas (see above). These should include:

• Industry common practices (e.g. International Organization for Standardization (ISO) 27002, COBIT 4.1, Information Technology Infrastructure Library (ITIL), American Institute of Certified Public Accountant’s (AICPA) Generally Accepted Privacy Practices, etc.)
• Laws and regulations (e.g. GLBA, HIPAA, EU Privacy Directive, CA SB1386, FTC Standards for Safeguarding Customer Information, etc.)
• Industry standards (e.g. PCI Data Security Standard, BITS, etc.)
• Acquiring and acquired organizations’ internal IT risk-related policies and standards for each of the common IT risk management areas previously mentioned

This particular IT risk management component is especially benefical to those organizations that worry about compliance such as How does the “new” operating structure comply with SOX quickly?’ By establishing and evaluating integrated requirements early in the IT due diligence process, the acquiring organization should have already identified the SOX related requirements and their impact on the other organization’s operations. Once the M&A transaction has been executed, the acquiring organization should be able to quickly apply their SOX control framework to the acquired organization and assimilate the various reporting entities into the new organization’s compliance testing and reporting process.

A Framework for Value Protection The technology assessment considers core technology development, licensing and integration issues. Generally, this assessment will consider:

• Technology software and infrastructure vulnerabilities that may affect service levels
• Capacity and scalability of key systems to satisfy business requirements
• System backup and power issues that may cause business disruptions
• Unsupported systems and code
• Vendor-owned source code that is not available for changes
• Vendor service-level adequacy
• Non-favorable clauses in vendor agreements that would be affected by change in ownership
• Termination of key employees
• Loss of quality resources required for integration efforts
• Legal rights to existing key applications
• Source code that is not in escrow
• Hidden liabilities in licenses and support contracts

The information assessment considers sensitive data-handling requirements and how well data is protected. Generally, this assessment will consider:

• Systems and data accessible by unauthorized users and how unauthorized access to such data can affect the company’s brand and reputation
• Authorization, development, and approval processes for the records program
• Privacy, intellectual property, and other sensitive information collection, usage, storage and complaints-handling processes
• Third party contractual arrangement adequacy for addressing sensitive information handling

The business assessment considers technology strategy alignment with the business, business process control integrity & automation, and governance & compliance matters. Generally, this assessment will consider:

• IT strategy that is not aligned with the current and future business requirements
• Current systems that are not suitable for business requirements
• Inefficient manual work-around procedures that are required to operate the business
• Level of system automation that does not match the level disclosed by management
• Recently-integrated business systems that have internal control integrity issues
• Internal controls and SOX 404 issues that will impact regulatory compliance
• Insufficient governance of IT system projects that could result in hidden future IT costs or write down of IT assets due to inappropriate system development

The risk quantification translates identified IT risks into financial impact statements and helps prioritize them for consideration in the final M&A transaction decision.

Today’s risk and compliance environment compels organizations that are developing M&A strategies to integrate IT risk management into their M&A planning and implementation processes. Left unaddressed, IT risk issues can fundamentally affect the overall M&A strategy and desired value creation. A properly structured IT risk management framework and readiness diagnostic can provide practical insights into the information and technology risk issues. Including IT risk management from the outset can make the M&A picture complete, rather than an unfinished puzzle. ##

Bill Kobel(bkobel@deloitte.com) is a Principal and John Gimpert (jgimpert@deloitte.com) is a Partnerwith Deloitte & Touche LLP.

This publication contains general information only and is based on the experiences and research of Deloitte practitioners. Deloitte is not, by means of this publication, rendering business, financial, investment, or other professional advice or services. This publication is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte, its affiliates, and related entities shall not be responsible for any loss sustained by any person who relies on this publication.

As used in this document, “Deloitte” means Deloitte Consulting LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.