Understanding how to assess risk during a merger, acquisition or other business combination or separation can provide insights into an organization’s true value.
Overview of M&A RIsk
Today’s volatile business environment, including the growing presence of disruptive technologies, continues to drive organizations to seek a competitive advantage through mergers and acquisitions (M&A). These business combinations seek to capitalize on synergies that an acquired organization may unlock through its superior technology, operations, and people. The success or failure of an acquisition depends on many factors, but organizations are now ensuring they have a clearer picture of risk within the target organization to understand how that risk may impact brand value in the short and long term. Information security, privacy, and compliance must now be paramount for organizations in all industries. Acquiring a company that lacks adequate controls and capabilities in those areas may jeopardize financial or reputational well-being. As due diligence requirements for organizations in the M&A space continue to evolve, we look at several techniques for evaluating target organizations that should be employed to understand risk and make value adjustments accordingly.
Understanding Risk
Any organization that targets another for a merger, acquisition, or other combination will spend significant resources to estimate the target organization’s valuation. This will include a thorough analysis of traditional metrics such as assets, liabilities, and equity. However, understanding risk is a critical input for any measure of valuation. There are many types of categories of risks that may impact a business valuation. However, as information governance continues to be a growing concern for organizations, consumers, and regulators, it is increasingly important that a thorough analysis of information risk be carried out to understand the likelihood that these negative risks are realized by the newly formed organization. Below are common risk areas that can be considered when evaluating an organization:
Data Security: Has the organization fallen victim to a data breach in the past? If so, how was the event handled and what enhancements have been made since? Understanding security controls is nonnegotiable for any acquirer.
Privacy: What types of privacy compliance obligations does the organization face, based on the markets in which it operates? How well is the business currently meeting those obligations with its current privacy program?
Data Ethics: Does the organization gain consumer trust by operating in a transparent manner? Are there practices that, if exposed, would yield a significant erosion of trust in the marketplace? A strong commitment to data ethics may be positioned as a competitive advantage as the concern over data handling practices continues to grow.
How Assess Risk in a Target Organization
Each of the risk areas in the previous section may require a different guide for assessing risks. For example, there are many well-known frameworks for assessing organizational security controls, including NIST 800-53, ISO 27002, and CIS Critical Security Controls, among many others. Leading organizations should select a comprehensive framework and perform the assessment against that framework to provide a common means to understand, assess, and report on risks. Given the impact that significant findings may have on the acquisition process, an industry standard framework can remove ambiguity in determining findings and communicating them to stakeholders. This will give greater weight to assessment results and give an indication of where the security program ranks among industry peers.
Assessors should use advanced techniques, wherever possible, to assess the risks within those frameworks. For example, performing vulnerability scans, penetration tests, and on-site or remote audits will yield more information than questionnaires, self-assessments, or documentation review. The higher upfront assessment costs may yield longer term gains by avoiding bad investments.
Certain risks around data privacy and ethics may be more ambiguous and require alternative approaches. A key first step is scoping the compliance obligations and ensuring that the organization has put in place what the applicable regulations may require. Certain frameworks, such as the NIST Privacy Framework or 800-53 rev5 include elements for assessing a privacy program but may not address specific needs for global privacy compliance. Once compliance obligations are understood and met, a larger assessment of maturity can be conducted. One risk area that requires particular attention is breach response. Even in the absence of regulatory guidance on breach response, organizations should be able to demonstrate controls that protect against breaches and a thorough breach response and remediation process for the worst-case scenario. This includes formalized roles and responsibilities, technological means to detect breaches, reporting channels and processes, and a means to incorporate lessons learned into the breach management process.
M&A Next Steps – Incorporating Risk into the Roadmap
The outcomes of the assessment activities may be used as an input in valuation, but their value and use does not end there. Identified risks must be incorporated into the integration plan so that changes can be made to people, process, and technology. There are several ways in which information security and governance risk may be rolled into the change management process:
Technology Roadmap: The integration of two technology portfolios is a significant challenge but can also present the opportunity to build in security and privacy by design from the start. Where security and privacy capabilities are deemed insufficient, new capabilities can be acquired in the natural course of upgrading, purchasing, or building new technologies.
Failure to carry forward risk assessment information into the actual merger of two distinct organizations is a shortcoming of organizational change management. It can also lead organizations to build in deficiencies from the start. While there are many priorities to manage as part of an integration, not accounting for risk remediation can increase costs in the long term.
Conclusion
As the rate of M&A activity continues to increase along with the risks of inadequate security and privacy governance, organizations must have a plan to thoroughly vet target organizations. Having a standard assessment methodology that is built on leading risk frameworks and executed by risk and compliance subject matter experts can uncover blind spots in certain areas while highlighting the value of certain existing capabilities. While data breaches may be a common and public indicator of strengths or weaknesses, underlying controls and governance practices must be solid in order to meet the growing demands in the marketplace.
Interested in talking with Myna about security and privacy for M&A? Reach out to us.