The Hidden Risk of GRC in Mergers and Acquisitions

The process of bringing two organizations together often starts between leaders. The motives vary, as do the dynamics: a large organization absorbing a smaller organization to expand its market share, or two similar organizations joining forces in order to make their mark on their industry.

The logistics are unique, but a frequent refrain for M&A (mergers and acquisitions) processes is that both sides of the transaction expect surprises along the way. Attorneys are armed with retainers and red pens. Timelines, formerly rigid, are made flexible to facilitate execution of the deal. Public relations experts are on alert, ready to guide narratives and soothe stakeholder concerns.

It isn't dissimilar to two families coming together, each with their own belongings and histories. Their own stories and proclivities. Their own unique attributes and worldviews. Where there were two homes, now there's one – do we need two couches? Which should we keep?

Those involved in the due diligence phases of an M&A process do their best to identify all material details which might impact the decision to proceed. The lion's share of the attention, of course, is on the financials – but also on the value of each party, which might be measured in anything from the size of the geography owned and/or maintained to the number of customers, the amount of investable capital, present and future receivables, or the assets under control. Whatever makes either party worthy of the agreement has to be verified and re-verified to ensure the veracity and viability of the relationship.

There is always risk, the experts will say, and all parties are ready to pull the alarm and reverse the process at the first sign of a need to step away from the table. Except, perhaps, the risk itself.

Financial audit programs gave rise to information technology audit programs more than two decades ago, but information technology and security risks are rarely given sufficient attention in M&A. If Company A, actively pursuing the purchase of Company B and its assets, had reason to believe that B had no chance of passing its next financial audit, A would be pumping the brakes – but what if B had no chance of passing its next IT audit? What if B had potentially devastating technical debt in its environment? What if B had been operating for years with a skeleton crew of professionals who operated on tribal knowledge and a staggering amount of caffeine but were one reasonable competing offer away from finding the door?

Whether it's aging network infrastructure, outdated policies and governance processes, or willful ignorance of sound risk management processes, poor GRC hygiene has as much destructive potential as ham-fisted bookkeeping. The challenge is that these conditions are often ignored or outright obfuscated in the face of purchase or divestiture.

Diligence processes must include a deep, careful analysis of the technologies, processes, and culture of both parties, viewed through the lens of risk and given due prioritization. While this adds time and resources to the process, the cost of the alternative, finding material concerns after it's too late to reverse the deal, is significantly greater.

When two houses are merged, once the move has been completed, 'I' becomes 'we' and 'mine' becomes 'ours' – including GRC risk.
