April 14, 2011
GRCS – Volume 1, Issue 1
There is an “S” in M&A
“Part 1 of Series”
During the chaos of a merger, acquisition, or divestiture, the organization’s security tends to be compromised or forgotten about. Too often the focus of merging business practices and the consolidation of the IT infrastructure fails to account for the importance of security within that process.
In September of 2004 a company purchased a data mining company. During the merger integration process, about 32,000 customer accounts were stolen. A newspaper in Virginia reported a leak involving a bank merger where 1000 customer online bill paying accounts were made accessible to other customers. Numerous other examples occur that don’t often reach the media, but there are a vast amount of touchpoints that make security especially important during these important transition phases.
In addition to the reasons listed above, security should be front and center during the pre- and post-merger phases for the following:
Failure to set the strategy and ground rules, which will result in loss of control. Establishing what needs to happen should be accomplished prior to the closing of the deal, and it should be treated as a condition of sale.
Integration of IT and security should be part of the due diligence work involved to not only assess the existing security but to take control of it throughout the integration or divestiture process. Because many companies, unfortunately, do not seize the opportunity to build security into the project plan of the integration of divestiture, there is no proper control over access rights within the project team or by the company’s employees. The loss of focus may lead to two different security philosophies, and the delta of which exposes the firm to risk by malice or neglect.
Failure to budget for security-related efforts mean the work will not get done.
Oftentimes mergers, acquisitions, and divestitures will invest in external auditors to ensure that the organization is compliant and secure. These auditors will look for obvious red flags and identify them to management if it is part of their checklist. Generally, that’s money well spent to ensure that the transition has no flaws. However, lost in this exercise is the lack of oversight to ensure that security is tight throughout the transition.
Inconsistency of access rights may develop. It becomes almost a cliché in today’s corporate environment but frequently there become inconsistencies in access following an integration.
As a result, some users have more access in, say, the target company versus the acquirer. This lack of consistency can result in unnecessary segregation of duties violations and the greater potential for fraud. There are also hidden costs in additional audit expenses and overhead necessary to support additional monitoring controls.
Lack of personnel and infrastructure to support security, especially with divestitures, diverting attention to having control.
One company was being divested from a parent company and did not have any segregation of duties monitoring tools in place, and had one administrative support person in charge of security. Policies were dictated by the parent corporation and there was no infrastructure to sustain the strategic decision making in place. The lack of internal controls put the company at risk, and there was no budget in place to address this. Putting this infrastructure in place prior to a divestiture would have solved the potential risks of employee fraud.
Accounting for the types of personal data in multiple systems.
This concept, which should be manifest and widely understood by all, details the importance of security. Employee Social Security numbers, credit card information, personnel files, salary information, and proprietary customer information is stored in both systems that will be integrated. Information could be breached by disgruntled employees, competitors, or criminals, but it is triggered often by the careless handling of information or the lack of overall strategy.
Accounting for this information in advance and building it into the overall strategy and security plan can greatly mitigate the risk that this information will go into the wrong hands.
Failure to miss the opportunity that the IT security organization provides a wealth of organizational data.
The security organization lets know who has access to what, and sometimes they may even have information on who has used what. In conjunction with the company’s history of transactional or master data, organizations can consolidate and dissect these pieces to build a more cohesive future state that not only contains consistent security practices, but allows decision makers drive business reorganization and cost consolidation efforts.
Many opportunities are avoided for numerous reasons, and a key root cause of which often is a lack of cross-functional applied knowledge.
How can boltonconsulting help?
We can provide clarity in what is often an opaque world of information by engaging the right resources and building bridges between departments.
Building a security roadmap.
We can help construct a security strategy during the pre- or post-merger phases that are integrated with the M&A team to deliver results. By using our proprietary methodology we can not only help protect the assets of the company but also make security an integral part of the M&A process.
Integrating our security with the M&A team.
The M&A team can use the IT and security resources to their advantage in laying the foundation for an efficient and secure future state.
Incorporating best business practices and lay the foundation for improved business processes.
boltongroup brings in resources with years of experience that understand both business and IT best practices. This can lay the groundwork for future improvements in a well-integrated team.
Providing experts with depth of experience.
Clients unwittingly pay for inexperienced staff requiring training on the job in many implementations. boltonconsulting brings in-house experts with years of experience that can quickly step in and get the job done.
Using boltonconsulting can help give your organization the big picture and the confidence that comes with increased knowledge of business practices, controls, and risks to help prevent and detect any internal and external threats. Find out from us how your organization can benefit.
If you are interested or need additional information please feel free to call us at 404.228.4280 or email us at boltonconsulting@boltongroup.com.
boltonconsulting
boltonconsulting is an Accounting, Finance & IT professional services firm focused on assisting clients through major c-level strategic initiatives and individual project based services. We work with visionary CFO organization business leaders on tackling opportunities, challenges and items never encountered before. Innovative and proven solutions allow us to assist our client in transforming their business.
boltonconsulting goal is to assist our clients from not having to ask “Are we there yet?” We strive to assist our clients in their journey by working closely with them on designing, managing and executing lasting beneficial innovation and transformation.
For an in-depth consultation and an opportunity to learn how boltonconsulting can assist your organization in addressing Enterprise Wide Security Strategy, please contact Michael Dunne, President / Managing Director, boltonconsulting at 678.539.4793 or Brian Ziegler, Practice Director / Governance, Compliance, Risk & Security, boltonconsulting at (404) 228-4280 ext. 1011.
______________________________________________________________________________
Michael Dunne
President / Managing Director
boltonconsulting
Michael Dunne serves as President / Managing Director for boltonconsulting, with more than 15+ years of diversified industry experience in mergers and acquisitions; turnarounds and restructurings; business process improvement; system integrations; the design and implementation of operational and technological infrastructures; and project management. Prior to joining boltonconsulting, Michael consulted with one the world’s largest general use car rental brands, assisting them through numerous strategic acquisitions and initiatives. One of the acquisitions, Michael was instrumental in assisting a struggling national car rental brand through the bankruptcy process which was eventually sold through the 363 bankruptcy process. Prior to his rental car experience, Michael served as a Practice Director of Business & Technology for Accretive Solutions, a national consulting firm. During his tenure at Accretive Solutions, Michael was part of the Shared Services integration leadership team for a Fortune 150 energy company, which made two simultaneous acquisitions in January of 2007. The total purchase price was approximately $2 billion and included a 100,000 bpd refinery, four pipelines, one terminal and approximately 500 convenience stores. The two transactions included the integration, the development of the new combined company structure, and the development of a long-term strategic plan for all of the shared services areas. Immediately prior to joining Accretive Solutions, Michael served as CEO/President of a mid-sized transportation and logistics company for seven years. He led the company through 15+ acquisitions and grew the company to one of the largest within Central and South Texas and facilitated the sale in 2006. He has also held positions as Corporate Controller and Director of Customer Accounting for a publicly held financial services company. Earlier in his career, Michael was with Arthur Andersen in various audit and consulting roles, and oversaw projects including process and financial analysis; national and international mergers and acquisitions; and the conversions of financial accounting systems.
Michael holds a Bachelor of Business Administration in Accounting and Finance from St. Mary’s University and a Finance Certification from Southern Methodist University.
Brian Ziegler
Practice Director – Governance, Risk, Compliance and Security
boltonconsulting
Brian Ziegler brings over fourteen years of experience in business process transformation, data analysis, and evaluating appropriate and effective controls. He spent seven years working for a manufacturing company, spending his first three years in business, profitability analysis, sales support, and advertising. Next, he worked on an international SAP implementation, working with manufacturing personnel in four European countries on the shop floor in sales and distribution, security, and the design of global profitability analysis standards. Afterwards, he worked for Accenture’s consulting workforce, implementing security models and developing internal controls for Accenture internally following Sarbanes-Oxley initiatives, as well as for manufacturing, financial services, and pharmaceutical clients. His next project was working as an hourly contractor for Accretive Solutions, where he transformed the security model for an oil and gas company, in the process developing a governance and monitoring organization with strong internal controls that moved responsibility for IT and the business. He then went on to work as an independent contractor for recommending best practices for a food processing company, an insurance company, and built a security model for a manufacturing company. In addition he has had experience in building project plans, developing strategies, and leading process redesign efforts that lead to increased efficiencies and risk reduction. Brian combines technological innovation with hands-on business process understanding to add value to a multitude of a number of large and medium-sized businesses on a strategic and tactical level.
He has a bachelor of business administration degree from the University of Wisconsin-Whitewater in 1992 and a master of business administration degree from College of William and Mary in 1997.
About b 