In the realm of corporate governance, non-executive directors (NEDs) play a pivotal role in ensuring effective board composition. These directors bring a wealth of experience, expertise, and independent perspectives to the table, creating a balance of power and fostering sound decision-making processes. By providing oversight, guidance, and a valuable check on executive directors, NEDs contribute to the overall governance, performance, and reputation of companies. Let’s explore the nine significant benefits of having NEDs on your company board, shedding light on their impact on decision-making, risk management, accountability, corporate governance, shareholder value, transparency, communication, reputation, and risk reduction.

1. Improved Decision-making

NEDs offer a fresh and objective viewpoint, leveraging their diverse backgrounds and expertise to enhance the decision-making process. These directors bring a wealth of knowledge and industry insights, enabling them to challenge assumptions, consider all options, and promote critical thinking. By fostering thorough discussions and debates, NEDs ensure that decisions are well-informed and aligned with the company’s strategic goals. Moreover, their role as a conduit between the board and external stakeholders allows them to provide valuable market perspectives, enriching strategic discussions with broader market insights.

Additionally, NEDs’ independent status enables them to offer constructive criticism, encouraging the board to evaluate decisions from multiple angles. This comprehensive approach to decision-making mitigates the risk of groupthink and facilitates a more robust and effective decision-making process.

2. Enhanced Risk Management

Undoubtedly, non-executive directors bring a wealth of experience in risk assessment and management, making them instrumental in identifying and mitigating risks faced by the company. Their expertise allows them to guide the board in developing risk management strategies consistent with the company’s overall strategy. By challenging existing risk frameworks and offering alternative perspectives, NEDs promote proactive risk management practices.

These directors contribute to risk reduction by leveraging their networks and industry knowledge to stay ahead of emerging risks. By thoroughly evaluating potential risks, providing guidance on risk mitigation strategies, and ensuring compliance with relevant regulations, non executive directors play a crucial role in safeguarding the company’s long-term interests. Through their independent oversight, they provide reassurance to shareholders and stakeholders that risks are being properly managed and a great board composition.

3. Increased Accountability

Non-executive directors serve as a crucial element in ensuring board accountability to shareholders and other stakeholders. Their independent status and objective perspective empower them to oversee executive actions and monitor the board’s adherence to legal and regulatory requirements. By demanding transparency and championing ethical practices, NEDs promote a culture of accountability throughout the organization.

These directors actively engage in discussions, scrutinize decision-making processes, and ensure compliance with applicable laws and regulations. By encouraging robust reporting mechanisms and monitoring the integrity of financial statements, NEDs strengthen the company’s credibility and foster trust among stakeholders.

4. Improved Corporate Governance

Non-executive directors play a pivotal role in enhancing the overall corporate governance of the company. Their presence ensures the board is properly structured and operates effectively. They advocate for clear lines of accountability and transparent decision-making processes. NEDs contribute to the establishment of effective risk management frameworks, internal controls, and ethical standards.

These directors promote the adoption of best practices in corporate governance, aligning the company’s activities with the expectations of shareholders and stakeholders. By fostering a culture of integrity, transparency, and responsible behavior, NEDs enhance the company’s reputation and create a solid foundation for sustainable growth.

5. Enhanced Shareholder Value

Companies with non-executive directors tend to experience higher shareholder returns compared to those without NEDs. The presence of independent directors who bring diverse perspectives and expertise to the board contributes to improved decision-making, effective risk management, and enhanced corporate governance. These factors collectively drive long-term performance, attracting investors and increasing shareholder value.

NEDs act as stewards of shareholder interests, ensuring that the board’s actions are aligned with the company’s strategic objectives and long-term sustainability. Their expertise in evaluating investment opportunities and challenging management proposals adds value to the decision-making process, ultimately benefiting shareholders.

6. Increased Transparency

Given a chance, non-executive directors play a vital role in increasing transparency within the company. By attending board meetings, actively participating in discussions, and asking probing questions, they ensure that information flows smoothly between the board and stakeholders. NEDs hold management accountable for accurate and transparent financial reporting, ensuring compliance with accounting standards and regulatory requirements.

Their presence contributes to the integrity of financial statements, providing assurance to shareholders and stakeholders that the company’s financial information is accurate and reliable. By championing transparency, NEDs build trust and confidence in the company’s operations, enhancing its reputation in the market.

7. Improved Communication

In their role, non-executive directors act as conduits between the board and various stakeholders, including shareholders, employees, and customers. Their independent perspective and ability to engage with different groups enable them to bridge communication gaps and foster meaningful dialogues. NEDs ensure that the board is well-informed about stakeholders’ concerns and expectations, facilitating effective decision-making that considers a broad range of perspectives.

Furthermore, NEDs promote open lines of communication within the organization, facilitating the flow of information from top management to employees and vice versa. This transparent and inclusive approach to communication fosters trust, loyalty, and engagement among employees, leading to improved organizational performance.

8. Enhanced Reputation

A company with a strong board of directors, including competent NEDs, is more likely to have a positive reputation in the market. The presence of independent directors who uphold high ethical standards and ensure responsible governance practices enhances the company’s image. Stakeholders perceive the company as trustworthy, reliable, and committed to sound corporate practices.

A positive reputation opens doors to new business opportunities, attracts top talent, and enhances customer loyalty. Moreover, a strong reputation reduces the company’s cost of capital by increasing investor confidence and making it more attractive to lenders and other financial partners.

9. Reduced Risk of Litigation

NEDs play a critical role in reducing the risk of litigation for the company. By ensuring compliance with applicable laws, regulations, and industry standards, non executive directors mitigate the risk of legal and reputational challenges. Their independent oversight contributes to the identification and management of legal risks, protecting the company from potential lawsuits and financial liabilities.

They actively participate in the establishment of robust compliance programs, ethical codes of conduct, and risk mitigation strategies. Their diligence in overseeing corporate activities minimizes the likelihood of legal disputes, protecting the company’s assets and reputation.

Are You Looking to Add Non-Executive Directors to Your Company?

Whether you are considering adding NEDs to your company board, there are a few things you need to keep in mind. First, you need to make sure that you have the right people. NEDs should have the necessary experience, expertise, and independence to be effective. Second, you need to make sure that you have a clear understanding of the role of NEDs. NEDs are not there to run the company; they are there to provide oversight and guidance. Moreover, you need to make sure that you have a process in place for selecting and appointing NEDs. This process should be fair and transparent, and it should ensure that the best possible candidates are selected.

Final Thoughts

If you are looking for NEDs or other c-level executives, you can find them online. There are a number of websites that specialize in executive search and recruiting. These websites can help you find qualified candidates who meet your specific needs.

Adding non-executive directors to your company board can be a great way to improve your company’s governance, performance, and reputation. If you are considering adding NEDs, be sure to do your research and find the right people for the job. By striking a balance between expertise and independence, you can elevate the effectiveness of your board and pave the way for long-term success.

INTRODUCTION

Having a board of directors that is packed with well-known names sounds great in theory. It is often the icing on the cake of a stellar company and a first-class management team.

However, the corporate landscape is littered with companies with top tier boards that still underwent dramatic failure. Examples also proliferate where CEOs report mediocre board performance; ‘we have a great list of directors but they do not really pull their weight or engage with us in a meaningful way. We can’t help but feel disappointed’.

This paper is designed to give board directors and key stakeholders suggestions that might be useful to maximise the performance of their boards. The seven characteristics are drawn from published research from McKinsey Consultants and the Harvard Business Review.

1. Days per year

“A mediocre investment generates a mediocre return”

One of the most obvious distinctions between weak and strong boards is annual number of days served. Does the board meet infrequently and react to proposals brought by the CEO, or is it pro-active; commissioning reports as well as getting out on the ‘shop floor’, meeting staff, customers and stakeholders?

Most of the literature agrees that given the importance of their responsibilities and their personal legal liabilities, the 10 to 12 days a year many board members spend on the job is not enough. Based on a survey of more than 770 directors from companies and non-profit organizations around the world, McKinsey have identified three categories of board effectiveness¹:

• Low Impact
• Moderate Impact
• High Performance

The McKinsey research suggests that the distinction between higher and lower impact turns on the breadth of issues discussed and the time dedicated to them.

In addition to the extra days, High Impact boards had a richer set of priorities. These included regular performance & talent management, as well as extended discussions on strategy, business risk and investment analysis.

TABLE 1 – Annual number of days invested by board members

The McKinsey research showed that High Performance boards are not only more effective, but also more satisfied with their work.

Addressing the issue of mission creep, and whether High Performance boards strayed beyond their remit and into management the report suggested;

“CEOs need not fear that a more engaged board may constrain their prerogative to set a company’s direction. Highly committed boards are not spending the extra time supplanting management’s role in developing strategic options. Rather, they are building a better understanding of their companies and industries, while helping senior teams to stress-test strategies and then reallocate resources to support them.

Some CEOs find that task to be lonely and difficult when they face internal “barons” who protect their fiefs. In short, engaged boards can still be supportive of management”².

2. An explicit commitment to excellence

“For commitments to be real they need to be explicit”

If the board decides to aspire to become ‘High Performing’, this aspiration will only be turned into reality if everyone agrees to consistently bring their A-team performance to the board. No one coasts or is passive. When things go wrong, no one hides behind ‘collective decision-making’ or attempts to ‘pass the buck’. Everyone owns responsibility and agrees to a culture of excellence. Once this is agreed, there should be no turning back.

Regular reviews and accountability are important to ensure the aspiration is transformed into an ongoing reality. This means annual board evaluations. An objective 360-degree review, built on personal interviews (ideally managed by an independent external assessor), is generally a much better option than a box ticking self-evaluation.

3. Increase directors’ exposure to the business

“Do you truly understand what you are managing?”

If you don’t understand your business, you are quite likely to make errors of judgement. In a survey 25% of CEOs reported that board members did not appreciate the complexity of the businesses they oversaw. Boards seeking a constructive, forward looking role must have real knowledge of their companies’ operations, markets and competitors.

Theranos, the $9 billion-dollar blood test company which infamously collapsed as a fraud in 2018 did so partly because its board, although intelligent and representing many of the senior echelons of government, finance and business, were not qualified to understand the basic essentials of blood testing technology.

Similarly in the explosion of the derivatives markets in the 1990s most directors on the boards of banks did not have mathematical skills to understand the more complex products that their huge new profits were so dependent on. One experienced international banker described them as being quite frankly ‘very amateur’ in this respect3.

If there are gaps recruit new directors with the relevant missing skills. If the board is already full, consider establishing Advisory Boards (without formal governance authority) with additional people with the relevant skills.

To supplement industry experience, a pro-active board will develop a programme throughout the year of members visiting the site, meeting key stakeholders and projects.

4. Clear delineation between the board and management

“Agree in advance who does what”

A written protocol should be created to set out the roles of the board one the one hand, and the CEO and senior management on the other. This will mitigate the risk of conflict and help engender trust and mutual respect. Some elements of this may include;

4.1 A written protocol to distinguish between board and management roles

This should clarify where decisions can be taken by management and when they should come to Board. These can include financial delegations (spending limits, contract signing rights etc) and freedom of action within overall policy constraints.

4.2 Delegation of detailed work to sub-committees / advisory groups

Rather than meeting on an adhoc basis, and with no regular reporting, there should be a clear mandate for each group, a timetable of meetings, and a reporting mechanism back to the main board. Some common committees include HR (covering board and management), Finance & Audit, and any others as the organisational requirements dictate.

4.3 Clarification of the board’s role in strategy formulation

The board’s core role is to co-create and ultimately agree strategy. This will take the majority of its time. It doesn’t want to get lost in the weeds of operational decisions or the minutiae of less mission critical projects. It is useful therefore to set the parameters of the board’s engagement in strategy.

4.3.1 The Board owns the long-term vision & mission

McKinsey say that “governance arguably suffers most, though, when boards spend too much time looking in the rear-view mirror and not enough scanning the road ahead. In interviews with 25 chairmen of large public and privately held companies in Europe and Asia they found that directors ‘still spend the bulk of their time on quarterly reports, audit reviews, budgets and compliance – 70 percent is not atypical – instead of matters crucial to the future prosperity and direction of the business’⁴.

Boards need to take a long-term view on the company vision and mission, and ensure that strategy delivers on this. CEO tenures are increasingly short-term. Senior management staff can be less. Boards need to look out further than anyone else in the company.

4.3.2 The board engages in the process of strategy formulation

In many organisations the CEO will present a strategic vision once a year, the directors discuss it and tweak it at a single meeting, and the plan is then adopted. The board’s input is minimal and there is insufficient time for debate or and insufficient information to allow adequate discussion of alternatives.

The solution is a more fluid process where management prepares a menu of options with varying risks and resources. On a special strategy day, board and management debate, refine and agree a single plan.

At the onset of the annual planning process the board’s job is to help management broaden the number of strategy options. Mid-year it is to select a preferred route. Year end, it’s the job to implement.

4.3.3 The board monitors performance

This should be done regularly and systematically. This will include the product, the market, the senior management team, finance and the monitoring of key performance indicators.

Ideally key performance indicators should also be benchmarked against industry norms and rival competitors.

4.3.4 Minimize pet project syndrome

Board members generally don’t get involved in implementation. They advise, they don’t do. However, given that board members are often business leaders themselves and like to be people of action, there is always a risk is that individual directors can become too wedded to a pet scheme that may ultimately be a diversion or a drag on performance.

Sometimes their project may need to be let go, or significantly amended for the benefit of the business. Giving directors a fluid and regular change of focus helps dilute this risk.

4.4 Create an annual agenda

Just like management teams, the Chairman and board members should plan their annual activities. The following diagram is a hypothecated model from McKinsey⁵.

TABLE 2 – Example Annual Board Timetable

5. Regularly review and nurture the senior management team

“Results are only as good as the people that generate them”

Ultimately any brilliant strategy depends on the quality of execution. This means the board needs to ensure that not just the CEO, but also an effective senior management team is in place and working effectively.

5.1 The board oversees the appointment of senior managers

Has the CEO the right appointments under them? Are job roles effectively assigned? Are the senior managers effective and competent? Is the remuneration appropriate and realistic? The scoping, drafting and pricing of senior job descriptions should be a key part of the strategic plan approved by the board. Ideally board members sit in on interviews for new senior appointments.

5.2 Senior managers present and debate with the board

Many forward-looking boards will invite senior managers to present strategy and debate performance issues. According to data compiled by Kathleen Eisenhardt and L.J. Bourgeois, the highest performing companies treat no subject as undiscussable. Directors at these companies scoff at some of the devices more timid companies use to encourage dissent, such as outside directors asking management to leave while they discuss company performance. What is the point of criticizing management, they ask, if management isn’t there to answer the criticism?⁶

5.3 The board engages with talent review and management

Many forward-looking boards hold annual reviews of the top talents, always with an eye on those who might eventually be promoted to key roles.

6. Keep a strong eye on risk and risk management

“Sense and deal with problems in their smallest state, before they grow bigger and become fatal.”⁷

Risk management is typically dealt with through the audit or finance committee, but it can also be applied to strategy and performance. Key business risks should be identified up front and regularly monitored. Apart from a failure to execute a strategy, the emergence of these risks may be the most significant liabilities a company will face.

If board directors lack expertise in particular markets, products or issues they should invite outside experts to board meetings to talk about specific topics. This may even extend to product development or strategy if they are entering a new business space.

7. And the ultimate – openness, candour and respect is sacrosanct

“Communication, communication, communication”

Great companies that suffered sudden meltdowns showed no obvious board pattern of incompetence or corruption. According to an article in the Harvard Business Review⁸, they followed most of the accepted standards for board operations. Attendance was regular; directors had significant equity investments; key committees and codes of ethics were all in place; the boards weren’t too small, too big, too old or too young. And finally, the board make-up (in terms of inside and external directors) was generally the same for companies with failed boards and those with well-managed ones⁹.

It is difficult to tease out the factors that makes one board an effective team and another, equally talented board, a dysfunctional one. ‘Well-functioning, successful teams usually have chemistry that can’t be quantified. They seem to get into a virtuous cycle in which one good quality builds upon another. Team members develop mutual respect; because they respect one another, they develop trust; because they trust one another, they share difficult information; because they all have the same, reasonably complete information, they can challenge one another’s conclusions coherently; because a spirited give-and-take becomes the norm, they learn to adjust their own interpretations in response to intelligent questions’.¹⁰

The key is to effective boards is ultimately not structural – all other factors being equal, but social. What distinguishes exemplary boards is that they are robust, effective social systems.

A virtual cycle of respect, trust and candour can be broken at any point. One of the most common breaks occurs when the CEO doesn’t trust the board enough to share information, or does so only at the eleventh hour.

7.1 It is the board’s responsibility to request full reporting

The board needs to explicitly request adequate information, and potentially the format in which it requires information.

7.2 The CEO ensures controversial or issues or bad news is brought to the fore

It makes a difference when the CEO and senior management are very open with the board on performance, share genuine bad news early and give the board time to collectively brainstorm and produce solutions or mitigating strategies.

The board can encourage this process by regularly requesting information, but also making clear that it will not engage in ‘blame culture’ recriminations when difficulties arise. Healthy boards will appreciate that mistakes can happen, that management needs to be given freedom to experiment and therefore potentially to fail, and that when problems arise the approach is always ‘solutions-focused’, not ‘blame-focused’.

7.3 Avoid back channels and political factions

A sign that trust is lacking is when board members begin to develop back channels to line managers within the company. This can happen because the CEO hasn’t provided sufficient information, but it can also happen because board members are excessively political and are pursuing agendas they don’t want the CEO to know about.

Another common point of breakdown happens when political factions develop on the board – either being driven by the CEO, or by individual board members. To minimize these risks the following actions can be taken:

• The Chairman and CEO ensure that controversial issues are brought to the fore and discussed transparently and openly.
• The CEO distributes reports on time and shares difficult information openly.
• Intermittent polls of board members, ideally anonymously, to see if members are dissatisfied with the CEO or Chairman.
• Similar polls to see if board members distrust outside auditors, internal company reports or management competence.

7.4 The Chair and CEO work together closely and regularly

The board chair sets the performance culture of the board and ultimate helps the board outperform for its shareholders and stakeholders. A key component of this role is the development of a very healthy partnership with the CEO that balances focused oversight and accountability with dedicated support to the CEO so they can excel in driving the organization forward.

Chairs should meet with the CEO regularly. In high performing companies this may occur weekly (in start-up or problem-mode), fortnightly but certainly no less than monthly.

7.5 Foster a culture of open dissent

Perhaps the most important link in the virtuous cycle is the capacity to challenge one another’s assumptions and beliefs. Respect and trust do not imply endless affability or absence of agreement. Rather, they imply bonds among board members that are strong enough to withstand clashing viewpoints and challenging questions.

The CEO, Chairman and board in general need to demonstrate through their actions that they understand the difference between dissent and disloyalty.

This can’t be legislated for but has to be something that leaders believe in and model. Home Depot Chairman Bernie Marcus, for example, notes that, for one simple reason he won’t serve on a board where dissent was discouraged. When he serves on a board, his reputation and his fortune are on the line. A lost reputation can’t be regained, and director’s insurance won’t protect anyone’s fortune, because there always exemption clauses¹¹.

¹ ‘High-performing boards: What’s on their agenda?’, Chinta Bhagat & Conor Kehoe, McKinsey Quarterly, April 2014

² Ibid. p, 5.

³ ‘Bankers: from Pillars to Pariahs’, Ian Peacock, Novum Pro (2018), p. 41

⁴ ‘Building a forward looking board’, Christian Casal & Christian Caspar, McKinsey Quarterly, Feb 2014, page 2

⁵ ‘Building a forward looking board’, p. 3

⁶ ‘What Makes Great Boards Great’, Jeffrey A. Sonnenfeld, Harvard Business Review, Sep 2002, p.11

⁷ Pearl Zhu, taken from: https://www.goodreads.com/work/quotes/52388291-digitizing-boardroom-the-multifaceted-aspects-of-digital-ready-boards , accessed 25th March 2020

⁸ ‘What Makes Great Boards Great’, p.1

⁹ Ibid., p.1

¹⁰ Ibid., p.6

¹¹ What makes Great boards Great, p. 11

“Someday, on the corporate balance sheet, there will be an entry which reads “Information”; for in most cases, the information is more valuable than the hardware or software which processes it.” Rear Admiral Grace Murray Hopper, US Navy (Ret)

As the economy goes digital (and global), competitive advantage is increasingly synonymous with information. More and more organizations are dependent on information systems to store their assets, be it a pharmaceutical company’s novel drug formulations; a music company’s original recordings of artists’ latest albums; or a tech firm’s code for new software applications.

Gaining competitive advantage through a merger or acquisition means that a company acquires the information assets of the target entity. How both acquirer’s and target’s information assets are integrated and shielded from various types of risk during the M&A can play a role in the success or failure of the new entity.

This paper discusses the challenges of managing information risk for several types of M&As and introduces a framework that can be used to address those challenges. The paper also offers a checklist of best information risk management practices for an M&A, based on the author’s experience as a Certified M&A Advisor.

CHOOSING AN INFORMATION RISK MANAGEMENT APPROACH

Companies pursue M&As to enhance their market position, drive growth, or to expand capabilities, products or services. Senior management typically focuses on four major areas during an M&A: brand protection, customer retention, cost reduction, and change management.

A robust information risk management (IRM) strategy supports the areas of management focus while creating value for the new entity. In this author’s experience, managing information risk can be a challenge during an M&A, because it is typically a time of intense change and rapid execution.

Understanding the type of M&A the company is undertaking allows for more effective information risk management. M&As can be broadly categorized by the type of buyer (financial vs. strategic), the size of the deal, and the extent and speed of integration. These factors affect the overall integration strategy and call for different approaches to managing information risk (Figure 1).

The first M&A category are financial buyers who seek targets outside their market that will enable them to create value through transformation. These buyers will usually extend their existing products and services into a new geography or diversify by connecting with large conglomerates or private equity groups. Integrations are usually done slowly so as not to rock the boat for the target or distract people through rapid change.

For these financial buyers, the information risk management strategy should focus on compliance issues, laws and the regulatory frameworks that will impact the business. There is likely to be minimal formal integration and IRM teams must understand the resultant complexities in governance. The policies and procedures, although used to run distinctly different businesses, should be consistent across the two organizations. On the people side, IRM teams must recognize there are two different levels of risk awareness, skills and cultural knowledge. Since there is not full integration, there is little scope to bridge the gap between entities; this increases the complexities of governance. If not managed properly, this can adversely affect the strategic agility of the entities.

Figure 1:

The second M&A category is the strategic buyer pursuing market leadership by consolidating two large entities to eliminate redundancies, improve operations, and leverage economies of scale. These M&As often warrant a full integration and are usually done at a modest pace. Pushing forward at a rapid pace could be risky, jeopardize the full value of the deal, and burn out resources from the sheer size of the effort.

For this strategic buyer, IRM teams should focus on classifying sensitive information to ensure the right people have the right level of information access, and the wrong people do not. The risks of any downtime and availability of information from systems migrations and integration of disparate systems should be well thought through; any downtime could affect customer retention and brand reputation. All obsolete and non-standard systems should be eliminated. Poor migrations and integrations often result in data accuracy and integrity issues, which have a huge impact on an organization’s key business processes.

The third M&A category are those financial buyers who execute a series of “bolt-on” acquisitions to create a new platform for growth. These expansions could be geographic or involve vertical integration. The speed of integration is rapid, leveraging the skills and scale of the platform company. There is likely to be low extent of integration beyond eliminating redundancies and overlaps in corporate functions and the back office.

Here, the IRM teams should focus on compliance with specific regulations. Access risk and residual access risk must be evaluated and acted on quickly. There also needs to be a tight level of integration at the governance level, similar to that needed for the “transformational” financial buyer.

The strategic buyer who is absorbing a competitor – usually of a smaller size – are the final M&A category. This buyer seeks to capture operational synergies by eliminating excess capacity and enhancing efficiencies. This often includes merging sales functions, scrapping product lines or services, or closing offices.

While this is a full integration at rapid speed, extra care must be taken not to alter the risk profile of the target so much that it diminishes in value and takes on too much agility risk. In addition, access risks play a very important role in this kind of a merger, having the same level of impact as consolidation with full integration. The use of non-standard or obsolete systems stand a negligible chance and hence much time and effort is not spent on this area during absorptions thereby reducing accuracy risks.

Frequently the methods used by the acquirer for managing availability risks are adopted by the new entity.

THE ‘4 A’ FRAMEWORK: UNDERSTANDING RISK PROFILES

M&As create environments more complex than steady state operations, and thus should be viewed differently when managing information risk. It is also important to have a common IRM framework during an M&A, so that the integration and IRM teams can ensure changes are visible and controlled.

To manage, mitigate and monitor risk in this highly complex environment, it helps if the framework is robust enough to be customized by the type of M&A. The framework should allow for integration between the tactical tasks that help manage risk and the strategic imperatives of the transaction. Such an information risk framework also aids in building a common language of alignment between business design and the information environment.

Figure 2:

The 4 A Framework is a model that allows IRM teams to look at all aspects of risk. Using this framework for M&As allows IRM teams to customize to the transaction, maintain transparency and connect risk management to strategic goals. Entities undergoing M&A can evaluate the risk profile of the acquirer and the target company, and that of the combined entity based on these parameters:

• Availability – keeping existing processes running and recovering from interruptions, while avoiding negative incidents such as outages and security leaks
• Access – ensuring that the right people have access to appropriate information and that the wrong people do not
• Accuracy – providing accurate, timely and complete information to all relevant stakeholders
• Agility – supporting changes in the business with acceptable cost and speed.

With the 4A Framework, the IRM team can manage top-down, rather than get bogged down in operational details right away. This can simplify execution. It’s important to note that the 4As are not independent of each other. For example, overengineering access can reduce agility, while overengineering agility can increase availability or accuracy risks. Ultimately, balancing the 4As in alignment with business objectives leads to better integration and risk management.

Figure 3:

INTEGRATING RISK PROFILES

Seasoned M&A professionals usually tend to select either the acquirer’s or the target’s IRM approach because similar choices usually work for other functional areas.

Traditional information risk management professionals, on the other hand, tend to lean towards standards or regulatory frameworks during an M&A. While this does work for steady state operations, it often leads to issues during the transaction, because the risk profile of the new entity differs from steady state.

IRM teams also should avoid using either company’s risk profile for the new organization. The best practice approach, the acquirer imposing approach, or a standard approach might work for other areas of integration, but not for information risk management.

An organization’s business architecture revolves around five broad areas: customer segments, scope of products or services, geographic coverage, strategic differentiation, and profit pools. During an M&A, organizations tend to alter one or more of these areas. This impacts the IT strategy needed to support the new structure. As a result, the new entity is likely to have a different risk profile than either the acquirer or target. The information risk profile for the new entity should align with the new business architecture as well as the new IT strategy, thereby creating and protecting value for the new entity.

An example would be if the acquirer’s focus has been historically skewed towards access and availability risks because of the nature of their business, while target’s agility risk management was a competitive advantage for them. By imposing the acquirer’s profile on the target, there will not only be erosion of competitive advantage and loss of value, but also perhaps new exposures for the new entity.

BEST PRACTICES FOR MANAGING INFORMATION RISK DURING AN M&A

Based on the author’s experience, these tactics are best practices for M&As from an information risk management perspective:

1. Get the information risk management teams involved right at the due diligence phase.
2. Form the governance committee upfront and get agreement on the merger imperatives.
3. Understand the risk profile of both organizations and agree on the risk profile of the new entity.
4. Ensure the risk profile, IT strategy and business architecture of the new entity are aligned.
5. Align information risk management with the overall risk management work stream supporting the business rather than have it as a work stream within IT.
6. Understand the strategic intent of the transaction and get a solid handle on the speed and extent of integration.
7. Some mergers are heavily focused on capturing synergies through cost reduction; make sure this does not come at the expense of increasing risk beyond the appropriate threshold.
8. Understand and classify all sensitive information early in the transaction. Know where information resides and ensure adequate controls are in place to protect it during the integration and in transit to the new control structure.
9. Critical skills and knowledge reside with people and both acquirer and target need to retain good people to make integration successful. Loss of key people during the M&A could increase project risk and increase costs while impacting efficiencies in other areas.
10. Understand the regulatory environment. Regulations such as SOX, HIPAA, Basel II, GLBA etc., may come into play. Though some regulatory guidelines might overlap, addressing one does not mean compliance with others.
11. Understand and document all cross border issues with respect to legal possession of systems, applications, transactions, data rights and regulations that might come into play.
12. Use of non-standard technologies can result in loss of agility and affect speed to market, procurement, invoicing, or other critical business processes, thus eroding competitive advantage.
13. Pay attention to all information migrations; most accuracy and integrity risks arise due to poor migration executions.
14. Give immediate access to information on Day Zero. People will need it to do their jobs. Improper integration or poor consolidation of access control systems could lead to access risks, potentially violating SOD rules.
15. Look for hidden liabilities in licensing that can increase costs.