Five Steps to a Risk-Free M&A
While most Corporate Security Officers will tell you that no two merger/acquisition scenarios are quite the same, they do agree that there are constants that provide a thread throughout. The risks range from the assimilation of corporate cultures to the integration of technology systems – both physical and IT. And of course, there are the financial and compliance risks that occupy the C-Suite during the entire process.
Because of the risk and security intricacies involved in a large merger or acquisition, the CSO and senior security team must assume multiple leading roles: consultant, mentor, facilitator and arbitrator.
Between them, Scott Soltis, Director of Global Security for Catalent Pharma Solutions, and Dan Colin, Director of Global Security at Molson Coors, have more than 20 mergers/acquisitions under their belt – and experience has taught them several lessons in the process itself. Here are five best practices for integrating a security plan for a newly merged or acquired company:
Step One: Be Proactive with Communication
During his 20-plus years as a senior security executive, Soltis has gone through 17 acquisitions. Currently the Director of Global Security for Catalent Pharma Solutions, he previously served as Senior Global Corporate Security Leader for Teva Pharmaceuticals and Director of International Security for Abbott Laboratories.
While the security landscape during the M&A process has changed through the years, Soltis says the constants remain – chief among them being organizational anxiety. “Communication is so crucial – silence just adds to everyone’s anxiety, creating rumors and putting people on edge,” Soltis explains. “Even when you don’t have anything to communicate from an organizational perspective, you need to communicate something. If you are two months into an M&A process and people don’t hear anything, nothing being said is the worst message to convey.”
Soltis adds that it is important to have a good organizational strategy in place before your team begins sharing information, and not just from the security department’s perspective. “If you come out on day one and say ‘we’re acquiring this company and there are going to be a billion dollars in synergies,’ how are you planning to achieve those synergies,” Soltis asks. “Are you going to achieve them through plant consolidation? If so, then at least have an understanding what plants are going to be affected and when those consolidations will occur.”
The x-factor of a successful communications strategy is the ability of security and risk teams to get their messages across equally to both the C-suite and the rank-and-file employees.
“Communication is the absolute key in any M&A,” Soltis says. “Any M&A can create uncertainty for employees on both sides, so it is essential that you communicate the strategy and purpose early on in the process and as frequently as possible. Engagement of employees and rank and file (to the extent possible) of the integration activities will prove valuable in easing concern that they may have.”
Step Two: Take an Active Role in the Due Diligence Process
A major part of the customary due diligence process for M&A is establishing the assumption of risk – especially when it comes to regulatory compliance, security framework compatibility and the various business risks presented by the target company.
“Regulatory compliance and other business risks can negatively affect the acquiring company from day one,” Soltis says. “In my experience in the Pharma world, these risks are typically identified in the due diligence process, but not always. The quality and depth of the due diligence are essential. Negotiating terms of the due diligence and taking time to ensure all systems and processes are exactly what they appear to be can make a big difference in the assumed risk related to that particular acquisition,” he stresses.
Soltis says the acquisition of a public company can become a more robust due diligence process, with an SEC review providing more valuable information and data as opposed to a private company. “Ideally, it all comes down to trust and the relationship you have with the principals of the target company,” Soltis says. “You must be able to trust but verify, and if the target company is showing some reluctance or resistance to full and complete disclosure, that may be a red flag.”
Step Three: Create a Cohesive Physical Security Plan
Colin is also no stranger to M&A. Colin was Director of Corporate Security for MillerCoors for a year until Molson Coors – the third-largest brewer in the world – formally converted MillerCoors into a division of the parent company in Oct. 2016. Colin also went through mergers and name changes when SBC bought Ameritech and AT&T and settled on the AT&T name. While at Abbott Labs, he transitioned to a spinoff company called Hospira where he was Director of Global Security, which was subsequently bought by Pfizer.
“Each M&A has been different,” Colin says. “When we spun from Abbott to Hospira, we were starting a brand new company, so I got to put together a (security) organization from scratch, the way I wanted it – obviously getting buy-in from the CEO and the rest of the executive team. It was an uphill fight, but we got to where we wanted to be.”
Colin built a robust, centralized physical security infrastructure with an access control system at every global site. “When Pfizer came in, they had a totally different model,” Colin says. “They had a game plan and playbook that they use (for acquisitions), so they took what was a centralized approach and dismantled it. There is nothing wrong with that – (Pfizer CSO John Clark) and his crew knew exactly what they wanted and how they wanted to do it, plus, they found jobs for almost every member of our team.”
Two weeks later, Colin took the job at MillerCoors, and set about expanding on his predecessor’s security plan, which meant centralizing many of the processes and upgrading systems. Of course, Colin’s course of action was forced to change again when Molson Coors revealed a different security philosophy – one that was much more decentralized. Working closely with a consultant Molson Coors during the transition process yielded mixed results.
“It has not been an easy integration,” Colin admits. “I have had to go back and rethink how we go to business, since as much as we want to build that global organization with standardization and globalization, you face the reality of things being done another way.”
Soltis agrees, noting that in a largely decentralized organization, many systems will remain standalone, while it becomes more of a large integration activity in a centralized organization.
“A strict playbook should be established and a strategy in place during your pre-integration planning so you are prepared to execute as part of your integration,” Soltis says. “Most companies experienced in M&A integration will have identified all requirements in advance of ‘day zero’ (or the day the deal closes).”
Step Four: Adopt Changes on a Global Scale
Colin, who now heads up four business units comprised of Molson Coors Europe, Molson Coors International, Molson Coors Canada and MillerCoors, is still working toward his goal of a centralized security model. That means assessing and updating security and procedures and locations scattered around the globe.
“It’s like going back in time when dealing with some of these locations,” Colin says. “We have to take a step back and demonstrate to people what a truly global security program can bring to the table. Some people (in the organization) think we don’t have (security) problems, or prefer they be handled locally. It is an old mindset that is not true to the real world.”
As Colin works towards that preferred model of centralization, he is dealing with outdated security equipment, lack of oversight and KPIs for the various guard contractors and a general lack of policy and procedure.
“You want to implement the best model that fits,” Colin explains. “It is a matter of best practices from both parties, which does not always work. In the end, you do what is best for the organization as a whole – you set the standard for your systems and try to leverage good relationships with your previous technology vendors for as smooth a transition as possible.”
Step Five: Get Buy-in and Assistance from IT
Since almost every high-end physical security system – from access control to video surveillance and beyond – is running on a corporate network, the cooperation between CSO and CISO is invaluable. “CSO and CISO partnership is essential to understanding the enterprise security risks of the target company,” Soltis explains. “The convergence of physical and information security over the years has increased the capabilities of the two organizations to better appreciate each other’s function and role in the organization. Developing a risk profile for the target company’s data and information security compliance early on will only help to better understand the strategy for mitigating risks and allow for a more smooth integration.”
Colin contends that the migration to network-centric physical security coupled with the laser-focused attention of an IT department on those functions makes his M&A transitions easier – if the target company and the acquiring company leverage their respective strengths.
“As we have more network-based and server-based systems and software that is operating in those virtual environments, finding the consolidation and connecting to those servers makes integration easier, but at the same time, it can be more challenging if you are dealing with companies that have big server farms and data centers,” Colin says.
Devising a workable strategy that fits the size and complexity of shared data centers or how security systems are integrated with different networks within an organization is a huge challenge. “It comes down to a prioritization of what works best and what is most cost-effective for the organization to make that integration happen,” Colin says.
Merging physical access control and video surveillance systems, working with IT on consolidation of data centers and cloud functionality, and eventual placement of security operations are the things that keep Soltis up at night.
“Details like this are typically handled during the integration of the company (instead of prior),” he says. “The merging of systems, data centers and functions will depend on the organizational structure of the company.”
Anupam Mehta, a security consultant for software designer Synopsys, says there are five IT-based aspects of security that must be considered by an acquiring company:
- Data security for electronic and physical data: This involves data clean-up, backups and recovery procedures.
- Application security: Much like the integration of various physical security measures, companies tend to need to integrate various COTS (Commercial-off-the-Shelf) and internal IT tools and applications for continuity of the business. Thus, dynamic and static analysis of applications must be conducted prior to integration with current systems; and various mobile applications and services offered by both companies involved in M&A must be integrated.
- Network security: Care must be taken during the integration of workstations, network devices (firewalls, routers, access points, etc.), web servers and remote connectivity for employees.
- Architectural risk analysis: Applications and infrastructure components must be analyzed thoroughly to understand the threats and critical assets that are vulnerable.
- Adopt policies, compliance and standards: Ensure compliance of applications and tools as per applicable standards (NIST, FIPS, PCI-DSS, HIPAA, etc.).