Mergers with or acquisitions of other companies, the outsourcing of key business processes to vendors, and other strategic alliances may align external organizations with the reputation and well-being of your company. What would Security’s participation in the due diligence process bring to the risk management table?
Objective: To perform a pre-engagement review of the external relationship to identify potential areas of business risk that may be missed by a less comprehensive and knowledgeable examination.
Results Sought: Provide senior management with an additional set of potentially important inputs to the engagement decision.
Risk Management Strategy: Scratch the surface of any major business today and you will likely find not one homogeneous, wholly owned structure, but a set of interdependent alliances based on contracts, ownership shares or other ties to the mother ship. Long before the press conference or public notice of these alliances, auditors, M&A magicians, purchasing specialists and a gaggle of lawyers are at work (at huge expense) assuring your company’s executives that this arrangement equates to a 1 + 1 = 3 result. Is Corporate Security on the team?
This process isn’t about selecting an ad agency or real estate company. It is about business activities that are at the core of the business and shareholder confidence. These marriages or outsource relationships may provide external entities with virtually free access to proprietary business methods, trade secrets or sensitive customer information. They may be in high-risk locations with notoriously unreliable infrastructures. The list of risks is directly proportionate to the criticality of the product or service sought in the proposed relationship. The awareness of those risks is directly proportionate to the degree to which qualified sources are engaged to proactively identify them. Security needs to be an integrated member of the due diligence team.
The chart above examines the potential risks involved in an acquisition being considered by a fictional company.
What Can We Learn from This Examination?
The chart displays eight evaluative factors that the security organization has vetted in its evaluation of the prospective business alliance. The following conclusions were reached by an on-site security review team formed specifically as an integrated part of the due diligence team. Management recognized that this aspect of risk analysis was a critical element of the decision on this project. The target company had no choice but to allow a complete and honest review and, as a result, emerged from the process with several vulnerabilities addressed.
1. Personnel risk was evaluated through benchmarking with security colleagues with a presence in the area of the targeted business. Location risk is nominal.
2 & 3. The resilience of internal controls and objective analysis of risk are keys to reputational risk management and are the best defense against wrongdoing and poorly managed business processes. These aspects of the assessment show a lack of knowledge on the adequacy of controls and are clear red flags for this potential acquisition.
4 & 5. Not surprising given the apparent status of the last two factors, Security also has serious concerns for management’s understanding of and commitment to high ethical standards. The lack of strong probing on the adequacy of controls combined with this apathy makes it clear why managers are not well informed on risky behavior.
6 & 7. The information risk management infrastructure appears sound, with strong, up-to-date controls in place. A knowledgeable team manages the business continuity program.
8. Finally, it shouldn’t be surprising that this company’s security organization lacks influence and access.
This examination indicates significant risk in this potential acquisition. Due to the criticality of those factors of highest concern, Security’s recommendation will be to walk away. There is far too little concern for doing the right thing in this target.
George Campbell is emeritus faculty of the Security Executive Council and former CSO of Fidelity Investments. His book, “Measures and Metrics in Corporate Security,” may be purchased through the Security Executive Council Web site, www.securityexecutivecouncil.com/?sourceCode=std. The information in this article is copyrighted by the Security Executive Council and reprinted with permission. All rights reserved.