Manage Learn to apply best practices and optimize your operations.

M&A and compliance: Call ahead for CIOs

Mergers and acquisitions produce many layers of challenges for CIOs, from integrating systems, to allocating budgets and staff. And of course, compliance.

It's all too familiar: When it comes to mergers and acquisitions, IT is rarely at the top of the agenda. CIOs are invited to the table late in the game, if at all, experts say. But in this age of compliance, keeping IT at arm's length can be costly.

Just ask Ron Maillette, CIO of Pacer International Inc., a logistics and transportation provider headquartered in Concord, Calif. The former CIO of Coca-Cola's fountain division, Maillette joined Pacer in 2004 as chief information security and compliance officer. The $1.7 billion company had been gobbling up businesses since 1999, becoming one of the industry's largest players. Publicly traded, Pacer was also subject to numerous regulations, including Section 404 of the Sarbanes-Oxley corporate reform act.

"The work that we had to do last year to get ready for audit was largely because we did grow through acquisition. Integration was only partial, and common ground for operation was spotty, which meant that getting consistent, repeatable processes in place was a huge task," Maillette said. "We basically lived by the mantra that we had to do in 10 months what many companies do in 10 years."

A CIO's M&A compliance to-do list

Compliance regulations come in all shapes and sizes, and in certain industries they can be all-encompassing. If the acquired companies are complex, the new owner must make accommodations to ensure their processes are solid and controls are working. AMR Research's John Hagerty offers this "to-do" list for CIOs:


Be prepared. For the acquired firm: Have all documents or independent assessments available for review by the buyer. For the acquirer: Have your checklist ready for what you want to see.


Get a SWAT team ready. Much of this work may need to be done quickly. Assemble a team that can quickly assess whether to raise red flags sooner rather than later.


Create a rapid integration plan. Variability within the company can lead to increased expense for compliance; the more ways that key processes get done, the more time and effort you'll need to expend to test that these processes are working as designed. The faster the companies come together, the better off you'll be.

Things could get just as hairy at Coca-Cola, Maillette added. "I can tell you that Coke was notorious for ignoring IT in acquisitions, and then in the 11th hour we had to scramble to make sure we didn't get clobbered with unplanned costs for integration."

Dean Lane, CEO of Varitools, a compliance server provider, has seen his share of acquisitions during a career that includes jobs at Symantec, Allied Signal and Thiokol. Lack of communication between business and IT during a merger can result in costly mistakes, he agreed, recounting the experience of a client that acquired a company to assist on its government contracts. After the deal was struck, the employer discovered that the IT operations of the acquired company were located in Canada, making it ineligible for the government work.

"They didn't do due diligence, didn't understand the IT was offshored and ended up spending $1 million to move the Canadian IT operations back into the United States," Lane said.

Mergers and acquisitions are by their very nature a secretive process directed by a trusted few, says Kathy Burkle, director, advisory services-IT effectiveness, at PricewaterhouseCoopers LLP. "Many times dealmakers don't want to get too many people involved. But what they fail to recognize is that there can be significant costs due to IT."

Indeed, the integration of IT systems is typically a company's biggest one-time expenditure after a merger or sale, according to Burkle. "When companies fail to achieve the value they had hoped from the deal, many, many times it can be directly attributed back to IT integration," she said. "You have to factor the complexities of IT integration into the ultimate offering price, because this is an investment you will be making after the sale."

AMR Research analyst Kevin O'Marah drove that point home in his Aug. 3 note on the acquisition of Canton, Ma-based Reebok by Adidas. While the takeover of Reebok positions the German footwear maker to better compete with industry leader Nike, O'Marah cautioned that technology hurdles loomed. The two companies use very different systems for product development. Mismatched product lifecycle management systems "is no reason to hold up a deal," but the companies will have to mesh these systems or pick a winner to capitalize on the deal, he wrote.

"Being able to manage a consistent compliance framework is just as important as business processes, and it can be a real problem," said O'Marah.

O'Marah has not seen a merger unravel strictly because of compliance, but he believes part of the reason so many deals go south is because they fail to realize the complexity of merging IT systems. "Yes it may look good on a financial basis and on a strategic basis, but does it work underneath the covers—not always so well. Integrating these processes is a hidden cost," said O'Marah.

Companies that maintain two parallel compliance systems not only carry the costs of both but also increase their risk of making a mistake, added O'Marah.

Is the merger glass half full?

CIOs tend to fall into two camps when facing a merger or acquisition—the forward-looking and the ones who wait for orders, said Michael Rasmussen, an analyst at Forrester Research who has written extensively on compliance. "It is a benefit to be proactive. You may not have the influence to say, 'Look, this is a bad idea,' but at least you can prepare for it well ahead of time." His advice: "Get your compliance ducks in a row."

An acquiring CIO should have a documented compliance program in place. The CIO must also find out if the acquired company has one.

"Any company that doesn't have good documentation is not managing compliance. They are reacting to crises or trying to use smoke and mirrors," said Rasmussen.

Acquiring CIOs should ask to see the actual operational incidents—cases where legal discovery was implemented, compliance fines, regulatory gaps, audit findings in IT, theft of personal or financial information—but realize that very few companies have good incident case management systems, Rasmussen said.

"There's a lot of learning that has to happen," he said, and if the deal is between companies in different industries, "you've got even more homework to do."

AMR Research analyst John Hagerty agrees, stressing that CIOs of acquiring companies have their work cut out for them. "For those firms doing the acquiring, the merging of business systems and processes becomes a much stronger imperative, especially for financial processes relating to SOX," said Hagerty. "CIOs are on the hot seat to get this done sooner rather than later and with tremendous precision. His advice for the acquired CIO: "Have as pristine an environment as possible so as not to slow negotiations."

Dig Deeper on IT spending and budgeting

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.