Mergers and acquisitions are among the most highly profitable strategies for growth, but they don’t come without risks. Some well-known pitfalls include culture clash, overpayment for the target company, and misjudgment of synergies.

However, there’s another, less understood risk involved in acquisition that brings both short-term and long-term ramifications: governance failures. Missteps in governance can cause financial and reputational downfall, legal consequences, chaos, fraud, and the ultimate collapse of the merger.

Within the context of IT, “governance” is a concept that can be applied to two completely different elements of acquisition – but both are equally important to a successful merger.

Governance as Project Planning

The first meaning of “governance” involves creating a structure to allow for an on-time, in-budget integration that achieves the organization’s goals while recognizing cost savings opportunities. It’s a highly complex process that relies on a critical balance between thinking everything through carefully and not getting stuck in the kind of over-analysis that slows the merger to a halt.

In fact, while 10 or 20 years ago the thinking was to take it slowly and integrate painstakingly, today’s organizations know that faster integrations are likely to be more successful ones. The first 100 days after closing the deal are especially important – that’s when employees are most likely to embrace new ways of thinking and be open to the possibilities of the merger. These early days are a perfect opportunity for leadership to capitalize on the excitement in the air, boost morale, increase productivity, and minimize uncertainties.

On the other hand, when the integration drags on for months (or even years), negative feelings can solidify, and change becomes harder and harder to embrace. According to PwC, the longer the integration takes, the lower the chances of success.

With that in mind, it’s important to create a governance strategy very early – ideally, as soon as acquisition is on the table – and build integration into a rapid timeline.

Effective, timely strategic governance requires the following:

  • Understanding the organization’s vision and goals
  • Creation of integration principles
  • Distinct roles and clear responsibilities
  • Key planning deliverables
  • An objective and disciplined approach
  • Leaders who model key behaviors, not just talk about them

PwC reports that integrating technology systems is at the top of the list of M&A challenges, according to the leaders surveyed: Nearly 60% of respondents identified IT integration as a difficult issue to solve. Even more significant, 45% point to IT integration problems as causing moderate to significant delays in meeting deal goals.

A solid governance structure can help prevent these problems by creating a step-by-step roadmap, as well as aligning IT with the business goals. With the proper planning and oversight, such as an IT steering committee, integration can be achieved quickly and successfully.

To improve the chances of creating a successful governance structure related to IT, the following best practices should be applied:

  • Identify IT integration leadership from the very beginning of the acquisition process.
    This is key to minimizing organizational uncertainty and designating clear responsibilities. A critical part of this role is to define initiatives and mobilize the IT resources required for supporting them.
  • Recognize and resolve cultural differences between IT and business functions.
    We’re all familiar with the cultural issues that can arise on either side of an acquisition. However, it’s also important to understand that cultures may clash within the same company. Stakeholders must regard IT as a key factor in the success of a merger, not just as order-takers who merely need to plug a few things in to get everyone up and running. By the same token, IT needs to move beyond a technical focus to determine how they can strategically support an organization’s big-picture goals.
  • Communicate clearly and frequently.
    Mergers are typically stressful for all involved, but honest and transparent communication can go a long way. Ensure that the vision and rationale behind the merger are fully articulated, and that governance principles set the tone for moving forward. In addition, don’t shy away from difficult conversations. Risks, trade-offs, potential problems – all must be discussed candidly so the team understands decisions and can quickly react to support them.

While there are many factors that go into the ultimate results of a merger, a strong governance plan and ongoing IT involvement are non-negotiable factors for success.

Governance as Security

The second important way to approach governance is through the lens of security. “Security governance” refers to an organization’s strategy for protecting data, complying with regulations, safeguarding customers’ personal information, reducing the risk of unauthorized system access, and preventing fraud.

Due diligence during the pre-acquisition phase is vital to discovering any potential issues with the target company’s security. But even when these problems are uncovered and addressed, the post-merger process itself can increase security risks.

In the short term, problems occur as a result of a rapid increase in the scope of requirements, varying control systems and procedures between companies, and in many cases, a new set of regulations to comply with.

Part of the reason security can become compromised during a merger is employee confusion. People are often unsure what the new security protocols are, and how to follow them. Management has its hands full with new and stressful responsibilities, and isn’t always able to closely monitor subordinates. Sometimes, employees aren’t even sure who to report to or who to approach with their questions. (Of course, all of these problems are mitigated or avoided by creating an effective integration plan from the start.)

In the long term, the effects of weakened security and internal controls can be devastating, including data breaches and internal fraud. This is most likely to happen when the acquiring company has less robust control systems and policies, which it typically passes on to the target company.

Even when the target company has stronger and better security procedures, the acquiring company implements its own policies 76% of the time, according to research from Northwestern University’s Kellogg School of Management. This oversight results from a lack of due diligence, and perhaps a lack of open-mindedness. The solution is a comprehensive and objective pre-deal assessment of both companies’ security governance policies, and a commitment to making them as strong as possible.

Finally, as more and more acquisitions occur internationally, organizations must wrangle with the added security complexity of differing laws and privacy regulations.

One of the surest ways to maintain and strengthen security – throughout an acquisition and beyond – is to prepare a corporate governance report for both sides of the deal. This report should include an assessment of each company’s security systems and controls, any gaps that need to be addressed, and their policies on ethics, security, and anti-fraud.


Acquisition is a significant undertaking, and success relies on numerous factors. However, there is no doubt that organizations have the best chance of meeting their goals when they commit to both kinds of governance: strategic planning and strong security.
