How Should Companies that Acquire Firms Deal Involve Risk Management Teams as Part of M&A (Merger and Acquisition) Deals

Abstract

Firms irrespective of the sector they are in or serving (Financial Services, Technology, Manufacturing etc.) look into Merger and Acquisitio,n (M&A) prospects, there are varied reasons to it but most of the times it’s to stay competitive and have an edge over competitors. As part of the M&A, there are different steps involved between the firms involved in the deal. In addition to those steps evaluating security posture and getting context on risks is very important to avoid future business impact. There have been a many papers and articles around the importance of involving cybersecurity risks in M&A discussions, as part of this research, its advised to understand the basic security posture of the firms, vendors , BC/DR, Physical security and policies etc. but there are some areas that are overlooked, however, the key problem is the absence of an overarching Risk management team in these deals, that helps keep tabs on all the risks in the register, tracking, monitoring etc. Presence of Risk management teams ensure risks identified through the process don’t slip through the cracks, especially the Moderate and low rated ones since everyone is busy solving the Critical and Highs, crucial terms like the Risk appetite and tolerance of the acquiring firms can be brought into the conversations. Risk teams are more often than not, playing catch-up, as a result, they can’t function to their full potential for risk reporting that in ideal conditions, helps the senior leadership understand the story. This article aims to shed some light on the M&A process and how involving the Risk management teams early onto these deals, can not only favor these M&A deals for the firms involved in the long run but also ensure there is no business impact down the road.