The other day I was reading a post by Alan Calder who referred to a presentation overview covering mergers and acquisitions entitled IT Governance and Mergers. This topic has interested me for some time. Merging the information environments of two organizations is a very complex undertaking, and one that I feel must be strongly considered by all practitioners and executives alike. A few considerations about how we are defining M&A:
- The blending of two information systems can be two separate public companies that are merging through some financial arrangement
- In other cases, and much more commonly, the organization may be centralizing the technology environment after years of organic regional self-governance
- A third case to consider is the re-development of the information environment (i.e. cancel the BPO and bring technology systems back in house)
The convergence of information environments touches all aspects of an organization at once: its controls, its processes, and its people. In the article the author does an excellent job highlighting the results of a conference session he hosted on M&A. He breaks down some great points to consider and pitfalls to be wary of when technology centers merge together (the focus is on law firms but wholly transferable to any organization). I would strongly recommend reading his full post, as he had access to numerous high-level CIOs.
While a full breakdown of M&A best practices is a worthwhile topic, this post focuses on the PCI DSS and general compliance issues that arise, and highlights some points that must be understood:
- Merging organizations creates a single entity – this applies for everything from taxes to compliance requirements. An organization that once was excluded from specific disclosure laws may now be obligated.
- PCI DSS levels of attestation are determined based on each card association’s total accounts processed by a single entity. Two organizations that merge as Level 2 Merchants may soon become a single Level 1 Merchant. This leap greatly increases the technology operating budget needed to ensure greater controls are in place, and creates the need for a plan to achieve compliance at the new level.
- Policies and procedures of each organization are different, and as these systems are merged together – which is considered best practice – there must be a full revamp of the documentary evidence.
- Merging the backbone infrastructure of another organization also introduces a larger number of access points to sensitive data, and/or increases the scope and applicability of compliance safeguards. This may require a full evaluation of the technology architecture and of the information flows through the system.
The effects of M&A on organizations are an exciting problem to solve, but they can only be addressed efficiently by completing the following basic steps:
- Develop a consensus on the business direction after the merger through a management level session
- Identify all systems that manage the information environment and map BOTH environments to the controls, business requirements, contractual obligations, and regulatory mandates of the post-merger business
- Prior to “flipping the switch”, consolidate and decommission unnecessary systems
- Finally, institute performance monitoring thresholds throughout the environment to further improve the organization’s information systems.
- One decision should be weighed before every merger – should this merger happen at all? It is a serious question where technology environments are competitive advantages.
Other experience with M&A? Please add comments on how it affected your PCI compliance efforts.
James DeLuccia IV