Mergers and acquisitions are commonplace in today’s business world, and chances are that if you are not planning one today, it is because you just concluded one. Compounded by the number of third-party supplier and partner relationships that are part of the make-up of many companies today, a growing concern arises with the level and history of merger and acquisition activity – ensuring that there are no sub-level surprises from previous events within your target company or their extended “family” of suppliers and partners. It does not matter if the source of a data breach or other major breakdown or failure in the marketplace came from a company you acquired last week or last year. Your reputation and your company’s image are on the line.

We all know there are key elements of any merger.

  • A reason to desire the target company, whether they have a great product you want to add to your stable of offerings, or you want to eliminate competition or expand your market reach – there is always a reason.

  • Coming to terms with the target company. Based on current value of the company, or projected value of the result of the merger, there will be agreement, even if that agreement has to be taken directly to the shareholders as is the case in hostile takeovers.
  • Due diligence to ensure you are getting what you expected. This is where peeling the acquisition onion comes into play.
  • Honeymoon stage where everyone is making nice shortly after the deal is approved. Getting to know new co-workers, learning new procedures, merging processes and coming up with the best of both worlds.
  • Steady state, when business is focused again on running the business, but now with new assets.

So due diligence should already be baked into any merger and acquisition process, but here is the issue. The results of your due diligence are in part going to be based on the quality of previous due diligence efforts by others. And as a chain is only as strong as its weakest link, your due diligence is only as sound as all the predecessors it is based upon. A simplistic example would be as follows:

  • Five years ago, Company T (your target company) acquired Company Z, which had a third-party relationship with Supplier Z.
  • During their due diligence, Company T did not uncover a vulnerability inherent in Supplier Z’s product or processes, or determined it was an acceptable risk.
  • Supplier Z is still in play, supplying Company T with a key product or service, which will continue after you acquire Company T.
  • Now during your due diligence investigation of Company T, if you do not trace back through all the third party and vendor relationships supporting Company T, you are at risk of bringing the same vulnerability into your business.

Now consider the reality that your target company probably has layer upon layer of previous mergers and acquisitions in their history, as well as third party partners who likely also have their own history of mergers. You can quickly see how it becomes imperative that your due diligence effort go beyond just the target company, and you need to peel back even more layers to ensure you are not adding unnecessary and unexpected risk to your existing business and clients. The goal of risk management is not always the absolute eradication of risk, but at least awareness and management of risks that cannot be eliminated. While financial risk can be addressed in the terms of the merger, there is no way to insulate against reputation damage if your newly acquired company is the source of a major data breach.

Herein lies the challenge. How far does one peel back the layers, versus determining that the yet-undiscovered risks and vulnerabilities fall within the bounds of normal and acceptable risks of doing business? This will largely be driven by the nature of your business and the risk appetite you are comfortable with. But keep in mind that this was also the case for your target company’s previous merger and acquisition events, although they may have had a very different tolerance level than you. A number of factors can influence this risk tolerance, and they can change dramatically from previous merger events. For example, your business may be HIPAA or FFIEC regulated while your target company has not been in the past. Not only do regulatory bodies require different controls, but they also tend to have an impact on what is viewed as “acceptable” risk.

So while performing your due diligence, be certain you gain a complete understanding of not only the current state of your target company, but also their history of previous mergers and acquisitions. And give appropriate consideration to examining the third-party and vendor partners that you will inherit, including their previous merger and acquisition activities, as they could have a material impact on your merger. Finding issues and dealing with them from a position of knowledge, whether you plan to eliminate, mitigate or accept the associated risk, will help ensure success for your merger or acquisition.