Mergers and acquisitions are not usually quickie affairs. There's much thought given to M&A synergies, cost savings and value creation. And in the gray zone between "intent to purchase" and finalizing a merger or acquisition comes the critical IT-related due diligence\u2014that period where IT (and other) systems are scrutinized, and buyers can decide to pull out because the company's a mess or there's just too much risk involved. \n\nBut, of course, these are not usual times.\n\n\n MORE ON CIO.com\n \n Financial Industry Mergers, Acquisitions and Meltdowns: What's in Store for IT Execs and Staffers?\n \n Does Your Work in IT Matter to Wall Street?\n \n Financial Meltdown's Silver Lining: Fewer M&As Means Less Stress for Tech Customers!\n\n \n\nThe critical due diligence process of examining the overall state of an organization's enterprise IT systems\u2014the infrastructure, applications, outsourcing deals and vendor contracts in place\u2014can take up to a week, according to industry consultants. \n\nRecently, however, entire acquisition deals in financial services have taken place over the course of one weekend. A few of the biggest deals of late include: Bank of America acquiring a desperate Merrill Lynch; JPMorgan Chase buying a floundering Washington Mutual (WaMu); and Wells Fargo besting Citigroup to purchase Wachovia. \n\nThese so-called "shotgun" M&As are both a testament to the dire circumstances on Wall Street and a test of CIOs' and their IT staffs' ability to analyze, prioritize and integrate systems in a hurry. "The shotgun marriages are being arranged, the companies are at the altars, the ceremonies are being held over the weekend, the ministers are various federal agencies, sort of instructing companies about what they need to do and on what terms, and there is no IT due diligence," says Tom Casey, a VP at Booz & Company. "It's just not happening."\n\nIn M&As, the Heat Is on ITThe prospect of not vetting IT systems before a deal is scary: Unknown security threats and vulnerabilities, and unsecured IT assets and Internet connections are just a couple of the worries for the customers of Lumeta, a network mapping and monitoring vendor, says CTO Michael Markulec. "You can't secure what you can't manage," he says, "and you can't manage what you don't know." \n\nThat type of insight is even more important in financial services, since IT spend typically is a hulking 15 percent of overall revenue, according to Casey, which is an indication of the crucial role IT (and its security) plays in financial institutions. "IT is the backbone of how these banks operate," he adds, "and you're not going to get these major [M&A] synergies without addressing the IT stuff." The mood on The Street.\n\nWhen companies give short shrift to scrutinizing IT systems, M&As become even riskier than inherently they already are. M&As are tricky to get right even in "normal" times with appropriate due diligence, and many don't return the expected value. According to an August 2007 Boston Consulting Group study of more than 4,000 completed mergers and acquisitions between 1992 and 2006, 58 percent of deals actually destroyed value for acquirers, with a net loss of 1.2 percent for all transactions. \n \nNow, in these crazy times, IT teams will be put to an even greater test to try to make these deals work. CIOs and IT departments are tasked with assessing and, ultimately, meshing together dissimilar systems that are expected to provide efficiencies and savings\u2014ASAP. "One of the key factors of very big integrations is the ability of IT to consolidate and streamline the acquisition onto a single platform and gain significant cost savings," CIO Tom Sanzone told CIO in late 2007, when he was CIO of Credit Suisse. (Sanzone took over the top IT spot at Merrill Lynch in 2008. See "Financial Industry Mergers, Acquisitions and Meltdowns: What's in Store for IT Execs and Staffers?" for more on his transition and fate in the new Bank of America.) \n\n"As the head of IT," said Sanzone, who has been through several M&As, "I know what would be expected of me, and that's certainly a type of pressure I have felt." \n\nBut in a heated M&A climate with little if any time for due diligence, pressure on IT intensifies. The difficulty of ensuring smooth systems integration and careful consolidation (with no surprises) is dialed up even more. Unfortunately, said Barry Jaruzelski, VP and lead marketing officer at Booz Allen Hamilton, in the CIO article, companies "don't realize just how hard and expensive it is to consolidate onto one platform."The Importance of IT Due DiligenceIn more tranquil business times, when banks and investment firms aren't teetering on the brink of failure and credit markets haven't collapsed, most companies follow a standard operating procedure for an M&A situation. IT considerations typically enter the discussions after "the primary deal logic" discussions (such as regional footprint, distribution and operational factors) start on the business side, says Tom Reichert, a partner in the Financial Institutions practice of The Boston Consulting Group (BCG). "But then quite quickly technology comes to the table to be part of it," he adds. \n\nAccording to Reichert, there are several technology-related factors that are most important to the M&A decision-making. First is the expected post-acquisition "synergies" to come from the deal. "The synergy value should be 10 percent to 25 percent of the combined technology budgets of the two companies involved," he says. "That is a significant part of the valuation of mergers." \n\nAnother notable factor includes whether there are significant deal breakers in an acquisition\u2014"big security or regulatory issues that the acquirer is getting into in the tech environment that it really needs to get solved," Reichert says, "or big contracts that exist that they really need to solve beforehand." \n\nLumeta's Markulec adds that regulatory and compliance issues such as PCI make it even more imperative that companies know what's out there on their networks. "You have to identify all of the assets on the network that you've just acquired: What's out there? How many routers, servers and end-point stations?" he says. "So, where are all those assets and are there any immediate vulnerabilities that need to be addressed?" \n\n"Companies may be introducing vulnerability that they didn't know exists," Markulec says. "That's the biggest fear on the networking and security side when they go through the acquisitions."\n\nWhich Apps Stay, Which Apps Go?Equally as important to discussions about cost synergies and network security, says Booz's Casey, are considerations such as selecting the core systems and applications that will enable the combined company to grow in the future and where the opportunities are to consolidate infrastructure and contracts. In other words, what things will be left as is, and what IT assets and activities may be too risky for the new company to continue. \n\nTo his surprise, Casey says that on the 10 mergers he's worked, the workforce-related issues (i.e. layoffs) were less of a hassle than the platform and application discussions. "Is it my system or the other guy's system that's going to stay," he says. "There's all this tree-hugging behavior." \n\nCasey surmises that the issue is all about power and turf in these types of deals. "If I'm an IT person or business owner of [that system], then I lose that, I lose that kind of power position," he says. He recalls an acquisition that he worked on in which the acquiree's newly installed SAP system, which the company had just standardized on, was shut down by the acquirer because the executives didn't want to use it. "It was the right decision from an economic perspective," Casey says, "but [the acquiree executives] couldn't believe this." \n\nEven if more and more of these "weekend mergers" keep taking place, Casey and Reichert do point out that these financial services companies have good track records and loads of experience with M&As. "In a number of the institutions that we are talking about," Reichert says, "a lot of the CIOs are very experienced industry figures who have gone through this numerous times." Financial service CIOs usually have insight into other IT shops and "rules of thumb about what to expect on the infrastructure side," he adds, "though it's harder to predict on the applications side." \n\nNevertheless, in this unprecedented financial climate, it appears that IT departments and CIOs just have to make do with what they inherit (IT staff, systems, projects) in a merger or acquisition. As Casey puts it, acquiring companies have "got a formula and recipe that they follow, but what they don't have is the advantage of what they'd usually get in a detailed perspective before they get the assets." \n\nEven with such uncertainty, Casey advises IT staffs to suck it up, if it happens to them. "Complaining about it," he says, "does you no good at all."