Ten Steps for Mitigating Data Risk During a Merger

Merger and acquisition activity stands to increase as global markets struggle to stay afloat during the worst economic slowdown in decades. What will you do when you find out you’re about to acquire or consolidate with another firm or division? Are you aware of the risks you may be inheriting? What data is going to demand the highest availability? What IT regulations will you have to address and how do you know if existing controls already address them?

Below are 10 “data health” checks a CIO can conduct to answer these questions before giving a green light to a merger, acquisition or consolidation.

Step One: Assess your data

From a data perspective, the first step needs to be an assessment of the independent data assets of each organization participating in the merger. If you do not know what data exists before the acquisition, gaining this understanding after combining the data, if it can be combined at all, will be extremely difficult. The task at hand will be simpler if both organizations practiced strong data governance. This is rarely the case though.

Step Two: Plug the governance gaps

After completing an honest assessment of where each organization stands in terms of data governance, the next step needs to be plugging the gaps. Work toward creating a definition of data that is not well understood or undocumented. Do not turn this into a long process; define what data you have and where it is stored. Consider using tools like data dictionaries and repositories and consult the subject matter experts (business users, programmers, data architects, etc.) at each organization for this information.

Step Three: Leverage the M&A for governance improvements

Use the acquisition as a springboard for instituting new or stronger data governance policies and procedures. Lack of insight into important business data can be a strong motivational tool for implementing improved data management practices.

Step Four: Plan for increased workload and capacity

The basic premise behind mergers is that the combined companies can conduct the same, or more, business more efficiently than two separate companies. Will you need more powerful hardware? Will the new combined business require more uptime, which translates to higher data availability? Existing hardware, transactions, applications, databases, and data maintenance processes may need to be overhauled to meet the new requirements. For mainframe shops, perhaps you can better utilize cheaper specialty engines like zIIP, zAAP, and IFL processors. And look into more efficient software and utilities for performance management, change control, and backup and recovery.

Step Five: Evaluate backup and recovery plans

A simple question, such as “Is everything backed up?” can be a crucial starting point. In the clamor of an acquisition, evaluating recoverability is often forgotten or ignored. The on-going health of those backups must be checked periodically.

A systematic method of reviewing recovery health, include examination of backups, evaluation of IT hardware and software specification, and matching objectives to reality is helpful.

Step Six: Determine your new exposure to IT regulations

If the acquisition brings new types of business, even if it is related to your existing business, be sure to allot time and resources to examining and ensuring compliance with required IT regulations, such as PCI DSS, HIPAA and Sarbanes Oxley. Tools are available to help reduce the cost and complexity of compliance programs and processes, such as the Unified Compliance Framework (UCF), which provides spreadsheets broken down by individual areas of compliance.

Step Seven: Implement a database auditing solution

Because of the hectic nature of mergers and acquisitions, many last minute requests and requirements can fall through the cracks. A database auditing solution will routinely monitor data activity and keep an audit trail of users and changes in content.

Additionally, database auditing can be used to keep an eye on your privileged users, such as DBAs and system administrators, who have unfettered access to critical data. Some can even track data access patterns to look for anomalous activity and raise alerts when it occurs.

Step Eight: Plan personnel to cover combined systems

During most acquisitions, dual systems and applications need to be supported. Plan for the proper personnel and support to protect and manage all of the data while redundant systems are required. In other words, don’t pull the switch too soon on systems or personnel.

Step Nine: Identify and eliminate the redundant

Inventory and eliminate redundant system software and utilities to reduce cost post-acquisition. For example, if the majority of your most functional applications use DB2 as the DBMS, but a few use a different DBMS, choosing a less functional application that uses DB2 instead may allow you to eliminate a costly DBMS license. However, such decisions need to be made in an informed, business manner and not simply with an eye toward reducing system software cost.

Step Ten: Intelligently automate your data management solutions

The more you can automate maintenance tasks, the fewer problems that may stall the integration of your systems. Using software to automate and conduct on-going health checks on your data and data management activities can improve the overall responsiveness of IT to business needs.

The Bottom Line

Getting a handle on all of the data in your post-acquisition organization requires time and effort. But it need not be fraught with risk. With proper planning, tools, and resources, along with realistic expectations, you can reduce the risk to your valuable business data.

Craig Mullins works as a corporate technologist for Neon Enterprise Software in Houston, Texas. Read his blog at http://www.neonesoft.com/blog/blogs/cmullins.