Mitigating Data Risk During an Acquisition

What will you do when you find out you're about to acquire or consolidate with another firm or division? Are you aware of the risks you may be inheriting? What data is going to demand the highest availability? What IT regulations will you have to address and how do you know if existing controls already address them?

Here are 10 "data health" checks you can conduct to help answer these questions before giving a green light to an M&A or consolidation.

Step 1: Assess your data - From a data perspective, you first should conduct an assessment of the independent data assets of each organization participating in the merger. If you do not know what data exists before the acquisition, gaining this understanding after combining the data, if it can be combined at all, will be extremely difficult. The task at hand will be simpler if both organizations practice strong data governance. This is rarely the case though.

Step 2: Plug the governance gaps - After completing an honest assessment of where each organization stands in terms of data governance, the next step should be to work toward creating a definition of data that is not well understood or undocumented. This should not be a long process; define what data you have and where it is stored. Consider using tools like data dictionaries and repositories and consult the subject matter experts (business users, programmers, data architects, etc.) at each organization for this information.

Step 3: Leverage the M&A for governance improvements - Use the acquisition as a springboard for instituting new or stronger data governance policies and procedures. Lack of insight into important business data, such as can occur during an acquisition, can be a strong motivational tool for implementing improved data management practices.

Step 4: Plan for increased workload and capacity. - The basic premise behind mergers is that the combined companies can conduct the same, or more, business more efficiently than two separate companies. Will you need more powerful hardware? Will the new combined business require more uptime, which translates to higher data availability? Existing hardware, transactions, applications, databases, and data maintenance processes may need to be overhauled to meet the new requirements. Consider implementing more efficient software and utilities for performance management, change control, and backup and recovery.

Step 5: Evaluate backup and recovery plans - A simple question, such as "Is everything backed up?", can be a crucial starting point. In the clamor of an acquisition evaluating recoverability is often forgotten or ignored. The on-going health of those backups must be checked periodically.

A systematic method of reviewing recovery health, include examination of backups, evaluation of IT hardware and software specification, and matching objectives to reality is helpful. The process of assuring recoverability is exacerbated due to the hectic nature of a merger or acquisition, and recoverability will certainly be impacted if it is ignored.

Step 6 Determine your new exposure to IT regulations - If the acquisition brings new types of business, even if it is related to your existing business, be sure to allot time and resources to examining and ensuring compliance with required IT regulations. Tools are available to help reduce the cost and complexity of compliance programs and processes (for example the Unified Compliance Framework

Step 7: Implement a database auditing solution - Because of the hectic nature of mergers and acquisitions, many last minute requests and requirements can accrue. A database auditing solution will routinely monitor data activity and keep an audit trail of users and changes in content. Additionally, database auditing can be used to keep an eye on your privileged users, such as DBAs and system administrators, who have unfettered access to critical data.

Step 8: Plan personnel to cover combined systems - During most acquisitions, dual systems and applications need to be supported. Plan for the proper personnel and support to protect and manage all of the data while redundant systems are required. In other words, don't pull the switch too soon - on systems or personnel.

Step 9: Identify and eliminate the redundant - Inventory and eliminate redundant system software and utilities to reduce cost post-acquisition. For example, if the majority of your most functional applications use DB2 as the DBMS, but a few use a different DBMS, converting those to DB2 (or choosing a different application that uses DB2) may allow you to eliminate a costly DBMS license. However, such decisions need to be made in an informed, business manner and not simply with an eye toward reducing system software cost.

Step 10: Intelligently automate your data management solutions - The more you can automate maintenance tasks the fewer problems that will occur that can stall the integration of your systems. Using software to automate and conduct on-going health checks on your data and data management activities can improve the overall responsiveness of IT to business needs.

The Bottom Line

Getting a handle on all of the data in your post-acquisition organization requires time and effort. But it need not be fraught with risk. With proper planning, tools, and resources, along with realistic expectations and these steps, you can reduce the risk to your valuable business data.