Even so, there is always risk whenever two organizations' IT systems are brought together, stresses Michael Lloyd, chief scientist with RedSeal Systems, a Redwood City, Calif.-based company that develops security risk management software for vulnerability management and compliance audits. "The main worry for banks in a merger is whether it's a financial risk," he says. "You look at toxic assets as an acquiring bank. But the same is true in networking. You can take over a toxic network, too. The problem is that the security stance can vary enormously from bank to bank. If you take over a bank with less-mature processes and technologies, you take on their IT risk as well."
To mitigate such problems, Lloyd notes, more and more banks are establishing due diligence teams for the IT side. "IT due diligence has to be looked at in the same way as financial due diligence," he asserts. "If there's a security problem at the acquired bank, then it becomes your security problem." To help customers with these tasks, Lloyd adds, RedSeal offers technology that can map the defenses on a bank's network and automate the discovery of IT risk.
Of course risk assessment doesn't end when the merger is official, notes Bob Metzler, senior consultant and managing director with Charlotte, N.C.-based Project Managers, which provides change management services. "You have to do a continuous risk assessment," he says. "Many times, banks focus on the day they convert, but they haven't allowed sufficient time to understand the risk."
To sharpen their M&A focus, suggests Eric Bass, the lead for the financial services business consulting practice at Devon, Pa.-based SMART Business Advisory and Consulting, organizations should form some kind of merger management office (MMO). "A bank must understand that to gain the benefits of an acquisition in a reasonable amount of time, ... execution on a merger needs to be a core competency of the bank," he says, adding that few banks traditionally exhibit this strength. But even if a bank doesn't come into an acquisition with a long-established M&A department, Bass explains, an MMO is vital to providing a sense of cohesion and leadership throughout the merger process.
Tony Viola, VP with Patni Computer Systems (Mumbai), adds that an M&A team facilitates communication among the various departments involved in the integration. "What we've seen as important with regard to orchestrating these transactions is the M&A team and its ability to communicate with the key constituents in the organization -- business and IT," he comments.
Open communication, however, isn't always possible, notes Fred Cohen, group VP with Patni, who says things can really get dicey for both the acquiring bank and its target during the "quiet period" between the announcement of the merger and the closing. "The most difficult time is the quiet period," he explains. "This is before communication can flow because regulations state that both banks must still operate as separate entities. It's a period of uncertainty and lack of direction."
The prevailing uncertainty during the the quiet period, Cohen continues, can drive employees to begin looking for work elsewhere. "Staff in both banks begin spending time thinking about their careers," he relates. "People tend to leave in shifts: first it's the experts, then it's those people who may not have a huge stake in the merger but have a lot of knowledge. So the faster a bank can produce solid financial information and communicate its plan, the better." Cohen notes that Patni is working on developing tools to streamline the quiet period, but he declines to elaborate.
To minimize this kind of uncertainty, Sterling's Gahagan says, it should be clear from the beginning of the M&A process who is in charge of integration. So in addition to establishing an MMO, it is also wise to install someone to oversee the entire process, he advises. "The CEO will appoint a merger 'czar' who will make big decisions on things like which platform to move to in the future," Gahagan notes. "It's really important for everyone in both organizations to know who's in charge during the merger, especially on the technology side."