Dr. Jim Kennedy, MRP, MBCI
Ensuring adequate business continuity and disaster recovery should be one of the foremost activities of any company today. However, those companies that are preparing for or are in the middle of a corporate merger or acquisition will need to address some formidable and distinctive business continuity / disaster recovery challenges and opportunities.
Because the overall business landscape seems to point to increased merger and acquisition activities over the next few years (just look at the rate of mergers and acquisitions of telecom carriers, banks and healthcare providers in the last two years) business continuity departments could be severely challenged.
Once it has been announced, and before the legal ink has dried on the paperwork, the managers responsible for business continuity will have to begin their work. They will need to ensure that the technologies and infrastructure utilised are properly protected and adequately backed-up. Based on experience with several acquisitions over my twenty-five years in business continuity and disaster recovery I offer some suggestions for those who are about to be engaged or are already engaged in merger or acquisition support.
Establish necessary budget
Merger and acquisition work will definitely stretch any organisational budget and manpower, and business continuity is no exception. Make sure that there is enough monies in the M&A budget to provide for all of the work required for evaluating and integrating business continuity into the newly formed business. Include outside consultants and IT experts, if necessary, to aid in the planning and developing of technical solutions.
Perform due diligence
Perform the due diligence before merger activity actually begins. Evaluate the business continuity and disaster recovery policies, practices, and procedures of the firm to be acquired to determine how well protected it is. Find out results of recent testing efforts and establish how well trained the new firm’s business continuity team members are. Find out if the risk assessments and business impact assessments are up-to-date and whether plans are current and fit for purpose. As the Business Continuity Institute recommends: “learn as much as possible about the business.” Work closely with your business continuity counterparts to determine, at a high level, what processes, systems, or locations are mission critical to the operation and learn how business continuity and disaster recovery are implemented in those areas. The more that you can learn about the new organization’s business continuity programs the better prepared you will be in converging the two businesses planning and recovery efforts together. Remember, the very first thing that the new entity will want to do is to communicate verbally and via e-mail and to access critical databases of financial data, customer data, and manufacturing processes. Those systems should be quickly identified and reviewed, and business continuity managers should be a part of the implementation effort, to ensure proper continuity of services.
If the company being acquired lacks adequate business continuity and disaster recovery practices something needs to be done immediately to protect both organisations as of Day one. Utilise the best business continuity subject matter experts (SMEs) that you have to help to implement initial, short-term practices, while identifying gaps and developing plans for post-merger or acquisition business continuity work. If these SMEs are already taxed to their limits then bring in consultants to evaluate and validate the state of the business continuity posture and to develop interim steps to shore up the environment until permanent policies, procedures, and technologies can be implemented.
Evaluate third-party providers or business partners
Review the business continuity practices of critical third party providers or business partners of the company about to be merged with or acquired. Investigate to ensure that the recovery objectives of these third party providers and partners align with the business goals of the company you are about to merge with or acquire, as well as, your organisation. If possible, obtain copies of recent audits, especially SAS 70 audits. If there are severe issues with the availability capabilities of these third-parties it should be brought to the attention of senior management immediately as it could affect operations post-merger.
Anticipate failures and unplanned incidents
When joining the complex infrastructures of two business organisations together failures occur, errors are made (both by accident and sometimes on purpose by disgruntled employees), and technology is stretched to breaking points. It is imperative that initially a complete incident response and communication plan is in place and tested prior to day one of the merger or acquisition. This will allow the new organisation to address problems even though it may utilise business continuity and disaster recovery plans developed pre-merger. Make sure that each organisation’s business continuity team is fully aware of what is expected of it pre-merger, during the first 90 days post-merger, and during full convergence of the two organisations. The more rapidly the two organisations’ teams begin to interact and share information the quicker the protection umbrella of business continuity will be opened and available to protect the new business.
Begin post-merger or acquisition planning
Post-merger a business continuity steering committee should be organised and staffed by key subject matter experts from both of the joining business operations. They should review the policies and practices of the two companies and they should select the ‘best of the best.’ That is selecting the best practices from each entity and integrating it into the overall business continuity management framework of the new corporation. The “Not invented here” mentality, which often comes from the acquiring entities personnel, should not be tolerated. The author has seen firsthand that an entity being acquired actually had much superior policies, processes, and procedures in both the security and business continuity and disaster recovery areas to the company that was acquiring it.
Communicate, communicate, communicate
Lastly, the most important issue is communications. A clear understanding of the importance of an effective business continuity program from day one must be communicated by senior staff and re-iterated by the managers at each operating level. As each business unit is evaluated, and new business continuity and disaster recovery plans or solutions are put into place, the reason needs to be communicated to the employees to emphasise that the reason is to strengthen the organisation and to protect it from unforeseen events.
Dr. Jim Kennedy is Distinguished Member of Consulting Staff in the security and business continuity practice of Lucent Worldwide Services. Dr. Kennedy has over 25 years experience in the business continuity and disaster recovery fields and holds numerous certifications in network engineering, security and business continuity. He has developed more than 30 recovery plans, planned or participated in more than 100 BC/DR plan tests and has helped to coordinate three actual recovery operations.
•Date: 21st July 2005 •Region: World •Type:
Article •Topic: BC general
this article or make a comment - click