The transition of mergers-and-acquisitions due diligence from a disjointed, siloed process focused on short-term questions to a holistic, integrated enterprise risk management approach is long overdue. The vigor of the past year's mergers-and-acquisitions market, with billions being put to work by financial and strategic buyers alike, has increased the emphasis on due diligence to protect the ever-increasing amounts of capital at stake, maximize returns and improve the long-term success rate of these transactions.
Risk managers can help drive this change with a trained look at risk from a broader perspective. By inserting themselves into the due-diligence process, risk managers can add considerable value and drive the strategic thinking of the enterprise.
Using ERM processes and methodologies derived from recently accepted standards--such as the Committee of Sponsoring Organizations of the Treadway Commission framework for due diligence--can not only improve the due diligence itself but also provide a roadmap for defining business objectives, identifying and mitigating risks, and enhancing the value of the enterprise long after the transaction is closed. In addition, the use of ERM pays dividends during merger integration, as findings can be prioritized in order of risk magnitude.
ERM DUE DILIGENCE
Traditional due diligence tends to focus on return on investment and valuation, taken at a single point in time, without considering how the business's various components work together in a continuum. Conversely, ERM applies a methodology built around three common high-level steps--the three M's of measuring, managing and monitoring--to the risk management process, and considers each element of risk--both positive and negative--in light of its interdependencies throughout the organization. In addition, ERM defines how those risks may be mitigated, how they rank in terms of potential severity and how they can be managed against known objectives.
Here's an example: A business executive is attending a risk management symposium. One morning, he wakes up to a beautiful day, and thinks about playing golf at the five-star course next to the conference center, instead of listening to the featured speaker.
First, he measures the positive impact of playing golf. There are many factors to consider: his personal enjoyment; the possibility that he will make a good business contact in his foursome; then the negative impact of the possibility that his boss will be upset that he didn't attend the seminar.
He then manages that risk. He could choose to play golf but be certain to collect business cards from each of the other participants in the foursome and to follow up on any business opportunities once he returns to the office. Or, he could choose to attend the conference, as the dramatic downside potential of angering his boss outweighs the upside potential of four hours on the golf course.
Finally, the risk is monitored by the boss, who determines where the risk executive was, what he did and what next steps are required.
If the executive had taken a singularly negative approach to risk management, he might have headed to the first tee without considering all the factors involved. But thanks to his process-based approach to risk management--a cornerstone of ERM--he instead concludes he should go to the conference--the three M's in action.
The same risk management methodology can be applied to key areas in the due-diligence process. We'll look at two: information technology and vendor relations.
In traditional due diligence, we might explore the topographical map of the system architecture, the quality of the company's computer systems, the training and know-how of the IT work force, and the amount of dependency on outside vendors or consultants.
However, the framework utilized in an ERM environment looks more in depth at the potential risks to the enterprise as a result of its systems and how those risks are related to other areas of the company.
Let's look at a specific example again. A research-and-development-driven firm is using the most advanced computer-aided design/computer-aided manufacturing, or CAD/CAM, technology for product development available today. Its R&D department consistently announces product upgrades and new products that are absolutely right for the market, and this is a key factor for the company's growth.
Using an ERM framework, the risk management team can walk through a predetermined process to identify, evaluate and rank risks and their impact on the entire organization, and to develop a post-acquisition action plan.
This provides a broader view of this situation, as well as an action plan for mitigating these risks in the future. This also allows scenario analysis based upon future possible events, actions or inaction. Some risks and analyses in the aforementioned situation could include:
* Internal environment: Cutting-edge IT systems, but IT not willing to look at other CAD/CAM technologies to support R&D efforts, leading to no cross-pollination of new technologies.
* Objective setting: Is the goal cost/expense minimization in the short term, or revenue maximization in the long term? What, in monetary terms, are the opportunity costs and potential outcomes of either approach? By aligning the two to defined risks and evaluating both positive and negative outcomes, the decision is more easily made because the information is readily available.
* Event identification: Software vendor loses competitive edge, goes bankrupt, is acquired and is de-emphasized by its new owner.
* Risk assessment: Moderate.
* Risk response: Begin cross-training the R&D team on competitive CAD/CAM systems.
* Control activities: Monitor human resource efficiencies in role-changing environment, and monitor the use and application of employee resources.
* Information and communication: Gain written buy-in from R&D team leaders.
* Monitoring: Within six months, the goal is to have 20 percent of R&D staff cross-trained on competing technologies.
This ERM approach considers the thinking behind the business, the planning and strategy that goes into selection of systems, and the acknowledgement of the interdependence of systems. In the example, there is a discrete risk to the R&D department that the technology used to develop new products becomes obsolete. More obvious is the risk of inefficiencies and loss of human resource expertise. But these risks spill into every area of the company, from sales through finance through strategic planning.
Most organizations use annual vendor assessment questionnaires to evaluate key vendors' health. Traditional due diligence examines these to assess vendor relationships, and gauge dependencies on potentially troublesome supply sources. It might even go one step further in interviewing key suppliers and determining their attitude and disposition to the company.
However, this approach can completely overlook critical factors, such as a vendor's brush with bankruptcy, missed shipments or recent transitions at any time between the annual assessments. If the vendor was performing well, and was creditworthy when they completed the questionnaire, no issues are raised. The deal goes forward.
Here, the ERM model can be applied for more reliable results. But again, the key in an ERM model is the three M's--measurement, management and monitoring--on a continuous basis. With vendors, monitoring is particularly important, because each missed shipment, each quality excursion and each shift in the vendor's credit quality increases risk to the enterprise. And because the risk associated with vendors links to so many other areas in the company--manufacturing, sales, quality and even R&D--it is critical to apply a more proactive ERM-based approach to due diligence. A point-in-time analysis of vendors provides a baseline measurement from which to build and can provide a good snapshot of the state of the enterprise's vendor base, but it doesn't go far enough for this critical area.
Again, an ERM framework approach provides a broader view of the risks, as well as a risk remediation plan for the future. Another example:
* Internal environment: Purchasing department manages vendor relations with input from the manufacturing team.
* Objective setting: Vendor supply continuity and product specifications meet quality assurance criteria.
* Event identification: Ongoing vendor-assessment questionnaires completed.
* Risk assessment: High. Three key vendors supply 90 percent of components for manufacturing.
* Risk response: Broaden vendor base; bring in at least three more suppliers of key components.
* Control activities: Monitor vendor credit rating, financial performance and product-delivery timelines.
* Information and communication: Provide written goals and objectives with time frames for implementation to purchasing department within 60 days of closing.
* Monitoring: Implement real-time vendor-tracking database.
In the vendor-relations arena, this approach can help manage and monitor vendors going forward, and track key metrics such as deliveries, quality, price, rework and returns. It can also monitor qualitative factors about the vendor's creativity, the extent to which they bring new solutions to the table and turnover in the sales team assigned to an organization's account. Each metric speaks to overall health of the vendor relationship, and helps guide time-sensitive business decisions.
OBJECTIVITY IS THE KEY
The business landscape is littered with companies that grew through acquisition but ultimately failed because they either failed to properly integrate those acquisitions, or made a bad acquisition. A more detailed ERM-based due-diligence plan, combined with a solid risk-remediation action plan once the deal closes, can improve the chance for success in the M&A game.
The critical difference between traditional due diligence and ERM is in the evaluation of the interdependencies of the risk, examination of the control components of risk, ranking and prioritization of various risks against each other, and, ultimately, the management of those risks over time. An ERM approach to mergers-and-acquisitions due diligence ultimately helps managers make good decisions by providing the essential in-depth information.
Tools are available to help with the implementation. Software solutions can automate all of the major components of ERM. In such a system, risk elements can be tracked and ranked, interdependencies catalogued and action items tied to specific dates on the calendar for completion. Changes to the overall risk profile of the organization can then be aggregated, providing senior executives with a snapshot of the company's risk management activities, highlighting areas that are substandard and informing them of areas that need to be improved.
Finally, with ERM as the framework, buyers can have a structured, repeatable process enabled by tools that provide them with a detailed integration plan once the transaction has closed.
After the process, acquisitive organizations will have developed a due-diligence program that can be replicated in successive mergers as a best practice.
is president and chief technology officer of Keane Business Risk Management Solutions.
May 1, 2007
Copyright 2007© LRP Publications