Ask the Expert: Should we perform a risk analysis before a merger or acquisition?
When most companies perform due diligence before mergers and acquisitions, many of the risks that are examined during that audit are financial: contracts, finances, and brand reputation all taken into account during the due diligence process. But financial risk isn’t the only sort of risk a company can carry.
If your M&A due diligence isn’t taking security risks into account, you may have a big blind spot when it comes to your investment. Are all your acquisition’s sites secure? Has the company suffered a data breach? What about their policies? Are the past or ongoing liabilities that this location has been exposed to? Does your acquisition subscribe to a culture that puts security first? All of those elements will affect the value of your investment.
If you don’t know the answers to the above questions, it’s time to perform a risk analysis as part of your due diligence process.
Ask the Expert: How Do I Identify If an Incident Is Probable?
What is a risk analysis?
Often you will see the terms “assessment” and “analysis” used interchangeably when it comes to determining a company’s risk. They aren’t the same thing, however. A risk assessment is just that — gathering information to assess an organization’s (or a site’s) security and risk.
A risk analysis is a comprehensive examination of the data produced by one or more security assessments. When we do a risk analysis, we use the set of data we’ve gathered during an assessment to produce a set of recommendations that will help you make your organizations safer.
When it comes to M&A, a security analysis is a great tool that helps you understand the value of the company you’re purchasing, and also ensures you’re not overpaying for a site that will need a security overhaul, for example. Think of it as an audit of an asset’s security risk.
Ask the Expert: How Can I Improve My Guard Force?
What to look for during a pre-M&A risk analysis
While every company has a different appetite for risk, there are some common items your analysis should include.
- The location of sites: It’s important to understand where each site is, and if those sites are safe. Your assessment should take into account crime data for the area around each site, as well as information about weather patterns and geography. If one site is in a flood plain, that’s a risk you need to know about.
- The infrastructure at each site: What does each of the company’s sites look like security-wise? Is there a guard presence? Are all the security cameras working? Have the fire extinguishers been inspected recently?
- Policies and procedures: What is security like now in the company you want to purchase? Are the policies in place sound? Does management review the policies regularly?
- Cybersecurity: Has the company suffered a data breach lately? What controls are in place to secure the company’s data ecosystem? What about its digital supply chain? Are third parties secure?
- The security culture of the organization as whole: Does the entire company value security, from the top down? (If the security department is in the basement, or there’s no upper management devoted to security, chances are your new company does not currently embrace a culture of risk.)
- Is there a culture of risk with the organization you wish to purchase?
Ask the Expert: How Can I Improve the Performance of My Security Force?
Why is risk analysis so important before a merger or acquisition?
Imagine you’re buying a house. You wouldn’t make the purchase without having the home inspected first, would you? If the foundation is crumbling, for example, you’d want to know, because a bad foundation is a major risk for a homeowner. It’s the sort of risk you might not want to take on in a new investment. Just as you wouldn’t buy a home without knowing all the associated risks, you shouldn’t buy a business without being aware of all of its risks.
Do you need help analyzing the risk of a company you’re about to acquire? Contact us if you need advice about risk analysis and the M&A process.