Thinking M&A or Divestiture? We’ve Got Answers in Our M&A FAQ

by Jim Ryan
Managing Director – Leader, Protiviti’s Mergers & Acquisitions practice


We recently published our M&A FAQ Guide and the timing could not be better. M&A activity, including carve-outs and divestitures, is on the rise around the globe as organizations sharpen their strategic focus. Yet, as noted repeatedly in articles in Forbes and the New York Times, among other media, the majority of companies fail to realize the desired value of their transactions. Why? Simply put, organizational responses are not comprehensively designed to match the complexity of an integration or separation.

Our M&A Guide offers considerations that may better prepare your organization. Mergers and acquisitions tend to be corporate-wide initiatives that, by their very nature, are sprung on employees with little analysis of people, process and technology interdependencies. Additionally, planning is rushed, runways for execution are shortened and key personnel become overcommitted. Our guide can accelerate your M&A activities by providing insights for many of the key challenges that organizations must solve to meet expectations.

For a glimpse at the guidance we offer, consider five questions to ask about your M&A activity:

  1. What is a typical deliverable of the due diligence team?
  2. Have we sufficiently defined the scope and change control process?
  3. How do we structure the team without detracting from daily business demands?
  4. What are the unique issues facing Finance, IT, Marketing and Sales?
  5. What are the key risks?

To make a merger or divestiture succeed, you must align the growth strategy with your corporate strategy; identify the right markets and targets; define and execute thorough, fast due diligence; prepare a detailed plan by phases; and follow up with well-resourced execution.

While nothing replaces focused thought and aggressive action, the information in our guide can help sharpen your focus while reducing risk, improving your chances of realizing desired value – and maybe get a little sleep.

Just-Released Insights on IT Security and Privacy – Board Engagement, Cyber Threats and More

I am pleased to announce that Protiviti released the results of its 2014 IT Security and Privacy Survey today. Our report contains some highly noteworthy findings that we’ll be discussing in greater detail in future entries. For now, let me share the key highlights with you:

  1. Board engagement is a key differentiator in the strength of IT security profiles.
  2. There remains a surprising lack of key “core” information security policies.
  3. Organizations lack high confidence in their ability to prevent a cyberattack or data breach (which isn’t a surprise given previous entries we’ve posted on this blog!).
  4. Not all data is equal: Companies can’t protect everything – designating a subset of their data deemed most critical will help with their data security measures, yet many aren’t doing this.
  5. Many are still unprepared for a crisis.

Visit for more information and to obtain a complimentary copy of our report. And view our video below.

Mobile Health Apps

Pretty much everyone I know – and I’ll bet everyone you know – uses a mobile device of some kind. In fact, more than 130 million people in the United States own smartphones, and almost half have slept with a phone next to the bed (hopefully they don’t put it under their pillow!). It’s also estimated that half have used them to obtain health-related information, and that about 20 percent have installed a health-related app (so-called mHealth, a term used for the practice of medicine and public health with the help of mobile devices). In fact, I’ve read reports that five years from now, 100 million people will be using mHealth and various mobile fitness apps. And we’re not just talking about an application for industrialized nations; the mHealth field has emerged in recent years largely as an application for developing countries, where mobile phone penetration is increasing rapidly. In developed and developing countries, mHealth is rapidly becoming a means of providing greater access to larger segments of the population, as well as improving the capacity of their health systems to provide quality care. Thus, mHealth is a big deal.

Protiviti’s recent white paper, “mHealth: How Mobile Apps Can Help Health Plans Improve Consumer Engagement and Facilitate Behavior Change,” took a close look at the mHealth space and identified multiple opportunities for health plans to use mobile app technology. Our research confirms that member engagement via mobile telephony can improve member satisfaction, loyalty and retention. It also can be a key strategic weapon against rising medical and administrative costs and reform uncertainty, and facilitate interaction with health exchanges and accountable care organizations.

I’d like to make a couple additional points about mHealth apps:

  • The federal government is already deeply invested in mHealth and patient engagement. The Department of Health and Human Services set up a Text4Health task force to provide mHealth recommendations directly to the secretary. It also established a SmokefreeTXT program for smoking cessation, and TXT4Tots, a text messaging library with evidence-based information on nutrition and exercise.
  • In the private sector, Aetna, Humana, Florida Blue and Kaiser Permanente are among several high-profile examples of health plans maximizing mHealth apps.
  • mHealth vendors are already servicing payers that need engaging mobile content for users – but that too often use communications written by clinical staff using clinical terminology. Sensei Health stands out in this; it uses writers with diverse backgrounds – including comedians, in some cases – to compose several versions of a standard message, then tracks users’ response rates to each and sends future communications in the most popular style.

I note all this to give you an idea of the potential of mHealth apps for better member engagement. But organizations have to put some effort into it. To be successful, mHealth programs must get personalized information into members’ hands when their members want it – and not use mobile apps only to reduce administrative costs. They’ll need a comprehensive mHealth strategy in order to do this right. Companies don’t want to do it poorly and alienate the members they’re trying to engage.

Ask the senior management in your organization:

  • How can our plan maximize mHealth to optimize member engagement and facilitate behavior change?
  • How can we provide a secure environment for the exchange of sensitive personal information?
  • How can we integrate mHealth information into existing workflows?

The Protiviti white paper on mHealth apps provides details on key issues like patient privacy and data security. I encourage you to check it out.


Cloud Data Security – The Risks Are Real But Don’t Fear

by Cal Slemp
Managing Director and Leader of Protiviti’s Security Program, Strategy & Policy Practice

I’m concerned that recent articles might be giving the wrong impression about the risks that accompany data storage in the cloud. When I see headlines like “Cloud Security Concerns are Overblown, Experts Say,” I worry that companies may see “overblown” and perceive “non-existent.” Such stories are part of the news cycle. For example, the same question was posed in this Forbes article back in 2012, and was followed shortly thereafter by a number of very-high-profile retail and financial data security breaches.

Wherever there is risk, there are bound to be stories questioning whether the perception of risk is exaggerated. And while it is true that a few data security breaches do not an untrustworthy cloud make, it is also true that there’s no such thing as secure data storage. Offsite, and thus “out of sight,” should not equal “out of mind.”

Risk is risk. It doesn’t matter if you keep your data in-house or in the cloud; your responsibilities for data security remain the same. You can’t afford to leave anything to chance because you remain responsible for customer data loss – even if the data was lost by a third-party vendor. All the customer cares about is you and the trust he or she placed in your brand. And while you may have a financial recourse in the event of third-party data loss, the reputational damage will all be on you. That is the business reality.

In a Flash Report Protiviti published earlier this year, we summarized the federal government’s cybersecurity framework and how it will help organizations get a handle on securing their information. I feel it’s a helpful document for companies that haven’t spent much time and effort on information security; for those that have, it’s consistent with the efforts we’ve seen in our work in the security and privacy space.

Remember that whichever framework or approach you select, mitigating cybersecurity risk introduces new investment costs that need to be considered by management, and that insufficient data security mitigation plans can cause revenue and customer loss and severe reputation damage that can be detrimental to your bottom line.

The cloud’s vulnerabilities affect your vendor risk management efforts as well. My colleague, Rocco Grillo, noted recently that a company “can have all the security in the world inside its four walls, but all it takes is a compromise at one third-party vendor that’s connected to it. That creates a bridge directly into the organization.” And as our colleague Brad Keller from the Shared Assessments Program states, if you’re relying on a third party, “you can’t just shut the door and say it’s someone else’s problem. You can outsource the function, but not the risk. In effect, you ultimately own the risk.” That’s why Protiviti and the Shared Assessments Program developed the first comprehensive Vendor Risk Management Maturity Model. This model sets forth best practices for developing a comprehensive third-party risk program and allows a company to evaluate its program’s maturity against development goals. It’s worth taking a look to see how well your company stacks up.

Are cloud data security fears overblown? Maybe. Ripples on a pond do tend to grow as they travel outward from the source. But overblown does not mean minimal or nonexistent. The risks are real, and organizations need a solid vendor risk management policy and procedure in place to ensure that those risks are adequately considered and addressed.

IT Transformation: Five Strategies to Manage Change

Boardrooms are abuzz over big data; mobile applications are the order of the day; the first wave of enterprise resource planning systems is due for an upgrade. Without a doubt, information technology (IT) is in the crosshairs of change. Seems like it’s always been that way!

The pressure is on for IT departments to design, source and implement new systems incorporating all the latest bells and whistles. I offer the results of Protiviti’s 2014 IT Priorities Survey, which I have mentioned here previously, as proof of the scope of the drivers for change.

In leaping forward, however, organizations tend to embrace the future at the expense of the status quo. This can be a costly and crippling mistake when dealing with mission-critical systems. Service and performance continuity is as important to change management as change itself. In making change happen, it is essential to ensure that everything already in place runs smoothly while you build and implement the new technology. Also, it is important to achieve acceptable returns on prior IT investments. There has to be appropriate balance when embracing change.

For many companies, IT transformation can mean deploying heavily customized software; “re-architecting” existing networks; establishing interconnectivity with new business partners; adopting specialized technology; and investing further in web and mobile capabilities. So what are the best ways to manage an IT transformation? Here are five strategies and approaches that we have found work best:

  1. Understand – and communicate! – your priorities. This means introducing them with the assistance of relevant functional leaders across the enterprise. Paint a picture of what you have now, what you hope to have after the transformation, and what needs to be done to maintain the technological status quo during the change.
  2. Prepare a prioritized task list, in consultation with the organization’s executive management and business owners.
  3. Make sure you understand which core activities cannot fail during the transformation and develop appropriate timelines to address them.
  4. Organize your IT transformation projects according to your priority list.
  5. Make sure you have the right skills and people in place to get the job done.

Companies know too well how difficult it is to maintain current systems as new systems are being developed and put in place. Indeed, “IT infrastructure change management” and “operating system change management” both ranked very high as critical priorities in our survey. Planning and managing the technical infrastructure are key elements to the success and resilience of the business.

Here are some questions to ask prior to initiating an IT change:

  • Which systems are in immediate need of upgrading and which ones can wait?
  • Which are the mission-critical systems that need to be maintained during the change?
  • How will you maintain IT security during the change?
  • How and when will your IT policies be updated?
  • Do you have the resources to accomplish the transformation efficiently, effectively and with minimal disruption?

The breathtaking pace of technological change greatly complicates IT management processes, and the need for new technologies will continue to command the attention of CIOs and IT leaders. While you can’t stop progress, maintaining current systems and operations to ensure a smooth transition can spell the difference between IT that supports and moves the enterprise forward, or periodically disrupts it.