Worldwide mergers and acquisitions (M&A) result in about 40,000 deals per year. While some corporations eat up companies like Pac-Man chasing blue ghosts, most firms are not involved in enough M&A deals to develop in-house expertise. These occasional buyers rely heavily on seasoned consultants, lawyers, and specialists who focus on integrating primary business units—the accounting department, distribution, finance, IT services, marketing, office services, and the sales force. These experts will typically depend on proprietary, executable integration plans that address from a few hundred to thousands of areas of concern. 

However, history reveals that most companies will not spend funds to engage true security integration experts. Rather, the C-suite will depend solely on the resident security professional to handle something that requires strong business acumen. 

If both companies have an established security program, an upfront decision is how to integrate the two. No matter how that happens, usually only one security director will be charged with leading the new or enlarged department. Once this is decided, the new security director faces the challenge of merging or integrating two similar but distinct security programs to create one operational security team.

The security leader, predictably, may struggle to perform his or her regular duties, as well as deliver a fully integrated solution: namely, a work product that matches the outcome achieved down the hall in business units that are assigned an experienced consultant who is able to focus completely on the integration mission.

In a perfect world, when companies merge into one, every part of the enterprise should ultimately reflect the best business practices identified. For instance, the best accounting, facilities, IT, office services, and sales practices should be embraced by both companies. Yet, sometimes the CEO’s message to use integration to improve processes gets lost in translation. Egos and resistance to change habitually win out, and true improvement opportunities are missed.

As the security leader, don’t get lulled into these needless traps. Check your ego at the door and use the security integration as an opportunity to create a robust, comprehensive security program that truly reflects the best of what each company offers and, more importantly, what the new business entity needs.​

CULTURE SHOCK

No matter how similar two companies look from the outside, internally the M&A integration process is a culture shock across all departments. The first step in the process is to understand this dynamic.

During the official integration period—and for many months afterwards—there is a hit on morale and a loss of productivity. Anyone who has ever been through an M&A knows that rumors run rampant. Employees at risk of losing their livelihood become anxious and emotional during the integration process and will believe rumors until those whispers are proven wrong. Within the security group, the demand for personnel safety and asset protection measures will spike at the same time the department is absorbing its own M&A related changes.

The second step in the process is learning to approach an integration project by removing your corporate security ball cap and donning your consultant hard hat. Consultants establish clear goals, time lines, and budgets while relentlessly following up with any employee or third party necessary to accomplish the mission on time. They are not wired to make excuses, and failure is not an option. Consultants know that nobody else wakes up thinking about their engagement project or cares about the result or deadline. Embrace this mindset as you integrate the security and investigations program. 

If you exist in a mostly reactive security world, the proactive nature of a successful integration project may catch other department heads off guard, so one tip is to ask an executive to send out an internal e-mail to all the business unit leaders indicating that you are handling the security integration and requesting timely responses to security-related questions.

The third step in the process is to know your target. Security professionals are trained to collect intelligence, so this is an easy step for most. Some common information about the target company you may want to collect includes the history of the company, corporate structure, ownership, strategic relationships, information about any labor disputes for the last five years, and relevant regulatory and environmental information pertaining to properties.

A working knowledge of these variables will help you align the security practices and raise your own awareness, as well as identify weak processes that could be fertile ground for internal fraud or external kickback schemes. This knowledge could also help you identify glaring physical security problems, such as outdated business practices and substandard security systems.

The final step in the process is to identify all the security and investigative areas that need to be merged and formulate a plan with deadlines and a budget. This typically includes a variety of security responsibilities, such as policies and procedures, access control systems, and guard force management.​

POLICIES AND PROCEDURES

Security policies and procedures establish the security culture. The first step of the M&A process is to identify and collect all of the policy and procedure documents from the target company. Ideally, this information is attained during the due diligence period, but such documentation is frequently unavailable until after the M&A. 

Reviewing policies written in technical or legal jargon can be difficult, so keep on your consultant hard hat and focus on answering key questions: what policies does the company have, when and why did it put the policies into place, what policies are missing, and how are employees and contractors put on notice about the policies? Knowing the answers to these questions will help you develop a plan to roll out the new policies and procedures across the entire organization.

Many companies—especially small or family-owned ones—never get around to codifying protection policies or procedures, and a sudden influx of new security protocols can be a shock. Take, for example, a recent acquisition of a global company by a hedge fund. The main problem facing the hedge fund’s security team was ensuring that the existing security policies and procedures were expanded to cover the strict compliance, regulatory, and legal requirements of customers and government agencies worldwide. 

The solution was to embark on a comprehensive assessment and master planning project to account for the expanded footprint of the M&A. Several issues emerged, including cultural differences, foreign laws, environmental concerns, joint venture partners, language barriers, law enforcement liaisons, outsourced relationships, and supply chain vulnerabilities.

Key to this process was identifying all of the relevant business areas covered by security policies and procedures, and prioritizing those that posed the most risk to the brand, employees, physical property, and proprietary assets.

M&As like this allow the security team to gain the respect of the newly added employees by diplomatically introducing the security culture and procedures in a user-friendly way. These types of difficult situations also allow the security team to explain how well-written policies and procedures protect all employees.

In many integration projects, the approval process is streamlined for efficiencies. Use this temporary time-out from bureaucracy to prepare and achieve chain-of-command approval for policies and procedures that have been on the sidelines waiting to get into the game.

If the thought of integrating physical protection and investigative policies and procedures feels overwhelming, remember the critical role you play as the security gatekeeper. The key is to make sure that your company has the documentation in place that keeps all the assets and employees safe.

At a minimum, use the opportunity to carefully read all the policies and procedures like an editor looking to make the story better, so all employees can better understand what security does and why. If you have not completed a comprehensive review of your security policies and procedures in more than three years, you may be surprised how a fresh review will identify areas for evolution and improvement.​

ACCESS CONTROL

Assuming that the post-M&A company will require an access control solution, the goal is to create one that reflects the real and near-future needs of the company. Like most popular technologies, improvements are made so frequently that even the most vigilant security leader often feels that the existing system is inadequate compared to the systems coming online.

Don’t get caught up in the vendor-driven hype and confuse wants with needs. The appropriate access control system is cost effective, reliable, and scalable; meets your realistic needs; and is user-friendly for the security team, IT staff, and all end users. 

Additionally, the vendors behind the hardware, software, and service contract should have a worthy reputation and proven capability to respond in a timely manner. These essential needs should be identified during the procurement process and agreed upon in the terms and conditions portion of the final service contract.

In most M&A scenarios, the buying company simply scales up its current system to add the new company into its envelope. An example of this was an acquisition of a Toronto-based company by a New York-based corporation. Both had access control, but were using different systems. 

The New York company had a robust, top brand, fully integrated system, but the Toronto company had a basic, off-brand system. A due diligence assessment identified the multiple areas for improvement, including alert features, badge protocols, and relevant policies, such as requirements to wear badges at all times and user-friendly procedures for lost, stolen, and replacement badges. 

A deeper dive also revealed that the Toronto company had been on the market for a long time and was having cash flow and leadership issues. These realities translated into deferred maintenance and significant budget cuts for security expenses. 

As a result of the findings, the New York company decided to spend $300,000 to bring the Toronto company online with its existing security practices, instead of replacing the entire access control system for both companies at a cost of $750,000 to $1.2 million. 

During an integration, you are operating with less bureaucracy and, therefore, may have the only chance in your career to make a business case to put in an access control platform the company can use for the next generation. Your primary business case assumption is that when you add more access points and more users at more locations, your hardware, software, and service needs will go up—not down. 

Additionally, access control areas need to be reviewed and assessed for improvement, including auditing and reporting features, authentication requirements to meet all relevant regulatory requirements, biometric solutions, CCTV integration, identity access management, mobile solutions, remote access to the system, tracking individual badge holders, and visitor management.

Remember that your system should be expandable and scalable to meet future needs. For instance, if and when technologies such as facial recognition and real-time criminal background checks prove relevant and economical, security should be ready.​

GUARD FORCE

The new footprint of the post-M&A company will require a comprehensive review of the guard force and a revised plan to manage that force. When you merge or acquire another company, you may suddenly discover that you gained a physical presence in another part of the world, another city in your own country, in leased space managed by third parties, or in a unionized environment. Depending on the type of companies being merged, an increased legal or regulatory risk could result. 

For example, specific areas of concern that may have stricter requirements for assessment include the hiring process, drug screening, licensing, training, compensation, working conditions, scheduling issues, and post orders. 

Because a human resource and legal department that is based in only one geographic location will not understand the dynamics of the security field in another location, the security director should seek advice from contract guard firms in these new geographic areas. However, make sure you confer with at least three reputable firms to avoid making an ill-advised decision based on misinformation from a single source.

Information can also be provided by networking with other security professionals through professional associations or through social media. Ask these contacts to provide relevant information about the area and then double-check the material through relevant administrative code, customs, laws, regulations, statutes, and, if applicable, local union requirements.

The last piece of the puzzle is a review by your legal department, which will hopefully go smoothly when you provide a concise game plan with the appropriate citations. For instance, a manufacturing company in Charlotte, North Carolina, purchased a distribution company in Memphis, Tennessee. The distributor leased all of its distribution and assembly locations from a single real estate group that had a contract with a guard force management company to provide exterior security. The distribution company piggybacked off of the real estate group to temporarily staff up to 30 posts on 24-hours shifts.

As part of its due diligence process, the security director at the manufacturing company reviewed the contracts, pricing, post orders, and duties. The security director interviewed the guard vendor, met with the existing contract security team, vetted reputable competitors, and used a request-for-proposal process to better understand options and site-specific needs.

During this process, the manufacturer outlined all the options—maintain the status quo, establish a new relationship with a contract security company, roll out a proprietary guard force, or create a hybrid response. Ultimately, given the varieties of functions security guards would be required to fill—concierge service, unarmed patrol, first responders with CPR training, and armed response—the manufacturer chose a hybrid solution.

The manufacturer hired a full-time supervisor and shift supervisor who worked directly for the company; renegotiated the contract with the existing security guard vendor to improve the quality of the security officers in terms of training, experience, licensing, and first responder capability; and modified the post orders to align with the manufacturer’s practices.

The company also created a proprietary management team to provide on-site supervision. Using an outside vendor to staff the security team also made the solution cost-effective and scalable throughout the year based on business demand.

The easiest path in an M&A is to simply roll out your existing security programs, policies, and procedures across the new enterprise. But while that makes life easier in the short term, improving the security environment and identifying talent helps your company in the long run.  

--

Thomas R. Stutler, Esq., CPP, is the manager of security, safety, and investigations for Raymond James Financial, Inc. He is the vice chair of the ASIS International Investigations Council and the chairman of the ASIS Memphis Chapter.