Trends in Mergers & Acquisitions
Corporate dealmakers have been busy in recent years, closing more than $10 trillion in domestic transactions since 2013. These mergers and acquisitions (M&A) are central to companies’ growth strategies, whether fueled by globalization, acquiring new products and technologies, or expanding their customer base. According to Deloitte's most recent “The State of the Deal: M&A Trends" report, 96% of dealmakers expect the current M&A boom to continue, and 75% of corporate executives plan to pursue divestitures this year.
Of course, none of these deals come without downside and risk. That’s why 46% of business executives say that less than half their transactions generated the expected value or return on investment (ROI), with 20% citing effective integration as the most important driver of success.
However, comprehensive integration is a daunting task, usually taking anywhere from six to 36 months and spanning several areas—from integrating workforces, facilities, culture, supply chains, and product offerings, to the technical integration of customer data, corporate networks, applications, and, of course, user identities. Effective business integration relies on equally effective IT integration, yet PwC’s M&A Integration report found 35% of Fortune 1000 companies that completed M&A in the previous three years had still not fully integrated their systems and processes.
Unfortunately, slow or inconsistent IT integration creates risk, since it can lead to unproductive employees, underserviced customers, and security vulnerabilities. This is why, in an Accenture study, 84% of business leaders agreed that CIOs need a seat at the M&A table in the early stages of M&A discussion.
Amidst these realities, strong identity and access management (IAM) is a critical best practice that drives M&A success. When your IT team is able to meet aggressive timelines for merging or spinning off identities and resources, you’ll accelerate ROI, reduce IT redundancy and complexity, and improve the customer experience—all while closing the inevitable security gaps and risks that come with every M&A event. In this paper, we’ll explore how modern IAM platforms can help CIOs and other IT leaders deliver real value during these ever-more-frequent periods of organizational disruption.
Juggling Stakeholder Expectations
As you think about how to increase M&A integration success, it's useful to review the various expectations you’re likely hearing from different stakeholders across the business. For example, while shareholders and executive leadership might focus on costs, employees care about job security and ease of collaboration following a transaction, and customers often hope for product and service enhancements from your newly combined company.
Let’s summarize the top M&A considerations and opportunities for each of these key audiences:
(of both acquiring and acquired entities)
|Executives and shareholders||Customers|
● Seamless collaboration
● Access to productivity tools
● Job security
● Operational costs
● Efficiencies of scale
● Speed of product innovation
● Consistent, personalized user experiences
● Product bundles
● Marketing offers
● Slow onboarding
● Communication barriers
● Learning curve for new apps
● Risk exposure
● Decentralized; overburdened IT teams
● Overspending on redundant tech
● Disjointed customer service
● Duplicate accounts across brands
● Noticeably slower innovation
● Single source of truth
● Day 1 access
● Automated lifecycle management
● Best—of—breed IT strategy
● Standardized security policies and practices
|● Cohesive omni-channel CX with streamlined registration, login, and consent|
Buy-side and sell-side employees
Expectations vary for people who work for the acquiring (buy-side) company, as opposed to the acquired (sell-side) company. Sell-side employees typically face more of a learning curve and an added layer of uncertainty.
That’s one reason fewer than half(45%) of PwC survey respondents said they successfully retained employees through their M&A transitions.
Most employees on both sides of the transaction want the ability to easily work together. So, the faster IT removes roadblocks to collaboration by integrating mission-critical buy-side and sell-side systems and applications, the sooner you’ll bring acquired employees into the fold and drive meaningful engagement.
Something as seemingly small as not being able to look up a new colleague in your email or Slack directory hinders M&A synergies. In today’s digital age, each technical hiccup negatively impacts employee productivity, especially for teams tasked with merging strategic projects between the two companies. Apps like Box, Salesforce, Slack, and Zoom were built to support this kind of coordination between teams, but are useless if user identities and content reside in siloed, entity-specific instances.
Often, IT teams assume the only way to bring everything together is to embark on a tedious identity consolidation project. However, many organizations still rely on legacy IAM platforms, which require a massive effort from multiple IT groups to manage all of the network connectivity, firewalls, server maintenance, and security risks that come with integrations. These headaches and costs continue to increase as you add more legacy identity directories to manage. Also problematic is the fact that, during the consolidation process, employees won’t have access to the tools or resources they need. Let’s face it: legacy IAM was not built to support agile M&A, and the sell-side company (especially in a “techquisition” scenario) might actually bring a more modern, scalable, and resilient identity solution to the table.
Executive leadership and shareholders
To deliver on the promises of their M&A strategy, executives and shareholders always look to complete integrations quickly and with minimal costs so they can accelerate growth and product innovation. Smart execs recognize that IT is a key lever for improving operational efficiency during these transitional periods, but they face a catch-22. If they put off centralizing IT teams and resources to keep developers (who are scarce to begin with) from getting bogged down with time-consuming application and data consolidation, they invariably end up overspending on redundancies. Most IT organizations aim to strike a healthy balance between devoting their development resources to improving internal operations, and continuing to invest in external digital differentiation.
As each individual data breach can cost an organization nearly $4 million, another top priority for execs is minimizing these incidents and intellectual property (IP) or trade secret theft, while ensuring regulatory compliance. An unfortunate truth is that companies undergoing M&A activity are inherently vulnerable to bad actors, due to the public nature of most transactions, disgruntled employees with too much access, and higher-than-usual levels of turnover. When an acquired company has known cyber vulnerabilities, hackers often take advantage of this exposure to attack the buy-side company.
More and more, businesses like Marriott discover pre-existing vulnerabilities they’re forced to contend with following an acquisition. A consulting firm recently reported that
40% of acquiring businesses discovered a cybersecurity problem at an acquisition
after the deal went through, while PwC found that 80% of global dealmakers discovered data security issues in at least one-fourth of their M&A targets (as we saw during the Verizon-Yahoo negotiations). And since the total cost of cybercrime now averages $13 million per company (up 72% over the past five years), shareholders know just how problematic these issues can become.
While many M&A deals are made with the goal of reaching more consumers or deepening share of wallet, improvements to the customer experience (CX) may get deprioritized during the integration process. Just because employee productivity and security might be the first step in an M&A integration, that doesn't mean companies should delay CX initiatives indefinitely. Although customers are not always impacted directly during M&A transitions, they represent valuable opportunities (like creating a seamless omni-channel experience and sharing customer insights across brands) that should not be overlooked.
In PwC’s CX in M&A survey, 65% of customers said that if the combined business used their data to improve offerings, they’d consider the deal a success, and 91% felt it was important for companies to keep customer data safe during M&A.
Customers expect their providers to continuously improve offerings, perhaps by extending successful programs or capabilities from one brand (whether from the buy-side or sell-side company) to other properties.
All of this sounds great in theory, however, most businesses are already dealing with customer data that’s scattered across CRM, e-commerce, marketing, IoT systems, and customer support solutions. When you layer an acquisition or two on top of that, disparate customer directories and duplicate user identities can quickly get out of hand. This all-too-common dirty data problem presents formidable challenges that may prevent the seamless and consistent experiences your customers prefer.
Improving Success of M&A Integrations
Thankfully, there are powerful solutions that help CIOs meet the demands of stakeholders when merging organizations with separate IT strategies, corporate cultures, and customer experiences. Modern IAM cost-effectively alleviates many of the technology-related frustrations that come with M&A. By connecting and empowering employees, securing data and IP, and delighting customers, you’ll ensure the whole becomes greater than the sum of its parts.
Read on for five specific ways IAM can help you accelerate M&A integration
1. Create a single source of truth for identities
The ability to maintain a single source of truth is crucial when M&A activity adds to a large organization’s identity sprawl, often including disjointed IAM solutions (most often AD domains and forests), which store access policies for various user types. Many IT teams want to bring all of this together through a domain consolidation project, which is logical, but very time-consuming and complex. With user information stored in multiple sources and formats, one Okta customer found that such a migration took six months and cost $50,000 per directory.
A more effective and efficient approach to developing and maintaining a single source of trust is through federation. A federated identity approach can help expedite and secure the transition for your employees while still providing visibility and control for the IT team. Robust identity platforms are able to drive each of these outcomes by importing users from an unlimited number of AD or LDAP directories and using data transformation capabilities to convert all profiles and attributes into a common schema. This lets you quickly establish a federated directory of all employee identities, more easily manage AD groups, and grant people access to the appropriate applications from a central admin console.
This graphic shows one possible architecture, but there are many ways to unify identities during M&A events. Your source domains might be kept as-is and managed independently, or you might eventually decommission them and migrate to using the single consolidated domain. No matter the topology you choose, you’ll eventually want to connect all directories and applications of the buy-side parent company with all of its subsidiaries for flexibility and agility.
For example, you could move employees of a sell-side company from their current expense system to the buy-side organization's existing system by swapping the application in your IAM platform. Or, if your corporate strategy is to spin off a brand that was previously acquired, you’ll need an IAM system that can distinguish those users, provide them with a separate set of applications, and help you spin up a cloud-based environment for the divested business.
News Corp saves 1,000 hours annually on M&A domain consolidations
In 2013, News Corp separated into two distinct organizations—21st Century Fox and the new News Corp, which focused on development and expansion of its global publishing assets. In addition to its traditional media brands, such as Dow Jones, The Wall Street Journal, Barron’s, The Times of London, and book publisher HarperCollins, the company diversified into online real estate services, digital ad tech, and marketing solutions.
The Okta Identity Cloud revolutionized the way News Corp onboards newly acquired companies. This saved them over 1,000 hours each year on synchronizing and consolidating domains after M&A activity, helping the business realize the value of an acquisition more quickly. “Before we had Okta, when we bought a new company it took a long time to get that organization onto the same approach around identity and security, and to get them using the same tools. Okta makes it easier for us to roll out capabilities consistently to all our business units, so that we can get brands working together globally wherever we need them to,” said Dominic Shine, CIO at News Corp.
To become more agile and responsive to employee needs, the IT team decided to harness the experience of its most pioneering business units, and use them as a model for modernizing the employee experience through solutions like Google Apps, Amazon Web Services (AWS), and Dropbox. With the help of Okta’s Single Sign-On solution, News Corp now enjoys a set of hero applications that’s common to everyone in the company, as well as ways for individual business units to easily deploy apps specific to their context.
2. Provide employees with access to critical applications on day one
Once you have a single source of truth, the next way to achieve quick wins for employees during an M&A transition is to turn on day-one access to applications—from both companies—that are critical to their productivity. For sell-side employees, having immediate access to the intranet, IT help desk, and other parts of the buy-side technology stack also adds to their sense of belonging and demonstrates the broader organization’s commitment to connectivity and communications.
When you acquire companies that are technological early adopters themselves, the IT integration process can even be an inflection point to advance best-of-breed adoption for the entire business. Most CIOs know the value of moving to a best-of-breed IT stack that allows greater flexibility, functionality, and ease of use.
Businesses @ Work research found 78% of Office 365 bundle customers have adopted one or more best-of-breed apps with the same functionality as the Office 365 suite, and the average company now uses 88 apps (and growing).
An IAM solution with pre-built provisioning integrations for all of the cloud, mobile, and web apps in either technology stack facilitates this best-of-breed IT strategy, since it gives you the ability to bring the acquired company’s systems into your secure environment from day one, rather than spending a month to integrate each one. Or, you might gradually sunset outdated tools as you upgrade the combined IT stack—delivering a digital workplace your users will love, and cost savings your execs will celebrate.
Moody’s speeds M&A integration by 66%
Moody’s Corporation is a financial services company that provides credit ratings, research, tools, and analysis that contribute to transparent and integrated financial markets. The $4.8 billion business employs more than 11,000 people worldwide, and has grown rapidly, in part by making one or two acquisitions every year during the past decade. After one large acquisition that took 19 months to integrate, the IT team decided to transform their M&A process and shift to a cloud-first IT strategy.
In order to more quickly integrate networks and grant sell-side employees access to Moody’s core operational systems and collaboration tools, they leveraged the Okta Identity Cloud. After consolidating user identities from multiple lines of business into a central, unified directory, IT was able to provide federated access to modern tools like Slack, AWS, and the company’s SAP HR system. By doing so, they reduced network dependencies, sped M&A integration to under six months, reduced capex spending by hundreds of thousands of dollars, and can now provide immediate access for employees on day one, even while performing continued security assessments in parallel.
Security is paramount to Moody’s acquisitions, especially as the organization has a reputation and standard to uphold in the industry. At the same time, Moody’s executive team expects to quickly realize value from acquisitions. Okta’s ease-of-use and
ease-of-integration allow Moody’s to rapidly secure and seamlessly onboard new acquisitions.
3. Secure and automate access during times of high turnover
Different parts of your combined organization will require different levels of access and in-app entitlements. And it’s crucial to remember that leaving even a single account of one terminated employee active for too long creates a dangerous security loophole. In a survey by IDG, IT professionals shared that it takes 47 hours on average to manually offboard and deactivate a user who has left the company. In order to avoid unnecessary data loss and protect the valuable IP you just acquired, your IT team must be prepared to manage group access policies—as well as advanced onboarding and offboarding workflows—at scale.
By linking a modern IAM solution with both your buy-side HR system, and the acquired organization’s HR system, you can set prescriptive lifecycle orchestration policies that ensure seamless and timely account provisioning and deprovisioning for all employees. For example, you might configure your identity platform so any termination in the HR platform triggers the immediate deactivation of all accounts for that user, including those across multiple HR systems and downstream apps. You could also customize this process to only take effect for involuntary terminations, to rollover access for key data to managers, or to allow grace periods for certain systems that a user still needs after they leave (e.g., payroll) while removing access to all apps containing personally identifiable information.
4. Standardize security to improve Zero Trust posture
In addition to carefully managing employee offboarding, there are several other critical aspects of IT security to prioritize when your risk exposure is high. In fact, the overall M&A change management exercise can be the perfect chance to bolster your company’s security posture with new zero trust practices. As soon as an acquisition is on the horizon, make sure your IT and security teams start thinking about both interim and long-term plans to create common security policies, technologies, governance, and architecture across the combined business.
For instance, they should be ready to stand up new security policies for the sell-side organization immediately upon the acquisition closing, and treat that entity as an external network with restrictive controls until its security posture is reviewed, validated, and probably upgraded. You might start by rolling out adaptive multi-factor authentication (MFA) with step-up authorization for sensitive apps, and over time add context or risk-based access policies, integration between identity and security information and event management (SIEM) platforms, secure developer access to servers and APIs, frictionless passwordless access, or other advanced zero trust techniques.
Specifically, some key steps companies can take to bolster their security during M&A integration include:
Use modern IAM to secure the buy-side company’s technology
Monitor security posture by feeding logs into a SIEM platform, and integrating that with IAM
Provide buy-side employees with secure access to sell-side apps, but with more strict controls (e.g., MFA for everything)
Begin to sunset older technology to reduce costs
5. Enable omni-channel customer experiences
Every enterprise develops software in some capacity, and that technology is often the very reason for an acquisition. Although it might not be your first area of focus following an M&A event, you should embrace the opportunity to create cohesive omni-channel experiences for customers across various products or brands in your growing portfolio. One way to make rapid progress on these CX initiatives is to adopt a customer identity and access management (CIAM) platform, which can provide an abstraction layer over disparate identity infrastructure from various customer-facing portals until you’re ready to consolidate duplicate user profiles and accounts. This makes it easier to establish a unified customer view, help the business deliver personalized marketing offers and experiences, and manage customer consent and data privacy—all of which encourages customers to do more, not less, business with your company.
Furthermore, CIAM systems increase IT efficiency by giving developers more time to build innovative, delightful digital experiences, as opposed to maintaining custom registration flows and user directories for each of the individual brands, channels, or geographies where you do business. Even better, you might want to standardize on a single identity system for all your user types—employees, customers, partners, and contractors—and all resource types—apps, APIs, and infrastructure—to lay the foundation for every possible identity scenario. With this approach, security and IT teams can easily apply, view, and manage all settings, policies, security, and governance from one place.
Albertsons unifies 19 brand banners with a seamless CX
One of the largest grocers in the United States, Albertsons Companies includes 19 different banners, serving over 30 million customers a week. In such a complex organization, it can be challenging to ensure unique, yet consistent, customer experiences—both within the four walls of each store, and through digital channels. Ramiya lyer, Albertsons’ GVP of IT Digital, Data and Pharmacy, shared, “Albertsons has grown through acquisition over a number of years. Some of our banners are more than a hundred years old, and they have deep local community ties that we don’t want to break. They’re not cookie cutters.”
The company saw unified, scalable customer identity and access management as an opportunity to offer their customers a better experience and strengthen Albertsons’ security posture. Albertsons implemented Okta’s customer identity products and migrated millions of user credentials from its legacy infrastructure built on LDAP and OpenSSO over to Okta, while eliminating duplicate customer accounts. Okta strengthened security in all the right places, added granular policy-driven access management capabilities, and ensured a more seamless customer experience that no longer required users to login multiple times between apps and brands.
Achieving M&A Agility with the Okta Identity Cloud
A common thread that runs through the many dimensions of change during M&A is user identity, since it’s at the intersection of your employees, consumers, and the technology services they utilize. However, each merger is different. For some, one global directory with the same access for everyone might be the way to go, while for other scenarios, a hub and spoke architecture could be more appropriate. By taking control of identity using whatever approach works best for your business, and creating an M&A process that’s both repeatable and efficient, CIOs speed time-to-productivity for employees, unlock greater shareholder value, and delight customers.
Okta was built from the ground up in the cloud to support all of these use cases with a flexible architecture. That’s how we enable 5X faster IT integration following a merger or acquisition, and reduce the time to integrate by six months or more. In fact, by freeing employees’ time, replacing costy on-prem infrastructure, and avoiding security breaches, Okta can deliver $2 million in total value during the first year of automated M&A integration, and more than 300% ROI over three years.
Okta’s deep functionality across identity and access management includes:
Okta provides a federated single source of truth across multiple identity systems and corporate HR masters, as well as a better solution for AD domain consolidation. Our Universal Directory will import your AD profiles, groups, and security policies; reconcile and clean the data; and put everything into a central admin console to bring multiple identity directories into a single pane of glass. Once configured, the cloud-based directory uses remote authentication agents to ensure instant access for all your users to whatever apps they need.
Okta helps you stay on top of identity changes from M&A day one and beyond with prebuilt provisioning and deprovisioning integrations for 120+ cloud and on-prem apps, as well as prescriptive lifecycle orchestration. Using Okta Lifecycle Management, identity managers gain an end-to-end map of who has access to which services, and can simply click a checkbox to automate repetitive tasks—such as creating, updating, or deactivating identities, as well as provisioning standard accounts.
Single Sign-On & Multi-Factor Authentication
Since the Okta Integration Network offers over 6,500 pre-built integrations with cloud, mobile, and web apps, Okta can grant instant access for acquired employees and strengthen your overall security through SSO and MFA. In particular, Okta’s robust MFA solution enables intelligent policies based on login context, as well as comprehensive factor sequencing options.
Okta’s customer authentication and Access Gateway solutions secure your development resources and cloud infrastructure, so you’re able to provide customers with easy access to new products and experiences from the combined company. At the same time, Okta enables omni-channel experiences by helping uncover a 360-degree view of the customer for enhanced customer analytics and better marketing effectiveness across your brands.
To learn more about how Okta helps companies increase agility to exceed M&A expectations, visit our web site.
Okta is the leading independent provider of identity for the enterprise. The Okta Identity Cloud enables organizations to securely connect the right people to the right technologies at the right time. With over 6,500 pre-built integrations to applications and infrastructure providers, Okta customers can easily and securely use the best technologies for their business. Over 7,950 organizations, including 20th Century Fox, JetBlue, Nordstrom, Slack, Teach for America and Twilio, trust Okta to help protect the identities of their workforces and customers.