You won't get full value from a transaction unless you manage cultural change with robust risk management, warn Fiona Gilvey and Jenny Jones

Surveys suggest that at least 50% of mergers, acquisitions and buy-outs fail to deliver expected increases in shareholder value. While there are many reasons for this, a robust risk management process can increase the likelihood of success. You need to consider the ways in which you can embed a risk management process throughout the organisation after a merger or take-over and how you should modify your existing risk management processes to accommodate the new business.

It is well known that there has been substantial merger, acquisition and buy-out activity over the past few years, although activity has slowed recently. Perhaps 2002, as a post-merger period, is the time for merged companies to begin leveraging the benefits promised by their merger. In this context, companies may wish to consider thinking creatively and using risk management as a means of generating value.

As an illustration of deal volumes we can look to the figures for Management Buy-Outs in 2000 and 2001. Total buy-out activity in 2000 was £23.9bn, with the value falling to £19.3bn in 2001. (Statistics supplied by the Deloitte & Touche Centre for Management Buyout Research conducted in conjunction with Barclays Private Equity.)

Are all these 2000 and early 2001 deals beginning to show signs of creating increased shareholder value? If not, why not?

Transactions themselves generate extensive risks. The company's financial health, reputation, and quality of management are all at stake. Your company should therefore be making full use of its risk management resources during the period of the transaction. Companies are well aware of this, and risk identification and assessment are an integral part of any due diligence process. One of the keys to the success of a deal is continuing to use risk management in the post-transaction period.

Risk management as an aid tothe integration process
Risk management used well should help to focus management attention on the most significant issues arising from the integration process. One of the key features of many post-transaction companies is that they are likely to be focusing on cost control. A risk identification and assessment exercise will help your company to focus on the key controls it needs to have in place and to identify any redundant or low-value controls. These are key issues in the streamlining process.

Risk management should also help the company to identify other areas on which to focus, so that no one area receives too much management attention to the detriment of others. For example, you need to consider revenue generation as well as cost reduction.

This is an ideal time to review the risk management processes the two companies had in place and cherry-pick the best aspects of each. While the previous processes may be scaleable, a total re-design may be the best solution. A particular consideration is the required size and composition of a merged risk management department. A bigger company may not in fact require the total combined resource of the two separate companies.

Thought may also be given to the structure of the department. Perhaps, within the newly merged companies more risk representatives will be based within the business lines rather than as a totally centralised function. This could be a benefit when it comes to embedding the process throughout the organisation - someone on the ground is likely to have more success gaining buy-in within a business unit than if they are a remote head office figure.

Major pitfalls
The key pitfall is likely to be the failure to fully follow through the implementation of change. In the short term, great efforts are likely to be focused on integration, including the roles of management and employees within the newly merged organisation and the products to be manufactured. But, in the longer term, the on-going requirements of the transaction fall by the wayside and are forgotten. Continuous monitoring of the integration process is required for months or years following a deal.

If you formally recognise the issues faced in the integration process as risks (as in fact integration generates a whole new sphere of risks), a robust risk management process should help to keep management attention focused on the integration issues over those months and years, and the issues should continue to be monitored.

The opposing linked pitfall is if too much emphasis is given to the integration process, or if there is a failure to focus on the key issues. The danger lies in the potential distraction of management attention away from the usual business and from the controls and revenue generation required. As always, a balance must be struck, but this should be easier to achieve if the risk management process is in place and is working effectively.

A further hazard is failing to identify or consider new risks post-deal, or conversely identifying too many risks, which leads to an unmanageable work-load for the risk management team. As before, the key is to find a balance and to identify only the significant risks to the achievement of the joint company objectives.

A key element for the risk identification process after a deal should be the due diligence exercise, and the issues that arose from it. Failure to recognise this could lead to missed risks and opportunities.

A further pitfall for the organisation would be a failure by the newly merged management teams to fully understand the new business, and hence the failure to identify the pertinent risks. This should be mitigated by the involvement of parties from all the pre-deal companies, although this is not always possible. A culture that encourages learning and a management team that is willing to learn is the best answer.

Modifying existing processes
It is imperative to recognise that existing risk frameworks must be expanded to take account of integration risks as well as other new categories of risk. Consideration should be given to the combined company's risk appetite, bearing in mind the likely differences in opinion of the members of the board and senior management team in terms of the risks they are prepared to take. The newly merged companies are likely to be willing to take a differing amount of risk to that which they were willing to take as single entities.

It is worth bearing in mind that, in a climate of cost reductions, the cost benefit of the controls in place must be carefully assessed, and this will be driven by the agreed risk appetite. If your company feels able to take more risks, it may be able to cut its cost base by stripping out some of the controls.

The modification to risk appetite also translates into the need to review the measurement scales used within the organisation for assessing risk. The definition of a significant risk may change considerably in the enlarged organisation.

The risk reporting structure is likely to require redesign, to map to the combined management information reporting processes. Risk information should not place an unnecessary burden on the personnel involved, so the more closely the risk information required maps to the regular management information being reported, the more likely the process is to succeed. System changes are likely to be needed when combining the information reporting processes of two organisations, so it is worth bearing in mind the added requirements, such as risk reporting, when redesigning the system.

A key sticking point is likely to be the failure to obtain buy-in to the risk management process at the very top of the newly merged organisation. If the senior executives cannot be convinced of the benefit of such a process, it will be an uphill struggle for the risk management team to embed the process throughout the rest of the organisation. Encouragement from the top needs to be supported by a suitable communication, awareness and training programme for all employees in the organisation, especially for those involved in the process.

Overall, companies should aim to create a climate that is friendly to effective risk management. Managing cultural change is essential to a successful merged business, and potential changes in culture should be uppermost among key risk considerations in the post-deal risk framework. The climate that a company should be aiming for must include a commitment to risk management, a no blame culture, and a pro-active attitude toward risk.

Fiona Gilvey is a director in Deloitte & Touche's financial services practice, Tel: 020 7936 3000. Jenny Jones is an ACA qualified senior consultant in the risk consulting practice of Deloitte & Touche in the UK

Airmic Comment
Clive Smith says that the way your organisation and its decision takers consider risk in its management decision making processes is an essential component for the future success of the organisation.

Prior to the application of the Turnbull guidance and the subsequent profile attached to risk management, risk in many decisions was an implicit assumption and given limited consideration. Since Turnbull, much effort has been given to designing and developing the processes for the identification, assessment and risk reporting requirements set out by the guidance. This is to provide the management information to the board for the assurance process and the subsequent statements made in the annual report.

The way we manage risk however, has far greater impact than the assurance process. It is the way people within organisations take risk and how the organisation maximises its risk taking by utilising experience and expertise in a decision making process which provides consistent transparency. The transparency means that decision taking criteria and their application are clearly articulated, understood and applied throughout the organisation.

For commercial organisations, the objectives of managing risk are likely to reflect the desired balance between minimising negative impacts from risk (risk control) and maximising opportunities (risk taking) to generate profitable revenue streams. In the AIRMIC guide to developing a risk process, we set out the planning stage to incorporate:

1 Where are we now?

2. Where do we want to be?

3. Gap analysis (differences from 1 and 2) = your organisation's to-do list.

Some of the issues that are central to changing the risk management culture include:

  • the objectives of the organisation's risk management.
  • its risk appetite
  • which areas will facilitate the assurance process?
  • how will support functions provide expertise and support to decision takers?
  • what systems are to be used in the assurance process and what is their impact on the way decision takers consider risk
  • management support for risk management
  • engaging and involving people in the development and implementation of decision taking processes
  • developing common approaches, language and agreed ways that risk will be understood and managed
  • the impact of the controls regime
  • development of common goals with risk taking areas of the business
  • reducing the impact of functional bias in risk taking
  • building in consideration for the long term consequences of risk in decision taking
  • ensuring risk management is not confined to the negative aspects of risk.

    Our objective in risk management is not restricted to the identification and assessment activity. We want to ensure that our organisations take the right risks and manage them so that we achieve desirable outcomes. In other words, risks are managed for success.

    Changing the culture of risk taking within an organisation is no mean feat. It requires the translation and implementation of organisational objectives and risk appetite from the board through to organisation-wide acceptance, and then having the assurance process in place to match the organisation's risk strategy to the implementation of that strategy.

    To achieve a culture change in the way your organisation manages risk, you need a plan and support, as well a great deal of enthusiasm. While this process is challenging in the extreme, the results of getting it right are extremely worthwhile.

    Clive Smith is risk manager for Orange plc and chairman of AIRMIC's special interest group which prepared The AIRMIC Guide to Developing a Risk Management Process