Industry
Banking
Banking Services Transformation: Unlocking Exponential Value
Highlights
- The CRO plays a crucial role throughout the stages of a mergers and acquisitions (M&A), helping manage risk and ensuring the transaction aligns with the organizations overall business strategy.
- In the pre-transaction stage, the CRO examines the agreement to ensure that all the potential risks are thoroughly assessed and appropriately addressed.
- During the execution of M&A, CRO involvement is essential in maintaining a robust enterprise risk management framework.
On this page
Introduction
Up until the global financial crisis (GFC), mergers and acquisitions activity were fairly common among many large financial institutions.
A steady stream of deals led to organizations developing a competence in the execution of M&A delivery, including robust due diligence and strategic assessment of the proposed transaction.
The hiatus in large scale M&A following the GFC continued into the late 2010s/early 2020s exacerbated by a weaker economic environment and the impact of the global pandemic.
In recent times, there has been a significant rise in M&A activity, as organizations make competitive moves designed to drive growth, going beyond acquisition activity related to rescue of a failing institution. However, whatever the type of acquisition, whether a discrete portfolio or full business takeover, there are questions to be asked about an organization’s capability to execute it successfully. Essentially, have organizations retained the memory and muscle to competently execute M&A?
In this article we specifically explore the role of the CRO and risk function in successfully executing M&A transactions, with a focus on acquisitions. Without commenting on the likelihood of M&A activity or future trends, look at the role of risk post the deal announcement, i.e. in the lead up to transaction completion and in the early days of a combined organization – when the real work begins.
The expectations of Risk – Strategic direction and objectives
The decision to pursue merger and acquisition is made after evaluating various factors.
A merger or acquisition agreement are reached, in part, based on the commitments made by executives, which, in turn, owners have bought into. Personal reputation are at stake with pressure to deliver on commitments. Given this, risk should be part of the initial strategy setting to assess the feasibility of the deal and CRO engagement must continue with robust oversight throughout delivery as the businesses are integrated.
The expectations of Risk – Pre-Transaction Agreement
A strong and strategic CRO must be an effective and collaborative member of the executive team.
This results in the CRO being well connected and informed of possible M&A transactions being considered.
In many organizations, potential M&A deals (both acquisition and disposal) would be reviewed by an Acquisitions & Disposals Committee which formally assesses all material aspects of the deal. Key areas that a CRO and the risk team will want to examine pre-transaction agreement, include:
Strategic fit: To check whether the deal is aligned with the current announced or planned strategy of the organization e.g. a UK centric bank would potentially be moving off strategy if it acquired an EU insurance business. If the deal fails this test, then the CRO should be urging caution on proceeding without a review of the strategy.
Financial resilience: The pertinent question is, does the deal result in an unacceptable change to the financial resilience of the acquiring organization. This can be particularly important if the acquired business has a materially higher risk profile than the acquiring business, e.g. a bank with a predominantly secured credit balance sheet acquiring an unsecured credit business. Financial resilience can often be tested via stress testing a pro-forma version of the combined organization and assessing whether the new organization is acceptably financially resilient e.g. level of capital post stress test would meet both internal and regulatory capital constraints.
Operational resilience: With threats from cyber, failure of material third parties or other non-financial risks, all having potential to compromise the viability of the combined organization, operational resilience is as important as financial resilience. Also, unlike financial resilience mitigants such as capital, operational resilience mitigants are not easily fungible across the combined organization.
Warranties/liability insurance: Most businesses carry a legacy of unresolved issues and vulnerabilities. These can relate to earlier business practices, product design or legacy approaches that may no longer meet internal or regulatory requirements. Such matters can result in significant additional costs including remediation, customer compensation and regulatory fines. Given this, it’s vital that the acquiring organization carries out comprehensive due diligence and as far as possible receive warranties or secures liability insurance for such vulnerabilities. The CRO and risk team can play a key role in both identifying such liabilities and assessing the effectiveness of any mitigation measures.
The expectations of Risk – During Transaction
Even in business-as-usual times, the expectations of the CRO are high.
During the execution of an M&A transaction, with a period of extensive organizational transformation ahead, those expectations grow exponentially and require a strategy and response on multiple fronts to provide protection for an organization. We explore these expectations of the CRO from six perspectives.
Figure 1: Diverse M+A expectations for Risk
Six Expectations of the CRO
While full integration of organizations can be a lengthy process, accountability is immediate on deal closing. From that moment, the CRO will need to be able to report on the overall risk profile and priorities of the combined organization, particularly on themes arising through due diligence work. Many mechanisms will be required to support this, and the highest priority should be given to critical regulatory reporting like capital and liquidity, financial resilience assessments like stress tests and operational resilience KRIs.
Complementing the provision of risk information, a timely review of the risk governance approach will be vital in ensuring the combined organization is appropriately governed.
The CRO plays a key role in delivering the integration of the acquired business by rapidly transitioning towards a single enterprise-wide risk framework and defining the risk appetite for the new organization.
Creating a Single Enterprise-wide Risk Management Framework may not seem like a high priority, but early work to align the standards, policies and risk management is key. Critically, this extends to risk appetite for the new organization, setting the frame for what is tolerable, both in integration decisions and the new BAU.
In addition, a change program to integrate key risk systems and migrate risk data will be key enablers of an effective risk organization.
Resources might need to be ringfenced to focus exclusively on integration, rebuilding capability so that it becomes a more natural instinct for the organization. As outlined below, integration brings significant complexity and that is difficult to manage effectively from the ‘side of the desk’, alongside existing BAU.
Alongside this, it will be critical for the CRO to establish a new operating rhythm and new risk organization ensuring that it is proactively managing all the material risks as new business and governance structures take effect.
Transformation creates risk, and in an integration scenario where anticipated benefits are likely to be dependent on transformation, there can be a tough balancing act in managing that risk against the desire to deliver quickly. The internal and external stakeholder spotlight will be intense, often with competing priorities, so the CRO will need a strong and independent say in how the organization integrates safely. This can often result in moving more slowly on combining businesses and functions than desired by the CEO and other executive colleagues.
In addition to managing the many complex and competing issues associated with an acquisition, CROs will also need to be alert to a number of threats that become more prominent. These can vary in size and speed of occurrence, however without proper risk management they have the scope to undermine all the targeted M&A benefits.
M&A benefits will often be drawn from rationalizing the technology estate, as organizations seek to optimize existing infrastructures and reduce costs. However, they are often hampered by the extent of legacy technology usage, a challenge that can be exacerbated by the second organization having,
- Multiple technology systems, each critical to material processes that are subject to heightened operational resilience regulations
- Configurations with multiple workarounds and add-ons over time, that can make system rationalization very challenging
- Reliance on a small number of individuals that fully understand legacy systems and their embedded complexities
Associated with the legacy technology threat and stretching beyond, is the organization capacity to execute the transformation. Systems integration brings heightened threats around the extent of change required, the pressure to deliver it and the ability to do it in a way that stays within risk appetite. Understanding new architectures, testing, available release slots and fix forward/reverse out strategies bring complexities, and are against a regulatory and reputational backdrop that can be unforgiving if resilience issues arise.
With comparatively less M&A activity seen in recent years, many organizations have lost the ‘M&A muscle’ previously seen. As a result, the capability may not exist to successfully execute M&A activity in any but the largest global players. This means that the majority of colleagues working on a deal are fitting this work around their day job. In addition, as M&A deals are infrequent, in many organizations the capability to efficiently execute such deals is undeveloped and patchy. It’s important that the CRO and risk team assess this capability across all relevant teams and identify any key gaps. A typical mitigant for identified gaps is the use of specialist third parties who can provide increased confidence in the execution of the deal.
Inevitably, M&As can create a period of instability, so regulators will be watching closely and intervene quickly if they don’t believe that is being managed effectively. Additional scrutiny is expected and right, but it requires effective management to prevent it from diverting focus of delivering the expected value from the transaction. This management of regulators should be proactive and regular, ensuring the key regulators are well informed of expected timelines, can highlight any concerns and are involved in any changes of approach or timing relative to initial plans.
Acquisitions can see priorities change overnight. What was once a top project can quickly be deferred, cancelled or deprioritized. That re-prioritization is natural but there are both practical and cultural angles for leaders to manage. Practically, it is important other deliverables or milestones are not missed. Culturally, without proactive communication, management teams not directly engaged in integration activity can feel sidelined. It’s vital that management are clear with their messaging to all employees, ensuring those keeping the BAU business going are just as critical as those involved in the integration efforts.
Naturally, the extent of these perspectives and expectations will be rely on the strategic direction for integration, for example, where businesses continue to run separately, but invariably there is a desire to get on with integrating and creating the new organization.
Two final thoughts for CROs
CROs will be pulled in many directions.
They will be central to the confidential work ahead of an M&A announcement, and as transactions complete and a new organization takes effect, their role is even more critical. In addition to the priorities detailed above, we highlight the following two points -
Culture: Combining two businesses inevitably results in some impact on the culture of the organization. The CRO can play a key role in ensuring the cultural dimension of change is handled proactively, identifying any likely areas of conflict or issues.
Board Engagement: In more material M&A and integration activity, it’s likely the Board will play an explicit oversight role (with potential regulatory attestations). They will look to the CRO for assurance, who in turn becomes a critical point person between the Executive and Non-Executive teams.
In conclusion, it’s imperative that CROs play a key role both before, during and after M&A transactions. Such deals can be transformative in driving the strategy of a business. Equally, they bring a range of risks and challenges unlike those managed on a day-to-day basis. Given this a CRO needs to have an explicit plan on how to play their part in making the deal successful.
