DayBlink Consulting translated divestiture contractual obligations into an actionable plan and executed the plan
Read the full case study here: M&A Risk Management for a Leading Digital Media Company
Introduction
A leading digital media company decided to divest a subsidiary of its business in a $5 billion deal. In addition, within the subsidiary, legacy business units were being retained that had not been previously managed. Legal obligations dictated that our client continue to provide cybersecurity services to its former business units and continue to own the cybersecurity risk in its former business units, even though the business units separately had to manage their risk from a technical perspective.
We formed the program management team to help the client reduce risk, avoid unnecessary expenses, and translate contractual obligations into tactical operations and processes that the client should implement. The client’s cybersecurity team relied on DayBlink to manage relationships with the external engineering teams and deliver reporting metrics to both operational teams and executive stakeholders.
In addition, the client anticipated that it would have additional M&A activity in the future, and DayBlink’s team developed materials to enable successful future risk management.
Problem
A large divestiture raised potential cybersecurity risk but our client did not have direct access to manage the risk.
Our client engaged DayBlink to closely manage technical risk that was greatly increasing due to M&A activities in a $5B deal. Our client’s employees had to work on M&A activities outside of their daily job responsibilities and therefore did not have the required dedicated resources to manage the great financial risk from the divestiture. Legal requirements were broadly defined for the cybersecurity team’s security service delivery. However, these requirements had not been bridged to a tactical project plan., and requirements were not clearly communicated. Day one tasks and exit tasks the Governance, Risk, and Compliance department needed to oversee were not fully discovered and well-documented. In addition, our client was newly separating from some of its previous entities but was still required to own the risk while not being able to actively manage the risk. Shortly after the divestiture, lack of engagement from the external teams, both from the executive and operational teams, started to cause breaches in contract that could have severe legal and financial impacts to both companies.
Solution
Our team enabled risk management success through executive and operational engagement and consistent reporting.
At the beginning of program mobilization, we engaged stakeholders to collect qualitative data to discover where the program needed the most support. Initially, we collaborated with the client to solidify processes that were developed to better manage risk. This period was characterized by high turnover at our client, frequent contract analysis, and earning trust with client team members. We supported the team with building a Day One work-plan to ensure all activities were being completed as expected in a period of rapid organizational change.
As we continued to manage the program, some work streams were more mature than our client had initially expected, while others needed more attention, to the extent that active contract breaches were occurring.
We determined the client needed additional support to build relationships with technical SMEs from the separating entities, as these SMEs had the visibility and resourcing to fix the sources of the contract breaches. Delivering the necessary information for remediating and managing the technical risk was crucial in ensuring the contract breaches did not need to be escalated with legal action. Processes were built in case escalation needed to be executed to ensure external teams were prioritizing risk management.
Consistent reporting to both executives and technical teams ensured leadership was aligned with our management decisions and external teams had the information to know where to focus and prioritize their efforts.
Outcome
We achieved over 90% security procedure adherence for external assets without direct control or authority.
After executing processes for escalation, consistently reporting status and metrics, and managing day to day operations, compliance ultimately increased by at least 50% and overall compliance improved to 90%+. Both companies involved were able to achieve cost avoidance by preventing legal action through better compliance. Improved reporting models and metrics to track open security vulnerabilities, program risks and issues, and high priority action items also ensured that executives had the ability to raise concerns early and ensure they were aligned with the program’s status. In addition, after the program was mostly completed, team members within our client’s cybersecurity department were trained on using reporting tools so that they could enable better risk management for future M&A activities that they anticipated would occur at the company in the future.