ISACA Journal
Volume 1, 2016


Evaluating IT Integration Risk Prior to Mergers and Acquisitions 

Deepak Khazanchi, Ph.D. and Vipin Arora 

Corporate mergers and acquisitions (M&A) are considered significant, from both a strategic and an economic point of view, across almost all sectors of the economy.1 M&A is a complex process involving risk that ranges from financial and legal matters to sales and marketing challenges and everything in between. Despite well-established benefits of strategically driven expansion and integration of businesses through M&A, the consolidated organization exposes itself to a number of anticipated, unknown and unintended risk factors. The risk concerns the overall organizational integration of some or all of the previously distinct and interdependent assets, structures, business processes, technologies, systems, people and cultures of the two firms into a unified whole.2

IT capabilities are considered a key strategic asset for contemporary firms.3 In fact, according to the 2013 census report, US nonfarm businesses spent a total of US $330.9 billion on noncapitalized and capitalized information and communication technology (ICT) equipment, including computer software. This is nearly 23 percent of all US firms’ capital expenditure in the same year.4 Integration of IT systems and IT management processes is one of the major challenges in the M&A process that affects all aspects of the merged business and is, therefore, crucial to the overall success of the M&A process. Because of the pervasiveness of IT across organizational value chains, the ability to integrate the underlying IT systems and related management processes of the acquirer and target is important for continuing overall business operations without causing major delays or disruptions.5

However, there is ample evidence to indicate that the principal concerns of executives during predeal negotiations continue to be issues focused on statutory and regulatory, financial and tax structuring, and business synergy challenges. No doubt that lawyers, accountants and industry specialists dominate the team supporting the M&A process. Most of them do not recognize the importance and intricacies of IT integration in M&A. Historically, companies have not involved their IT executives and/or chief information officers (CIOs) in premerger integration planning.6, 7 This continuing disconnect can be illustrated through the case of the European Retail Bank’s (ERB) acquisition of another bank:8

To achieve the integration of the two merged banks, ERB’s senior business executives decided to first focus on restructuring, capturing cost synergies and streamlining operations between the two merged banks. However, neither IT nor a CIO was actively involved in the pre-merger due-diligence process or consulted in advance on comprehensive post-merger integration planning. As a result, there was post-merger bureaucratic wrangling between IT and business people from the two relatively equal merged entities. After two years, the integration had not progressed…

It is all the more ironic because IT is expected to play a major role in carrying out a seamless integration between the merging companies.9 In recent years, more importance has been given to IT integration in M&As, but in many instances, risk is ignored or is considered a concern that needs to be addressed postmerger. However, as illustrated by the ERB scenario, there are many examples where postmerger issues relating to IT integration risk have resulted in a major breakdown of services that have far greater ramifications than simply financial losses and/or inefficiencies.

The purpose of this article is to highlight various categories of IT integration risk and the associated costs that must be considered and factored in with the predeal negotiations in all M&As. This is important, especially because of the huge costs involved in integrating incompatible systems and meeting the mandatory regulatory compliance requirements after integration. The assurance framework developed by Khazanchi and colleagues10, 11 has been adapted and specific examples of the costs associated with each type of risk are provided.


A review of recent journal and industry articles (and some books) published in both academic as well as practitioner outlets reveals that a variety of aspects, both general and specific, associated with the issue of IT integration during M&A has been raised over the years. While some focus on postmerger integration of IT infrastructure (including network capabilities and different types of hardware), others address the issues related to data and applications integration. Yet others deal with the integration of IT-enabled business processes.12, 13 On the risk side, COBIT can be considered for managing postmerger integration and associated risk assessment.14

Some researchers talk about the general need for coordination in strategic IT actions of the two merging firms in making decisions on IT, people and business process integration,15, 16, 17 while others highlight several issues related to the integration of IT human resource (HR) management and IT vendor management processes of two merging firms.18, 19

Risk and Benefits Associated With IT Integration in M&A

Researchers have also categorized IT integration issues both in relation to more general “extended enterprise environments” and specifically in M&A.20, 21 Some look at the issues as risk that has to be considered and avoided, while others highlight the benefits of paying due attention to the issues. For example, Khazanchi and Sutton identify IT integration risk that needs to be closely evaluated and monitored,22 while Tanriverdi and Uysal emphasize the importance of the benefits of paying due attention to integrating the IT systems and IT management processes of acquirer and target firms during the M&A process.23

IT-related interorganizational risk can be classified into three broad categories: technical-level risk, application user-level risk and business-level risk.24 These categories of risk are directly applicable to the types of IT integration risk faced by firms involved in M&As. These risk categories also align well with the US National Institute of Standards and Technology’s (NIST) Special Publication 800-39, Managing Information Security Risk,25 which similarly considers three layers: organization (governance), mission/business process (information and information flows) and information system (environment of operation). The IT Assessment and Due Diligence Framework (ITADD) fits well into the proposed framework of risk categories discussed here.26

Describing the Risk Categories

Technical-level risk includes all risk associated with combining or consolidating information systems across the merging organizations. This may include evaluating whether integration with external and internal applications is feasible with available financial and technological resources, selecting one system over another, and the additional costs of systems integration or turnover to the acquiring firm’s systems.27 Additionally, this category of risk might include issues associated with:28, 29

  • Ensuring that appropriate internal applications are selected for integration, mapping and/or streamlining customer/supplier data for direct use in internal applications across organizations
  • Ensuring business transaction processes work and include all electronic transaction sets
  • Implementing appropriate systems, policies and processes to engender confidentiality, integrity and availability of data, technology and systems

Integrating basic infrastructure technologies (mainly networks and hardware platforms) used by the two merging firms is crucial for creating a common IT infrastructure over which different types of business data can be exchanged. But it is very expensive and sometimes even impossible to integrate incompatible systems. It is not surprising, therefore, that technological incompatibility problems are among the top IT integration challenges in M&A.30 For example, Bank of America faced critical challenges in integrating a number of disparate IT systems during its acquisition of Fleet-Boston.31 Integrating IT applications and data of the two merging firms is also critical for integrating the business processes and operations of the merged firm.32 The migration of large volumes of data from one IT system to another in M&A can be a very expensive and time-consuming process. For example, when Royal Bank of Scotland acquired National Westminster Bank, 4,200 people were involved in transferring 250 GB of data pertaining to 14 million customer records and 33 million direct debit records.33 On the other hand, if the two merging firms are using standard application packages such as Oracle eBusiness Suite or mySAP, the acquiring firm can expect huge savings in IT applications and data integration costs.34

The next category of risk is referred to as application-user-level risk and focuses on areas such as:35, 36

  • Clearly communicating and understanding potential benefits and the additional costs of IT integration across the firms
  • Intentionally planning for integration after M&A
  • Assessing organizational readiness for adopting or changing current systems
  • Establishing a degree of reliance on paper-based transactions for internal processes that might need to be automated
  • Assessing coordination and control procedures for maintaining reliability of transaction processes

Under this category of risk, the adequate preparation of an organization’s staff for new, integrated information systems activities should also be addressed, as should related training initiatives for users and IT staff.37, 38

In M&A, IT integration of the two merging firms can create significant uncertainty and turmoil for IT employees. Some IT jobs may be threatened because of automation such that some IT employees may have to relocate and others may have to upgrade their IT skill sets to serve the IT needs of the merged entity. In such a context, it is not uncommon for IT talent to resist change or seek new job opportunities.39 Thus, IT HR management practices such as the recruitment of new employees, retention, relocation and training of existing employees are critical for the overall IT integration.40

The third category of risk is referred to as business-level risk and relates to an organization’s ability to appropriately reengineer traditional business processes to incorporate practices that will be used going forward.41, 42 This risk may center around a variety of issues, including:

  • The appropriateness of extant systems and technologies for an organization’s culture and structure
  • Assessment of direct/indirect benefits of IT integration
  • Adherence to legal requirements (electronic orders, signatures, trading partner agreements, information privacy laws, etc.)
  • Proper planning and systems for ensuring monitoring of data and transmission security/auditability
  • Appropriateness of workflow procedures for achieving efficiency gains

Accordingly, in terms of business-level risk, internal control systems should be assessed for viability in assuring continuous monitoring of controls over privacy of data, reliability of systems and security of electronic transmissions.43, 44

M&A activities generate a number of changes. These changes are inevitable because successful integration of two organizations into one requires corresponding integration of business processes, people, systems and cultures.45 This, of course, is a big challenge. Flexibility and adaptability of both the business processes and the personnel at all levels are key for the merged organization to succeed. A firm with strategic flexibility can reformulate business strategies and reorganize IT and business processes to adapt to M&A opportunities.46 Managerial flexibility allows and facilitates moving business processes from one business unit to another, or moving business processes from the IT infrastructure of one firm to the IT infrastructure of the merged firm. Similarly, operational flexibility enables managers to reorganize business processes and reallocate personnel to different assignments and/or locations. IT integration can play an important role in ensuring that IT and business personnel at different organizational levels are included in the M&A process.

Finally, in M&A, even if the two merging firms have systems in place that are compliant with regulations prior to the merger, the combined postmerger entity may not be compliant because of different factors, such as the resulting change in the financial status of the merged firm. For example, in implementing its strategy of global expansion through acquisitions, Interpublic Group (IPG) had to spend US $300 million in professional fees to comply with the Sarbanes-Oxley Act.47 The anticipated costs associated with achieving regulatory compliance must, therefore, be factored into the M&A predeal negotiation process.

Mitigate the Risk and Reap the Benefits

A study of 141 acquisitions conducted by 86 Fortune 1000 firms found that high levels of IT integration capabilities in acquiring firms result in significantly higher performance within the merged firm in both the short and long terms.48 It can be argued that knowledge and subsequent avoidance or mitigation of the three categories of risk discussed in this article can potentially be instrumental in achieving value from integrating the IT systems and IT management processes of the merging firms during the M&A process. The risk categories explained provide a framework for looking at pre- and postmerger IT integration challenges in a systematic way. Figure 1 summarizes, at a high level, the potential costs associated with the different categories of risk that need to be factored into M&A negotiations.


There is no panacea for overcoming IT integration risk in M&A; instead, it requires deliberate planning for integration and assurance against negative impacts of the risk outlined here. It is important that such planning be conducted premerger by analyzing the different dimensions and risk of IT integration. Firms considering M&A will find it advantageous to consider both the risk and the benefits associated with IT integration and factor in the associated costs while making such a deal. This means that there is premeditation in planning for managing IT integration risk prior to an M&A that, at a minimum, assesses the potential technical-, business- and application-user-level risk that is likely to impact the extended enterprise. This can ameliorate any potentially significant financial impact, additional costs and delays in achieving full performance of IT infrastructure and systems and/or loss of productivity. To avoid unnecessary inefficiencies and large expenses, many forward-thinking firms establish an IT M&A team to evaluate integration risk (and associated costs to address it) during the process of considering an M&A with candidate firms. An illustration of the nature of the IT auditor’s role in the M&A process in each phase—predeal strategizing, due diligence activities for the M&A and post M&A activities—is summarized in figure 2.

It should also be emphasized that awareness of the risk and benefits is not only relevant to CIOs, but also critical for other C-level executives (such as chief executive officers [CEOs] and chief financial officers [CFOs]). They, too, should develop a keen awareness of the challenges and importance of IT integration issues in M&A. Equipped with this knowledge, CEOs and CFOs should be more willing to integrate CIOs and/or the IT unit in M&A planning activities. For large M&As involving complex IT infrastructure and systems, a designated M&A team may be set up that includes IT experts to provide input on the additional costs (and potential benefits) of systems integration in the merged enterprise.


The authors wish to thank their colleagues Dr. Robin Gandhi and Dr. Vasant Raval for their valuable comments that helped improve this paper.


1 Tanriverdi, H.; V. B. Uysal; “Cross-business Information Technology Integration and Acquirer Value Creation in Corporate Mergers and Acquisitions,” Information Systems Research, 22(4), 2011, p. 703-720
2 Mehta, M.; R. Hirschheim; “Strategic Alignment in Mergers and Acquisitions: Theorizing IS Integration Decision-Making,” Journal of the Association for Information Systems, 8(3), 2007, p. 143-174
3 Tippins, M. J.; R. S. Sohi; “IT Competency and Firm Performance: Is Organizational Learning a Missing Link?” Strategic Management Journal, 24, 2003, p. 745–761
4 US Census Bureau, Table 1a, Department of Commerce, USA 2013
5 Bauer, F.; K. Matzler; “Antecedents of M&A Success: The Role of Strategic Complementarity, Cultural Fit, and Degree and Speed of Integration,” Strategic Management Journal, 35(2), 2013, p. 269–291
6 Curtis, G. A.; R. Chanmugam; “Reconcilable Differences: IT and Post-merger Integration,” CSOonline, June 2005
7 Vielba, F.; C. Vielba; Reducing the M&A Risks: The Role of IT in Mergers and Acquisitions, Palgrave Macmillan, USA, 2006
8 Kettinger, W. J.; C. Zhang; D. Marchand; “CIO and Business Executive Leadership Approaches to Establishing Companywide Information Orientation,” MISQ Executive, 10:4, 2011, p. 157-174
9 Op cit, Curtis and Chanmugam
10 Khazanchi, D.; S.G. Sutton; “Assurance Services for Business-to-business Electronic Commerce: A Framework and Implications,” Journal of the Association for Information Systems, (1), 2001, p. 1-5
11 Sutton, S. G.; D. Khazanchi; C. Hampton; V. Arnold; “Risk Analysis in an Extended Enterprise Environment: Identification of Key Risk Factors in B2B E-Commerce Relationships,” Journal of the Association for Information Systems, 9(3-4), 2008, p. 153-176
12 Op cit, Tanriverdi and Uysal
13 Op cit, Bauer and Matzler
14 Merkel, P.; “IT Governance and Post-merger Systems Integration,” ISACA Journal, vol. 2, 2005
15 Op cit, Tanriverdi and Uysal
16 Op cit, Khazanchi and Sutton
17 Zollo, M.; H. Singh; “Deliberate Learning in Corporate Acquisitions: Post-acquisition Strategies and Integration Capability in U.S. Bank Mergers,” Strategic Management Journal, vol. 25, 2004, p. 1233-1256
18 Op cit, Vielba and Vielba
19 Feeny, D.; L. P. Wilcocks; “Core IS Capabilities for Exploiting Information Technology,” Sloan Management Review, 39:3, 1998, p. 9-21
20 Op cit, Kettinger, Zhang and Marchand
21 Op cit, Khazanchi and Sutton
22 Op cit, Tanriverdi and Uysal
23 Op cit, Khazanchi and Sutton
24 Sundberg, B.; Z. Tan; T. Baublits; H. Lee; G. Stanis; H. Tanriverdi; “A Framework for Conducting IT Due Diligence in Mergers and Acquisitions,” ISACA Journal, vol. 6, 2006
25 National Institute of Standards and Technology, Managing Information Security Risk, March 2011, USA
26 Ibid.
27 Ibid.
28 Op cit, Sutton, Khazanchi, Hampton and Arnold
29 Op cit, Vielba and Vielba
30 Duvall, M.; “Bank of America: When Systems Don’t Merge,” eWeek, 2003
31 Op cit, Tanriverdi and Uysal
32 Computing, “Project of the Year Awards: Royal Bank of Scotland,” September 2003
33 Shearer, B.; “Avoiding the IT Integration Blues,” Mergers and Acquisitions: The Dealmaker’s Journal, 39(11), November 2004, p. 10
34 Op cit, Khazanchi and Sutton
35 Op cit, Sutton, Khazanchi, Hampton and Arnold
36 Op cit, Khazanchi and Sutton
37 Op cit, Sutton, Khazanchi, Hampton and Arnold
38 Pikula, Deborah A.; Mergers and Acquisitions: Organizational Culture & HR Issues, IRC Press, USA, 1999
39 Op cit, Vielba and Vielba
40 Op cit, Khazanchi and Sutton
41 Op cit, Sutton, Khazanchi, Hampton and Arnold
42 Op cit, Khazanchi and Sutton
43 Op cit, Sutton, Khazanchi, Hampton and Arnold
44 Barki, H.; A. Pinsonneault; “A Model of Organizational Integration, Implementation Effort, and Performance,” Organization Science, 16:2, 2005, p. 165-179.
45 Robbins, S. S.; A. C. Stylianou; “Post-merger Systems Integration: The Impact on IS Capabilities.” Information & Management, vol. 36, 1999, p. 205-212
46 Op cit, Vielba and Vielba
47 Op cit, Tanriverdi and Uysal
48 Op cit, Shearer
49 Op cit, Pikula
50 Op cit, Kettinger, Zhang and Marchand
51 Ibid.

Deepak Khazanchi, Ph.D., is associate dean for academic affairs, community engagement and internationalization officer, and professor of information systems and quantitative analysis in the College of Information Science & Technology at the University of Nebraska (Omaha, USA). Khazanchi has served as the president of the Midwest United States Association for Information Systems and is the founding chair of the Association for Information Systems Special Interest Group for IT Project Management.

Vipin Arora is a Ph.D. candidate in IT at the College of Information Science & Technology at the University of Nebraska (Omaha, USA). He is an instructor in the College of Business at Oregon State University (USA). Arora has 10 years of teaching experience in IT-related undergraduate courses and worked professionally in the marketing domain for three years.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.