Managing Risk During M&A Integration-A Focus on Internal Controls

By Alan Conkle, David Sands and Eloisa Diaz-Insua, PwC US

Increased economies of scale, changing generation landscape and a national slowdown on consumption are among the macro forces driving significant merger and acquisition (M&A) activity in the power and utilities sector. In this constantly shifting landscape, M&A can be a crucial tool for the long-term survival and strategic growth of businesses in the sector. Whether a utility is seeking exposure to higher growth markets or selling assets to fund other investments, the ability to extract maximum value from a transaction can make or break the company’s success.

As highly regulated and asset-intensive businesses, transactions in the power and utilities industry can require long-term planning and strategic integration to optimize returns. The integration of two companies or divestiture of a part of the business is a significant undertaking from not only an operational standpoint, but also from an internal controls perspective. These transactions change the risk profile of the company as new risks emerge and existing risks evolve during the integration process and within the new organization.

It is critical to proactively manage the identification and mitigation of risks related to people, processes and systems as a core project component-it cannot be an afterthought. All too often, companies are overwhelmed with the intricacies and magnitude of the integration process, focused on technical complexities and assume the control environment will be properly addressed. While the legacy organizations are often equipped with effective risk management and internal control structures, these structures are rarely designed to effectively meet the needs of the new organization. In particular, one of the main reasons utilities can’t achieve their synergy goals is the lack of focus on integrating and “right sizing” the control environment.

The integration process provides a unique opportunity to take a fresh look at risks and controls, evaluating the risk of changes across people, process and systems and implementing controls to address these risks.

So how do successful utilities companies go about managing integration risks? Here are the three key steps:

1. Create an organization that has the right team and skillsets to develop and execute a risk and controls strategy.

To reduce the likelihood for overlooking risks during a transaction, successful companies embed a controls team within the overall project team and develop an M&A integration strategy for risk and controls transformation. The controls work stream is comprised of dedicated risk and control resources with each person assigned to specific business process and technical work streams. A risk and controls strategy is developed to provide a guideline to govern key decisions related to risk and controls for the resulting organization, making it less likely for decisions to be ad-hoc and muddied by influences throughout the organization, driving consistent decision making.

2. Allow controls team to develop and refine a risk assessment to account for new and evolving risks and changes in processes, embedding risk evaluation in the integration.

This risk assessment is enriched and refined during the design process by involving key business contacts from both companies along with dedicated control resources (i.e., contacts from internal audit and controls organizations) during design workshops. This collaboration facilitates gaining an up-front understanding of what risks need to be addressed and how best to build that into the future design. In addition, it allows for risks to be treated as other business and technical requirements. For example, given the integration, some areas that were previously considered immaterial might increase in magnitude, requiring additional controls to address risks and compliance at both the registrant and integrated company levels. Embedding risk evaluation from the start uncovers potential blind spots so that they are addressed, enables the development of “built-in” control processes and facilitates achieving the right control mix. This investment in the beginning of the project helps eliminate controls that are no longer needed in the new environment or are not required by a regulator after further diligence.

Embedding controls from the design phase supports the effort to further standardize, streamline and automate business processes across the organization and, ultimately, lowers the overall cost of implementing controls. The longer companies wait to implement controls, the more costly it can be. Building controls in during the design phase can be the most cost-effective. When you get to the point of go-live and system operation, implementing controls can involve retrofitting existing functionality, retesting and retraining users on new functionality and controls-all of which increases the cost.

The controls team continues to leverage internal controls throughout the integration process by testing controls as part of the overall testing process and training users in controls operation and oversight as part of the overall training effort.

Overall, risk evaluation and embedding of controls in the process from day one allow the utility to develop a more efficient and effective control environment, which drives greater achievement of synergies and successful integrations while balancing the need for speed in the transaction and transformation processes.

3. Ensure controls team proactively addresses areas requiring special attention during the integration process by considering their impact to people, processes and systems.

“- People: The controls team must understand the power of culture. They must understand that different cultures, risk tolerances and internal control processes can affect integration speed and the effectiveness of resulting business process, including adoption of new processes and controls to address the new risk profile. The controls team analyzes these differences, clearly defines risk and control objectives and develops an approach to turn “you” and “I” into “we”, therefore, facilitating the integration process. Ultimately, the risk and control resources help eliminate some of the common cultural differences and identify what needs to change in the organization to bring cultures together, driving better control execution and effectiveness for the resulting organization.

Knowing the importance of data, and the challenges that impact the user community and data integrity when data cleansing and conversion are not performed correctly, the controls team must focus on involving key business contacts who understand the data and can help develop processes for the to-be environment. Appropriate controls are implemented over cleansing, conversion and validation processes. Key business contacts provide insights on differences that affect conversion. For example, for work orders (a key input to the asset unitization process), data elements are usually different among the companies being merged. This requires cleansing existing work orders to fit the to-be data model prior to go-live to reduce issues with asset unitization down the line.

If key business contacts and control specialists are not involved and control processes are not set up outlining validation processes, these differences would not be identified until after go-live. Rectifying them at that point would be more costly and cumbersome.

“- Processes: Given the importance of certain processes (e.g., reporting) and the impact of the integration on these processes, the controls team must evaluate how key inputs are different between the companies, how these are being changed in the to-be environment and determine control requirements to deal with these during the integration and for the to-be environment. The controls team collaborates with the finance organization to develop an accounting policy playbook that evaluates differences and their impact to data conversion, transaction recording, and operational and financial reporting. Key questions the controls team asks during design to understand these differences include: How are meters classified when first recorded; are they inventory or assets? How are purchase requisitions (PRs) and orders (POs) maintained in the system? What PRs and POs need to be migrated? What is the level of detail used to make purchasing decisions, investment decisions, etc.? The controls team understands the differences between the companies and assists in the creation of harmonization routines to bridge these differences. In addition, the controls team enables the development of to-be processes based on the integrated entity’s policies and reporting requirements. Ultimately, this leads to a streamlined design of subsequent processes such as account reconciliations and automated and manual journal entries. In addition, it provides the foundation to achieve completeness and accuracy of information and reporting that management can use to make decisions.

“- Systems: The controls team must ensure that risks are addressed not only for the to-be processes but also throughout the integration by designing and implementing interim/bridge controls that leverage system functionality. Between day one and system integrations, financial and other key data from the different systems needs to be fed into the general ledger to create financial statements and other key reporting. The controls team develops system-enabled controls around account mapping and interfaces to detect and resolve issues with account mapping and data transfers, ensuring the reports are accurate and complete.

It is important for the controls team to provide the right access to systems while also restricting this access appropriately and ensuring conflicting duties are segregated during the transformation. In addition the team must integrate organization design. For these reasons, the controls team must consider access early in the process. This is achieved by developing user monitoring processes to address the risk of broad access during transition and stabilization and by resolving existing issues as part of the new process and system design. General computer controls for the transition and to-be environments are redesigned to address new and changed risks.

As a result, successful utilities can maximize value by dedicating resources to evaluate risk aligned with changes to people, process and systems dimensions, identifying unaddressed risks and mitigating actions prior to go-live.

In summary, the benefits of proper planning and embedding a controls team in the integration process can be countless. Developing a risk and controls integration strategy can drive consistent decision making. Ensuring risk evaluation and mitigation processes are in place during the integration can provide the greatest value at the lowest cost. Consider risks and controls early on in the process to define an adequate control environment for the organization during transition and after the integration. Do not allow common pitfalls to become your pitfalls. Instead, unleash the power of culture, drive adequate business involvement, understand key differences in processes and develop clear guidance to address the to-be processes. In addition, leverage system functionality and access to enable controlled processes from day one. In the end, you will have effectively managed risk and developed a strong foundation of effective controls to make the transaction a long-term success.


All three authors represent PwC US Power and Utilities. Alan Conkle is risk assurance leader, David Sands and Eloisa Diaz-Insua are risk assurance directors.

Previous articleThe Rise of Targeted Demand Management: How DR Can Reduce Need for New T&D Investment
Next articleThe Qualities That Growing Companies Share

No posts to display