Risk and compliance post-merger integration checklists

John Epperson, Tapan Shah
1/30/2023
Risk and compliance post-merger integration checklists

The weight of a bank merger or acquisition can be overwhelming. For chief risk officers (CROs), the job increases from managing risk functions to answering for the combined outcome. This increased pressure can make it difficult to see beyond the challenges of the process, and the organization could miss important opportunities.

How can CROs keep up risk and compliance management while building toward something better?

Are you ready to take control of your governance, risk, and compliance program?
Learn how a connected platform can lead to better, more informed decisions.

Identify opportunities during a bank merger

A merger is an excellent time for CROs to take a step back and consider new approaches for their risk and compliance programs. Three areas of focus include:

  • People. Effective risk and compliance monitoring relies on strong leaders and teams that can make well-informed and strategic decisions.
  • Processes. Making processes more efficient, effective, and proactive can help get organizations where they want to be instead of struggling with processes that no longer work.
  • Technology. An integrated approach to technology can help the combined organization track and prioritize new and existing critical risks with advanced, connected platforms.

This collection of post-merger integration checklists can help CROs:

After all, a merger is not just about getting larger. It’s an opportunity to assess talent, adjust culture, and implement new technology for a new approach to managing risk.

Evaluate the health of the risk program

Evaluate the health of the risk program

Poor customer experiences, potential fines, and reputational damage keep stakeholders up at night. Mergers often mean higher risk complexity, and things can spiral out of control quickly without a vigilant eye.

People

It’s crucial to empower leaders and retain talent because having the right people in place is essential for responding to critical – and sometimes murky – moments.

  • Have we empowered our leaders to make sound decisions in the face of enormous change?
  • Do our leaders share organizational values that can help guide their decision-making?
  • Are our employees equipped with the experience and training to lead programs through change?

Processes

Documented processes and policies are important, but sometimes organizations need to pivot. Being nimble and responding quickly to key risks is crucial.

  • Are our response plans sufficient for addressing various events or risks?
  • If not, do we have a playbook for the team to collaboratively solve problems?
  • Have we prescribed what key risk indicators and metrics we’re using?
  • Do we have enough coverage for an increasing number and variety of vendors?

Technology

It can be difficult to know if a platform can cover everything an organization needs, such as transaction monitoring, customer risk, sanctions screening, and governance, risk, and compliance.

  • Does our technology offer a shared approach that allows us to manage all our risk consistently?
  • Do we know where we’ll need to build out platforms or invest in new technologies?
  • Do we have all the documentation for system requirements and vendor management?
  • Have we decided what elements of technology might help provide value beyond risk and compliance obligations?

Assess new leadership, legacy processes, and technology investments

Assess new leadership, legacy processes, and technology investments

Combining two programs means it’s time to look for overlaps and potential. With the right people, processes, and technology in place, team members can focus on creative problem-solving instead of resolving fire drills.

People

Forward-thinking leaders can change how the organization thinks about risk. Choosing new team leads and communicating goals can help the organization embrace a new way of thinking.

  • Have we appointed and empowered leaders to embrace a novel approach to risk management?
  • Can we redefine roles and responsibilities to create better awareness and accountability within first-line business functions?
  • Do we know how to design reporting structures to help aspiring leaders gain experience?

Processes

It’s important to evaluate risk appetite and risk tolerance across the operations, products, services, and customers of both organizations and to align their related processes.

  • What steps are we taking to make sure we have a complete inventory of new risks and controls within the combined entity?
  • Do we understand what new risks exist and what similar risks can be combined through a consolidated enterprise inventory?
  • Have we established common taxonomies so the combined entity can talk about risk and compliance in the same way?
  • Are we aligned in our separate risk appetite and tolerance statements to support integration and decision-making?

Technology

The first step toward more effective compliance is understanding how technology can support the manual processes in both organizations.

  • Did we determine which technology platforms deliver the best insights using the highest quality information?
  • Have we inventoried the combined risk and compliance technology capabilities and ways they might create value and insights beyond the risk and compliance function?
  • Have we had conversations with both first- and second-line personnel to assess the usability of risk and compliance technology?
  • Did we outline which systems and plug-ins we should upgrade and which we should sunset?

Review the business continuity plan

Review the business continuity plan

Even CROs with a vision still must maintain day-to-day business. New offerings, services, markets, geographies, and customers bring new expectations to be managed through the merger, so a solid business continuity plan is critical.

People

Staffing challenges can crop up in your compliance team as risk management expands.

  • Have we identified risk management and technology skill set gaps that might exist after the merger?
  • Do we know what functions and skills exist outside of the risk and compliance team that could fill those gaps?
  • Have we designed ongoing methods to assess the necessary level of staffing?

Processes

Monitoring losses and incidents, key risk exposures, and early warning indicators take on a new level of difficulty with an influx of factors.

  • Are there conflicting policies and procedures that we need to address for risk mitigation and reporting?
  • Will our combined entity have a set of key principles to apply when conflicting policies or procedures arise?
  • Do we have testing to determine if controls are sufficient to handle the complexity and volume of the combined entity?

Technology

Connecting internal technologies isn’t always smooth. It’s important to know ahead of time where conflicts and gaps could occur.

  • Have we inventoried the data integrations we need to develop because of the differences between systems?
  • Are there interim controls to implement so that system data is accurate and complete?
  • Do we have processes in place to prepare for any potential downtime of our technology platform?
  • Are technology systems compatible until we can make changes or upgrades?

Evaluate risk culture and oversight

Evaluate risk culture and oversight

From methodologies to technologies, CROs will need to find common ways of cataloging and defining risk across different products, services, and audiences.

People

Teams can work better when aligned with updated policies, uniform monitoring, and properly allocated resources.

  • Are there gaps in personnel qualifications or misperceptions in our combined risk program?
  • Is there a strategy in place to help business operations view the risk and compliance team as a trusted adviser?
  • Have we spent time with the first-line business personnel to take ownership of risk and compliance?
  • Is there an organizational understanding of how risk and compliance supports decision-making in the face of change?

Processes

It’s important to understand where risk goals overlap and gaps exist across operations, products, services, and customers.

  • Have we assessed which areas of risk and compliance are highly ineffective or inefficient?
  • Do we know what key processes could benefit from a new or automated process?
  • Are there existing capabilities outside of the risk and compliance function that could solve some of these challenges?

Technology

A merger is an excellent opportunity to assess the maturity of risk management platforms and develop a plan for more collaborative, big-picture compliance.

  • Do we have a plan for challenging risk and compliance workflows to be more effective and efficient?
  • Is there a path for existing risk and compliance technology to provide value in other parts of the organization?
  • Will our technology solution scale beyond second-line efforts into first-line efforts?

Strategize meetings with the board

Strategize meetings with the board

It’s important for stakeholders to know where merger progress stands, so CROs must have up-to-date and accurate reporting to present to the board. Getting buy-in for investments and adjustments relies on hitting benchmarks and supporting progress with data.

People

Showing how a unified approach aligns to the bank’s greater goals can help garner support from the board.

  • Have we defined a desired outcome to all the stakeholders?
  • Do employees understand how individuals can contribute to those larger, strategic outcomes?
  • Who are the aspiring leaders who could take on new roles and functions and inspire the organization?
  • Have we assigned accountability for reporting elements of the merger?

Processes

Process reviews show where improvements could help the board make more informed, effective decisions regarding the merger.

  • Will new approaches to risk and compliance align with the overall strategy?
  • Have we collectively defined and agreed to desired outcomes and performance and risk indicators?
  • How will we measure integration success in the short and long terms?

Technology

Technology can offer transparent reporting with the most up-to-date results and information for board review.

  • Have we identified the most critical reporting requirements to make sure we are focusing on the biggest risks?
  • Have we defined our risk and compliance obligations and decided how our platforms will track and communicate them?
  • Have we outlined a process for testing, assurance, and reporting to support risk and compliance data integrity?
Is your AML program ready for a merger or acquisition?
See how to lay the groundwork for successful integration.

Crowe can help you find the opportunity amid change

We can show you how a bank merger can be an opportunity for program enhancements that improve efficiency and increase effectiveness.
John Epperson
John Epperson
Chief Risk Officer
Tapan-Shah-Social
Tapan Shah
Principal, Financial Services Consulting