Risk Management - Mergers & Acquisitions 

Acquisition risk management is a process that helps organizations identify, assess, and manage risks that may arise during the acquisition of another company. By identifying and managing these risks, organizations can minimize the potential for negative impacts on the business.

Risk Analysis

Security risk analysis, otherwise known as a risk assessment, is fundamental to the security of Business. It is essential to reasonably ensure that controls and associated expenditures are fully commensurate with the risks to which Business.  is exposed.

Businesses will regularly review information systems, business systems, document storage and usage, staffing, and facilities (identified as assets) to identify risks to data maintained by the Business and risks to Business operations. The risk analysis will include the following:

  • a review of policies, procedures, and implemented security safeguards,

  • installation and maintenance of information systems

  • review and audit of information systems

  • human resource practices related to hiring, termination, and sanctions procedures

  • facility controls

  • potential for fraudulent activities in the system

  • exposure to identity theft

  • any other relevant areas

A risk analysis will provide the baseline for ongoing information security efforts.

Management shall define specific criteria for critical confidential data.

For any vulnerabilities identified during the risk analysis/assessment process, the Business will determine the associated risks and develop action plans to mitigate those risks including, but not limited to patching vulnerable systems and/or applying other control activities

Risk Analysis

Management’s definitions of applicable criteria for types of data can be found in the “Introduction” section of these policies and procedures.

Businesses will complete a risk analysis of all assets used to collect, store, process, or transmit confidential data. The business will also include an assessment of the risks associated with the usage of non-electronic confidential information. This includes an assessment of information systems, business systems, document storage, and usage, staffing and facilities (including portable devices and media; assets), and existing security safeguards. Businesses will complete a physical risk analysis for all facilities.

Risk Assessments

The risk assessments shall include the steps necessary to analyze assets to determine threats and vulnerabilities and establish security safeguards to determine if they are adequate to protect against identified risks and vulnerabilities.

A formal risk assessment (whether by external or internal means) will be completed at least annually, after a serious incident, or when any major system or business changes occur. The Security Officer is responsible for:

  • Conducting and/or overseeing the assessment

  • Analyzing the results

  • Reporting results to management

  • Assisting management in developing a risk mitigation plan and determining which risks will be accepted

  • Documenting the results of the risk assessment and planning mitigation

All documentation will be retained for a minimum of six years.

The following steps will be followed when conducting a risk assessment:

  • Prioritized inventory of system assets (hardware, software, facilities, etc.)

  • Identification of information owners (electronic and non-electronic data)

  • Identification of workforce members with access to stored data by hardware/software

  • Mapping data flow

  • Conducting an inventory of data storage (including non-electronic data)

  • System characterization (e.g., mission-critical, important, ancillary, etc.)

  • Vulnerability identification

  • Threat identification

  • Security control analysis

  • Likelihood determination (e.g., how likely will an identified threat or vulnerability impact the organization given existing security controls)

  • Identification of relevant patterns, practices, or specific activities that indicate possible identity theft

  • Impact analysis (e.g., what is the cost if an identified threat or vulnerability impacts the organization given existing security controls)

  • Risk determination (based on likelihood and impact)

  • Risk mitigation plans/treatments shall consider industry or organizational laws, regulations or standards, or other priorities, cultural fit, IT policy and strategies, risk strategies, cost-effectiveness, type of protection, threats covered, risk levels, existing alternatives, and additional benefits derived from the treatment.

  • Results Documentation (includes mitigation plan and documentation of risks that will be accepted by the organization such as threats or vulnerabilities that will likely impact the organization and with a low impact cost)