All three authors
represent PwC US
Power and Utilities. Alan
Conkle is risk assurance
leader, David Sands and
Eloisa Diaz-Insua are
risk assurance directors.
Managing Risk During M&A
Integration—A Focus on Internal Controls
By Alan Conkle, David Sands and Eloisa Diaz-Insua, PwC US
Increased economies of scale, changing generation
landscape and a national slowdown on consumption are
among the macro forces driving significant merger and
acquisition (M&A) activity in the power and utilities sector. In
this constantly shifting landscape, M&A can be a crucial tool
for the long-term survival and strategic growth of businesses
in the sector. Whether a utility is seeking exposure to higher
growth markets or selling assets to fund other investments,
the ability to extract maximum value from a transaction can
make or break the company’s success.
As highly regulated and asset-intensive businesses,
transactions in the power and utilities industry can require
long-term planning and strategic integration to optimize
returns. The integration of two companies or divestiture of a
part of the business is a significant undertaking from not only
an operational standpoint, but also from an internal controls
perspective. These transactions change the risk profile of the
company as new risks emerge and existing risks evolve during
the integration process and within the new organization.
It is critical to proactively manage the identification and
mitigation of risks related to people, processes and systems
as a core project component—it cannot be an afterthought.
All too often, companies are overwhelmed with the intricacies
and magnitude of the integration process, focused on technical
complexities and assume the control environment will be
properly addressed. While the legacy organizations are often
equipped with effective risk management and internal control
structures are rarely designed to effectively meet the needs of
the new organization. In particular, one of the main reasons
utilities can’t achieve their synergy goals is the lack of focus
on integrating and “right sizing” the control environment.
The integration process provides a unique opportunity
to take a fresh look at risks and controls, evaluating the
risk of changes across people, process and systems and
implementing controls to address these risks.
So how do successful utilities companies go about managing
integration risks? Here are the three key steps:
1. Create an organization that has the right team and
skillsets to develop and execute a risk and controls strategy.
To reduce the likelihood for overlooking risks during a
transaction, successful companies embed a controls team
within the overall project team and develop an M&A
integration strategy for risk and controls transformation.
The controls work stream is comprised of dedicated risk
and control resources with each person assigned to specific
business process and technical work streams. A risk and
controls strategy is developed to provide a guideline to govern
key decisions related to risk and controls for the resulting
organization, making it less likely for decisions to be ad-hoc and muddied by influences throughout the organization,
driving consistent decision making.
2. Allow controls team to develop and refine a risk assessment
to account for new and evolving risks and changes in
processes, embedding risk evaluation in the integration.
This risk assessment is enriched and refined during the
design process by involving key business contacts
from both companies along with dedicated
control resources (i.e., contacts from internal
audit and controls organizations) during
design workshops. This collaboration
facilitates gaining an up-front understanding
of what risks need to be addressed and how
best to build that into the future design. In
addition, it allows for risks to be treated as
other business and technical requirements. For
example, given the integration, some areas that
were previously considered immaterial might increase
in magnitude, requiring additional controls to address risks
and compliance at both the registrant and integrated company
levels. Embedding risk evaluation from the start uncovers
potential blind spots so that they are addressed, enables the
development of “built-in” control processes and facilitates