Oyster IMS develops a structured M&A due diligence information management assessment programme for a leading Irish pharmaceutical specialist.
Overview
Uniphar is a trusted global partner to pharma and medtech manufacturers, working to improve patient access to medicines in Europe and around the world, providing outsourced and specialised services. Headquartered in Dublin, Uniphar’s continued growth comes through strong relationships with 200+ of the world’s best known pharmaco-medical manufacturers across multiple geographies.
The growth has been supplemented by a regular cadence of acquisitions since 2015. In recent years, multiple new businesses have been acquired each year and integrated into the Uniphar business to a greater or lesser extent.
While a structured due diligence process has been in place, there was a growing understanding of the risks being introduced by the varied information management landscapes that were being integrated with Uniphar’s processes and infrastructure.
Challenge
Uniphar recognised the need to improve their information security stance and maturity, to demonstrate active compliance while mitigating information risks. They concluded that they needed an information risk framework and structure, and felt that an iterative approach would be more effective than undertaking a single large project.
Solution
After agreeing scope with the Uniphar team, Oyster IMS performed a small sequence of workshops with the executive team from the target company to obtain copies of all existing information management related policies and procedures and to talk through the application of these policies.
The company was assessed at a high level against GDPR and against best practice information security guidelines (as appropriate for the company size) and a report was prepared, shared with and presented to the due diligence team in Uniphar. For the initial acquisition target, no follow-up was needed from the initial report.
When risks and issues are identified and detailed in the Assessment report, Uniphar discuss and review them before deciding if a more focussed analysis is required. These pieces of work are entirely dependent on the specific risk or issue that needs more attention, but ideally they are attempted before the deal closes, or have an approved justification for carrying over into the post-close process.
Future acquisition targets will be analysed and assessed using a more developed methodology designed and agreed by the Uniphar and Oyster IMS teams working together. This methodology will include the utilisation of an information security framework that can extend to verification of granular details if the size and type of the acquisition target justifies it.
Uniphar also requested support around ISO 27001 for a previously acquired business. Oyster IMS performed a Gap Analysis of the business over a four-week period, providing a report that included an initial plan to progress towards certification.
Oyster IMS were subsequently contracted to assist the business in achieving ISO 27001 certification and worked closely with the executive team to drive and support the internal work required to prepare for this.
Results
“Oyster IMS are the subject matter experts we needed, giving us sound and articulate advice, that was relatable to our business audience.
We were presented with concise and measured reports, that clearly outlined the risk impact of any issues, and allowed us to have board level conversations with the right analysis to make valuable and informed decisions.”
HUGH MCDONNELL, Chief Technology Officer, Uniphar
InfoSec improvements will deliver huge efficiencies for Uniphar’s due diligence processes, giving these valuable benefits to their system of acquisition assessments:
Uniphar now have a data privacy and information security assessment process built into their broader due diligence process, from where they can request deeper examination of any identified specific risks or risk areas, or they can factor the analysis into their acquisition integration plans.
This process is triggered for every new acquisition that Uniphar are preparing to purchase, or for organisations that they need to assess in greater detail before deciding to acquire the business.
They have undergone a full ISO 27001 assessment and implementation on one of their recent acquisitions. When certified, this will significantly increase the speed of due diligence processes carried out by potential customers, and reduce the time taken for the business unit to respond to RFT questionnaires for new opportunities.
From an internal perspective, this improvement in their processes, procedures and controls also hugely reduces the business’s exposure to operational information risk.