Why IT Integration Determines Whether M&A Creates or Destroys Value

The deal team focuses on commercial terms, financial projections, and legal structure. Technology appears on the risk register as a line item, not as a workstream with its own plan. The result is that Day 1 arrives before anyone has decided how email, ERP, network access, or security controls will work across the combined business.

Poorly scoped data migration is consistently the most delay-prone workstream in post-merger integration. Both ENISA and the UK NCSC identify the period of partial network integration as one of the highest-risk windows for cybersecurity incidents, with security controls from two separate organisations not yet unified across the combined estate. TSA (Transition Services Agreement) durations average 12 to 18 months and frequently run to 36 months because the IT exit plan was never properly scoped. The cost of these failures is almost always a multiple of the cost of appointing a dedicated IT integration lead before exclusivity.

“The time to appoint an IT integration lead is before exclusivity, not after close.”

The Five Phases of Post-Merger IT Integration

Starkhorn structures every IT integration across five phases. The phases are sequential but overlapping: Phase 2 begins before Phase 1 is complete.

Phase	Timing	Focus	Key output
Phase 1: Technology Due Diligence	Pre-sign / pre-exclusivity	IT and security risk assessment across the target; integration complexity scoring	Deal-shaping intelligence for price and conditions
Phase 2: Day 1 Readiness	Sign to close (typically 4-12 weeks)	Minimum viable integration for Day 1: email, network, access, critical systems	48-hour Day 1 readiness protocol
Phase 3: Stabilisation	Close to 90 days	Operational continuity; stop the risk bleeding; quick-win cost savings; security baseline	IT risk register; 90-day roadmap
Phase 4: Rationalisation	90 days to 12 months	System consolidation; vendor renegotiation; target operating model design; data migration	Technology roadmap; cost savings realised
Phase 5: Optimisation	12 months onwards	Full integration of systems and data; cultural alignment of IT teams; technology platform for growth	Integrated technology estate; capabilities for next acquisition

IT Carve-Outs: When You Are Separating, Not Integrating

A carve-out presents the inverse problem: separating shared IT systems, licences, infrastructure, and data from a parent company in a way that leaves both entities operational.

The complexity is often underestimated because carve-outs involve shared services that were never designed to be separated. Every shared system needs a decision: replicate it, replace it, or negotiate continued access via TSA. Every shared data set needs GDPR-compliant separation with ICO notification assessed for each category.

Starkhorn applies the same five-phase structure to carve-outs, adapted for the reverse direction: what does the carved-out entity need on Day 1 to operate independently, and what does the TSA need to cover while the permanent solution is built?

TSA Exit Planning: The Most Underestimated IT Workstream

A Transition Services Agreement allows the acquired or carved-out entity to continue using the seller’s IT systems under a paid arrangement for a defined period. TSA exit planning is the sequenced programme to replace each shared service with an independent one.

TSA exit is routinely underestimated because:

• Systems that appear simple to separate turn out to share databases, identity systems, or network infrastructure
• Vendor contracts require renegotiation or new agreements for the separated entity
• Data migration projects take longer and cost more than estimated
• The TSA cost clock is running while the exit is delayed: extended TSAs routinely cost GBP 500,000 to GBP 5m or more in incremental fees

Starkhorn designs TSA exit plans with sequenced dependencies at Phase 2, so the exit programme is running in parallel with Day 1 readiness, not started after close.

The CISO Dimension: Security During Integration

Integration creates security risk. Two organisations that have managed their own security postures are now sharing network access, systems, and data before either has assessed the other’s controls. A breach in the acquired entity propagates to the acquirer. A compromised credential from the selling organisation maintains access to the combined business.

The 72-hour ICO breach notification window does not pause during integration. A data breach that spans two entities across a partially integrated network is the most complex incident to manage, and the most difficult to notify correctly.

Starkhorn holds both the CIO and CISO mandates in every integration engagement, which eliminates the seam between technology integration and security governance where these risks accumulate. At VetPartners, this covered 14,000 staff and 850+ sites across nine countries. At Jardine Motors Group, it covered two major M&A transactions totalling over GBP 700m with zero FCA regulatory findings.

Post-Merger IT Integration Checklist: Phases 1 to 5

The 40-item checklist below covers the critical workstreams across all five phases. Use it to audit your integration plan.

Phase 1: Technology Due Diligence

• IT infrastructure and architecture assessed
• Cybersecurity posture reviewed
• Enterprise applications and ERP mapped
• Data protection and regulatory compliance reviewed
• IT team, vendor contracts, and MSPs assessed
• Technology spend and cost trajectory analysed
• Integration complexity scored
• Security and data risks documented for deal team

Phase 2: Day 1 Readiness

• Email and identity access plan agreed
• Network connectivity between entities designed
• Critical system access confirmed for Day 1
• TSA scope defined and agreed with seller
• Day 1 security baseline established
• Key vendor and supplier communications planned
• IT integration lead appointed with mandate
• 48-hour readiness protocol tested

Phase 3: Stabilisation (Days 1-90)

• IT risk register established
• Quick-win cost savings identified and captured
• Security vulnerability assessment completed
• Data classification and GDPR separation assessed
• Vendor consolidation opportunities identified
• Team structure and reporting lines confirmed
• Board IT risk reporting format agreed
• 90-day technology roadmap delivered

Phase 4: Rationalisation (90 days to 12 months)

• System consolidation plan approved
• ERP rationalisation scoped
• Data migration programme designed
• Vendor contracts renegotiated
• Target IT operating model designed
• TSA exit programme running to plan
• Security architecture documented for combined estate
• IT team structure finalised and operating

Phase 5: Optimisation (12 months onwards)

• Full system integration completed
• TSA fully exited
• Combined technology roadmap delivering value creation
• Data lake or single reporting platform operational
• ISO 27001 or equivalent certification programme active
• Security operations normalised across combined estate
• IT capabilities ready for next acquisition
• Benefits realisation review completed

How Starkhorn Leads Post-Merger IT Integration

Starkhorn provides interim or fractional CIO and CISO leadership for the full integration lifecycle. Daniel Jacobs has led technology across GBP 700m+ of M&A integrations across M&A integrations and carve-outs, including VetPartners (GBP 1.2bn, BC Partners) and Jardine Motors Group (GBP 2bn, two transactions).

The combined CIO and CISO mandate is the defining credential: technology integration and security governance in the same engagement, with the same person accountable to the board for both. No seam between them where risk accumulates.

Frequently Asked Questions