The 90-day playbook
M&A has a peculiar talent for turning perfectly rational plans into a fog machine. On Day 1, the deal is done. On Day 10, people cannot access what they need. On Day 25, someone discovers that “temporary” workarounds have become the new normal. On Day 60, the business starts asking why productivity dipped. On Day 90, everyone is tired, and the integration story is already being rewritten as “more complex than expected.”
I try to keep one idea front and center: in the first 90 days, the goal is confidence, not elegance. Most of the value you will ever create later depends on whether people can work, whether access makes sense, and whether risk is being reduced rather than redistributed.
Michael Watkins says it better in The First 90 Days: “Early wins excite and energize people and build your personal credibility.” For tech integration, “early wins” have a very concrete meaning. They are not shiny product launches. They are boring, visible stabilizers that remove uncertainty from daily work.
The boring part is also the expensive part. Integration itself costs real money, and companies have been spending more on it. PwC’s 2023 M&A Integration Survey notes that 59% of companies spent 6% or more of deal value on integration in 2022. That spending only makes sense if the first 90 days prevent value leakage, because a surprising portion of synergy capture depends on IT execution. McKinsey has long pointed out that 50% to 60% of synergy initiatives are strongly related to IT. So here is the playbook I fall back on, structured around four foundations: identity, workplace, security baseline, and communications, with a cadence that keeps decisions moving.
Days 1–30: Stabilize access and reduce ambiguity
The first problem to solve is identity. Who can log in, to what, from where, and with which level of assurance. If identity is unclear, everything else becomes a mess, and the mess spreads fast. People will create their own solutions, which usually means shared passwords, shadow accounts, and a security team quietly losing sleep.
I aim for a pragmatic target: a minimum viable identity bridge. Single sign-on where possible, federated access where needed, and a clear rulebook for admin accounts. If you do nothing else in the first month, make access predictable and auditable. In parallel, I focus on the workplace layer, because that is where friction becomes visible to everyone. Mail, calendar, Teams or equivalent collaboration, and basic file access. If daily collaboration is painful, the organization starts narrating the integration as failure, even if the backend work is excellent.
This is also where I enforce a basic principle: no one should be wondering which tool to use for the same action depending on which legacy entity they belong to. People tolerate change. They do not tolerate arbitrary inconsistency.
Days 31–60: Establish the security baseline and decision rights
This is the phase where security cannot remain a side topic. M&A expands the attack surface by definition. New endpoints, new networks, new suppliers, new habits, and plenty of well-meaning improvisation. Trying to “harmonize everything” at this stage is unrealistic, but establishing a baseline is not optional.
Baseline means a few non-negotiables: patch posture, endpoint protection, privileged access controls, logging coverage, and segmentation priorities. It also means visibility. You cannot manage what you cannot see, and early visibility buys time.
This is also the moment to make decision rights explicit. During a crisis, the most dangerous thing is hesitation caused by unclear authority. Who can isolate a region. Who can disable an integration. Who can shut down an app that is bleeding data. Who owns external communications when facts are incomplete.
Watkins has another line I like because it is painfully true in integration work: “Secure early wins. Early wins build your credibility and create momentum.” In month two, credibility often comes from making a few hard calls quickly and explaining them clearly, rather than letting uncertainty drag on.
Days 61–90: Make it feel like one company, at least in how it works
This is where communications stop being “updates” and start being integration infrastructure. Silence creates speculation. Overconfidence creates distrust. What works is a predictable cadence that tells people what is stable, what is changing, what is temporary, and what is not decided yet. It sounds simple. It requires discipline.
I also push for a light operating model statement early, because it prevents endless debates later. PwC’s work on successful integrations notes that long-term operating models were planned during deal screening in 40% of successful integrations versus 27% for others.
That delta is not about theory. It is about avoiding drift and conflicting interpretations of “who owns what now.”
By day 90, the goal is not full harmonization. The goal is that people have stopped asking basic questions like “which identity do I use,” “which device rules apply,” “who approves access,” and “who do we call when something breaks.” When those questions disappear, productivity returns and trust starts compounding.
What this playbook deliberately postpones
I usually delay the big rationalization debates. Application consolidation. Data model harmonization. Process redesign. Those are real, valuable, and often politically explosive. They belong to the next phase, when the foundation is stable and people are no longer operating in survival mode. The first 90 days are for building confidence through visible reliability.
If you get identity right, stabilize the workplace, define a security baseline, and run communications as a system, you create the conditions for the harder work to succeed. If you skip those, you will still do the harder work, but you will do it while firefighting, and the bill will be higher. And yes, that is the boring truth of tech integration. Boring is good. Boring is what allows a merged company to actually move.
