Mergers and Acquisitions

Effective Ethics and Compliance Due Diligence during Mergers and Acquisitions

By Kasey T. Ingram, JD, CCEP[1]

If you are reading this article, excitement likely awaits. Your company has decided to grow through a merger or acquisition. Wealth, fame, and happiness are just around the corner! Well, maybe not. Nothing is ever as rosy as it seems, and buyer’s remorse can certainly set in.

Your job as a compliance professional is to help minimize that buyer’s remorse by taking reasonable steps to ensure that your company does not “buy” into somebody else’s mistakes. This article will provide some practical steps and tips that can be taken to give your company stronger assurance that its new toy is at least nontoxic and safe to use.

Reasons for Ethics and Compliance Due Diligence

A buyer should take steps to know what they are buying through a process commonly referred to in the mergers and acquisitions (M&A) world as compliance due diligence. Ignoring or minimizing this important process can certainly have disastrous consequences for the buyer in both the short and long term.

The example of Goodyear Tire and Rubber Co. and the company’s failure to perform compliance due diligence,[2] along with many others, have led governments throughout the world to require M&A compliance due diligence as part of an effective ethics and compliance program. (“Goodyear did not detect or prevent these improper payments because it failed to conduct adequate due diligence when it acquired Treadsetters and failed to implement adequate FCPA compliance training and controls after the acquisition.”) For example, the U.S. Department of Justice issued insights in June 2020 specifically calling out mergers and acquisitions as important considerations when evaluating the effectiveness of a company’s ethics and compliance program:

A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.

The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.

  • Due Diligence Process – Was the company able to complete pre-acquisition due diligence and, if not, why not? Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?

  • Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?

  • Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?[3]

Brazil has also required similar actions as part of its anti-corruption law, which requires “due diligence in corporate and M&A transactions” as one of the elements of an effective compliance program.[4]

It is clear from these recent developments that any company contemplating an M&A transaction now and in the future can no longer ignore its responsibility to conduct meaningful due diligence as a part of its overall efforts. Not only is it becoming a common enforcement consideration, but more importantly, it just makes good business sense.

The compliance and ethics professional serves as an invaluable partner in the organization to help bring the compliance due diligence process to life and make it meaningful.

Prepping Your Internal Partners

Ideally, you will be notified in advance when your company has decided to go shopping. Many companies form specific M&A teams who do nothing but evaluate and execute potential deals. You need to know that team.

If, for some reason, you are not notified, do not worry. This article addresses how to conduct due diligence after the fact in the “Post-Acquisition Integration” section. Since due diligence after the fact mirrors pre-acquisition due diligence, however, you should definitely keep reading.

You also may not be invited to join the M&A team. Do not wait for an invite. Approach the M&A team and ask for a meeting. As will be explained, a business case exists for compliance due diligence.

Assuming that your company has an M&A team, schedule a brief training session with the M&A team before the deals start pouring in. Brief the team on the need for compliance due diligence and the basic process for performing that due diligence. An easy way to do that is to consider leveraging the business case and talking points set forth in this article as a potential outline for your training.

Your company may not have a formal M&A team. There will likely, however, be a point person running the deal. There is also often a member of the legal department assigned to the deal. If there is no formal M&A team, approach those two individuals and ask for a meeting to explain your role in the process and how it will assist their efforts. I recommend using that opportunity to push for a formal M&A team to conduct due diligence. At the very least, the core employees running the deal should be treated as an M&A team for purposes of compliance due diligence. You may require assistance in building this team. I have found that both internal audit and legal departments can be great allies in this process.

Buy-in from the M&A team often requires exerting some influence and providing education on the objectives and overall benefits of compliance due diligence. Importantly, it may also include providing examples where compliance failures have arisen with other companies along with the impact that those failures had to the bottom line.

The following outline is a good example of some key topic areas and considerations to include in your training materials.

Objectives of Compliance Due Diligence

  • Define the target company’s compliance risk profile.

  • Uncover red flags.

  • Uncover past or ongoing violations in key areas, such as:

    • Anti-bribery laws

    • Antitrust regulations

    • Data protection rules

    • Trade regulations

    • Worker safety requirements.

  • Determine the impact of any potential issues and either address the issue or recommend exiting the deal.

  • Once consummated, integrate the new company into your company’s ethics and compliance program.

Do not expect the M&A team to just roll over and do what you want. Corporate dealmakers tend to be tough. You will likely get pushback and difficult questions. Be tough right back. If you wilt, you will fail. Respect matters, and the M&A team will likely not respect you if you don’t stand firm for your right to be involved. You are not asking permission. You are telling the M&A team that you have a job to do, and here is how they will help you do it. Do not make this seem optional.

Typically, M&A teams have enough experience and aversion to risk that they quickly adopt the idea of ethics and compliance due diligence. If that does not happen, you may need to seek assistance from executive management or other ethics and compliance champions in your organization to influence the M&A team. If that fails as well, please see the “Post-Acquisition Integration” section of this article regarding due diligence after the deal closes. You also may want to check out the SCCE Job Board[5] to see if there are any openings with a company that is more invested in ethics and compliance.

Once the M&A team better understands the objectives and benefits, the next step is to establish who on the M&A team will be assisting your team—the ethics and compliance, or E&C, team—with ethics and compliance due diligence efforts during the M&A process. Remember, you cannot quit your day job. Members of the M&A team are typically relieved from their regular duties to focus exclusively on M&A. You, however, will likely still be expected to carry out your normal day-to-day role. Unless you have a large and heavily resourced E&C department, your team cannot be the arms and legs of this endeavor. Instead, the E&C team’s role should be focused on oversight and analysis. The grunt work of ethics and compliance due diligence needs to be performed by others for this process to succeed. Identify contacts within the M&A team and other functional groups in the organization (human resources, information technology, etc.) that can partner and help to gather needed information, assist in serving as an interface with the target company when needed, and serve as a liaison between the M&A and the E&C teams. These strategic partners are essential to the overall success of your efforts and should be leveraged throughout the process.

At this time, you should also partner with the member of the legal department assigned to the M&A team to address any legal issues that may arise throughout the ethics and compliance due diligence process. Companies engaged in M&A typically manage the process, including due diligence, under attorney–client privilege. Ensure you are partnering with counsel as appropriate to properly maintain privilege throughout your engagement. If for some reason the M&A transaction is not being directed under privilege, you should ask your company’s general counsel for further guidance on your activities.

As potential legal issues become visible during the ethics and compliance due diligence process, the legal liaison should be immediately contacted to provide legal advice regarding that issue. Not only does that ensure that the company is protected from a legal perspective, it will also likely allow privilege to apply to those communications so that a proper discussion and analysis of the issue can occur without harming the company.

Bottom Line: Failure to conduct meaningful ethics and compliance due diligence could turn a profitable deal into a disaster for your company. Even if the issues found during the ethics and compliance due diligence process do not create legal concerns, there could be ethical, reputational, branding, or other concerns that might harm your company. It is far better to know before you buy than to suffer the consequences and be forced to pay for it later.

Know the Deal

Once the deal has been identified, the E&C team should work with the M&A team, the legal team, risk management, and others (internal audit, human resources, information technology, etc.) within the company to determine the risk profile. Key factors typically considered to determine those risks include:

  • Nature of transaction:

    • What is the end goal for your company in this deal?

    • Is your company paying in cash or stock?

    • Is your company assuming any particular liabilities?

    • What risks have been identified so far regarding this type of transaction?

  • Industry:

    • Is your company already in this industry, or is it a new area?

    • Is the industry highly regulated?

    • Is the industry currently a target of government scrutiny?

  • Target specific:

    • Is the target a competitor?

    • Has the target been known to have issues?

    • What is the target’s history?

These questions help determine what kinds of risks your company will assume. Your team needs to identify both known problems and potential sources for unknown problems. For example, purchasing stock typically means purchasing all the liabilities that existed before the target company was bought. Many deals specifically include/exclude certain liabilities. Those need to be known. If the target is known by your company (such as a competitor), that can also prove helpful in identifying known or potential risks.

Also, entering into a new industry can add greater risk to the organization. New industries present new risks that may not be evident when conducting due diligence. If this is the case, specialized help may be necessary to ensure that your team knows exactly what questions to ask and/or materials to review.

Once the risk profile has been established, the team that helped develop the risk profile should conduct a risk assessment. If possible, leverage an existing risk group/risk committee within your company to assist with this process. The purpose of this assessment is not to mitigate the risk. Instead, the assessment determines the probability and potential impact of the identified risks of the target company to the organization, prioritizing those risks, and including these considerations as part of the M&A transaction. This assessment may change based on information obtained from the target company through the use of due diligence checklists.

Due Diligence Checklists

Once the risk profile and risk assessment of the target company have been completed, the next step is to develop due diligence checklists from that risk assessment. These due diligence checklists allow the M&A team to gather the information the E&C team needs to assess the ethics and compliance risks associated with the merger or acquisition. A separate due diligence checklist will need to be prepared for each identified risk, along with general due diligence checklists to determine the nature and scope of the target company’s ethics and compliance program.

Simple is always preferred over complex. As stated earlier, the M&A team will be carrying the laboring oar during this part of the ethics and compliance due diligence process. Do not expect your M&A team to be compliance nerds. Due diligence checklists allow the M&A team to obtain information from the target company and return it to the E&C team in a format that allows for quick evaluation. Due diligence does not end at checklists, but they are a great place to start. Due diligence checklists also provide a uniform, repeatable, and consistent format to gather information and spot potential ethics and compliance issues.

Each due diligence checklist needs to include its purpose and short instructions on how to use it. Table 1: Sample due diligence checklist

Instructions: M&A Transactions—Ethics and Compliance Due Diligence Checklists

Purpose:

During the due diligence phase of a merger or acquisition (M&A), this checklist should be used to determine and identify specific ethics and compliance risks that should be investigated further for the categories indicated in the table of contents.

Instructions:

For each category listed below, request responses and related materials from the potential M&A target (target company) for each of the questions and inquiries set forth in the checklist. When a specific response references and/or requires additional documentation to validate it, request those additional materials from the target company as applicable. After completing the checklist and obtaining any requested documentation, forward the materials to the chief compliance officer, or any appropriate designee, for review. The E&C team will review the checklist and follow up with the M&A team should any issues arise that require further review or information gathering

Very few professionals are experts in every area. It is important to leverage expertise across your team and functional partners in the organization to ensure checklist responses and materials provided are properly reviewed and evaluated. When outside expertise is needed, don’t be afraid to seek out and leverage this support. To help control costs, it is recommended that the E&C team prepare the initial draft due diligence checklist for each risk area. Doing so will allow the E&C team to control the tone, structure, and depth of the due diligence checklists. Then, once the initial draft is complete, ask an outside expert for that specific risk area to review for gaps, omissions, and errors.

Table 2: Sample ethics and compliance due diligence checklist

General ethics and compliance program

1.

Does the company have a code of ethics?

Yes (if yes, ask for copy)

No

2.

Does the company provide code of ethics training to its employees?

Yes

No

3.

If yes, how often does the company provide training?

4.

Does the company keep records of its training?

Yes (if yes, ask for copies of attendance records)

No

5.

Does the company provide a hotline for its employees to report concerns or ask questions?

Yes

No

6.

If yes, how many hotline reports were received in each of the last three years?

7.

If yes, how does the company publicize the hotline?

8.

If yes, is the hotline accessible in all countries where the company has employees?

Yes

No

9.

If yes, is the hotline available in all languages spoken by the company’s employees?

Yes

No

10

If yes, do the employees have the option to report anonymously?

Yes

No

11.

If no, what other mechanisms exist for employees to report concerns or ask questions?

12.

Obtain copies of all compliance risk assessments conducted during the past five years.

As stated above, completing the due diligence checklist just starts the process. Once completed, someone from the E&C team should review the checklist responses and related documentation for each risk area and determine what follow-up activity is needed.

The M&A team is not likely to know the potential impact and likelihood of a given response. For example, not having an anti-corruption policy does not mean that the target company bribes foreign officials. It does mean, however, that the target company likely does not know whether such corruption occurs in its organization. Further investigation will likely be necessary to obtain an appropriate comfort level before pulling the trigger on the deal. The E&C team will need to lead those efforts and leverage the appropriate experts when needed.

Once all due diligence checklists are completed and evaluated for each risk area, the E&C team needs to conduct a review and assessment of the response. Further information and/or investigation may be required. Additionally, the legal liaison should be involved in any response that implicates a potential legal concern, as discussed earlier. This will allow the E&C team to understand any potential legal risks while, in most cases, simultaneously protecting those discussions under the attorney–client privilege.

The E&C team should report all responses, findings, and considerations to the M&A team. This reporting should include final recommendations on options available, which typically include:

  • closing the deal;

  • requiring remediation before the deal closes;

  • closing the deal with a mitigation plan ready to be enacted once the deal is complete; or

  • canceling the deal.

The M&A team, in conjunction with the E&C team, should then present these findings and recommendations to the appropriate decision makers within the acquiring company.

It can certainly be difficult when the final recommendation is “no deal,” but sometimes there is no other option to ensure the company is protected. In many cases, however, appropriate mitigation and/or remediation of the identified risks may cure the related challenges and allow the deal to move forward. If mitigation and/or remediation is a viable and acceptable option, the E&C team needs to ensure that post-acquisition integration efforts include such activities as a priority.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 

About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings