If you are reading this article, excitement likely awaits. Your company has decided to grow through a merger or acquisition. Wealth, fame, and happiness are just around the corner! Well, maybe not. Nothing is ever as rosy as it seems, and buyer’s remorse can certainly set in.
Your job as a compliance professional is to help minimize that buyer’s remorse by taking reasonable steps to ensure that your company does not “buy” into somebody else’s mistakes. This article will provide some practical steps and tips that can be taken to give your company stronger assurance that its new toy is at least nontoxic and safe to use.
Reasons for Ethics and Compliance Due Diligence
A buyer should take steps to know what they are buying through a process commonly referred to in the mergers and acquisitions (M&A) world as compliance due diligence. Ignoring or minimizing this important process can certainly have disastrous consequences for the buyer in both the short and long term.
The example of Goodyear Tire and Rubber Co. and the company’s failure to perform compliance due diligence,[2] along with many others, have led governments throughout the world to require M&A compliance due diligence as part of an effective ethics and compliance program. (“Goodyear did not detect or prevent these improper payments because it failed to conduct adequate due diligence when it acquired Treadsetters and failed to implement adequate FCPA compliance training and controls after the acquisition.”) For example, the U.S. Department of Justice issued insights in June 2020 specifically calling out mergers and acquisitions as important considerations when evaluating the effectiveness of a company’s ethics and compliance program:
A well-designed compliance program should include comprehensive due diligence of any acquisition targets, as well as a process for timely and orderly integration of the acquired entity into existing compliance program structures and internal controls. Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
The extent to which a company subjects its acquisition targets to appropriate scrutiny is indicative of whether its compliance program is, as implemented, able to effectively enforce its internal controls and remediate misconduct at all levels of the organization.
-
Due Diligence Process – Was the company able to complete pre-acquisition due diligence and, if not, why not? Was the misconduct or the risk of misconduct identified during due diligence? Who conducted the risk review for the acquired/merged entities and how was it done? What is the M&A due diligence process generally?
-
Integration in the M&A Process – How has the compliance function been integrated into the merger, acquisition, and integration process?
-
Process Connecting Due Diligence to Implementation – What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post-acquisition audits, at newly acquired entities?[3]
Brazil has also required similar actions as part of its anti-corruption law, which requires “due diligence in corporate and M&A transactions” as one of the elements of an effective compliance program.[4]
It is clear from these recent developments that any company contemplating an M&A transaction now and in the future can no longer ignore its responsibility to conduct meaningful due diligence as a part of its overall efforts. Not only is it becoming a common enforcement consideration, but more importantly, it just makes good business sense.
The compliance and ethics professional serves as an invaluable partner in the organization to help bring the compliance due diligence process to life and make it meaningful.
Prepping Your Internal Partners
Ideally, you will be notified in advance when your company has decided to go shopping. Many companies form specific M&A teams who do nothing but evaluate and execute potential deals. You need to know that team.
If, for some reason, you are not notified, do not worry. This article addresses how to conduct due diligence after the fact in the “Post-Acquisition Integration” section. Since due diligence after the fact mirrors pre-acquisition due diligence, however, you should definitely keep reading.
You also may not be invited to join the M&A team. Do not wait for an invite. Approach the M&A team and ask for a meeting. As will be explained, a business case exists for compliance due diligence.
Assuming that your company has an M&A team, schedule a brief training session with the M&A team before the deals start pouring in. Brief the team on the need for compliance due diligence and the basic process for performing that due diligence. An easy way to do that is to consider leveraging the business case and talking points set forth in this article as a potential outline for your training.
Your company may not have a formal M&A team. There will likely, however, be a point person running the deal. There is also often a member of the legal department assigned to the deal. If there is no formal M&A team, approach those two individuals and ask for a meeting to explain your role in the process and how it will assist their efforts. I recommend using that opportunity to push for a formal M&A team to conduct due diligence. At the very least, the core employees running the deal should be treated as an M&A team for purposes of compliance due diligence. You may require assistance in building this team. I have found that both internal audit and legal departments can be great allies in this process.
Buy-in from the M&A team often requires exerting some influence and providing education on the objectives and overall benefits of compliance due diligence. Importantly, it may also include providing examples where compliance failures have arisen with other companies along with the impact that those failures had to the bottom line.
The following outline is a good example of some key topic areas and considerations to include in your training materials.
Objectives of Compliance Due Diligence
-
Define the target company’s compliance risk profile.
-
Uncover red flags.
-
Uncover past or ongoing violations in key areas, such as:
-
Anti-bribery laws
-
Antitrust regulations
-
Data protection rules
-
Trade regulations
-
Worker safety requirements.
-
-
Determine the impact of any potential issues and either address the issue or recommend exiting the deal.
-
Once consummated, integrate the new company into your company’s ethics and compliance program.
Do not expect the M&A team to just roll over and do what you want. Corporate dealmakers tend to be tough. You will likely get pushback and difficult questions. Be tough right back. If you wilt, you will fail. Respect matters, and the M&A team will likely not respect you if you don’t stand firm for your right to be involved. You are not asking permission. You are telling the M&A team that you have a job to do, and here is how they will help you do it. Do not make this seem optional.
Typically, M&A teams have enough experience and aversion to risk that they quickly adopt the idea of ethics and compliance due diligence. If that does not happen, you may need to seek assistance from executive management or other ethics and compliance champions in your organization to influence the M&A team. If that fails as well, please see the “Post-Acquisition Integration” section of this article regarding due diligence after the deal closes. You also may want to check out the SCCE Job Board[5] to see if there are any openings with a company that is more invested in ethics and compliance.
Once the M&A team better understands the objectives and benefits, the next step is to establish who on the M&A team will be assisting your team—the ethics and compliance, or E&C, team—with ethics and compliance due diligence efforts during the M&A process. Remember, you cannot quit your day job. Members of the M&A team are typically relieved from their regular duties to focus exclusively on M&A. You, however, will likely still be expected to carry out your normal day-to-day role. Unless you have a large and heavily resourced E&C department, your team cannot be the arms and legs of this endeavor. Instead, the E&C team’s role should be focused on oversight and analysis. The grunt work of ethics and compliance due diligence needs to be performed by others for this process to succeed. Identify contacts within the M&A team and other functional groups in the organization (human resources, information technology, etc.) that can partner and help to gather needed information, assist in serving as an interface with the target company when needed, and serve as a liaison between the M&A and the E&C teams. These strategic partners are essential to the overall success of your efforts and should be leveraged throughout the process.
At this time, you should also partner with the member of the legal department assigned to the M&A team to address any legal issues that may arise throughout the ethics and compliance due diligence process. Companies engaged in M&A typically manage the process, including due diligence, under attorney–client privilege. Ensure you are partnering with counsel as appropriate to properly maintain privilege throughout your engagement. If for some reason the M&A transaction is not being directed under privilege, you should ask your company’s general counsel for further guidance on your activities.
As potential legal issues become visible during the ethics and compliance due diligence process, the legal liaison should be immediately contacted to provide legal advice regarding that issue. Not only does that ensure that the company is protected from a legal perspective, it will also likely allow privilege to apply to those communications so that a proper discussion and analysis of the issue can occur without harming the company.
Bottom Line: Failure to conduct meaningful ethics and compliance due diligence could turn a profitable deal into a disaster for your company. Even if the issues found during the ethics and compliance due diligence process do not create legal concerns, there could be ethical, reputational, branding, or other concerns that might harm your company. It is far better to know before you buy than to suffer the consequences and be forced to pay for it later.
Know the Deal
Once the deal has been identified, the E&C team should work with the M&A team, the legal team, risk management, and others (internal audit, human resources, information technology, etc.) within the company to determine the risk profile. Key factors typically considered to determine those risks include:
-
Nature of transaction:
-
What is the end goal for your company in this deal?
-
Is your company paying in cash or stock?
-
Is your company assuming any particular liabilities?
-
What risks have been identified so far regarding this type of transaction?
-
-
Industry:
-
Is your company already in this industry, or is it a new area?
-
Is the industry highly regulated?
-
Is the industry currently a target of government scrutiny?
-
-
Target specific:
-
Is the target a competitor?
-
Has the target been known to have issues?
-
What is the target’s history?
-
These questions help determine what kinds of risks your company will assume. Your team needs to identify both known problems and potential sources for unknown problems. For example, purchasing stock typically means purchasing all the liabilities that existed before the target company was bought. Many deals specifically include/exclude certain liabilities. Those need to be known. If the target is known by your company (such as a competitor), that can also prove helpful in identifying known or potential risks.
Also, entering into a new industry can add greater risk to the organization. New industries present new risks that may not be evident when conducting due diligence. If this is the case, specialized help may be necessary to ensure that your team knows exactly what questions to ask and/or materials to review.
Once the risk profile has been established, the team that helped develop the risk profile should conduct a risk assessment. If possible, leverage an existing risk group/risk committee within your company to assist with this process. The purpose of this assessment is not to mitigate the risk. Instead, the assessment determines the probability and potential impact of the identified risks of the target company to the organization, prioritizing those risks, and including these considerations as part of the M&A transaction. This assessment may change based on information obtained from the target company through the use of due diligence checklists.
Due Diligence Checklists
Once the risk profile and risk assessment of the target company have been completed, the next step is to develop due diligence checklists from that risk assessment. These due diligence checklists allow the M&A team to gather the information the E&C team needs to assess the ethics and compliance risks associated with the merger or acquisition. A separate due diligence checklist will need to be prepared for each identified risk, along with general due diligence checklists to determine the nature and scope of the target company’s ethics and compliance program.
Simple is always preferred over complex. As stated earlier, the M&A team will be carrying the laboring oar during this part of the ethics and compliance due diligence process. Do not expect your M&A team to be compliance nerds. Due diligence checklists allow the M&A team to obtain information from the target company and return it to the E&C team in a format that allows for quick evaluation. Due diligence does not end at checklists, but they are a great place to start. Due diligence checklists also provide a uniform, repeatable, and consistent format to gather information and spot potential ethics and compliance issues.
|
Instructions: M&A Transactions—Ethics and Compliance Due Diligence Checklists | |
|---|---|
|
Purpose: |
During the due diligence phase of a merger or acquisition (M&A), this checklist should be used to determine and identify specific ethics and compliance risks that should be investigated further for the categories indicated in the table of contents. |
|
Instructions: |
For each category listed below, request responses and related materials from the potential M&A target (target company) for each of the questions and inquiries set forth in the checklist. When a specific response references and/or requires additional documentation to validate it, request those additional materials from the target company as applicable. After completing the checklist and obtaining any requested documentation, forward the materials to the chief compliance officer, or any appropriate designee, for review. The E&C team will review the checklist and follow up with the M&A team should any issues arise that require further review or information gathering |
Very few professionals are experts in every area. It is important to leverage expertise across your team and functional partners in the organization to ensure checklist responses and materials provided are properly reviewed and evaluated. When outside expertise is needed, don’t be afraid to seek out and leverage this support. To help control costs, it is recommended that the E&C team prepare the initial draft due diligence checklist for each risk area. Doing so will allow the E&C team to control the tone, structure, and depth of the due diligence checklists. Then, once the initial draft is complete, ask an outside expert for that specific risk area to review for gaps, omissions, and errors.
|
General ethics and compliance program | ||
|---|---|---|
|
1. |
Does the company have a code of ethics? |
Yes (if yes, ask for copy) No |
|
2. |
Does the company provide code of ethics training to its employees? |
Yes No |
|
3. |
If yes, how often does the company provide training? | |
|
4. |
Does the company keep records of its training? |
Yes (if yes, ask for copies of attendance records) No |
|
5. |
Does the company provide a hotline for its employees to report concerns or ask questions? |
Yes No |
|
6. |
If yes, how many hotline reports were received in each of the last three years? | |
|
7. |
If yes, how does the company publicize the hotline? | |
|
8. |
If yes, is the hotline accessible in all countries where the company has employees? |
Yes No |
|
9. |
If yes, is the hotline available in all languages spoken by the company’s employees? |
Yes No |
|
10 |
If yes, do the employees have the option to report anonymously? |
Yes No |
|
11. |
If no, what other mechanisms exist for employees to report concerns or ask questions? | |
|
12. |
Obtain copies of all compliance risk assessments conducted during the past five years. | |
As stated above, completing the due diligence checklist just starts the process. Once completed, someone from the E&C team should review the checklist responses and related documentation for each risk area and determine what follow-up activity is needed.
The M&A team is not likely to know the potential impact and likelihood of a given response. For example, not having an anti-corruption policy does not mean that the target company bribes foreign officials. It does mean, however, that the target company likely does not know whether such corruption occurs in its organization. Further investigation will likely be necessary to obtain an appropriate comfort level before pulling the trigger on the deal. The E&C team will need to lead those efforts and leverage the appropriate experts when needed.
Once all due diligence checklists are completed and evaluated for each risk area, the E&C team needs to conduct a review and assessment of the response. Further information and/or investigation may be required. Additionally, the legal liaison should be involved in any response that implicates a potential legal concern, as discussed earlier. This will allow the E&C team to understand any potential legal risks while, in most cases, simultaneously protecting those discussions under the attorney–client privilege.
The E&C team should report all responses, findings, and considerations to the M&A team. This reporting should include final recommendations on options available, which typically include:
-
closing the deal;
-
requiring remediation before the deal closes;
-
closing the deal with a mitigation plan ready to be enacted once the deal is complete; or
-
canceling the deal.
The M&A team, in conjunction with the E&C team, should then present these findings and recommendations to the appropriate decision makers within the acquiring company.
It can certainly be difficult when the final recommendation is “no deal,” but sometimes there is no other option to ensure the company is protected. In many cases, however, appropriate mitigation and/or remediation of the identified risks may cure the related challenges and allow the deal to move forward. If mitigation and/or remediation is a viable and acceptable option, the E&C team needs to ensure that post-acquisition integration efforts include such activities as a priority.
Post-Acquisition Integration
Everyone loves opening presents. No one loves picking up all the wrapping paper strewn about the room, installing batteries, and throwing out all the packaging. Typically, the broader M&A team considers its job done once the present is opened. Most of them have moved on to the next deal or perhaps are back in their previous roles. The E&C team does not have that option!
As a quick side note, your company may be at the integration stage without having conducted pre-acquisition due diligence. Do not panic! Due to certain business situations, such as a bankruptcy auction, distressed deal, etc., pre-acquisition due diligence may not have been possible. That does not mean you get to ignore it. Instead, you must conduct post-acquisition due diligence similar to the pre-acquisition due diligence described previously in this article.
Since you already own the target company, you likely now also own any associated risks that the target company had before the purchase. Because of those new potential consequences, it is especially important to keep your legal liaison involved to address any legal concerns that may arise and to maintain the attorney–client privilege to the greatest extent possible.
Assuming that the pre-acquisition (or post-acquisition) due diligence has been completed, the next step is to integrate. Integration involves three basic steps:
-
Integrating the acquirers’ ethics and compliance program into the newly acquired entity.
-
Mitigating and/or remediating any issues identified during the pre-acquisition (or post-acquisition) due diligence process.
-
Documenting completion of the first two steps.
Integration, Mitigation, and Remediation
If at all possible, work with your company to have a businessperson designated as the integration manager. That person will act as overall supervisor for the integration process, including any ethics and compliance issues. Sometimes that person is a member of the M&A team who is directed to complete the integration before moving on to the next project. In other cases, the person who will become the head of that new division or entity is designated as the integration manager, since that individual has the most to gain from a successful integration.
Either way, there needs to be one person who can be pointed to as responsible for ensuring the effective integration of the newly acquired entity into your organization from an ethics and compliance perspective.
Once the integration manager and their team (if any) is established, the next step is to develop integration checklists for both the general ethics and compliance program as well as for any particular risks that need addressed, such as antitrust, anti-bribery, etc.
Integration checklists provide a simple way to ensure integration activities are consistent and occur in a timely manner and help to ensure any required risk mitigation and/or remediation efforts are put in place and managed.
When creating the integration checklists, two cautions should be considered from the onset:
-
Be reasonable with your timing. In Opinion Procedure Release No.14-02, the U.S. Department of Justice stepped back from fixed timelines applicable to every deal:
The Department expresses no view as to the adequacy or reasonableness of Requestor’s integration of the Target Company. The circumstances of each corporate merger or acquisition are unique and require specifically tailored due diligence and integration processes. Hence, the exact timeline and appropriateness of particular aspects of Requestor’s integration of the Target Company are not necessarily suitable to other situations.[6]
Like most ethics and compliance professionals, your team will want quick turnarounds. That may not be possible. The employees of the newly acquired entity may be overwhelmed by the business side of integration as well as all the uncertainty and angst that tend to appear after a company is bought. The integration checklist must take this into consideration and impose reasonable time limits along with a certain measure of flexibility.
-
Culture matters! The culture of the newly acquired entity likely differs from the acquirers’ culture. Oftentimes, established companies acquire start-ups or big companies acquire small companies. The workplace dynamics will likely be dramatically different. These differences often appear in the dress code, the formality of the workplace, and the bureaucracy associated with the business. Those differences must be taken into account during the integration process.
Ethics and compliance integration requires face time. You cannot learn the culture of the newly acquired entity via email. You also cannot develop the necessary networks required for good integration until you know the people who comprise those networks. If the newly acquired entity is in a location different from yours, set aside time and funds for travel. If you’re not there, it may appear that you don’t care or are not interested.
Culture change requires trust and acclimation. Here are some simple ways to affect culture change as you work to integrate the newly acquired entity into your company:
-
Listen more than you talk.
-
Keep a positive attitude.
-
Be approachable.
-
Take the lead to move things forward.
-
Be inclusive and collaborative.
-
Look and act like a professional.
-
Be patient and give grace as needed.
It also doesn’t hurt to provide food at your meetings. Nothing draws a crowd like free pizza or donuts.
Integration Checklists
When developing an integration plan, step one involves getting everyone on the same page. The acquirers’ ethics and compliance program needs to be implemented throughout the newly acquired entity in a timely and effective way. That integration must also be documented. The integration checklists help provide a simple method for doing both. The instructions for the integration checklists are similar to those for the due diligence checklists. Here are sample instructions:
|
Instructions: Ethics and Compliance Integration Checklists | |
|---|---|
|
Purpose: |
Helps ensure appropriate ethics and compliance actions are taken within the newly acquired entity to educate new employees on established ethics and compliance standards, expectations, and guidelines and to address any mitigation and remediation activities needed to complete the integration in a timely and effective way. |
|
Instructions: |
The integration manager assigned for the acquisition shall work with the chief compliance officer, or any appropriate designee, for the acquisition to ensure that the actions listed below are completed within the target timelines set forth below. Within days of the closing date, the integration manager and the chief compliance officer, or any appropriate designee, shall complete the attached attestation. |
Please note that this company process may take more or fewer than 120 days. Do your best to remain both flexible and reasonable throughout this process. The integration checklists should be fairly straightforward. Here are two examples to consider:
|
ACTION |
TIMING | |
|---|---|---|
|
1. |
Determine compliance officer(s) for company. |
Within first 60 days |
|
2. |
Provide copy of code of ethics to all employees. |
Within first 60 days |
|
3. |
Communicate hotline information to all employees. |
Within first 60 days |
|
4. |
Place ethics and compliance posters in company’s facilities and offices. |
Within first 60 days |
|
5. |
Schedule and provide code of ethics and other ethics and compliance training to all employees. |
Within first 90 days |
|
6. |
Review the risks identified during the due diligence process for this area, take action to remediate and/or mitigate those risks, and document the actions taken for each identified risk. |
Within first 90 days |
|
ACTION |
TIMING | |
|---|---|---|
|
1. |
Provide ABAC policy, procedures, and applicable training to all employees. |
Within first 60 days |
|
2. |
Provide supplier code of ethics, ABAC policy, and handbook to all third-party agents. |
Within first 90 days |
|
3. |
Review the risks identified during the due diligence process for this area, take action to remediate and/or mitigate those risks, and document the actions taken for each identified risk. |
Within first 90 days |
As you can see, the integration checklist also includes a step for mitigating and/or remediating risks and other issues discovered during pre- and post-due diligence activities. Ideally, each integration checklist will have an attachment listing the risks for that particular area that require remediation and/or mitigation as identified during completion of the due diligence checklists. Remediation and mitigation activities will likely take some effort. Do not expect a miracle—be reasonable about your target timelines and be sure to assign ownership to key members in the organization that will be accountable for managing the mitigation/remediation plans. Most importantly, ensure you are documenting progress on what has been accomplished, status, and completion dates. As with any activities of this type, follow-up and monitoring are essential to maintain ongoing effectiveness. This requirement is another good reason to be on-site during integration and to provide ongoing monitoring and support.
Attestation
Integrating well does not matter if you cannot show documentation to support such a process. Attestation completes the circle from due diligence, to mitigation, to remediation, to completion of any findings and open issues related to ethics and compliance. A separate attestation should be completed for each integration checklist. There may be circumstances where the ethics and compliance integration is considered complete, but not all remediation and/or mitigation has been completed. In those hopefully rare instances, all open items should be set forth on the attestation. Ideally, there will be none. In reality, there will likely be some. If so, make sure that someone is responsible for completing and documenting that open item at a later date.
|
Attestation for the Attached Integration Checklist Except as otherwise listed below, we have completed the items on the attached integration checklist: |
|---|
|
Open Item(s) Plan to Resolve ________________________________________ |
|
Integration Manager Date ________________________________________ |
|
Chief Compliance Officer Date (or appropriate designee) ________________________________________ |
Attestations should not be used as “gotcha” documents. Instead, attestation provides an opportunity to establish clear ownership for resolving open issues and managing/mitigating any risks inherited from an acquired entity as it integrates into the larger organization. It also serves the important purpose of documenting and helping to ensure that all reasonable measures have been taken before officially closing the integration process.
Parting Thoughts
Checklists are invaluable tools that help provide a simple, documented method for conducting compliance due diligence and integration as part of larger M&A transactions.
At the end of the day, however, a successful merger and acquisition comes down to the people involved. Here are some key thoughts to keep in mind as you conduct due diligence and integrate your newly acquired entity:
-
Communication is vital: You can’t resolve an issue until it is known.
-
Be flexible where you can and firm where you have to be.
-
Patience, repetition, and shared values are essential to integrating culture.
-
Documentation is the key to an effective defense should something go wrong.
Most of all, do not lose sight of why your company bought the target company in the first place. Due diligence and timely integration are essential, but they are not the reason for the acquisition. Ideally, you can show through your ongoing engagement that the value the E&C team brings to the process will serve to protect the company as it grows and have a lasting impact on the bottom line and the company’s continued success.