Thomas R. Fox
Many compliance practitioners are aware of the Johnson & Johnson (J&J) Deferred Prosecution Agreement (DPA), which contained “Enhanced Compliance Obligations” including those around mergers and acquisitions (M&A). While many have focused on the ‘safe harbors” of compliance training within 12 months and a full Foreign Corrupt Practices Act (FCPA) audit within 18 months, there are other requirements that the compliance practitioner needs to consider, in the compliance context, in the post-acquisition phase. Today we consider the post-acquisition risk assessment and note that the above quoted ancient adage holds true today, particularly in the area of risk assessment related to the integration of compliance in an acquisition. This issue was recently explored in the Houston Business Journal by Connie Barnba, in her Mergers & Acquisition column, in an article entitled “Risky details are the devil when marry business operations”.
In her article Barnba advises, “When it comes to integration plans, the devil is always in the risk-related details with one or more overlooked items starting an accelerating chain of events that results in significant destruction of value.” She goes on to state that the “nail that is frequently mission is an assessment of the integration risks involved” in attempting to execute the business strategy of post-acquisition integration. Nothing could be truer that in the anti-corruption compliance component of M&A transactions.
Barnba recommends a pre-acquisition assessment of risk. Further, such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a “lens through which to view the feasibility of the business strategy” and help to value the potential target.
Thereafter, this pre-acquisition risk assessment can be used by company management to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision making calculus.
Recognizing that there is never enough time for perform adequate, pre–acquisition due diligence, there are nevertheless several key areas of risk which you should attempt to assess from the compliance perspective. These areas include:
1. Review high risk geographic areas where your company and the acquisition target company do business. If there is overlap, seek out your own sales and operational people and ask them what compliance issues are prevalent in those geographic areas. If there are compliance issues that your company faces, then the target probably faces them as well.
2. Obtain from the acquisition target company a detailed list of sales going back 3-5 years, broken out by country and if possible obtain a further breakdown by product and/or services. You do not need to investigate de minimis sales amounts but focus your compliance due diligence inquiry on high sales volumes in high risk countries.
3. If the acquisition target company uses a sales model of third parties, obtain a complete list, including Joint Ventures (JVs). It should be broken out by country and amount of commission paid. Review all underlying due diligence on these foreign business representatives, their contracts and how they were managed after the contract was executed; your focus should be on large commissions in high risk countries.
4. You will need to interview the acquisition target company personnel who are responsible for its compliance program to garner a full understanding of how they view their program.
5. You will need to review the travel and entertainment records of the acquisition target company’s top sales personnel in high risk countries. You should retain a forensic auditing firm to assist you with this effort. Use the resources of your own company personnel to find out what is reasonable for travel and entertainment in the same high risk countries which your company does business.
6. While always an issue fraught with numerous considerations, there may be others in the M&A context such as any statutory obligations to disclose violations of any anti-bribery or anti-corruption laws in the jurisdiction(s) in question; what effect will disclosure have on the target’s value or the purchase price that your company is willing to offer.
7. While you are performing the anti-corruption due diligence, you should also review issues for anti-money laundering and export control issues.
From this preliminary list, develop the risk assessment as a base document. If the transaction moves forward you will then need to integrate the compliance function of the acquired entity into your company. Here Barnba believes that if your company’s “leadership team has candidly debated the pros and cons” of a business integration strategy, in the light of a pre-acquisition risk assessment, and is “unified around a risk mitigation strategy”, then consistent messages should be delivered by management going forward. Conversely she believes that if senior management is divided and the specific details of an integration plan cannot be provided in a reasonable short time frame after acquisition, one of two negative outcomes will occur. Whether “there will be an inform vacuum” which will lead to disinformation being circulated. Equally plausible is that decisions may well be made without a “genuine shared commitment by the leadership team to implement them.”
Barnba’s article is a good reminder that it does not matter under which anti-corruption or anti-bribery regime you operate, whether it be the US Foreign Corrupt Practices Act (FCPA), the UK Bribery Act, or other, your program should all flow from, or be informed by, your risk assessment. This is certainly true in the M&A context and it is also true moving forward into the next step of compliance integration. You should assess these risks and build upon your pre-acquisition risk assessment. If you do not, you may well be in the situation described by Barnba, “engaged in firefighting” with your competitors being handed a strategic advantage.