Compliance and Integrity Risk
Getting M&A pricing right
Ongoing economic and business performance pressures increase the likelihood that fraud, corruption and related activity may pose heightened risk to realizing acceptable returns on acquisitions. In a weak market, intense pressure to meet performance targets, accompanied by head count reductions and pay cuts, can increase performance pressures and opportunities for fraud in acquisition candidates.
At the same time, the attractiveness of targets in high growth potential emerging markets carries risks in the form of weak legal and regulatory regimes, lack of transparency and, in some markets, an ingrained culture of corruption. Increasing complexity of supply chains and capital sources also contribute to greater risk. In addition, regulation and enforcement activities aimed at fighting corruption and money laundering and enforcing economic and trade sanctions requirements have also grown in scope and scale, not only in the United States but also globally.
Compliance-and integrity-related risks are often found working in concert. For example, a fraud may be committed to create a slush fund that will, in turn, fund corrupt activity. Understanding the interrelationship between different risk factors can yield insight that may not be visible in isolation. History has shown that failure to identify compliance and integrity issues pre-closing has resulted in unintended consequences post-closing, including:
- Maintainable earnings below expectations
- High-risk businesses or relationships that must be discontinued, and therefore, revenue streams that evaporate
- One-time investigative or remedial costs or ongoing compliance costs and monitoring costs
- Losses related to undetected fraudulent activity
- Investigations and required disclosures to regulators
Simply put, contemplating compliance and integrity risk can be an important aspect to getting deal pricing and economics right and to avoid integration surprises.
Strategies for Conducting Effective Compliance and Integrity Due Diligence
Acquirers that are fluent in compliance and integrity risk areas and consider them as a central part of Merger and Acquisition (M&A) decision-making have a higher likelihood of avoiding pitfalls.
A holistic, tailored and flexible approach to assessing compliance and integrity risks is essential. Unfortunately, there is no one-size fits-all solution — leading practices vary depending on the characteristics of the target and the nature of the deal — but a framework that puts compliance and integrity risk into perspective at the outset of the transaction, alongside financial, tax and commercial risk, can focus effort on areas of primary concern.
The starting point is an assessment of risk factors in order to develop an initial risk profile of the target and to calibrate diligence scope, focus and depth. Although fairly subjective in nature, certain key indicators tend to imply a higher level of apparent risk and can be assessed in a fairly disciplined manner.
These indicators include:
- Industry practices: Industry structure and practice can increase risk. For example, energy’s and pharma’s connections to government sales increase the potential for corruption. Financial services firms may be more vulnerable to money laundering and economic sanctions violations. Defense and technology firms are exposed to greater risk related to potential breaches of trade sanctions and export controls.
- Sales and distribution: The excessive or unusual involvement of sales agents, intermediaries and consultants implies heightened risk, as does the degree of interaction with and dependence on government, particularly in emerging markets.
- Legal and regulatory environment: It is important to understand the compliance and integrity related legal and regulatory requirements that apply to a target’s operations. This provides both an indication of the degree of scrutiny applied to a target’s operations by regulators as well as potential vulnerability to local regulatory issues — important as corruption, sanctions and money laundering enforcement is increasing globally.
- Geography: Generally, higher risk jurisdictions lack transparency, requisite standards of corporate governance and strong enforcement of legal and regulatory requirements. In jurisdictions with lower levels of transparency, it can also be difficult to identify integrity and reputational issues with key principals and parties associated with a deal.
- Stressed or distressed situations: Excessive use of leverage may heighten risk due to the increased pressures on management to service debt.
- Legal issues: The target’s historic and pending legal issues can help to reveal significant risks the entity faces and issues that might require immediate advice from counsel.
Armed with this initial assessment, effective acquirers are then in a position to make initial decisions about the nature, scope and depth of diligence appropriate for the circumstances and risk profile of the target.
Key questions to be addressed include:
- What is the potential for any given risk factor to pose a material risk to the acquirer or target’s reputation, operations, sales or profitability?
- How should apparent risk factors be prioritized? Do certain businesses, operations or geographies require more rigorous diligence?
- How important is an assessment of local compliance programs and controls?
- What is the appropriate level of involvement of internal and external legal counsel?
- What is appropriate degree of on-site review of documentation, interviews and analysis and testing of client controls and transactions?
- To what extent are background checks on key individuals and entities appropriate?
Based on this assessment, the diligence process can be calibrated to the specific risks identified and managed to deeper levels of detail as the deal progresses. For example, a high level and relatively limited diligence process at the front-end of a deal may reveal insights that influence the underlying business case, deal process and timing and can be followed up by more comprehensive diligence, as appropriate, as the deal progresses.
Effective compliance and integrity due diligence has both a top-down and bottom-up component. The top-down risk assessment is investigative in nature, aimed at identifying critical risk issues related to the target, key people, operations, relationships and customers. The bottom-up analysis examines the environment in which the target operates: its legal and regulatory framework, industry structure and practices, internal controls and any related compliance programs. By comparing the critical risk areas with the environment and controls in place at the target, the diligence team is able to estimate the impact of compliance and integrity risk on company performance and deal pricing.
It is also important that the diligence work plan address the holistic set of compliance and integrity risks that are applicable in the context of the deal. As detailed in the chart below, there are commonalities across compliance and integrity risks that are well suited to an integrated diligence work plan. While each risk area has a different driver, each starts with an assessment to identify high-risk businesses, clients, transactions and individuals.
Similarly, diligence should encompass risk areas at common “extended enterprise” sources of risks related to clients, agents and intermediaries. While diligence may focus on government touch points and agents with respect to corruption risk, or high-risk client segments for money laundering or sanctions violations, the work that is conducted is similar, and an integrated plan can afford an opportunity to detect risk that a siloed approach may not.
Next, it is important to look at transaction activity and any monitoring programs and controls that serve to identify and detect any suspicious activity. These may be accounting controls around gifts and entertainment, for example, or sanctions screening systems or anti-fraud controls.
Of course, you will also want to assess any compliance programs, culture and training, as well as internal audit and regulatory examination reports that touch on any compliance and integrity-related subjects.
Quantifying the impact of compliance and integrity risk in the transaction
Finally, the results of the diligence process can be distilled down into practical deal advice. This can impact value and deal pricing decisions but also informs approaches to mitigating risk discovered during diligence to protect value.
Assessing the Implications
Each finding, individually and in combination, is then assessed for the potential to impact the deal model and fundamental business case behind the transaction. For example, compliance and integrity diligence findings may lead a deal team to modify key assumptions in financial models and have a direct impact on deal pricing and expected returns:
- Quality of earnings and other adjustments (one time and recurring)
- Relationships with high-risk clients or intermediaries may be discontinued adversely impacting sales and profitability
- Exiting certain acquired high-risk businesses
- Slower expected growth as management takes a more cautious, conservative approach to growth post-closing
- One time remedial or recurring compliance costs
- Potential for fines and other penalties
- Red flags that require further investigation or potential disclosure to regulators
- Weaknesses in risk management data quality requiring improvement
- Risk and compliance systems that require upgrade or additional integration-related costs
- Cost associated with ethics, regulatory and other training for acquired employees and managing cultural transformation of the target
In the event significant issues are identified during diligence, an acquirer must ask whether the risk factors uncovered are material enough to present a risk to the reputation, brand and culture of the acquirer. If the answer is yes, an acquirer should consider approaches to mitigate risk. In extreme circumstances, the buyer may need to decide if alternative targets exist or whether to walk away from the transaction altogether. Generally, this is only the case in the event the issues are found to be endemic across the organization or the risk cannot be mitigated or actively managed.
Addressing risk and protecting value
A wide range of approaches to mitigating risk exist and can be considered as an essential part of the deal maker’s toolbox in the event compliance and integrity risks are identified. Some examples include:
- Structuring around potential liabilities: The deal may be structured to avoid significant legal or remedial liabilities. For example, certain high-risk business units or individuals might be excluded from the deal
- Defining conditions to close: Where problems are potentially resolvable by the target, closing can be conditioned on completion of appropriate actions
- Indemnification's, representations and warranties: If limited time rules out rigorous investigation, indemnification's, representations and warranties can mitigate risk, as long as they are provided by an entity with the financial wherewithal to satisfy potential future claims
- Purchase price adjustment mechanisms: Providing a mechanism to adjust purchase price post-closing in the event financial statements are restated or certain accounts adjusted
- Contingent consideration: Making a portion of the purchase price contingent on future performance targets being met
- Strengthening controls: To ensure compliance and to prevent and detect malfeasance
Compliance and integrity due diligence should be a normal part of acquisition due diligence and the M&A decision-making process in the same way financial due diligence has become common practice. Potential red flags cannot be identified without asking the right questions and there is no one-size-fits-all solution: executives need a holistic and flexible approach.
Obtaining the kind of information needed at each stage of the deal process if critical in making well-informed investment decisions as the transaction progresses. Knowing what to look for can reduce the risk of post-closing surprises, enhance relationships with regulators, protect value, and better position the target for success and to deliver expected results.
As used in this document, ‘Deloitte’ means Deloitte LLP (and its subsidiaries). Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
Subscribe to receive periodic publications from the Deloitte Forensic Center.