Evaluating Integration of the Compliance Function in Pre-Acquisition Due Diligence

In an article in the most recent issue of the Houston Business Journal, entitled "Putting a partner through too many changes increases risk", columnist Connie Barnaba discusses one of the risks often overlooked in a mergers and acquisitions (M&A) transactions. It is the risk inherent with the integration of the purchased entity. Barnaba identifies two types of risks characteristic with strategic deals. The first is the "buy decision" and the second is the aforementioned integration aspect.  She phrases it as "Most companies attempting those types of deals tend to move forward with the deal without an examination of the unknown conditions that could adversely affect post-deal integration." I would take this a step further and say that most company's focus on this risk is not limited to strategic deals but with all  M&A transactions. Her column gave me pause to consider such matters in a compliance context.

Barnaba notes that "conventional wisdom" would tell you that when two strong companies merge, the manifestation of the merger will result in a stronger company. Similarly, if there is a merger between a strong company and a smaller, or lesser, company then the culture of the stronger company will prevail. But what happens in the area of compliance? Admittedly the time during any due diligence for an assessment of compliance is limited. This may well lead to a purchasing entity completing a transaction with unknown compliance risks in place. This can have several negative consequences, including successor liability under the Foreign Corrupt Practices Act (FCPA). However, I would like to focus on the issue of compliance integration.

I believe that the Department of Justice (DOJ) would seem to have responded about the time frame to complete compliance due diligence with two public statements. The first was Opinion Release 08-02 (the Halliburton Opinion Release) which provided a time frame of 90 days for high risk third parties; 120 days for medium risk third parties and 180 days for low risk third parties to perform a compliance audit after the closing of a proposed transaction. This time frame was expanded in the Johnson & Johnson Deferred Prosecution Agreement (DPA) last spring to a more manageable 18 months to complete a compliance audit of the purchased entity.

However, how does a company turn to integration of compliance throughout an acquired entity? As Barnaba points out, "if unknown risks are triggered, decisions makers may find themselves in a reactive mode simultaneously attempting to gather reliable intelligence about the unknown conditions, devise stop-loss tactics and minimize the adverse impact to the execution of the business strategy..." In the compliance arena that may well translate into a very public disclosure of material events, and, at the same time, a self-disclosure to the DOJ and/or Securities and Exchange Commission (SEC).

Even if this nightmare scenario is not activated, the more mundane day-to-day issues of merger integration are ongoing. These include the execution of a compliance strategy, the number of changes in the acquired company's compliance program, or indeed the wholesale adoption of it into the purchasing company's compliance program and communication to all relevant third parties regarding the changes in these relationships, the complexity of a new compliance policy, the transparency of a new compliance program in the acquired entity and the cost of implementing such changes. Clearly cultural changes are an important part of the implementation of any compliance program.

Barnaba also notes the importance of cultural differences. American companies have run afoul of the FCPA in the acquisition of Chinese companies whose activities, prior to and after being acquired, constituted FCPA violations. Two recent examples are Watt Water Technologies and RAE Systems, Inc. Barnaba advocates that an assessment of post-deal integration risks should be a part of your company's pre-transaction due diligence. This includes the compliance due diligence to "provide decision-makers with a comprehensive assessment of the [compliance] risk inherent with the deal..."

Barnaba's article brings up several lessons in M&A transaction due diligence which should be implemented in your compliance due diligence. You may well need to assess the culture of compliance in the entity your company is purchasing. In addition to the "buy decision" there should be an evaluation of the risk inherent with integration of compliance programs into the acquired company. Failure to do so may set up a culture class or other basis which may seriously downgrade the value of the acquired entity.

Visit the FCPA Compliance and Ethics Blog, hosted by Thomas Fox, for more commentary on FCPA compliance, indemnities and other forms of risk management for a worldwide energy practice, tax issues faced by multi-national US companies, insurance coverage issues and protection of trade secrets.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

For more information about LexisNexis products and solutions connect with us through our corporate site.