The Joys of Pre-Acquisition Due Diligence
Few issues can exasperate a compliance officer as much as pre-acquisition due diligence for a business your company wants to acquire. So when I was moderating a webinar last week on compliance issues and conversation turned to that very subject, I took notes. What if, fellow compliance enthusiasts, there’s a better way to look at this challenge?
First let me set the scene. Our webinar was on major compliance events in the second half of 2024, and one unquestionably major event was defense contractor RTX Corp. paying a total of more than $1 billion in penalties for violations of export control law (announced in September) and of the Foreign Corrupt Practices Act and the False Claims Act (announced in October). Altogether the cases involve misconduct going back more than 10 years, across three separate businesses that were eventually acquired and merged into the company known today as RTX.
Clearly all that is a tale of pre-acquisition due diligence either gone wrong or simply ignored. So on the webinar, I asked: How on earth do these situations come to pass? A listener then chimed in with a perceptive answer.
“Corporations might skip pre-acquisition due diligence for highly strategic acquisitions,” this person wrote into the comments section. “Like, there was only one Collins Aerospace, and if RTX didn’t buy them, someone else would. The deals are done in the CEO suite; the due diligence (if it even occurs) begins after the deal closes. This is an example of the risk of that handshake approach.”
OK, I’m with you so far; And how should compliance officers cope with that reality?
“Due diligence people (I’ve been one) dive in looking for everything, including lots the executive team doesn’t care about,” the person continued. “Better to begin by asking ‘What would it take to keep this deal from proceeding?’ Establish the materiality threshold. Then collect everything else and prepare an action plan to address things after closing.”
Now we’re getting somewhere.
Risk-Based Approach to Pre-Acquisition Due Diligence
That listener’s answer is so perceptive because it frames pre-acquisition due diligence just about perfectly: as a risk to be documented, rather than a series of issues to be resolved.
That is, it’s not the compliance officer’s job to identify all the compliance risks within a merger target, and then save the day by rectifying those issues or warning senior management that it needs to abandon the deal. Unless they’re dumb, most CEOs already know that compliance risks are lurking somewhere in the deal that they want to close. They still want to close the deal anyway because the business objectives (more revenue, entry into new markets, and so forth) outweigh those compliance risks.
The compliance officer’s role is simply to help the senior management team accurately understand those two competing interests of business objectives versus compliance risks. Then that fully informed management team can make its decision anyway.
So when our listener above talked about defining a materiality standard for M&A — “What would it take to keep this deal from proceeding?” — he really was saying compliance officers need to understand their audience. The management team is interested in achieving business objectives, not addressing compliance issues. Management only wants to hear about those compliance issues that are so significant they could derail the business objectives and make the whole point of the acquisition fall apart. That’s how you hold management’s attention even with a lucrative acquisition waiting there, and prevent a handshake deal from running roughshod over your compliance efforts.
That does mean compliance officers should understand the business rationale for the acquisition, so you’ll know what those deal-breaker risks are. You’ll also need access to the acquisition’s records and personnel so you can discover what’s truly going on in that target; and you’ll need effective compliance tools and processes to digest and analyze all that information once the acquisition target does provide it.
Not every compliance officer can take those things for granted — and if they’re not present in your organization, that’s a sign that your compliance team isn’t properly resourced or empowered.
That, however, is a separate problem from how you should approach pre-acquisition due diligence. You should approach it by taking a risk-based approach (again, “What would it take to keep this deal from proceeding?”) and then presenting your findings to management so that they can own the risk of whether or not to proceed.
Don’t Forget the Guidelines
We also have the Justice Department’s guidelines for an effective corporate compliance program, which includes a section about mergers, acquisitions, and due diligence. What does that document have to say about pre-acquisition due diligence?
Well, nothing that would contradict our listener’s advice to focus on the big stuff first and the smaller stuff second.
The relevant section of the guidelines start with this preamble:
Pre-M&A due diligence, where possible, enables the acquiring company to evaluate more accurately each target’s value and negotiate for the costs of any corruption or misconduct to be borne by the target. Flawed or incomplete pre- or post-acquisition due diligence and integration can allow misconduct to continue at the target company, causing resulting harm to a business’s profitability and reputation and risking civil and criminal liability.
The point buried within those words is that your pre-acquisition due diligence needs to find corruption and misconduct within the target and then have some plan to address those issues after the deal closes. The guidelines stress the importance of your compliance program’s diagnostic capability (finding risks within the target) and your remediation capability (fixing issues post-acquisition so they won’t continue). So long as your program has those two things, you’re in good shape.
Indeed, let’s also remember that in 2023 the Justice Department amended its policies to offer a window for remediation of compliance violations discovered at acquisitions. So long as your company discloses those violations within the first six months of the deal closing, the company will receive the presumption of a declination to prosecute. The company will also typically have one year from the deal closing to remediate the control failures.
That’s the Justice Department’s way of saying it doesn’t want fear of compliance risk to kill acquisitions; it only wants companies to understand the compliance risks in a deal and devise a plan to fix them. Then you can proceed as planned.