Wed, Oct 9, 2019

Managing Regulatory and Reputational Risk in M&A Transactions

Merger and acquisition (M&A) transactions come with business-defining risks and responsibilities. From legal to financial, operational to regulatory, acquiring another company carries a heavy load of liability and demands proper due diligence before and after the deal closes. This article will cover the regulatory and subsequent reputational risks of M&A transactions, as well as how to mitigate those risks with well-structured due diligence.

Why M&A Reputational Due Diligence is Important

After an acquisition, the acquirer takes on more than the target company’s assets and operations. Any company that completes an M&A transaction also assumes the liabilities of the target company—aptly named successor liability.

The concept of successor liability is particularly noteworthy when it comes to liabilities associated with regulatory compliance obligations: the purchaser absorbs any regulatory transgressions of its target company, such as anti-bribery and corruption (ABC), anti-money laundering (AML) and sanctions violations, even if they occurred before the sale, unless explicitly agreed with the regulator prior to close. Violations can result in regulatory penalties, such as fines and imprisonment, which the market will react to, potentially leading to reputational fallout, hurting the purchasing organization’s brand and leading to a downswing in sales and stock prices.

In one recent case, failure to conduct proper M&A regulatory due diligence cost a U.S. medical device company more than $30 million in regulator-imposed fines. To illustrate how regulatory damages are just the tip of the iceberg, a recent study found that reputational penalties cost organizations 4.5 times more than the related regulatory penalties; when an organization is investigated for corruption, the market reacts in a not-so-positive way. Hereafter, we will bundle the terms regulatory and reputational into simply, “reputational.”

All this is to say that involving the compliance function, and specifically conducting reputational due diligence, at the earliest stages of an M&A transaction can significantly aid your company in reducing unforeseen liabilities—or preventing them altogether.

Conducting Pre-Transaction Due Diligence

Reputational due diligence should begin early in the M&A process. Deadlines should provide enough time for the seller to gather the necessary information and for the buyer to commit the appropriate resources and outline a plan of action based on the findings.

For instance, if due diligence uncovers activities that expose the purchaser to additional reputational risk, it could warrant a new valuation, restructuring or reconsideration of the deal altogether. This could be a crucial opportunity to reassess and adjust acquisition costs to better align with costs required for risk mitigation measures. Keep in mind that the risks that arise from investigating an acquisition target can sometimes derail a deal entirely. It’s wise to plan for this reality.

As the organization dives into the acquisition target, it is important that their reputational due diligence encompasses the following categories:

  • Market sentiment toward the company’s history and reputation;
  • Background of executive leadership and board of directors, including past behaviors and possible conflicts of interests;
  • Shareholder and ownership structure, which includes the ultimate beneficial owner(s) and their relationships with any sanctioned individuals or politically exposed persons;
  • Existence of a compliance program or lack thereof—if there is no compliance program in place, it should be an explicit red flag;
  • Open litigation or regulatory or compliance investigations that could impact the value of the company or materially impact the transaction in any way;
  • Third-party risks, which should consider any industry or jurisdiction-specific risks or sanction exposure;
  • Geopolitical environment and risks of the region.

Based on the information identified during the initial phase of reputational due diligence, the acquiring company should strategize its next steps, such as determining whether any additional due diligence is needed, conducting tailored discussions and negotiations with the target company and creating a detailed compliance plan as the transaction proceeds.

Conducting Post-Transaction Due Diligence

Post-transaction due diligence should begin immediately after the transaction closes. After the deal is inked, the acquiring company now has full access to the target company and its inner workings that may not have been available pre-transaction. This means they can (and should) engage in a more detailed examination of reputational risks associated with the acquisition. Mitigating newly identified risks and remediating any misconduct identified should be a major focus of post-transaction due diligence.

Here are some factors to consider when conducting post-transaction due diligence:

Existing Risk Assessment and Compliance Measures

The acquiring company should have inquired about an existing compliance program in pre-transactional due diligence, but with greater visibility into the newly acquired company, it’s important to re-ask, “are existing risk assessment and compliance measures in place?” If they aren’t, it should stand out as a red flag and be addressed immediately. If there are measures in place, test and verify systems to make sure they meet regulatory standards.

Regulatory Compliance Program Integration

As an organization’s post-acquisition operations take shape, it’s important to integrate and tailor your compliance policies and controls to the new company’s risk profile. This includes testing and reassessing as the target company’s operations become clear. Throughout the process, the compliance manager who is assigned to the transaction should take the lead and assign action within a reasonable timeline.

Third-Party Risks

Third-party risks are the primary source of reputational risks. Be cognizant of the possibility that the acquisition target may not have processes in place to monitor and assess their third-party risks. The acquiring company should leverage internal resources—if they exist—to bolster the target company’s third-party risk management program. Alternatively, they should consider an external partner that has experience building programs that meet regulatory scrutiny.

Newly Identified Regulations

As the organization considers evolving regulatory standards, they should put measures in place to mitigate new risks that might arise as a result. Having dedicated resources to identify and adapt to new regulations is a good first step.

Ongoing Monitoring

Just because no risks were apparent at the acquisition’s onset doesn’t mean new risks won’t surface months or years down the road. Organizations should perform ongoing monitoring to account for evolving risks such as new third-party relationships and leadership changes.

Disclosing Potential Violations to Regulators

In the event that post-transaction due diligence surfaces some illicit activity or misconduct, it’s critical for the acquirer to act right away. When dealing with government regulators, the old adage is best considered in reverse: it is better to ask for permission than forgiveness.

Acquiring companies should disclose any corrupt or illicit activity discovered as part of the due diligence process up front. Although applicable laws and regulations do not provide a formal grace period for self-reporting of violations, the Department of Justice and the Securities and Exchange Commission have given meaningful credit to companies who do so, and, in appropriate circumstances, may consequently decline to bring enforcement actions.

Practical Considerations for M&A Reputational Due Diligence

As a whole, reputational due diligence is a necessary element of the M&A due diligence landscape. The business benefits speak for themselves:

  • Knowledge of who you are bringing under your brand;
  • Ability to leverage findings to renegotiate or reconstruct the deal;
  • Identify unacceptable risk before the deal is complete;
  • Plan for proper time and resources to further mitigate risks;
  • Form a proactive defense should misconduct be found after the sale.

Acquirers should take their reputational due diligence as seriously as they take financial, operational and legal due diligence. Whether it is a large or small M&A transaction, the earlier compliance is involved and reputational due diligence is conducted, the better the chance the company has at mitigating present and future reputational-related risks. Remember, once an organization’s reputation is compromised, it’s difficult to undo the damage to the post-acquisition brand and share price.

If you’re interested in understanding the reputational risks of an M&A transaction, contact one of our M&A reputational due diligence specialists to confidentially discuss how to identify risks and use them as a business accelerator rather than an inhibitor.


