
Compliance Management
Episode 11: Due diligence and integration into M&A processes

“I check every offer. It could be the offer of my life.” (Henry Ford)

Due diligence plays a major role in the transaction business. It should enable a risk assessment of the target company and put the purchase decision on a firm footing. This applies to commercial and financial aspects, as well as to legal and compliance risks (e.g., corruption risks). The latter is explicitly stipulated in both the Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act (UKBA). It doesn’t always have to be a big deal: investments or joint ventures also require a close look at the compliance issue.

Compliance as spoilsport?

However, reality sometimes offers quite a different picture. A systematic recording of compliance risks in the run-up to an acquisition, within the limits of what is possible at that stage, is rarely performed and usually not in the required depth. It often seems as though nobody wants to let compliance issues jeopardize a promising deal. Accordingly, compliance officers are rarely involved in this phase. This is a risky undertaking, because errors at this key stage may have far-reaching consequences.

Action plan in the course of due diligence

Due diligence cannot be a full compliance audit, and the absence of abnormalities does not guarantee that problems will not arise later. Nevertheless, a critical examination of the compliance status of the target is extremely important in order to provide for a realistic assessment of both the deal opportunities and its risks.

In addition to the assessment of the compliance risks inherent in the business model, the evaluation of the target company’s compliance management system (CMS) also plays a key role.

Business model evaluation

The evaluation of the business model basically follows steps similar to those of the compliance risk analysis (see Episode 3 of the ’12-Month Compliance Challenge’). The key question is: Which factors that pose significant liability risks or could cause damage to the company can actually be identified? Such factors in the target could be (a selection):

  • Importance of licenses and permits for a company (e.g., as a condition for the operation of plants)
  • Degree of regulatory oversight and control
  • Involvement of business partners (such as distributors, consultants)
  • Special features of the industry (e.g., high regulatory requirements in the pharmaceutical or medical device sector)
  • Geographical aspects (unfavorable Corruption Perception Index,[1] political instability)
  • Specific problems, i.e. administrative investigations carried out in the past or, as the case may be, ongoing investigations and/or proceedings against company managers, negative press coverage, etc.

Of course, risks may sometimes give rise to business opportunities, and risks are often inherent in business activities and cannot be eliminated. Example: If there is a strong dependency on official decisions, there will almost always be a risk of corruption. However, it could be controlled in the best possible way through the implementation of targeted measures such as advice, training, or compliance audits. Accordingly, the aim of Compliance Due Diligence should be to ensure a realistic assessment of the existing compliance risks in the target company.

Compliance program assessment

The critical assessment of the compliance program (see the overview in Episode 1 of the ’12-Month Compliance Challenge’) provides an insight into the status of risk control and into the associated probability that these risks will be realized in the form of administrative investigations and the associated financial damage in the foreseeable future. Example: A compliance program exists in the target only for the sake of form. However, there are no guidelines or instructions for employees on how they should deal with requests from consultants for freely available funds, which they “need” to obtain official approvals in China. Such shortcomings also give a foretaste of the effort that the buyer can expect after the acquisition with the reorganization of the CMS in the target company and the compliance integration. The way in which the target has dealt with indications of irregularities and findings has proven to be a fairly reliable indicator of the condition of the CMS. Has the information been collected and processed in a comprehensible manner? Have any improvement measures been taken?

Compliance integration

The work really gets underway when the buyer has decided to make the acquisition. The integration of a CMS (if any) is usually a tough job. Above all, it takes a good deal of tact and sensitivity. Different approaches to compliance issues are mostly based on corporate cultural factors: How competitive are the companies in comparison? Is there a high level of oversight and control or are employees given greater leeway in decision-making? Compliance is all about convincing and building trust, rather than doing some things right or wrong.


Compliance aspects must be taken into account in M&A processes in order to prevent damage to the company. Compliance officers should know what kind of investments play a role in their company and work towards being involved in the relevant processes at an early stage. The arguments are on their side.

What’s next

Our ’12-Month Compliance Challenge’ is drawing to a close. Last but not least, our final episode is about Monitoring & Review.

If you are unsure how to set up and run your compliance project successfully, please feel free to contact me.