One of the clearest themes from the 2012 FCPA Guidance was around the importance of your pre-acquisition work in any merger or acquisition on a target company. In the section on Declinations, the 2012 FCPA Guidance provided an example of a company which had received a declination in large part because of its pre-acquisition work, which then served as a basis of its post-acquisition remediation. I find it appropriate to think of the process as a straight line, directly from the pre-acquisition phase through to closing and then to remediation, integration and self-reporting in the post-acquisition phase.

It should all begin with a preliminary pre-acquisition assessment of risk. Such an early assessment will inform the transaction research and evaluation phases. This could include an objective view of the risks faced and the level of risk exposure, such as best/worst case scenarios. A pre-acquisition risk assessment could also be used as a mechanism through which to view the feasibility of the business strategy and help to value the potential target.

The first step is to develop the risk assessment as a base document. From this document, you should be able to prepare a focused series of queries and requests to be obtained from the target company. Thereafter, company management can use this pre-acquisition risk assessment to attain what might be required in the way of integration, post-acquisition. It would also help to inform how the corporate and business functions may be affected. It should also assist in planning for timing and anticipation of the overall expenses involved in post-acquisition integration. These costs are not insignificant and they should be thoroughly evaluated in the decision-making calculus.

One of the difficulties in the pre-acquisition phase is that there is never enough time or resources to do all the assessment and analysis that you might desire. This means that if you do not have the time, resources or support to conduct a worldwide risk assessment, you must take a different approach. You might try assessing other areas through a more limited focused risk assessment.

Some of the areas that such a pre-acquisition risk assessment could begin with an inquiry into the following areas:

  • What is being sold, to whom and where?
  • Are the target’s resources adequate to sustain a culture of compliance?
  • How are the compliance risks being addressed in the C-Suite and the Boardroom?
  • What are the compliance risks related to the supply chain?
  • How is risk being examined and due diligence performed at the vendor/agent level? How is such risk being managed?
  • Is the documentation adequate to support the compliance program for regulatory purposes?
  • Is culture, attitude (tone from the top), and knowledge measured?
  • Disciplinary guidelines – Do they exist, have they been publicized at the target and has anyone been terminated or disciplined for a violating policy?
  • Are escalation protocols appropriate?

There are a variety of materials that you can review from or at a company that can facilitate such a Pre-acquisition Risk Assessment. You can review the target’s policies and written guidelines by reviewing anti-corruption compliance policies, guidelines, and procedures to ensure that compliance programs are tailored to address specific risks such as gifts, hospitality and entertainment, travel, political and charitable donations, and promotional activities.

You could assess the target’s senior management support for the target’s compliance efforts through interviews of high-level personnel such as the CCO, CFO, General Counsel, Head of Sales, CEO and Board Audit or Compliance Committee members to assess “tone from the top”. You can examine resources dedicated to compliance and also seek to understand the compliance expectations that top management is communicating to its employee base. Finally, you can gauge operational responsibilities for compliance.

Such a review would lead to the next level of assessment, which is how well does that target communicate about compliance within its organization and to key third-parties such as sales agents. You can do this by assessing compliance policy communication to company personnel but even more so by reviewing such materials as compliance training and certifications of employees and third-parties. You should also take consider statements by senior management of the target regarding compliance, such as actions relating to terminating employees who do business in compliance but do not make their quarterly, semi-annual or annual numbers set in budget projections.

A key element of any best practices compliance program is internal and anonymous reporting. This means that you need to review mechanisms on reporting suspected compliance violations and then actions taken on any internal reports, including follow-ups to the reporting employees of the target. You should also assess whether those employees who are seeking guidance on compliance for their day-to-day business dealings are receiving not only adequate but timely responses.

As there is no dispute that third parties represent the highest risk to most companies under the FCPA, as assessment of the target’s third party due diligence program is certainly something that should be a part of any pre-acquisition risk assessment. But more than simply a review of procedures for due diligence on third party intermediaries; there should be an assessment if there has been management of the third-party after the contract is signed.

Another area for review in any pre-acquisition risk assessment is to consider the target’s employee commitment to its compliance regime. But just as you look at the carrots to achieve compliance, you should also look at the stick, in the form of disciplinary procedures for violations. This means you should see if there have been any disciplinary actions for employee compliance violations and then determine if such discipline has been applied uniformly.

The pre-acquisition risk assessment can be a critical element in any M&A work for compliance. Use this opportunity to see where the target might stand on compliance. Your risk assessment can evolve as you obtain greater information. Finally use this pre-acquisition risk assessment as a base document to plan, resource and budget for your post-acquisition remediation, integration and reporting. 

Three Key Takeaways

  1. One never has enough time to engage in all the pre-acquisition review you might want to do, so optimize your time and resources.
  2. Consider what you can review to put together a preliminary risk assessment on the target.
  3. As with most compliance initiatives, you are only limited by your imagination so if you are limited in time and scope try something new and different.


 This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to