Today I want to look at what you should do with the information that you obtain in your pre-acquisition compliance due diligence. Jay Martin, Chief Compliance Officer (CCO) at BakerHughes, a GE company. suggests an approach that reviews key risk factors to move forward. Martin has laid out 15 key risk factors of targets under a FCPA analysis, which he believes should prompt a purchaser to conduct extra careful, heightened due diligence or even reconsider moving forward with an acquisition under extreme circumstances.
- A presence in a high risk country, for example, a country with a Transparency International CPI rating of 5 or less;
- Participation in an industry that has been the subject of recent anti-bribery or FCPA investigations, for example, in the oil and energy, telecommunications, or pharmaceuticals sectors;
- Significant use of third-party agents, for example, sales representatives, consultants, distributors, subcontractors, or logistics personnel (customs, visas, freight forwarders, etc.)
- Significant contracts with a foreign government, state-owned or state-controlled entities;
- Substantial revenue from a foreign government, state-owned or state-controlled entity;
- Substantial projected revenue growth in the foreign country;
- High amount or frequency of claimed discounts, rebates, or refunds in the foreign country;
- A substantial system of regulatory approval, for example, for licenses and permits, in the country;
- A history of prior government corruption investigations or prosecutions;
- Poor or no anti-bribery or FCPA training;
- A weak corporate compliance program and culture, from legal, sales and finance perspectives at the parent level or in foreign country operations;
- Significant issues in past compliance audits, for example, excessive undocumented entertainment of government officials;
- The degree of competition in the foreign country;
- Weak internal controls at the parent or in foreign country operations; and
- In-country managers who appear indifferent or uncommitted to U.S. laws, the FCPA, and/or anti-bribery laws.
In evaluating answers to the above inquiries or those you might develop on your own, you may also wish to consider some type of risk rating for the responses, to better determine is the amount of risk that your company is willing to accept to do so you will need to both assess risk and subsequently evaluate that risk. Risks should initially be identified and then plotted on a heat map to determine their priority. The most significant risks with the greatest likelihood of occurring are deemed the priority risks, which become the focus of the post-acquisition remediation plan going forward. A risk-rating guide similar to the following can be used.
|Likelihood Rating||Assessment||Evaluation Criteria|
|1||Almost Certain||High likely, this event is expected to occur|
|2||Likely||Strong possibility that an event will occur and there is sufficient historical incidence to support it|
|3||Possible||Event may occur at some point, typically there is a history to support it|
|4||Unlikely||Not expected but there’s a slight possibility that it may occur|
|5||Rare||Highly unlikely, but may occur in unique circumstances|
‘Likelihood’ factors to consider: The existence of compliance internal controls, written policies and procedures designed to mitigate risk, leadership capable to recognize and prevent a compliance breakdown; Compliance failures or near misses; and/or Training and awareness programs. Product of ‘likelihood’ and significance ratings reflects the significance of a particular risk universe. It is not a measure of compliance effectiveness or to compare efforts, controls or programs against peer groups.
The key to such an approach is the action steps prescribed by their analysis. This is another way of saying that the pre-acquisition risk assessment informs the post-acquisition remedial actions to the target’s compliance program. This is the method set forth in the 2012 FCPA Guidance. I believe that the DOJ wants to see a reasoned approach with regards to the actions a company takes in the mergers and acquisitions arena. The model is a reasoned approach and can provide the articulation needed to explain which steps were taken.
It is also important that after the due diligence is completed, and if the transaction moves forward, the acquiring company should attempt to protect itself through the most robust contract provisions that it can obtain, these would include indemnification against possible FCPA violations, including both payment of all investigative costs and any assessed penalties. An acquiring company should also include repsentations and warranties in the final sales agreement for the entire target company that its participation in transactions is permitted under the local law where the transaction took place; that there is an absence of government owners in company; and that the target company has made no corrupt payments to foreign officials. Lastly, there must be a representation that all the books and records presented to the acquiring company for review were complete and accurate.
To emphasize all of the above, the DOJ stated in the Pfizer Deferred Prosecution Agreement (DPA), in the mergers and acquisition context, that a company is to ensure that, when practicable and appropriate on the basis of a FCPA risk assessment, new business entities are only acquired after thorough risk-based FCPA and anti-corruption due diligence is conducted by a suitable combination of legal, accounting, and compliance personnel. When such anti-corruption due diligence is appropriate but not practicable prior to acquisition for reasons beyond a company’s control, or due to any applicable law, rule, or regulation, an acquiring company should continue to conduct anti-corruption due diligence subsequent to the acquisition and report to the DOJ any corrupt payments or falsified books and records.
Three Key Takeaways
- Create a list of key risk factors in your protocol.
- Create a forced risk ranking, but remember it is simply that, a forced risk ranking.
- Your pre-acquisition team should include a suitable combination of legal, accounting, and compliance personnel.
The evaluation of your pre-acquisition due diligence and your response thereto are critical components in compliance M&A.Click to tweet
This month’s podcast series is sponsored by Oversight Systems, Inc. Oversight’s automated transaction monitoring solution, Insights on Demand for FCPA, operationalizes your compliance program. For more information, go to OversightSystems.com.