The Missing Link in Future-Casting M&A Due Diligence

beraldi-fernanda.png

Throughout an M&A process, ethics and compliance’s job is to eliminate those surprises or at the very least ensure we are prepared for them.

You don’t just marry your spouse; you marry a family. The same holds true in corporate mergers and acquisitions. You don’t just buy a company, you acquire their culture, risk, and future potential of both. And just like in a marriage, some things don’t come to the surface until that third or fourth family reunion. Throughout an M&A process, ethics and compliance’s job is to eliminate those surprises or at the very least ensure we are prepared for them.

At its base, M&A due diligence is an exercise in determining valuation and actualizing liability. Risk and compliance’s role often focuses on the latter, but can also play a part in future valuation when the right intelligence is uncovered.

As a matter of course, most M&A due diligence processes perform a thorough evaluation of the compliance program, its policies and procedures, its code of conduct, and its ethics and compliance training curriculum. Just as in an external audit of your own internal compliance programs, no stone should be left unturned – no program outcome left unreviewed. This process generally results in a narrative for liability to be weighed against risk tolerance; however, there is always ways to improve. The one gap in the M&A due diligence practices that can definitely be improved is corporate culture – the accurate assessment of the target’s corporate culture today and, more importantly, tomorrow.   

This is where we could turn to aggregate, unfiltered internal hotline reporting data as a complementary stream of due diligence intelligence. 

Corporate culture is hard enough to evaluate in our own organizations, let alone trying to assess the culture of an entirely different company. This is where I believe we could turn to aggregate, unfiltered internal hotline reporting data as a complementary stream of due diligence intelligence. And I’ll emphasize “aggregate” and “unfiltered.” Internal whistleblower hotline and incident management data is most likely already part of most M&A due diligence processes, but this is usually relegated to substantiated case reports.

According to NAVEX Global’s 2019 Ethic & Compliance Hotline Benchmark Report, 42% of internal reports were substantiated. Those reports, cases and resolutions are important. While that is a very relevant data point, I also want insight into the 58% of reports that were not substantiated. Who made them? What part of the organization did they come from? Why were they unsubstantiated? 

Future-Casting State of Due Diligence

This is where we get into the future-casting state of due diligence. The facts we could drive from process review and the substantiated facts we could see from aggregate incident management records may help determine the target’s corporate culture and risk at time of purchase. Corporate culture, however, informs future risk. One could get a hint at that culture through substantiate case files, but it is a curated view of the culture prepared by the target. That is not to say there is anything suspicious about that curation, but it will always be an interpretation. And I am positive that compliance officers out there prefer to make their own interpretations.

Furthermore, aggregate hotline data may show you what the speak-up culture is like at the target. Do employees feel empowered to report misconduct? Are they properly trained on values and expectations for the corporation? Does the company really know what risk looks like and is the culture equipped to support enterprise-wide hygiene? Or is their potential cynicism or distrust brewing beneath the surface?

Aside from the cultural intelligence that aggregate hotline data provides, the volume of reports can be just as informative. Recent research out of George Washington School of Business provides empirical evidence that internal hotline reporting activity and business performance are positively correlated: the more reporting activity, the better the results. While the long list of performance indicators included in the research is impressive, I am most intrigued by the finding that, “firms that actively utilized their hotlines received, on average, 46% fewer negative news stories than businesses with low or infrequent internal reporting use.”

Internal whistleblower hotline data is one of the most elucidating information streams we have at our disposal when assessing and cultivating our own corporate cultures.

The last thing one would want during post-acquisition phase is a reputation damaging news cycle, so the first thing a compliance officer should be looking at is whether he/she can have a clear-eyed view of our future liability that is embedded within the corporate culture he/she is integrating.

Internal whistleblower hotline data is one of the most elucidating information streams we have at our disposal when assessing and cultivating our own corporate cultures. Now that we are seeing the predicative benefits of that data, there is no reason compliance should not be incorporating it as a standard part of M&A processes, in addition to just “digging” at substantiated reports.  


Our authors offer expertise and content based on their deep and diverse experiences but do so in a personal capacity. Thoughts and ideas do not represent those of the organizations they work with or for.


Chat with a solutions expert to learn how you can take your compliance program to the next level of maturity.


What Will 2020 Risk & Compliance Benchmarks Look Like?

It’s that time of year again when risk and compliance professionals from around the world contribute to an industry-defining resource – the annual Definitive Risk & Compliance Benchmark Report. Regardless of your job level, company size, industry or geography – share your perspective on the important work you do.

Previous/Next Article Chevron Icon of a previous/next arrow. Previous Post

CCPA: Understanding Data Privacy’s Pandora’s Box

The challenges with CCPA data privacy requirements goes beyond just being in compliance. It’s a regulation that opens up organizations to multiple areas of risk due to its reach and scope. As a result, CCPA impacts processes for IT, information security, third parties, identity management, vulnerability remediation, and incident response. Let's discuss the extended implications of the regulation. 

Next Post Previous/Next Article Chevron Icon of a previous/next arrow.

Comments

Email Signup