From: Forbes By Bob Conlin, President and CEO of NAVEX Global
As the market heats up for mergers-and-acquisitions activity, it’s time to evaluate and re-engineer the typical business framework used for due diligence.
Business models continue to transform, social norms evolve and laws and regulations continue to change. There is no shortage of risks facing the average business, and we need to apply new frameworks for evaluating M&A targets. The hard truth is, when you acquire a company, you are also purchasing all of its liabilities — some of which are far less obvious than others.
The due diligence process hasn’t kept up.
I’ve been on both sides of the M&A equation over the years, and I’ve found the process reasonably standard. Buyers request to see three years of financial statements and ask questions such as: How robust is the sales pipeline? What are the revenue and gross margins related to your largest customers? Is the product/technology sound? What’s the plan for keeping or migrating customers? And then there’s the cursory look at legal, IP and human resources to make sure there aren’t any hidden warts.
Here’s the issue: The standard due-diligence process is engineered toward making the deal happen. The problem with the traditional box-ticking exercise is that businesses’ underlying risk profiles are changing, but the due diligence model hasn’t kept up.
This uncertainty spells trouble whichever side of the business transaction you’re on. As mentioned before, you are not just acquiring assets; you are also taking on responsibility for both past and future liabilities. Consider Hewlett-Packard’s $11 billion acquisition of Autonomy back in 2011: The company that was found to have cooked its books to massively boost its valuation. HP wrote the purchase down as a nearly $9 billion loss.
Whether you’re corporate M&A or private equity, you need an updated diligence framework that looks closely at ethics, compliance and risk-management practices. A company without formal programs and reporting capabilities is ripe for issues that grow exponentially with size and geography. In today’s environment, we need more than a legal scan for pending lawsuits or IP infractions. Don’t ask for the box to be checked. Ask for the reporting and metrics behind how the target company manages risk. Specifically, I recommend asking for:
• A year’s worth of incident hotline reporting data. Additionally, ask about the reporting and investigation process the company follows; the number of unresolved issues; and the average time to resolution. What does this reporting tell you about the corporate culture and ethics? Use this data to dig deeper into issues that could bubble up significant reputational, financial and legal risks.
• Crisis management and business continuity plans. How recently have they been updated? When were they last used? Who owns the process within the business? This information will give you insight into how mature the company is and whether it could handle a significant disruption. If 2020 has taught us anything, it’s that risks come in new and unexpected dimensions.
• Company policies and codes of conduct. What are the company’s documented policies on issues such as workplace behavior, data protection, conflicts of interest, health and safety, non-discrimination, etc.? What is the company’s code of conduct? Make sure these policies are centralized and shared and employees are trained regularly.
• Risk management assessment. What formal reviews have been done on the business to prevent and thwart risks? What regulatory violations have occurred — especially those that have been resolved? How did the company change its policies or operations to address the issue? What systems do they use to manage risk, train employees, investigate issues, evaluate third parties/suppliers and report trends? How active are these processes? A company that has done this level of diligence sets itself apart as a well-run business that is resilient and prepared to handle uncertainty.
For those on the sell-side, use compliance and risk management programs to your advantage. Show that yours is a well-run company. By demonstrating maturity in managing risk exposure, acquirers will have even greater confidence in your financial reporting and other key metrics they examine.
As business risk continues to evolve, so should M&A practices. Due diligence might not be the most exciting part of deal-making, but it’s the only way to avoid a massive flop. If your goal is to increase shareholder value through M&A, you need to put risk and compliance at the forefront of future deals.