First Reference company logo

Inside Internal Controls

News and discussion on implementing risk management

machine cogs image

The missing link in future-casting M&A due diligence


You don’t just marry your spouse; you marry a family. The same holds true in corporate mergers and acquisitions. You don’t just buy a company, you acquire their culture, risk, and future potential of both. And just like in a marriage, some things don’t come to the surface until that third or fourth family reunion. Throughout an M&A process, ethics and compliance’s job is to eliminate those surprises or at the very least ensure we are prepared for them.

At its base, M&A due diligence is an exercise in determining valuation and actualizing liability. Risk and compliance’s role often focuses on the latter, but can also play a part in future valuation when the right intelligence is uncovered.

As a matter of course, most M&A due diligence processes perform a thorough evaluation of the compliance program, its policies and procedures, its code of conduct, and its ethics and compliance training curriculum. Just as in an external audit of your own internal compliance programs, no stone should be left unturned – no program outcome left unreviewed. This process generally results in a narrative for liability to be weighed against risk tolerance; however, there is always ways to improve. The one gap in the M&A due diligence practices that can definitely be improved is corporate culture – the accurate assessment of the target’s corporate culture today and, more importantly, tomorrow.   

Corporate culture is hard enough to evaluate in our own organizations, let alone trying to assess the culture of an entirely different company. This is where I believe we could turn to aggregate, unfiltered internal hotline reporting data as a complementary stream of due diligence intelligence. And I’ll emphasize “aggregate” and “unfiltered.” Internal whistleblower hotline and incident management data is most likely already part of most M&A due diligence processes, but this is usually relegated to substantiated case reports.

According to NAVEX Global’s 2019 Ethic & Compliance Hotline Benchmark Report, 42% of internal reports were substantiated. Those reports, cases and resolutions are important. While that is a very relevant data point, I also want insight into the 58% of reports that were not substantiated. Who made them? What part of the organization did they come from? Why were they unsubstantiated? 

Future-casting state of due diligence

This is where we get into the future-casting state of due diligence. The facts we could drive from process review and the substantiated facts we could see from aggregate incident management records may help determine the target’s corporate culture and risk at time of purchase. Corporate culture, however, informs future risk. One could get a hint at that culture through substantiate case files, but it is a curated view of the culture prepared by the target. That is not to say there is anything suspicious about that curation, but it will always be an interpretation. And I am positive that compliance officers out there prefer to make their own interpretations.

Furthermore, aggregate hotline data may show you what the speak-up culture is like at the target. Do employees feel empowered to report misconduct? Are they properly trained on values and expectations for the corporation? Does the company really know what risk looks like and is the culture equipped to support enterprise-wide hygiene? Or is their potential cynicism or distrust brewing beneath the surface?

Aside from the cultural intelligence that aggregate hotline data provides, the volume of reports can be just as informative. Recent research out of George Washington School of Business provides empirical evidence that internal hotline reporting activity and business performance are positively correlated: the more reporting activity, the better the results. While the long list of performance indicators included in the research is impressive, I am most intrigued by the finding that, “firms that actively utilized their hotlines received, on average, 46% fewer negative news stories than businesses with low or infrequent internal reporting use.”

The last thing one would want during post-acquisition phase is a reputation damaging news cycle, so the first thing a compliance officer should be looking at is whether he/she can have a clear-eyed view of our future liability that is embedded within the corporate culture he/she is integrating.

Internal whistleblower hotline data is one of the most elucidating information streams we have at our disposal when assessing and cultivating our own corporate cultures. Now that we are seeing the predicative benefits of that data, there is no reason compliance should not be incorporating it as a standard part of M&A processes, in addition to just “digging” at substantiated reports.

By Fernanda Beraldi

Follow me

Ethics &Compliance Matters ™, Navex Global ®

Ethics & Compliance Matters™ is the official blog of NAVEX Global®. All articles posted on the Inside Internal Controls blog originally appeared on NAVEX Global’s Ethics and Compliance Matters Blog. The blog leverage the news, insights and best practices you find here to stay ahead of GRC trends, and take your compliance program to the next level. Read more
Follow me

, , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.