Achieving Compliance in the Post Acquisition Context – The Key to Which is Building Trust

In a recent article in the Houston Business Journal (HBJ), entitled “Building strong relationships critical to building strong companies”, HBJ Mergers and Acquisitions Columnist Connie Barnaba focused on the nature of trust within a company to posit that “strong businesses are built on strong relationships between the business, its leaders, employees, customers, suppliers, lenders and advisors.” Trust cascades down each level of a company; beginning from the Board of Directors down to employees and then out the door to customers. She believes that this issue of trust is equally important in the Mergers and Acquisition (M&A) context. I believe her ideas are very useful for the compliance practitioner, when integrating a new acquisition into an existing compliance culture.

Barnaba writes that “trusting relationships are developed person to person as individuals in a company gradually develop a network of contacts, associates and advisors inside and outside the company.” But more than this it is “the by-product of responsiveness, reliability and candor or those we reach out to.” Successful companies work to focus on “sustaining and developing new relationships” as a key to the continued growth and successful performance of a business.

I.                   Trust in the M&A Context

In the M&A context, this trust relationship begins with the Letter of Intent (LOI), which should include warranties, representations, covenants and any penalties which might occur if one side pulls out of the transaction. The pre-acquisition due diligence process is designed to “confirm the accuracy of the representations and viability of commitments.” This should lead to a successful merger agreement between the parties and now the work to continue to build trust really begins.

Barnaba notes that the biggest roadblock initially is the element of surprise. Most merger deals are done with some amount of confidentiality. However, one of the hardest issues to manage is the lack of time. There is never enough time to perform all the due diligence that you desire. This is always true in the compliance arena as well. Further Securities and Exchange Commission (SEC) regulations prohibit certain unauthorized disclosures about such transactions and there is usually great sensitivity to timing around any public disclosure regarding the transaction.

This not only impedes the ability to fully vet during the due diligence process but it may impeded company leaders from announcing to their own stakeholders that the company is in such negotiations. This can certainly negatively affect an employee base as top leaders may be confronted with “managing the impact of the (M&A) surprise on stakeholders.” This can also damage the efforts going forward as it can appear as a “top-down imposition of change.”

II.                Compliance in the Post-Acquisition Context

Given the two Department of Justice (DOJ) pronouncements on Foreign Corrupt Practices Act (FCPA) compliance in the M&A context, Opinion 08-02 (the Halliburton Opinion Release) and the Johnson and Johnson (J&J) Deferred Prosecution Agreement (DPA), all of the factors that Barnaba listed may be significantly acerbated and accelerated.

A.     The Halliburton Opinion Release

In this Opinion Release, the DOJ approved Halliburton’s commitment to the following post acquisition conditions to a proposed transaction:

1)      Within ten business days of the closing. Halliburton would present to the DOJ a comprehensive, risk-based FCPA and anti-corruption due diligence work plan which would address, among other things, the use of agents and other third parties; commercial dealings with state-owned customers; any joint venture, teaming or consortium arrangements; customs and immigration matters; tax matters; and any government licenses and permits. The Halliburton work plan committed to organizing the due diligence effort into high risk, medium risk, and lowest risk elements.

a)      Within 90 days of Closing. Halliburton would report to the DOJ the results of its high risk due diligence.

b)      Within 120 days of Closing. Halliburton would report to the DOJ the results to date of its medium risk due diligence.

c)      Within 180 days of Closing. Halliburton would report to the DOJ the results to date of its lowest risk due diligence.

d)     Within One Year of Closing. Halliburton committed to full remediation of any issues which it discovered within one year of the closing of the transaction.

B.    Johnson & Johnson Deferred Prosecution Agreement and Enhanced Compliance Obligations

In the April 2011 released J&J DPA there is a list of compliance obligations J&J agreed to take on in the acquisition context:

7.        J&J will ensure that new business entities are only acquired after thorough FCPA and anti-corruption due diligence by legal, accounting, and compliance personnel. Where such anti-corruption due diligence is not practicable prior to acquisition of a new business for reasons beyond J&J’s control, or due to any applicable law, rule, or regulation, J&J will conduct FCPA and anti-corruption due diligence subsequent to the acquisition and report to the Department any corrupt payments, falsified books and records, or inadequate internal controls as required by … the Deferred Prosecution Agreement.

8.        J&J will ensure that J&J’s policies and procedures regarding the anti-corruption laws and regulations apply as quickly as is practicable, but in any event no less than one year post-closing, to newly-acquired businesses, and will promptly: For those operating companies that are determined not to pose corruption risk, J&J will conduct periodic FCPA Audits, or will incorporate FCPA components into financial audits.

1. Train directors, officers, employees, agents, consultants, representatives, distributors, joint venture partners, and relevant employees thereof, who present corruption risk to J&J, on the anti-corruption laws and regulations and J&J’s related policies and procedures; and
2. Conduct an FCPA-specific audit of all newly-acquired businesses within 18 months of acquisition.

In the J&J DPA, the company agreed to following time frames:

1. 18 Month – conduct a full FCPA audit of the acquired company.
2. 12 Month – introduce full anti-corruption compliance policies and procedures into the acquired company and train those persons and business representatives which “present corruption risk to J&J.”

These very tight time frames, even with the expanded one in the J&J DPA, may well test trust issues in any newly acquired organization. Similarly, the acquiring organization may be under great pressure to uncover and report anything which may even whiff of a FCPA violation. Barnaba concludes her article by warning that if the short term disruption in trust will undermine the long-term changes to the organization; it may not be in either party’s interest to go forward with the merger. Business mergers require linkages at all levels within an organization and this is particularly true with compliance.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2012

You Have a FCPA Compliance Strategic Plan – Now What Do You Do?

One of the things that my colleague Stephen Martin talks about is the need for strategic planning for your Foreign Corrupt Practices Act (FCPA) compliance program. He suggests a 1, 3 and 5 year strategic plan which you should utilize as a road map for your compliance program in these time frames. Equally important, as a former state and federal prosecutor, he believes that such a document would be an important item to produce to a prosecutor, who might be reviewing your compliance program in the event of a voluntary self-disclosure, a Dodd-Frank or other whistle-blower event, which has led your company to receive a subpoena or letter of inquiry or an industry sweep. He believes that such a strategic plan could well lead to the development of credibility for your company and your compliance program in the event of one of the aforementioned eventualities.

With the above in mind I was interested to read an article in a recent issue of the Houston Business Journal, entitled “Strategic planning needs constant follow-up to be successful” by Bruce Rector. In the article Rector sets out steps to assist in utilizing a strategic plan. As with Martin he recognizes that while a strategic plan can serve as guide for your company going forward, it must actually be utilized to garner any use out of it. Rector notes that “if your company and management team have expended the time and resources to pull together a strategic plan, the next logical step is to follow up and keep things on track.” While Rector’s article is not aimed at the compliance arena, I believe that the steps he lays out, translate without difficulty, into steps a compliance officer can take to meet the suggestion laid out by Martin above.

• Review the Goals of the Strategic Plan. This requires that you arrange a time for the Chief Compliance Officer (CCO) and team to review the goals of the Strategic Plan. Rector advises that to the extent possible this should be done in person. The CCO should lead a discussion of the Strategic Plan and determine how this goal in the Plan measures up to its implementation in your company.
• Design an Execution Plan. Here Rector advises that the “Keep it Simple Sir” or KISS method is the best to move forward. This would suggest that for each compliance goal, there should be a simple and straight forward plan to ensure that the goal in question is being addressed. Rector notes that any “plan must be specific with clear tasking and deliverables and a definite timeline for delivery.”
• Put Accountabilities in Place. In any plan of execution, there must be accountabilities attached to them. Simply having a time line is not enough. This means that the persons tasked with the responsibility of performing the tasks be clearly identified, by both the individual so tasked and the actual task they are assigned to complete. Accountability also includes a “follow-up mechanism to ensure that these vital goals are achieved.” This requires the CCO or other senior compliance department representative to put these in place and then mandate a report requirement on how the task assigned is being achieved.
• Schedule the Next Review of the Plan. Most interestingly, Rector recommends a review of the foregoing process on a weekly basis. While noting that this may seem time consuming, he believes that once the group assigned with this responsibility gets “into the rhythm, it can go smoothly.” While I would not necessarily agree that weekly meetings are required, Rector does correctly note that such regularity allows any problems which may arise to be detected and corrected more quickly than if meetings are held at a less frequent basis.

Martin’s guidance that a FCPA strategic plan can be a key part of your overall compliance program is sound advice. However, simply developing a strategic plan is not enough. Rector concludes by stating that “Part of management’s responsibility is to continually reinforce the vision and goals of the company, as set forth in this plan.” This is particularly true in the compliance arena, where assessment and updating are critical to an ongoing best practices compliance program. If you follow the process laid out by Rector, you will put a mechanism in place to demonstrate your company’s commitment to compliance by following through on intentions as set forth in your strategic plan.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011

Evaluating Integration of the Compliance Function in Pre-Acquisition Due Diligence

In an article in the most recent issue of the Houston Business Journal, entitled “Putting a partner through too many changes increases risk”, columnist Connie Barnaba discusses one of the risks often overlooked in a mergers and acquisitions (M&A) transactions. It is the risk inherent with the integration of the purchased entity. Barnaba identifies two types of risks characteristic with strategic deals. The first is the “buy decision” and the second is the aforementioned integration aspect.  She phrases it as “Most companies attempting those types of deals tend to move forward with the deal without an examination of the unknown conditions that could adversely affect post-deal integration.” I would take this a step further and say that most company’s focus on this risk is not limited to strategic deals but with all  M&A transactions. Her column gave me pause to consider such matters in a compliance context.

Barnaba notes that “conventional wisdom” would tell you that when two strong companies merge, the manifestation of the merger will result in a stronger company. Similarly, if there is a merger between a strong company and a smaller, or lesser, company then the culture of the stronger company will prevail. But what happens in the area of compliance? Admittedly the time during any due diligence for an assessment of compliance is limited. This may well lead to a purchasing entity completing a transaction with unknown compliance risks in place. This can have several negative consequences, including successor liability under the Foreign Corrupt Practices Act (FCPA). However, I would like to focus on the issue of compliance integration.

I believe that the Department of Justice (DOJ) would seem to have responded about the time frame to complete compliance due diligence with two public statements. The first was Opinion Release 08-02 (the Halliburton Opinion Release) which provided a time frame of 90 days for high risk third parties; 120 days for medium risk third parties and 180 days for low risk third parties to perform a compliance audit after the closing of a proposed transaction. This time frame was expanded in the Johnson & Johnson Deferred Prosecution Agreement (DPA) last spring to a more manageable 18 months to complete a compliance audit of the purchased entity.

However, how does a company turn to integration of compliance throughout an acquired entity? As Barnaba points out, “if unknown risks are triggered, decisions makers may find themselves in a reactive mode simultaneously attempting to gather reliable intelligence about the unknown conditions, devise stop-loss tactics and minimize the adverse impact to the execution of the business strategy…” In the compliance arena that may well translate into a very public disclosure of material events, and, at the same time, a self-disclosure to the DOJ and/or Securities and Exchange Commission (SEC).

Even if this nightmare scenario is not activated, the more mundane day-to-day issues of merger integration are ongoing. These include the execution of a compliance strategy, the number of changes in the acquired company’s compliance program, or indeed the wholesale adoption of it into the purchasing company’s compliance program and communication to all relevant third parties regarding the changes in these relationships, the complexity of a new compliance policy, the transparency of a new compliance program in the acquired entity and the cost of implementing such changes. Clearly cultural changes are an important part of the implementation of any compliance program.

Barnaba also notes the importance of cultural differences. American companies have run afoul of the FCPA in the acquisition of Chinese companies whose activities, prior to and after being acquired, constituted FCPA violations. Two recent examples are Watt Water Technologies and RAE Systems, Inc. Barnaba advocates that an assessment of post-deal integration risks should be a part of your company’s pre-transaction due diligence. This includes the compliance due diligence to “provide decision-makers with a comprehensive assessment of the [compliance] risk inherent with the deal…”

Barnaba’s article brings up several lessons in M&A transaction due diligence which should be implemented in your compliance due diligence. You may well need to assess the culture of compliance in the entity your company is purchasing. In addition to the “buy decision” there should be an evaluation of the risk inherent with integration of compliance programs into the acquired company. Failure to do so may set up a culture class or other basis which may seriously downgrade the value of the acquired entity.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2011