M&A Risks: Buyers Beware

The pressure to grow sales and profits is translating into a need for speed. But acquirers play a risky game if they cut corners on due diligence.
Lauren Muskett | September 13, 2019

In 2018 the value of mergers and acquisitions worldwide was a cool $3.9 trillion, according to the Institute for Mergers, Acquisitions, and Alliances. Companies very much like to make deals, which ideally provide strategic synergies, operating efficiencies, and a fast path to growth.

Yet it’s equally certain that some transactions are the product of wishful thinking. After analyzing 2,500 deals, L.E.K. Consulting found that more than 60% of them destroyed shareholder value. What’s more, many companies are flailing about with no vision: In a survey of 400 top executives by Grant Thornton, only 31% of participants said they had a clear, well-understood M&A strategy.


In short, combining companies is a risky proposition. Acquirers may misread economic conditions. Expected sales may not materialize. Effectively merging disparate corporate cultures is notoriously difficult. Same for IT systems. Failure to retain key employees is common.

That’s problematic because when it comes to M&A, the pressure on companies to grow sales and profits is translating into a need for speed.

“Companies are moving fast,” says Margaret Carlson, CFO of health care consultancy Alira Health, which has acquired two small companies over the past two years. “Some may figure a deal offers enough profitability and synergies to cover costs that might have been of more concern five years ago.”

Haste does provide opportunity, in a sense. “The good news is that the speed at which you can get to closing is one way to win at deal-making,” says Curt Gendron, practice leader for operational transaction advisory at professional services firm Crowe. “The bad news is that it can drive some negative behaviors.”

Compliance Glitches

First on that list is insufficient due diligence. In the best of worlds, acquirers would conduct every element of the process thoroughly. Today, they’re more likely than before to cut corners. Crowe calls it the “shrinking report syndrome.”

Shockingly, a big failure on the due diligence front is investigating whether the target company is compliant with applicable regulations. In a recent study by law firm Baker McKenzie, based on interviews with more than 300 corporate leaders and legal advisers, 56% of them expressed regret that they had dedicated too little effort to the task.

“Compliance due diligence is the stepchild of many transactions,” says William Devaney, co-chair of global compliance and investigations at Baker McKenzie. “It’s often paid attention to late, and sometimes not at all.”

The United States and most other Western countries enforce laws and regulations more effectively than do many others, according to Devaney. When a U.S. company acquires a target from a jurisdiction with a low level of enforcement, there’s “a very good chance” that the target won’t have well-developed compliance programs, policies, and procedures, he says. “Under U.S. law, you are buying that problem.”

Such research has always been a key element of due diligence, but it may be even more important in today’s volatile trade environment, in which more countries are targets of tariffs and trade sanctions. Companies that are adept at due diligence make liberal use of scenario modeling, says Gendron. For example, what implications might Brexit have for the acquisition of a U.K. company?

Similarly, for a target with significant manufacturing or supply chain operations in China, modeling would shed light on the potential costs of keeping those where they are versus moving them to another country. And that likely will be a moving target. “With the trade wars, things can change with a tweet,” says John Falcon, CFO and treasurer at Ross Controls, a maker of valves and systems for the fluid power industry that has made several acquisitions in the last two years.

If the target is in a country that’s subject to trade sanctions, it’s especially important to set up appropriate governance. The U.S. Treasury’s Office of Foreign Assets Control has increased its enforcement of such sanctions on deal-making companies, announcing four penalties in the first half of 2019 ranging up to $1.8 million.

Cyber Diligence

For obvious reasons, the importance of evaluating a target’s technology is surging, with no end to the trend in sight. That applies not only to IT infrastructure but also to software and apps used in operations.

A target’s data privacy and cybersecurity profile should, of course, be a due diligence priority. As data breaches continue to make big headlines, investigating a target’s data protections and its compliance with data privacy laws is crucial.

One of the latest and largest breaches is a cautionary tale. The U.K.’s privacy regulator, the Information Commissioner’s Office (ICO), in July fined Marriott International $123 million for a breach of Starwood Hotels & Resorts’ guest reservation database, in violation of the European Union’s General Data Protection Regulation (GDPR).

The ICO said Marriott hadn’t conducted proper due diligence when it acquired Starwood in 2016. Even though the hackers had breached Starwood’s systems two years before the acquisition, Marriott didn’t discover it until 2018.

Despite nightmare headlines, data privacy and cybersecurity are often neglected. The category of data protection, privacy, and information governance was ranked fairly low on the list of M&A risks in the Baker McKenzie study. Only 43% of participants found it to be among the most challenging compliance risks in recent M&A deals, while 35% said the same about cybersecurity.

Respondents expected that to change, however: 78% believed data privacy risk would increase in the next 12 to 18 months, and 73% expected cybersecurity risk to do so.

Small companies may be in the greatest danger. “Security doesn’t come cheap, and usually small firms are moving fast without a ton of infrastructure,” says Carlson of Alira Health, a 100-employee company with offices worldwide.

Privacy compliance is something of a moving target in the United States, where there are no federal data privacy regulations. However, California’s Consumer Privacy Act is set to take effect in January 2020, and other states are working on their own data privacy laws. “These are rapidly changing domains,” says Gendron. “It’s not something that most companies’ IT managers are going to be able to adequately assess on their own.”

For example, last year Alira acquired a small research organization that manages clinical trials. The target obviously handled highly sensitive health care data, so Alira hired an outside IT security expert to inspect the company’s systems. Such an expert can not only make sure systems are locked down and compliant but also, if issues are found, quantify the cost of bringing the company into compliance, says Carlson.

Part of security-related due diligence is a hard look at all insurance that’s in place, she adds. That could include errors and omissions insurance, representations and warranties insurance, and special cyber-insurance policies. “You need to look at how the contracts are worded and understand what would be covered and what would not be covered should something from the past arise,” says Carlson, as in the Marriott-Starwood case.

Another precaution is to delay the integration of IT systems, especially if the acquirer hasn’t had the time to thoroughly vet the acquired ones before transaction close, says Joseph Castelluccio, a partner at law firm Mayer Brown. Acting too quickly could, for example, risk malware infection of the buyer’s software.

When the value of data is a major driver of an acquisition, buyers need to do an especially deep dive into the target’s privacy policies, Castelluccio adds. “If the policies under which that data was collected don’t permit you to [monetize it the way you intend], you may have a very hard time realizing that value,” he says.

Booming-Economy Risks

The “people” aspect of due diligence has taken on added importance. That is particularly so in small companies and highly specialized industries. “The low unemployment in all of our markets is impacting us dramatically,” says Carlson. That puts a premium on making sure the employees of acquired companies will be happy in their new and different environment.

Making assumptions about retaining key employees, for example, has become far more problematic, according to Gendron. “We are seeing many companies pushing to get access to key employees in advance of closing to increase the level of confidence that they will be retained post-close,” he says. That key salesperson who has critical relationships with the target’s five largest customers, for example, might make or break the deal’s success.

Meanwhile, the longest economic expansion in U.S. history — 121 consecutive months of GDP growth through July 2019 — is starting to give some companies jitters.

“The question becomes, from a risk standpoint, how is this business that we’re looking at going to fare during that next downturn?” says Gendron. In response, acquirers are expanding their financial modeling during due diligence. Rather than looking at only the trailing 12 months and the two prior full years, he says, some companies look for reassurance by going all the way back to 2008 to see how the company performed during the Great Recession.

Perils and hazards lurk in every potential deal. But, with thorough due diligence, CFOs and M&A teams can minimize post-close surprises or even steer the organization clear of a disastrous, value-destroying purchase. Speed in analyzing targets is essential in the current climate, but there are no shortcuts to a transaction that outperforms and produces real value.

Tam Harbert is an award-winning journalist specializing in technology, business, and public policy.