This year marked the four-year anniversary of Operation Car Wash in Brazil and its impact continues to reverberate throughout the country, as corruption remains a constant risk. The series of new corruption investigations that have surfaced this year alone should serve as a warning to investment managers that risks and heightened enforcement by domestic and international regulators are the “new normal.” In the current climate, companies that are not continually enhancing their compliance programs are exposing themselves to significant risk. Therefore, investment managers involved in M&A activity within Brazil (either for a private equity firm or a parent company) can no longer view compliance as a peripheral risk requiring limited focus or delegation to the attorneys and consultants. In order to be successful in today’s landscape, investment managers must adopt a more focused “compliance mindset” that makes compliance risk central to the overall investment management process, throughout the entire acquisition lifecycle.
To start, it is imperative to understand the complexity and function of a compliance program in a target’s organization so that it can be examined closely and accurately before and after an acquisition. From a structural standpoint, a compliance program is simply an internal control structure that prevents and detects violations of laws, regulations, and internal company policies. For a compliance program to be effective, the company’s compliance, risk management, and internal audit areas should work closely together to design and implement a system of effective controls that work across the entire organization.
When contemplating an acquisition, investment managers should also know that compliance risk cannot be mitigated solely by the due diligence procedures performed at the outset of the investment management process. Investment managers cannot expect their pre-acquisition due diligence to uncover all risks or potential wrongdoing related to a target –because, while many companies’ compliance programs appear to be effective on the surface, they may have large gaps when put under a microscope. As an investment manager, you do not want those gaps to be identified by regulators as part of an investigation, when they could have been uncovered and remediated internally if more focus was placed on reviewing and enhancing the target’s compliance program earlier in the process.
Once the transaction has closed, investment managers should take a bottom-up approach to developing a compliance program that is customized for the facts and circumstances of the acquiree’s unique situation. While this may be contrary to the conventional wisdom of taking a top-down approach, this strategy has clearly not prevented serious cases of corruption violations at established companies within Brazil. The bottom-up approach, while potentially more time consuming and costly, can provide a better and more complete understanding of the compliance risks within the business since internal stakeholders have greater visibility into areas of risk within the organization.
Furthermore, when reviewing the acquiree’s compliance program, one thing investment managers must understand is that the “compliance mindset” should not be viewed narrowly from the lens of only corruption. The reason for this should be clear – any area under the scope of a compliance program can result in a serious adverse impact to the company. Do not let the headlines solely drive the focus of the company’s compliance program.
Finally, investment managers should work to enhance the ongoing testing of the acquiree’s compliance program and associated internal controls on a regular basis to uncover any deficiencies or risks. One way to understand if the compliance program is operating effectively is to perform transaction testing. As part of this process, areas of high risk would be identified and specific transactions and controls within these areas would be tested, on a sample basis, to determine whether there are any internal deficiencies – or worse – regulatory or legal violations. In this way, transaction testing may help to uncover areas of misconduct, both large and small, that would have not been otherwise known. This will also help ensure that any material issues are uncovered in a timely fashion to the extent they impact the terms and conditions of contractual agreements between buyer and seller.
Ultimately, compliance risk is a complex area that requires the involvement of many skill sets and stakeholders within the company. Therefore, investment managers should not play the role of de-facto compliance officers for a company they acquire. Instead, investment managers should have regular, ongoing discussions with the target’s chief compliance officer and other relevant stakeholders, from the start of contemplating a transaction through completion of the acquisition and beyond. This allows them to better understand the compliance risks within the business and the ways in which they can provide the same support that other members of management may already receive. Implementing this type of strategy will serve as a great first step to achieving the “compliance mindset” needed in today’s “new normal” that will ensure associated risks are being evaluated and managed appropriately.