
This post was originally published by Spark Compliance Consulting on the Compliance Kristy blog.


“Our company is proud to announce the acquisition of the New Company!” reads the press release. The Compliance Officer looks on in shock. Why weren’t they told? Why weren’t they involved in the pre-acquisition due diligence? Why are they hearing about it after it’s already happened? And, most importantly, what are they going to do now to manage the risk?

It shouldn’t be this way

The regulators have been crystal clear. Compliance should be involved in mergers and acquisitions. They should come in prior to the acquisition, be a key contributor during due diligence, and assist throughout the decision-making process.

But frequently they’re not. Even with the new safe-harbor provision, which gives a company six months to self-report bad acts found in its shiny new acquisition with the assumption of a declination, Compliance isn’t always in the room.

If you’re not invited

If you find out about a merger or acquisition after the fact, you can still perform a risk assessment to get yourself up to speed before the initial meetings with the new company.

The internet has created a treasure trove of information on companies, most of which is easy to access and find. Here’s how to do it.

Company website

Start on the company’s website by checking the basics:

  • What country is the new company headquartered in?
  • In which countries does it do business?
  • In which countries do they manufacture products?
  • What does the company say about itself in the “about” section?

Next, assess the likely maturity of the company’s governance and compliance and ethics program.

  • Is the company publicly traded, and if so, on which exchange?
  • Does the company have a publicly available code of conduct?
  • Does it have any compliance-related policies available?
  • Does it have any board or governance-related documents available or board member profiles online?
  • Does it have a speak up hotline or portal for submitting reports of potential misconduct?
  • Is there a supplier code of conduct?

Next, look for reports.

  • Is there a 10K, or are there other SEC-related reports?
  • Is there an annual report?
  • Is there an ESG or sustainability report?
  • Do they have any modern slavery statements? U.K.? California Transparency in Supply Chain? Australia? Coming up – Canada?

Soon, you’ll also be able to look to see reports from companies complying with the EU’s Corporate Sustainability Reporting Directive (frequently known as CSRD) and Corporate Sustainability Due Diligence Directive (frequently known as CSDDD), as well as the SEC’s climate disclosure rules. But in the meantime, many companies have reports already available.

You can also look for press releases or news about the company posted on the site, as well as the names and bios of the most important executives.

Other search results

Go through each of the types of media listed on major search engine tabs.

  • Review the first several pages of the search results. Are the articles positive or negative? Do they describe how the company does business? Are there any red flags?
  • Review the videos made by the company or posted about them
  • Review any shopping sites selling their products if they sell direct to consumers
  • Review any scholarly articles referencing them

Search for feedback

Next, review sites like Glassdoor to find out what employees think of working for the company. Are they generally satisfied? Are there any locations that are named as problem places within the reviews?

If the company sells direct to consumers, look up product reviews. Check out Yelp!, Amazon, and specialty sites devoted to the industry (e.g., Tripadvisor for travel-related businesses) to get a sense of the quality of the products and consumer sentiment about the company.

Social media

Check the company’s social media sites. What type of information do they share about themselves? Which sites are they active on? Do they post frequently? Do they respond to complaints? What is the tone of the content? Do they comment on or share others’ posts?

LinkedIn for executives

Use LinkedIn’s search functions to look up the most senior executives at the new acquisition or merging company. Look at their backgrounds. Have they been in the industry a long time? Is there a new CEO who was brought in to facilitate a turnaround? Is the original founder still in charge? How long have the senior managers been at the company?

Due diligence reports

Purchase an enhanced due diligence report on the acquisition/merged company and the CEO as soon as possible to get more information.

Putting it together for a risk assessment

This review should give you a good starting place for your risk assessment. For instance…

Bribery

If you know the countries in which the company operates and sells, you can risk-rank for bribery risk using Transparency International’s Corruption Perceptions Index scale.

If the company’s products or services lend themselves to government use or purchasing, that informs the risk profile.

Trade compliance

Knowing the countries in which the company operates will give you a good sense of likely trade sanctions exposure.

You will also know whether the product lines are likely to be subject to export control or if they may be deemed dual use and therefore subject to trade controls.

Modern slavery

If you know the countries from which materials are sourced or where the company manufactures products, you can use the Transparency in Persons report to judge the likelihood of modern slavery in the supply chain. Details from the ESG or sustainability reports can help you to recognize how well risk is being identified and managed.

Antitrust

Your market review should have identified the major competitors to the new acquisition and given you some sense of market share. You’ll have a good idea of whether there may be monopoly or dominant market position concerns.

You may have even been able to discover whether the company sponsors industry events or is otherwise active in organizations where competitors may gather and create collusion risk.

Data privacy

The company’s products and services can give you information about how much personal data is likely needed. Were you asked to give your personal information on the website? Is personal information a prerequisite for using the product or obtaining the service?

Countries of operation and sales are important in this review as well. Does the company operate or sell in the European Union, and is it therefore subject to the General Data Protection Regulation (GDPR)? Does it sell into places like Singapore and Argentina that have strict data privacy regimes? Does it sell into or operate from Russia or China, and might it therefore be subject to data localization laws?

Using your initial assessment

By using publicly available information, you’ll be able to identify a significant amount about the acquired or merged company. Your initial risk assessment can be a great kicking-off point when you meet the executives and counterparts at the new company. They’ll be impressed with the knowledge you’ve already developed, and you’ll feel confident in asking insightful questions from the get-go.

Should you be invited to the M&A party before it starts? Absolutely. But if you’re not, don’t despair. Much can be done on your own, which will lead to a smoother risk-based integration of the compliance program.

