A guide to compliance due diligence

Compliance or due diligence?

Compliance and due diligence are closely linked but there is a subtle difference between them. Compliance is clearly defined by legislation and can be achieved by following a set of pre-determined rules and regulations. The consequences of being non-compliant are equally well-defined.

Due diligence is not defined in terms of legal duties and consequently can be harder to achieve. It is anticipated that everyone in the supply chain will act ethically, respecting human rights, but in practice monitoring this can be challenging.

Business acquisition due diligence

Although business acquisition is commonly used to acquire new products or expand into new territories, it can also bring with it considerable risk. It is recommended that due diligence takes place regardless of business size.

If due diligence is not followed, the results can be catastrophic. A lack of due diligence can result in limited investment opportunities and ultimate business closure. Anyone associated with the business is also likely to face a difficult future.

Conducting compliance due diligence

Due diligence involves the assessment and evaluation of risks. Typical areas considered include bribery, international data protection regulations, procurement law and anti-corruption regulations. Due diligence may appear to be very complicated but can be broken down into three simple steps.

Step 1 – Risk investigation

This involves the collation of any information which is available publicly. Specific business activities, the structure of the business, country embargoes, the World Bank’s blacklist and the company’s location should also be considered. If the business is in a country on the Corruption Perceptions Index (CPI), an in-depth corruption assessment is recommended.

Companies trading on an international basis are usually exposed to greater risks than those based locally. Joint ventures can be high risk, as the UK Bribery Act mutually attributes any compliance infringements of a joint venture partner.

Step 2 – Risk assessment

Based on the information obtained, a risk assessment of the potential risks is undertaken. If any potential risks are identified, further information is sought from the potential acquisition. This will highlight any previous non-compliance incidents whilst also assessing the potential acquisition’s compliance management systems.

Step 3 – Risk evaluation and management

The overall benefits and risks of the transaction are evaluated. If the compliance due diligence process has discovered serious compliance risks, the purchase may still go ahead provided that the purchase price is adjusted accordingly, and strategies are put into place to minimise the risks.

Managing due diligence compliance risks

If due diligence procedures highlight serious compliance risks, those risks can be managed by including them in the purchase agreement.

When the risks are known, an indemnification clause should be included, but a compliance guarantee clause is required if compliance due diligence revealed a potential but unquantifiable risk. Adding an arbitration clause will ensure that any legal disputes arising from this can be settled speedily.

If there is a risk of insolvency, this risk can be protected against by a warranty and indemnity insurance policy. This will also provide cover for any compliance guarantees which may arise in connection with corruption and bribery.