13 May 2021 –
The SAP enforcement action was certainly a game-changer in trade sanction enforcement. It was the first Justice Department (DOJ) National Security Section enforcement action under the under the Justice Department’s Export Control and Sanctions Enforcement Policy. Mike Volkov, channeling his inner Grace Slick, called it “a New Dawn”. Moreover, although the enforcement action was in the realm of export control and trade sanctions, it provided numerous lessons for all compliance professionals. I want to explore the issue of post-acquisition integration in this blog post.
Matt Kelly noted these failure in export control compliance, largely in acquisitions. The target companies acquired were “Ariba, Concur, and Success Factors, collectively dubbed the “cloud business group” (CBGs).” OFAC found the pre-acquisition due diligence was not the problem, as the OFAC order stated, “Pre- and post-acquisition due diligence on the CBGs found that they generally lacked comprehensive export controls and sanctions compliance programs, and in some instances had no sanctions compliance measures at all.” The problem was that “SAP permitted the CBGs to continue operations as standalone entities without fully integrating them into SAP’s existing compliance measures.” Finally, the OFAC rather ominously noted, “The U.S.-based export compliance team was not resourced or empowered to manage these processes appropriately. These processes, moreover, were not consistent across all the CBGs due to technological challenges and encountered resistance from some CBGs that did not view sanctions compliance as necessary.”
I recently visit with Tom Pannell, Managing Director in K2 Integrity’s Investigations and Risk Advisory practice on integration issues after an acquisition closes. Pannell believes you need to move quickly in the area of integration of policies, procedures, and internal controls, even if you are inclined to give an acquired entity a pass in the first year or provide no stringent oversight of the integration. He went so far to say that it’s a “big mistake”. Here we only need to look at the recent SAP trade compliance enforcement action to see at a lackadaisical attitude on integration led to a huge financial penalty. In the anti-corruption arena, a company has 18 months to fully integrate the acquired company into its compliance regime under Department of Justice (DOJ) guidance.
Pannell noted that any red flags which appeared in pre-acquisition due diligence need to be cleared or remediated. He said, “I cannot put it more simply than just follow up on the red flags sufficiently.” He used this point to emphasize that a business “must have a resourced integration team that has time and experience as this is critical to a transaction’s long term success. This integration team must have supportive senior management to drive the integration, focusing not just on synergies, but actually helping the new acquired entity integrate into the acquirer.” The bottom line is it is a lot less costly to do the work upfront than to have to remediate an issue down the road.
The red flags may be in the area of legal, financial, IT, reputational or any other area you have assessed. From clearing red flags, you should move on to monitoring the newly acquired entity. Customize your monitoring program based on your integration approach. Pannell noted, “if the subsidiaries are a hundred percent on your financial and accounting systems, you can do a lot remotely. However, if you have only partially integrated, you’ll really need to send an in-person team to follow up on the activity.”
We turned to the issue of cultural integration as culture clashes are a big reason M&As fail. As people are the lifeblood of any organization, this should be a primary focus of the integration process. When bringing businesses together, leadership spends time to understand what the similarities of the new operation are and what are the differences and how will these be bridged? Here Pannell said that the key is “really middle management as they will be the ones who are crunched between the teams doing the work and senior leaderships sort of vision for the future. Their motivations and the way they work needs to be understood and embraced and brought into the integration process is critical.” He further cautioned, “I think we’ve all seen the mentality of us versus them in an acquisition. This can be toxic to the deal because talent can be resistant and leave, or even worse than just leaving, taking your critical assets with them.”
Interestingly, Pannell said it is not simply international acquisitions where this problem occurs but simply in different geographies and different cultures. It can be operations in New York versus Pittsburgh versus Houston, as they all have different styles of work that can lead to a culture clash in the way business is done. This can turn “into a hot button issue down the road, creating riffs so addressing these kinds of challenges upfront is critical to a deal success.”
Pannell closed with some key points which are applicable to the SAP integration. First, he said, “do not skip on diligence just because it seems like it may slow things down which are in a fast environment. The risks that you take on by not conducting thorough diligence can really come back to create major problems down the road.” Second, the job of an investigator is to give you as much relevant information as possible. You can make informed decisions, knowing information upfront does not necessarily kill a deal, “but it prepares you for outcomes that you may not be expecting. This additional information can help you plan to deal with these issues when they pop up.” Third and finally, follow up on potential issues as “during integration an ounce of prevention is worth a pound of cure. Making sure you have a handle on what could be problematic down the road can make the difference between success and failure.”
The OFAC Order found that SAP “permitted its U.S.-based CBGs to operate as standalone entities despite pre- and post-acquisition due diligence and reports from its U.S.-based Export Compliance Team notifying SAP headquarters of significant compliance deficiencies.” The Order went on to state, “This enforcement action also emphasizes the importance of conducting sufficient pre- and post- acquisition due diligence to identify and promptly remediate compliance deficiencies in newly acquired subsidiaries. Compliance efforts in such circumstances should be sufficiently resourced and empowered to undertake thorough examinations of risks and to implement appropriate controls, including, if needed, any stopgap measures.” [emphasis supplied]
The SAP enforcement action should be studied by every compliance professional of every stripe to understand the need for adequate pre-acquisition due diligence, coupled with a robust remediation of not simply red flags uncovered in the pre-acquisition phase by also timely integration of the acquired company into your compliance regime.