Savonarola And The Need To Evaluate Compliance In Pre-Acquisition Due Diligence

by Thomas Fox

I have always found one of the most fascinating figures of the Florentine Renaissance to be Girolamo Savonarola, who effectively ruled Florence from 1494-1498. While not the first person to try and create a ‘City on the Hill’, he was able to bring his heavenly vision as the spiritual and temporal leader in Florence for a short time after Medici rule. It was Savonarola who inspired the original ‘bonfire of the vanities” where his supporters burned luxury clothes, musical instruments and artwork on the day that Carnival was formerly celebrated on. Savonarola fell from power when his foreign policy of allying with the French did not bring the promised economic benefits to the city. He was burned at the stake for his troubles.

I thought about Savonarola’s downfall, ordained by his lack of economic foresight, in the context of the compliance function in mergers and acquisitions (M&A). Most companies understand the need for post-acquisition integration of their compliance regime into an acquired entity. Such integration is also coupled with focused training for high risk employees and a detailed forensic audit to see if there are any problems under the Foreign Corrupt Practices Act (FCPA), UK Bribery Act or other anti-corruption laws. This post action conduct has been discussed by the Department of Justice (DOJ) extensively through both the Opinion Release procedure (Opinion Release 08-02) and several Deferred Prosecution Agreements (DPAs) including those involving Johnson & Johnson, Data Systems & Solutions and Pfizer.

However, many companies have not put the same effort into the pre-acquisition due diligence around compliance. This may have started to change with the release of the FCPA Guidance last November. In this document, there was a substantive discussion of what should go into pre-acquisition due diligence from the compliance perspective and a nod towards the tangible benefits of such work through the example in the FCPA Guidance of a company which received a declination to prosecute.

The subject of M&A made it to the list of ‘Ten Hallmarks of an Effective Compliance Program’ articulated in the FCPA Guidance. Under the final listed Hallmark, entitled “Mergers and Acquisitions: Pre-Acquisition Due Diligence and Post-Acquisition Integration”, the Guidance states that “A company that does not perform adequate FCPA due diligence prior to a merger or acquisition may face both legal and business risks. Perhaps most commonly, inadequate due diligence can allow a course of bribery to continue—with all the attendant harms to a business’s profitability and reputation, as well as potential civil and criminal liability.”

The Guidance goes on to detail a quite specific example of pre-acquisition due diligence in the compliance context. It provided a hypothetical situation where a US company was purchasing a company which was not subject to FCPA jurisdiction. Prior to acquiring this entity, the US company had engaged in extensive due diligence of the foreign entity, including: (1) review by the US company’s legal, accounting, and compliance departments of the foreign entity’s sales and financial data, its customer contracts, and its third-party and distributor agreements; (2) performing a risk-based analysis of foreign entity’s customer base; (3) performing an audit of selected transactions engaged in by the foreign entity; and (4) engaging in discussions with foreign entity’s general counsel, vice president of sales, and head of internal audit regarding all corruption risks, compliance efforts, and any other corruption-related issues that have surfaced at foreign company over the past ten years. All of this was done with an goal towards determining if there were any payments which might violate the FCPA, whether the foreign company had appropriate anti-corruption and compliance policies in place, whether target’s employees had been adequately trained regarding those policies, how the foreign entity ensures that those policies are followed, and what remedial actions are taken if the policies are violated.

While the FCPA Guidance focused on the legal risks for failing to perform pre-acquisition due diligence on a target, there is also the business risk. Therefore, the steps suggested in the Guidance can be of great benefit to allow a company to understand the culture of the company it is targeting. This message was driven home by Connie Barnaba in a recent article in the Houston Business Journal (JHBJ), entitled “One of the costliest risks is acquiring an unknown culture”. One of the reason to engage in such extensive pre-acquisition due diligence is because “culture clashes may contribute in a significant way to the poor performance of businesses” after post-acquisition integration. Straight-forwardly, any business valuation will depend on variables taken into account at the time of the valuation. But Barnaba argues that “Since the valuation of the target company is usually conducted prior to the deal close, it does not take into account operational changes that are required to merge the two operations. It’s at this intersection that risk is created.”

Barnaba posits two scenarios which are interesting from the compliance perspective. Consider that an acquiring company is considering two targets. Both companies are in heavily regulated corporate environments and both take compliance with those regulations quite seriously. However Target A has chosen to treat each employee as a stakeholder with personal responsibility for compliance. It communicated this tenet beginning with the hiring process and then continuing throughout an employee’s tenure with the company, through training, promotion and compensation. These compliance values were so embedded in Target A that it was largely the employee base that prevented and then detected any compliance violations.

She contrasted this with Target B, which is also dedicated to regulatory compliance. However this entity believed that no matter how much you train on policies and procedures, “human errors and negligence” will always create compliance risk. To that end, Target B robustly engaged in monitoring and auditing of its financial systems and employees to ensure compliance and to try and prevent/detect non-compliance. Target B relied less on the human elements of training and communication and more on the technology dedicated to stay in compliance.

In Barnaba’s piece, the acquiring company is more similar to Target B in its approach to compliance but decides, for financial reasons, to acquire Target A. She believes that only after the post-acquisition process begins will the strategic error be apparent. She opines that the cultural differences in the approach to compliance could well lead to high turnover among the newly acquired employees, difficulty in creating high-performance work teams and lower morale, all leading to the destruction of the value of the acquired entity.

In today’s legal climate, the results for the failure to access a company’s compliance culture are not as severe as the fate which befell Savonarola. However, just as he tried to change the cultural norms of Florence through robust austerity, a company which does not assess how an acquired company’s culture will be successfully integrated can also lead to disaster. Barnaba ends her article with the observation “The marriage that was made in heaven becomes just another statistic of a marriage that ended up on the rocks.” Just as the FCPA Guidance notes, compliance related due diligence in the M&A context makes more than good legal sense, it makes good business intellect.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Thomas Fox, Compliance Evangelist | Attorney Advertising

Written by:

Thomas Fox

Compliance Evangelist on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.