Building trust through effective oversight

Mergers and acquisitions (M&A) are vital for business development and market expansion, and the Middle East in 2024 has continued to show robust growth. However, M&A transactions also present a complex array of risks, particularly when it comes to compliance, oversight, and portfolio management. A well-designed compliance framework that spans the M&A process from a pre-deal risk assessment to post-deal integration is critical to managing these risks. This has been highlighted in the recently updated U.S. Department of Justice (DOJ) Evaluation of Corporate Compliance Programs that emphasized the important of embedding compliance in the deals process, designing and implementing a post-deal integration strategy, implementing compliance programs and conducting effective monitoring.

Below, we outline how organizations can embed a risk-based compliance approach into their M&A strategy and how KPMG can support the design and implementation of an effective program. Our summary includes how to develop a risk assessment methodology, enhancing the due diligence process and establishing an integrated approach to compliance through effective monitoring. By focusing on these areas, the compliance function can develop into a strategic partner and help mitigate legal, financial, and reputational risks.

A well-structured risk assessment methodology identifies and evaluates potential risks early in the M&A process. The following risk parameters should form the foundation of this assessment:

• Jurisdiction and country risk assessment: detailed evaluation of the target’s jurisdiction is crucial, as each country has unique regulatory environments, legal requirements, and political conditions. In regions with unstable governments or complex regulations, M&A deals can face significant compliance challenges.
• Regulatory environment and horizon scanning: proactively scanning for potential regulatory changes or upcoming legislation in the target's industry ensures that the acquiring company stays ahead of any legislative developments. This approach helps mitigate unforeseen risks that could impact the deal's success.
• Involvement of high-risk third parties: third parties such as agents or channel partners should be assessed for compliance risks. Relationships with third parties that have questionable reputations or a history of non-compliance can present significant legal and reputational risks.
• Associations with government or state entities: targets with associations with government bodies or state-owned entities could trigger regulatory scrutiny, particularly concerning anti-corruption laws and compliance with international trade restrictions.
• Previous incidents of litigation or regulatory breaches: a history of compliance violations or regulatory breaches provides valuable insight into potential future risks.

A robust pre-deal due diligence process is essential for identifying and addressing risks before finalizing an M&A transaction. The following should be considered depending on the risk profile of the target:

• Self-assessment questionnaire: a self-assessment questionnaire should be completed by the target company to assess its current compliance function, structure and framework. The questionnaire should include verification of its independence, policies and procedures and training programs.
• Desktop and onsite testing: a combination of desktop and onsite testing helps verify the target’s responses in the self-assessment questionnaire. Testing the target’s practices around high-risk areas is essential to understand the extent and effectiveness of their compliance program. Key areas for transaction testing include:
  
  • Key systems and accurate books and records: evaluate the systems and accounting records in place to ensure they align with international regulatory standards and industry best practice.
  • Compliance controls: assess the maturity of the target’s compliance controls.
  • Regulatory adherence: determine whether the target complies with local and international regulatory requirements.;
  • Fraud response and mitigation: evaluate the target’s approach to detecting, preventing, and addressing fraud risks.
  • Whistleblowing concerns: test the integrity of the target’s whistleblowing mechanisms and whether concerns raised are appropriately investigated and resolved.
  • Anti-money laundering and sanctions compliance: assess the target's ability to adhere to AML laws and international sanctions.
  • Expense payments: review processes for managing and monitoring expenses to prevent corruption or misappropriation of funds.

Based on the outcome of pre-deal due diligence, transaction testing and to ensure alignment with your compliance program, organizations should consider the development of targeted training for high-risk areas.

Once the transaction is complete, continuous monitoring of the target's compliance program should be conducted on annual basis to enable alignment to company policies and regulatory requirements. This oversight process includes:

• Annual self-attestation: require the target to submit an annual self-assessment to confirm ongoing compliance with policies and regulatory requirements.
• Review of action plans: evaluate the action plans developed to address any identified compliance gaps or process enhancements post-transaction.
• Ongoing monitoring: regular monitoring and testing of compliance programs to ensure that the target continues to remain aligned with relevant policies and best practices.
• Audit and investigation rights: ensure you have the right to audit the target company’s operations, financial records, and compliance programs periodically.
• Compliance maturity assessments: Conduct regular assessments to evaluate how the target’s compliance program has evolved and whether it meets your standards.
• Right to termination: include clauses in contracts that allow termination if significant compliance breaches or risks are identified.
• Compliance KPIs: establish key performance indicators (KPIs) to track the target’s adherence to regulatory requirements and your compliance expectations.

Integrating compliance into every stage of the M&A process—from risk assessment to post-deal integration—is essential for managing potential legal, financial, and reputational risks. By developing a risk-based approach to due diligence, implementing a comprehensive self-attestation process for third parties, and establishing ongoing compliance oversight, companies can ensure that they are not only complying with the law but also fostering a culture of integrity and accountability.

• Developing and conducting compliance risk assessments, including a pre-deal checklist to pro-actively mitigate risk in the deals process. 
• Establishing a tiered approach to conducting due diligence based on the outcome of the risk assessment. 
• Conducting pre and post deal compliance due diligence.
• Developing a process for assessing the maturity of a target’s compliance program and establishing a post-deal compliance integration plan.
• Establishing oversight of compliance programs and adherence to regulatory requirements through monitoring and testing, including but not limited to: self-attestation process, review of action plans to address compliance gaps and process enhancements, and transaction testing on high-risk areas.

Ross Barlow
Associate Director, Forensics

Omar Khilo
Manager, Governance, Risk and Compliance