Preserving Deal Value in the Face of Increasing Complexity
How Non-financial Due Diligence is Mitigating Risk
-
March 24, 2023
DownloadsDownload Article -
Private equity has a reputation for buying underperforming or undercapitalised businesses and rapidly turning them into high-value assets. But in today’s decarbonising, digital economy, yesterday’s promising target can turn into a liability. Assessing where tomorrow’s growth will come from has become increasingly complex, requiring a wider range of risks and opportunities than ever before to be scrutinised during transactions.
Beyond legal and financial due diligence, other factors need to be considered prior to the commencement of a transaction as they can have a significant impact on deal value and risk exposure to the acquirer. With climate change at the top of the risk agenda and growing financial incentives to decarbonise, environmental, social and governance (ESG) considerations are shaping assessments of future value. At the same time, both value and risk are increasingly found in digital assets – from proprietary or personal data to game-changing platforms and digitised operational models.
Due diligence has never been more complicated. Especially in competitive deals, where time is of the essence, it can be challenging to know where best to focus due diligence resources. At FTI Consulting, we’re seeing more and more dealmakers prioritise new areas of focus.
Material ESG Factors
The shifting expectations of regulators, financiers, investors and consumers mean dealmakers are conducting more in-depth reviews of ESG risks and opportunities. At FTI Consulting, we have observed investors and financiers placing increasing pressure on organisations to incorporate ESG factors into investment decisions and provide credible and measurable reporting on their portfolios. All of this is elevating the need to conduct specialised ESG due diligence prior to transactions.
The breadth of possible considerations that fall under the ESG umbrella can seem overwhelming, with environmental and social issues varying by industry and often being company-specific, depending on the exposures to different risks.
ESG issues have the potential to impact acquisition value, as they can shed light on previously unforeseen risks or opportunities, and thus may impact whether deals go forward. ESG-related due diligence will look different for each acquisition, depending on factors such as the sector, business model, regulations and acquirer’s reporting requirements
Some common considerations in ESG due diligence extend to evaluating the maturity of a target’s ESG program compared to peers; assessing value and risk when a target lacks an ESG program and alignment of the target entity’s ESG initiatives with the acquiring company.
Sources of Digital Value and Risk
For example, customer information databases can be attractive acquisition targets with promising future value. However, privacy laws may constrain how they may be acquired, and may also limit their use post-acquisition. Further, consideration must be given to how to preserve and build customer trust during the acquisition process, or that valuable intangible asset may be compromised or destroyed entirely. In addition, if the target has over-retained personal information in breach of privacy laws, acquiring that information may also bring additional compliance risk and related financial exposure.
In addition, the systems of the target may have previously been hacked, leading to ongoing risk from attackers who have stolen corporate data. If the target’s systems have poor or inadequate security, this will need to be managed during integration to avoid introducing new vulnerabilities to the acquirer’s own network, which may bring associated costs. Being able to assess information governance and cybersecurity risks as early as possible in a transaction allows risks to be factored into the value of the acquisition.
One of the key aspects to focus on is the growing patchwork of privacy and cybersecurity regulations, especially in deals involving multiple jurisdictions. One of the toughest data protection laws, the European GDPR,1can impose fines of up to EUR 20 million or 4% of global turnover, whichever is the greater.2 In 2022, China’s cybersecurity regulator levied a RMB 8 billion fine (AU$ 1.7 billion) for breaching the country’s cybersecurity, data security and personal information laws.3 And in Australia, the Government has recently passed legislation to enable the privacy regulator to levy significant civil penalties of up to AU$ 50 million, up to 30% of revenue in the period of non-compliance, or based on the benefit gained through the breach of privacy laws.4 It’s essential to understand the target’s compliance posture, potential exposure and preparedness to comply with these regulations. Does the entity have adequate privacy and data governance frameworks to meet current and future obligations in its compliance landscape?
Since the COVID-19 pandemic, we have seen a significant increase in malicious cyber attacks and data breaches, resulting in substantial financial and reputational damage. Due diligence must enable dealmakers to understand how digital assets are being protected and the ability of the cybersecurity program in place to identify, defend and mitigate against the cyber threats faced by the target.
Reputational Investigation
Private equity investors understand the markets and the financial potential of target organisations, but it can often be reputational risks that cause headaches for deal teams after completing a transaction. Issues such as dysfunctional management team, a legacy of corrupt practices or poor relationships with suppliers can be uncovered pre-transaction through reputational due diligence
Most reputational due diligence investigations begin with a thorough review of the public record in relevant jurisdictions to identify infringement notices, disputes, sanctions and directors involved in insolvency proceedings. But, in some transactions, the most valuable reputational due diligence goes beyond what is available on the public record.
They should be targeted to elicit feedback on the areas of greatest concern; for example, dysfunction within the management team, rumours of unethical behaviour or concerns about financial performance. In some cases, discreet monitoring or digital forensics investigations may be required to ensure personnel are not misappropriating key data assets.
The required level of investment in due diligence depends on the nature of the M&A transaction – competitive or exclusive, private or public.
With more time and budget, more sources of information can be analysed to greater depths. The most important thing is to have clear objectives so due diligence teams can target resources where they have the most impact on value and to run an efficient process that still surfaces red flags
In successful deals, acquirers should also consider continuing due diligence in the first 100 days as part of its integration program. Often, it’s not until buyers get in the door that critical information emerges. Revisiting due diligence inquiries after you have access to internal data and information can help identify risks and opportunities and accelerate time to value creation.
About FTI Consulting
Due Diligence and Corporate Intelligence
Whether your potential business partner is a government entity, listed company, private firm or entrepreneur, it’s crucial to consider the reputational, legal and compliance risks when assessing the value of any investment. This can involve investigating the potential partner’s reputation, history, business acumen and market influence.
FTI Consulting is uniquely positioned to support you with your non-financial due diligence. Our multidisciplinary senior experts take a hands-on approach, bringing a strategic business perspective and deep understanding across:
- investigations
- privacy
- ESG
- research methodologies and sources
- forensic accounting
- data analytics
- digital forensics
- cybersecurity
Footnotes:
1: What are the GDPR fines? gdpr.eu/fines/
2: GDPR Fines & Data Breach Penalties gdpreu.org/gdpr-compliance/fines-and-penalties/
3: bbc.com/news/business-62248513
4: Parliament of Australia, Bills and Legislation – aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6940
Published
March 24, 2023
Key Contacts
Senior Managing Director, Head of Australia Cybersecurity
Managing Director
Senior Director
Senior Director