The Mergers & Acquisitions Loop for Compliance Programs

Banner artwork by TierneyMJ / Shutterstock.com

Cheat Sheet

  • Framework guidance. M&A loop framework guides compliance programs through development, diligence, and legacy program integration steps.
  • Tripartite structure. Three stages — develop, describe, and decide — facilitate seamless program evolution and integration post M&A.
  • Team building. Compliance stakeholders can identify and build teams for high quality deliverables at each M&A loop stage.
  • Versatile adaptability. M&A loop allows adaptation for individual laws, subsets, or entire compliance scopes across various business units.

As every physicist (not me) and fan of the sitcom The Big Bang Theory (like me) knows, the Large Hadron Collider (LHC) is a gigantic loop located in Switzerland used to study physics by colliding protons into each other. By thinking about compliance programs in the same way (i.e., as moving through an LHC-type loop), compliance stakeholders can better understand how compliance programs evolve, identify the deliverables that are required at each stage, and build compliance teams that have the capabilities needed to produce high-quality deliverables.

The M&A loop comprises two sets of components:

  • The stages – Develop stage (S1), Describe stage (S2), and Decide stage (S3).
  • The connectors – Develop-to-Describe connector (C1), Describe-to-Decide connector (C2), and Decide-to-Develop connector (C3).


Figure 1: The three stages (S1, S2, S3) and connectors (C1, C2, C3) of the M&A loop.

Three stages of the compliance program

A compliance program is the organization’s ongoing effort to identify the compliance laws that apply to its business and operations, assess the risks of noncompliance with each applicable law, and decide how to mitigate its noncompliance risks. Every organization is required to comply with one or more compliance laws, which can include laws that apply to all organizations regardless of industry (e.g., privacy, employment, anti-trust laws), as well as those that are industry-specific (e.g., GLBA, FCRA, and other laws and regulations that only apply to organizations within the financial services industry).

Noncompliance with any applicable law exposes the organization to myriad risks, including legal risk (lawsuits, investigations, and fines), financial risk (investor worries and lost shareholder value), business risk (lost opportunities to grow the business), and reputational risk (damage to the brand). Each compliance program enters the M&A loop at Stage 1 (Develop stage, S1).

Stage 1: Develop the organization’s compliance program

During Stage 1, the organization develops its compliance program. One way to think of program development is with a compliance maturity model. Figure 2 is a five-level model in which program maturity is measured from lowest (Level 1) to highest (Level 5).

Figure 2: Five-level model for compliance program maturity.

At any time during Stage 1, the organization may consider an M&A deal as either the seller or buyer, sign a letter of intent (LOI) with the counterparty, and engage in discussions and negotiations about the deal. The M&A engagement will proceed until:

  • The deal fizzles out: Discussions and negotiations end before an M&A contract is signed, in which event the compliance program will remain at Stage 1 of the M&A loop; or
  • The deal is inked: Discussions and negotiations lead to the execution of an M&A contract. This event is represented by the Develop-to-Describe connector of the M&A loop.

Once the M&A contract is signed, the compliance program moves to Stage 2.

Stage 2: Describe the organization’s compliance program during diligence

During Stage 2, the target organization (i.e., target) and buyer organization (i.e., buyer) will engage in diligence about myriad aspects of the target’s business and operations, including its compliance program.

The diligence process entails the buyer requesting, and the target providing, information about myriad aspects of the target’s compliance program. The buyer will use the diligence information it receives to make important decisions about the deal, including whether to revalue the deal downward and whether to proceed with the deal at all. Typical areas of inquiry are identification of the risk mitigation efforts with respect to each applicable compliance law and the maturity level of the program (Figure 2).

Upon completing the diligence phase of the M&A deal, the target and buyer will conduct additional negotiations based on the diligence provided by the target and, finally, decide whether to close (subject to applicable contract contingencies). If the deal fails to close, the target’s compliance program will return to Stage 1 of the loop. If, however, the deal does close, as represented by the Describe-to-Decide connector, the compliance program moves to Stage 3.

Stage 3: Decide how to integrate the two legacy compliance programs after close

Once the M&A deal closes, the two compliance programs — the target program and the buyer program — are referred to as legacy programs. At Stage 3, the buyer will determine the best way to integrate the two legacy programs. This results in the formulation of a strategy for integrating the legacy programs and creating a new, post-acquisition, compliance program.

The tasks underlying the Decide-to-Develop connector must be completed upon formulating the integration strategy. The objective of this final connection is to bridge the so-called strategy-to-execution gap, which is the “lack of connection between where the enterprise aims to go and what it can accomplish.”

There are numerous theories and approaches for addressing and accomplishing this critical objective. For example, strategy and leadership expert Jeroen Kraaijenbrink proposes a three-part solution:

  1. Make the strategy understandable by clearly describing it to its stakeholder groups.
  2. Make the strategy desirable by including myriad stakeholders in its design.
  3. Review and make the strategy feasible by ensuring that it has appropriate resources and leadership support.

Once the buyer takes the actions it deems necessary to bridge the strategy-to-execution gap, a full cycle around the M&A loop is complete: the post-acquisition entity’s compliance program moves to Stage 1, and a new M&A cycle begins.

Key deliverables required at each stage

The M&A loop is a tool that compliance leaders can use to determine, confirm, arrange, and communicate the deliverables required at each stage of the compliance program. Below is a list of key deliverables arranged by type.

Stage 1 deliverables

Every organization, regardless of whether it may be a party to one or more M&A deals in the future (as target or buyer), will always need to produce the following Stage 1 deliverables:

  • Prepare – Formulate the program’s compliance strategy, prepare the proposal for the strategy, present the strategy to leadership, and defend the strategy. Determine legal applicability of the compliance laws; assess the organization’s risk tolerance level; and vet, select, and implement technology solutions for the program.
  • Install – Determine the requirements for each applicable compliance law (referred to as the “compliance requirements”); install the compliance requirements for each applicable law; prepare the policies and procedures for each compliance law; train the compliance team and the organization’s team members to properly implement the program’s policies and procedures.
  • Maintain – Monitor existing compliance laws, which can change through amendments and court decisions; monitor the organization’s risk tolerance, as changes to its risk tolerance level can impact prioritization of compliance tasks, availability of resources for the program and leadership’s expectations about the program; conduct gap and maturity assessments; monitor program performance using KPIs and other metrics; administer performance testing of the compliance program.
  • Respond – Investigate and respond to data-related internal and third-party incidents; respond to internal and third-party audits and inquiries.  

Stage 2 deliverables

After the execution of the M&A contract, but before the deal closes, the buyer and target will enter the due diligence phase of the M&A deal. The deliverables required at the second stage can be divided into two groupings: deliverables for the buyer and deliverables for the target.

Stage 2 deliverables for the buyer

The buyer organization’s key deliverables for Stage 2 include:

  • Prepare – Assemble the diligence team; review the laws applicable to the target; determine the diligence strategy, including the diligence topics and line of questioning and how the target will be required to respond (in writing, in person, by audio or by video) to the diligence requests.
  • Interview – Conduct the initial interviews of the target’s diligence team and conduct follow-up diligence interviews (as needed).
  • Analyze – Conduct assessments of the target’s compliance program (e.g., gap and maturity assessments); generate and analyze the KPIs and other metrics of the target’s compliance program.
  • Determine – Prepare a report of the diligence provided by target and buyer’s assessments and analyses. Then, present and defend the findings.

Stage 2 deliverables for the target

The target organization’s key deliverables for Stage 2 include:

  • Prepare – Assemble the diligence team, determine target’s response narrative and strategy, and prepare an overview of target’s compliance program and its responses to buyer’s diligence questions.
  • Respond – Present an overview of the target’s diligence program; present — and defend — the target’s responses to buyer’s diligence questions.

Stage 3 deliverables

The post-close organization’s key deliverables for Stage 3 include:

  • Stabilize – After the M&A deal closes, the post-close organization will stabilize the two legacy compliance programs to ensure compliance with all applicable laws. Program stabilization must continue until integration of the two programs is completed. The time immediately after closing is hectic, as staffing changes are likely: people on both sides may be terminated or repositioned within the company, or may quit. An example of stabilization is continuing to properly respond to data subject requests received by both legacy programs after close.
  • Prepare – Assemble the strategy integration team and compare/contrast the buyer/target programs, including gap analysis and maturity assessment.
  • Strategize – Decide how to effectively integrate the two legacy compliance programs by preparing the proposal for the integration strategy, presenting the integration strategy to leadership, and defending the integration strategy.

These key deliverables are summarized by stage in Figure 3.

Figure 3: Key compliance deliverables required at each stage of the M&A loop.

One seminal takeaway is the relative uniqueness of the deliverables required at each stage of the M&A loop: some deliverables are only required at one of the stages (e.g., the install deliverables for Stage 1); other deliverables are required at two of the stages (e.g., the respond deliverables are required for Stage 1 and the target side of Stage 2); and still others are required at all three stages (e.g., the prepare and strategize deliverables are required at all three stages).

Building teams with the right capabilities

The M&A loop is also a tool that informs the individual capabilities (the combination of an individual’s skills, experience, and expertise) that are needed by the compliance team to produce the deliverables at each of the three stages. This is valuable information for the key compliance stakeholders:

  • Leaders – Leaders can conduct gap assessments to determine areas in which their teams’ organizational capabilities are deficient or abundant, ensure adequate resources are budgeted to build teams with the required capabilities, and provide their teams with opportunities to develop their individual capabilities by attending and speaking at seminars and conferences; attaining compliance-related certifications (e.g., CIPP/US, CIPP/E, CIPM); and authoring or co-authoring topical articles and books.
  • Specialists – Individual team members can use this information to develop the capabilities needed by their compliance leaders and specialize in areas of need, interest, and aptitude.
  • Experts – Law firms and compliance consultants can offer expertise to organizations’ compliance programs in areas in which they lack the required individual capabilities by providing training and seminars to organizations’ team members on each M&A stage, tailored for each type of deliverable.
  • Recruiters – Compliance recruiters can precisely determine the needs of their client organizations by screening for candidates that meet those needs and distinguishing top talent from the rest of the pack.

Plasticity through versatility

There’s another benefit of the M&A loop: it is highly versatile. It can be adopted and tailored for an individual compliance law (e.g., the organization’s GDPR program), a subset of all compliance laws (e.g., all the organization’s data privacy laws), or all the organization’s compliance laws (i.e., all applicable data privacy laws + all other applicable compliance laws).

The loop can also be used for other business units and programs within the organization (e.g., its IT or marketing departments). This versatility arises because all business units and programs move through the same three M&A stages — develop, describe, and decide. They do so regardless of which side of the M&A transaction they are on. In other words, the M&A loop is a generic tool that provides scope, scale, and timeline value for the organization.