FW moderates a discussion on integrity due diligence between Leah James, Mike Regan and Arno Robbertse, joint managing partners of G3.
FW: Could you provide a brief overview of integrity due diligence (IDD)? How does it differ from more ‘traditional’ due diligence?
James: Integrity due diligence (IDD) and traditional ‘transactional’ due diligence share the same aim of contributing to informed board level decision-making by evaluating the potential value of a strategic investment. IDD typically comes into its own when organisations and investors want to address opportunities and threats in markets affected by political, social or economic volatility, or conflict and poor governance. This is not a box-ticking exercise. Every IDD mandate should be individually tailored to a firm’s specific needs, providing advice and context that helps them to anticipate and interpret political, legal or regulatory events and trends or risks that could affect their commercial interests. An IDD mandate should also provide informed insights into the propriety of individual targets, their commercial partners and shareholders.
FW: What factors are driving investors to expand their due diligence to include IDD?
James: We have seen significant growth in demand driven by the need for investors to access new and often difficult-to-navigate markets in order to derive shareholder value. The ever-rising tide of regulation and legislation also compels organisations to assess the corporate governance standards of their investment targets. In addition, we have seen a dramatic increase in demand from clients who want to conduct IDD within their own organisations in order to protect themselves and their customers from the growing threat of cyber crime and reputational damage.
FW: What types of financial, reputational and regulatory risks might be identified as part of IDD?
Regan: The scope of work will depend entirely on the individual clients’ circumstances, sector and jurisdiction, but typically an IDD will provide an assessment of the organisation’s exposure to geopolitical, commercial and governance risk. At a macro level, this might involve the evaluation of local geopolitical relations and activist groups, key economic risks, attitudes towards foreign investment, political decision-making processes, potential changes in the legal, regulatory and fiscal environment, corruption and reputational risk, and barriers to market entry and freedom to operate. At a specific company level, IDD aims to deliver an authoritative interpretation, critical assessment and careful corroboration of information surrounding a target’s reputation, ownership structure, board members, affiliates and business partners, commercial ventures and compliance with anti-corruption and fraud regulation.
FW: Could you outline the importance that technology, particularly cyber security, now plays in the IDD process?
Robbertse: Technology now plays a crucial role in the IDD process. With individuals and companies leaving an ever-expanding trail of information online, either purposefully or inadvertently, the internet has become the largest open source database of information. Technology has enabled the efficient analysis of this ‘big data’ set – automating the collection and detection of potentially useful data is key in ensuring no stone is left unturned, and dramatically speeds up the analysis by eliminating repetitive manual processes. From a cyber security perspective, the IDD process should be deployed introspectively to evaluate whether an individual or company may be giving away excessive or unnecessary information online, or has previously been the victim of a cyber attack. In the corporate world, ensuring that corporate data is not being inadvertently leaked into the public domain has become an integral part of every information security officer’s responsibility.
FW: In terms of data management, how can IDD providers assess the nature of IT systems and the ways in which data is stored, accessed, handled and transferred? What bearing can this have on an investment opportunity?
Robbertse: For firms considering an investment opportunity, the sensitive data and intellectual capital inside an organisation is often the crown jewel. Ensuring this information is appropriately safeguarded is paramount in protecting the subject’s reputation and competitive advantage. The protection afforded to a company’s sensitive data and intellectual capital can have a significant impact on the investment decision or the valuation of the target company. IDD providers can offer an independent assessment of IT systems as part of the due diligence process. The process consists of a review of the client’s information and communication networks to benchmark the security measures against industry standards. Furthermore the assessment can identify where sensitive data resides and check that the security protocols are commensurate with the risk of stolen or lost data for that specific organisation.
FW: A target company’s existing third-party relationships can have a huge bearing on the future success of a transaction. How can IDD assist in this regard?
James: We recommend that our clients put all of their suppliers through a ‘know your client’ process. Of course, if you have thousands of suppliers, it is uneconomical to look at them all in-depth, but it is sensible to put them through a red flag check. In conjunction with a thorough audit process, this helps to mitigate against corrupt relationships between employees of the client and suppliers, as well as ensuring that third parties meet the client’s standards. No reputable company wants to be seen to be giving business to third parties who may be involved in criminal activities, having inappropriate relationships, or having low ethical standards in dealing with their workforce.
FW: In your experience, what are some of the main challenges that arise during IDD? How can these challenges be surmounted to arrive at a comprehensive, accurate assessment for the benefit of an acquirer?
James: Many companies start the IDD process too late, so they want answers in unrealistic timeframes, or they decide to make a false economy and not thoroughly check a potential joint venture partner or supplier. Different jurisdictions have different challenges – in some places, public records are almost worthless in that they are likely to be outdated or non-existent. To ensure that an IDD exercise is effective, there is absolutely no substitute for well placed human source enquiries which are then properly analysed by people who know a jurisdiction or sector well. Utilising the expertise of a team that knows how to access and assess information that is in the public domain but not readily accessible can also be productive.
FW: In your opinion, are the additional costs of conducting IDD justified?
Regan: If you are just looking for basic ‘know your client’ advice, this can be done by companies used to providing bulk due diligence work and will cost no more than a few thousand pounds. However, for organisations that are investing in new territories or difficult to navigate markets, the cost of investing in a rigorous IDD exercise is immaterial compared to the value of the downside risk or the upside reward. It can be the difference between the creation of significant shareholder value or the destruction of both value and reputation.
FW: What considerations should an acquirer make when selecting an IDD provider?
James: The crucial elements are experience, expertise and network. Clients should question their IDD provider about the type of work they have done and which jurisdictions they are strongest in. Given that many IDD mandates involve investments in emerging territories, expertise in complex jurisdictions such as Africa, the Gulf, Russia/CIS and Asia may be imperative. It may also be important to assess their track record in relevant sectors, whether this be capital intensive industries such as oil and gas, mining, alternative energy, defence, manufacturing and telecoms, or in highly regulated industries such as financial and professional advisory services. An IDD provider’s ability to draw on analysis from a high-level global network of experts combined with a rigorous assessment of information that is in the public domain but not readily accessible should also be key considerations.
FW: Going forward, do you expect to see an increase in the use of IDD to evaluate potential investments?
Regan: History is littered with well documented examples of deals going wrong with catastrophic consequences in terms of the destruction of corporate reputations and shareholder value. Increasingly, boards of companies and their corporate advisers consider it a necessity, not a luxury, to undertake due diligence not only on a target company’s financial position but also on the range of risk factors that can undermine its reputation, commercial relationships, intellectual property and ultimate value. This is driving the growth of the IDD industry and will continue to do so in our uncertain and increasingly legislative world.
Leah James is a joint managing partner at G3. She previously set up and led the company’s work in the Middle East and Asia, and was subsequently director of operations. She continues to work with clients particularly in the Gulf, India and Pakistan. Ms James joined G3 in 2004 when the firm was founded. Prior to that, she was a political risk adviser working with corporate clients and government departments and agencies primarily on assessing terrorist/non-state threats. She can be contacted on: +44 (0)20 7467 2040 or by email: firstname.lastname@example.org.
Mike Regan is a joint managing partner at G3. After studying Economics at university, he completed a short service commission in the British Army followed by a stint in the City of London. The bulk of his career has been spent in the British Diplomatic Service where, over a 26 year period, he had postings in Afghanistan, Iraq, the Gulf, Zimbabwe and Thailand. Mr Regan lends his skills and experience to some of G3’s most complex cases around the world and leads the management of G3’s global network. He can be contacted on: +44 (0)20 7467 2040 or by email: email@example.com.
Arno Robbertse is a joint managing partner at G3 and has been leading the firm’s cyber team since 2008. He is an information security expert with a detailed understanding of holistic security needs and securing business critical operations. Mr Robbertse is experienced in managing information security engagements for global organisations, specialising in internet investigations and helping clients respond to information leaks or hacking attempts. He can be contacted on: +44 (0)20 7467 2040 or by email: firstname.lastname@example.org.
© Financier Worldwide