
In Part 5 and Part 6, we ran the financial, commercial, and legal diligence gauntlets. We've vetted the numbers, found the "Change of Control" clauses, and kicked the tires on the IP.
Now we enter the final, and often most complex, phase of diligence. You are not just buying assets or code; you are inheriting a workforce, a culture, and a compliance history. A mistake here won't just cost you money; it can lead to lawsuits, massive government fines, and a mass exodus of the very talent you thought you were buying.
Your HR team and employment counsel will conduct a detailed review of all employment-related liabilities. This is not a "soft" diligence stream; it has hard, financial consequences.
Contracts & "Golden Parachutes": We review all executive employment contracts. We are hunting for "Golden Parachutes"—clauses that trigger substantial severance payouts (e.g., 2-3x salary and bonus) in the event of an acquisition. This is a direct, and often hidden, cost to the deal that must be added to your financial model.
Non-Competes: We review all existing non-compete agreements. Are they enforceable? In many states, they are increasingly difficult to enforce. If you are buying a company to get its key salespeople, you need to know if they can legally walk across the street to your competitor on Day 2.
Union Agreements: Is the workforce unionized? If so, we must review the Collective Bargaining Agreements (CBAs). We pay special attention to the "successor" clauses. Depending on the deal structure (Part 3), you may be forced to inherit the union and all of its obligations, including underfunded pension plans.
Worker Misclassification: This is a massive hidden liability. Has the company been classifying its "employees" as "independent contractors" to save money on payroll taxes and benefits? The IRS and Department of Labor can (and will) come after you, the new owner, for all those back payroll taxes, benefits, and penalties. This is a multi-million-dollar skeleton we find all the time.
Here, we look for compliance with the specific rules that govern the target's business.
Industry-Specific: For a healthcare deal, is the target fully compliant with HIPAA? For a financial services deal, are they compliant with FINRA and SEC regulations? A history of violations is a giant red flag for a weak corporate culture.
Environmental: For any deal involving physical real estate or manufacturing, this is non-negotiable. We commission a Phase I Environmental Site Assessment. If there is hidden contamination on a property you buy (even from a previous owner), you are responsible for the cleanup, forever.
Data Privacy (GDPR/CCPA): This is the new "environmental" risk. For any company that holds customer data—which is every company today—this is paramount. We assess their compliance with laws like Europe's GDPR and the California Consumer Privacy Act (CCPA). We review their public-facing privacy policies and their internal data collection methods.
You must be prepared for the fact that the customer data you think you are buying as a key asset is, in fact, a toxic liability. If that data was collected illegally (i.e., without proper consent under GDPR), you cannot use it. And worse, you (as the new owner) are now responsible for the massive fines and penalties associated with that past non-compliance, which can be a percentage of your global revenue. If this diligence is not done correctly, the "value" of the target's data can be a net negative.
All the findings from Parts 5, 6, and 7 are now consolidated by your bankers and lawyers into a single, comprehensive "Diligence Report," which I call the "Red Flag Report."
This report is your single source of truth. It lists every risk we have quantified:
This is your "Go / No-Go" document. More importantly, it is your re-negotiation document.
Diligence is complete. The LOI price is no longer relevant. You now know the real risks and the real value of the company. The real price is the LOI price minus the cost of all these risks.
You have your Red Flag Report. You've decided to proceed.
Now, you must codify everything you've found into the final, binding "Marriage Contract"—the Definitive Purchase Agreement. Continue to Part 8 where we'll explore how we build the fortress.

Ryan previously served as a PCI Professional Forensic Investigator (PFI) of record for 3 of the top 10 largest data breaches in history. With over two decades of experience in cybersecurity, digital forensics, and executive leadership, he has served Fortune 500 companies and government agencies worldwide.
