The global market for mergers and acquisitions reached new heights last year, and many expect the frenzy to continue in 2022. The latest annual survey from Pitchbook estimated there were 38,000 merger and acquisition (M&A) transactions in 2021, with just shy of US$5 trillion in deal value.
That’s a lot of activity. But despite the lofty goals and growth projections that drive M&A decision making, history shows these transactions don’t always convert into corporate value. In one study, for example, Deloitte analyzed 116 M&A deals that were explicitly “growth-oriented,” and found that only 27% helped those companies grow faster than their historical rate.
POST-DEAL INTEGRATION AND SYNERGIES
There are of course, many reasons why companies fail to realize the cost or growth synergies anticipated for a deal; economic and political issues and “people” and cultural differences are often cited.
Some companies simply fail to manage the huge operational complexity of acquiring or selling a business. This can include failing to manage the risks inherent in the buyer’s or seller’s data. This is a significant issue when you consider that global data volumes double every three years or so and more than 80% of the world’s data is unstructured, such as emails, making it harder to manage and understand.
Challenges in managing corporate data can lead companies to struggle with issues such as:
Identifying and retaining the company’s commercially sensitive information and intellectual property
Identifying compliance risks in the target company’s data
These struggles can have dire consequences down the track. Highly priced intellectual property may turn out to be kept haphazardly across multiple storage systems, making it hard to consolidate and extract value from. In the case of a divestiture, it may get left behind with the parent entity or inadvertently sent off with the buyer. The acquiring company can also inherit compliance risks – in the current environment, especially privacy risks – which lead to regulatory action or litigation when things blow up post-acquisition.
RETAINING VALUE, MINIMIZING RISKS
How can companies avoid leaving value on the table or acquiring unforeseen risks? Over many years of working with companies and their advisors on M&As, Nuix has developed a robust approach to understanding and addressing these data governance and risk issues.
In one example, Nuix worked with a global pharmaceutical company to avoid it sending off its critical intellectual property along with the subsidiary it was divesting. To achieve this, Nuix had to search the subsidiary’s datacenters for the parent’s intellectual property. This meant finding IP across millions of emails, documents and other unstructured records and then remediating the data, all under tight commercial deadlines.
Our process, in broad strokes, is detailed in the diagram below.
The main advantages of using Nuix technology and workflows, for the buyer or selling company, include:
We can find and collect data (such as critical intellectual property) from local and remote repositories, including laptops and desktops, email servers, file shares and cloud sources
Our efficient and scalable processing turns more than 1,000 file formats into meaningful and searchable information by capturing the content and metadata
Our browser-based review software enables fast and efficient collaboration for merger teams to analyze, classify and report on findings
Once you have classified data, you can defensibly move or delete it, copy it or flag it for further action.
Just as importantly, in M&A transactions the parties need to review huge amounts of data under the shadow of commercial and regulatory deadlines. Most of our customers say that compared to competitors, Nuix has the fastest data processing, can review the widest variety of file types and can handle the largest volume of data.
Equally exciting is that this workflow is not just a one-off exercise. Once you’ve gone to the trouble of setting it up, it can deliver ongoing value for the merged entity. The target company and its acquirer can scan for changes up to the merger deadline and proactively monitor to maintain compliance and deliver data and cost efficiencies afterwards.
The Covid pandemic has shown many organizations how much they rely on third parties in their supply chains, to help them deliver services and products to customers. At the same time, the growth in environmental, social and governance (ESG) concerns has forced many organizations to re-visit the commercial relationships they have with third parties whose behaviors may create risks for the organizations’ ESG goals and commitments.
Deloitte recently surveyed the third-party risk management practices of over 1000 organizations in more than 30 countries. It found that since COVID-19 became a global pandemic on 11 March 2020, just over half (51%) of respondents faced one or more third-party risk incidents. These incidents created regulatory, reputational or strategic issues for respondents in areas such as:
Cybersecurity and privacy issues in third parties
Failure by third parties to meet their contractual obligations to those organizations
ESG issues in third parties, such as environmental pollution, modern slavery, bribery and corruption.
Unsurprisingly, the experiences of the past 24 months have also sharpened regulators’ interest in businesses’ arrangements with their third-party vendors. Regulators have often been quick to remind those businesses that they remain ultimately responsible for meeting their obligations to customers and regulators, and where they rely on third parties, it’s their job to manage the third parties to ensure those obligations are met. Some regulators have gone as far as to require businesses to include in their third-party contracts, rights for the business to conduct ongoing audits and continuity assessments of their external vendors. The reasons for doing this are borne out in a recent McKinsey study which showed that while most third-party disruptions occur lower down in the supply chain, two-thirds of companies say they can’t confirm the business continuity arrangements with their non-tier-one suppliers.
STEPS TOWARD BETTER RISK MANAGEMENT
An important foundational step towards managing these increasing third party risks for any organization is to have an up-to-date and comprehensive management system for all the contractual arrangements the business has with these external parties.
Our experience though, is that this is not always as easy as it sounds. Particularly for large organizations, contracts aren’t always where they should be.
Even if you are organized enough to put all your contracts in one place, can you say for sure the document in your central repository is the final version? Or is that the contract the vendor sent a couple of days later after final negotiations with the legal team? Is it the computer-readable Microsoft Word version or the signed-and-scanned PDF emailed back to the other party?
FINDING CONTRACTS, WHEREVER THEY’RE HIDDEN
Nuix recently worked with a large bank in the United States that was grappling with this challenge.
The bank needed to improve its risk management of third-party vendor contracts. Over time, each business unit had developed its own practices for managing third parties which led to considerable differences across the bank on standard contract language, different approaches to third-party risk management and material variances in approaches to ongoing due diligence. Different approaches in the contracts to pricing was also an issue, with the situation almost certainly leading to commercial value being left on the table.
To deal with this, the bank was looking to centralize all its contracts into a single third-party management system. But over time, many contracts had been stored by staff amongst terabytes of data in difficult to search locations such as employees’ inboxes or shared drives.
The bank’s contract management team knew it couldn’t just run a search for “contract” across all employees’ emails, file shares and other data repositories. Instead, it used the Nuix Data Finder plugin to run a series of detailed search queries relating to common contract terms across each business unit’s systems.
Nuix Data Finder rapidly trawled the bank’s systems – running optical character recognition to capture scanned documents – and extracted text and metadata from items across the network. This allowed the contract management team to analyze responsive items in real time and flag any real contracts for further analysis.
Real-time search results helped them fine-tune their search queries to improve the accuracy of detection for each system they analyzed. The bank then extracted the most recent versions of each confirmed contract and migrated it into the management system for ongoing administration. In doing so, Nuix helped the bank rapidly take steps to start dealing with its operational and strategic third-party risk exposure.
RE-ENERGIZING THIRD-PARTY RISK MANAGEMENT
Managing third-party risks is a growing concern. Over half of Deloitte’s survey respondents agreed that because of recent and ongoing global events, they need to increase their focus on third parties and make at least some major investments to re-energize their third-party risk management programs. In similar findings from a recent global study by KPMG, 77% of the 1263 risk professionals surveyed believed overhauling their third-party risk management model was overdue.
Re-energizing third-party risk management can take many forms. There is, for example, an increasing appetite among business to have much more real-time data on the performance of their third-party vendors. These are longer term goals for businesses and the technology to deliver these outcomes is still at an early stage. A key stage along this journey is for all businesses to have a complete understanding of the current arrangements they have with their third parties and there’s a readily available technology to help handle that key foundational step.
In the movies, investigations are clear-cut and fast. Look for a body with bullet wounds and expended shell casings nearby. Look for the gun; there’s no need to look for a knife (no stab wounds) or a hammer (no evidence of blunt force trauma). The reality of digital investigations is more like looking for a body buried somewhere in a 5,000-acre junkyard with a mountain of debris on every acre. Forget the ‘needle in the haystack’ (that’s too easy); you’re looking for a specifc needle in a stack of needles.
Nuix specializes in tackling this kind of problem, expanding beyond investigations to include eDiscovery and data governance. It enables users to swiftly reduce the scope of a case from hundreds of systems to just the relevant ones. How? The Nuix engine is blazingly fast. It eats terabytes of data for lunch, thoroughly unpacking, processing and enriching the most complex data types — including unstructured and semi-structured text, mobile phone images, videos, files nested in PST or NSF files, social media data and forensic images. Other tools may silently fail on difficult files, but not Nuix.
Nuix then enriches data with normalization, concept grouping, deduplication and other programmatic analytics that empower analysts to ask questions (Where’s the body?) in order to ask better, targeted questions (Where’s the gun, what type of round was used, where else have similar rounds been found, is there pattern?). Nuix boasts of a 90% reduction in turnaround time for various types of investigations quickly reducing data to only what’s relevant and necessary to answer the questions being asked.
ROSETTE MEETS THE MULTILINGUAL CHALLENGE
We sought a partner to meet the surge of data that was becoming increasingly multilingual. Without proper language support, relevant data could be missed or erroneously excluded from a case. For Nuix, the multilingual text processing also had to be fast, thorough and accurate because:
In eDiscovery, multilingual documents need to be searchable such that a paragraph-long, English email footer doesn’t obscure the crucial one-sentence Japanese email body where the critical evidence is located.
In investigations, all bad actors do not communicate in English. Investigators without multilingual capabilities need a tool that overcomes the language barrier.
In data governance, the data containing names and personally identifiable information needs to be identified and securely stored, regardless of the language it is written in.
For example, languages without spaces between words — e.g., Chinese, Japanese, and Korean — need the words to be segmented to be accurately searched. Complex languages like Arabic add affixes before, in the middle and at the end of words. Thus the stems and roots of words must be identified to enable a comprehensive search. An exact match search in Arabic for “book” (kitaab) will not match the plural “books” (kutub), unless you know that the root of both words is k-t-b.
Rosette-enriched text also enables Nuix to apply its own analytics.
In data governance or eDiscovery, you don’t want to give out personally identifiable information (PII) when you have to show data. Being able to understand PII in multiple languages quickly, accurately and at scale are essential.
Rosette also stood out to Nuix for its track record powering mission-critical systems for government intelligence, border security, financial compliance and eComms surveillance, as well as customer feedback analysis.
THE PROOF IS IN THE RESULTS
By integrating Rosette, Nuix strengthened its offerings in three key areas:
For eDiscovery, Rosette detects different language regions in a single document, so that text in each language section is properly processed to be searchable. One pass with Rosette produces a report on what proportion of a corpus of evidence is in which languages before early case assessment even begins. Every full-text search will be thorough and comprehensive, uncovering the most relevant information quickly.
In an investigation, the language used in communications can provide valuable clues. If Rosette reveals that one actor only speaks his native tongue with his mother, but then starts using it in another conversation with another person, that could be an anomaly that warrants further examination. This is particularly important in cases of human trafficking and crimes against children, where speed is essential to save lives.
Finally, with governance, understanding where your company stores sensitive data — such as unencrypted credit card numbers, electronic personal healthcare information (ePHI) or PII, is of critical importance. If a data breach occurs, you need to quickly know what the hackers found. Accurate search across languages is an indispensable tool.
AN ECOSYSTEM OF CAPABILITY TO MEET FUTURE NEEDS
Nuix has already encountered cases on the scale of hundreds of terabytes. Data volumes are increasing at an unbelievable rate, especially if you add in social media and chat messages. To think that any individual is going to go through all that data is unrealistic. There needs to be a programmatic way to cull it down.
The need to cope with astronomical data volumes is already appearing outside of traditional knowledge-based tasks. The COVID-19 pandemic has only accelerated the massive move to digital data.
“Basis Technology and Nuix are empowering legal technologists, intelligence analysts and law enforcement to cope with the information avalanche they face every day,” said Carl Hoffman, CEO of Basis Technology. “We support Nuix’s vision of building a capabilities ecosystem that combines solutions from multiple partners to meet these challenges.”
We need to be prepared for what is going to happen, and working with Basis Technology helps us do just that for our customers. We don’t yet know the shape of the data, but it definitely isn’t all going to be in English, which is why Rosette is such an essential piece. The ability to meet the future needs of our customers will enable and empower them to continue to do their jobs; uncovering waste fraud and abuse, prosecuting the guilty and exonerating the innocent. This requires constant vigilance, and a collaborative pushing of the envelope of what’s possible.
The sea of cubicles is quieter than normal. All eyes seem to be turned toward the conference rooms at the far end of the room, where strangers in suits approach carrying cases of computer equipment. They enter the appointed spaces and close the door, where a sign printed on plain white paper is taped.
“This room is reserved indefinitely.”
This isn’t fiction; it’s a scene I witnessed firsthand working inside the financial services industry. While the silence and anxiety were more centered around the fact that one of our most precious resources – a 10-person conference room – was likely out of circulation for months, there was definitely a sense of trepidation as the regulators went to work.
I recalled that scene several times as we worked on the 2021 Nuix Global Regulator Report alongside Ari Kaplan Advisors. How valuable would the insights in the report have been for our business unit during those months of meeting our obligations to the regulators? How much anxiety would have been put to rest? Most importantly, how quickly would we have gotten that conference room back?
RESPONDING TO REGULATORS MORE EFFECTIVELY
During a Q&A webinar about the report, chief report author Ari Kaplan and Stu Clarke, Regional Director – Northern Europe at Nuix, addressed the topic of corporations working more effectively with regulators.
Based on their conversations with regulators, it became clear that regulated corporations should take control of their environment. “Holistically, it makes life much easier when an inquiry kicks off,” Stu said. “They have a much better understanding of where risks lie and where employees are working inside the organization,” making it that much easier to respond to inquiries.
It also helps to look at regulators as guides who are there to advise the company, not just punish it when it goes astray. Summarizing some of the comments during the webinar, regulators have a role to inform and guide the organizations they are responsible for. There’s a desire amongst the regulators to work more collaboratively and build an ongoing relationship, not just swoop in during a one-time event.
It also helps to understand where the regulators are coming from. “The regulators are incredibly savvy and have experience in private industry,” Ari said. “They are well-versed in the various tools and they talk to each other.”
HANDLING A CONSTANTLY CHANGING ENVIRONMENT
The regulatory environment adapts as the realities of day-to-day business change. “Things change rapidly,” Stu said. For example, “we weren’t talking about Microsoft Teams two years ago, and we can’t stop talking about it or using it now.”
Those changes are just another set of reasons to better understand what the regulators are looking for. Download the 2021 Nuix Global Regulator Report to learn more about regulators’ approaches to their respective industries, preferred technology and enforcement practices, all of which can help you work more efficiently during a regulatory inquiry.