A client asked me to help them onboard an organization that they were acquiring. Due diligence had been performed by another third party, which influenced the decision to acquire, but I quickly found all sorts of issues that weren’t discovered during due diligence (but should have been). Multiple compliance items that should have been in place were missing, even though they were reported as being present. 

As a result, remediation costs went through the roof, and what was supposed to be a profitable acquisition quickly turned into a money pit. Fortunately, my client was able to turn the situation around, make the necessary improvements, and eventually come out in the black. But the expected financial rewards began as a major loss for some period of time.

This story isn’t unique, and it happens all too frequently when compliance scrutiny is lacking.

Here’s what happened. On the first pass of due diligence, the acquired organization claimed to be compliant with a particular standard, and they produced paperwork that was ostensibly from a quality third-party assessment. To an untrained eye, the documentation would have looked solid. However, a veteran compliance expert would have seen that the organization and their assessor were essentially paying lip service to the organizational compliance program.

My client took the assessment at face value, trusting that any assessment report would reflect a certain level of rigor. Unfortunately, that wasn’t the case.

Those assumptions drove decisions to make the acquisition. It was only after the fact that they realized how much wasn’t really in place, and in some cases evidence was missing entirely. 

Avoid the Pitfall That 56 Percent of Mergers and Acquisitions Fall Into

There are several important elements to examine when your hotel organization purchases new properties. Most of the attention typically focuses on financial concerns, but numbers don’t tell the whole story. If the target company’s financials look great, but their compliance program is all smoke and mirrors, the expected investment yield could disappear before you know it.

Let’s examine how to walk into every merger and acquisition with your eyes fully wide open, so you can avoid startling compliance surprises that could put your business investment at risk.

Retain a Trusted Compliance Expert

To avoid unpleasant surprises during a hotel acquisition, make sure you have a seasoned compliance consultant who can quickly spot signs of trouble. Remember that the property being acquired has an incentive to appear as desirable as possible. The more positively they can present themselves, the higher the sale price. Without a knowledgeable inspector who can find the skeletons in the closet, you could unwittingly purchase a money pit.

A compliance consultant can help you ensure that you’re asking all the right questions, checking for skeletons in all the closets, and planning an onboarding strategy that fits your needs and goals, with the appropriate costs accounted for in the acquisition price. TCT has performed these types of due diligence engagements across a myriad of industries, and we’re happy to discuss how we can assist.

Part of your experts’ review should be done together with the financial decision-makers, to understand exactly what the company is spending on its compliance program and which vendors are visible to the accounting personnel. Anyone with a depth of knowledge in the compliance space will quickly be able to assess whether the investment related to compliance is reasonable or not.


Request Critical Compliance Reports and Documentation

As your hotel organization does its due diligence during discovery, be sure to have a full and complete picture of the acquisition property’s security and compliance program. 

Consider the core elements that drive the heartbeat of the compliance program, such as:

  • The device inventory, including the hardware and software list
  • The network diagram
  • The dataflow diagram
  • Firewall rules

These elements drive many of the other compliance controls. If these core elements are incomplete or incorrect, you should expect ripple effects throughout the entire compliance program.

A common mistake is to receive the high-level compliance reporting, glance at the executive summary, and file it away. That’s exactly how my client ended up with many months of losses on their books. Instead, it is absolutely critical to go through your target acquisition’s compliance reports with a fine-tooth comb.

  • Make sure the reports you receive align with the scope of compliance the organization is responsible to meet. 
  • Look for any oddities or unusual details that you wouldn’t expect to find.
  • Pay attention to any red flags that pop up, no matter how small they appear to be.

Above all, ask plenty of good questions about the standards they comply with and their overall compliance program. Don’t settle for generalized answers. Make sure you understand the scope of the compliance standards that apply to the acquired property. Does the hotel you’re acquiring appear to be in fundamental alignment with those standards? This extends to whether or not they’re leveraging up-to-date tools and technology. 


Assess Relevant Equipment 

Considering the standards you go up against in the hospitality industry, your focal point will likely be privacy concerns and PCI DSS compliance. Therefore, the age of the equipment that the acquired company owns (and whether it’s still vendor-supported) must be checked against the compliance standard’s requirements.

Expect hidden costs to come into play as you discover the true state of things. For example, if the POS system is out of date and no longer supported, you’ll be making a substantial investment into replacing all of their existing POS devices.

Consider Infrastructure Complexities

Often, a new property isn’t just a property that you’re acquiring, but a group of properties that come under your hotel’s family of brands. You may have everything integrated into a single infrastructure, but you will still have multiple cultures and ways of working. This will add complexity to your compliance program.

One of the complexities that your organization has to deal with is the fact that you have an existing list of hardware and software, and you’re bringing in a new organization that has its own hardware and software — devices and systems that are different from what you have.

If you aren’t already familiar with those devices and systems, it will be critical to retain personnel from the other company who can manage and maintain the environment. Otherwise, you could risk losing critical information and technologies that come with the purchase. Not only is this a key business concern, but it also ensures that you can integrate the new entities into your existing scope of compliance.

If you bring in a new POS system with the acquisition, you’ll have several decisions to make. For example:

  • Do you need to maintain the acquired system for some period of time?
  • Do you want to make an investment into standardization?
  • How will you transition from one platform to another?

In some cases, the acquisition introduces your organization to a better solution than the one you’ve been using.

Certainly, it’s easier to maintain one platform across the board, but it isn’t always feasible to do so. And even if you can do it, the effort takes time, careful planning, and a gradual rollout. There are also training needs and other considerations to take into account, such as retaining the right information from the outgoing system to maintain your compliance requirements.

Adjust Compliance Scope As Needed

During the process, you may need to reduce or expand the scope of your existing compliance controls to accommodate the target hotel’s unique compliance needs and the increase in compliance footprint. During that evaluation, be sure that you have all of your assets and artifacts up to date. This will require going through the full suite of controls and confirming that you have everything in place.

As you adjust the scope of compliance, you may need to increase or decrease the solutions that you leverage to support your overall compliance program — for example: 

  • Updating the scope for external and internal vulnerability scans
  • Updating the scope for penetration testing
  • Inventorying the assets to include in patching
  • Maintaining awareness of patches that are available
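The scope adjustments above start from the same core artifacts listed earlier: the acquired property’s device inventory and the address ranges its compliance documentation claims to cover. The following Python script is an added example (not code from the original article or from TCT) showing how an acquirer can reconcile a constructed sample inventory against the claimed scope and against vendor end-of-support dates, and then derive a proposed scan scope. All hostnames, addresses, product names and dates are invented for illustration; real values would come from the target’s inventory and the assessor’s scope statement.

```python
"""Reconcile an acquired property's device inventory against compliance scope.

Added example, not part of the original article. The inventory, address ranges
and support dates below are constructed placeholders, not data from any real
assessment.
"""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    hostname: str
    ip: str
    role: str                     # e.g. "pos", "firewall", "server", "network"
    software: str                 # product and version as recorded in the inventory
    support_end: Optional[date]   # vendor end-of-support date; None if the inventory lacks it


# Constructed sample inventory for the acquired property (hypothetical values).
ACQUIRED_INVENTORY: List[Device] = [
    Device("pos-lobby-01", "10.50.1.10", "pos", "POSApp 7.2", date(2022, 6, 30)),
    Device("pos-bar-01", "10.50.1.11", "pos", "POSApp 9.0", date(2027, 12, 31)),
    Device("fw-edge-01", "10.50.0.1", "firewall", "EdgeOS 4.1", date(2026, 3, 31)),
    Device("app-booking-01", "10.50.2.20", "server", "BookingSvc 3.4", None),
    Device("wifi-ctl-01", "10.60.5.5", "network", "WifiCtl 2.0", date(2025, 1, 1)),
]

# The acquiring organization's current scan scope, and the ranges the target's
# compliance paperwork claims are covered (both constructed).
EXISTING_SCAN_SCOPE = ["10.10.0.0/16"]
CLAIMED_ACQUIRED_SCOPE = ["10.50.0.0/16"]


def in_scope(ip: str, networks: List[str]) -> bool:
    """True if the address falls inside any of the given CIDR ranges."""
    addr = ip_address(ip)
    return any(addr in ip_network(net) for net in networks)


def devices_outside_scope(inventory: List[Device], networks: List[str]) -> List[str]:
    """Hostnames present in the inventory but not covered by the claimed scope."""
    return [d.hostname for d in inventory if not in_scope(d.ip, networks)]


def unsupported_devices(inventory: List[Device], today: date) -> List[str]:
    """Hostnames whose vendor support ended before the given date."""
    return [d.hostname for d in inventory
            if d.support_end is not None and d.support_end < today]


def unknown_support_status(inventory: List[Device]) -> List[str]:
    """Hostnames with no recorded support-end date; these need a follow-up question."""
    return [d.hostname for d in inventory if d.support_end is None]


def proposed_scan_scope(existing: List[str], inventory: List[Device]) -> List[str]:
    """Existing scope plus the /24 of every acquired device, as a starting point
    for updating external/internal scan targets and patch inventories."""
    added = {str(ip_network(f"{d.ip}/24", strict=False)) for d in inventory}
    return sorted(set(existing) | added)


def reconciliation_report(inventory: List[Device], existing: List[str],
                          claimed: List[str], today: date) -> dict:
    """Summarise the findings a due-diligence reviewer would raise."""
    return {
        "outside_claimed_scope": devices_outside_scope(inventory, claimed),
        "unsupported": unsupported_devices(inventory, today),
        "support_unknown": unknown_support_status(inventory),
        "proposed_scope": proposed_scan_scope(existing, inventory),
    }


if __name__ == "__main__":
    report = reconciliation_report(ACQUIRED_INVENTORY, EXISTING_SCAN_SCOPE,
                                   CLAIMED_ACQUIRED_SCOPE, date(2025, 6, 1))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data, the wireless controller sits outside the range the target’s paperwork claims to cover, one POS terminal and that same controller are past vendor support, and the booking server has no support date on record at all. Each of those is the kind of item the reviewer should take back to the target as a direct question rather than accept from the executive summary, and the proposed scope list is the input for updating scan targets, penetration-test scope and the patching inventory.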

Best Practices to Avoid Unpleasant Surprises in Compliance 

Here’s a quick summary of the best practices I’ve just explored. Refer to these steps as you progress through your hotel organization’s M&A due diligence process.

  • Engage a Seasoned Compliance Expert. Ensure a third-party expert with deep compliance experience is involved in due diligence, not just finance and legal experts.
  • Evaluate Compliance Investment. Review expenses related to the compliance program, and gather a vendor listing for a sanity check of program quality.
  • Validate Documentation Thoroughly. Don’t accept compliance certifications or documentation at face value — request evidence and dig deeper into how controls are actually managed day-to-day.
  • Review Technology & Support Status. Audit all hardware and software for support status (end of life) and compliance with current requirements.
  • Request Inventory & Diagrams. Review current inventories, network diagram, dataflow diagram, firewall rules, and patching sources for full transparency.
  • Assess Organizational Knowledge. Retain or absorb personnel who hold crucial systems knowledge to avoid gaps post-acquisition.
  • Scope Your Compliance Controls. Update vulnerability scan targets, pen testing scopes, and patching policies to ensure appropriate asset coverage.
  • Plan for Integration vs. Standardization. Make a conscious, strategic decision about whether to migrate systems or maintain hybrid support. Factor in transitional risk and training needs.
  • Anticipate Hidden Costs. Budget for “invisible” risks like immediate infrastructure upgrades, expired support, and recertification efforts that may not have been visible in the earlier M&A plans.


What If You Spot Major Red Flags?

If you’re doing quality due diligence, you may discover some compliance issues that the acquired property hasn’t disclosed. It wouldn’t be unheard of to find one of the following scenarios:

  • The target company doesn’t have any third-party assessment.
  • They don’t measure themselves against a compliance standard.
  • They’ve done their own assessments internally.
  • They don’t have recent security testing.
  • There are open or troubling findings on security testing or risk assessments.

Should you back out of the deal? Not necessarily, but you should certainly get an objective third party to do a very thorough review before you move forward with the acquisition. Evaluate whether or not the target company should cover the costs of the review, since they’ll be better off for it whether you acquire them or not.

If you get a bad vibe from the third party review or something in the report just doesn’t feel right — even if you can’t place your finger on the reason — start digging deeper. Ask more questions and follow the trails. Always trust your gut.

Compliance Due Diligence Could Save Your A$$

If you’re in a compliance, audit, or security role that supports M&A activities, insist on direct involvement in discovery and evaluation. Ensure that you’re using resources that have a great depth and breadth of compliance experience to bring to the table. Proactive due diligence may not only save the ROI on the deal, it could save your organization many months of costly surprises.
