Due diligence is a relatively common term. Used in business, it broadly refers to the process of investigating and verifying information about a company or investment opportunity. Specifically for compliance teams, it comes up when you consider relationships with new vendors and third parties. Yet it can be difficult to understand what due diligence really is and how best to incorporate it into your procedures.
The dictionary gives the term 'due diligence' a basic meaning. Depending on the context in which the term is used, it can hold other meanings — especially for corporations, nonprofits and educational institutions.
Merriam-Webster defines due diligence as it pertains to business. The definition cites ‘research and analysis of a company or organization done in preparation for a business transaction (such as a corporate merger or purchase of securities).’
With that definition in mind, you can better understand due diligence. Here, we’ll discuss:
- The definition of due diligence
- Why organizations conduct due diligence
- The three principles of due diligence, plus eight types of due diligence your organization can conduct
- A process for implementing effective due diligence
What Is Due Diligence?
Due diligence is the steps an organization takes to thoroughly investigate and verify an entity before initiating a business arrangement, whether that’s with a vendor, a third party or a client.
In the general business sense, due diligence means vetting issues that affect the business thoughtfully and carefully. Due diligence means being proactive, rather than reactive, in response to problems.
What Is the Purpose of Due Diligence?
Businesses need to have written policies and procedures in place. Certain issues may be better addressed by using a checklist to ensure that groups or individuals are giving the issues adequate time and attention. In addition to having guidance in written form, due diligence calls for boards to cooperate and collaborate with others.
Under certain circumstances, due diligence may mean seeking and obtaining outside expertise from attorneys, accountants, insurance agents, financial experts, tech experts or other individuals with professional or special expertise.
The 3 Principles of Due Diligence
Due diligence is an essential way for organizations to proactively identify risk. But it’s also a potential human rights issue. In 2011, the UN issued its Guiding Principles on Business and Human Rights. This document outlines three principles that organizations can follow to ensure their activities don’t compromise human rights.
While they are human rights-specific, they’re also valuable tenets of any effective due diligence program. These are:
- Identify and Assess: Organizations are responsible for identifying if their activities might have a human rights impact and assessing the extent of that risk.
- Prevent and Mitigate: Then, organizations must act in good faith to prevent those risks and/or mitigate any existing or future impacts.
- Account: Organizations also need to maintain a thorough account of how they will proactively address any potential human rights risks.
Types of Due Diligence
While all due diligence typically takes place at the start of a new business arrangement, what that due diligence requires can vary. A coffee chain considering partnering with a new coffee bean grower will need to take very different steps than a financial institution considering a new vendor for their online banking program.
Depending on the type of organization you work for and the size of its value chain, you might undertake any of the following eight types of due diligence:
- Vendor Due Diligence: Investigating the current or potential risk of new or existing vendors
- Third-Party Due Diligence: Third-party due diligence assesses the risk level of potential third-party partners, including any vendors (or fourth parties) in your potential partner’s ecosystem.
- Enhanced Due Diligence: Enhanced due diligence (EDD) uses a risk-based approach to evaluate specific clients or companies
- Technology Due Diligence: Auditing your IT infrastructure for any potential risks. This is also a common part of M&A due diligence
- Cyber Due Diligence: Cyber due diligence assesses, monitors and mitigates risks within a network, particularly those tied to third-party vendors.
- Supply Chain Due Diligence: Addressing possible environmental and human rights risks by assessing the impact of your entire supply chain
- Financial Due Diligence: Analyzing the organization’s financial performance before completing a merger or acquisition
- Regulatory Due Diligence: Reviewing an organization’s policies, processes and procedures to verify whether they’re compliant with all relevant regulations
- ESG Due Diligence: ESG due diligence determines the impact an organization may have on environmental, social and governance issues and actively takes steps to mitigate that impact
How to Conduct Due Diligence
How you conduct due diligence depends on the type of due diligence your situation calls for. Financial due diligence may require an even deeper focus on financials, whereas IT due diligence will dive into company systems.
That said, most forms of due diligence have some steps in common. To perform due diligence, you should:
- Define Goals for the Relationship: Why are you engaging a new third-party partner, vendor or other business relationship? Understanding how the relationship can benefit your organization will help you define the due diligence process because you can also identify what risks might prevent you from achieving that goal.
- Set Roles & Responsibilities: Due diligence can be a long and complex process. Define who is responsible for what — both within your organization and within the organization you’re assessing — to ensure everyone understands how they’re expected to contribute.
- Audit Company Documents and/or Processes: The documents you audit can vary. Depending on the organization you're auditing and the type of business arrangement you're pursuing, you might look at financial documents, the IT infrastructure, internal controls, compliance procedures, and more.
- Assess Risk Management: How does your potential partner or vendor already approach risk management? Organizations without a risk management policy might be riskier to partner with than those will a well-documented approach. This also gives you insight into how you may need to combine your respective approaches to risk.
- Report on Due Diligence: The report should reflect everything you’ve uncovered during the due diligence process. You’ll typically deliver this to the board or the C-Suite so they can make a decision on whether or not to follow through with that business relationship.
- Monitor and Mitigate Risk: Due diligence doesn’t end after the relationship begins or the merger or acquisition is complete. It’s important that you adopt an always-on approach to monitoring your new third party or vendor’s activities to ensure they’re compliant and so you can mitigate any risks that may arise.
Examples of Due Diligence
Due diligence can be vast, especially for large, global companies with sprawling value chains. Here are some examples of due diligence to help you understand just how varied the due diligence landscape can be:
- A global marketing agency considering a new project management software would assess pricing, reviews from current and past customers, how secure the software is and whether or not it would be compatible with the agency’s infrastructure.
- A company acquiring a smaller, competing company would review employment agreements, compensation plans, any labor disputes, its anti-bribery and corruption standards, compliance with relevant regulations and so on.
- A nonprofit partnering with a third-party technology provider would assess the third party’s cybersecurity infrastructure to uncover any potential risks or compliance issues.
Build a Credible Due Diligence Program
Due diligence intelligence matters. Having an effective due diligence program can make the difference between remaining compliant and secure and — even inadvertently — introducing costly risks into your organization’s infrastructure.
The key is creating a comprehensive program that can provide critical insights to support the types of due diligence you need to complete. Diligent’s global team of analysts and investigators can help you do that by providing the on-screen research and boots-on-the-ground intelligence you need to build a stronger due diligence program. Learn more and request a demo.