Due diligence in its current form is a bit like commissioning a report before buying or leasing a second-hand machine. It makes sense if you’re purchasing or renting something massive. No one wants to be lumbered with a stolen jet plane or a server farm laced with malware. But what about these situations:
There’s little reliable (or even available) public information
The $ amount isn’t much
You’re buying in a market where some wear and tear is expected
What should you do when you receive a DD report with big gaps, caveats, and vague references to possible issues? A simple triage system might help.
For the remainder of issues, and especially in longer-standing relationships – investments, partnerships, key suppliers – due diligence 2.0 might be necessary.
DD 2.0 means including your key third parties in the training and upskilling you’re already doing. We’re seeing impact investors, healthcare organisations, and increasingly those in infrastructure extending training, knowledge sharing, and resources to third parties. The folks pioneering these approaches seem to find it a more scalable solution (the more “compliance kit” content they develop, the quicker and easier it becomes to upskill third parties).
If you’re not already “commodifying” your risk & compliance content (policies, training, guides, checklists, tracking tools, etc.), try it (or get an intern!). I did, and it’s revolutionized the speed and efficiency of implementation support.
DD 2.0, in essence, is an expert (you) looking under the hood and a chance to fix those wear and tear issues that could prove very hazardous down the road.