Simply put, it’s doing your homework. Just look at this sample M&A due diligence checklist.
In IT and the law, of course, the term “due diligence” has considerably more precise meanings. WhatIs.com’s definition of due diligence states:
…the process of systematically researching and verifying the accuracy of a statement. In everyday language, due diligence is synonymous with “the degree of effort required by law or industry standard.”
The term originated in the business world, where due diligence is required to validate financial statements. The goal of the process is to ensure that all stakeholders associated with a financial endeavor have the information they need to assess risk accurately.
When due diligence involves the offering of securities for purchase, as in an IPO (initial public offering), specific corporate officers are responsible for the proper completion of the process…
As is the case with so many other things in life, context matters. In general, due diligence includes the careful identification and evaluation of data sources, identification of potential risks and any other issues relevant to the statement or scenario in question.
Civil litigation and real estate law are even more specific, as you’ll read in our definition.
IT, as ever, is its own beast.
[Cartoon Credit: ScienceCartoonsPlus.com]
Due diligence can also be applied to careful testing of data or network security, disaster recovery preparedness, or any other critical infrastructure asset.
Failure to meet proper due diligence in these areas could leave the organization or client in question open to data breaches or malware infections.
In this sense, completing due diligence can be taken to mean completing the steps that are “industry standard” in a particular area, such as penetration testing or other code validation. Software companies that do not meet these goals may be liable for zero-day attacks, customer data breaches or other losses of mission-critical functions that could have been prevented with more stringent preparation.
It might be fair to say, for instance, that if TJX had had a better IT audit that mandated a switch from WEP to WPA security, one of the biggest data breaches in history might have been prevented.
Or maybe not. Either way, the relevant IT guys probably should have done better due diligence before transmitting customer information over a wireless network protected only by weak encryption.
Any DBA who doesn’t do due diligence testing to ensure that a database is recoverable from a major hardware or instance failure is similarly negligent.
There are plenty of examples out there. AstuteDiligence.com hosts a list of more general due diligence horror stories, with specific company and individual names redacted. There are some classic scenarios listed — the acquisition of a software company based upon a flashy demo, good PR and a well-designed website that turns out to be a maker of vaporware.
CFO Magazine ran a feature story back in ’04 about companies that installed safeguards against merger surprises after due diligence failures.
In many circumstances, of course, due diligence works quite well, as Jan Stafford reported in a story about how a bank’s senior systems architect sought and found a virtualization technology to facilitate hardware consolidation and keep operating expenses low during system upgrades.
As Joseph Bankoff, a partner in the intellectual property and technology practice at law firm King & Spalding in Atlanta put it in a 2006 Infoworld article on the topic, “Due diligence is going in and digging a hole in the ground and seeing if there’s oil, instead of taking someone’s word on it.”
After all, you wouldn’t like it if someone else drank your milkshake.