editione1.0.0
Updated October 9, 2023Definition Due diligence is the process whereby an organization will assess the risk of an activity before it begins. It’s the business equivalent of checking the temperature of your coffee before you take that first sip.
There are two main types of due diligence your company is likely to encounter, customer due diligence and financial due diligence. While they share the same objective, they work slightly differently. We will cover financial due diligence later when we talk about fundraising, acquisitions, and IPO.
If you are selling your products or services to other organizations (a B2B, or business-to-business, company), you will no doubt encounter customer due diligence at this stage.
Definition Customer due diligence is the systematic process of verifying the security maturity of an organization you plan to buy from. This form of due diligence focuses on the risks your organization may encounter by interacting with this organization as their customer. It can be used for both product and service transactions. These risks may cause your company, people, systems, or data harm.
Due diligence is often carried out at the following stages in a customer relationship.
| Why are they doing this? | What are they asking? | |
|---|---|---|
| Pre-purchase | A purchaser may require you to complete a security due diligence process as part of their assessment of your offering. This allows them to understand what the impact would be if there were a security incident and if they can meet their security obligations by using your solution. | Can I use this? |
| Annually | Just as your security program will require you to assess your risks on a regular basis, your customers probably have a similar requirement. Smaller, lightweight due diligence processes may be used annually to check that nothing has changed in your organization since they last reviewed you. | Is it still safe for me to use? |
| On significant change | Sometimes we buy a tool for one job and we notice it can be applied to other situations. Your company’s offerings are no different, and often, happy customers will find other ways to use your solutions within their organization. This diversification of usage can change the risk—by changing the data held within the tool or changing the environment it is deployed into. Customers will often reassess due diligence if they choose to use a tool for a purpose outside of its original intended scope or if their internal/external circumstances have changed. In this case, “it’s not you, it’s them” and they are attempting to understand the impact of their usage decisions and circumstances. | Can I use this in another way? |
Our businesses operate as part of an ecosystem. This system is made up of organizations of all shapes and sizes connecting to each other to share information, collaborate, and transact. No organization can operate alone, each of us needs other companies and organizations to provide the products and services we need to get the job done (but they are not part of our core business model).
This ecosystem is vast and densely coupled. Each organization connects to dozens if not hundreds of others in an interconnected network.