We hear this phrase mentioned a lot in dealings between businesses. Whether your organisation is procuring a service, entering into a partnership or purchasing another organisation, questions need to be asked to ensure requirements and expectations are going to be met.

Often there will be a section of the due diligence process relating to Business Continuity and I’ve seen several different approaches and models in use. This article offers thoughts on what should go into a due diligence process.

I can always tell whether the person who has prepared the Business Continuity questions in a due diligence process is a subject matter expert or not. The wording or even the type of questions presented offers a valuable insight into both the individual and the seriousness with which the organisation treats the topic.

Of course the criticality of the service under scrutiny will determine the level of detail and rigour required. The more critical the service, the more guarantees rather than assurances need to be sought.

Firstly, there are some basic skills around using open and closed questions that need to be grasped. For instance, a common question is ‘Does the organisation have a Business Continuity Plan?’ to which the obvious answer is ‘Yes.’ What the answer doesn’t explain is that the plan was written last night and it’s never been validated, used or tested, but at least we’ve given the answer we need to give. Tick in the box.

Faced with this answer, the consequence for the investigating organisation is that more questions need to be asked, possibly as a second, time-consuming follow-up iteration of the original questioning. My point is that such a question is worthless.

So what is it that we are really seeking from this question?

We need assurances. We need evidence and proof. We need guarantees.

If the answer to any of your questions leads on to subsequent questions, it means you are not getting the evidence you need. If you are about to issue a due diligence questionnaire, go back over it and consider the possible responses – especially if you have asked closed questions.

Let’s take a step back for a minute. If I am purchasing a service I am interested in the performance, reliability and quality of that service. I want to know that it’s going to be delivered to my requirements whatever happens.

Often the performance delivery expectations and requirements are stipulated in the contract between the organisations but somehow seem to get overlooked when the Business Continuity questions are put together. There is a direct correlation between required performance and nailing down questions on aspects such as Recovery Time Objectives. The two need to work in tandem, but unfortunately there’s still a lot of silo mentality. If I were putting the Business Continuity questions together, I’d be talking to the operational areas to understand their requirements.

My final point is about whether, as the enquiring organisation, you are happy to simply receive answers to your questions – think about the one mentioned above – or whether you want evidence. This can take many forms and may even extend to site visits and witnessing key activities.

The whole point of due diligence is to be sure the organisation on whom you are relying satisfies your requirements. It’s definitely worth investing time in getting your due diligence approach right so if you need my help on this just let me know.

October 23, 2013 at 11:35 am
Category: Governance & Standards, Suppliers