Operational due diligence (ODD) is an in-depth check of a target company’s operations and internal procedures. It usually happens during M&A, capital raising, or private equity transactions.
The ODD process looks past big promises and focuses on day-to-day operations: people, systems, and customer and supplier relationships.
Unlike financial due diligence (checking a company’s financial statements) or commercial due diligence (testing the validity of its market position), operational due diligence gets to the heart of whether a business can actually deliver on what it says it can.
This guide is for teams, consultants, investment managers, and leaders who want to spot potential risks early, before they turn into expensive problems after the deal is done. Here, we explore the key documents to look at during the due diligence process and what questions to ask to see if the business can actually deliver on its plans.
What is operational due diligence and why execution risk is hard to see
Deloitte identifies operational due diligence as the process of reviewing how a business runs. It checks whether daily operations are stable, repeatable, and able to scale.
ODD is different from other types of due diligence. Financial diligence confirms the numbers and checks whether the investment carries any financial risks. During commercial due diligence, the buy side looks at the market value of the target company.
Operational diligence asks one question: Can this company deliver what it promises, consistently? Because when it can’t, execution risk shows up — often late, and usually after the deal is already done.
The problem is that execution risk is hard to spot early because it rarely appears in one document or metric. It usually shows up between teams, systems, and suppliers.
And that’s why many businesses pass financial and commercial reviews but struggle after the deal closes:
- Growth can hide weak operational processes.
- High margins can mask reliance on a few people.
- Systems that work today may fail under higher volume.
These aspects are hard to spot if you don’t know where to look. To identify operational risks, companies should rely on an operational due diligence framework that uses documents to show real behavior over time. In practice, that is a simple checklist that can be tailored to your industry standards, deal size, and region.
How to use the operational due diligence checklist
Management teams can describe aspirational processes in presentations, but the documents listed in this ODD checklist show the potential buyer the real picture.
One thing to keep in mind is that during this due diligence phase, a company unlocks its sensitive information, such as:
- IP, system vulnerabilities
- Supplier pricing
- Personnel details
- Cash flow info
- Company’s business plans, etc.
All this data requires controlled access and ongoing monitoring.
To protect its documents, the sell side can use a structured due diligence data room. This is software that lets the seller control who can see or change documents and keeps a clear record of all activity, so nothing gets lost or disputed later.
Operational due diligence document checklist
Use the checklist as a working tool for risk assessments:
- Start with core documents to form a baseline view of execution.
- Flag inconsistencies, gaps, or outdated materials.
- Use follow-up questions to test whether operational risks are isolated or systemic.
- Prioritise issues that affect scale, integration, or regulatory exposure.
Now, let’s move to the list of documents that will help investors make informed decisions during operational due diligence.
Process & Delivery documents
| Document | What it reveals | Execution risk signals | Follow-up questions |
|---|---|---|---|
| Standard Operating Procedures (SOPs) | Whether critical processes are documented & consistently followed | SOPs don’t exist; Documents are outdated (>2 years); Actual practice differs from written procedure | How often are SOPs updated? Who owns process changes? What happens when procedures aren’t followed? |
| Process Maps / Workflows | How work flows across functions | Processes rely on informal communication; Multiple workarounds; Unclear ownership of steps | Where do delays typically occur? Which steps require manual intervention? How do exceptions get handled? |
| Quality Manuals & Control Plans | Whether quality is designed into processes or inspected in after the fact | Quality checks are retrospective only; Rework rates are high; Customer complaints aren’t tracked systematically | What triggers a quality hold? How are root causes identified? What’s your defect trend over 24 months? |
| Incident Logs (Production, Service, Delivery) | Frequency, severity, and root causes of operational failures | Incidents repeat without resolution; Root cause analysis is absent; Escalation paths are unclear | What % of incidents are repeat issues? How long does resolution typically take? Who decides when to escalate? |
People & Organisational dependency
| Document | What it reveals | Execution risk signals | Follow-up questions |
|---|---|---|---|
| Org Charts (Current + Planned) | Reporting structure, span of control, and whether roles are clearly defined | Flat structures with 10+ direct reports; Overlapping responsibilities; Undefined roles | Who makes final decisions when there’s ambiguity? How many open positions are critical paths? |
| Key Person Dependency Analysis | Which individuals are single points of failure for critical functions | Revenue, operations, or compliance depend on 1-2 people; No documented succession plan | What happens if this person is unavailable for 30 days? Who else understands this function? |
| Training Records & Onboarding Documentation | Whether knowledge is institutionalized or held by individuals | Training is informal or on-the-job only; No onboarding documentation; High early-tenure turnover | How long until a new hire is fully productive? What’s your 90-day turnover rate? |
| Incentive Structures & Retention Agreements | Whether compensation aligns with operational goals and whether key talent is locked in | Incentives reward volume over quality; Retention agreements expire at close; Unvested equity concentrates in critical roles | Are any key employees unvested or without retention? Do metrics drive the behavior you need? |
Systems & Technology
| Document | What it reveals | Execution risk signals | Follow-up questions |
|---|---|---|---|
| ERP / CRM System Documentation | Whether core systems support current operations and can scale | Systems are heavily customized; Reliance on unsupported versions; Manual data entry is pervasive | What % of transactions require manual intervention? When was the last system upgrade? |
| System Architecture Diagrams | Integration points, data flows, and technical dependencies | Point-to-point integrations; Reliance on end-of-life platforms; No disaster recovery architecture | What’s your RTO and RPO for critical systems? How many integrations would break in a migration? |
| Access Controls & User Permissions | Whether system access is appropriately restricted and auditable | Admin access is shared; Former employees retain access; No periodic access review process | How often are access rights reviewed? Who can approve permission changes? |
| Cybersecurity & IT Incident Reports | Maturity of security controls and frequency of breaches or near-misses | No penetration testing; Incidents aren’t logged; Patching is inconsistent | When was the last security assessment? What’s your average time to patch critical vulnerabilities? |
Supply chain & Third parties
| Document | What it reveals | Execution risk signals | Follow-up questions |
|---|---|---|---|
| Supplier Contracts (Top 80% of Spend) | Terms, pricing stability, termination rights, and change-of-control provisions | Month-to-month terms for critical inputs; Auto-termination on ownership change; No price protection | Which suppliers require consent for the transaction? What’s your longest lead time if you had to re-source? |
| Supplier Concentration Reports | Dependency on single or few suppliers for critical inputs or services | >50% of a critical input from one supplier; No qualified alternatives; Geographic concentration | Have you dual-sourced this input? What would disruption cost per day? |
| Service Level Agreements (SLAs) | Whether third-party performance is contractually defined and monitored | SLAs are informal; Performance isn’t tracked; No penalty clauses for non-performance | How often do suppliers miss SLA targets? What’s your remedy when they do? |
| Business Continuity & Contingency Plans | Whether the business has planned for supply disruption | No contingency plans; Single-source dependencies with no backup; Plans are untested | When did you last test this plan? How long can you operate if your primary supplier goes down? |
Compliance & Operational governance
| Document | What it reveals | Execution risk signals | Follow-up questions |
|---|---|---|---|
| Certifications (ISO, SOC 2, Industry-Specific) | Whether the business meets third-party operational standards | Certifications are expired or in jeopardy; Recent audit findings are unresolved; No recertification plan | When is the next audit? Are there open corrective actions? |
| Internal & External Audit Reports | Control effectiveness and management’s responsiveness to findings | Material weaknesses unresolved for >1 year; Management disputes findings without remediation | What’s the oldest open audit finding? Who owns remediation? |
| Regulatory Correspondence | Relationship with regulators and outstanding compliance issues | Warning letters; Consent orders; Frequent inquiries; Pending investigations | Are there any ongoing regulatory matters? What’s your history of violations or fines? |
| Health & Safety Records | Workplace safety culture and liability exposure | High incident rates; OSHA violations; No safety training | What’s your TRIR and DART rate trend? When was the last safety audit? |
Common operational red flags found in diligence
Although every deal is unique and operational details differ, the same execution risks appear again and again. These risks rarely show up as a single failure. More often, they emerge as patterns across documents and raw materials, interviews, and data.
M&A consulting firms, such as the M&A Leadership Council, identify the following red flags to be aware of in the initial assessment of a target company’s operations:
- The bottlenecks that can’t be avoided.
  Processes depend on one person who holds all the intellectual capital and/or access to systems. The procedures might even be documented, but, in reality, no one else can step in without disruption.
- Performance metrics that don’t quite add up.
  Different teams track success using numbers that don’t add up or just don’t seem to fit together. For example, the sales team reports a 25% increase in closed deals, while finance shows that financial performance was flat for the same period. This is often a sign that data management is a bit of a mess, and it makes relevant, actionable insights harder to find.
- Doing things on instinct.
  People get work done based on what they’ve learned over time rather than by following a set of written-down steps. Teams will often explain things in casual conversation, but the written procedures for those tasks are either seriously out of date or missing altogether.
- The documents that just get left behind.
  Important documents are left to gather dust, nobody is sure who has been maintaining them, or there is no clear record of the changes made over time. That makes it hard to tell whether controls are actually being implemented or the business is just going through the motions.
How a data room supports operational due diligence & risk management
Operational diligence works best when documents are organized and easy to trace. When files are shared through emails or open folders, execution risks are easier to miss.
A structured data room is a type of operational due diligence software used to keep sensitive operational documents in one place and to show how they are used during the review. This helps teams spot risks early and plan practical operational improvements. Here are the key VDR features that help teams:
- Permission control matters because not every reviewer should see every document. Incident logs, system access records, and employee data often require limited access based on role.
- Audit trails show who opened which files and when. This creates accountability and helps deal teams confirm which risks were reviewed before close.
- Document protection, such as watermarking or view-only access, reduces the risk of sensitive operational data being shared outside the diligence process.
- Version control is critical during fast-moving deals. Operational documents change often. Reviewers need to know they are working with the latest version, not outdated information.
Together, these controls support a cleaner, more reliable deal diligence process and reduce confusion during review.
To choose a reliable data room provider, start with this data room reviews guide that goes through the top-rated solutions.
How to evaluate data rooms for operational due diligence
Not every data room is suited for operational reviews. Some work well for financial files but struggle with complex operational documentation.
When assessing platforms for operational due diligence, focus on a few practical points:
- Can access be limited by role and document type?
- Can you clearly see document access and activity?
- Are watermarking and download limits available?
- Can questions be tracked and linked to documents?
- Is it easy to see what has been reviewed?
- Can the data room mirror your operational due diligence framework?
These criteria help teams choose tools that support execution analysis instead of slowing it down. Independent comparisons can help teams evaluate options objectively.
Key takeaways: Operational due diligence done right
The goal of operational due diligence is to understand how the business really runs and whether there are operational problems that will become bottlenecks in the long run. During diligence, the buy side checks the current and past performance of key processes.
This stage is a part of the bigger due diligence process, and it plays a huge role in identifying operational risks that may affect valuation or integration.
To make the whole process more secure and controlled, teams use tools like virtual data rooms. There, they can share and review sensitive deal-related documents. Features like clear access control and traceability improve the quality of operational due diligence and reduce post-close surprises.
If your team is looking for a VDR provider for the next deal, independent resources like this offer a useful starting point.