The challenge of ensuring that a client isn’t directly impacted by operational issues, regulatory matters or reputational damage is growing year by year. The investment landscape has grown increasingly complex, and the cost of overlooking operational weaknesses has risen sharply.
Modern ODD must rise to this challenge. It should be a comprehensive and rigorous assessment that scrutinises an investment manager’s operational framework from top to bottom, verifying that the reality and risk culture match what’s documented. It must efficiently assess the operational risks that can hinder the ability of business leaders to execute their strategy effectively.
The core objective of ODD is to identify and mitigate operational risk. More than that though, it’s to ensure long-term operational sustainability. A strong ODD process supports the ongoing health and stability of a portfolio by verifying that the underlying infrastructure can withstand current and future challenges - thus ensuring the viability of an investment strategy while safeguarding stakeholders’ trust and confidence.
Why better ODD is needed now
Several high-level themes have emerged in recent years that bring into sharp focus why effective ODD is more important than ever.
1. The rise of alternative investments
Assets that sit outside of traditional classes like stocks, bonds and cash have grown in popularity in recent years as investors diversify their portfolios. However, private equity, credit, hedge funds, and real estate introduce unique operational challenges.
These include complex fund structures, illiquidity risks, and difficulties in verifying the quality and transparency of underlying assets. The operational due diligence required to assess these risks is far more intricate than traditional asset classes.
2. Increased regulatory scrutiny
Global regulators are demanding greater transparency in fund operations, particularly in the wake of the 2008 financial crisis and subsequent regulatory reforms (e.g., Dodd-Frank, MiFID II, APRA’s CPS 230). As regulations tighten, asset managers must adhere to stricter operational standards: failure to comply can lead to fines, reputational damage, and even regulatory sanctions (this includes a move to examine concentration risk and any fourth parties).
3. Cybersecurity threats
The volume of cybercrime incidents continues to grow, and fund managers have now become prime targets for cybercriminals. With the increase in hybrid working and expanding use of cloud computing and AI, there’s a larger digital attack surface than at most organisations.
Breaches not only jeopardise sensitive information but can also disrupt operations, damage investor trust and cause potential reputational damage to both the manager and its investors.
4. Increased use of Outsourced CIOs (OCIOs)
With more institutions considering the OCIO model, due diligence on material service providers is essential. Assessing outsourced providers’ operational strength, cybersecurity practices, and business continuity plans has become a critical element in managing overall portfolio risk.
5. The expansion of digital assets
Digital assets operate in a fast‑moving, technically complex, and highly regulated environment. Operational due diligence that considers important factors in the digital assets ecosystem, such as the markets these assets exist in and the custodians that facilitate their exchange, is important in reducing operational risk and reassuring investors.
Without a robust ODD framework, investors are exposed to potentially significant operational risks. These risks, ranging from fraud, governance failures, and cybersecurity breaches to ineffective operational controls, can lead to widespread disruption.
Operational due diligence adds value
When a collapse or significant failure happens in the financial services world, the post-mortem always reveals a few steps that could have been implemented in order to mitigate the damage caused. This means that members of risk teams are often left playing catch-up on something that’s already happened.
At Thomas Murray, we believe that risk professionals should be spending more time on preventative procedures, questions, and testing before incidents occur - being proactive and not reactive. We know, however, that currently this isn’t the case at most companies: risk and operations teams spend much of their time processing due diligence reports and the like through their internal systems and not adding value by identifying risks in advance.
Our Orbit Risk AI tool takes the administrative, processing burden away from these teams, freeing up time for them to put in place preventative measures to stop these major incidents before they happen.


