Most investors and allocators would struggle to name the last time a due diligence questionnaire predicted a fund manager's operational failure. That's not a coincidence.
The questionnaire became the backbone of operational due diligence for understandable reasons. When the ODD function was formalised across institutional allocators in the years following the 2008 financial crisis, teams needed a structured, repeatable framework they could apply consistently across a growing roster of external managers. A standardised questionnaire covering governance, operational controls, technology infrastructure and business continuity offered exactly that. It was auditable, comparable, and defensible to investment committees. For a relatively new function operating with lean resources, it was a pragmatic starting point.
The problem is that it largely stayed there.
Across the industry, the due diligence questionnaire has evolved from a starting point into the primary deliverable. Teams spend months chasing completion rates, reconciling version histories, and formatting responses into summary reports, and then file them away until the next annual review cycle. That cycle typically runs to 12 or 18 months. A lot can change in that time.
What the Questionnaire Cannot See
Self-reported data has an obvious limitation: it reflects what a manager chooses to disclose, framed in the way they choose to disclose it. Most questionnaire responses are accurate in the narrow sense, factually correct at the point of completion. But operational due diligence is not an exercise in verifying what managers tell you. It is an exercise in understanding what is actually happening inside their operations, and increasingly, what is about to happen.
Consider three categories of risk that a questionnaire will reliably miss.
Financial stress rarely announces itself. A manager under pressure from redemptions, key person departures, or a deteriorating fee base will not typically flag that in a DDQ. Some of these pressures may become visible in audited accounts and other financial disclosures before they emerge through a formal review process. Revenue concentration, unusual related-party transactions, thinning cash positions relative to operational expenses: these are the signals that precede the more visible problems. By the time a manager discloses a material operational issue in their next questionnaire cycle, the stress that caused it has often been visible in their financials for a year or more.
Cyber posture is another area where the questionnaire falls short, and where the gap has widened significantly over the past five years. A manager can describe their information security framework in detail: policies, controls, incident response procedures, and still be running systems with unpatched vulnerabilities, exposed services, or third-party suppliers with poor security hygiene. Understanding cyber risk increasingly benefits from independent technical evidence alongside manager self-assessment. What a manager says about their security controls and what their external attack surface actually looks like are frequently different things. We have seen this gap repeatedly, and it is not always the smaller managers where you find it.
Reputational and personnel risk sits in the same blind spot. Key person changes, regulatory enquiries, litigation, adverse coverage in trade media. These signals often emerge and develop between review cycles. An allocator relying solely on a 12-month questionnaire cadence may be reading about a problem in the Financial Times before they see it in their ODD process.
The Case for a Multi-Signal Approach
None of this is an argument against questionnaires. Structured questionnaire data remains foundational to any credible ODD process. It provides the documentary baseline, establishes accountability, and creates the audit trail that regulators and investment committees require. The argument is against treating it as sufficient.
Fund manager risk is not a static condition. It changes continuously, driven by market conditions, personnel movements, technology vulnerabilities, regulatory developments, and the ordinary operational pressures of running an investment management business. A monitoring framework that updates once a year or once every eighteen months in practice, is not monitoring. It is periodic documentation.
A multi-signal approach layers additional data streams on top of the questionnaire foundation. Financial statement analysis provides an independent, quantitative read on a manager's operational health that sits outside the manager's control of the narrative. Cyber risk intelligence provides continuous visibility into the external attack surface, drawing on technical scanning rather than self-attestation. News and media monitoring flags emerging reputational issues, personnel changes, and regulatory actions in close to real time.
Each layer answers a different question. The questionnaire asks: what does the manager say about their operations? Financial analysis asks: what do the numbers suggest about their operational sustainability? Cyber monitoring asks: what does their actual technology posture look like from the outside? Media surveillance asks: what is the world saying about this firm that they have not yet said to us? Operational risk monitoring becomes considerably more informative when these signals are viewed together, because the most significant warning patterns tend to involve deterioration across multiple dimensions simultaneously.
Practically, this means the technology supporting ODD teams can increasingly add value beyond questionnaire management alone. The market has produced a number of capable tools for streamlining the questionnaire workflow, and they have genuine value. But workflow efficiency is not the same as risk intelligence. An ODD team that has automated its questionnaire process has solved an operational problem. It has not necessarily improved its ability to identify manager stress early.
Moving from Review to Monitoring
Making this shift is not straightforward, and it is worth being candid about that. Most ODD teams are not under-motivated, they are under-resourced. Adding three new data streams to an already demanding annual review programme sounds like more work, and without the right infrastructure, it is.
The practical answer is integration. Financial statement analysis, cyber monitoring, and news surveillance are only operationally viable at scale if the outputs are aggregated into a single view alongside the questionnaire record, with alerting that flags material changes rather than requiring analysts to scan raw data feeds. Continuous counterparty risk monitoring should reduce analyst workload on routine reviews by focusing attention where it is warranted, not increase it across the board.
Regulatory direction is also worth noting here. The FCA, ESMA, and their counterparts in other jurisdictions have been moving steadily toward expectations of ongoing, evidence-based due diligence rather than point-in-time review. Pension fund trustees and investment committees are asking harder questions about the frequency and depth of operational oversight. The allocators who will find themselves best positioned are those who have already moved their ODD process from an annual documentation exercise to something closer to genuine, continuous monitoring.
The questionnaire is not going away. Nor should it. But the managers who present the most serious operational risk to allocators are rarely the ones whose DDQs raised obvious concerns. They are the ones whose problems developed quietly, between cycles, in areas that a questionnaire was never designed to see.
For those looking to go deeper on how to build and stress-test an ODD process fit for the current environment, Thomas Murray has published a practical guide for asset owners and allocators.
Operational Due Diligence: A Playbook for Asset Owners and Allocators that covers the fundamentals of what a comprehensive ODD process should examine. From governance and personnel risk through to cybersecurity assessment and financial health monitoring, alongside a detailed look at how technology is reshaping what continuous oversight actually looks like in practice. It is written for ODD teams, investment committees, and trustees who want a clear-eyed view of where the function is heading and what best practice looks like today.

Operational Due Diligence
Automate your operational due diligence with Orbit Risk technology.
Get ongoing monitoring of your investment managers, track adverse media, and receive cyber risk alerts as they happen.
Insights

ODD Is More Than Questionnaires
Most investors and allocators would struggle to name the last time a due diligence questionnaire predicted a fund manager's operational failure.

Common Operational Red Flags Investors Miss in Due Diligence
Operational failures rarely come with warning signs until you know what to look for.

The Hidden Costs of Spreadsheet-Based Due Diligence
For decades, spreadsheets have been the default tool for operational due diligence. But the costs of this approach are becoming impossible to ignore.

Top 5 Things Investors and Allocators Should Look for in Technologies Streamlining Operational Due Diligence
Our work at the intersection of institutional risk and market infrastructure has shown us what makes ODD technology truly impactful.

