Operational Due Diligence (ODD) is no longer a one-off, point-in-time exercise - it should be an ongoing, structured process. Investors and allocators recognise that an annual questionnaire is now too static: this process must address complex challenges and risks, like the ever-growing and changing impact of cybercrime.
Moving to proactive risk management
The shift from reactive to proactive risk management within ODD aligns with the growing recognition that operational failures - ranging from inadequate cybersecurity defences to governance breakdowns - could pose significant risks to institutional portfolios. Numerous cases have emerged in recent years where more effective ODD processes could have saved companies money and considerable trouble.
For example, in March 2021, Archegos Capital Management collapsed due to a default on massive margin calls after using high leverage, through total return swaps, to build a concentrated portfolio of stocks. When share prices dropped, the fund couldn’t cover collateral requirements, triggering a fire sale by banks, and resulting in losses of over $5.5 billion.
Cases like this mean that the modern investment landscape is emphasising the need to assess technology and process vulnerabilities whilst regularly identifying dependencies on external service providers and potential concentration risk in portfolios. Increasingly, this has made ODD a crucial part of every stage of the investment lifecycle, from initial manager selection, through to ongoing monitoring and oversight.
Demands on ODD teams are rapidly increasing
But the reality is that the range of demands on ODD teams is only going to increase - whether that's due to expanded scope, increasing complexity, more frequent oversight of counterparties, or even unpredictable geopolitics. Combined with a highly competitive market for experienced professionals in this specialised area, this means many ODD teams have been exploring other ways to achieve efficiencies.
Most commonly, these efficiencies can be achieved through increased use of automated technology, but many firms are also considering co-sourcing expertise. Assessing cyber risk is a great example of this because ODD teams aren’t usually IT security experts, and most internal IT security teams prioritise their organisation’s safety rather than assessing the IT security questionnaire responses of multiple external managers. As a result, organisations are turning to specialised third-party providers who can deliver consistent, independent assessments and help bridge the expertise gap within traditional ODD functions.
ESG is now a key consideration
Whilst cybersecurity is assessed as a standalone issue, it can also form part of the framework for a counterparty’s Environmental, Social, and Governance (ESG) assessment. This helps ensure that strong IT and cybersecurity frameworks are embedded within governance practices, reflecting increasingly blurred boundaries with the ESG assessment of counterparties and reinforcing the governance component.
In the current landscape, ESG criteria continue to take on significant weight in the ODD process. Investors are now integrating ESG factors to evaluate both the sustainability of investments and the ethical governance of investment managers. The operational resilience of firms with a strong ESG framework indicates long-term stability, making ESG risk assessments a vital part of ODD. Furthermore, the worlds of cybersecurity and ESG continue to move closer. A number of large asset owners and allocators consider cyber risk management critical to assessing the governance of counterparties within their ESG framework.
The inexorable move towards greater automation
So, ODD is growing more important in terms of safeguarding institutional assets and limiting potential financial and reputational risks. But, as the operating environment becomes more complex, ODD frameworks must evolve too.
The traditional model of periodic reviews and static questionnaires is no longer fit for purpose. Risks are more dynamic, counterparties are more interconnected, and technology dependencies are deeper than in the past. As a result, asset owners and allocators are recognising that ODD needs to be more structured, more consistent, and (where appropriate) more automated.
Automation doesn’t remove the need for professional judgement but, where used appropriately, it can support ODD teams by creating greater efficiency, improving comparability of responses, and enabling more regular monitoring of key risk indicators. And, as noted, this is particularly relevant in areas like cybersecurity and ESG, where expectations are increasing and assessments often require specialist input. A more systematic approach can help ensure that material changes in a counterparty’s operating model or control environment are identified proactively.
Ultimately, modern, automated ODD should be viewed not as a replacement for existing processes, but as an enhancement, helping asset owners and allocators to maintain appropriate oversight across the full investment lifecycle while responding to an increasingly complex risk environment.


