The expanding definition of due diligence
If one looks at the original due diligence case, the decision of the court was that the securities firm was liable for the losses of its customers in the fraud because it did not exercise appropriate due diligence in investigating the claims of the company for whom securities were being issued. Because of this, when most of us think of due diligence, we think of financial due diligence. Financial due diligence is the verification of claims made during a business transaction and the uncovering of what (if anything) has not been disclosed. This is done largely in order to cover your corporation in a lawsuit in case the transaction turns out to be fraudulent.
This is fine as far as it goes, but we believe that the concept needs to be expanded to include all areas in which you may be exposed to civil liability for negligent action. Due diligence is the obligation to offer protection against the risk that arises when actual circumstances differ from those anticipated.
What areas might be included in this expanded definition? Well, if you have a Web site which allows e-commerce or which accesses customer data, the likelihood is that, in spite of your best efforts, the site is insecure, either from the outside or from the inside. If you do not make a “best efforts” attempt to see if the site can be compromised through physical penetration, subornation, and hacking, and if customer data or sales are compromised, then you may be liable for failing to exercise due diligence.
If you have a parking lot that is not adequately secure and if an employee or visitor is attacked and harmed, then you may be liable for failing to exercise due diligence.
If you have an employee who is the victim of domestic violence and if, because you do not have adequate access control, the spouse wanders into your building and injures someone, then you may be liable for failing to exercise due diligence.
If you hire a child-care provider in your company’s day care center and the new employee turns out to be a convicted child molester, then you may be liable for failing to exercise due diligence.
If you hire an employee who turns out to have invented his past history and this causes a problem, then you may be liable for failing to exercise due diligence.
If you suffered from a predictable natural disaster and made no plans to deal with it, then you may be liable for failing to exercise due diligence.
If you have offices in a country where there is risk to the employees and if something bad happens to one of them, then you may be liable for failing to exercise due diligence.
If an employee of yours throws out papers which someone takes from the garbage and if this causes a loss for your company’s shareholders, then you may be liable for failing to exercise due diligence.
If you hold a conference in which proprietary information is discussed in a room that has not been swept for listening devices and the room is bugged, then you may be liable for failing to exercise due diligence.
If you discuss sensitive information on a line without using encryption devices and if the conversation is overheard by someone else and made public, then you may be liable for failing to exercise due diligence.
If you are a manufacturer that ships and receives from the same loading dock, thus assuring your shareholders a higher-than-necessary theft rate, then you may be liable for failing to exercise due diligence.
If you are in a business which lends itself to misrepresentation and you do not have an active testing policy, then you may be liable for failing to exercise due diligence.
And the list goes on. How can you protect your company from these risks? It is a four-step process.
The first step is to undertake an independent risk audit. As a rule of thumb we do these audits independently of — albeit in conjunction with — the in-house staff. This is not because we are smarter or better looking than the internal staff, who are undoubtedly aware of gaps. Rather, it is because an audit, financial or otherwise, must be independent of whatever company or organization is being audited. In addition, while we can establish known risks in conjunction with internal staff, as outsiders we can often see risks that are not visible internally.
Once problems are identified and solutions proposed, the second step is to implement the proposed solutions.
The third step is to regularly test the implemented solutions, often through dynamic scenarios.
The final step is to conduct a periodic re-audit, to assure that conditions have not changed and that what is being done is appropriate for the environment.
By doing this, you will not only reduce the likelihood that bad things may happen, but will also reduce liability if a bad thing does happen in spite of your best efforts.