THE RFPIO BLOG

How to respond to a DDQ

Entering into a business relationship, whether it includes making a large purchase or even a merger or acquisition, is complicated. With today’s security challenges, it is riskier than ever.

When a company receives a DDQ, the document shouldn’t be taken lightly. Lack of due diligence on the part of the responder can risk future deals, future partnerships, and even the company’s reputation.

What is a DDQ?

DDQ stands for due diligence questionnaire. While that sounds somewhat vague, a DDQ is all about mitigating risk by determining whether the company receiving the DDQ complies with the issuer’s standards and regulations.

A DDQ could be a precursor to an RFP, a merger or acquisition, or an audit from an existing customer. It could even be a way of creating a list of “safe” companies for future dealings.

Naturally, DDQs are as varied as the companies, and especially the industries, that issue them. Tech companies, for example, emphasize security and privacy compliance. Financial institutions want assurance that vendors won’t put them in hot water with the Securities and Exchange Commission, among other regulatory agencies. And those in the healthcare industry need to verify HIPAA compliance.

Naturally, it’s not that simple. There’s a lot of overlap. Every industry, for example, is concerned with security and privacy. Nearly every DDQ, regardless of sector, probes companies about their history, investments, organizational structure, etc.

In short, the job of a DDQ response team is to paint a picture of a company that is stable and compliant.

A DDQ is not a sales document. Most DDQs will not ask about product functionality, market share, hiring practices, etc., although they might ask about major new product releases, as they could affect financial forecasts.

Who issues DDQs?

While any organization could issue a DDQ, they’re primarily issued by technology companies, financial services companies, and government agencies.

DDQs can have dozens, hundreds, and even thousands of questions, but even the simplest DDQs require input from multiple stakeholders. If you’re in charge of responding to DDQs, you may need input from the following roles:

  • Financial – You could receive questions regarding your company’s financial health. These may include questions about anything from investors, to financial statements, to liens, to the amount of taxes your company pays, etc. If you work for a privately held company, you might not choose to answer those questions, but the issuer will ask.
  • Legal – Most legal questions fall under the purview of RFPs. However, you may see DDQ questions related to legal compliance.
  • Mergers and Acquisitions – Companies must issue DDQs before entering into mergers or acquisitions.
  • Analysts – While raw data might be enough to answer some questions, many will need a deeper understanding and even forecasting.
  • Compliance – Gauging compliance is the core function of a DDQ.
  • IT – IT departments are at the front line of enacting and maintaining security protocols.
  • Procurement – In many companies, procurement departments are DDQs’ project managers. It’s rare, however, to see questions related explicitly to procurement.

Why do companies issue due diligence questionnaires?

Issuing a DDQ simplifies the collection and delivery of vital information needed before engaging in or continuing a business relationship.

A DDQ enables the issuer to learn about current or prospective partners’:

  • Financial status – It’s easy to understand why a company might want to learn about a potential vendor’s financial position. A financial misstep from a vendor could have reverberations down the line. However, many, if not most, privately held companies will not open their books to people outside their organization. Publicly traded companies are another story; their financial statuses must be public.
  • Business holdings – Business holdings are part of financial due diligence and could reveal debts and potential tax liabilities.
  • Compliance standards – Compliance requirements are numerous and deep. If a vendor is out of compliance with an issuer’s obligations, the issuer could find themselves out of compliance.

A DDQ helps a company measure risk in a variety of types of business transactions. Reasons for issuing DDQs include:

  • Completing a merger – A merger is a marriage, so to speak, between two companies. It’s a legally binding agreement that essentially states, “what’s mine is yours and what’s yours is mine.” It would be irresponsible to enter into a merger without knowing what the “yours” that will be “mine” is.
  • Assessing an acquisition – An acquisition is much like a merger in that transparency is critical, and a DDQ will reflect that.
  • Considering an investment – Large investors want to vet their potential investment before writing a check.
  • Third-party vendor risk management – Even if a company is 100% compliant, their vendors could put your customers at risk. Risk assessments have to dig below the surface.

Responding to a DDQ

An effective DDQ response provides enough information to empower buyers, prospective investors, or business partners to confidently move forward.

A DDQ response process has a lot in common with an RFP response process, but there are some differences. Here are the key steps for responding to a DDQ:

1. Define your response strategy

Just as responding to an RFP requires a strategy, so should a DDQ response. First, you must determine:

  • Whether the SLA (service level agreement) is defined and available.
  • Who to put in charge of intake.
  • When you will be ready to start answering questions.
  • Who will answer the DDQ.
  • How long the DDQ will be in question/answer mode.
  • When the DDQ will be ready for review.

2. Assign tasks and due dates

A typical DDQ will have several SMEs and stakeholders. Make sure everyone knows their precise roles and responsibilities and expected timelines.

3. Answer commonly seen questions

Most questions on a DDQ, or for that matter, an RFx, are identical or nearly identical to questions you’ve answered before. A well-developed Content Library should automatically provide those repeatable answers, enabling you to accept them as is or edit them as needed.

4. Consult with collaborators

Once you’ve answered all the common questions, it’s time to turn to the experts. Consult with your response team and SMEs (subject matter experts) to complete the DDQ.

5. Review

Go through the DDQ with a fine-toothed comb to ensure there are no errors or missed (answerable) questions.

6. Submit the Questionnaire to the issuer

On time, right?

Due Diligence response best practices

Even though companies send DDQs with different goals in mind, and they are as varied as any other type of document your proposal team may see, there are a few best practices you should follow for all your submissions.

Understand your position in the sales funnel

Your latest DDQ may or may not be part of the sales process. If it leads to a potential sale, you’ll typically see a DDQ high up in the funnel, perhaps as a way of selecting compliant vendors before issuing an RFP.

Occasionally you might see a DDQ after responding to an RFP and as the prospect is nearly ready to select a vendor.

Sometimes, though, the DDQ is so far removed from the sales process that it’s nothing more than information gathering, either on current vendors or maybe-one-day-in-the-future vendors.

No matter where the DDQ is in the sales funnel, if it’s in the sales funnel at all, it’s not a good idea to set the document aside. Maybe it will lead to future deals, or perhaps it will expose some of your own vulnerabilities.

Aim for a consistent and systematic approach

Some DDQs have thousands of questions, which might feel intimidating, and your instinct might be to answer each question as succinctly as possible. While that approach might save you time, proving compliance requires a detailed and consistent response.

Still, you can take steps to ensure that you don’t skip questions and to help you manage the time required to provide complete answers. They include:

  • Prepare a customized checklist – Create a customized checklist of the types of information you might need, preferably categorized by industry. You could require an organizational chart, financial information, legal documents, and of course, governance, risk, and compliance documents.
  • Create due diligence questionnaire templates – Consistency saves time. If you upload your DDQs into a customized template, each stakeholder will know precisely where to locate what they need.
  • Leverage RFP response management software – RFP response management software also works for DDQs. Intelligent response management software will help you create and store both checklists and templates.

Centralize response information

Most of the questions on a DDQ are very similar to questions you’ve answered in previous questionnaires. Storing your responses and documents in a single source of truth for information can save hours, days, and sometimes even weeks on your response process. Beyond saving time, a Content Library:

  • Ensures accuracy – A company is legally bound to their answers, so accuracy is critical. The Content Library will hold on to the company-approved answers, enabling users to produce accurate responses.
  • Supports transparency – Transparency is critical for both trust and employee morale. When all the necessary information is right there for authorized users to see and use, it creates trust among the rest of the response team and potential customers.
  • Improves knowledge access – Anyone with the proper credentials can access the knowledge they need.

Automate the response process

You may not be using automation in your response process, but your competitors and many—if not most—of your customers and clients are. There are several reasons leveraging automation improves the DDQ response process, including:

  • Tracking real-time vendor completion progress – Automated response software has (or should have) project management built right in. It tracks each stakeholder’s progress.
  • Streamlining response time – Automation can answer up to 80% of your DDQ with just a few clicks.
  • Scaling ability to respond to DDQs – Automation helps determine the size and scope of the ideal response team as well as timeline estimates.
  • Efficiently managing tasks and deadlines – Define and manage tasks and expectations with automation.
  • Improving collaboration – Automated responses value and save SMEs’ time, creating more willingness to collaborate.

Due diligence checklist

While all transactions differ, a DDQ checklist facilitates a more thorough response through better organization and time management.

Common materials collected during a DDQ response include general corporate information, financial information, compliance certifications, licenses, legal documents, etc.

Organization and ownership

A DDQ might be a potential vendor’s first encounter with your organization, which means they need a proper introduction. The DDQ could ask for:

  • An organizational chart
  • Partnership/profit sharing agreements
  • Records of shareholder meetings
  • Senior leadership information (e.g., age, tenure, promotions, etc.)

Human resources

DDQs don’t generally dive too deeply into human resources issues, but you can learn much about a company’s long-term viability and potential problems from the HR department. DDQs might ask HR about:

  • Projected headcount (by function and location)
  • Benefit plans
  • Key employment agreements
  • Personnel turnover data
  • Incentive stock plan overviews
  • Employee litigation

Financial

DDQs are common in financial service organizations. Also, because DDQs might precede a lengthy business relationship, the issuer will want to know your organization is financially stable. It is important to note, though, that many privately-held companies will not provide financial documents. Requested financial records might include:

  • Annual and quarterly financial information
  • Accounts receivable
  • Capital structure
  • Summary of all debt instruments
  • Financial projections
  • Revenue (by product type, customers, and channel)
  • Major growth drivers and prospects
  • Summary of current tax positions
  • Schedule of financing history (equity, warrants, and debt)

Fund information

DDQs are necessary for mergers, acquisitions, or business partnerships. It probably goes without saying that fund information is crucial for financial or investment partner due diligence. The document might request information about:

  • Fund strategy
  • Product and fund descriptions
  • Market share
  • Timing of new products
  • Cost structure
  • Profitability

Governance, risk, and compliance

Assessing governance, risk, and compliance is the primary purpose for issuing a DDQ. Be prepared to offer documentation for:

  • Policies
  • Code of ethics
  • Fund exposure
  • Service provider risk
  • SEC communications

Legal

Legal documentation helps issuers determine whether a company is in good legal standing. You may be asked to provide information on:

  • Pending and past lawsuits
  • Environmental and employee liabilities and safety
  • Intellectual Property
  • Insurance coverage details
  • Summary of material contracts
  • History of regulatory agency issues

Streamline your DDQ response process with RFPIO

Issuing and responding to DDQs can be repetitive and time-consuming, and not just for dedicated response teams. RFPIO’s automated response software saves time, improves quality and accuracy, and helps foster good working relationships.

Due diligence software offers several features to help optimize the DDQ response process, including:

Knowledge library

RFPIO’s AI-powered Content Library is a centralized knowledge source—a single source of truth—that enables streamlined responses by intelligently answering most of a DDQ’s questions and providing the corresponding documents without asking SMEs to reinvent the wheel each and every time a similar question arises.

Answer intelligence

Using machine learning, RFPIO response management software understands the questions and knows how to respond to routine (and some not routine) requests based on previous answers. All you have to do is edit or accept the suggested responses.

Collaborative integrations

RFPIO offers best-in-class integrations with all the productivity, sales enablement, communication, and CRM tools you already use.

*Put your best answers forward with RFPIO*

Learn how RFPIO can help your company respond to DDQs with accuracy, efficiency, and expedience.

Understanding due diligence questionnaires

The internet allows consumers to easily arm themselves with information that may influence their buying decisions. Before spending money at a restaurant or hair salon, for example, they might consult Yelp or Google Business reviews.

When a business enters into an agreement with another company, whether it’s a large purchase or even a merger or acquisition, making informed decisions is a little—okay, a lot—more complicated than just checking Yelp reviews. Before entering into a business relationship, buyers must do their due diligence, or there could be severe repercussions.

What does doing “due diligence” entail when entering into business agreements? In this blog, we’ll talk about when you can expect a DDQ (due diligence questionnaire), what to expect from it, and how to make filling one out a whole lot easier.

What is a due diligence questionnaire (DDQ)?

A DDQ is a formal document and request from a company looking to have a set level of understanding of a specific topic from a potential vendor. A DDQ enables the issuer to vet prospective partnerships.

It is worth noting, however, that DDQs vary between industries and types of products or transactions. Also, unlike an RFP, a DDQ is not a sales document and may not even be a precursor to a sales document.

However, just as many (if not most) companies run background checks on new hires, a DDQ might be that “background check” before signing an official deal. DDQs are most commonly sent from highly-regulated companies, such as those in the financial services industry.

Some DDQs are product-focused, asking, for example, what the product capabilities are. However, a DDQ is not a sales document, so it generally won’t get into specific product features, pricing, or logistics.

DDQs include:

  • Financial status – Businesses make large purchases to help them fulfill their customer obligations. Suppose they choose to do business with a company that isn’t on good financial footing and could go bankrupt. In that case, the purchasing organization risks financial loss, potential legal problems, damage to credit, and a hit to its reputation. This isn’t to say they’ll always receive the answers they’re looking for; we’ll get to that in a moment.
  • Business holdings – Asking an organization to disclose its business holdings is part of the financial vetting process. It could reveal potential red flags that expose the vendor—and potentially, by extension, the purchaser—to legal and tax vulnerabilities.
  • Compliance standards – Does the vendor meet the purchaser’s industry standards and applicable government regulations? These questions might arrive via a separate security questionnaire.

Due diligence core areas

Many people confuse DDQs with RFPs and security questionnaires, but they are quite different. As mentioned earlier, an RFP is a sales document. A security questionnaire has more in common with a DDQ than an RFP, but security questionnaires are generally straightforward yes/no questions.

A DDQ might contain some narrative questions, similar to an RFP. But a DDQ is strictly about vetting a company, not making a sale. The core areas include:

  • General organizational information (business credentials) – Typically, DDQs only ask about surface business credentials, such as company name, company legal name, year founded, primary products, number of customers, etc.
  • Financial review – Financial due diligence is one of the primary purposes for DDQs, especially in financial services. Customers may want to see the last three years of financial statements. Privately-held companies are not legally required to release financial information—and as a matter of course, they won’t. As an alternative, the vendor might suggest a phone call to discuss concerns.
  • Human resources – HR questions are generally more characteristic of an RFP than a DDQ. There might be some surface-level questions, such as “how many employees,” etc., but granular questions about HR are left to the RFP.
  • Funding – A DDQ issued to a startup company might ask about funding. A DDQ may also ask about a fund manager’s strategy.
  • Governance, risk, and compliance – This is a core piece of DDQs.
  • Legal – Legal questions are usually categories under compliance. Legal agreements are generally more RFP-focused.

What does a DDQ include?

While DDQs might have some narrative questions, most are yes/no. DDQ questions might cover several categories.

They might include:

  • Company questions – Company questions might include some narrative questions, such as, “tell us about (company history, organizational structure, subsidiaries, majority stakeholders, investments, etc.).”
  • Financial information – Financial information includes income, balance sheets, accounts payable and receivable, tax returns, credit reports, etc. Many privately held companies will not answer these questions.
  • Employee information – Employee information is generally part of an RFP. However, a DDQ might ask high-level questions such as the number of employees, types of non-compete and non-disclosure agreements, etc.
  • Legal overview – A DDQ is not a legal contract, but that doesn’t mean incorrect answers won’t get you in legal hot water in the future. You may see questions about litigations, permits, licensing, etc.
  • Financial and debt statements – It’s common for a DDQ to ask for financial and debt statements. However, while that information is public for publicly traded companies, privately held companies may not, and often do not, provide those answers.
  • Consumer/customer information – Customer questions are generally not part of a DDQ. However, it might include questions about security surrounding customer records or any litigations.
  • Industry and market insights – Industry and market insights are not common DDQ subjects.
  • Intellectual property – Intellectual property questions are common on DDQs. You could be asked how many patents your company holds, whether your products are intellectual property or crowdsourced, etc.
  • Operational information – Like HR questions, operational questions are typically high-level, such as about network security. However, in manufacturing, operational questions tend to be far more complex and in-depth.
  • Regulatory compliance – Regulatory compliance is generally the most critical part of a DDQ, especially in the tech, financial, and healthcare industries. You can expect several questions about whether you comply with an issuer’s regulatory requirements.
  • Data security and privacy – In most cases, data security and privacy fall under regulatory compliance. Some issuers might want to know whether you go above and beyond to meet stringent compliance requirements.
  • Contractual obligations – Contractual obligation questions are typically in an RFP instead of a DDQ.
  • Reputation and publicity reports – Reputation and publicity report questions are not generally part of a DDQ. However, you will find them on RFPs and RFIs (requests for information).
  • Information technology systems – It’s common for a DDQ to ask about existing software and hardware.
  • Tax history – Tax history typically falls under financial questions. Most privately held companies won’t answer.

Why do organizations issue DDQs?

While DDQs are not a direct part of the sales cycle, they can help facilitate it. A company may issue a security questionnaire before an RFP or even compile a list of compliant vendors for future use.

It’s also prevalent for companies to issue DDQs to existing vendors to address significant organizational changes and maintain standards in their vendor pool.

  • Mitigate risks – Risk mitigation is the fundamental reason to issue a DDQ. Risk mitigation is a common concern in investment management. DDQs are often issued for existing relationships to ensure up-to-date compliance.
  • Guarantee compliance – This falls under risk mitigation.
  • Streamline disclosure process – A comprehensive DDQ is designed to streamline information collection and disclosure.
  • Enable efficient gathering of large amounts of data – DDQs can collect large amounts of data, within limits. Large response teams can provide more data than smaller teams, although advanced response software helps level the playing field.
  • Accelerate transactions – Generally, DDQs do not accelerate transactions. However, they can make choosing vendors in the short or long-term future much simpler.

Understanding DDQ responses

An effective DDQ response provides enough information to empower transactions to proceed with assurance. Quality responses can help:

  • Demonstrate strengths with compliance – Demonstrating compliance can set you apart from some of your competitors, but again, DDQs are not sales documents. It’s essential to follow the issuer’s guidelines and never fudge or exaggerate your compliance.
  • Confirm historical performance – A DDQ may ask about past performance trends, especially in investment and financial firms. Other industries might be asked about overall growth, etc., although that’s usually not a focus.
  • Investment and asset management – A DDQ might also ask about investments and asset management. However, privately held companies might not answer the questions.
  • Disclose risks – From the buyer’s perspective, a DDQ is about disclosing any risks before entering into or maintaining a business relationship. Vendors might be tempted to gloss over risks, but it’s critical to be honest about your limitations and hopefully create a plan to address them.
  • Grow revenue – DDQs are not specifically revenue-generating documents, but in many cases, they are a necessary piece of housekeeping, so to speak, before entering a sales cycle.

Types of due diligence questionnaires

DDQs are about as varied as the industries they come from and their ultimate purposes. Some industry-specific or situational questions you might find are:

Mergers and acquisitions due diligence

Not surprisingly, DDQs issued before a merger or acquisition are highly detailed. Nothing is off the table, although a DDQ will commonly ask about financial history and obligations, security compliance, legal matters, contract obligations, etc.

It is worth noting that since mergers and acquisitions are typically not public knowledge within a company, the vendor should limit project access to executives and others involved in the query.

Vendor due diligence

Not all customer/vendor relationships begin with a DDQ; it depends on the industry. For example, purchases in the investment and management realm must include DDQs. Vendor management is about standardization to take any surprises out of future business arrangements. Overall, the goal is to reduce risk and inform decision-making.

Business relationship due diligence

DDQs can be a critical part of ongoing business relationships. Have regulatory requirements changed? Have you kept up? Has your business made any structural changes?

Investment due diligence

A DDQ is extremely important in vetting companies before investing. It is worth noting, once again, that the questions on an investment DDQ ask for sensitive information, so it’s unlikely that they’ll be answered by response teams.

Due diligence questionnaires: Best practices

Unlike the RFP process, which focuses on features, pricing, onboarding processes, etc., the DDQ process elicits details and insights that may be overlooked.

Define your strategy

Your DDQ strategy should begin long before you receive one. Response managers should determine:

  • Whether their SLAs are defined and available.
  • Who is going to intake the DDQ?
  • How long will it take before you start answering questions?
  • Who will answer the questions?
  • How long will the DDQ be in question/answer mode?
  • When will the DDQ be ready for review?

Address vulnerabilities

It’s easy to assume that a DDQ mitigates risks for the issuer with little benefit to the company responding. However, it’s not that simple. An accurate and thorough DDQ response strategy can identify vulnerabilities within your organization.

As for the issuer, failure to issue a comprehensive DDQ can result in:

  • Security breaches – If a company fails to properly vet vendors for compliant security protocol, they risk breaches that are out of their control, and the vendor risks fines and litigation when they fail to deliver or try to gloss over risks.
  • Failed revenue goals – If a purchase is tied to your company’s revenue and you’ve failed to do your due diligence, it could have revenue ramifications for several quarters.
  • Falling out of compliance – Even if all of your company’s systems are compliant, a non-compliant vendor could knock you out of compliance.
  • Breached contracts – If you choose a vendor who fails to adhere to their agreement, your customers will blame your company, not the vendor.
  • Fraud – Fraud in B2B (business to business) sales is rare, in no small part because the vetting process is far more rigorous than with most consumer purchases.
  • Mismanagement – DDQs help protect against the mismanagement of funds or data.

Clearly articulate core DDQ objectives

Why did you receive the DDQ? Is it a precursor to a sales process, or will it be an ongoing quarterly or yearly review or audit?

Employ a consistent and systematic approach

An effective DDQ response process requires thoroughness, accuracy, and consistency. Advanced response management software, such as RFPIO, is the tool that creates time-saving repeatable processes.

  • Prepare customized templates – Create a branded answer template that easily imports information from whatever format a DDQ appears in.
  • Identify and quickly access SMEs – Are the questions in their area of expertise, and do they have the time?
  • Leverage RFP response management software – RFP response management software helps ensure that your answers are accurate and on-brand while saving time and resources.

Work from due diligence checklists

Checklists are built into nearly every project management software. Checklists keep you on time and on track.

Super-organized issuers might even build checklists into their DDQs.

A checklist:

  • Enables easier comparisons – Think of a DDQ as an opportunity to check your company’s compliance as it compares to your own and your issuer’s standards.
  • Effectively collects information – A checklist helps ensure that you aren’t missing anything and aren’t gathering the wrong information.
  • Prevents missed deadlines – A checklist will help ensure that your response is complete and on time.

Centralize organizational knowledge

DDQs aren’t known for originality; however, two issuers rarely ask similar questions in identical ways. Can you make the answers repeatable? Can you store answers in a single source of truth to accelerate future DDQ responses? Whether a DDQ has 20 or 2,000 questions, having content in place is by far the biggest time saver.

A single source of truth:

  • Ensures accuracy – All information stored in a company’s knowledge library should be verified accurate through regularly scheduled audits.
  • Supports transparency – With pre-approved answers, a comprehensive AI-powered knowledge library does much of the work for you.
  • Improves knowledge access – In a perfect world, every DDQ stakeholder would have access to their single source of truth. RFPIO’s unique project-based, rather than user-based, pricing structure gives access to any authorized person without having to purchase additional licenses.

Leverage automation

Because DDQs arrive via a myriad of formats, it’s crucial to have software in place that helps you standardize them. Intelligent automation goes several steps further by doing up to 80% of your work.

Benefits of DDQ response automation include:

  • Tracking the completion process in real-time
  • Streamlining the response time
  • Scaling the ability to respond to DDQs
  • Efficiently managed tasks and deadlines
  • Improved collaboration

Due diligence example questions

Not surprisingly, a DDQ’s questions are industry-specific. Below are some common industry-specific examples:

Organizational due diligence questions

Organizational due diligence questions can be a part of any DDQ, but in-depth organizational due diligence questions are more common in mergers and acquisitions than in vendor DDQs.

Questions might include:

  • What is the organizational structure of your company?
  • Can you provide professional bios for senior leadership?
  • Can you offer diagrams and charts of your corporate structure?

Financial due diligence questions

DDQs are most common in the financial services industry. Expect DDQs to ask:

  • What are your operating costs?
  • Can you provide income statements and balance sheets?
  • Can you provide accounts receivable information?
  • Can you give a breakdown of sales and gross profits (by Product Type, Channel, and Geography)?

HR due diligence questions

HR due diligence questions are uncommon but not completely unheard of. You may have to answer questions such as:

  • What do current employee contracts look like?
  • What are historical and projected head counts, both by function and location?
  • What are your benefit plans?
  • Can you provide incentive stock plan overviews?

Investment fund information

Investment and hedge funds, of course, are an arm of the financial services industry, so you will generally see DDQs. Questions might include:

  • What are your fund strategies and goals?
  • What are your historical and projected growth rates?
  • What is your market share?

Governance, risk, and compliance

A DDQ’s most basic function is to determine and mitigate risk. Governance, risk, and compliance questions include:

  • What are your organizational policies?
  • Can you provide an organizational code of ethics?
  • Can you provide a breakdown of service provider risk?
  • Can you provide your SEC communications plan?

Legal due diligence questions

Legal questions generally fall under RFPs rather than DDQs; however, there are some cases where an issuer might include legal questions, including:

  • Have you been involved in any litigation?
  • Are you currently involved in any litigation?
  • What trademarks and patents do you currently have?
  • Can you provide insurance coverage details?
  • Can you provide your history of regulatory agency issues?
  • What are your compliance programs and policies?

Simplify due diligence with RFPIO

Repetitive, manual due diligence efforts are inefficient and cumbersome. RFPIO is a response platform and a project management platform. Simplify your DDQ response processes with:

  • Standardize importing – Whether your DDQ arrives as a spreadsheet or a Word document, import it into RFPIO for standardized, highly searchable formatting and functionality.
  • Project management – RFPIO will let you set project goals and timelines, helping ensure your answers will arrive on time.
  • The ability to choose your SMEs – Your SMEs are very busy and have varying degrees of expertise. RFPIO will show you the SMEs who’ve answered similar questions in the past, and show their availability.
  • Repeatable answers – DDQs can have thousands of questions. RFPIO’s Content Library stores approved answers to previous questions, letting you auto-populate and edit as you see fit.
  • Standardize exporting – RFPIO lets you customize templates to match your brand and impress the issuer.

Responding to DDQs

RFPIO is the number one response management platform, and not just for RFPs. Leverage RFPIO throughout your entire DDQ response process to provide professional, accurate, and on-time responses. RFPIO’s AI-powered response platform provides:

  • A single knowledge library (RFPIO’s Content Library) – Add answers to any DDQ from anywhere within the company
  • RFPIO® LookUp – Provides access to the Content Library to any authorized person with a browser.
  • Recommendation Engine – Automatically suggests the best responses
  • Project management functions – Assign, manage, and track workflow tasks and deadlines.
  • Scalability to respond to DDQs – While most SaaS (software as a service) products have a per-license pricing model, RFPIO allows for unlimited users with project-based pricing. Your capabilities will grow as you need and scale back when your response team can take a little breather.

RFPIO also enables collaboration with seamless integrations with all of the most popular communication applications. Keep in touch with teammates from anywhere in the world using Slack, Microsoft Teams, Google Hangouts, or Jira to:

  • Ensure accuracy – It would be tough to answer a DDQ without help from some SMEs. Real-time communication and fact-checking help you submit accurate answers.
  • Efficiently manage tasks and deadlines – Stay in touch with each stakeholder to ensure each task is completed on time.
  • Streamline response time – Better communication enables faster response times.

Explore a better DDQ solution

RFPIO isn’t just for RFPs. Our comprehensive response management platform makes responding to DDQs fast, secure, scalable, accurate, and on time. If you would like to learn how RFPIO can help you demonstrate compliance, schedule a free demo.

DDQ vs. security questionnaire

From content to timing, confusion often surrounds the differences between a due diligence questionnaire (DDQ) and a security questionnaire. Read on to learn the nuances of each document to improve your responses and win that next deal.

What is a DDQ?

DDQ stands for due diligence questionnaire. Organizations send them to mitigate risk before entering into an agreement with another company. It is a formal document designed to establish whether a vendor complies with industry and/or customer standards or needs, including how the vendor manages its own network and cybersecurity protocols.

Unlike an RFP, a DDQ is not as much about competitive evaluations. A DDQ is all about compliance and business practices.

What is a security questionnaire?

Much like it sounds, a security questionnaire is sent to potential vendors to determine whether their security protocol meets the issuer’s standards and legal requirements. Security questionnaires are technical and usually highly complex; however, most questions are “yes” or “no” rather than narrative.

Note that neither DDQs nor security questionnaires are sales documents.

DDQs vs. Security Questionnaires

Now that you know the definition of a DDQ, let’s get into how security questionnaires are unique, along with a few similarities they share with DDQs.

Common industry

Any organization can issue a DDQ, but we see them most in the financial services industry. Security questionnaires are primarily used by organizations operating in technology—either hardware or software.

Market evaluation

Much like a DDQ, a security questionnaire will not be used as a method of evaluation between vendors. However, if an organization throws an RFP (request for proposal) into the mix, then both questionnaires play a role in market comparison.

Because a security questionnaire is not a competitive evaluation, the issuer won’t spend time performing a security review with more than five potential vendors. It’s completely different from responding to an RFP, which may be sent out to tons of vendors to cast a wide net.

Issuing departments

Usually, a security questionnaire comes from a security department (infosec, IT security, cloud security, etc.). A DDQ will not necessarily come from that department; marketing, client services, or compliance teams frequently send these documents to responders.

Sales timing

Security questionnaires and DDQs typically show up early in the sales cycle. They may come in when an organization is trying to set you up as the vendor of choice or before it’s time to renew. Before you can become their new vendor, they need to make sure you’re compliant. If you’re an existing vendor, they might need to ensure you’re still compliant.

Even when you become their vendor partner, you might see a due diligence questionnaire again and again. Especially in the financial services industry, DDQs are sent to vendors annually—even quarterly—so make sure you’re up to speed on industry regulations.

Document types

A security questionnaire is predominantly an Excel spreadsheet. A DDQ could be a spreadsheet, but about 70% of the time, this questionnaire lives in a Word document.

Question types

Security questionnaires tend to be a standard set of questions, where you select some variation of a yes/no answer from a drop-down. You might need to add some commentary to back up your answer. While there will be some black-or-white questions in a DDQ, there is also room for interpretation and creating a narrative.

Succeeding with Security Questionnaires and DDQs

To knock content out of the park with security questionnaires and DDQs, naturally, the best technique is accuracy. With that top of mind, here are other tips to help you succeed as a responder.

Security Questionnaires

You have a lot less room to knock this content out of the park. Your data is encrypted or it’s not. You either have the firewall or you don’t. It’s not about how you implement the firewall, it’s simply: Do you have the firewall set up?

Stick to the facts

Obviously, one thing you don’t want to do is lie. Let’s say you are asked if you check your disaster recovery plans every 60 days. If your process is checking disaster recovery plans once a year, don’t say “yes.” They will find out 60 days later when you don’t meet their requirements.

Time to completion

Time to completion is a really good thing to shoot for with security questionnaire responses. You’re usually still in an evaluation process where you might be the vendor of choice or you’re one of two choices.

DDQs

Similar to an RFP response, there is more room for creativity with your DDQ content. However, don’t respond to a DDQ exactly as you would to an RFP. Before you respond, consult with the correct SMEs (subject matter experts).

Early stage advice

If you receive a DDQ in the early stages of the sales cycle, this document might be their vendor filtering method. DDQs are not the time for a sales pitch. Instead, consider showing your strengths with compelling and (most importantly) accurate narratives showing compliance.

Late stage advice

During the late stage of the cycle, your DDQ might be a recurring document you respond to with an existing client, or it could be in addition to a DDQ you’ve already answered. Get straight to the point and ensure accuracy to show you are still in compliance.

Next steps

If due diligence questionnaires are a regular part of your sales process, response software for DDQs, such as RFPIO, makes answering them a whole lot easier. Your RFPIO Content Library can answer many of a DDQ’s questions with a few clicks.

RFPIO can help you increase DDQ and security questionnaire accuracy and efficiency. Demo RFPIO today to support your sales process.
