Before you sign anything: a complete operational due diligence guide

Whether you're an investor evaluating a target company, a buyer running pre-close checks, or an advisor managing a complex transaction, operational due diligence is the process that tells you whether a deal is actually worth doing.

What is operational due diligence?

When most people hear "due diligence," they think about financial statements, tax filings, and legal contracts. But there is another layer that matters just as much, sometimes more. That layer is operational due diligence (ODD).

Operational due diligence is the process of examining how a business actually runs. Not just what it earns, but how it earns it. It covers the internal systems, people, processes, technology, supply chains, and risk controls that make a company function on a daily basis.

Think of it this way: financial due diligence tells you what the numbers say. Operational due diligence tells you whether those numbers are real and whether they can be sustained.

It's used across private equity, mergers and acquisitions (M&A), venture capital, and even real estate transactions. Any time money is moving based on the promise of a business continuing to perform, operational due diligence is the check that validates that promise.

Why operational due diligence is critical

A deal can look excellent on paper and still fail in execution. That gap between what a company presents and how it actually works, is exactly where operational due diligence lives.

Here's why it matters so much.

It catches what financials miss. Financial statements show results. They do not show you that the company is completely dependent on one key employee, or that its core software hasn't been updated in four years, or that three of its top ten clients are quietly unhappy. Operational due diligence surfaces these issues before they become your problem.

It protects the value you're paying for. If you're acquiring a business at a multiple of its EBITDA, you're betting that performance continues. Operational gaps like poor processes, weak management, technology debt, can erode that value quickly post-close. ODD helps you understand what you're actually buying.

It informs negotiation. When operational issues are identified early, they become leverage. You can negotiate a lower price, ask for specific representations and warranties, or structure earnouts that protect you against underperformance.

It prevents post-acquisition surprises. The most expensive problems are the ones you discover after the ink dries. Operational due diligence is your best tool for reducing the likelihood of those surprises.

In short, skipping or rushing ODD is one of the most common and most costly mistakes buyers make in any transaction.

Types of operational due diligence

Operational due diligence is not a single checklist. It adapts based on the type of deal, the industry, and what risks matter most. Here are the main types:

Commercial due diligence

This looks at the market position and commercial viability of the business. Are customers loyal? Is the sales pipeline real? How competitive is the market? What does growth actually look like?

Technology and IT due diligence

A review of the company's systems, infrastructure, software, cybersecurity posture, and technology debt. In today's environment, this is almost always a critical workstream.

Human capital due diligence

This examines the people side, leadership quality, key person dependency, culture, compensation structures, and employee retention risk.

Supply chain and vendor due diligence

Evaluates how exposed the business is to third-party risk. Are vendors reliable? Are there single-source dependencies? What happens if a key supplier fails?

Regulatory and compliance due diligence

Reviews the company's track record with regulators, licenses, industry-specific compliance requirements, and any pending or historic enforcement actions.

ESG and sustainability due diligence

Increasingly important for institutional investors. This looks at environmental practices, governance structures, and social responsibility.

Most serious transactions will run several of these in parallel, especially for larger or more complex deals.

Operational due diligence framework

A strong ODD process isn't a freeform investigation. It follows a framework that keeps the work organized, consistent, and defensible.

A solid operational due diligence framework typically follows four pillars:

1. Scope definition

Before anything else, define what you're looking at and why. What are the highest-risk areas given the industry, deal size, and structure? What questions need to be answered for the investment thesis to hold? This step stops teams from spending weeks on low-priority areas while material risks go unexamined.

2. Information gathering

This is where document requests come in. The target company provides financial records, operating data, contracts, org charts, system documentation, and more. A secure, well-organized virtual data room is essential here, more on that shortly.

3. Analysis and verification

The information is reviewed, cross-checked, and tested. Management interviews are conducted. Site visits may occur. Advisors and subject matter experts are brought in where needed. This phase is where the real findings emerge.

4. Reporting and recommendations

Findings are consolidated into a report that clearly identifies risks, their materiality, and how they should be addressed, whether through deal structure, pricing, representations, or other protections.

Risk assessment and deal customization

Not every risk is equal. Part of what separates good ODD from a box-ticking exercise is proper risk assessment, understanding the severity, likelihood, and manageability of what you find.

Operational risks typically fall into a few categories:

Dealbreaker risks

Issues so fundamental that no pricing adjustment or warranty can adequately address them. A regulatory license that cannot transfer, a critical contract that terminates on change of control, or a pattern of data security breaches would fall here.

Pricing risks

Issues that don't kill the deal but warrant a lower purchase price or specific adjustments to deal economics.

Transition risks

Risks that are manageable if handled proactively, but could cause real disruption post-close if ignored. Examples include technology migration complexity, key employee retention, and customer communication plans.

Monitoring risks

Lower-priority items worth tracking post-acquisition but not material enough to affect deal terms.

Good risk assessment also means customizing your ODD to the deal. A $5M acquisition of a local services business needs different depth than a $250M carve-out of a manufacturing division. The framework scales and so should the rigor of each workstream.

One thing that should never scale down, regardless of deal size: the security of your document review process. Sensitive deal documents, management presentations, and confidential data need to stay in controlled environments. Tools like Ellty are built specifically for this, giving buyers, sellers, and advisors a secure space to share documents, track who has reviewed what, and maintain a clean audit trail throughout the process.

Step-by-step: operational due diligence process

Here is how a typical ODD process flows from start to finish:

Step 1: Kick-off and scoping

The buyer and their advisors define the deal thesis, key risk areas, and the scope of the ODD workstreams. A document request list (DRL) is prepared and sent to the target.

Step 2: Data room setup

The seller organizes documents in a virtual data room, structuring folders by topic area such as financials, legal, operations, HR, technology, contracts, and so on. Access is granted to the buyer's team with appropriate permissions.

Step 3: Document review

The buyer's team works through the data room, reviewing and analyzing materials. Questions are logged, and follow-up requests are made for missing or unclear items.

Step 4: Management meetings and interviews

Formal sessions are held with the target's leadership team. These are critical for understanding things that documents alone can't tell you like culture, team capability, and how management responds under pressure.

Step 5: Expert analysis

Depending on scope, external experts may be engaged, cybersecurity assessors, HR consultants, supply chain specialists, or commercial advisors who can benchmark the business against industry peers.

Step 6: Finding synthesis

All workstreams consolidate their findings. Issues are categorized by severity and type. The deal team begins translating findings into deal implications.

Step 7: Reporting

A final ODD report is produced. This typically includes an executive summary, workstream-by-workstream findings, a risk register, and recommended deal actions.

Step 8: Deal finalization

The ODD report feeds directly into final negotiations - pricing, representations and warranties, indemnities, and post-close integration planning.

How long does the commercial due diligence process take?

There is no universal answer, but here is what most deals look like in practice.

Small transactions (under $10M): Two to four weeks for a focused ODD process, assuming the data room is well-organized and the target is responsive.

Mid-market transactions ($10M–$200M): Four to eight weeks is typical. More workstreams, more documents, more interviews.

Large or complex transactions ($200M+): Eight to twelve weeks or more, especially for businesses with multiple geographies, complex regulatory environments, or fragmented technology systems.

A few factors that extend timelines: incomplete or disorganized data rooms, slow response from the target team, deal complexity, regulatory overlaps, and the need for specialist advisors.

A few factors that compress timelines: a well-organized data room with pre-indexed documents, a clear document request list from the buy side, and experienced advisors who know what to look for.

This is one of the most underappreciated reasons to get your data room right from the start. A messy data room adds days, sometimes weeks to a process that is already time-pressured.

Ellty Room and Room Plus plans are built for exactly this kind of high-stakes document management with granular permissions, NDA gating, and real-time activity tracking so you always know where things stand.

Virtual data rooms: the backbone of operational due diligence

If the ODD process is the engine of a deal, the virtual data room (VDR) is the chassis everything runs on. Without a proper VDR, the whole process becomes harder, slower, and more prone to mistakes.

Here is what a good VDR does for operational due diligence:

Controls who sees what. Not everyone on a deal team needs access to everything. A VDR lets you set folder-level and document-level permissions so different reviewers only access what's relevant to them and nothing else.

Tracks everything. When did each reviewer open a document? How long did they spend on it? Did they forward it anywhere? This audit trail is not just useful - in many deals, it is required.

Protects sensitive materials. With dynamic watermarking, NDA gating, and restricted visitor access, a VDR ensures that confidential information stays confidential throughout the process.

Accelerates review. A well-organized data room means fewer follow-up questions, faster review cycles, and a shorter overall timeline.

Creates accountability. Both sides of a deal benefit from knowing that the document review process is documented and traceable.

Why Ellty is the right choice

Ellty is a secure document sharing and analytics platform with full VDR functionality, built for anyone running a professional deal process without the overhead of an enterprise contract.

Here's what sets Ellty apart:

Transparent, flat pricing. No per-user charges. No per-page fees. No custom quotes that take weeks to negotiate. You pick a plan and know exactly what you're paying, whether your review team has 3 people or 30.

Ellty plans for due diligence:

• Free ($0/month): Document tracking, real-time analytics, and secure sharing. A good starting point for early conversations when you want to see who's opening what before setting up a full data room.
• Standard ($69/month): Unlimited documents, advanced analytics, eSignatures, custom branding, and data room features. Works well for smaller deals and ongoing investor communication.
• Room ($149/month): Granular permissions, NDA gating, dynamic watermarking, and restricted visitor access, everything you need to run a controlled document review for due diligence, property transactions, or client deliverables.
• Room Plus ($349/month): Group visitor permissions, full audit logs, up to 4,000 assets per data room. Built for heavier document loads and multi-party deals with structured access control across different reviewer groups.

For most M&A and investment due diligence processes, the Room or Room Plus plan is where serious deal teams start.

Quick setup. You don't need an implementation team or a training session. Ellty is designed to be set up quickly, so you can start sharing documents and tracking activity on day one.

No surprises. Unlike legacy VDR platforms that quote low and charge high, Ellty pricing is what it says. No overage fees as the deal team grows.

Operational due diligence checklist

Use this checklist as a starting framework for your ODD process. Customize it based on deal type, industry, and risk profile.

Business operations

• Overview of core business processes and workflows
• Key operational dependencies and single points of failure
• Capacity analysis - can the business scale?
• Operational KPIs and how they are tracked

Technology and systems

• Inventory of key systems and infrastructure
• Technology debt and maintenance backlog
• Cybersecurity posture and recent incidents
• Software licenses and renewal dates

Human resources

• Organizational chart and headcount
• Key person dependencies
• Employee turnover data (last 2–3 years)
• Employment contracts and non-competes
• Compensation benchmarking

Commercial and customer

• Customer concentration analysis
• Sales pipeline and conversion rates
• Customer satisfaction and retention data
• Key contracts and their change-of-control provisions

Supply chain and vendors

• Key vendor list and contract terms
• Single-source dependencies
• Vendor performance history
• Contingency plans for supplier disruption

Regulatory and compliance

• Applicable licenses and permits
• Regulatory correspondence and any enforcement history
• Industry-specific compliance requirements
• Data privacy practices (GDPR, CCPA, etc.)

Financial operations

• Accounts receivable aging
• Working capital cycle
• Budgeting and forecasting processes
• Internal controls and audit findings

FAQs

What is the difference between operational due diligence and financial due diligence?

Financial due diligence examines the historical and projected financial performance of a business such as revenue, margins, debt, cash flow, and so on. Operational due diligence looks at how the business runs: its people, processes, technology, and systems. The two are complementary - financial due diligence tells you what has happened; operational due diligence helps you understand why, and whether it's sustainable.

Who conducts operational due diligence?

ODD is typically conducted by the buyer's team, often with support from specialist advisors. Depending on the scope, this can include management consultants, HR specialists, cybersecurity experts, and commercial advisors. On smaller deals, the buyer's internal team may handle most of it. On larger transactions, multiple external workstreams run in parallel.

At what stage of a deal does operational due diligence happen?

ODD typically begins after a letter of intent (LOI) or term sheet is signed, during the exclusivity or confirmatory due diligence period. However, some buyers start high-level commercial assessments earlier in the process to inform their initial bid.

What documents are typically shared during operational due diligence?

Common documents include organizational charts, employee contracts, technology inventories, customer contracts, vendor agreements, operational KPI reports, compliance records, audit reports, and internal process documentation. These are usually shared through a virtual data room with controlled access.

How is operational due diligence different for private equity versus strategic buyers?

Private equity buyers tend to focus heavily on operational efficiency, scalability, and management quality, because they are typically planning to grow and eventually exit the business. Strategic buyers may focus more on integration risk, synergy validation, and culture fit, since the acquired business will be merged into their own operations.

What happens if operational due diligence reveals significant problems?

It depends on the severity. Minor issues may be addressed through price adjustments, representations and warranties, or indemnity provisions. More significant issues may lead to a restructuring of deal terms, a requirement for management to resolve certain items before close, or in serious cases, a withdrawal from the deal entirely. Finding problems during ODD, not after closing, is exactly what the process is designed to do.

Can a virtual data room really make a difference in the due diligence process?

Yes, significantly. A disorganized document review process adds time, creates confusion, and increases the risk of sensitive information being mishandled. A well-structured VDR with proper access controls, NDA gating, and activity tracking keeps the process on track, protects confidential information, and provides the audit trail that serious deals require. Platforms like Ellty are specifically built for this without the complexity or cost of legacy enterprise VDRs.

Final thoughts

Operational due diligence is not a formality. It is one of the most important things you can do to protect value in a transaction and one of the most frequently underestimated.

Done well, ODD does three things: it confirms the investment thesis, surfaces risks before they become your problem, and gives you the information you need to negotiate a smarter deal. Done poorly or skipped, it leaves you exposed to exactly the kind of post-close surprises that destroy returns.

The process is not complicated. It requires a clear scope, organized information, the right people asking the right questions, and a secure environment where documents can be shared, tracked, and reviewed without risk of leakage.

That last part is where Ellty fits in. Whether you're running a small acquisition, managing an investor data room, or handling a complex multi-party transaction, Ellty gives you the core VDR functionality that matters, at a price that makes sense, with no surprise fees and no unnecessary complexity.

Start with the free plan, set up your first data room, and see how much smoother your next deal process can be.