DDQs & You: An Explainer for Due Diligence Questionnaires

We’ve got the lowdown on due diligence questionnaires. With this explainer in your back pocket, you’ll be able to tackle DDQs with confidence.

Noah Tagliaferri

Sales Engineer

Getting ready to complete a DDQ? Don’t sweat it. Due diligence questionnaires may seem intimidating, but all you need to succeed is an intentional approach and a little preparation.

I’ve processed hundreds of DDQs for dozens of clients in my IT career. This explainer distills everything I’ve seen and learned into a handy guide you can refer to before and during your first DDQ request.

What is a DDQ?

A DDQ, or due diligence questionnaire, is one component of the operational due diligence (ODD) process, which helps investors evaluate a business’s risk by assessing its operational readiness, intellectual property, and more.

Whether you’re a biotech company raising your Series A or a VC firm seeking capital from limited partners, DDQs are a critical part of demonstrating that your business is a wise investment.

Who Receives DDQ Requests?

Ten years ago, IT and cybersecurity didn’t play a huge role in DDQs for early-stage companies. A company might not be scrutinized on those aspects until reaching an inflection point like raising a Series A or courting funding from a retail bank, large endowment, or similar.

But over the last five years, and especially the last three, the scope of DDQs has changed drastically. IT and cybersecurity questions now show up even for emerging VC firms raising their first funds and for nascent life sciences companies with only five employees.

Even setting DDQs aside, the world is moving toward one in which everyone is concerned about cybersecurity. No matter how small you are, investors and regulators care about your cybersecurity readiness. Scrutiny will only increase, which makes your attention to data security and compliance more critical than ever.

Why DDQs Exist

When investors send you a DDQ, they’re looking for confirmation that investing in you is a sound idea. Are you running a tight ship? Will their reputation be at risk if they partner with you? How likely is it that you’ll get breached? Are you following relevant compliance guidelines?

A DDQ can mean the difference between receiving a check from an investor and getting a polite—but firm—“we’ll pass.” However, this doesn’t mean that investors use DDQs to find reasons to say no.

If you get to the DDQ stage, it’s because they like you and your company; they want things to pan out. They aren’t hunting for the chance to disqualify you on something like a cyber policy. They just have to do their homework first.

What to Expect

→ Every DDQ will look different.

Let’s start with the bad news: Every DDQ you receive will be different, both in terms of format and content. It might arrive as an email, an online form, a PDF, a Word document, or even a spreadsheet or matrix.

Nor can you expect any two DDQs to phrase a question the same way, or to weight IT the same. In some questionnaires, IT and cybersecurity make up perhaps 5% of the questions; other investors send a separate questionnaire devoted solely to cybersecurity.

→ Most DDQs will ask about the same topics.

Thankfully, DDQs will—for the most part—ask very similar questions about your operations, compliance, governance, cybersecurity, and your investment thesis (for investment firms) or your intellectual property (for all other businesses).

Though you won’t be able to copy and paste every answer, this silver lining means that DDQs will get easier over time. There may be a few new details, but completing your second, third, tenth, and fiftieth DDQ will primarily involve rephrasing your company’s responses to match each questionnaire and its unique phrasing.

→ It’s a conversation, not a summary judgment.

Submitting your DDQ answers might feel like shouting into the void, but remember that it’s a conversation. The investor might have follow-up questions, allowing you to provide more context as needed, whether in an email or live on a call. If there’s a gap between where you are and where the investor wants you to be, in almost all cases, you’ll have an opportunity to meet in the middle.

The Illusion of the Perfect DDQ “Score”

Working with biotechs, VC firms, and other clients, the biggest misconception I’ve encountered is that every question’s answer must be “yes.”

That’s simply never going to be the case.

Many investors use a single DDQ template that they send to every company, regardless of size, industry, or stage of maturity. Inevitably there will be a question phrased in a way that doesn’t apply to you, or something you don’t do but address with a compensating control. There will be an outdated question that should have been removed years ago, or a question intended for a company much bigger than yours.

Answering “no” to a DDQ question isn’t the end of the world—as long as you have a good reason for your response.

In Pursuit of Thoughtful Answers

When completing a DDQ, it’s less about the right versus the wrong answer and more about giving a thoughtful response. Whether you’re saying “yes,” “no,” or “maybe,” investors want to see responses that show you’ve given careful consideration to each topic.

Sample Scenario: Penetration Testing for An Emerging Fund

Imagine you’re an emerging VC fund with 5 employees, all working out of your homes from personal computers and personal phones. After connecting with a retail bank about funding, they send you a DDQ.

It asks, among other things, if you perform penetration testing on your physical office. (A penetration test, or “pen test,” refers to an authorized, simulated cyberattack designed to find vulnerabilities in a computer system and ensure security controls are working as designed.)

In a scenario like this, there’s no office, no on-site servers, not even a shared printer whose cache could be compromised. If all you’re using is Google Workspace, does this mean the retail bank expects you to pen test Google? You can’t (Google’s infrastructure isn’t yours to test), and the question, as written, simply doesn’t apply. What you can speak to is how your own tenant is configured and how the devices your team uses to reach it are secured.

Example Response: Honoring the Spirit of the Question

In the hypothetical above, you might be inclined to just answer “no” and move on. That would technically answer the question, right? Sure. But a better answer—one that shows you’re paying attention—might look something like this:

“Because the firm is cloud-based and has no physical locations or physical assets that stand behind any firewall or network, penetration tests of a physical office are not necessary for our environment. However, we do use single sign-on and work with an external provider to monitor our systems and investigate suspicious activity immediately.”

This response contains two critical elements. It:

– Explains why the answer is a “no”
– Offers supplementary information that addresses the question’s core concern

Giving an in-depth response shows you don’t just understand what the question is asking; it shows you understand why they’re asking it.

How You Can Prepare

Even before you receive your first DDQ, prepare a summary of your cyber posture to use as a starting point. It should include:

– A list of all platforms and tools your business uses
– Whether MFA (multi-factor authentication) is enforced for every user on each of them, not merely available
– How your devices and systems are kept patched and up to date
– A description of your protections against phishing, malware, viruses, and other threats
– Steps you’ve taken to comply with recent SEC cybersecurity rulemaking, where it applies to you
– Your planned response to a cyber incident: who is notified, who decides, and how you recover
– How you secure your company’s equipment and premises (if applicable)

Opportunity, Not Obligation

The way you complete your DDQ speaks volumes about you and your company. Instead of seeing it as an obligation, think of a DDQ as an opportunity.

It would be easy to treat it like a boring, check-the-box exercise—and many do. But there is the potential for so much more. Make sure your responses embody your attitude toward your work. Demonstrate your capacity for critical reasoning. Showcase your foresight, your attention to detail, and your preparedness for what’s ahead.

More than anything else, seize the opportunity to prove why you, and only you, are the right choice for this investment.


Still have questions about DDQs? Book time with our Growth team to find out how Pliancy can support your company through this process and more.