Beyond the Balance Sheet

Financial audits tell you whether the numbers add up. Operational due diligence tells you whether the business behind those numbers is built to last. For trading firms, the distinction is critical: a firm can be financially sound today while harbouring operational weaknesses that make tomorrow's crisis inevitable.

Operational due diligence — ODD — is the systematic examination of how a firm actually runs. It looks at governance, technology, compliance, risk management, and the countless operational details that determine whether a firm can deliver on its commitments to traders, partners, and regulators. This guide covers what ODD encompasses, why it matters, and how firms can prepare for a thorough review.

What Operational Due Diligence Covers

ODD examines the infrastructure that supports a firm's activities. While financial due diligence asks "how much?" and "how profitable?", operational due diligence asks "how?" and "what could go wrong?" The scope is deliberately broad because operational failures can originate from any part of the business.

Governance and Leadership

Governance is the foundation of operational integrity. An ODD review examines:

  • Board composition and independence: Whether the firm has appropriate oversight at the highest level, including independent voices that can challenge management
  • Decision-making processes: How key decisions are made, documented, and communicated. Are there clear authorities and approval chains?
  • Organisational structure: Whether reporting lines are clear, whether segregation of duties is maintained, and whether the structure supports rather than undermines control
  • Key person dependencies: Whether critical knowledge or authority is concentrated in individuals without adequate backup or succession planning
  • Culture and tone from the top: Whether leadership demonstrates and reinforces a commitment to operational integrity in practice, not just in policy documents

"Governance failures rarely announce themselves. They manifest as a gradual erosion of standards, a slow drift from documented procedures, an accumulation of exceptions that become the rule. ODD is designed to detect these patterns before they crystallise into crises."

Technology and Infrastructure

For trading firms, technology is not a support function — it is the operational core. ODD technology reviews are correspondingly thorough:

  • Platform reliability: Uptime records, incident history, and the firm's track record of maintaining system availability during market stress
  • Data security: Access controls, encryption practices, data classification, and the overall security posture of the technology environment
  • Change management: How system updates, patches, and modifications are planned, tested, approved, and deployed. Poor change management is one of the most common sources of operational incidents
  • Disaster recovery and business continuity: Whether the firm has documented, tested plans for maintaining operations during technology failures, and whether those plans reflect realistic scenarios
  • Vendor management: How critical technology vendors are selected, monitored, and managed. Concentration risk in vendor relationships receives particular attention

Compliance Framework

Compliance in the ODD context extends beyond regulatory requirements to encompass the firm's entire framework for ensuring adherence to internal policies, external obligations, and industry standards:

  • Regulatory mapping: Whether the firm has identified all applicable regulatory requirements and mapped them to specific policies, procedures, and controls
  • Monitoring and testing: How the firm verifies ongoing compliance, including the frequency and scope of compliance testing programmes
  • Training and awareness: Whether staff receive adequate compliance training and whether training effectiveness is assessed
  • Reporting and escalation: How compliance issues are identified, reported, escalated, and resolved
  • Record-keeping: Whether compliance records are complete, accurate, and retained in accordance with applicable requirements

Risk Management

While risk management overlaps with other ODD areas, it warrants specific examination as a function:

  • Risk identification: Does the firm have a systematic process for identifying emerging risks, or does it rely on ad hoc awareness?
  • Risk measurement: Are risk metrics appropriate, consistently calculated, and meaningful to decision-makers?
  • Limit structures: Are risk limits clearly defined, monitored in real time, and enforced consistently?
  • Breach management: What happens when limits are breached? Is there a documented process for escalation, investigation, and resolution?
  • Stress testing: Does the firm conduct regular stress tests, and do the results inform business decisions?

Why ODD Matters Beyond Financial Audits

Financial audits are necessary but insufficient. They confirm that financial statements are fairly presented, but they do not assess whether the operational infrastructure is resilient, whether controls are effective, or whether the firm is prepared for adverse scenarios. History is replete with examples of firms that passed financial audits with clean opinions while operational weaknesses were already undermining their viability.

ODD matters because:

  • Operational failures are the leading cause of firm distress in the trading industry, ahead of market losses
  • Traders and partners increasingly demand evidence of operational integrity before committing capital or entering relationships
  • Regulators are expanding their focus from financial soundness to operational resilience
  • Insurance providers and banking partners use operational assessments to determine risk pricing and relationship terms

"A firm can survive a bad quarter in the markets. A firm cannot survive a governance failure that destroys trust, a technology failure that compromises data, or a compliance failure that attracts regulatory action. ODD addresses the risks that financial audits simply do not reach."

Red Flags in Operational Due Diligence

Experienced ODD reviewers watch for specific indicators that suggest deeper problems. While no single flag is necessarily disqualifying, patterns of flags warrant serious concern:

  • Documentation gaps: Policies that exist on paper but are not followed in practice, or practices that exist without documented policies
  • Excessive key person dependency: Critical functions that only one individual can perform, with no documented procedures or cross-training
  • Resistance to transparency: Reluctance to provide information, delays in responding to requests, or attempts to limit the scope of review
  • Inconsistent controls: Controls that are applied selectively rather than consistently, or controls that exist for some functions but not for analogous ones
  • Absent or untested contingency plans: Business continuity and disaster recovery plans that have never been tested, or that were tested so long ago as to be unreliable
  • Poor incident history management: No records of past incidents, no evidence of root cause analysis, or repeated incidents of similar types suggesting systemic issues are not being addressed
  • Conflicted structures: Organisational arrangements where the individuals responsible for taking risk are also responsible for monitoring and reporting on it

Preparing Your Firm for an ODD Review

Preparation for ODD should not be a frantic exercise in the weeks before a review. The most effective preparation is an ongoing commitment to operational excellence. However, firms approaching a formal review can take specific steps to ensure the process is smooth and productive.

Conduct a Self-Assessment

Before external reviewers arrive, conduct your own honest assessment against the areas outlined above. Identify gaps, document remediation plans for any issues found, and begin addressing them. Self-identified and self-remediated issues are viewed far more favourably than issues discovered by reviewers.

Organise Documentation

Ensure that policies, procedures, governance records, and compliance documentation are current, organised, and accessible. Reviewers will request a wide range of documents, and delays in providing them slow the process and create negative impressions.

Prepare Key Personnel

Staff who will interact with reviewers should understand the purpose of the review, what to expect, and how to respond to questions. This is not about coaching staff to give specific answers — it is about ensuring they are comfortable, honest, and able to demonstrate their knowledge of the firm's operations.

Address Known Weaknesses

Every firm has areas that could be stronger. Where weaknesses are known, the best approach is to acknowledge them proactively, demonstrate awareness of the risk they create, and present a credible plan for remediation. Attempting to conceal known weaknesses invariably backfires when reviewers identify them independently.

Engage Leadership

Ensure that senior management and board members are engaged in the ODD process, not just delegating it to compliance teams. Reviewer conversations with leadership are a critical component of the assessment, and disengaged leaders send a powerful negative signal about the firm's commitment to operational integrity.

The Return on Operational Excellence

Firms sometimes view ODD preparation as a cost centre: an investment with no direct return. This perspective misses the substantial benefits that operational excellence delivers. Firms with strong operational frameworks experience fewer incidents, lower insurance premiums, stronger banking and processing relationships, easier regulatory interactions, and, most importantly, greater trust from the traders and partners on whom their business depends.

Operational due diligence is not an obstacle to be overcome. It is a mirror that reflects the true state of your operations — and an opportunity to ensure that what the mirror shows is a firm built for resilience, integrity, and long-term success.