Due Diligence, Risk ID for Major Projects

Episode: 018
Date: Tue 28 Sep 2021
Title:               Due Diligence, Risk ID for Major Projects


Due diligence is not the same as risk assessment, but they are complementary. Let’s explore their application in major projects.



Due Diligence (defined) and High Quality Risk Assessment: how are they used in a complementary fashion in major projects?

Main points

1. Reflections on financial risk management (Ep 17): quote from L. Burke Files.

1. Definition of due diligence.

2. How due diligence is distinct from yet complementary to risk assessment: order of operations.

3. a. Due diligence in major investment projects: example of detailed schema using a maturity matrix:
– review of firm
– management team
– business model
– deal structure

3. b. What are the risks evident in the maturity analysis? The old adage is “high returns = high risk”. Is it strictly accurate?

Example: An investment structure and management team with a relatively low risk profile may have significant returns designed into the product.

Conversely, a low-ROI product may be subject to uncontrollable conditions, or have sub-standard management, and thus carry high risk.

With this methodology, risk takes on a comprehensive and properly differentiated character. We want separate views of:
– level of maturity of the firm, management team, business model and deal structure;
– the anticipated returns (due to the nature of the investment); and
– the risk profile affecting execution.
 4. Application of Due Diligence and High Quality Risk Assessment in stages of major projects:
– review of strategic options; procurement process; financing methods – use combination of methods
– review of major stages (feasibility; approvals; construction phases; commissioning) – risk assessment

1. Due diligence has to do with checking against pre-set authoritative criteria; risk assessment has to do with investigating the uncertainty associated with plans to execute goals and objectives.
2. The two are complementary methods that help you take your analysis of candidate projects beyond the single dimension of a probability estimate of success (assuming you even have a relevant Risk Rating database).
3. Use criteria arranged in levels of accomplishment to assign a maturity score in one or another aspect.
4. We used the categories of firm, management team, business model and deal structure in a sample due diligence system. You can create the system that is relevant to your business.
5. Check your project management methods to ensure you are using due diligence, as applicable, and risk assessment at all phases of major projects. The risk register helps you not only design contract clauses but also guide the ongoing management.

“The practice of due diligence has evolved into SOX checklists… Best practice awards are given to the weightiest presentations (by the pound) and third part vendors are predominantly selling ‘perfect solutions’ for enterprise risk management that will seriously impede your ability to conduct business.” (L. Burke Files, Due Diligence for the Financial Professional, 2010, p.6)

Robertson, E. Enterprise Risk Management Tools and Templates, 2016. p. 35 – Enterprise Risk Management maturity matrix, based on Carnegie-Mellon methodology.

Mark C. Paulk, Bill Curtis (CAST Research Labs), Mary Beth Chrissis, Charlie Weber Capability Maturity Model for Software (Version 1.1)   The original article whose methodology has been borrowed and applied to many aspects of business.


[edited for clarity]

This is Ep18 Due Diligence and Risk Identification for Major Projects. 

In the last episode episode (17) on financial risk management, we cautioned against the use of, or I should say, the exclusive use of a financial models, quantitative models, to do risk assessment. I suggested that be subject to a broader review to bring in different disciplines and a strategic context.  

I have another quote here from a professional in due diligence, who has a similar philosophy. He says:

“The practice of due diligence has evolved into SOX [Sarbanes Oxley] checklists, anti-money laundering policy and procedure manuals. Best practice awards are given to the weightiest presentation, by the pound, and third party vendors are predominantly selling ‘perfect solutions’ for enterprise risk management that will seriously impede your ability to conduct business.”  

And he concludes his chapter by saying: “What is needed today is a less rigid, less quantified, more qualified and thoughtful approach to due diligence.”  

Well, I’ll give a citation in the show notes so that you know where that comes from. But in this episode what we want to do is take a look at due diligence and investigate its relationship to risk assessment.  

[02:10] We’ll start with a working definition of due diligence and how it’s distinct from risk assessment. We’ll also discuss how they can be used together; how they’re complementary; what order of operations you should take. Then we’ll go into a specific schema to conduct due diligence in, let’s say a major investment project, and then discuss again, in a little more detail, how the risk assessment would be applied on the same project, and discuss the implications of that approach. In conclusion, we’ll talk about the application of high quality risk assessment in stages of major projects.

[02:46] Well this is not an authoritative definition, but it’s one that differentiates it from risk assessment: What I want to say is that due diligence really concerns itself with the checking of the presence or absence of one or another feature. So you might say: well, that sounds like a checklist operation, where you go through a list of criteria … and in a sense, well, that’s correct, but that doesn’t mean it’s a bad thing to do. In fact it’s really a good first step.

The whole question of the quality of the process lies in the nature and degree of refinement, and the business savvy that is built into the criteria that you have in that checklist. Now I think this is going to become a little bit clearer when I give the example on the major projects and the investment project that we’re going to discuss in just a few minutes.  

But let’s be clear: there’s a distinction between due diligence and risk assessment. So if due diligence — if I’m correct in formulating at that way, in saying that it consists in the verification of the presence or absence of certain essential, and very telling and relevant features, according to the context — then risk assessment is something else again. It’s an investigation of the uncertainty that is associated with the plans to execute to achieve a certain goal or objective — and that that is distinctly different.

Now I think it makes sense to use due diligence as the first in the order of operations. That is, if you’re going to make a selection about a certain investment, or a project, or some sort of endeavor where you have a “hurdle” — you’ve got minimum requirements that must be met — then these can be incorporated into a checklist. And you start out with those… that means that you know you’ve got something that’s feasible, that’s going to pass the minimum requirements, that you have as a starting point. Then afterwards, you can take a look at the uncertainty, by doing a risk assessment.  

Let me give you an example. One day, back in the day when I was at risk management branch, the exec director came to my office and said: I’m consulting with a federal group, trying to figure out the best risk financing method for this federal agency. Now how can we use risk assessment to help us make the decision to choose the best risk financing method?  

[05:20] So I grabbed a sheet of paper and I said, well, do you have criteria in mind, essential criteria, things that the risk financing method must do… requirements or qualifications that it has to meet? And he said yes.  

And I said, okay, and I drew matrix on this piece of paper. Across the top, on the x axis, I put a space for each one of these criteria. Then I said, I take it you have different risk financing methods in mind, different candidates or options, isn’t that right? and he said, yes. So I made a space in the y axis, on the left hand side of the sheet of paper in this matrix, for each of those options. Then I said the first thing to do is simply to go through this matrix, and check off the various criteria or features for each option, and see which option wins out — which one, on the face of it, meets the requirements.

Now that’s a fairly simple exercise. But once you’ve done that, you’ve passed the first barrier, the first hurdle of your decision making process. Then I said: once you’ve selected the winning candidate using this method, that’s the time to then do risk assessment — in other words to investigate the uncertainty, the risk, that is imposed by selecting this one option over the other ones.

He came back later and said that method actually worked, so I got some confirmation on that score.

[06:46] Now I want to introduce the idea of a maturity matrix. Perhaps you’ve heard of that. It was originated by Carnegie Mellon University. They used it originally for vetting the quality of software service providers, but since that time it’s been used in many different business contexts, including enterprise risk management. So here’s what it looks like:

You’ve got a set of criteria that are arranged in levels. So if you wanted to assign a score to your organization with regard to its level of maturity in its enterprise risk management practice, you would have to have a schema that sets out certain criteria that are associated with level 1 — let’s say, the basics. 

Then other criteria could be assigned to Level 2, indicating a more mature practice, and so on. In my book Enterprise Risk Management Tools and Templates on page 35, there’s an example of one of these maturity matrices for enterprise risk management. You can see that it’s set out with five levels of maturity and this is borrowed from the Carnegie Mellon method. So it goes from Level 1 “initial” to Level 2 “repeatable”, Level 3 “defined”, Level 4 “managed” and finally a Level 5 “optimized”.

So my point in bringing that up is that we can apply that concept in our little thought experiment today to do due diligence on a major project — that is a financial investment that is intended to be a cash flowing project, or if not cash flowing, then is intended to deliver some return on investment.  

[08:19]Alright, so our due diligence exercise, which is the first exercise: we’re going to consider four categories of due diligence.. and they [each] will have criteria, arranged, as I indicated, by level of maturity.  

It might make sense, for example, to start with the category of Firm — the maturity analysis of the firm itself. Then we can proceed to maturity analysis of the Management Team. Then in the third category will go to a maturity analysis of the Business Model that they propose. And in the fourth category we’ll do a maturity analysis of the Deal Structure. So I’m proposing that to investigate a project, to assess a project of this nature, those four broad categories make sense: Firm, Management Team, Business Model, Deal Structure. 

So starting with a review of the Firm and applying a list of criteria we can start with what we would characterize as the minimum criterion that they would have to meet, and that would be to provide audited financial statements. We could also have various measures in the form of financial strength ratios, and if they met those minimum requirements then you could proceed with the other criteria in the list for Firm. These could have to do with their market position, products and services, or level of profitability, the market outlook, and then their internal processes, their HR, the strength of their internal assets, and so on.

So you can see I’m proposing that you would set out all of these various criteria in levels of maturity, so that you’re able to assign them a score.This is semi-quantitative analysis, where you check for the presence or absence of certain features, and then convert that qualitative information into a quantitative score.  

The second category of analysis for our due diligence of this firm is the Management Team. Now there the minimum hurdle that they would have to meet would be their registration notices; the fact that they would be in good standing with the regulatory agencies; that there would be no stop trades or warning against any of the members on the management team. Having met those initial criteria, the other items to check on the management team list for due diligence would be the competencies and backgrounds, experience and track records, and so on.  

[10:40] The next major category of due diligence that we proposed was the Business Model itself. There you may not have any specific minimum criteria, but you could look at the soundness of the concept and the excellence in execution at this stage of their proposed business model. You would have to look deeply into it to find out the degree of sophistication and deliberate strategy: to what degree are things simply uncertain and undefined in their proposed business practice?; to what degree is it well planned, well researched, and actually already proven?  

You could also compare their proposed business practice with that same practice in the general market and find out, in a general sense: what are the risks?; what is the likelihood of success?; what is the likelihood of a positive cash flow? So you can see, there is, of course, a place for the various financial models — if that sort of data is indeed available. Otherwise, it will be a matter of trying to assess the competitiveness of the firm, and to assess the quality of its unique competitive features. 

[11:49] The final major category that we’re proposing is the deal structure. You could have certain criteria with regard to the intent to return the investors’ money: How soon do I get my money back with this investment?; what is the nature and frequency of the distributions that are intended?; essentially, how well are the investors’ interests protected and looked after?; what does the management compensation look like?; do they have skin in the game?; are their interests aligned with those of the investors?

Well, now that we’ve reviewed, at least in a cursory way, the four major categories in this proposed due diligence system (that is: Firm, Management Team, Business Model, and Deal Structure) you’re probably wondering: well, does anyone have a due diligence system where they’ve got these categories set out like this, with all of the various criteria neatly arranged into levels of maturity, that they can use for a scoring system?  

The answer is: no, there’s nothing like that that I’m aware of — I simply put my own together, along the lines of what I’ve described to you. But you would have to create your own, based on the nature of your business, the nature of your target investments and projects.  

[13:01] You recall back in the last episode, we talked about the Internal Risk Rating System. Well, this is what I’m proposing — except that I’m proposing that you go beyond simply a database that gives you a probability of success or failure (given the nature of the business).  

Rather, to build out a multi-variant due diligence system in several categories of analysis. Of course, that’s not easy to do. But once you get started and the more you build it and refine it as you proceed with your business, the more valuable it will be — the better it will serve you.

[13:36] All right, so in my proposed method, after we finished the due diligence portion of the exercise, we can take a look at where the candidate project actually scored poorly. From that information, we can start to generate a risk profile — that is, we can formulate the risks, just like we were doing for high quality risk assessment, based on the idea that: well, in certain aspects of the Firm, they’re deficient; or in certain aspects of the Management Team, they’re deficient; or their Business Model, and so on. Each of those deficiencies presents some sort of uncertainty or risk which should be identified, quantified… it should be assessed and set out in the risk matrix, and something should be done about it (to mitigate the risk). 

The end result is that you’ve got not only a due diligence exercise, based on authoritative criteria, you’ve also actually got an investigation into the uncertainties, using risk assessment.

The question that arises: how much time and effort are we going to spend in following this proposed method for any given project? Of course, the answer is: it all depends on the magnitude of the project. We can see in many examples, whether in public or private sector, a lot of money is being spent where the due diligence and risk assessment applied is simply not sufficient. 

I would consider doing due diligence and risk assessment very thoroughly. Not only does it help you assess the viability of the project, it also helps you manage the project and [helps to ] ensure success.

Can you imagine if you actually included the candidate management team in the risk assessment process and shared with them the results of your analysis? — how it would equip them to really run the business much better, and give you confidence that they’re actually going to do a good job and be successful in meeting their goals and objectives? 

[15:26] There’s another way in which this proposed method gives a little more sophistication compared to the conventional approach. The old adage is that “high returns equal high risk”. And I’ve seen this on the website of financial authorities. High returns equals high risk… is that strictly accurate?

You know, you could have an investment structure and a management team with a very low risk profile, and so they’re destined to be successful — and yet they simply [do or] do not have high returns designed into the product. Conversely, you could have a product with a low return on investment, and so you would say: that must be, by definition, low risk. But no, it could be subject to uncontrollable conditions; they might have substandard management, and therefore they might carry high risk.

So I don’t see that this adage ‘high returns equals high risk’ is really useful. Instead, if we do our multi- variant due diligence, and then apply high quality risk assessment… well, with that methodology, risk takes on a comprehensive and properly differentiated character.  

[16:36] So we’re going to have a separate and distinct view of the level of maturity of the features of the Management.. of the Deal… of the Firm, and so on, as opposed to the anticipated returns, which is largely determined by the nature of the investment proposal, and the market that they’re getting into.

And those two [i.e., maturity and projected return] again will be distinct from the risk profile — the uncertainty that is impinging upon their plans for action.

 [17:00] Well, one final aspect of the application of due diligence and high quality risk assessment that I wanted to discuss today is their application to major projects. So I can ask you: What is the state of risk management within your project management methodology?  

If it’s just minimal, if you only do one risk assessment, let’s say, at the beginning of the project, then I suggest that that’s not sufficient. You can take the various stages of a major project. First of all, you’re going to be reviewing the strategic options; you’ll be looking at your procurement process; you’ll be looking at financing methods (the way I was discussing earlier in the example at risk management branch)… There you can use a combination of methods, using due diligence criteria and a risk assessment.  

As you proceed into major stages of a project, that is where you’ve got [the stages of] feasibility… approvals… a construction phase… and then perhaps commissioning.  

The risk assessment that attaches to each of those stages is going to be distinct and very useful to identify the various uncertainties and help you manage the project successfully.  

Don’t forget that the risk assessment that you conduct at various stages of the project can help inform the clauses of the contracts that you may have with service providers. That helps you to, so to speak, “paper the deal.“

[18:31] All right, well let me try to summarize what we covered today:

1. Due diligence has to do checking against preset authoritative criteria, while risk assessment has to do with investigating the uncertainty that is associated with plans to execute on goals and objectives.
2. The two methods are complementary, because you take your analysis of candidate projects beyond the single dimension of probability estimate of success for similar projects (based on some database that you may or may not have).
3. Use criteria, arranged in levels of accomplishment, to assign a maturity score in one or another aspect. 4. We use the categories of Firm, Management Team, Business Model and Deal Structure to create an example for analysis of candidate projects for an investment.
5. Check your Project Management methods to ensure that you’re using due diligence, as applicable, and risk assessment at all phases of major projects. The risk register that you develop helps you not only to design contract clauses (where those come up) but also to guide the ongoing management of the project.






Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Leave a Comment

Your email address will not be published. Required fields are marked *

Social Media

Recent Posts

Get Transcripts | Resources

Subscribe To Our Monthly Newsletter