Due Diligence and Due Care – Part 1

The following is my definition of Due Diligence and Due Care. As I am not a lawyer, I interpret them from my own point of view and avoid relating them to the context of the law.

Due Diligence

The core concept of due diligence is making informed decisions. A decision should be based on sufficient information and justification. A decision-maker who cannot do so does not exercise due diligence. The decision-maker is often the management.

  • Security Due Diligence
  • Financial Due Diligence
  • Operational Due Diligence
  • Legal Due Diligence
  • Human Rights Due Diligence

Due Care

The core concept of due care is a reasonable person’s compliance and best effort. A reasonable person should perform his or her duties according to the organization’s policies, standards, and procedures, and with best effort. Lack of due care is called negligence. The reasonable person role applies to everyone.

Due Diligence

  • detailed assessment of one or more business processes or production lines, culture, assets, liabilities, intellectual property, judicial and financial situation in order to make the outsourcing decisions. (ISO 37500:2014)
  • detailed assessment conducted by an economic operator to evaluate a supplier’s compliance with the guidance principles.
    Note 1 to entry: In the context of the guidance principles, due diligence is conducted through second-party audits or third-party audits and, wherever feasible, regularly monitored through government inspections and oversight. (ISO/IWA 19:2017)
  • comprehensive, proactive process to identify the actual and potential negative social, environmental and economic impacts of an organization’s decisions and activities over the entire life cycle of a project or organizational activity, with the aim of avoiding and mitigating negative impacts. (ISO 26000:2010)
  • process through which organizations proactively identify, assess, prevent, mitigate and account for how they address their actual and potential adverse impacts as an integral part of decision-making and risk management. (ISO 20400:2017)
  • compilation, comprehensive appraisal and validation of information of an organization required for assessing accuracy, commercial integrity, financial stability and functional competence integrity at the appropriate stage of the agreement sourcing process (ISO 41011:2017)
  • process to further assess the nature and extent of the bribery risk and help organizations make decisions in relation to specific transactions, projects, activities, business associates and personnel. (ISO 37001:2016)
