Due Diligence Questionnaire (DDQ): What It Is and How to Prepare

What Is a Due Diligence Questionnaire (DDQ)?
A Due Diligence Questionnaire (DDQ) is a structured set of questions used to gather comprehensive information about a vendor, investment target, or business partner before entering into a formal relationship. In the context of enterprise procurement and vendor management, a DDQ goes beyond security controls to cover the full range of organizational risk: financial stability, corporate governance, business continuity, legal history, insurance coverage, regulatory compliance, operational resilience, and supply chain risk.
While a security questionnaire focuses specifically on a vendor’s information security posture, a DDQ takes a broader view of whether the vendor is a sound and reliable organizational partner. Both instruments are increasingly standard in enterprise vendor onboarding processes, particularly for vendors who will provide mission-critical services, handle sensitive data, or create significant operational dependencies.
TL;DR — Key Takeaways
• A DDQ gathers comprehensive organizational risk information about a vendor before onboarding.
• It covers financial stability, corporate governance, legal history, business continuity, and security in addition to technical controls.
• DDQs are broader than security questionnaires, which focus specifically on information security controls.
• High-value and high-risk vendor relationships typically trigger both a DDQ and a security questionnaire.
• In investment contexts, DDQs assess fund managers and investment vehicles before capital allocation.
What Does a DDQ Cover?
A comprehensive due diligence questionnaire covers multiple dimensions of organizational risk, each addressing a different category of concern for the buyer or investor.
Financial stability and viability covers the vendor’s financial health: revenues, profitability, cash reserves, debt obligations, funding history, and ownership structure. This dimension addresses the question of whether the vendor will still exist and be capable of supporting its customers in three to five years. A vendor who wins a long-term contract but becomes insolvent during the contract period creates significant operational risk for the buyer.
Corporate governance covers the organization’s ownership structure, board composition, management team stability, related-party transactions, and ethical governance practices.
Legal and regulatory history covers any material litigation, regulatory investigations, enforcement actions, or compliance failures that might affect the vendor’s ability to perform or create reputational risk for the buyer.
Business continuity and operational resilience covers how the vendor ensures continuity of operations in the event of disasters, cyberattacks, key personnel loss, or supply chain disruptions.
Insurance coverage covers the types and limits of insurance the vendor maintains — cyber liability, professional indemnity, general liability, errors and omissions — which determines how financial losses would be allocated in the event of a vendor failure or incident.
Supply chain and subcontractor risk covers the vendor’s own dependencies: which critical suppliers or subcontractors it relies on, how it assesses and manages those relationships, and what concentration or single-point-of-failure risks exist in its supply chain.
Environmental, social, and governance (ESG) risk covers labor practices, environmental impact, anti-corruption policies, and other ethical standards that are increasingly important in enterprise and public sector procurement.
How Does a DDQ Differ from a Security Questionnaire?
The distinction between a DDQ and a security questionnaire is one of scope. A security questionnaire focuses specifically on information security controls: how the vendor protects data, manages access, responds to incidents, maintains systems availability, and certifies compliance with security frameworks like SOC 2 and ISO 27001. A DDQ covers all of this, plus financial health, governance, legal history, business continuity, insurance, supply chain, and ESG. In enterprise vendor onboarding, the security questionnaire asks “will this vendor expose us to a data breach?” The DDQ asks “will this vendor still exist and be capable of performing in three years, and are they a sound organizational partner?”
In practice, many organizations administer both: the security questionnaire for technical security assurance, the DDQ for broader organizational risk assessment. Some organizations combine elements of both into a single comprehensive vendor assessment document; others keep them separate and administer them to different risk tiers. Understanding why enterprises send security questionnaires provides context for why they also send DDQs: both are instruments for operationalizing vendor risk management programs before granting access or forming dependencies.
When Is a DDQ Typically Required?
DDQs are most commonly triggered by high-value or high-risk vendor relationships. Organizations typically apply a risk tiering framework to their vendor portfolio, where the depth of due diligence required scales with the vendor’s risk profile. A vendor who provides a simple SaaS productivity tool with no access to sensitive data may require only a lightweight security review. A vendor who will provide mission-critical infrastructure, process sensitive personal data, or create significant operational dependency will typically trigger both a full security questionnaire and a comprehensive DDQ.
In financial services, the requirement for comprehensive vendor due diligence is often mandated by regulation: the EU’s Digital Operational Resilience Act (DORA), the FCA’s outsourcing guidelines, and equivalent frameworks in other jurisdictions impose specific requirements on financial institutions to conduct and document vendor due diligence before entering material outsourcing arrangements. For vendors pursuing deals with financial institutions, healthcare organizations, or government entities, DDQ completion is typically a prerequisite for contract execution.
What Is a DDQ in Investment and Asset Management Contexts?
In investment and asset management, DDQ has a specific and somewhat different meaning. Investment DDQs are questionnaires sent by institutional investors — pension funds, endowments, foundations, family offices — to fund managers before allocating capital. The investment DDQ assesses the fund manager’s investment strategy, risk management processes, operational infrastructure, regulatory compliance, fee structure, service providers (administrator, auditor, custodian), personnel, ownership, and conflicts of interest.
Investment DDQs are a standard feature of institutional investment due diligence and are required by most institutional allocators as part of their fiduciary process. The Alternative Investment Management Association (AIMA) publishes standardized DDQ templates for hedge funds and private equity that are widely used across the industry, reducing the burden on fund managers who would otherwise receive hundreds of unique questionnaires from different institutional investors.
How Should Vendors Approach DDQ Responses?
DDQ responses are both a compliance obligation and a commercial signal. The quality, accuracy, and completeness of a vendor’s DDQ responses communicate to the buyer’s procurement, legal, and risk teams how seriously the vendor takes organizational governance and risk management. Vague, incomplete, or defensive answers to sensitive questions — about financial stability, litigation history, or business continuity — create concern rather than resolving it.
Several principles improve DDQ response quality. Answer completely and accurately: incomplete answers to sensitive questions typically generate follow-up requests and slow down the procurement process more than a complete, candid answer would. Provide context where numbers or facts might be misinterpreted: a vendor who has disclosed a past regulatory investigation along with a clear explanation of resolution and remediation is in a much better position than one who omits the disclosure and has it discovered during background checks. Maintain a current DDQ response library that is updated whenever material organizational changes occur, so that responses can be quickly assembled and adapted for each new request. And respond promptly: procurement timelines are real, and a vendor who returns a DDQ in two days while a competitor takes two weeks has already made a positive commercial impression.
How Steerlab Helps Vendors Respond to DDQs and Security Questionnaires
For vendors who regularly receive DDQs, security questionnaires, and RFP requests from enterprise customers and institutional buyers, Steerlab.ai automates the drafting of responses from a centralized knowledge base — helping teams respond accurately, consistently, and at speed to the volume of due diligence requests that enterprise sales and business development processes generate.
Frequently Asked Questions
What is a due diligence questionnaire (DDQ)?
A due diligence questionnaire is a structured set of questions used to gather comprehensive information about a vendor, investment target, or business partner before entering into a formal relationship. In vendor management, it covers financial stability, governance, legal history, business continuity, insurance, supply chain risk, and often security. In investment contexts, it assesses fund managers before capital allocation.
What is the difference between a DDQ and a security questionnaire?
A security questionnaire focuses specifically on information security controls: data protection, access management, incident response, and compliance certifications. A DDQ is broader, covering financial stability, corporate governance, legal history, business continuity, insurance, and supply chain risk, in addition to security. Both are typically administered for high-risk vendor relationships.
When is a DDQ required in vendor procurement?
DDQs are typically required for high-value or high-risk vendor relationships: vendors providing mission-critical services, handling sensitive personal data, or creating significant operational dependencies. In financial services, healthcare, and government procurement, DDQ completion is often mandated by regulation as a prerequisite for entering material outsourcing arrangements.
What financial information is typically requested in a DDQ?
Most DDQs request information about the vendor’s revenue, profitability, cash position, debt obligations, funding history, ownership structure, and audited financial statements. The goal is to assess whether the vendor is financially viable and will remain capable of performing under the contract for its duration.
How is a DDQ used in investment due diligence?
In investment and asset management, DDQs are sent by institutional investors to fund managers before allocating capital. They assess the fund manager’s investment strategy, risk management, operational infrastructure, regulatory compliance, fee structure, personnel, and conflicts of interest. Standardized templates from bodies like AIMA are widely used to reduce the burden of completing multiple unique questionnaires.
What is a vendor risk tier and how does it affect DDQ requirements?
A vendor risk tier is a classification of a vendor’s overall risk profile based on factors like the sensitivity of data they access, the criticality of services they provide, and the degree of operational dependency they create. Higher-risk tiers typically trigger deeper due diligence, including both a comprehensive security questionnaire and a full DDQ. Lower-risk tiers may require only a lighter assessment.
How can vendors prepare for DDQ requests efficiently?
By maintaining a current, comprehensive DDQ response library that covers standard questions across all major dimensions — financial stability, governance, legal history, business continuity, insurance, security certifications, and ESG — and updating it whenever material organizational changes occur. Having pre-approved, accurate answers ready for rapid customization dramatically reduces response time and improves response quality.
Does a SOC 2 report satisfy DDQ requirements?
A SOC 2 report satisfies the information security portions of a DDQ, but it does not address the non-security dimensions: financial stability, governance, legal history, business continuity, insurance, and supply chain risk. A vendor that responds to a DDQ with only its SOC 2 report will typically receive follow-up requests for the financial and organizational information that the security audit does not cover.
