18 May 2026
Organisations often confuse optimism with due diligence – until the horse bolts. Although the term ‘due diligence’ appears constantly in ethical frameworks, contracts, audits, procurement documents and compliance discussions, many people still struggle to define what it means in practice. Asking a few hard questions sometimes helps, but real due diligence requires organisations to take the time to understand the systems and the providers they choose to trust.
Due diligence is not “one size fits all”
For businesses that store client information with a cloud provider, due diligence might involve understanding where the data is stored, who can access it and what protections exist if something goes wrong. Clinical practices that adopt AI note-taking platforms should ask how the platform processes recordings, whether information leaves Australia and what the provider does with retained data. If a company engages an external IT contractor, due diligence may simply involve clarifying how the contractor will manage and revoke access.
Failing to exercise due diligence can be costly
Australian regulators have increasingly signalled that organisations cannot outsource responsibility for security and privacy risks. A widely discussed example was Australian Securities and Investments Commission v RI Advice Group Pty Ltd. In that case, the court found that inadequate cybersecurity practices exposed the organisation to foreseeable risks. Authorised representatives and external environments created many of the problems. Consequently, the case reinforced an important point: organisations must take reasonable steps to understand and manage the systems and providers they rely upon.
In our experience, organisations rarely fail because they completely ignore risk. More often, they move too quickly, assume common platforms are already safe, or rely on verbal assurances without taking reasonable steps to confirm them.
Due diligence is not about eliminating risk
Good due diligence does not eliminate all risk. But it helps organisations to:
- demonstrate that they took reasonable steps to understand and control risks
- make informed decisions
- maintain appropriate oversight over systems that handle sensitive information
Due diligence is a process, not a milestone
Importantly, due diligence is not a one-off exercise. Over time, systems evolve, suppliers change and staff move on. Technology that seemed sensible three years ago may no longer meet current expectations around privacy, security or governance. In our experience, the organisations that manage risk best are usually not the most paranoid. They are those that maintain clear visibility over how their systems operate as they grow.