Why operational due diligence is more than a governance checklist

BY JO LEAPER | FRIDAY, 15 MAY 2026 10:28AM

When governance fails, it's rarely because a policy was missing. More often, failures occur when accountabilities are unclear, controls are overridden, challenge is muted, or issues aren't escalated early enough. Across asset owners, regulators and investors, there is a growing acknowledgement: governance must be demonstrable, not assumed.

We spend plenty of time debating what makes a good investment and what makes a good investment manager. Yet when operational failures hit the headlines - outages, mis-allocations, pricing errors, cyber incidents, disclosure failures - the post-mortem is often consistent: governance existed on paper, but it didn't work in practice.

Investors and regulators are signalling - loudly - that "we have a framework" is no longer an acceptable answer. The new expectations are evidence-based: show me how decisions are made, how conflicts are managed, how incidents are logged and remediated, and how oversight is independent of the people taking the risk.

With APRA's CPS 230 operational risk regime having commenced in July 2025, trustees and other asset owners are looking beyond frameworks and comfort letters, seeking evidence that oversight and controls function day to day. They want to understand what happens in practice when markets move, people are away, or systems fail.

From expectation to evidence

Operational due diligence (Ops DD) is just one of the areas where that expectation becomes real. Done well, it tests whether accountabilities are clear, oversight is independent, escalation works, and controls hold under pressure. It isn't a tick-the-box exercise. Ops DD is the investor's on-the-ground governance tool for both third parties and internalised functions - asking not just "do controls exist?", but "do oversight, reporting, incident notification and remediation demonstrably work in practice?".
APRA's CPS 230 has accelerated this shift. It applies to APRA-regulated entities, but it is also resetting expectations across the market. Where critical operations are performed by third parties, regulated entities must treat key providers as material service providers. The implication is simple: worry less about the narrative and more about early warning and testing the plans for what may arise - what breaks, how you find out, who is told, and how fixes are verified. Under CPS 230, when critical operations sit with a material service provider (or chain of sub-providers), the key question becomes: can the provider demonstrate what they do, and can operational resilience be proven end-to-end?

The ASFA Investment Manager Operational Due Diligence Guidance Note - finalised in April 2026 - provides a better-practice reference point to support more consistent and rigorous approaches to Ops DD. It provides practical guidance on how operational risk is identified, assessed and monitored in practice. Aligned to CPS 230, it emphasises independent assessment, transparency, and common review criteria to lift industry standards.

The global context: An alternative approach

Recognising both the absence of a global standard, and the reality that Ops DD is most effective when grounded in peer-relative practice, the Guidance Note offers a new possibility for markets beyond Australia to consider adopting. Importantly, it enables scalable comparability without compromising independence, through shared and consistently applied criteria. While there will always be nuances in each market or sector, a common base provides a platform for investors globally to undertake comparable assessments and build shared understanding that ultimately supports improved beneficiary outcomes.

From principles to proof

Governance is only as strong as the information it is built on.
For asset owners assessing managers and outsourced providers, Ops DD provides structured questioning and testing that turns governance principles (clear accountability, independent oversight, disciplined escalation) into observable evidence. At its core, effective governance rests on simple fundamentals: clear roles and responsibilities, appropriate segregation between decision-making and oversight, and well-defined escalation pathways.

Prevention is better than cure - but in investing, prevention doesn't mean pretending risk can or should be eliminated. Understanding risk, particularly investment and operational risk, means knowing how decisions get made, where errors can occur, and how you detect and correct them quickly.

Ops DD has matured quickly. In fast-moving areas such as data governance, cyber resilience, generative AI use and business continuity, governance and guardrails that are current, practised and provable are needed. You can't "audit your way" to good governance. You make it real through clear accountabilities, genuine independence, and repetition: routine forums, decision matrices that are clear and comparable over time, clear minutes and disciplined follow-ups.

Proportionality still matters. Investors will go deeper in different areas of interest based on mandate size, complexity and risk appetite, but that is not an excuse for ambiguity. When operating models change (through growth, new strategies, outsourcing or new technology), roles, delegations and controls must be refreshed and evidenced.

If you forced me to pick one "make or break" indicator in Ops DD, it would be this: are roles and responsibilities actually accurate, and do they create real independence? Breakdowns usually come from blurred role ownership over time. The result is predictable: weak challenge, late escalation and poor remediation.
What good looks like in practice: the investor asks that matter

Turning the Guidance Note into a workable Ops DD program doesn't require perfection - it requires a few core disciplines:

Additionally, where activities are outsourced, treat material service providers as part of the governance perimeter - agree what is delivered, what is monitored, how incidents are notified/escalated, and what a credible transition looks like if service deteriorates.

Final word

The ASFA Investment Manager Operational Due Diligence Guidance Note isn't intended to create more paperwork. It's to lift the baseline of operational reality and strengthen governance - consistent with CPS 230's shift from documented intent to demonstrable, day-to-day resilience. Done well, Ops DD is "prevention" in the most practical sense. Governance isn't proven by policies; it's proven by repeatable decisions, transparent oversight and clear follow-through.

Ultimately, it's not about stopping risk; it's about understanding the risk you're accepting. Organisations that invest in clear accountabilities, genuine independence and disciplined escalation don't just look better in due diligence - they respond faster when things go wrong, run better businesses and ultimately deliver better investment outcomes to their beneficiaries.