Operational Due Diligence: 8-System Audit + Severity Matrix in 2026

Last updated: May 2026

Quick answer

Operational due diligence (ODD) is the systematic evaluation of how a target company actually runs. The 8-System ODD Audit covers People and Org, Process, Technology Stack, Customer Operations, Supply Chain, Financial Operations, Legal Operations, and Compliance and Risk.

Each finding scores on the 3-Axis Severity Matrix — likelihood × impact × remediability, divided by 5 — yielding a 0.2-25 risk score. Bands: 0-3 acceptable, 3.1-7 100-day-plan item, 7.1-12 repricing trigger, 12.1-25 deal-stopper.

PE associates run ODD as a deal-stopper; corporate buyers use it for synergies (Bain Global Private Equity Report 2026). Operational improvements have displaced financial engineering as the primary source of returns ("12 is the new 5"), making ODD the gating workstream before LOI. The 2026 HSR notification threshold is $133.9M (FTC).

Deal anchors below: HPE-Juniper (July 2025 close + DOJ Instant On divestiture), Boeing-Spirit AeroSystems (December 8, 2025 supplier-quality reacquisition), and the Thoma Bravo Medallia $5.1B equity wipeout (April 2026) — each illustrating a different system in the 8-System ODD Audit (EY operational due diligence, McKinsey on value creation).

Why I wrote this

I am Deqian, co-founder of Peony. I have spent the last seven years building the data room engine that PE operating partners, hedge fund ODD teams, and corporate development integration leads use to stage their ODD evidence pack. The single most common request I hear from a Tuesday-night call with an operating partner is: "I need the framework to score these findings so I can defend a 12% repricing to the IC on Friday." This guide is that framework.

The 8-System ODD Audit is the taxonomy I have seen consistently survive across PE, strategic, hedge fund, and infrastructure deals. The 3-Axis Severity Matrix is the scoring engine that converts qualitative findings into a single number the IC and the seller's banker can both push back on. The deal anchors below are the 2025-2026 transactions that prove the model. If you are running ODD on a deal closing in the next 90 days, this is the playbook.

What is operational due diligence and how is it different from financial due diligence?

Operational due diligence is the evaluation of the engine, not the dashboard. Financial due diligence — typically the QofE (quality of earnings) workstream — validates the numbers a target reports. ODD validates whether the operational engine producing those numbers is durable, scalable, and free of hidden liabilities that will surface in the hold period. For the full DD architecture see the M&A due diligence process guide.

The two workstreams answer different questions:

The Bain Global Private Equity Report 2026 captures the shift: GPs report the highest returns from generative AI in deal sourcing and due diligence, and the two most common 2025 deal-killers were inflated seller expectations and diligence red flags (poor earnings quality, customer churn, etc.). The combination — financial gaps surfacing in ODD interviews, ODD gaps surfacing in financial document review — is now the default failure mode of any underprepared sell-side.

EY's 2025 operational due diligence survey of European PE captured the practitioner shift: the questions ODD should be asking in 2025 are no longer "is the EBITDA real" (that is QofE territory) but "is the operating model fit for the next 5 years of compounding."

Why do PE associates run ODD as a deal-stopper while corporate buyers run it for synergies?

PE underwrites to a 5-7 year hold and an explicit VCP — every ODD finding either feeds the VCP or kills the deal. Corporate strategic buyers underwrite to a perpetual hold with synergies — most ODD findings become 100-day plan items because the corporate parent can absorb operational gaps that would crush a standalone PE LBO.

The differential explains why the same finding scores differently:

Vista Equity Partners' Value Creation Group (VCG), Thoma Bravo's operating partners, and Brookfield's Business Operations team all run ODD as the pre-LOI go/no-go. Thoma Bravo was recognized as a 2025 Top Private Equity Innovator across due diligence and value creation — and yet the same firm transferred Medallia to lenders in April 2026 in a $5.1B equity wipeout, illustrating that even best-in-class ODD does not catch macro valuation reversals when a 2021-era 9x revenue multiple compressed to ~6x by 2026. ODD catches operational risk; it does not catch enterprise software multiple compression.

Hedge fund ODD operates on a different axis — allocators are scoring the fund's operational risk, not a portfolio company's. The 175+ ODD reviews completed by perfORM in 2025 surfaced the top three allocator-walk triggers: information security, cash wire processes, and valuation policies. The 8-System framework still applies — People and Org becomes the management team, Process and Workflows becomes the trade lifecycle, Compliance and Risk becomes the SEC/FCA/MAS regulatory inventory — but the bands shift toward zero-tolerance on documentation gaps.

What is the 8-System ODD Audit and why this taxonomy?

The 8-System ODD Audit is the taxonomy I have seen survive across every PE, strategic, hedge fund, and infrastructure ODD I have built a data room for. Each of the 8 systems maps 1:1 to a discrete 100-day plan workstream, has its own document inventory in the data room, and has its own red-flag library.

System 1: People and Org

What it covers: key-person dependency, span of control, succession depth, management team quality, organizational structure, compensation alignment, turnover trends, culture diagnostics.

Document inventory: organizational chart by function; headcount by department and tenure; top-20 compensation table; management team bios + LinkedIn export; recent voluntary turnover by function (24 months); employee NPS or engagement survey results; succession plan documents; equity vesting schedules for top-10 employees; performance review summaries for direct reports of CEO and CFO.

Red flag library: single founder controls 60%+ of customer relationships with no #2; span of control above 12 direct reports for a single VP; involuntary turnover above 20% in any single department over 12 months; no documented succession plan for CEO, CFO, or CRO; equity cliff dates within hold period for top-5 employees; voluntary turnover among VPs above 30% in 24 months. On Peony Data Room at $52/admin/month, each workstream lead operates inside an isolated visitor group, so the HR consultant reviewing org-chart files never sees customer pricing or supplier contracts.

System 2: Process and Workflows

What it covers: the maturity ladder of every core business process from ad-hoc to documented to measured to optimized. The framework is borrowed from CMMI but applied to commercial workflows: lead-to-cash, hire-to-retire, procure-to-pay, plan-to-deliver, record-to-report.

Document inventory: process maps for each of the 5 core workflows; SOPs for each of the 5; KPI dashboards showing the metric for each workflow; documented exceptions log; cycle-time analysis (e.g., quote-to-close, AR days); ERP transaction logs by process; process audit reports if any internal audit team exists.

Red flag library: quote-to-close cycle time exceeds industry benchmark by 50%+; AR days above 60 in a B2B business or above 35 in a SaaS business; manual journal entries above 15% of total entries; no documented escalation path for customer complaints; no exception-tracking log for any of the 5 core workflows; SOPs older than 24 months with no recent revision history.

System 3: Technology Stack

What it covers: single points of failure, technical debt, infrastructure age, scalability ceiling, security posture, vendor lock-in, integration architecture, data architecture.

Document inventory: infrastructure inventory with end-of-life dates; application portfolio with vendor and version; integration map between core systems (ERP, CRM, HRIS, finance); production incident log (24 months) with MTTR; security control matrix (SOC 2, ISO 27001 if applicable); penetration test results (most recent + remediation status); CVE list with severity and remediation timeline; cloud spend by service and trend; data lineage documentation; engineering team size and seniority distribution.

Red flag library: any production infrastructure within 18 months of vendor end-of-life with no migration plan; CVE list with any open critical severity issues older than 90 days; MTTR above 4 hours for production incidents; SOC 2 Type II expired or with unresolved exceptions; single integration point connects 4+ systems with no redundancy; engineering team size below the threshold to support both feature delivery and platform maintenance; cloud spend growing faster than revenue for 4+ quarters. Sensitive penetration-test reports stage behind dynamic watermarks and screenshot protection so the buy-side IT consultant cannot exfiltrate the CVE register before signing.

System 4: Customer Operations

What it covers: NPS, churn, support load, customer concentration, renewal mechanics, upsell motion, support team economics.

Document inventory: top-20 customer revenue table by year (3 years); renewal/non-renewal log with reason codes; support ticket volume per customer per quarter; NPS history with sample size; net revenue retention (NRR) by cohort; gross revenue retention (GRR) by cohort; customer interview pack (8-15 references); change-of-control clauses inventory; customer-specific SLAs with penalty clauses.

Red flag library: any single customer above 15-20% of ARR; top-5 customers above 50% of ARR; NPS below 0 with declining trend; GRR below 85% for SaaS, below 90% for vertical SaaS; renewal-rate decline of 5+ points YoY; support ticket volume growing 30%+ faster than ACV growth; change-of-control termination clauses in top-20 customer contracts; customer-specific SLA penalties exceeding 5% of contract value. For the SaaS-specific overlay on customer concentration scoring, see the SaaS M&A data room playbook. Top-customer contracts route through Smart Q&A so the buy-side commercial diligence team can ask about change-of-control clauses without surfacing pricing to the IT or HR workstreams.

System 5: Supply Chain

What it covers: vendor concentration, geographic risk, single-sourcing exposure, working capital implications, inventory management, logistics risk, regulatory exposure (CFIUS, BIOSECURE, sanctions).

Document inventory: top-20 supplier table with spend, country, and contract length; single-source critical-component map; alternate-vendor qualification status; logistics provider concentration; inventory aging schedule; safety stock policy by SKU class; tariff exposure analysis; sanctions screening logs; CFIUS-flagged supplier list; BIOSECURE-flagged supplier list (biotech).

Red flag library: any single supplier above 25% of COGS; single-sourcing for any component on the critical path with no qualified alternate; supplier concentration in a single foreign-adversary jurisdiction; inventory aging above 90 days for non-seasonal goods; safety stock below 30 days for critical components; tariff exposure above 5% of revenue with no pricing pass-through; sanctioned-entity exposure anywhere in the supply chain. For upstream energy supply-chain ODD overlays (joint-operating agreements, partner solvency, decommissioning liabilities) see the oil and gas JV due diligence data room.

System 6: Financial Operations

What it covers: billing reliability, AR aging, revenue recognition hygiene, cash management, treasury operations, FP&A cycle, audit history.

Document inventory: billing-system architecture; invoice-to-cash cycle metrics; revenue recognition policy documents; deferred revenue schedule; auditor management letters (3 years); restated financial statement history; tax filing status by jurisdiction; sales tax nexus analysis; treasury policy; banking relationship inventory; FP&A model with assumption flow.

Red flag library: billing exceptions above 2% of invoices; AR aging buckets above 90 days exceeding 8% of total AR; revenue recognition policy non-compliant with ASC 606 or IFRS 15; unaccrued sales tax exposure exceeding 1% of revenue; auditor management letters citing material weaknesses; restated financials in the last 5 years; no FP&A model; banking concentration in a single institution above 60% of cash.

System 7: Legal Operations

What it covers: contract management discipline, IP hygiene, regulatory inventory, employment law compliance, litigation log, insurance coverage adequacy.

Document inventory: contract repository inventory; CLM tool inventory (DocuSign CLM, Ironclad, etc.); IP assignment chain for all founders and contractors; patent and trademark portfolio; pending litigation inventory; employment contract templates; non-compete and non-solicit inventory; D&O and E&O policies; insurance broker correspondence (2 years); regulatory filings inventory.

Red flag library: contracts outside the CLM tool exceeding 20% of total contracts; IP assignment gaps for any contributor whose work materially shaped a core product; pending litigation with exposure above 5% of equity value; non-compete clauses unenforceable in the target's primary jurisdictions (California, Massachusetts updates); D&O policy below 5x EBITDA; cyber insurance below 3x revenue; missing material regulatory filings. Pending-litigation files and sensitive employment correspondence stage behind link expiry and manage links so external counsel access auto-revokes at the end of each phase.

System 8: Compliance and Risk

What it covers: privacy (GDPR, CCPA, state laws), security (SOC 2, ISO 27001, NIST), sector-specific (HIPAA, PCI DSS, FDA, FedRAMP, SEC, FCA), antitrust history, sanctions compliance, anti-corruption (FCPA).

Document inventory: SOC 2 Type II report (most recent); ISO 27001 certificate if applicable; HIPAA risk assessment + BAA inventory (healthcare); PCI DSS Attestation of Compliance (payments); FDA 483 history + recent inspection reports (regulated products); FedRAMP authorization status (gov tech); regulatory examination reports; sanctions screening logs; FCPA training records; whistleblower hotline activity log; data breach notification history.

Red flag library: SOC 2 with unresolved exceptions; HIPAA BAA gaps for any vendor processing PHI; PCI DSS at SAQ-A when SAQ-D required; FDA 483 with unresolved Form FDA 483; FedRAMP Moderate required but Tailored only; pending regulatory enforcement actions; sanctions-list matches in customer or vendor base; data breach within 24 months requiring notification; whistleblower complaints filed in the last 24 months. For biotech-specific Compliance-and-Risk overlays (CVR continuity, IND/NDA records, GxP audits, BIOSECURE Act exposure), see the biotech M&A data room.

The 8-System taxonomy survives across PE, strategic, hedge fund, and infrastructure ODD because every operating partner staffs the workstream the same way: one lead per system, parallel workflows, weekly findings memos that roll up into a single repricing or walk recommendation. The numbering matters because it sequences the data room build — System 1-4 should be populated pre-LOI, System 5-8 should be staged for post-LOI release. Peony AI auto-indexing classifies uploaded files into the 8-System folder tree in under 3 minutes; redaction covers competitively sensitive line items in the pre-LOI phase before any teaser-tier reviewer opens the file.

How do you score findings on the 3-Axis Severity Matrix?

The 3-Axis Severity Matrix converts qualitative ODD observations into a single defensible number. Each finding gets three scores on a 1-5 scale:

Axis 1: Likelihood (1-5) — the probability the risk materializes inside the hold period.

Axis 2: Impact (1-5) — the EBITDA or enterprise-value hit if it materializes.

Axis 3: Remediability (1-5) — the inverse of how fixable the finding is in 100 days (5 = unfixable in any timeframe).

Risk score = (Likelihood x Impact x Remediability) / 5

The result is a number from 0.2 to 25.

Bands:

The matrix is defensible to the IC because every finding is scored on the same axes, and the dollar exposure rolls up to a single repricing ask rather than a list of qualitative concerns. The seller's banker can push back on individual scores (likelihood is overstated, impact is overstated, remediability is overstated) but cannot push back on the framework — which forces the negotiation to be about specifics, not about whether ODD is being run rigorously. PE deal teams on Peony Business score findings inside the data room itself, with AI extraction pulling the cited document section directly into the IC memo footnote.

Worked example: hypothetical SaaS target

A $40M ARR vertical SaaS target with $14M EBITDA being acquired at $280M (20x EBITDA, 7x ARR).

Aggregate score: 4 findings in repricing band (9.0-9.6 each) + 1 deal-stopper at 12.0 + 5 100-day items.

The IC memo synthesizes this into: "Repricing ask of $32M (11.4% of equity value) covering the 4 repricing-band findings. The customer-concentration finding at 12.0 requires the seller to renegotiate the top-customer renewal as a condition precedent to close, or we walk. The 5 100-day items fit inside a $4.2M operational budget already in the LBO model."

That memo is the kind of document the seller's banker can negotiate against. A bulleted list of "concerns" is not.

What red flags in People and Org actually killed deals in 2025-2026?

People and Org findings are the most underweighted system in inexperienced ODD teams, and the most common single cause of late-stage deal failure. Two patterns repeat:

Pattern 1: Key-person dependency with no documented succession. The founder-CEO controls 60%+ of customer relationships, accounting for 40%+ of forward revenue, with no #2 with customer-facing equity. This finding scores 4-5 on impact and 3-4 on remediability — operating-partner ODD teams consistently band it at 12-20 (deal-stopper or steep repricing). The fix is not "the founder will stay" — founders leave PE-owned businesses within 24 months at a rate north of 40% per the operating-partner literature. The fix is an earnout structure that ties seller payout to customer-retention milestones plus a CRO hire with material equity in the first 60 days post-close.

Pattern 2: Span-of-control collapse. A single VP carries 14+ direct reports across functions that should be 2-3 distinct leadership tracks. The VP is performing all three jobs (Sales VP, Operations VP, Customer Success VP) inadequately and the team is leaking on every front. Impact 3-4, remediability 3-4 (it takes 90-120 days to recruit two new VPs and onboard them), score 9-12 (repricing). The fix is a $200-300K budget against year-1 EBITDA to recruit the missing executive layer.

Hedge fund ODD applies a different pattern but the same scoring. The perfORM 2025 ODD report flags "Managers who frequently shift strategies or pursue opportunistic pivots without documented reasoning" as a top-three allocator-walk trigger — same framework, different population. Allocator data rooms run on Peony with NDA gating so the LP review never opens before signature is captured.

The deal-anchor pattern is consistent. Per the 2025 PE diligence trends literature, the firms running the most rigorous ODD (Vista Equity Partners' VCG, Thoma Bravo's operating partner network, Bain Capital's portfolio group) have institutionalized a pre-LOI management interview pack — 4-6 hours per top-5 executive, structured against a behavioral-event interview guide, with calibrated scores from at least three operating-partner reviewers. The output is a single People and Org score that gates LOI.

What red flags in Technology Stack triggered repricing in 2025-2026?

Three technology stack red flags repriced 2025-2026 deals:

(a) End-of-life infrastructure with no migration plan. Replacing EOL infrastructure post-close runs $200K-$3M per environment per the IT-DD literature, and the migration consumes 12-18 months of the operating team's bandwidth. Score band 9-13 (repricing or stopper). The fix is a capex allocation in the 100-day plan and a milestone-tracked migration with a hard cutover date inside year 1.

(b) Single-vendor lock-in with no portability path. The Thoma Bravo Medallia situation — handed to creditors for a $5.1B equity wipeout in April 2026 — illustrates the compound failure mode. Medallia was acquired for $6.4B in 2021 at a peak software multiple; the enterprise software valuation collapse dropped median revenue multiples for mature SaaS platforms from 9x in 2021 to roughly 6x in 2026; legacy architecture combined with peak-multiple debt made refinancing impossible at a level that preserved equity value. The creditor group (Blackstone, KKR, Apollo Global, Antares Capital) holds $3B in debt and now takes ownership. The deal anchors a broader pattern — there were $46.9B in distressed software loans across the private credit market as of February 2026. Score band for severe lock-in: 11-15.

(c) Deferred security spend with active CVEs in production. HIPAA, SOC 2, PCI gaps that require 12-18 months of remediation. Score band 8-12. The fix is a CISO-led remediation plan with a year-1 budget allocation, plus reps and warranties insurance to bridge the gap between signing and remediation completion.

The Bain Global PE Report 2026 cites GPs increasingly quantifying technical debt explicitly in deal economics rather than treating it as a post-close surprise. The shift is structural: technical debt is now a 8-System ODD Audit finding scored on the 3-Axis Severity Matrix, not a "we'll fix it post-close" note in the IC memo. For private-equity diligence teams, the System 3 finding is now staged with auto-indexing so the buy-side CTO has a navigable inventory before the first technical interview.

How do customer concentration and NPS feed the ODD scope?

Customer Operations is the system with the cleanest empirical research on repricing magnitude. The published SaaS DD literature converges on the following bands:

NPS compounds the concentration risk. NPS below 0 with a measurable churn gradient (declining NPS quarter-over-quarter) surfaces the customers most likely to leave first. ODD teams pull:

• Top-20 customer revenue table by year for the last 3 years. Trend lines reveal which large customers are at risk.
• Renewal/non-renewal log with reason codes. "Won lost" deals are leading indicators of churn risk in the renewal cohort.
• Support ticket volume per customer per quarter. A spike in ticket volume for a strategic customer is a 6-9-month leading indicator of non-renewal.
• Customer interview pack (8-15 references). Commission references for the top-10 customers plus a random sample of 5 churned customers. The churned-customer interview is the single highest-information call in the entire ODD process.

The Bain 2026 report flags customer churn as one of the two most-cited 2025 deal-killer red flags. The fix when concentration is structural (vertical SaaS, government services) is not "diversify the customer base in 100 days" — that is impossible. The fix is contractual: extend the top-5 customer contracts to 5+ year terms, add price-escalator clauses, and negotiate change-of-control consent rights out of the contracts before close.

Peony page-level analytics let sell-side advisors see which customer files buy-side reviewers spent the most time on. A buy-side team that spent 18 minutes on the top-customer file and 4 minutes on the company overview is about to surface customer concentration as the repricing lever — the sell-side advisor uses the analytics to anticipate the objection and pre-position the response. The same workflow is detailed in the DD data room checklist, with Peony's NDA gate enforcing reviewer-specific access before the top-20 customer file even appears in the index.

What 2025-2026 supply chain shocks repriced deals?

Three supply chain shocks repriced deals in 2025-2026:

Shock 1: Rare earth magnet concentration. China controls roughly 90% of global rare earth refining capacity and over 90% of global NdFeB magnet manufacturing output per IEA data and industry trackers. Any manufacturer with single-source Chinese magnet supply scores 4 on likelihood (probable in base case as US-China decoupling continues), 4 on impact (15%+ of EV for magnet-dependent products), and 4 on remediability (24+ months to qualify alternate sources). Score: 12.8 (deal-stopper). The fix is a multi-year qualification plan with US-based alternates — USA Rare Earth's Stillwater Oklahoma facility plans to double NdFeB magnet production to 10,000 metric tons annually with commissioning completing Q1 2026 per the CHIPS Act funding coverage.

Shock 2: Semiconductor reshoring uncertainty. The America First Investment Policy (signed February 21, 2025) expanded CFIUS scope to non-controlling 25%+ stakes in U.S. businesses involved in critical technologies including semiconductors. CFIUS now imposes heightened scrutiny on investors from foreign-adversary jurisdictions, with over 200 mitigation agreements under active supervision and four civil monetary penalties issued — more than all prior years combined. Score: 3 on likelihood (only triggers for foreign-investor deals), 4 on impact (60-90 day timeline addition), 3 on remediability (mitigation agreements are achievable but lengthy). Score: 7.2 (repricing band, typically reflected in break-fee structures).

Shock 3: Boeing-Spirit AeroSystems supplier-quality reacquisition. Boeing closed the acquisition of Spirit AeroSystems on December 8, 2025 for $4.7B in equity at $8.3B total enterprise value (including assumed debt). The FTC accepted the proposed consent order on December 2, 2025 (final order voted 2-0 on February 17, 2026) subject to divestitures negotiated with Airbus and Composites Technology Research Malaysia, and a requirement that Spirit remain a supplier for Boeing's competitors for future military aircraft programs. The deal anchors the principle that supply chain ODD is now an enterprise-risk-management workstream — Boeing's repeated quality failures on the 737 MAX program were the operational thesis for vertically reintegrating the fuselage supplier. Supplier files in Peony's data rooms stage behind leak protection so cross-border supplier audits stay traceable through the CFIUS review window.

The 8-System ODD Audit's System 5 framework — top-20 supplier table with spend, country, and contract length; single-source critical-component map; alternate-vendor qualification status — is now the gating workstream for any deal in defense, aerospace, semiconductors, biotech, or batteries. The KPMG 2025 Global Semiconductor Industry Outlook estimates global semiconductor sales reaching $975B in annual sales in 2026 with growth accelerating to 26%; that growth concentrates the supply-side risk into a small number of choke points (TSMC, ASML, NDFB magnets, gallium nitride). ODD teams price the concentration risk explicitly.

How does operational due diligence feed the 100-day plan and value-creation plan (VCP)?

Every ODD finding scored on the 3-Axis Severity Matrix routes to one of three outputs:

Output 1: The repricing memo to the IC. Findings scoring 7+ get aggregated into a single repricing ask, expressed as a dollar amount and a percentage of equity value. The memo cites the framework (8-System ODD Audit + 3-Axis Severity Matrix) and shows the score for each finding. The seller's banker can negotiate the scores but not the framework.

Output 2: The 100-day plan. Findings scoring 3-7 become workstreams in the first 100 days — each with an owner, a milestone, and a budget. Per the operating-partner literature, the critical first-100-day objectives include establishing a reconciled EBITDA baseline, a clear cash bridge, and an as-is trajectory; protecting safety, compliance, quality, and service levels; identifying the binding constraints that are truly limiting performance. ODD findings populate the gap analysis directly.

Output 3: The long-term VCP. Findings that take 12+ months to remediate become VCP items with year-2 or year-3 milestones. McKinsey's value creation work shows operational levers can drive 25-45% margin growth, with three levers consistently most effective: working capital and cash discipline (5-10% of sales unlocked as free cash within months), commercial and pricing excellence (revenue uplift as primary value-creation driver), and procurement and cost-out (3-7% of EBITDA in mid-market deals). Peony AI Rooms carry the ODD findings register into the post-close VCP workstream so the portfolio CEO inherits the scored evidence pack, not a fresh request list.

The data room engine is the throughline. Peony's data room engine carries the ODD-tagged folder structure into the post-close phase so the operating partner can hand off directly to the portfolio CEO without re-collecting documents. The 8-System taxonomy in the data room becomes the 8-workstream structure in the 100-day plan, becomes the 8-track VCP in years 1-3. For the underlying folder architecture across the full DD lifecycle see the DD data room checklist.

The Accenture private equity playbook captures the shift: PE firms are holding assets longer (median hold has stretched to 6+ years per the 2025 data), and operational value creation is now the primary lever for IRR. The Bain 2026 GP outlook captures the operating-partner shift: operational improvements have displaced financial engineering as the primary source of returns ("12 is the new 5" — deals now require 10-12% annual EBITDA growth vs the historical 5% baseline to hit a 2.5x return), with revenue growth accounting for 71% of value created in 2024 PE exits (up from 64% in 2023).

Which 10 deals in 2025-2026 were repriced or stopped by ODD findings?

Ten 2025-2026 deals where ODD findings repriced or stopped the transaction. Each illustrates a different system in the 8-System ODD Audit.

Deal 1: HPE-Juniper Networks (closed July 2, 2025). Originally announced January 9, 2024 at $14B, the deal faced a DOJ lawsuit filed January 30, 2025 alleging the combined firm plus Cisco would control 70%+ of the U.S. wireless networking market. HPE and Juniper reached a settlement with the DOJ requiring HPE to divest its global Instant On campus and branch business and facilitate limited access to Juniper's Mist AIOps technology for competitors. ODD lens: System 8 (Compliance and Risk) — the regulatory-antitrust finding became a deal-restructuring trigger, not a deal-stopper, because the seller was able to negotiate divestitures.

Deal 2: Boeing-Spirit AeroSystems (closed December 8, 2025). Boeing acquired Spirit at $4.7B equity value and $8.3B enterprise value (including assumed debt). The FTC accepted the proposed consent order on December 2, 2025 (final order voted 2-0 on February 17, 2026) subject to divestitures to Airbus and Composites Technology Research Malaysia and a requirement that Spirit remain a supplier for Boeing's competitors. Approximately 15,000 Spirit teammates across five sites (Wichita KS, Dallas TX, Tulsa OK, Belfast Northern Ireland, Prestwick Scotland) integrate into Boeing. ODD lens: System 5 (Supply Chain) — Boeing's repeated 737 MAX supplier-quality failures were the operational thesis for vertically reintegrating the fuselage supplier. The deal anchors supply chain ODD as an enterprise-risk-management workstream.

Deal 3: Thoma Bravo Medallia equity wipeout (April 2026). Thoma Bravo acquired Medallia for $6.4B in 2021. As of April 2026, Thoma Bravo nears agreement to hand the company to creditors (Blackstone, KKR, Apollo Global, Antares Capital, holding $3B in debt) — a $5.1B equity wipeout. Cause: enterprise software valuation collapse (median revenue multiples for mature SaaS dropping from 9x in 2021 to ~6x in 2026) combined with legacy architecture limitations. ODD lens: System 3 (Technology Stack) — legacy architecture constrained refinancing flexibility at the worst possible time in the software-multiple cycle. The broader pattern: $46.9B in distressed software loans across private credit as of February 2026.

Deal 4: Adobe-Figma abandoned (December 18, 2023). Adobe and Figma mutually terminated their $20B merger after the UK CMA's Phase 2 investigation and EU/UK regulatory pushback. Adobe paid Figma a $1B breakup fee. The CMA identified risk that the merger would substantially reduce competition in all-in-one product design software, vector editing, and raster editing. ODD lens: System 8 (Compliance and Risk) and System 4 (Customer Operations) — the antitrust analysis was driven in part by Figma's market position in collaborative design and Adobe's dominance in adjacent tools. Figma confidentially filed for IPO in April 2025, a year after the abandonment. Even though this deal sits slightly outside the 12-month window, it anchors the precedent for design-tool antitrust scrutiny.

Deal 5: FTC blocked Tapestry-Capri (October 24, 2024). The FTC sued April 2024 to block Tapestry's $8.5B acquisition of Capri Holdings; the federal court issued a preliminary injunction October 24, 2024. The FTC alleged the deal would give Tapestry dominant share of the "accessible luxury" handbag market and eliminate competition between Coach + Kate Spade (Tapestry) and Michael Kors (Capri). ODD lens: System 8 (Compliance and Risk) and System 1 (People and Org) — the FTC also argued the deal threatened to eliminate employer competition for the combined 33,000 employees, negatively affecting wages and benefits. The deal anchors antitrust ODD as a deal-stopper category for horizontal mergers in concentrated categories.

Deal 6: PE software take-privates with EOL infrastructure. The PE software take-private market repriced 8-15% on average per the IT-DD literature, with technical debt now an explicit repricing factor rather than a post-close surprise. ODD lens: System 3 (Technology Stack) — the shift from "we'll fix it post-close" to "we price it now" is the most consistent 2025-2026 pattern across the PE software vertical.

Deal 7: Mid-market SaaS with single customers above 25% ARR. Per the SaaS DD literature, mid-market deals with single customers above 25% of ARR repriced 15-30%. One representative case: a B2B SaaS platform with $1.1M ARR nearly closed at $4.2M; the buyer's analyst discovered one customer represented 38% of revenue, and the deal fell apart. ODD lens: System 4 (Customer Operations) — concentration above 25% is now consistently in the repricing-or-walk band.

Deal 8: Hedge fund allocator walks (175+ ODD reviews in 2025). perfORM completed 175+ ODD reviews in 2025. Top three allocator-walk triggers: information security, cash wire processes, valuation policies. ODD lens: System 8 (Compliance and Risk), System 6 (Financial Operations), and System 3 (Technology Stack) — disorganized or incomplete documentation halts the allocator process regardless of strong returns.

Deal 9: CFIUS-mandated ODD scope expansion (2025). The America First Investment Policy NSPM (February 21, 2025) expanded CFIUS jurisdiction into AI, semiconductors, biotech, and data infrastructure for foreign-adversary investors (PRC including HK and Macau, Cuba, Iran, DPRK, Russia, Venezuela). CFIUS now reviews non-controlling stakes of 25%+ in U.S. businesses involved in critical technologies. Over 200 mitigation agreements under active supervision and four civil monetary penalties issued — more than all prior years combined. ODD lens: System 8 (Compliance and Risk) — added 60-90 days to any deal with critical-technology exposure and a foreign-adversary investor in the cap table.

Deal 10: Sanofi-Genzyme Lemtrada CVR settlement ($315M, 2019) — anchoring 27 US CVR deals signed in 2025. Per Deal Point Data, 27 US CVR (contingent value right) deals signed in 2025 vs 7 in 2024. The Sanofi-Lemtrada $315M 2019 settlement established the precedent that ODD-continuity post-close is a contractually material question — the data room engine must continue to provide the CVR holder representative with audited access to the regulatory record for the 4-6 year holdback window. ODD lens: System 7 (Legal Operations) — CVR diligence is now a discrete ODD workstream in biotech and pharma M&A.

The pattern across the 10 deals: every system in the 8-System ODD Audit produced a repricing or walk in 2025-2026. The framework is empirically grounded, not theoretical.

How does the seller stage ODD-relevant documents in the data room?

The seller stages ODD-relevant documents in the data room across three phases — pre-LOI teaser, LOI to confirmatory, and confirmatory to close — using the 8-System taxonomy as the folder structure.

Phase 1: Pre-LOI teaser (Systems 1, 2, 4 only). The teaser data room holds the management presentation, the high-level financials, an organizational chart, the top-20 customer overview (anonymized), the process maturity self-assessment (System 2 maturity score per workflow), and a one-page summary of any material risks. The objective is to qualify buyers without exposing operational specifics that competitors could exploit — the same staging discipline detailed in the M&A due diligence process guide.

Phase 2: LOI to confirmatory (all 8 systems unlocked, controlled). After NDA and LOI, the buyer's ODD team gets staged access to all 8 systems' document inventories. Sensitive subfolders — Top-20 customer named, Key-person dependency analysis, IP assignment chain, sanctions-screening logs — are gated behind workstream-specific permissions. The objective is to support parallel ODD workstreams without leaking competitive intelligence across workstreams (e.g., the buyer's HR consultant should not see customer contract pricing).

Phase 3: Confirmatory to close (final binding bid disclosure). Schedule of disclosure exceptions, employee-level data, regulatory enforcement correspondence, pending litigation files, and reps-and-warranties exhibits unlock for the final binding bidder only. The objective is to close the deal without prolonged renegotiation — by this phase, the ODD team has already scored every finding and the IC has already signed off on the repricing.

The data room engine matters at every phase. Peony's AI auto-indexing auto-classifies uploaded files into the 8-System folder structure in under 3 minutes. Visitor groups enforce workstream isolation — the HR consultant tier sees System 1 only; the IT consultant tier sees System 3 only; the IC tier sees all 8 systems with reviewer activity rolled up. Page-level analytics let the sell-side advisor see which ODD workstream is heading toward an objection (e.g., the buy-side IT consultant spent 47 minutes on the EOL infrastructure inventory — a repricing memo on System 3 is coming).

The data room becomes the canonical record of who saw what when, which matters for two downstream uses: (a) reps-and-warranties insurance underwriting, where the underwriter audits the disclosure chain, and (b) post-close CVR continuity if the deal structure includes any contingent payouts. Peony Data Room at $52/admin/month maintains permanent access without per-deal closure penalties, which makes 4-6 year CVR continuity 5-10x cheaper than the legacy VDR alternative. Reviewer activity is auditable through page-level analytics and the underlying security layer.

For broader data-room hygiene see the DD data room checklist (174 documents across 10 categories) and the M&A due diligence process guide (6-phase playbook). For sector-specific overlays see the SaaS M&A data room, the biotech M&A data room, and the oil and gas JV due diligence data room.

Frequently asked questions

What is operational due diligence and how is it different from financial due diligence?

Operational due diligence (ODD) is the systematic evaluation of how a target company actually runs day-to-day — people, processes, technology stack, customer operations, supply chain, financial operations, legal operations, and compliance/risk. Financial due diligence (QofE) validates the numbers a target reports; ODD validates whether the operational engine producing those numbers is durable, scalable, and free of hidden liabilities. Peony's 8-System ODD Audit + 3-Axis Severity Matrix scores each finding on likelihood x impact x remediability (each 1-5) to convert qualitative observations into a defensible repricing case. The Bain Global Private Equity Report 2026 lists 'diligence red flags (poor earnings quality, customer churn, etc.)' as one of the two most common deal-killers in 2025 alongside inflated seller valuations.

Why do PE associates run operational due diligence as a deal-stopper while corporate buyers run it for synergies?

PE buyers underwrite to a 5-7 year hold and an explicit value creation plan (VCP) — every ODD finding either feeds the VCP or kills the deal economics, so PE ODD is binary by design. Corporate strategic buyers underwrite to a perpetual hold with synergies — most ODD findings become 100-day plan items, not walk-away triggers, because the corporate parent can absorb operational gaps that would crush a standalone PE LBO. The Bain Global PE Report 2026 notes that operational improvements have displaced financial engineering as the primary source of returns — "12 is the new 5" (deals now require 10-12% annual EBITDA growth vs the historical 5% baseline to hit a 2.5x return), which makes operational diligence the gating question, not a workstream. Vista Equity Partners' VCG, Thoma Bravo's operating partners, and Brookfield's Business Operations team all run ODD as the pre-LOI go/no-go before financial DD even starts.

What is the 8-System ODD Audit and why this taxonomy?

The 8-System ODD Audit covers (1) People and Org, (2) Process and Workflows, (3) Technology Stack, (4) Customer Operations, (5) Supply Chain, (6) Financial Operations, (7) Legal Operations, (8) Compliance and Risk. This taxonomy maps 1:1 to the post-close value creation plan: each system maps to a discrete workstream owner in the 100-day plan, each system has its own document inventory in the data room, and each system has its own red-flag library. The taxonomy survives across PE, strategic, hedge fund, and infrastructure ODD because it mirrors how operating partners actually staff diligence teams: one workstream lead per system, parallel workflows, weekly findings memos that roll up into a single repricing or walk recommendation.

How do you score findings on the 3-Axis Severity Matrix (likelihood x impact x remediability)?

Each finding gets three scores on a 1-5 scale. Likelihood is the probability the risk materializes inside the hold period. Impact is the EBITDA or enterprise-value hit if it materializes. Remediability is the inverse of how fixable the finding is in 100 days (5 = unfixable in any timeframe, 1 = fixable in under 30 days). Multiply the three and divide by 5 to get an ODD risk score from 0.2 to 25. Bands: 0-3 = acceptable (covered by the 100-day plan budget), 3.1-7 = 100-day-plan item (not a repricing trigger), 7.1-12 = repricing trigger (typically 5-15% of equity value), 12.1-25 = deal-stopper. The matrix is defensible to the IC because every finding is scored on the same axes, and the dollar exposure rolls up to a single repricing ask rather than a list of qualitative concerns.

What red flags in People and Org actually killed deals in 2025-2026?

The two deal-killing People and Org findings of 2025-2026 are (a) key-person dependency with no documented succession (founder-CEO controls 60%+ of customer relationships, accounting for 40%+ of forward revenue, no #2 with customer-facing equity) and (b) span-of-control collapse (a single VP carries 14+ direct reports across functions that should be 2-3 distinct leadership tracks). Both score 4-5 on impact and 3-4 on remediability — operating-partner ODD teams consistently band these in the 12-20 range. The hedge fund ODD industry reports allocators 'walk away' on disorganized or incomplete management documentation, and PE operating partners flag the same pattern in middle-market take-privates.

What red flags in Technology Stack triggered repricing in 2025-2026?

Three technology stack red flags repriced 2025-2026 deals: (a) end-of-life infrastructure with no migration plan (replacing EOL infrastructure post-close runs $200K-$3M per environment per the IT-DD literature), (b) single-vendor lock-in with no portability path (the Medallia situation Thoma Bravo handed to creditors for a $5.1B equity wipeout in April 2026 had legacy architecture that limited refinancing flexibility), (c) deferred security spend with active CVEs in production (HIPAA, SOC 2, PCI gaps that require 12-18 months of remediation). The Bain 2026 report cites GPs increasingly quantifying technical debt explicitly in deal economics rather than treating it as a post-close surprise. Score band: most enterprise tech-debt findings sit in the 7-12 repricing band, but unfixable architectural decisions (a monolith requiring 24+ months of rebuild) push into the 12+ deal-stopper band.

How do customer concentration and NPS feed the ODD scope?

Any single customer above 15-20% of ARR triggers a Customer Operations red flag; any single customer above 25% triggers a repricing of 15-30% to deal value per the SaaS M&A literature. NPS below 0 with a measurable churn gradient (declining NPS quarter-over-quarter) compounds the concentration risk by surfacing the customers most likely to leave first. ODD teams pull (a) the top-20 customer revenue table by year for the last 3 years, (b) the renewal/non-renewal log with reason codes, (c) the support ticket volume per customer per quarter, and (d) the customer interview pack (typically 8-15 customer references commissioned through a CDD provider). The Bain 2026 report flags 'customer churn' as one of the two most-cited 2025 deal-killer red flags. Peony page-level analytics let sell-side advisors see which customer files buy-side reviewers spent the most time on, which is a leading indicator of which customers are about to surface as objections.

What 2025-2026 supply chain shocks repriced deals?

Three supply chain shocks repriced deals in 2025-2026. (1) Rare earth magnet concentration — China controls roughly 90% of global rare earth refining and over 90% of NdFeB magnet manufacturing output (IEA data + industry trackers), which makes any manufacturer with single-source Chinese magnet supply a 15-25% repricing target. (2) Semiconductor reshoring uncertainty under the America First Investment Policy (February 2025) added 60-90 days of CFIUS timeline to any deal with critical-technology exposure. (3) Boeing-Spirit AeroSystems closed December 8, 2025 explicitly to reduce supplier-concentration risk after 737 MAX quality failures — the deal anchors the principle that supply chain ODD is now an enterprise-risk-management workstream, not a logistics workstream. Score bands: most supply chain findings sit at 7-12 (repricing band), but irreplaceable single-sourcing for critical components pushes 12+.

How does operational due diligence feed the 100-day plan and the value creation plan (VCP)?

Every ODD finding scored on the 3-Axis Severity Matrix gets routed to one of three outputs: (a) the repricing memo to the IC (findings 7+), (b) the 100-day plan (findings 3-7, each becoming a workstream with owner, milestone, budget), (c) the long-term VCP for findings that take 12+ months to remediate. Per the 100-day plan literature, the first 100 days establish a reconciled EBITDA baseline, a cash bridge, and an as-is trajectory — ODD findings populate the gap analysis. McKinsey's value creation work shows operational levers can drive 25-45% margin growth, with working capital discipline alone unlocking 5-10% of sales as free cash. Peony's data room engine carries the ODD-tagged folder into the post-close phase so the operating partner can hand off directly to the portfolio CEO without re-collecting documents.

Which 10 deals in 2025-2026 were repriced or stopped by operational due diligence findings?

Ten 2025-2026 deals where ODD findings repriced or stopped the transaction: (1) HPE-Juniper July 2, 2025 close required DOJ Instant On divestiture + Mist AIOps licensing as a quasi-ODD condition. (2) Boeing-Spirit AeroSystems December 8, 2025 close was driven by supplier-quality and supply chain operational risk. (3) Thoma Bravo Medallia April 2026 equity wipeout transferred the company to lenders after a $5.1B equity loss tied in part to legacy architecture refinancing constraints. (4) Adobe-Figma was abandoned December 2023 ($1B breakup fee) on regulatory + commercial review. (5) FTC blocked Tapestry-Capri in October 2024 on accessible-luxury market overlap. (6) PE software take-privates with EOL infrastructure repriced 8-15% on average per IT-DD literature. (7) Mid-market SaaS deals with single customers above 25% ARR repriced 15-30%. (8) Hedge fund allocators walked from 175+ ODD reviews in 2025 per perfORM data. (9) CFIUS expanded scope to non-controlling 25% stakes in semiconductors, biotech, AI under the America First Investment Policy adding 60-90 days. (10) The Sanofi-Genzyme Lemtrada CVR settlement ($315M, 2019) established the post-close ODD-continuity precedent now standard in 27 US CVR deals signed in 2025.

---

Related resources

• M&A due diligence process guide — hub for the broader DD cluster
• Hard vs Soft Due Diligence: 5-Frame Playbook — ODD bridges hard-DD and soft-DD; the 5-frame playbook positions ODD against the Cost-of-Skipping Index + Trigger Matrix
• DD Timeline: Critical-Path Playbook (2026) — ODD runs as parallel workstream Weeks 2-4; critical path is QoE → SPA → financing → RWI bind → HSR clock → close
• Due diligence data room checklist — 174-document file-side companion
• AI due diligence — 5-Layer AI Target Audit for AI-using targets
• Due diligence questionnaire (DDQ) — 5-persona template library
• Private equity due diligence — 6-strategy hold playbook
• IP due diligence — 5-Asset Encumbrance Matrix
• Vendor due diligence checklist — procurement third-party risk
• Due diligence cost breakdown — what diligence really costs
• Top 10 virtual data room providers 2026 — VDR shortlist
• Peony pricing — Business at $30/admin/month

---

The 8-System ODD Audit and the 3-Axis Severity Matrix are the framework I use when an operating partner calls on a Tuesday night and needs to defend a 12% repricing to the IC on Friday. The framework is what survives the negotiation with the seller's banker. The 8-System taxonomy is what survives the handoff to the portfolio CEO on day 1. The 3-Axis Severity Matrix is what makes the post-mortem repeatable so the next deal is run tighter than the last one.

If you are running ODD on a deal closing in the next 90 days, stand up an 8-System data room, assign one workstream lead per system, and score every finding on the 3-Axis Severity Matrix before you write the IC memo. The framework is the playbook. The data room engine is the substrate. The deal is the test.