Practice technical risk vocabulary for due diligence: risk classification, disaster recovery gaps, test coverage, legacy dependencies, and deal-breaker vs. manageable risk framework.
1 / 5
A due diligence report classifies a finding as 'high risk: no disaster recovery plan'. What does this mean?
A missing disaster recovery (DR) plan means the company has no tested procedure for restoring operations after a major failure (data centre outage, data corruption, cyberattack). This is high risk for acquirers because a post-acquisition incident could cause major financial and reputational damage, and building a DR capability requires significant investment.
2 / 5
'Medium risk: 80% test coverage but no integration tests.' Why are integration tests important despite high unit test coverage?
High unit test coverage provides confidence that individual functions work correctly in isolation. But many production bugs occur at integration points — between services, at database boundaries, or in API contracts. A system with no integration tests may work perfectly in unit tests but fail when components are assembled together in production.
3 / 5
'The legacy dependency is unsupported.' Why is an unsupported dependency a technical risk?
An unsupported dependency is one where the original maintainer has stopped providing updates, security patches, or bug fixes. This means: known CVEs will remain unpatched, compatibility issues with future platform updates will be unresolved, and the dependency becomes a growing liability over time. Replacing it requires refactoring — which is a cost and schedule risk.
4 / 5
In the risk classification framework, what distinguishes a 'deal-breaker' risk from a 'manageable' risk?
Risk classification helps acquirers make informed decisions: deal-breaker risks (e.g., unresolvable IP issues, active data breaches, hidden liabilities) may cause the acquirer to walk away or dramatically reprice the deal. Manageable risks are real but addressable — they inform the integration plan and may adjust the purchase price but don't invalidate the acquisition.
5 / 5
'We classify risks as deal-breaker, manageable, or acceptable.' What does 'acceptable' mean in this context?
An acceptable risk is one that falls within the acquirer's normal risk tolerance — it's acknowledged, documented, and monitored, but doesn't require specific mitigation. For example, 'the tech stack uses a framework version that is 2 years behind the latest release' may be acceptable if there's no active CVE. The three-tier classification (deal-breaker/manageable/acceptable) helps focus due diligence effort on the risks that matter most.