ESG Due Diligence Checklist (HealthTech / Biotech)
Purpose: provide a concise, investor‑grade checklist to evaluate ESG risks and controls during deal screening and confirmatory diligence—without slowing transaction speed.
How to use
For each item, record: Status (Yes/Partial/No), Priority (H/M/L), and Evidence/Notes (link or reference). Treat any “No” in Privacy/Security/Clinical as a gating item before close.
1) Governance
| Item | Status (Y/P/N) | Priority (H/M/L) | Evidence / Notes |
|---|---|---|---|
| Board oversight of ESG and AI ethics (committee, cadence, minutes). | |||
| Code of conduct and supplier code aligned to healthcare standards. | |||
| AI/ML governance policy (data provenance, model risk, human oversight). | |||
| Privacy & security governance (DPO/CISO named; DPIA/TRA performed). | |||
| Whistleblowing & incident response (hotline, documented playbooks). | |||
| ESG KPIs reported to the board (targets, accountability owners). |
2) Environmental
| Item | Status (Y/P/N) | Priority (H/M/L) | Evidence / Notes |
|---|---|---|---|
| Energy & cloud footprint measured (Scopes 1–2; major Scope 3 categories). | |||
| Data center/cloud procurement includes energy and location criteria. | |||
| E‑waste & hardware lifecycle policy (devices, medical peripherals). | |||
| Supplier environmental screening (critical vendors assessed). | |||
| Reduction roadmap with milestones (efficiency, renewables, offsets policy). |
3) Social
| Item | Status (Y/P/N) | Priority (H/M/L) | Evidence / Notes |
|---|---|---|---|
| Patient safety & clinical risk management (QMS, CAPA, post‑market). | |||
| Algorithmic bias monitoring (representative data, fairness testing). | |||
| Diversity, equity & inclusion policy with metrics (hiring, leadership). | |||
| Workforce well‑being & training (security, privacy, clinical safety). | |||
| Patient communication & consent clarity (readability, localization). |
4) Compliance & Risk
| Item | Status (Y/P/N) | Priority (H/M/L) | Evidence / Notes |
|---|---|---|---|
| Regulatory mapping (MDR/FDA classification, pathway, evidence plan). | |||
| Privacy compliance (GDPR/HIPAA equivalents, data transfer controls). | |||
| Security controls (ISO 27001/SOC2, pen tests, incident logs). | |||
| Clinical evaluation & evidence (RWE/RCTs; endpoints aligned to payers). | |||
| ESG reporting readiness (policies, KPIs, limited assurance options). | |||
| Third‑party & supply chain risk (DPAs, SLAs, critical vendor monitoring). |