This Rules/Policy document is provided to you and your organization as a starting point or maturity checkpoint for existing rules/policies. It is brought to you on behalf of Jim McConnell, Principal Owner, and Ask McConnell, LLC — A Converged Security Services Provider. The content is not meant to cover every circumstance, industry, law, regulation, contractual requirement, threat, environment, or risk, but it provides an easy, defendable, highly accountable starting point for any organization. Please consult with your legal counsel and insurance provider about added requirements. If you know of peers that you think would find value in these resources, please have them contact us. These will be updated on our website regularly. We are not legally protecting these documents; we just ask for credit, shout-outs, and referrals if you find them helpful. If you have recommended updates, we are all ears. And if you need Converged Security Consulting and Training, please reach out, we would be honored to serve you and your organization.
Jim McConnell | info@askmcconnell.com | askmcconnell.com
Supplier and Customer Due Diligence Policy
Updated: 23 March 2025
Protecting human lives is the highest requirement of our entire organization, whether those people are employees, customers, volunteers, visitors, or part of our supply chain while under some nexus to our organization. Knowing who our suppliers and customers are is not just for marketing and customer service — it is also critical to avoid doing business with parties that could negatively impact our resources and brand through lack of integrity or involvement in illegal activities.
Definitions:
Due Diligence — A minimum set of checks, verification, and validation on a company and its principal leadership to identify reputation issues that could impact our organization.
Supplier — Generally speaking, a company that we pay, directly or indirectly, that can have a financial, reputation, or brand impact — positive or negative.
Reasonableness note: Performing due diligence on every vendor used for a company picnic or on every small-purchase customer is not practical. Developing clear due diligence criteria, including a threshold that defines which suppliers and customers require a review, is critical.
- I will report supplier and customer security concerns, vulnerabilities, and threats to my supervisor or the organization’s Ethics Hotline as soon as discovered.
- I will verify that a due diligence is completed on all suppliers I use that are required to have one, before receiving products or services from them or providing them any access to organization assets.
- I will verify that a due diligence is completed on all customers I service that are required to have one, before beginning to service them or deliver products to them.
- If I am responsible for supplier and customer due diligence, I will perform all checks as required by law, regulations, and customer requirements before releasing the entity to service or be serviced by our organization — including all applicable checks per our organization’s due diligence criteria (e.g., OFAC/ABC screening, business license verification, litigation history, financial health, cyber security posture).
- I will make sure all due diligences are updated at least yearly, or sooner if required.
- I will place a hold on all products and services from suppliers, and on all deliveries to customers, that I use or service if a due diligence review reveals non-compliance or other red flags.
Signature Note: I am a huge fan of wet signatures on these types of documents for accountability and investigation reasons. You can add the signature lines below to each rule/policy document, or have a collective wet signature with references in the Security Commitment Agreement document available on the One-Pager library page. Organizational preference.
________________________
Print Full Legal Name
________________________
(Blue Ink) Full Legal Signature
Style of signature must closely match Driver’s License
________________________
Date
