Entity has a documented Vendor Management Policy that provides guidance to staff on performing risk assessment of third-party vendors.