An internal document that asserts how the organization will manage third parties and risk. It’s written at a board-level and should include the basic broad framework as to how third-party risk management is handled.