We have a fairly new Vendor Management Program (in its first year). We established criteria to define different levels of risk for our organization (see chart below). Each vendor is then classified into its appropriate risk tier, each of which carries different levels of due diligence. This has been our starting point and so far the vast majority of vendors fall into Tier 3, with a minimal number classified as Tier 1. You could call our Tier 1 vendors our "Top 10".
I hope this helps.
Rose Rotonda
Business Continuity & Strategic Planning Officer
Ohio Public Employees Retirement System