Best practice for categorising vendors to determine level of due diligence and oversight required