Service Agreement Information Kit for Funded Organisations

3.20.2 Risk management

Disclaimer: this disclaimer must be read in conjunction with the content of this page.

Risk management is an integral part of good management and governance practice.

Among other things, organisations with a Service Agreement are required to:

  • manage risk in accordance with Australian/New Zealand Risk Management Standard: AS/NZS ISO 31000:2009 (Australian Standard)
  • have a chief executive officer or board member of the organisation attest to the department annually that, among other things, its risk management processes are consistent with, and that the organisation has managed risk in accordance with, the Australian Standard.

The 'Guide to risk attestation under the service agreement' (Word 277KB) has been developed to support organisations in making this attestation. The guide has been developed in consultation with the Service Agreement Working Group and the Victorian Managed Insurance Authority (VMIA).

The attestation is to be made online via the Service Agreement Module on Funded Agency Channel. Instructions for accessing the module are available on the Funded Agency Channel under User guidelines.

Commencing July 2016, the risk attestation will be incorporated into the Service Agreement Compliance Certification (SACC) form. For more information, refer to section 3.8.1 Reporting and accountability.

Timelines for making the risk attestation

The risk attestation due date is aligned to an organisation's Financial Accountability Requirements (FAR) due date.

The risk attestation is due within three months from an organisation's financial operating period, or seven days after an organisation's annual general meeting (AGM), unless otherwise agreed by the department in writing.

For an organisation operating on a financial year basis, the attestation is due by 1 October each year or seven days after the AGM. For organisations operating on a calendar year basis, the attestation is due by 1 April each year, or seven days after the AGM.

If an organisation operates on a different financial operating period, an organisation can add three months from the beginning of its operating period, or seven days after its AGM to determine the risk attestation due date.

The primary contact of an organisation will be sent a request to complete the online risk attestation well before the due date. This request will normally be by email. The request will include instructions for accessing and completing the online risk attestation.

Further information

A range of risk management resources are available from the Victorian Managed Insurance Authority (VMIA) website. A list of key VMIA resources is provided in the 'Guide to risk attestation under the Service Agreement' (Word 277KB).

A Frequently Asked Questions page 'FAQs Risk Attestation for funded agencies' is available on the VMIA 'Risk Attestation for CSOs - For funded agencies with a service agreement' web page.

For further information regarding risk management your organisation can also contact VMIA at

Staff seeking information relating to SACC, please email:

Please email any questions on the Service Agreement and these requirements to