The Right Fit For Risk (RFFR) approach classifies Providers and Subcontractors into categories to obtain accreditation.
- Category One: Providers and Subcontractors delivering Services to 2,000 or more individuals per annum across all of their Deeds. Third Party Employment and Skills (TPES) System vendors obtaining accreditation are also classified as Category One.
- Category Two: Providers and Subcontractors delivering Services to fewer than 2,000 individuals per annum across all of their Deeds. This category includes two sub-categories, referred to as “Category 2A” and “Category 2B” below.
When determining whether a Provider is in Category 2A or 2B, the Department will consider a range of risk factors including the:
- IT environment
- level of outsourcing
- subcontracting arrangements
- organisational structure
- level of security maturity
- extent of sensitive information held and level of access to departmental systems
- other relevant factors.
The Department considers the number of individuals receiving services from the Provider and any subcontractors (“case load”) taken together across all Deeds. Should the Provider or Subcontractor enter new Deeds with the Department that alters the caseload volume, the Department will reassess their categorisation and may require the accreditation to be updated if the categorisation changes.
Each of the Provider categories is associated with its own assurance pathway under the RFFR approach.
The Department will categorise a Provider based on their RFFR questionnaire submission (or equivalent), and additional information obtained through an interview with the Provider. Completion of this interview and categorisation activity marks Milestone 1 in the RFFR process.
The below table provides guidance to Providers on the classification requirements.
| Category | Category 1 | Category 2A | Category 2B |
|---|---|---|---|
| Annual case load | 2,000 or more | Under 2,000 | Under 2,000 |
| Risk profile | Greater risk | Medium risk | Low risk |
| Basis of accreditation | ISO 27001 conforming ISMS (Information Security Management System) - independently certified | ISO 27001 conforming ISMS - self-assessed | Management Assertion Letter |
| Accreditation maintenance | Annual surveillance audit and triennial recertification | Annual self-assessment | Annual management assertion letter |
| Milestones to complete | 1, 2 and 3 | 1, 2 and 3 | 1 and 3 |