Why Your NDIS Risk Register Matters More Than Ever in 2026
A risk register is not a formality — for Supported Independent Living (SIL) providers it is one of the most closely scrutinised documents during an NDIS Commission audit. Under the strengthened NDIS Practice Standards that apply to providers seeking or renewing registration from 2026, auditors are looking beyond the existence of a risk register to its quality, currency, and genuine integration into day-to-day practice.
The NDIS Commission's Practice Standards require registered providers to implement and maintain a systematic risk management approach that identifies, analyses, evaluates, and treats risks to the health, safety, and wellbeing of participants. For SIL providers in particular — who operate high-intensity support environments with complex needs — a weak risk register creates real exposure: to adverse outcomes for participants, to non-conformance findings, and potentially to suspension or cancellation of registration.
The following are the most common mistakes auditors identify in SIL provider risk registers, along with practical guidance on how to fix each one.
Mistake 1: Using a Generic, Non-Participant-Specific Register
Many providers download a template risk register and apply it unchanged across every participant or SIL house. The result is a document full of stock phrases — "risk of falls," "risk of medication error" — with no reference to the specific circumstances of the people living in that home.
The NDIS Practice Standards require that supports and risk management are individualised. An auditor will check whether the risks listed actually reflect the known health conditions, behaviours of concern, environmental hazards, and support needs of the specific participants covered by the register. A generic document fails this test immediately.
The Fix
Draw risks directly from each participant's support plan, behaviour support plan, health management plan, and any previous incident history. Name the participant (or use their identifier) in the relevant risk entry. Risks should be specific enough that a new support worker, reading only the register, would understand the real hazard and the real person involved.
Mistake 2: Failing to Link Risks to the NDIS Practice Standards
A risk register that floats free of the Practice Standards gives auditors nothing to cross-reference. The strengthened framework introduced outcome indicators and quality evidence requirements under each Standard. Providers who cannot demonstrate that their identified risks map to specific Standards — such as the Safe and Supportive Environment Standard, the Responsive Supports Standard, or the High Intensity Daily Activities Standard — struggle to show their governance is coherent.
The Fix
Add a column to your register that references the relevant Practice Standard and, where applicable, the outcome indicator. This one-step change transforms a reactive list of hazards into a compliance-linked governance document. It also makes it significantly easier to report to your board or leadership team against a structured framework.
Mistake 3: Describing Controls Without Evidence They Are Effective
A very common non-conformance finding is a risk register that lists controls — "staff trained in manual handling," "medication locked away," "incident reporting procedure in place" — but contains no reference to how the organisation knows those controls are actually working.
The NDIS Commission expects providers to monitor and review risk controls, not simply record their existence. During an audit, you may be asked to produce the training records, the medication log audits, or the incident data that demonstrates the control is functioning. If the register does not point toward this evidence, it suggests the monitoring has not occurred.
The Fix
For each control, record both the monitoring method and the monitoring frequency. For example: "Staff complete manual handling refresher training annually — records held in HR system, reviewed by Team Leader quarterly." Then actually conduct those reviews and note the date of the last review in the register itself.
Mistake 4: Not Updating the Register After Incidents or Near Misses
The NDIS Commission's incident management requirements under the National Disability Insurance Scheme (Incident Management and Reportable Incidents) Rules place obligations on providers to learn from incidents. Yet in many SIL services, the incident report and the risk register sit in entirely separate systems, with no workflow connecting them.
When an incident occurs — a fall, a medication error, an episode of violence between participants — the risk register should be reviewed. If the hazard that caused the incident is not already in the register, it must be added. If it is in the register but the existing control clearly failed, the control must be revised.
The Fix
Build a mandatory review trigger into your incident management procedure: following every reportable incident and every significant near miss, the responsible manager must check the risk register within a set timeframe (commonly five business days) and document whether an update is required. Make this a standing agenda item at your post-incident debrief.
Mistake 5: Treating the Risk Register as an Annual Document
A register reviewed once a year is insufficient for a SIL environment. Participant circumstances change — new diagnoses, changes in behaviour, new housemates, new support workers, physical modifications to the home. A risk that was rated low twelve months ago may be rated high today.
The NDIS Practice Standards do not prescribe a single review frequency, but auditors assess whether the review cadence is appropriate to the risk level and the operating context. For high-intensity SIL environments, a quarterly review is generally considered a reasonable minimum, with ad hoc reviews triggered by the events described above.
The Fix
Set scheduled review dates in the register itself, and record when each review occurred and who conducted it. Differentiate between a full review (all risks reassessed) and a targeted review (one participant's risks following a change in circumstances). Both are legitimate, but both must be documented.
Mistake 6: Missing Restrictive Practice Risk Entries
For SIL providers who use any regulated restrictive practices — whether environmental restraints, chemical restraints, or any other regulated category — the risk register must address those practices explicitly. This includes risks to participants arising from the use of the practice itself, risks from improper implementation, and risks from failing to comply with authorisation and reporting obligations under the relevant state or territory legislation and the NDIS Commission rules.
Omitting restrictive practice risk entries from a register is a significant gap in high-intensity SIL contexts and almost always surfaces as a non-conformance during audit.
The Fix
Create a dedicated section in your register for restrictive practice risks. Cross-reference each entry with the relevant behaviour support plan, the authorisation status, and the scheduled review date. Ensure the risks reflect not just the practice itself but the governance obligations around it.
Mistake 7: Inconsistent Risk Scoring With No Documented Rationale
When auditors review a register and find that similar risks have been scored very differently — one rated high, an almost identical risk rated low — without any explanation, it signals that the scoring has not been applied systematically. This undermines the credibility of the entire document.
The Fix
Use a consistent risk matrix (likelihood versus consequence) and attach it as an appendix to your register so any reader can reproduce your scoring. Where a risk is scored differently from a superficially similar one, add a brief rationale note. This takes seconds to write but dramatically increases the document's defensibility.
A Practical Risk Register Structure for SIL Providers
A compliant SIL risk register should include at minimum the following columns:
- Risk ID and description (specific, not generic)
- Participant or location reference
- Risk category (health and safety, compliance, operational, financial)
- Relevant NDIS Practice Standard
- Likelihood rating (with rationale)
- Consequence rating (with rationale)
- Overall risk rating
- Current controls
- Monitoring method and frequency
- Responsible person
- Last reviewed date and next review date
- Status (open, being treated, closed)
Getting Audit-Ready for 2026
The strengthened NDIS Practice Standards introduce a greater emphasis on demonstrated outcomes — auditors are increasingly focused on what actually happens for participants, not just what your policies say. A risk register that is specific, evidence-linked, regularly reviewed, and integrated with your incident management system is a concrete demonstration that your governance is real.
If you are working through your full compliance documentation ahead of registration or re-registration, the 74-document audit-ready SIL compliance kit at ndiscompliant.com.au includes a risk register template pre-mapped to the Practice Standards, along with the supporting policies and procedures auditors check alongside it.
Getting the risk register right is one of the highest-leverage compliance tasks a SIL provider can undertake — it underpins your entire risk governance framework and is one of the first documents an auditor will request.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.