Who needs an NDIS incident management policy?
If you are a registered NDIS provider — regardless of size — you are required to have a formal incident management system, and that system must be supported by a documented policy. This requirement sits within the NDIS Practice Standards and is assessed during every certification or verification audit conducted by an approved quality auditor.
This applies to organisations delivering Supported Independent Living (SIL), Specialist Disability Accommodation (SDA), personal care, behaviour support, and any other registered support type. Unregistered providers are not subject to the NDIS Practice Standards directly, but they remain bound by the NDIS Code of Conduct and should maintain incident documentation as a matter of duty of care.
The 2026 strengthened Practice Standards — which the NDIS Commission has been progressively rolling out — place renewed emphasis on provider governance, worker competency, and timely, transparent incident handling. SIL providers are specifically required to meet the High Intensity Daily Personal Activities or SIL-specific modules, which carry additional obligations around risk and incident management.
What the NDIS Practice Standards actually require
The NDIS Practice Standards set out quality indicators that registered providers must meet. The core standard relevant here is 1.9 – Incident Management. Under this standard, providers must demonstrate that they:
- Have a clearly documented system for identifying, managing, and resolving incidents
- Record all incidents in a timely manner
- Take immediate action to protect participant safety when an incident occurs
- Investigate incidents and implement corrective actions to prevent recurrence
- Involve participants and, where appropriate, their supporters, in the incident management process
- Review incidents at an organisational level to identify systemic issues and trends
Critically, a policy document alone does not satisfy these requirements. The auditor will look for evidence that the policy is actively implemented — through staff training records, incident registers, investigation reports, and governance meeting minutes that show leadership is reviewing incident data.
Reportable incidents: a separate but related obligation
Beyond your internal incident management obligations, the NDIS (Incident Management and Reportable Incidents) Rules 2018 impose a legal duty to notify the NDIS Commission of certain incidents.
Reportable incidents include:
- Death of a participant
- Serious injury of a participant
- Abuse or neglect of a participant
- Unlawful sexual or physical contact with, or assault of, a participant
- Use of a restrictive practice that is not authorised
- Sexual misconduct committed by a worker
Initial notifications must be made to the NDIS Commission within prescribed timeframes after the provider becomes aware of the incident. Follow-up reports providing further detail are also required. Your incident management policy must explicitly address how staff identify reportable incidents, who is responsible for lodging notifications, and how your organisation meets these mandatory timeframes.
Failure to notify is a serious compliance breach and can result in enforcement action, including conditions on registration or, in the most serious cases, banning orders against individuals involved.
What a compliant NDIS incident management policy must contain
An auditor assessing your policy against the Practice Standards will expect it to address the following elements at a minimum:
- Purpose and scope: Which support types and locations the policy covers, and the legislative and regulatory framework it operates within (the NDIS Act, the Practice Standards, the Reportable Incidents Rules).
- Definitions: Clear definitions of an "incident," a "reportable incident," a "near miss," and an "allegation" — these terms have specific meanings in the NDIS context and your staff need to understand the distinctions.
- Roles and responsibilities: Who is responsible for recording incidents, investigating them, notifying the Commission for reportable incidents, and reporting to the board or governance body.
- Incident recording: How and where incidents are documented (the incident register), what information must be captured, and timeframes for initial recording.
- Immediate response: Steps workers must take in the immediate aftermath of an incident to protect participant safety and preserve evidence.
- Investigation process: How investigations are conducted, by whom, and how findings and corrective actions are documented and tracked.
- Reportable incident notification: The process for determining whether an incident is reportable, who lodges the NDIS Commission notification, and how your organisation meets the required timeframes.
- Participant involvement: How participants and their supporters are kept informed and involved throughout the process, consistent with their rights under the NDIS Code of Conduct.
- Systemic review: How incident data is aggregated and reviewed at a governance level to identify trends, inform training, and drive continuous improvement.
- Confidentiality and record retention: How incident records are stored securely and for how long, consistent with applicable privacy obligations.
Special considerations for SIL providers
SIL providers operate in a particularly high-scrutiny environment because participants often live with complex support needs and 24-hour staffing arrangements, and face a heightened risk of both worker-on-participant and participant-on-participant incidents.
The NDIS Commission's strengthened Practice Standards framework reinforces expectations around:
- Restrictive practices: Any use of a restrictive practice in a SIL setting must be authorised under the relevant state or territory framework and reported as a reportable incident if used without authorisation. Your policy must detail how staff identify, record, and escalate restrictive practice use.
- Worker screening: Incidents involving workers must trigger a review of whether the worker holds a current NDIS Worker Screening Check and whether any reportable conduct obligations apply under state or territory law.
- Out-of-hours incidents: SIL environments mean incidents frequently occur outside business hours. The policy must clearly assign responsibility for out-of-hours reporting and escalation.
- Participant-to-participant incidents: In shared living environments, incidents between participants are common. The policy should address how these are managed while preserving the dignity and rights of all participants involved.
Consequences of not having a compliant policy
Operating without a documented, implemented incident management system is a direct non-conformance under the NDIS Practice Standards. The practical consequences include:
- A finding of non-conformance at audit, which may trigger a corrective action plan or, in serious cases, referral to the NDIS Commissioner
- Conditions being imposed on your registration or registration being suspended or cancelled
- Civil penalty proceedings if reportable incidents are not notified within required timeframes
- Reputational damage with participants, families, and support coordinators
- Increased liability exposure if an incident leads to legal proceedings and you cannot demonstrate a documented, implemented management system
Beyond compliance, an effective incident management policy is simply good practice. Providers who investigate incidents rigorously and use the findings to improve their systems are demonstrably better at keeping participants safe and retaining staff.
Getting your documentation audit-ready in 2026
If you are preparing for registration, renewal, or a strengthened-standards audit, the practical steps are straightforward:
- Review your current incident management policy (or draft one if you do not have one) against the elements listed above.
- Map your policy to the specific quality indicators in the NDIS Practice Standards — auditors assess against those indicators directly.
- Confirm that your incident register template captures all required fields and that staff know how to use it.
- Conduct a tabletop exercise with your team to test whether they can correctly identify a reportable incident and follow the notification process.
- Schedule at least one governance-level review of incident data per quarter and document that review in your board or management committee minutes.
- Brief all workers on the policy during induction and refresh annually — keep signed acknowledgement records.
Providers building out their compliance documentation from scratch often find that developing each policy in isolation is time-consuming and risks gaps between documents. The ndiscompliant.com.au 74-document SIL compliance kit includes a pre-written, audit-aligned incident management policy alongside the full suite of Practice Standards documentation — which can save significant preparation time ahead of a 2026 audit.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.