Is a risk management policy mandatory for all NDIS providers?

Yes, for all registered NDIS providers. The NDIS Practice Standards require every registered provider to have a documented risk management system in place and to demonstrate that it is operational and regularly reviewed. Unregistered providers delivering higher-risk supports will face the same requirement once mandatory registration provisions take effect.

What is the difference between a risk management policy and a risk register?

Your risk management policy sets out how your organisation identifies, assesses, treats, and reviews risks — it is the governing framework. A risk register is the operational tool: a live document that lists specific risks, their current ratings, the controls in place, and when each risk was last reviewed. Both are required and auditors will expect to see evidence of both.

How often does an NDIS risk management policy need to be reviewed?

At minimum, annually. The policy should also be reviewed following any significant incident, a change in the services you deliver, a change in your participant cohort, or a regulatory change such as the strengthened Practice Standards. Reviews must be documented — a revised date on the policy document alone is not sufficient evidence.

Does my risk management policy need to cover individual participant risks?

Yes. For SIL and most registered supports, the risk management framework must operate at two levels: organisational risks (workforce, financial, reputational) and participant-level risks (safety in the home, health needs, vulnerability to abuse or neglect). Auditors will look for individual risk assessments linked to each participant's support plan.

What happens if my risk management policy does not meet the NDIS Practice Standards?

A non-conformance finding at audit can delay or limit your registration. The NDIS Commission can also issue compliance notices, impose conditions on your registration, or — in serious cases involving participant safety — suspend or revoke your registration and apply civil penalties under the NDIS Act.

Do the 2026 strengthened Practice Standards change what my risk management policy must include?

Yes. The strengthened framework places greater emphasis on participant outcomes, individual risk assessment, and the demonstrated link between risk management and actual practice. SIL providers in particular face stronger requirements around home environment risks, staffing arrangements, and the integration of behaviour support and restrictive practices oversight into their risk management system.

Do you need an NDIS risk management policy? Provider requirements

Who needs an NDIS risk management policy?

If you are a registered NDIS provider, a risk management policy is not optional — it is a compliance requirement under the NDIS Practice Standards. The Standards apply to every registered provider regardless of size, support type, or business structure.

For SIL (Supported Independent Living) providers and those delivering other higher-risk supports — including specialist disability accommodation, behaviour support, and personal activities involving complex health needs — the requirements are more detailed. These providers must meet the High Intensity Daily Personal Activities and Specialist Support modules in addition to the core standards, and risk management sits at the centre of all of them.

With the strengthened NDIS framework taking effect from 2026, the NDIS Commission has clarified that mandatory registration will extend to a broader cohort of providers who previously operated unregistered. If your organisation is preparing for registration, you need a compliant risk management policy in place before your audit — not after.

What the NDIS Practice Standards actually require

The NDIS Practice Standards set out two core requirements that directly concern risk management:

Risk management systems: Providers must have a documented, operational system for identifying, assessing, treating, and monitoring risks — to participants, workers, and the organisation.
Continuous improvement: The risk management system must be reviewed regularly and updated in response to incidents, audits, or changes in service delivery.

These are not tick-box exercises. An approved quality auditor reviewing your organisation against the Standards will expect to see a policy that is actually embedded in practice — evidenced through staff training records, documented risk registers, incident data, and management reviews.

What must a compliant risk management policy cover?

There is no single mandated template, but the NDIS Commission's expectations — reinforced through audit guidance and published practice resources — make clear that a compliant policy must address the following areas:

Purpose and scope: Who the policy applies to, what supports it covers, and how it links to your organisation's broader governance framework.
Risk identification: How you identify risks to participants (including safety, health, abuse, neglect, and exploitation), workers, and the business. SIL providers must specifically address risks arising from the home and living environment, overnight support, and participant-to-participant interactions.
Risk assessment methodology: A defined approach for rating likelihood and consequence — typically using a risk matrix — so that risks are assessed consistently across the organisation.
Risk treatment: How identified risks are controlled or mitigated, including who is responsible for implementing controls and within what timeframe.
Risk register: A maintained register that documents all significant risks, their ratings, controls in place, and review dates.
Incident reporting linkage: How your risk management system connects to your incident management and notification obligations under the NDIS (Incident Management and Reportable Incidents) Rules 2018.
Restrictive practices: For providers that use or authorise regulated restrictive practices, the risk management policy must address the assessment and oversight processes required under the relevant state and territory authorisation frameworks.
Review cycle: How often the policy is reviewed (at minimum annually, and after any significant incident or organisational change), and who holds accountability for that review.
Roles and responsibilities: Named positions (not just individuals) responsible for risk management at each level of the organisation.
Worker training: How workers are trained in risk identification and what records are kept of that training.

The 2026 strengthened framework: what is changing

The NDIS Commission's strengthened Practice Standards — developed following the review of the NDIS Quality and Safeguarding Framework — place greater emphasis on participant outcomes and provider accountability. For risk management, this means auditors will look beyond whether a policy document exists and focus on whether risk management is genuinely shaping how supports are delivered.

Key changes affecting SIL and high-intensity providers include:

Stronger requirements around the individual risk assessment for each participant receiving SIL, including environmental risks in the home.
Greater scrutiny of how providers manage risks arising from staffing ratios, worker capability, and after-hours support arrangements.
Clearer obligations to document and act on feedback and complaints as part of the risk identification process.
Tighter linkage between risk management documentation and behaviour support plans where restrictive practices are involved.

Providers preparing for mid-registration audits or initial registration in 2025–2026 should treat the strengthened Standards as the operative benchmark — not the earlier version.

Consequences of not having a compliant policy

The NDIS Commission has a range of compliance and enforcement powers where providers fail to meet their obligations. These include:

Non-conformance findings at audit: A finding against the risk management standard can delay registration or trigger a conditions-based registration outcome, limiting the supports you can deliver.
Compliance notices: The Commission can issue a compliance notice requiring a provider to take specific action within a defined timeframe.
Suspension or banning orders: In serious cases — particularly where participant safety has been compromised by inadequate risk controls — the Commission can suspend or revoke registration, or ban key personnel.
Civil penalties: Where providers breach conditions of registration, civil penalties may apply under the National Disability Insurance Scheme Act 2013.

Beyond regulatory consequences, the practical risk is straightforward: without a functioning risk management system, incidents that could have been prevented are more likely to occur, and providers are more exposed when they do.

Common gaps auditors find in SIL risk management policies

Based on publicly available NDIS Commission guidance and audit feedback patterns, the most frequent non-conformances in this area include:

Common gap	What auditors look for instead
Policy exists but no risk register is maintained	A live, dated risk register reviewed at defined intervals
Risks identified at organisational level only — no participant-level risk assessments	Individual risk assessments linked to each participant's support plan
Review cycle stated in policy but no evidence reviews have occurred	Signed management review records, version-controlled policy documents
No link between incident data and risk management updates	Demonstrated feedback loop: incidents → risk review → policy or practice change
Workers unaware of the policy or their obligations	Training records, induction acknowledgements, toolbox talk logs

Getting your documentation audit-ready

A risk management policy does not need to be lengthy to be effective — but it does need to be specific to your organisation and your services. A generic template downloaded from the internet and filed away will not satisfy an auditor who is asking your team to explain how risk controls work in practice.

Start by auditing what you already have: a written policy, a risk register, participant-level assessments, training records, and evidence of review. Map those against the NDIS Practice Standards modules relevant to your registration category. Identify the gaps, prioritise by audit timeline, and assign ownership for each remediation task.

For SIL providers managing the full documentation burden — including incident management, behaviour support, restrictive practices, complaints, and worker screening — ndiscompliant.com.au offers a 74-document audit-ready compliance kit built specifically for the 2026 strengthened Standards, which can significantly reduce the time needed to get from gap analysis to submission-ready documentation.

Whatever approach you take, the goal is the same: a risk management system that your workers actually use, that demonstrably protects participants, and that you can evidence to an auditor on the day.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.