Who needs an NDIS risk register?
If you are a registered NDIS provider, a risk register is not optional. The NDIS Practice Standards — the benchmark against which all registered providers are audited — require organisations to implement and maintain systematic approaches to identifying, assessing, and managing risk. A risk register is the core document that gives this requirement its practical form.
This obligation applies across all registration groups, but the depth and rigour expected scales with the complexity of the supports you deliver. Providers of Supported Independent Living (SIL), specialist disability accommodation (SDA), and high-intensity daily personal activities are subject to the most demanding requirements. For these providers, a superficial or incomplete risk register is one of the most common grounds for a non-conformance finding during a certification audit.
Unregistered providers are not subject to the Practice Standards directly, but the NDIS Code of Conduct — which applies to all providers and workers — still requires that supports be delivered safely and competently. In practice, any provider serious about participant safety and continuity of service should maintain some form of risk documentation regardless of registration status.
The regulatory foundation
The NDIS Commission's Practice Standards set out the outcomes providers must achieve. The strengthened framework, which the Commission has been progressively rolling out ahead of the 2026 mandatory registration expansion, has sharpened the governance and operational management standards. Key obligations relevant to risk registers include:
- Governance and operational management: Providers must have clearly documented systems for identifying and managing risks to participants, workers, and the organisation.
- Risk management: Providers are required to identify risks, assess their likelihood and consequence, implement controls, and review the register regularly — particularly after incidents, complaints, or significant changes in service delivery.
- Incident management: The incident management system and the risk register must be linked. A pattern of incidents should trigger a risk review and update to the register.
- Continuity of supports: Providers must plan for risks that could disrupt service delivery, such as staff shortages, technology failures, or premises unavailability. These scenarios belong in the risk register.
- Human rights and restrictive practices: Where restrictive practices are used, associated risks to participant rights and safety must be documented and reviewed.
The National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018 (Cth) give the Practice Standards their legal weight. An approved quality auditor assessing your organisation will cross-reference your risk register against these standards.
What must your risk register contain?
The NDIS Commission does not prescribe a single mandatory template, but quality auditors look for a register that demonstrates genuine, systematic risk management rather than a document produced solely for audit purposes. At minimum, a compliant risk register should include the following fields for each identified risk:
- Risk ID and description: A unique identifier and a plain-English description of what could go wrong.
- Risk category: Common categories for SIL providers include participant safety, workforce, compliance and regulatory, financial, technology, and business continuity.
- Likelihood rating: Typically scored on a scale (e.g., rare through to almost certain), using your organisation's defined criteria.
- Consequence rating: Scored by the severity of impact on participants, workers, or the organisation (e.g., minor through to catastrophic).
- Risk rating: The combined likelihood–consequence score, usually expressed as low, medium, high, or extreme using a risk matrix.
- Existing controls: What you are already doing to reduce the risk.
- Residual risk rating: The rating after existing controls are applied.
- Treatment actions: Further steps planned to reduce residual risk to an acceptable level.
- Risk owner: The named role responsible for monitoring and managing this risk.
- Review date: When this entry was last reviewed and when the next review is scheduled.
- Status: Whether the risk is open, being treated, or closed.
Risks that SIL providers must not overlook
Many SIL providers maintain a register but leave out categories that auditors specifically look for. The following risk areas are particularly scrutinised in SIL and disability accommodation contexts:
- Participant-to-participant incidents: Where multiple participants share a dwelling, the risk of harm between residents must be explicitly addressed.
- Use of restrictive practices: Any regulated restrictive practice carries inherent risk to participant rights. Each practice in use should appear as a documented risk with corresponding controls.
- Medication administration errors: For SIL providers supporting participants with complex health needs, medication error is a high-consequence risk requiring robust controls and monitoring.
- After-hours and emergency staffing: Thin staffing ratios overnight or on weekends represent a continuity-of-supports risk that must be planned for.
- Abuse, neglect, and exploitation: These risks should be explicit in the register, not assumed to be covered by your general safeguarding policy. Controls should reference your safeguarding policy, reportable incidents obligations, and worker screening procedures.
- Key-person dependency: Many smaller SIL providers depend heavily on one or two senior staff. This represents an organisational risk to service continuity.
- Financial viability: The Commission pays attention to providers' financial sustainability. A register that omits financial risk categories will draw questions.
How often must you review your risk register?
The Practice Standards do not specify a single mandatory review frequency, but the expectation embedded in governance requirements is that reviews are conducted at regular intervals and in response to triggering events. Best practice — and the pattern auditors look for — is:
- A full review at least annually, aligned with your organisation's governance calendar.
- A targeted review following any serious incident, near-miss, complaint outcome, or change in the service environment.
- A review following changes to the NDIS Practice Standards or relevant legislation.
- Ongoing monitoring of high and extreme risks, with the review date noted in the register.
Evidence of regular review — meeting minutes, version control on the document, or a review log attached to the register — is what distinguishes a live risk management system from a document created for audit and then forgotten.
Consequences of not having a risk register
During a certification or verification audit, an absent or inadequate risk register is one of the clearest pathways to a non-conformance finding. Depending on severity, this can result in:
- A non-conformance that must be remediated before registration is granted or renewed.
- Conditions placed on your registration, limiting the supports you can deliver.
- In cases where the absence of risk management has contributed to participant harm, regulatory action under the NDIS Act, including banning orders or civil penalties.
Beyond audit consequences, a provider without a functioning risk register is genuinely more likely to experience preventable incidents — with direct costs to participants, workers, and the organisation.
Practical steps to build or strengthen your risk register
- Adopt a risk matrix your whole team can use. Choose likelihood and consequence scales and define them clearly so that ratings are consistent regardless of who completes the entry.
- Conduct a risk identification workshop. Involve frontline workers, coordinators, and managers. Frontline staff often identify risks that management documentation misses.
- Map your register to the Practice Standards. Work through each standard that applies to your registration groups and ask: what could prevent us from meeting this outcome? Each answer is a candidate risk.
- Link the register to your incident data. Review your incident register quarterly and ask whether recurring incident types represent an unaddressed or under-controlled risk.
- Assign ownership at role level, not to an individual by name. When a staff member leaves, the risk does not disappear. Ownership should sit with a role title so accountability transfers automatically.
- Version-control the document. Date every revision and keep prior versions. Auditors want to see a history of genuine engagement with the document, not a freshly minted register.
- Review at every board or management meeting. Include a standing agenda item for risks rated high or extreme. Record in your minutes that it was discussed.
Template excerpt: what an entry looks like
| Risk ID | Description | Category | Likelihood | Consequence | Risk Rating | Controls | Owner | Next Review |
|---|---|---|---|---|---|---|---|---|
| R-014 | Participant receiving high-intensity support experiences medication error due to worker unfamiliarity with complex medication regime | Participant Safety | Possible | Major | High | Medication management plan in place; high-intensity worker competency verified on induction; monthly supervisor spot-checks; incident reporting obligation communicated to all staff | Service Delivery Manager | Quarterly or following any medication incident |
Providers working through the 2026 mandatory registration changes and building their governance documentation from scratch may find it useful to work from an audit-ready template set. The ndiscompliant.com.au 74-document SIL compliance kit includes a pre-structured risk register template mapped to the current Practice Standards, alongside the full suite of policies, procedures, and forms auditors look for — a practical starting point rather than a blank page.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.