Governance and Operational Management is one of the core modules that registered NDIS providers must satisfy under the NDIS Practice Standards. For Supported Independent Living (SIL) providers and other registered disability-support organisations, it is also one of the most consistently problematic areas when approved quality auditors conduct certification or verification audits. A non-conformance finding in this module can delay registration, attract conditions, or — in serious cases — trigger enforcement action by the NDIS Quality and Safeguards Commission.
This article walks through the indicators auditors examine, the non-conformities they most commonly record, and the practical steps providers can take to fix each one.
What Auditors Are Actually Looking For
Under the NDIS Practice Standards, the Governance and Operational Management module requires providers to demonstrate that their organisational structure, leadership accountability, policies, risk management, and operational processes are fit for purpose and consistently applied. Auditors are not simply checking whether documents exist — they are looking for evidence that the governance framework is understood, owned, and lived across the organisation.
Common evidence sources reviewed during audit include:
- Board or leadership meeting minutes and terms of reference
- Policy and procedure registers, including version control and review dates
- Risk registers and records of risk-review activities
- Staff acknowledgement of policies and procedure updates
- Records of internal audits, management reviews, or quality meetings
- Delegation of authority frameworks and role descriptions
- Evidence that operational decisions are documented and tracked
The Top Non-Conformities — and How to Fix Them
1. Accountability Structures Are Unclear or Undocumented
Auditors frequently find that providers cannot clearly demonstrate who is responsible for governance oversight. This surfaces as missing or generic terms of reference for boards, advisory committees, or leadership teams; absent conflict-of-interest registers; or no documented process for how the board receives and acts on operational performance information.
The fix: Establish and document a clear governance chart that identifies each leadership role, their accountabilities, and how they interface with the board or governing body. Ensure terms of reference are reviewed at least annually and that board agendas and minutes record substantive governance decisions — not just attendance.
2. Policies Are Outdated, Inaccessible, or Not Reviewed on Schedule
The most common single finding across governance audits is a policy register where review dates have lapsed — sometimes by years. The NDIS Commission expects providers to maintain a current, accessible suite of policies that reflect the NDIS Code of Conduct, the Practice Standards, and any legislative changes (including updates flowing from the strengthened 2026 framework). Policies stored on a shared drive that staff cannot locate, or policies that reference superseded legislation, are a clear non-conformance.
The fix:
- Audit your entire policy register. Identify every document with a review date that has passed or is within the next three months.
- Assign each policy a named owner responsible for review.
- Build a recurring calendar reminder into your quality management system so reviews happen before expiry, not after.
- Ensure policies are stored in a single, version-controlled location that all relevant staff can access.
- Record staff acknowledgement when policies are updated, particularly for high-risk areas such as restrictive practices, incident management, and complaints.
3. Risk Management Is Treated as a Paperwork Exercise
Providers often maintain a risk register but cannot demonstrate that it is a living document. Auditors look for evidence of regular risk review (including escalation, closure of resolved risks, and addition of emerging risks), linkage between the risk register and operational decisions, and clear ownership of each risk. A static risk register that has not been updated in six or more months is a common non-conformance, as is a register that lists generic risks with no site-specific or participant-specific context.
The fix: Schedule risk register reviews into your regular leadership or quality meeting cadence — at minimum quarterly, and following any significant incident or organisational change. Each risk entry should record the risk owner, the current control measures, the residual risk rating, and the date of last review. For SIL providers, ensure participant-level risk information is linked back to the organisation-wide register where systemic patterns emerge.
4. Management Reviews Are Missing or Superficial
The Practice Standards require providers to conduct formal management reviews of their quality system. Auditors commonly find either that no documented management review has occurred, or that what was recorded is a brief agenda item with no substantive analysis of performance data, complaints, incidents, or audit outcomes.
The fix: Conduct at least one formal management review per year (more frequently for larger or higher-risk operations). The review should draw on data from complaints, incidents, restrictive practice notifications, worker screening outcomes, internal audit findings, and participant feedback. Document the inputs, the discussion, the decisions made, and the actions assigned with due dates.
5. Incident and Complaints Data Is Not Feeding Back into Governance
A non-conformance that is growing in prevalence — particularly following Commission enforcement activity — is the failure to close the loop between incident and complaints reporting and governance-level oversight. Providers may be reporting incidents to the Commission correctly but have no internal process for the board or leadership to receive trend analysis, identify systemic issues, or drive improvement actions.
The fix: Establish a monthly or quarterly governance report that summarises incident categories, complaint themes, restrictive practice usage, and any Commission correspondence. The governing body should formally receive and minute this report, and record any decisions or actions arising from it.
6. Delegation of Authority Is Absent or Not Followed in Practice
Many providers have an informal understanding of who can authorise what — but no written delegation framework. Auditors checking financial delegations, policy approval authority, or staff disciplinary authority frequently find that decisions are made outside documented boundaries, or that no boundaries have been documented at all.
The fix: Produce a simple delegation-of-authority table that maps each operational decision type (financial approval, policy sign-off, incident reporting sign-off, restrictive practice authorisation) to the role with authority to make it. Review this table when organisational structure changes.
7. Evidence of Continuous Improvement Is Weak
Governance is not just about structure — it is about learning and improving. Auditors look for evidence that the provider identifies gaps, implements corrective actions, and verifies that those actions have been effective. Providers who cannot demonstrate a closed-loop corrective action process — from identification through to verification — consistently receive non-conformance findings under the operational management element.
The fix: Implement a simple corrective and preventive action (CAPA) register. Every non-conformance, complaint theme, or audit finding should generate a CAPA entry with a root cause analysis, a planned action, a responsible person, a due date, and a field for recording verification of effectiveness. Review open CAPAs at each management review.
A Practical Pre-Audit Governance Checklist
| Area | What to check | Status |
|---|---|---|
| Leadership accountability | Board/leadership terms of reference current and signed | [ ] |
| Policy register | All policies reviewed within scheduled period; version-controlled | [ ] |
| Risk register | Updated within last quarter; each risk has an owner | [ ] |
| Management review | Formal review conducted and minuted in past 12 months | [ ] |
| Incident/complaints loop | Trend data presented to governing body; actions recorded | [ ] |
| Delegation framework | Written delegation table exists and is followed in practice | [ ] |
| CAPA register | All open corrective actions have due dates and owners | [ ] |
| Staff policy acknowledgement | Records of staff sign-off on current policy versions | [ ] |
The 2026 Strengthened Framework — What Changes for Governance
The strengthened NDIS Practice Standards introduce more explicit expectations around provider self-assurance and demonstrable governance maturity. Providers should expect auditors to probe more deeply into how the governing body exercises genuine oversight — not simply rubber-stamps management reports. SIL providers in particular will face scrutiny of how governance arrangements translate into the day-to-day safety and quality of supports delivered in participants' homes. Boards and leadership teams that have not yet engaged substantively with governance as an ongoing practice, rather than a documentation exercise, should prioritise doing so before their next audit cycle.
If your organisation needs a head start, ndiscompliant.com.au offers a 74-document audit-ready SIL compliance kit that covers the Governance and Operational Management module alongside all other Practice Standards areas — a practical resource for providers who want structured, ready-to-customise documentation rather than building from scratch.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.