Why your SIL service needs a compliant incident management policy
For registered NDIS providers delivering Supported Independent Living, an incident management policy is not optional. The NDIS Practice Standards (Quality Indicators) require every registered provider to have a documented system for identifying, recording, managing, investigating, and learning from incidents involving participants. The NDIS Commission's strengthened framework — progressively applied from 2024 and embedded in the 2026 registration renewal cycle — places heightened scrutiny on how SIL providers handle incidents, particularly those involving restrictive practices, abuse, neglect, or unexplained injury.
Failing to demonstrate a compliant policy during an approved quality auditor's assessment is a common reason providers receive non-conformance findings. Getting this right before audit protects participants, protects your registration, and protects your staff.
What the NDIS Commission requires: the legal foundation
Your policy must be grounded in the following instruments:
- The NDIS (Incident Management and Reportable Incidents) Rules 2018 — the primary rules governing what constitutes a reportable incident, timeframes for notification, and investigation obligations.
- The NDIS Practice Standards — specifically the Core Module (Incident Management quality indicator) and, for SIL providers, the High Intensity Supports module requirements.
- The NDIS Code of Conduct — which creates duties for both providers and workers to report incidents and act on concerns.
- Any state or territory restrictive practices authorisation requirements applicable to your operating jurisdiction, since incidents involving regulated restrictive practices carry additional reporting obligations to the Commission.
Under the Incident Management Rules, a reportable incident includes death of a participant, serious injury, abuse or neglect, unlawful sexual or physical contact, use of an unauthorised restrictive practice, and circumstances where a participant goes missing. These must be reported to the Commission within mandated timeframes — with an initial report required very promptly (within 24 hours for the most serious categories) and a follow-up report submitted once the internal investigation is complete.
Step-by-step: how to write your policy
- State the purpose and scope
  Open with a clear purpose statement explaining that the policy governs how your organisation identifies, records, responds to, investigates, and learns from incidents affecting NDIS participants. Specify which services, sites, and staff the policy applies to. For SIL providers, include all supported accommodation settings and any outreach or community participation support delivered alongside SIL.
- Define key terms
  Include plain-English definitions for: incident, reportable incident, near miss, restrictive practice, and investigation. Use the definitions from the NDIS Incident Management Rules so your terminology is audit-consistent. Auditors check that staff understand these terms, so clarity here matters.
- Specify roles and responsibilities
  Clearly assign responsibility for each stage of incident management. At minimum, name the following roles and their obligations:
  - Support worker: immediate response, first aid, participant safety, verbal notification to supervisor.
  - Team leader / shift supervisor: confirm immediate response, complete incident record, notify manager.
  - Incident Manager / Quality Lead: determine reportability, submit Commission notification, initiate investigation, notify participant and their nominated person.
  - CEO / Executive sponsor: oversight of serious incidents, sign-off on corrective action plans, board or governance reporting.
- Set out the reporting pathway and timeframes
  Document the step-by-step pathway from the moment an incident occurs to the Commission notification and internal close-out. Include specific timeframes aligned to the Rules. Your policy should clearly state that initial notification for the most serious reportable incident categories must occur as soon as practicable — and that follow-up reports are required after investigation completion. Do not invent specific hours if you are unsure; instead refer directly to the current NDIS Incident Management Rules for the authoritative timeframe for each category.
- Describe the investigation process
  Your policy must require a documented investigation for every reportable incident. Outline: who conducts the investigation, what evidence is gathered (witness statements, CCTV if available, contemporaneous notes, medical records), how conflicts of interest are managed, and what the investigation report must contain. For incidents involving a specific worker, include the interim risk management steps (such as redeployment away from the affected participant pending outcome).
- Address participant and family notification
  The NDIS Commission and the Code of Conduct require that participants and, where appropriate, their families, guardians, or nominees are informed of incidents affecting them. Your policy should specify who is responsible for this communication, what must be communicated (without compromising investigation integrity), and how the notification is documented.
- Establish corrective action and learning loops
  A compliant policy goes beyond reporting — it must show how your organisation uses incident data to improve. Include: a corrective action register, requirements for root-cause analysis on serious incidents, how findings feed back into training and policy review, and a schedule for periodic review of incident trends (for example, at team meetings and governance committee meetings).
- Link to related policies
  Cross-reference your Complaints Management Policy, Restrictive Practices Policy, Safeguarding Policy, and Whistleblower / Worker Protection Policy. Auditors expect to see these documents operating as a coherent system, not in isolation.
- Include document control details
  Every policy must carry a version number, review date, document owner, and approval authority. The NDIS Practice Standards quality indicators require evidence of regular policy review — annually at minimum, or after a significant incident or regulatory change.
Policy excerpt: what a completed section looks like
The following is a realistic example of how a reporting timeframe section might read in a finished policy:
| Incident category | Internal notification | Commission notification | Follow-up report |
|---|---|---|---|
| Death of a participant | Immediately to Incident Manager and CEO | As soon as practicable (refer to current NDIS Incident Management Rules) | Within timeframe specified in Rules, once investigation complete |
| Serious injury | Within 1 hour to Team Leader and Incident Manager | As soon as practicable | On investigation completion |
| Unauthorised restrictive practice | Immediately to Incident Manager | As soon as practicable | On investigation completion |
| Abuse or neglect | Immediately to Incident Manager and safeguarding lead | As soon as practicable | On investigation completion |
Note: always verify exact timeframes against the current NDIS (Incident Management and Reportable Incidents) Rules 2018 and any amendments, as these can be updated by the Commission. Your policy should cite the Rules directly rather than reproduce specific numbers that may become outdated.
Common non-conformances auditors flag
- Policy defines incidents too narrowly — omitting near misses, restrictive practice incidents, or financial abuse.
- Timeframes are absent or vague — "as soon as possible" without reference to the Rules is insufficient.
- No participant notification requirement — this is a specific obligation that many policies miss entirely.
- Investigation process lacks conflict-of-interest controls — investigations conducted by a person who was involved in the incident are a red flag for auditors.
- No evidence of review and learning — the policy exists but there are no records showing incidents are analysed for systemic patterns.
- Document control is missing — undated, unversioned policies cannot demonstrate they are current.
Getting your full compliance document suite in order
An incident management policy works in concert with the rest of your compliance framework. If you are preparing for a 2026 registration or renewal audit and need to build or update your full document suite, the 74-document audit-ready SIL compliance kit at ndiscompliant.com.au covers incident management alongside complaints, restrictive practices, safeguarding, staffing, and all other Practice Standards modules — structured for SIL providers operating under the strengthened framework.
Once your policy is drafted, test it against the NDIS Commission's self-assessment tool and ensure frontline staff can describe the reporting pathway without referring to the document — that practical knowledge is what auditors probe in worker interviews.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.