Is a risk management policy mandatory for NDIS registration?

Yes. The NDIS Practice Standards — specifically the Governance and Operational Management core module — require all registered providers to have a documented risk management system. Without one, or with a policy that does not meet the standard, a quality auditor will issue a non-conformance finding that can delay or restrict your registration.

How often does an NDIS risk management policy need to be reviewed?

At a minimum, your policy should be reviewed annually. It should also be reviewed following any reportable incident, a significant near-miss, a change in service types or registration groups, or an adverse finding at audit. Auditors look for evidence — such as meeting minutes or a dated approval signature — that reviews actually occur.

What is the difference between a risk management policy and a risk register?

Your risk management policy sets the framework: purpose, scope, risk appetite, roles, processes, and review cycle. The risk register is the operational tool that records specific identified risks, their current rating, treatment actions, owners, and status. Both are required; the policy must reference the register as a companion document.

Do SIL providers need anything extra in their risk management policy?

Yes. SIL providers must address restrictive practice risks specifically, including cross-referencing their behaviour support obligations, the requirement for a registered behaviour support practitioner, and the state or territory authorisation process for regulated restrictive practices. Failure to include this is one of the most common non-conformances for SIL providers at audit.

Can we use a generic risk management policy template?

A template is a good starting point, but it must be contextualised to your organisation before use. Auditors check that the policy reflects your actual registration groups, service types, staff structure, and governance arrangements. A generic, unedited template with placeholder text will typically result in a non-conformance finding.

What happens if our risk management policy is found non-conformant at audit?

A non-conformance on risk management is considered a significant finding because it sits within the Governance core module. The NDIS Commission may impose conditions on your registration, require a corrective action plan with evidence of resolution within a set timeframe, or in serious cases defer registration renewal until the non-conformance is remedied.

How to write an NDIS risk management policy (2026 template + example)

Why your risk management policy matters more in 2026

The strengthened NDIS Practice Standards — progressively coming into effect from 2026 — place greater emphasis on proactive, evidence-based risk governance rather than paper compliance. For SIL and other high-intensity support providers, quality auditors now look for a risk management framework that is embedded in day-to-day operations, not filed away in a folder and forgotten.

The NDIS Commission's core module on Governance and Operational Management requires that registered providers implement documented risk management systems. A risk management policy is the foundational document that ties your risk register, incident management, restrictive practices safeguards, and worker screening obligations into a single coherent framework. If your policy is absent, generic, or outdated, you risk a non-conformance finding at audit — which can delay registration or trigger conditions on your registration.

What must a compliant NDIS risk management policy include?

Before you write a single sentence, understand what auditors are checking. The NDIS Practice Standards require that providers demonstrate risk management processes addressing at least the following areas:

Participant safety and wellbeing — risks arising from the delivery of supports, including environmental, clinical, and behavioural risks
Workforce risks — worker suitability, fatigue, scope of practice, and the NDIS Worker Screening requirements
Organisational risks — financial sustainability, governance failures, conflicts of interest
Incident and complaint pathways — how risks that materialise are escalated, reported, and reviewed
Restrictive practice risks — for SIL providers, your policy must link directly to your behaviour support and restrictive practices authorisation obligations
Emergency and continuity risks — natural disasters, sudden loss of key personnel, technology failures

Your policy does not need to be exhaustive on its own — it should reference your risk register, your incident management procedure, and your behaviour support policy as companion documents.

Step-by-step: how to write your NDIS risk management policy

Define scope and purpose
State which registration groups and service types the policy covers. For SIL providers, explicitly name Supported Independent Living (registration group 0115) and any other high-intensity groups. Include a short statement of the policy's purpose aligned to the NDIS Practice Standards and the NDIS Act 2013.
Establish a risk management framework
Adopt a recognised framework — most Australian disability providers align to the AS/NZS ISO 31000:2018 Risk Management standard. State which framework you use and why it is fit for purpose in a NDIS registered context.
Define risk categories and a rating matrix
Create a simple likelihood × consequence matrix (commonly a 5×5 grid). Assign plain-language descriptors — "Almost Certain / Rare" for likelihood and "Catastrophic / Negligible" for consequence — so that support workers without a risk management background can apply the matrix consistently.
Assign roles and responsibilities
Name the position (not the individual) responsible for each function: who maintains the risk register, who approves treatment plans, who reports to the NDIS Commission under mandatory notification obligations, and which governance body (board or executive team) receives periodic risk reports.
Document the risk identification and review cycle
Specify how frequently risks are formally reviewed — at minimum annually, and also following any NDIS Commission reportable incident, a change in service type, or a significant near-miss. Auditors look for evidence that the cycle actually occurs, so link this section to your meeting minutes or governance calendar.
Integrate with incident management and mandatory reporting
Reference your Incident Management Policy and the NDIS Commission's incident reporting obligations. The policy should make clear that any event meeting the threshold of a reportable incident under the NDIS (Incident Management and Reportable Incidents) Rules 2018 triggers both an internal risk review and an external notification within the prescribed timeframes.
Address restrictive practice safeguards (SIL-specific)
If your SIL service uses any regulated restrictive practices, your risk management policy must cross-reference your behaviour support obligations, the requirement for a registered behaviour support practitioner, and your authorisation and monitoring processes under state or territory law.
Set a policy review schedule and version control
Include a review date (at least annually), the name of the document owner, a version history table, and an approval signature block. Auditors expect to see version control as evidence that the policy is a living document.

Policy template: essential sections at a glance

Section	What to include
1. Purpose & scope	Why the policy exists; which services and registration groups it covers
2. Legislative context	NDIS Act 2013; NDIS Practice Standards; relevant state/territory laws
3. Risk framework	Adopted standard (e.g. ISO 31000); risk categories; risk appetite statement
4. Risk rating matrix	Likelihood × consequence grid with plain-language descriptors
5. Roles & responsibilities	Who identifies, assesses, treats, monitors, and reports risks
6. Risk register process	How risks are logged, assigned, and tracked to closure
7. Incident integration	Link to Incident Management Policy; mandatory notification triggers
8. Restrictive practices	Cross-reference to behaviour support policy; authorisation requirements
9. Review & continuous improvement	Review frequency; post-incident review; version history

Filled example excerpt: risk appetite and treatment approach

Below is a realistic policy excerpt illustrating the style and depth auditors expect. Adapt this to reflect your organisation's actual context.

Section 3.2 — Risk Appetite

[Organisation name] has a low tolerance for risks that affect the safety, health, or dignity of NDIS participants. The organisation accepts that some degree of inherent risk exists in delivering community-based supports and will manage residual risk to a level as low as reasonably practicable.

The organisation has a moderate tolerance for operational and financial risks where effective controls are in place and residual risk does not compromise participant outcomes.

Any risk rated High or Extreme on the risk matrix must be escalated to the Chief Executive Officer within one business day and tabled at the next scheduled Governance Committee meeting. Treatment actions must be documented in the Risk Register within five business days of identification.

Common mistakes to avoid

Generic off-the-shelf policies with no contextualisation — auditors can tell. Replace every placeholder with your actual services, registration groups, and staff titles.
No link to the risk register — a policy that does not refer to a living risk register is unenforceable. Your register is the evidence the policy is working.
Missing restrictive practices integration — for SIL providers, this is a common non-conformance. If you use regulated restrictive practices, the risk management policy must reference them.
Stale review dates — an outdated policy signals to auditors that governance is not active. Ensure the version on file has been reviewed within the last twelve months.
No named document owner — the policy must assign responsibility. Anonymous policies drift.

Getting audit-ready

A strong risk management policy does not stand alone. Auditors assess it alongside your incident register, complaint logs, NDIS Worker Screening records, and board or management meeting minutes. If any of these companion documents are missing or inconsistent with your policy, you will receive a non-conformance even if the policy itself is well written.

If you are building or refreshing your full compliance document suite ahead of re-registration or a mid-term audit, the 74-document SIL compliance kit at ndiscompliant.com.au includes a pre-built risk management policy template, risk register, and all companion procedures — structured to map directly to the NDIS Practice Standards core and supplementary modules.

Final checklist before submission

Policy states purpose and scope, including registration group numbers
Recognised risk framework named (e.g. ISO 31000)
Risk rating matrix included with plain-language descriptors
Roles and responsibilities assigned by position title
Risk register process documented and referenced
Mandatory incident notification obligations integrated
Restrictive practices section included (if applicable)
Annual review date set and document owner named
Version history table completed and policy approved by governance body

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.