What Is an NDIS Risk Register and Why Does It Matter in 2026?
A risk register is a structured record of the risks facing your NDIS registered provider organisation — and how you are managing each one. It is not a one-off checklist. It is a living governance document that must be maintained, reviewed, and acted upon.
Under the strengthened NDIS Practice Standards that the NDIS Commission has progressively implemented, risk management is embedded across several parts of the core module rather than confined to a single standard. Approved quality auditors (AQAs) assess whether your risk register is current, credible, and connected to your actual operations. An outdated or generic register is among the most common non-conformances raised during certification audits of SIL providers.
If you support participants in a Supported Independent Living setting, the stakes are higher still. SIL environments carry inherent risks — from medication management and restrictive practices through to fire safety and incident escalation — and your risk register must reflect that complexity.
What the NDIS Practice Standards Require
The NDIS Practice Standards set out quality indicators that all registered providers must meet. The Risk Management standard, which sits within the Provider Governance and Operational Management core module, requires providers to:
- Identify risks to participants, workers, and the organisation
- Assess the likelihood and consequence of each identified risk
- Put controls in place to treat or mitigate those risks
- Assign responsibility for each risk to a named role
- Review risks at planned intervals and after significant incidents
- Ensure risk management is integrated with your quality management system
The Code of Conduct reinforces this through obligations on providers to act with integrity, deliver supports safely, and maintain systems that protect participants from harm. Where restrictive practices are used in a SIL setting, the risk register must cross-reference your behaviour support plans and the relevant state or territory authorisation requirements.
Step-by-Step: How to Write Your NDIS Risk Register
- Define your risk categories. Group risks into logical categories so nothing falls through the gaps. Common categories for SIL and disability-support providers include: participant safety and wellbeing; workplace health and safety; financial and commercial; compliance and regulatory; information technology and data; governance and management; and reputation and stakeholder relations.
- Identify risks within each category. Run a structured risk identification exercise involving your management team, frontline support workers, and — where appropriate — participants themselves. Brainstorm what could go wrong, what has gone wrong historically (check your incident register), and what external changes (regulatory, environmental, staffing) might create new exposures.
- Write each risk as a risk statement. A clear risk statement follows the format: "The risk that [event] occurs, resulting in [consequence]." Avoid vague entries like "staff issues" — instead write: "The risk that inadequate staffing ratios during overnight shifts result in a participant not receiving timely support, causing harm."
- Rate likelihood and consequence. Use a consistent rating scale, typically 1 to 5 (Rare / Unlikely / Possible / Likely / Almost Certain for likelihood, and Insignificant / Minor / Moderate / Major / Catastrophic for consequence). Document the criteria behind each rating so that different assessors apply the scale consistently across the register.
- Calculate a risk level (inherent risk). Multiply or matrix-map your likelihood and consequence scores to produce an overall risk level: Low, Medium, High, or Extreme. This is the inherent risk — what exists before controls are applied.
- Document existing controls. For each risk, describe the controls already in place (policies, procedures, training, supervision arrangements, technology). Be specific — reference the actual policy name or procedure number where possible.
- Rate the residual risk. After controls, re-assess likelihood and consequence to produce a residual risk level. This tells you how much risk remains even with current controls in place.
- Identify treatment actions. For any residual risk rated Medium or above, document the additional action needed, the person responsible, and the target completion date.
- Assign a risk owner. Every row in your register must name a role (not just a person) responsible for monitoring and reporting on that risk. For SIL providers, this often means the House Manager, Practice Leader, or a member of the senior leadership team.
- Set review dates. At minimum, review your full register annually. Review individual risks immediately following a related incident, a regulatory change, or a significant operational change such as opening a new SIL home.
Example: Completed Risk Register Row
| Risk ID | Category | Risk Statement | Likelihood | Consequence | Inherent Risk | Existing Controls | Residual Risk | Treatment Action | Owner | Review Date |
|---|---|---|---|---|---|---|---|---|---|---|
| R-014 | Participant Safety | The risk that a participant's medication is administered incorrectly, resulting in adverse health outcomes or hospitalisation. | Possible (3) | Major (4) | High (12) | Medication management policy; competency-assessed administration; medication charts double-checked by senior staff; incident reporting for all medication errors. | Medium (6) | Implement monthly medication audits; add medication safety to induction checklist; review after any medication incident. Target: 31 July 2026. | Practice Leader | 30 June 2026 |
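The rating steps above, applied to the worked row, as an added example (this is illustrative code written for this article, not a tool from the NDIS Commission or any provider). It computes inherent and residual risk levels from the 1 to 5 scales and then runs the checks an auditor would make on a row: a named owner, a treatment action where residual risk is Medium or above, no overdue open actions, a review within twelve months, and a review after any linked incident. The Low/Medium/High/Extreme score bands, the field names, the residual ratings for R-014 (Unlikely x Moderate, since the table gives only the score of 6), the last-reviewed date, and the second row R-099 are all assumptions.

```python
"""Risk rating and audit-readiness checks for an NDIS-style risk register.

Added example, not code from the original article. The score bands, field
names, the residual ratings and last-reviewed date for R-014, and the weak
row R-099 are assumptions; align them with your documented rating criteria.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Assumed score bands for the 5x5 matrix. They reproduce the worked row:
# Possible x Major = 12 -> High, and a residual score of 6 -> Medium.
BANDS = [(16, "Extreme"), (10, "High"), (5, "Medium"), (1, "Low")]


def risk_level(likelihood: str, consequence: str) -> tuple:
    """Multiply the 1-5 likelihood and consequence ratings and band the product."""
    score = LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]
    for floor, label in BANDS:
        if score >= floor:
            return score, label
    raise ValueError(f"score {score} outside the 1-25 matrix")


@dataclass
class Risk:
    risk_id: str
    statement: str
    likelihood: str            # inherent rating, before controls
    consequence: str
    residual_likelihood: str   # re-assessed with existing controls in place
    residual_consequence: str
    owner: Optional[str]       # a role, not a person
    treatment_action: Optional[str]
    treatment_due: Optional[date]
    treatment_status: str      # "open" / "in progress" / "closed"
    last_reviewed: date


GENERIC_OWNERS = {"", "management", "everyone", "tbc", "tba"}


def audit_findings(risk: Risk, today: date, incidents: Iterable[date] = ()) -> list:
    """Return the gaps an auditor would flag for one register row.

    `incidents` holds dates of incidents linked to this risk in the incident
    register; any incident after the last review means a review is overdue."""
    findings = []
    inherent_score, _ = risk_level(risk.likelihood, risk.consequence)
    residual_score, residual = risk_level(risk.residual_likelihood, risk.residual_consequence)

    if residual_score > inherent_score:
        findings.append("residual risk exceeds inherent risk; re-check ratings")
    if risk.owner is None or risk.owner.strip().lower() in GENERIC_OWNERS:
        findings.append("no named accountable role as owner")
    if residual in ("Medium", "High", "Extreme") and not risk.treatment_action:
        findings.append(f"residual {residual} but no treatment action recorded")
    if risk.treatment_action and risk.treatment_status != "closed":
        if risk.treatment_due is None:
            findings.append("open treatment action has no due date")
        elif risk.treatment_due < today:
            findings.append(f"treatment action overdue since {risk.treatment_due}")
    if today - risk.last_reviewed > timedelta(days=365):
        findings.append(f"not reviewed in 12 months (last reviewed {risk.last_reviewed})")
    if any(d > risk.last_reviewed for d in incidents):
        findings.append("related incident recorded after last review; review required")
    return findings


# Constructed sample rows. R-014 mirrors the worked row above; its residual
# ratings and last-reviewed date are assumed. R-099 is a deliberately weak row.
R014 = Risk(
    risk_id="R-014",
    statement="The risk that a participant's medication is administered incorrectly, "
              "resulting in adverse health outcomes or hospitalisation.",
    likelihood="Possible", consequence="Major",
    residual_likelihood="Unlikely", residual_consequence="Moderate",
    owner="Practice Leader",
    treatment_action="Implement monthly medication audits; add medication safety to induction",
    treatment_due=date(2026, 7, 31), treatment_status="in progress",
    last_reviewed=date(2025, 6, 30),
)
R099 = Risk(
    risk_id="R-099", statement="Staff issues.",
    likelihood="Likely", consequence="Moderate",
    residual_likelihood="Likely", residual_consequence="Moderate",
    owner="Management", treatment_action="Review rosters",
    treatment_due=date(2025, 12, 1), treatment_status="open",
    last_reviewed=date(2024, 10, 15),
)
TODAY = date(2026, 3, 2)                 # assumed audit date
INCIDENTS_R099 = [date(2025, 11, 20)]    # constructed linked incident

if __name__ == "__main__":
    for risk, incidents in ((R014, []), (R099, INCIDENTS_R099)):
        print(risk.risk_id, risk_level(risk.likelihood, risk.consequence),
              "->", risk_level(risk.residual_likelihood, risk.residual_consequence))
        for finding in audit_findings(risk, TODAY, incidents):
            print("  -", finding)
```

Running it shows R-014 as High (12) reducing to Medium (6) with no findings, while R-099 collects four: a generic owner, an overdue treatment action, a review older than twelve months, and an incident logged after the last review. Extending the checks to a whole register is a matter of looping over rows loaded from your spreadsheet export.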
What Approved Quality Auditors Look For
When an AQA conducts your certification or verification audit, they will look well beyond the existence of a document. Expect scrutiny of:
- Currency: Is the register dated? Has it been reviewed within the last twelve months, or after relevant incidents?
- Completeness: Does it cover all material risk categories, including risks specific to SIL settings (overnight support, medication, restrictive practices, participant-to-participant incidents)?
- Evidence of use: Are treatment actions closed out? Do meeting minutes or governance reports reference the risk register?
- Integration: Is the risk register referenced in your incident management system, quality improvement register, and board or management reporting?
- Worker awareness: Can frontline workers describe how risks in their setting are identified and reported? (Auditors may interview staff.)
Common Mistakes SIL Providers Make
- Copying a template without customising it. Generic risk registers that do not reflect your actual participant cohort, staffing model, or service locations are quickly identified by auditors.
- No residual risk rating. Listing only the inherent risk without demonstrating how controls reduce that risk is a common gap.
- Risks with no owner. Every risk must have a named accountable role. "Management" is not sufficient.
- No evidence of treatment action completion. Open treatment actions with past-due dates suggest the register is not actively managed.
- Ignoring participant-specific risks. The risk register must integrate with individual participant risk assessments, not sit in isolation from them.
- Failing to update after incidents. If a reportable incident occurs and the register is not reviewed, this represents a governance failure that auditors will note.
Template Structure: Minimum Columns for a Compliant Register
At minimum, your risk register table should include the following columns:
- Risk ID
- Date identified
- Risk category
- Risk statement (event + consequence)
- Likelihood rating (with scale defined)
- Consequence rating (with scale defined)
- Inherent risk level
- Existing controls
- Residual risk level
- Treatment action (if residual risk is Medium or above)
- Treatment action owner
- Treatment due date
- Status (open / in progress / closed)
- Next review date
- Date last reviewed
Maintain a version history and document approval by your governing body or senior management at each review cycle.
Integrating Your Risk Register With the Broader Compliance System
A risk register that sits in isolation is only partially useful. To meet the intent of the NDIS Practice Standards, connect it to:
- Your incident management system — incidents should trigger risk register reviews
- Your complaints management process — repeated complaint themes may signal an emerging risk
- Your quality improvement register — treatment actions often become improvement initiatives
- Your behaviour support and restrictive practices documentation — restrictive practices carry specific regulatory risk that must be captured
- Your board or management governance reporting — the risk register should be a standing agenda item
If you are building out your compliance documentation system from scratch or preparing for a re-registration audit, the 74-document audit-ready SIL compliance kit available at ndiscompliant.com.au includes a ready-to-use risk register template, risk rating matrix, and integration guidance aligned to the strengthened Practice Standards.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.