What Outcome 2.2 Requires
Outcome 2.2 sits within Quality Indicator Group 2 (Provider Governance and Operational Management) of the NDIS Practice Standards Core Module. The outcome statement is clear: risks to participants and to the organisation are identified, assessed, and managed.
The underlying legislative authority comes from the National Disability Insurance Scheme Act 2013 (Cth) and the NDIS (Provider Registration and Practice Standards) Rules 2018. While the Practice Standards do not prescribe a specific risk management framework, ISO 31000:2018 is widely referenced by NDIS Approved Quality Auditors as the benchmark standard. You do not need to formally adopt ISO 31000, but your methodology should be consistent with its principles.
The quality indicators under Outcome 2.2 require you to demonstrate:
- A documented risk management policy and procedure is in place and current
- Risks are systematically identified, assessed, and rated using a consistent methodology
- Controls are implemented to reduce risk to an acceptable level
- A risk register is maintained and regularly reviewed at the governance level
- High-rated risks are escalated to senior management or the governing body
- Risk management is integrated with incident management, complaints handling, and continuous improvement
- Participants are involved in identifying and managing risks that affect their supports
A policy document alone does not satisfy Outcome 2.2. Auditors assess both the policy and the evidence that the policy is implemented. You need the policy, a populated risk register with recent review dates, risk assessment forms for participants with complex needs, and governance meeting minutes showing risk as a standing agenda item.
Policy Structure: Sections Your Document Must Include
Your risk management policy should follow a standard document control structure. Based on NDIS Commission guidance and common auditor expectations, include the following sections:
1. Document Control Box
Every NDIS policy document must include a document control box at the top containing: the policy title, document number, version number, date of issue, date of next review (no more than 12 months from issue), the approving authority (CEO, Board, or equivalent), and the NDIS Practice Standard reference (Outcome 2.2 — Risk Management).
2. Purpose and Scope
State the purpose of the policy: to establish a systematic approach to identifying, assessing, treating, and monitoring risks to participants and the organisation. Define the scope — the policy applies to all workers (employees, contractors, volunteers, and students on placement), all services, and all locations.
3. Legislative and Regulatory Context
List the legislation and standards that inform the policy. At minimum, reference:
- National Disability Insurance Scheme Act 2013 (Cth)
- NDIS (Provider Registration and Practice Standards) Rules 2018
- NDIS (Incident Management and Reportable Incidents) Rules 2018
- Work Health and Safety Act 2011 (or relevant state/territory WHS legislation)
- ISO 31000:2018 Risk Management (as a reference framework)
- AS/NZS 4360:2004 (predecessor standard, still referenced in some auditor guidance)
4. Definitions
Define key terms: risk, risk appetite, risk tolerance, risk assessment, risk treatment, residual risk, inherent risk, risk owner, risk register, likelihood, consequence, and controls. Using consistent definitions throughout the policy prevents ambiguity and demonstrates rigour to auditors.
5. Risk Appetite Statement
This section is covered in detail below. It must be specific to your organisation, not a generic statement copied from a template without customisation.
6. Risk Assessment Methodology
Describe the step-by-step process your organisation uses to identify, assess, rate, treat, and review risks. This is the operational core of the policy.
7. Risk Matrix
Include the risk rating matrix (likelihood x consequence) that the organisation uses to calculate risk scores. This must be consistent with the risk register.
8. Roles and Responsibilities
Define who is responsible for what. At minimum, specify the responsibilities of: the governing body or Board, the CEO or senior management, the risk management officer (if appointed), service managers, frontline workers, and participants.
9. Risk Register Requirements
Specify the fields in the risk register, who maintains it, how often it is reviewed, and how risks are escalated.
10. Integration with Other Systems
Describe how risk management connects to incident management, complaints handling, continuous improvement, WHS, and individual participant support planning. Auditors specifically look for evidence of integration — isolated systems are a red flag.
11. Review and Continuous Improvement
State that the policy and risk register will be reviewed at least annually (policy) and quarterly (register), and additionally after any significant incident, change in services, or regulatory change.
Writing Your Risk Appetite Statement
The risk appetite statement is one of the most commonly missing elements in NDIS risk management policies. Its absence signals to auditors that risk management is a tick-box exercise rather than a genuine governance practice.
Risk appetite defines the amount and type of risk your organisation is willing to accept in pursuit of its objectives. Risk tolerance is the specific boundary within each risk category that triggers escalation or action.
For a small SIL provider, a practical risk appetite statement might be structured as follows:
| Risk Category | Appetite Level | Tolerance Threshold |
|---|---|---|
| Participant safety (abuse, neglect, exploitation) | Zero tolerance | Any identified risk requires immediate action and escalation |
| Clinical and health risks | Very low | All clinical risks must have active controls; residual risk must not exceed “Medium” |
| Regulatory compliance | Very low | Non-compliance risks require immediate remediation planning |
| Operational risks | Low to moderate | Controls proportionate to impact; risks rated “High” require management attention |
| Financial risks | Moderate | Financial risks are accepted where controls are in place and impact is manageable |
| Reputational risks | Low | Risks that could damage participant or community trust require proactive management |
The risk appetite statement must be approved by your governing body (Board of Directors, Advisory Committee, or sole director in a small company) and reviewed at least annually. Include the date of approval and the name of the approving authority in the policy.
The 8-Step Risk Assessment Methodology
Auditors expect to see a documented, repeatable process for risk assessment — not ad hoc identification. The following 8-step methodology is consistent with ISO 31000 and NDIS auditor expectations:
Step 1: Establish Context
Before assessing individual risks, define the context: the services you deliver, the participant cohort, the operating environment, and the regulatory requirements. For a SIL provider, this includes the physical environment (shared houses, individual units), the participant profile (physical and intellectual disabilities, complex health needs, behaviours of concern), and the workforce model (shift workers, casuals, sole workers).
Step 2: Identify Risks
Use multiple methods to identify risks: incident and complaints data analysis, participant risk assessments during intake, staff feedback and near-miss reporting, workplace inspections, external intelligence (NDIS Commission practice alerts, coronial findings), and governance reviews. Document each risk with a clear description that includes the cause, the event, and the potential consequence.
Step 3: Analyse Risks (Assess Likelihood)
Rate the likelihood of each risk occurring using a 5-point scale:
| Rating | Descriptor | Definition |
|---|---|---|
| 1 | Rare | May occur only in exceptional circumstances (less than once in 5 years) |
| 2 | Unlikely | Could occur but not expected (once in 2–5 years) |
| 3 | Possible | Might occur at some time (once in 1–2 years) |
| 4 | Likely | Will probably occur in most circumstances (several times per year) |
| 5 | Almost Certain | Expected to occur in most circumstances (monthly or more frequently) |
Step 4: Analyse Risks (Assess Consequence)
Rate the consequence if the risk materialises, using a 5-point scale:
| Rating | Descriptor | Definition |
|---|---|---|
| 1 | Insignificant | No injury, minimal financial loss, no regulatory impact |
| 2 | Minor | First aid treatment, minor financial loss, minor regulatory finding |
| 3 | Moderate | Medical treatment required, moderate financial loss, non-conformance finding |
| 4 | Major | Serious injury or illness, significant financial loss, major non-conformance, NDIS Commission investigation |
| 5 | Catastrophic | Death, permanent disability, loss of registration, criminal prosecution |
Step 5: Calculate Risk Rating
Multiply likelihood by consequence to produce the inherent risk score. This is the risk score before any controls are applied.
Step 6: Identify and Assess Controls
For each risk, identify existing controls (what you already do to manage the risk) and assess their effectiveness. Then identify any additional controls required to reduce the risk to an acceptable level. Re-rate the risk after controls to produce the residual risk score.
Step 7: Treat Risks
Based on the residual risk score, determine the treatment approach:
- Avoid: Cease the activity that creates the risk (only where proportionate)
- Reduce: Implement additional controls to lower likelihood or consequence
- Transfer: Shift the risk to a third party (e.g., insurance, outsourcing)
- Accept: Accept the residual risk where it falls within the organisation’s risk appetite (document the acceptance decision)
Step 8: Monitor and Review
Assign a risk owner for each risk. Set review dates. Monitor the effectiveness of controls. Report to governance. Repeat the cycle.
Building Your Risk Matrix (Likelihood x Consequence)
The risk matrix is the visual representation of your risk rating methodology. It must be included in the policy and must be consistent with your risk register. The standard NDIS-compliant matrix is a 5x5 grid:
| Likelihood / Consequence | 1 Insignificant | 2 Minor | 3 Moderate | 4 Major | 5 Catastrophic |
|---|---|---|---|---|---|
| 5 Almost Certain | Medium (5) | High (10) | High (15) | Extreme (20) | Extreme (25) |
| 4 Likely | Low (4) | Medium (8) | High (12) | High (16) | Extreme (20) |
| 3 Possible | Low (3) | Medium (6) | Medium (9) | High (12) | Extreme (15) |
| 2 Unlikely | Low (2) | Low (4) | Medium (6) | Medium (8) | High (10) |
| 1 Rare | Low (1) | Low (2) | Low (3) | Medium (4) | Medium (5) |
Define the required response for each risk level:
| Risk Level | Score Range | Required Response |
|---|---|---|
| Low | 1–4 | Manage by routine procedures. Monitor at team level. Review annually. |
| Medium | 5–9 | Management attention required. Additional controls may be needed. Review quarterly. |
| High | 10–16 | Senior management attention required. Documented treatment plan with timeframes. Review monthly. |
| Extreme | 17–25 | Immediate action required. Escalate to governing body. Activity may need to cease until risk is reduced. Review continuously. |
Consistency is critical. If your policy describes a 5x5 matrix but your risk register uses a 3x3 matrix, or if risk scores in the register don’t match the matrix in the policy, auditors will flag this as a non-conformance. Ensure the matrix in the policy is the same one used to populate the register.
Risk Register Fields and How to Maintain It
The risk register is the living document that proves your risk management system works. A policy without a maintained register will not satisfy Outcome 2.2.
Required Fields
Your risk register should contain the following columns:
| Field | Description |
|---|---|
| Risk ID | Unique identifier (e.g., RISK-001) |
| Date Identified | When the risk was first recorded |
| Risk Description | Clear description including cause, event, and potential consequence |
| Risk Category | Participant safety, clinical, operational, financial, compliance, reputational, WHS |
| Likelihood (Inherent) | Rating 1–5 before controls |
| Consequence (Inherent) | Rating 1–5 before controls |
| Inherent Risk Score | Likelihood x Consequence |
| Existing Controls | What you currently do to manage this risk |
| Likelihood (Residual) | Rating 1–5 after existing controls |
| Consequence (Residual) | Rating 1–5 after existing controls |
| Residual Risk Score | Likelihood x Consequence after controls |
| Additional Controls Required | What else needs to be done to reduce the risk |
| Risk Owner | Named individual responsible for managing this risk |
| Target Date | When additional controls will be implemented |
| Review Date | Next scheduled review of this risk |
| Status | Open, Treated, Accepted, Escalated, or Closed |
Maintaining the Register
A risk register that was populated once and never updated is worse than no register at all — it demonstrates you have a system but do not use it. To maintain the register effectively:
- Make risk identification part of routine operations — staff should know how to escalate new risks
- Review the register at least quarterly at the governance or management meeting level
- Update the register immediately after any reportable incident, significant near-miss, or new participant intake with complex needs
- Record the date, attendees, and outcomes of each review in governance meeting minutes
- Close risks that have been effectively treated and are no longer active
- Include both organisational-level and participant-level risks in the register
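As an added example (not part of the original guide or the SIL Rescue Kit), the following Python script encodes the 5x5 policy matrix from the section above, transcribed exactly as printed, and runs the consistency checks an auditor applies to a register: score equals likelihood x consequence, level matches the matrix cell, residual does not exceed inherent, open High/Extreme risks carry an owner and target date, and no row is stale (last reviewed more than 3 months ago) or overdue. The register rows are constructed sample data; the `last_reviewed` column is an assumed addition to the field list above.

```python
from datetime import date, timedelta

# The 5x5 grid transcribed from the policy matrix table on this page, encoded
# exactly as printed (keys = likelihood 1-5, tuple index = consequence 1-5).
POLICY_MATRIX = {
    5: ("Medium", "High", "High", "Extreme", "Extreme"),
    4: ("Low", "Medium", "High", "High", "Extreme"),
    3: ("Low", "Medium", "Medium", "High", "Extreme"),
    2: ("Low", "Low", "Medium", "Medium", "High"),
    1: ("Low", "Low", "Low", "Medium", "Medium"),
}
REVIEW_MAX_AGE = timedelta(days=92)   # "updated within the past 3 months"
ESCALATION_LEVELS = {"High", "Extreme"}
AUDIT_DATE = date(2025, 5, 15)        # constructed audit date for the sample


def score(likelihood, consequence):
    """Step 5: risk score is likelihood x consequence, each on the 1-5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("ratings must be on the 1-5 scale")
    return likelihood * consequence


def level(likelihood, consequence):
    """Risk level read off the policy matrix for a (likelihood, consequence) pair."""
    return POLICY_MATRIX[likelihood][consequence - 1]


def check_entry(entry, today):
    """Audit one register row; returns a list of findings (empty means clean)."""
    findings = []
    rid = entry["risk_id"]
    for stage in ("inherent", "residual"):
        lk, cq = entry[stage + "_likelihood"], entry[stage + "_consequence"]
        got_score, got_level = entry[stage + "_score"], entry[stage + "_level"]
        if got_score != score(lk, cq):
            findings.append(f"{rid}: {stage} score {got_score} != {lk}x{cq}")
        if got_level != level(lk, cq):
            findings.append(f"{rid}: {stage} level {got_level} != matrix {level(lk, cq)}")
    if entry["residual_score"] > entry["inherent_score"]:
        findings.append(f"{rid}: residual score exceeds inherent score")
    if entry["residual_level"] in ESCALATION_LEVELS and entry["status"] == "Open":
        if not entry.get("risk_owner") or not entry.get("target_date"):
            findings.append(f"{rid}: open {entry['residual_level']} risk without owner/target date")
    if today - entry["last_reviewed"] > REVIEW_MAX_AGE:
        findings.append(f"{rid}: last reviewed {entry['last_reviewed']} (> 3 months)")
    if entry["review_date"] < today:
        findings.append(f"{rid}: scheduled review {entry['review_date']} overdue")
    return findings


def check_register(register, today):
    """Run check_entry over every row and flatten the findings."""
    return [f for entry in register for f in check_entry(entry, today)]


# Constructed sample register (not real data). RISK-001 is clean; RISK-002 is
# mis-rated against the matrix, has no owner, and is stale and overdue.
SAMPLE_REGISTER = [
    dict(risk_id="RISK-001", inherent_likelihood=4, inherent_consequence=4, inherent_score=16,
         inherent_level="High", residual_likelihood=2, residual_consequence=4, residual_score=8,
         residual_level="Medium", status="Treated", risk_owner="Service Manager",
         target_date=date(2025, 6, 30), last_reviewed=date(2025, 5, 1), review_date=date(2025, 8, 1)),
    dict(risk_id="RISK-002", inherent_likelihood=5, inherent_consequence=4, inherent_score=20,
         inherent_level="High", residual_likelihood=4, residual_consequence=4, residual_score=16,
         residual_level="High", status="Open", risk_owner="", target_date=None,
         last_reviewed=date(2024, 11, 1), review_date=date(2025, 2, 1)),
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER, AUDIT_DATE):
        print(finding)
```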
For guidance on how risk management connects to your daily documentation, see our free NDIS Notes Rewriter, which helps support workers produce compliant progress notes that reference participant goals and flag risk-related observations.
Clinical Risk vs Operational Risk
NDIS auditors expect your risk register to capture both clinical and operational risks. Many small providers focus only on organisational risks (staff turnover, financial pressures, regulatory changes) and neglect participant-facing clinical risks. This is a common non-conformance finding.
Clinical Risks
Clinical risks are those directly related to participant health, safety, and wellbeing. For SIL providers, common clinical risks include:
- Medication errors: Wrong medication, wrong dose, missed administration, inadequate storage
- Manual handling injuries: Participant or worker injury during transfers, repositioning, or mobility assistance
- Choking and aspiration: Particularly for participants with dysphagia or modified food/fluid requirements
- Falls: In-house falls, community access falls, particularly for participants with mobility limitations
- Restrictive practices: Unauthorised use, escalation of behaviour, inadequate de-escalation
- Infection transmission: In shared living environments, gastro outbreaks, respiratory illness
- Skin integrity: Pressure injuries for participants with limited mobility
- Mental health deterioration: Risk of self-harm, psychosocial crisis, trauma response
Operational Risks
Operational risks relate to the provider’s business functions and capability to deliver safe services:
- Workforce: Staff shortages, inadequate training, high turnover, worker fatigue
- Financial: Cash flow constraints, NDIS pricing changes, claim rejections
- Compliance: Failure to meet Practice Standards, missed reporting deadlines, expired worker screening checks
- Information management: Data breaches, inadequate record-keeping, lost documentation
- Emergency management: Fire, flood, pandemic, utility failure affecting SIL houses
- Reputational: Complaints to the NDIS Commission, negative media coverage, loss of participant trust
Link participant risk assessments to the organisational risk register. When a participant’s individual risk assessment identifies a risk that has broader implications (e.g., a participant with a history of absconding from a SIL house), that risk should appear in both the individual support plan and the organisational risk register.
Skip the Writing — Get Audit-Ready Policies Today
The SIL Rescue Kit includes the Risk Management Policy (Document 03), Risk Assessment Template (Document 40), and Risk Register (Document 47) — all mapped to Outcome 2.2, professionally formatted, and ready to customise with your organisation details.
Get the SIL Rescue Kit — $297
What Auditors Check and Common Failures
Understanding what an NDIS Approved Quality Auditor looks for during a certification audit will help you write a policy that passes first time. Auditors assess risk management across three dimensions:
Document Review
The auditor will request your risk management policy, risk register, risk assessment templates, and governance meeting minutes. They check that:
- The policy is current, version-controlled, and has been reviewed within the past 12 months
- The policy includes a risk appetite statement approved by the governing body
- The risk matrix in the policy matches the methodology used in the risk register
- The risk register has been updated within the past 3 months
- The register contains both organisational and participant-level risks
- High and extreme risks have documented treatment plans with named owners and target dates
- Governance meeting minutes show that the risk register is reviewed as a standing agenda item
Staff Interviews
Auditors interview a cross-section of staff, including management and frontline workers. They ask questions such as:
- “Can you describe how you identify and report risks in your work?”
- “What would you do if you identified a new risk to a participant?”
- “How does the organisation use the risk register?”
- “Can you give an example of a risk that was identified and how it was managed?”
If staff cannot answer these questions, the auditor may conclude that the risk management system exists on paper but is not implemented in practice — which is a non-conformance against Outcome 2.2.
Participant Interviews
Auditors also speak with participants to assess whether they are involved in risk decisions that affect their supports. Under the dignity of risk principle, participants have the right to make informed choices about risks in their own lives. Auditors check that:
- Participants are consulted about risks identified in their support plans
- Dignity of risk assessments are completed where participants choose activities that carry risk
- Participants understand how to raise concerns about their safety
The 5 Most Common Audit Failures
Risk registers that have not been reviewed or updated in months. A register with a last-reviewed date older than 3 months, or one that contains only generic risks with no evidence of active management, is the single most common risk management non-conformance in NDIS certification audits.
Failure 1: Policy exists but risk register is empty or stale. The policy describes a comprehensive methodology, but the register has not been updated since it was first created. This demonstrates a system that is not implemented.
Failure 2: No participant-level risks in the register. The register contains only organisational risks (financial, staffing, compliance) but no risks specific to participants. For SIL providers supporting participants with complex needs, this is a significant gap.
Failure 3: Risk matrix inconsistency. The policy describes a 5x5 matrix but the register uses a different scale, or risk ratings in the register do not align with the definitions in the policy.
Failure 4: No governance oversight evidence. The policy requires the risk register to be reviewed at governance meetings, but there are no meeting minutes showing this actually occurs.
Failure 5: Risk management isolated from other systems. The risk register shows no connection to incidents, complaints, or the continuous improvement register. Risk management should be integrated — an incident should trigger a risk register update, and a complaints trend should inform the risk assessment.
Review Cycle
Your policy should specify the following review cycle:
| Document | Review Frequency | Trigger-Based Reviews |
|---|---|---|
| Risk Management Policy | Annually (minimum) | After significant regulatory change, major incident, or organisational restructure |
| Risk Register | Quarterly (governance level) | After any reportable incident, new service type, significant near-miss |
| Individual Risk Assessments | Annually or as per support plan review | After participant incident, change in health status, change in living arrangements |
For a comprehensive overview of all NDIS Practice Standards and how they interconnect, see our guide to the NDIS Practice Standards Core Module.
All 25 Audit-Ready Policies — Written and Formatted
Or skip the writing entirely — get all 25 audit-ready policies, 25 forms, 10 registers, and 5 guides in the SIL Rescue Kit ($297). Every document is mapped to the NDIS Practice Standards and ready to customise.
Get the SIL Rescue Kit — $297
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.