Why Risk Management Is a Non-Negotiable for New NDIS Providers
Registering as an NDIS provider in 2026 means demonstrating to the NDIS Quality and Safeguards Commission that your organisation has systematic processes to identify, assess, and respond to risks — before a single participant receives a service. Risk management is not a box-ticking formality. Under the strengthened NDIS Practice Standards introduced through the 2026 registration reforms, approved quality auditors will look for evidence that your risk framework is embedded in day-to-day operations, not just filed in a folder.
This checklist is written specifically for new providers preparing for initial registration or re-registration, particularly those delivering Supported Independent Living (SIL) or other higher-intensity supports where participant safety risk is elevated.
What the NDIS Practice Standards Require
The NDIS Practice Standards set out the quality outcomes that registered providers must demonstrate. Risk management sits across multiple modules:
- Core Module — Rights and Responsibilities: Providers must actively support participants to understand and exercise their rights, which includes being transparent about how risks to their safety are managed.
- Core Module — Governance and Operational Management: This module explicitly requires a risk management system that identifies organisational and participant-level risks, assigns accountability, and is subject to regular review.
- Supplementary Module 2 — Implementing Behaviour Support: Applicable where restrictive practices are used; risk must be assessed and documented in the participant's behaviour support plan.
- High Intensity Daily Activities Supplementary Module: Providers delivering high-intensity supports must demonstrate additional clinical risk controls and staff competencies.
The 2026 strengthened framework places greater emphasis on continuous improvement: auditors will test whether your risk register is a living document, not a static policy drafted at registration and never revisited.
NDIS Risk Management Policy Checklist
Work through each section below and tick when your documentation, processes, and evidence are in place.
1. Policy Foundation
- Risk management policy is documented, dated, and version-controlled
- Policy states its scope (which services, participant cohorts, and locations it covers)
- Accountable owner is named (e.g., CEO, Compliance Manager)
- Board or governing body has formally approved the policy
- Review cycle is defined — at minimum annually, or following a significant incident
- Policy aligns with NDIS Practice Standards and references the NDIS Act 2013 and NDIS (Conditions of Registration) rules
2. Risk Identification
- Organisational risk register exists and covers: financial, reputational, operational, workforce, and technology risks
- Participant-level risk assessment process is documented (how assessments are conducted, by whom, and how often)
- Process for identifying risks specific to individual participants' disability, environment, and support needs
- Environmental risk assessments completed for all support locations (including participants' homes for SIL)
- Mechanism for staff to report emerging or new risks
3. Risk Assessment and Prioritisation
- Risk matrix or equivalent tool used to rate likelihood and consequence
- Risks categorised (e.g., low / medium / high / extreme) with corresponding response obligations
- Participant risks incorporated into individual support plans
- Documentation of who reviewed and approved each risk rating
4. Risk Controls and Treatment
- Each identified risk has at least one documented control measure
- Controls are specific, assigned to a responsible person, and have a target completion date
- Hierarchy of controls applied (eliminate → substitute → engineering controls → administrative controls → personal protective equipment)
- Residual risk level documented after controls are applied
- Emergency and contingency plans exist for high and extreme risks
5. Incident Management
- Incident reporting policy and procedure in place (separate to but linked with risk policy)
- All staff trained on what constitutes a reportable incident under the NDIS Commission rules
- Timelines for internal reporting and NDIS Commission notification are documented and understood
- Process for root-cause analysis following significant incidents
- Learnings from incidents fed back into the risk register (closed loop)
6. Complaints and Feedback
- Complaints management procedure documented and accessible to participants and their representatives
- Complaints reviewed periodically for risk signals and trends
- Participants are made aware of their right to contact the NDIS Commission directly
7. Workforce Risk Controls
- NDIS Worker Screening Check policy — who requires a check, who is exempt, and how clearances are tracked
- Police check and relevant qualification verification process documented
- Supervision and performance review schedule in place
- Staff training register covering mandatory training (e.g., NDIS Code of Conduct, incident reporting, restrictive practices where applicable)
- Procedure for managing allegations of worker misconduct, including mandatory reporting obligations to the Commission
8. Restrictive Practices (if applicable)
- Policy on the use of regulated restrictive practices, including prohibition of unauthorised practices
- Process for obtaining relevant state or territory authorisation before any regulated practice is implemented
- Behaviour support practitioner engagement process documented
- Reporting obligations to the NDIS Commission regarding use of restrictive practices understood and assigned
9. Continuity and Emergency Planning
- Business continuity plan addresses how participant services are maintained during disruptions (staff illness, natural disasters, system outages)
- Emergency evacuation and personal emergency evacuation plans (PEEPs) in place for each participant in SIL
- Contact lists (participants, families, emergency services, backup staff) current and accessible
10. Governance and Review
- Risk management is a standing agenda item at governance meetings (board or senior leadership)
- Internal audit or self-assessment process scheduled
- Risk policy and register reviewed after each significant incident, complaint, or regulatory change
- Continuous improvement actions tracked to completion
Common Non-Conformances Auditors Find
Approved quality auditors consistently identify the following gaps in new provider submissions:
- Generic, undated policies — a risk policy downloaded from the internet with no customisation, no version date, and no evidence of governing body approval.
- Risk register not connected to support plans — organisational risks are listed, but there is no link to how individual participant risks are assessed and reviewed.
- No closed loop from incidents to risk register — incidents are reported, but the learnings are never documented as updates to the risk register.
- Worker screening records incomplete — providers cannot produce evidence that every required worker holds a current NDIS Worker Screening clearance.
- Restrictive practices used without authorisation — this triggers a mandatory report to the Commission and can result in compliance action.
- No evidence of staff training — a training procedure exists on paper, but there is no signed register or LMS record showing completion.
A Practical Note on Documentation Volume
New providers often underestimate how many interrelated documents a risk management system actually requires — from the core policy itself through to participant risk assessment templates, incident forms, worker screening registers, and emergency plans. For SIL providers, the document burden is particularly significant because supports are delivered in a participant's home environment, often around the clock.
If you are building your compliance library from scratch, ndiscompliant.com.au offers a 74-document audit-ready SIL compliance kit that includes pre-built risk policy templates, a participant risk assessment form, incident register, and all supporting procedures — structured around the NDIS Practice Standards modules.
Next Steps for New Providers
- Map your registration groups to the relevant Practice Standards modules to identify which risk controls apply to you.
- Draft or adopt a risk policy and have it approved by your governing body before submitting your registration application.
- Build your risk register with at least your top organisational risks documented, rated, and assigned.
- Ensure all workers who require an NDIS Worker Screening clearance have one, and build a tracking process for renewals.
- Schedule your first internal risk review within three months of commencing services.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.