Is a risk management policy mandatory for NDIS SIL registration?

Yes. The NDIS Practice Standards (Core Module) require all registered providers, including SIL providers, to have a documented and implemented risk management system. Auditors will assess both the policy document and evidence of its operation in practice.

How often must an NDIS risk management policy be reviewed?

At minimum annually. However, providers must also conduct a triggered review following a reportable incident, a significant complaint, an audit non-conformance finding, or any material change to the organisation's operations or the regulatory framework.

What risk categories should a SIL provider include in their risk register?

A SIL risk register should cover participant safety, restrictive practices and behaviour support compliance, workforce and rostering, information security and privacy, financial viability, emergency and business continuity, and regulatory and legislative change.

Can I use a generic risk management template for my NDIS audit?

A generic template is a starting point only. Auditors assess whether the policy reflects your actual service model, participant cohort, and operating environment. Risk register entries, controls, and risk owners must be specific to your organisation to demonstrate genuine implementation.

What is the difference between inherent risk and residual risk in an NDIS context?

Inherent risk is the rating before any controls are applied. Residual risk is the rating after your controls are in place. NDIS auditors want to see both documented so they can assess whether your controls are adequate and proportionate to the level of risk.

Do restrictive practices need to appear in the risk management policy?

Yes, for SIL providers. The use of regulated restrictive practices carries both participant safety and regulatory compliance risk. Failure to document and manage this risk is a common audit non-conformance finding for SIL and behaviour support providers.

NDIS risk management policy: example filled-in sample

Why SIL providers need a documented risk management policy

Under the NDIS Practice Standards, all registered NDIS providers must operate within a defined risk management system. For Supported Independent Living (SIL) providers, risk management sits at the intersection of two core modules: the Core Module (which applies to every registered provider) and the High Intensity Daily Personal Activities or Specialist Disability Accommodation modules that many SIL providers must also meet.

The NDIS Quality and Safeguards Commission assesses whether your risk management arrangements are documented, implemented, and reviewed — not simply whether a policy document exists. Auditors look for evidence of a living system, not a filing-cabinet artefact.

With the strengthened NDIS Practice Standards framework that took effect progressively from 2023 and continues to be applied under the 2026 mandatory registration expansion, the expectation has sharpened: providers must demonstrate proportionate, participant-centred risk thinking across governance, operations, and individual support delivery.

What a compliant NDIS risk management policy must contain

Before examining a sample, understand the structural requirements an approved quality auditor will verify:

Purpose and scope — who the policy applies to (staff, contractors, volunteers) and what risk categories it covers.
Risk appetite statement — a qualitative or scaled declaration of the level of risk the organisation is willing to accept in pursuit of its objectives.
Risk identification process — how risks are identified (incident data, staff reporting, participant feedback, environmental scanning).
Risk assessment methodology — a consistent likelihood-by-consequence matrix, producing a risk rating (low / medium / high / extreme).
Risk register — a maintained record of identified risks, controls, residual ratings, and risk owners.
Treatment and controls — the actions taken to eliminate, reduce, transfer, or accept each risk.
Roles and responsibilities — who owns, monitors, and escalates risks at each level (Board/CEO, management, frontline).
Review cycle — minimum annual review, plus triggered review after a serious incident, near miss, or significant organisational change.
Links to related policies — incident management, complaints, restrictive practices, emergency management, and WHS.

Filled-in sample policy excerpt

The following is a realistic illustrative sample. Customise all fields — particularly the organisation name, ABN, risk appetite, and specific controls — to reflect your actual operations before use.

Policy element	Sample filled-in content
Policy title	Risk Management Policy
Applies to	Sunridge Disability Support Pty Ltd — all employees, contractors, and volunteers delivering SIL supports
Policy owner	Chief Executive Officer
Approved by	Board of Directors
Approval date	14 June 2025
Next review date	14 June 2026 (or earlier following a notifiable incident or significant change)
Version	3.1

1. Purpose

This policy establishes the framework by which Sunridge Disability Support identifies, assesses, controls, and monitors risks that may affect the safety, wellbeing, and rights of participants, staff, and the organisation. It supports compliance with the NDIS Practice Standards (Core Module — Quality Management) and the NDIS Code of Conduct.

2. Risk appetite statement

Sunridge Disability Support has a low risk appetite for any risk that may result in harm to a participant or breach of participant rights. We have a moderate risk appetite for operational and financial risks where appropriate controls are in place. We have a zero tolerance for risks involving abuse, neglect, exploitation, or unlawful use of restrictive practices.

3. Risk assessment matrix

Likelihood / Consequence	Minor	Moderate	Major	Catastrophic
Almost certain	Medium	High	Extreme	Extreme
Likely	Medium	High	High	Extreme
Possible	Low	Medium	High	Extreme
Unlikely	Low	Low	Medium	High
Rare	Low	Low	Medium	High

4. Sample risk register entries

Risk ID	Risk description	Category	Inherent rating	Controls in place	Residual rating	Risk owner
R-001	Participant suffers a fall in SIL home resulting in injury	Participant safety	High	Individual support plans include falls-risk assessment; staff trained in manual handling; home environment audited quarterly; incident reporting activated within 24 hours	Medium	House Supervisor
R-002	Staff member fails to report a restrictive practice, causing a compliance breach	Regulatory / compliance	High	Annual restrictive-practices training mandatory; behaviour support plans reviewed by registered NDIS behaviour support practitioner; monthly compliance spot-checks by Operations Manager	Low	Operations Manager
R-003	Cyber incident exposes participant personal and health information	Information security	Extreme	Multi-factor authentication on all systems; annual penetration test; staff phishing awareness training; data breach response plan activated within 72 hours per Privacy Act obligations	Medium	CEO
R-004	Key worker vacancy leaves participant without adequate SIL support ratio	Workforce	High	On-call casual pool maintained; NDIS plan manager notified within 24 hours of ratio shortfall; participant and/or nominee informed; casual coverage activated within 4 hours	Medium	Rostering Coordinator

5. Review and continuous improvement

The risk register is reviewed by the CEO and Operations Manager at minimum every 12 months. A triggered review is conducted within 30 days of any of the following events:

A reportable incident (as defined under the NDIS (Incident Management and Reportable Incidents) Rules 2018)
A significant complaint outcome involving harm or systemic concern
An NDIS Commission audit finding of non-conformance
A change in the organisation's registration scope or service delivery model
A material change in legislation, Practice Standards, or Commission guidance

All review outcomes, including decisions to accept residual risks, are documented and tabled at the next Board meeting.

Common gaps auditors find in SIL risk management policies

Risk register not updated since last audit — dated or unpopulated fields signal a policy that is not operational.
No participant-specific risk consideration — organisational-level risks documented but no link to individual support plans or behaviour support plans.
Risk owners not named or no longer employed — "Management" is not an acceptable risk owner for an auditor seeking accountability.
Controls described but not evidenced — policy says training occurs annually; auditor asks for training records and finds none.
No triggered-review mechanism — policy only specifies annual review, ignoring the obligation to respond to incidents and change.
Restrictive practices risks absent — for SIL providers this is a significant omission given the Commission's enforcement focus on regulated restrictive practices.

Connecting your risk policy to the broader compliance system

A risk management policy that operates in isolation is unlikely to satisfy an auditor. Your risk management system should demonstrably connect to your incident management procedure, complaints management procedure, behaviour support and restrictive practices framework, emergency and business continuity plan, and worker screening and training register.

For SIL providers preparing for re-registration or an initial registration audit under the 2026 mandatory registration expansion, having this connected documentation in order before your audit application is submitted is strongly advisable.

If you are building or reviewing your full compliance document suite, ndiscompliant.com.au offers a 74-document audit-ready SIL compliance kit covering all required policies, procedures, and forms aligned to the current Practice Standards — which can significantly reduce the time and cost of preparing from scratch.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.