Understanding Outcome 2.2: Risk Management

Outcome 2.2 sits within Quality Indicator Group 2 (Provider Governance and Operational Management) of the NDIS Practice Standards Core Module. While most of Group 2 deals with internal governance, Outcome 2.2 has a direct participant safety dimension: risks to participants must be identified and managed, not just organisational risks.

The quality indicators under Outcome 2.2 require providers to demonstrate that:

The legislative basis for risk management requirements under the NDIS includes the NDIS (Provider Registration and Practice Standards) Rules 2018 and the National Disability Insurance Scheme Act 2013 (Cth). The ISO 31000:2018 Risk Management standard is widely referenced by NDIS auditors as the benchmark framework, though providers are not required to formally adopt it.

Risk Appetite and Tolerance

One of the most commonly missing elements in NDIS risk management policies is an explicit statement of the organisation's risk appetite and tolerance. Auditors who review risk management systems expect to find this — and its absence suggests the organisation has not genuinely engaged with risk at a governance level.

Risk appetite is the amount and type of risk the organisation is willing to take in pursuit of its objectives. For most NDIS providers, this means accepting some operational risk (e.g., participant independence activities that carry some physical risk) while having zero tolerance for risks involving participant abuse, financial fraud, or regulatory non-compliance.

Risk tolerance is the specific threshold at which action is required. Expressed in the context of a risk rating matrix, this means: risks rated below a certain score may be monitored; risks rated above that threshold require immediate treatment.

A typical risk appetite statement for a small NDIS provider might read: "The organisation has low tolerance for risks that could result in harm to participants, workers, or the public. The organisation accepts moderate operational risk where this supports participant independence and informed choice. The organisation has zero tolerance for financial irregularity, criminal conduct, or conduct that breaches the NDIS Code of Conduct."

The Risk Assessment Process

Risk management is not a once-per-year activity. Under Outcome 2.2, providers must demonstrate that risk assessment is an ongoing process embedded in service delivery.

When Risk Assessments Are Required

The Risk Assessment Steps

A compliant NDIS risk assessment process follows these steps:

  1. Identify the risk: What could go wrong? Involve the participant and relevant workers in identifying risks specific to the participant's situation and the activities being undertaken.
  2. Assess likelihood: How likely is it that this risk will occur? Rate on a 1–5 scale (1 = rare, 5 = almost certain).
  3. Assess consequence: If the risk occurs, how severe will the impact be? Rate on a 1–5 scale (1 = insignificant, 5 = catastrophic).
  4. Calculate the risk rating: Multiply likelihood by consequence to produce a risk score (1–25). Map this to a risk level: 1–5 low, 6–12 medium, 13–19 high, 20–25 extreme.
  5. Identify controls: What is already in place to reduce the likelihood or consequence? Document existing controls and assess whether they are adequate.
  6. Determine additional controls: If the residual risk (risk after existing controls) is still above the acceptable threshold, what additional controls are needed?
  7. Assign ownership: Who is responsible for implementing and monitoring the controls?
  8. Set a review date: When will the risk be reassessed?

Dignity of Risk

A critical concept that intersects with risk management under the NDIS is dignity of risk — the principle that participants have the right to take reasonable risks as part of living an ordinary life. Risk management must not be used to restrict participant choice and autonomy. Where a participant makes an informed choice to engage in an activity that carries some risk, the provider's role is to mitigate unnecessary risk (through planning, supervision, or equipment) — not to refuse to support the activity.

This must be documented in the risk assessment: the participant's informed choice must be recorded, and the agreed risk mitigation approach must be explicit.

Risk Register Requirements

The risk register is the live document that records all identified organisational and participant-level risks. It is not a theoretical document — auditors will check that it has been recently updated and that it reflects the actual risks facing the organisation.

Required Fields in an NDIS Risk Register

Field | Description | Why auditors check this
Risk ID | Unique reference number for each risk entry | Enables tracking and cross-referencing with incident records
Risk description | Clear statement of what could go wrong | Generic descriptions ("participant safety risk") indicate superficial engagement with risk
Risk category | Participant safety / operational / financial / compliance / reputational | Ensures all risk types are systematically considered
Likelihood rating (1–5) | How probable is the risk occurring? | Must be consistent with the risk matrix in the policy
Consequence rating (1–5) | How severe would the impact be? | Must reflect realistic impact on participants and the organisation
Risk score and level | Calculated risk rating and corresponding level (Low/Medium/High/Extreme) | Must align with the risk rating matrix in the policy
Existing controls | What is already in place to manage this risk? | Demonstrates active risk management, not just identification
Additional controls / action plan | What further actions are planned or underway? | High and extreme risks must have active treatment plans
Risk owner | Named person responsible for managing this risk | Accountability is a key governance requirement
Review date | When this entry will next be reviewed | A register with no review dates indicates it is not actively maintained
Status | Open / Under treatment / Accepted / Closed | Shows the current state of risk management action

The 8 Required Elements of an NDIS Risk Management Policy

A compliant NDIS risk management policy must contain all of the following elements. Policies that omit any of these are likely to attract a corrective action request at audit:

  1. Purpose and scope: What the policy covers, which services and activities it applies to, and which Practice Standards it addresses (specifically Outcome 2.2 and the relevant sections of the NDIS (Provider Registration and Practice Standards) Rules 2018).
  2. Risk appetite and tolerance statement: The organisation's explicit position on the types and levels of risk it will accept, and the threshold at which risks require escalation or treatment.
  3. Risk management framework: The methodology used to identify, assess, treat, and monitor risks — typically referencing ISO 31000 or an equivalent structured approach.
  4. Risk rating matrix: The specific likelihood × consequence matrix used to calculate risk scores, with defined rating levels (Low, Medium, High, Extreme) and corresponding response requirements.
  5. Roles and responsibilities: Who is responsible for identifying risks, completing risk assessments, maintaining the risk register, escalating high-rated risks, and reviewing the risk management system at a governance level.
  6. Risk register maintenance: How the register is structured, who maintains it, how frequently it is reviewed, and what triggers an unscheduled review (e.g., incidents, significant organisational change).
  7. Integration with other systems: How risk management connects to incident management (incidents may generate new risk register entries), the complaints system (patterns of complaints may indicate systemic risk), and the continuous improvement process.
  8. Participant involvement: How participants are involved in identifying and managing risks that affect them, and how the principle of dignity of risk is applied to ensure risk management does not unduly restrict participant choice.

Need a Complete NDIS Risk Management Policy?

The SIL Rescue Kit includes Document 03 (Risk Management Policy), Document 40 (Risk Assessment Template), and Document 47 (Risk Register) — all audit-ready, mapped to Outcome 2.2, and ready to customise.


What Auditors Check Under Outcome 2.2

NDIS certification auditors have a structured approach to assessing risk management. Knowing what they look for helps providers prepare effectively:

Document Review

Staff and Management Interviews

Auditors commonly ask managers: "Can you walk me through how you identify and manage risks in your organisation?" and "What would you do if a worker identified a new risk with a participant?" If managers cannot describe a process, or describe one that is inconsistent with what is documented in the policy, this is a finding.

Governance Evidence

For registered providers, auditors expect to see evidence that risk management is on the agenda of governance meetings. Board or management meeting minutes should show that the risk register is reviewed at the governance level at least quarterly.

Common Risk Management Failures in NDIS Audits

Most Common Finding

Risk registers that have not been updated in months are the single most common risk management finding in NDIS audits. A register that was last updated 6–12 months ago, or that only contains generic organisational risks and no participant-specific risks, consistently attracts a non-conformance.

Failure 1: Risk Register Not Maintained

Having a risk register template is not enough. Auditors check when it was last updated. A register last reviewed more than three months ago, or one that shows no changes over time, will be flagged.

Failure 2: No Participant-Level Risks in the Register

Many small providers include only organisational risks (financial risk, staff turnover, regulatory changes) and omit participant-specific risks. Under Outcome 2.2, the register must also capture risks identified in individual participant risk assessments.

Failure 3: Risk Rating Not Consistent with Policy

If the policy describes a 5×5 risk matrix but the risk register uses a 3×3 matrix, or risk ratings appear to have been assigned without reference to any methodology, auditors will note the inconsistency as a non-conformance.

Failure 4: No High-Risk Escalation Evidence

The policy may require that extreme or high risks are escalated to the board or senior management, but if there is no evidence that this escalation has occurred (e.g., meeting minutes showing risk discussion), the governance element of Outcome 2.2 will not be satisfied.

Failure 5: Risk Management Isolated from Other Systems

A risk register that shows no connection to incidents, complaints, or continuous improvement suggests that risk management is a compliance exercise rather than a genuine operational practice. Auditors look for evidence of integration.
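As an added example (not from this article or any NDIS tool), the following Python checker applies the 5×5 rating matrix from the Risk Assessment Steps and flags the register failures described above. The register field names, the 90-day cut-off for "more than three months", and the sample entries are assumptions constructed here.

```python
from datetime import date, timedelta

def risk_level(likelihood, consequence):
    """Step 4 of the process: score = likelihood x consequence (1-25), mapped to
    Low (1-5), Medium (6-12), High (13-19) or Extreme (20-25)."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must each be rated 1-5")
    score = likelihood * consequence
    for ceiling, level in ((5, "Low"), (12, "Medium"), (19, "High"), (25, "Extreme")):
        if score <= ceiling:
            return score, level

STALE_AFTER = timedelta(days=90)  # assumed cut-off for "more than three months" (Failure 1)

def audit_register(register, today):
    """Return a list of finding strings for a register given as a list of dicts."""
    findings = []
    # Failure 1: the register as a whole has not been maintained
    last_update = max(r["last_reviewed"] for r in register)
    if today - last_update > STALE_AFTER:
        findings.append(f"F1 register last updated {last_update}, more than 3 months ago")
    # Failure 2: only organisational risks, no participant-specific entries
    if not any(r["category"] == "participant safety" for r in register):
        findings.append("F2 no participant-level risks in register")
    for r in register:
        score, level = risk_level(r["likelihood"], r["consequence"])
        # Failure 3: the recorded level must match the policy's matrix
        if r["level"] != level:
            findings.append(f"F3 {r['id']} recorded {r['level']} but matrix gives {level} (score {score})")
        # Register table: high/extreme risks need a named owner and an active treatment plan
        if level in ("High", "Extreme") and (not r["owner"] or not r["action_plan"]):
            findings.append(f"Treatment {r['id']} {level} risk without owner or treatment plan")
        # Register table: an entry with no (or an overdue) review date is not actively maintained
        if r["review_date"] is None or r["review_date"] < today:
            findings.append(f"Review {r['id']} review date missing or overdue")
    return findings

TODAY = date(2024, 6, 30)  # constructed audit date
SAMPLE_REGISTER = [  # constructed entries, not from any real provider
    {"id": "R-001", "category": "financial", "likelihood": 2, "consequence": 4,
     "level": "Medium", "owner": "Finance Manager", "action_plan": "",
     "last_reviewed": date(2024, 6, 1), "review_date": date(2024, 9, 1)},
    {"id": "R-002", "category": "participant safety", "likelihood": 4, "consequence": 5,
     "level": "High", "owner": "", "action_plan": "",
     "last_reviewed": date(2024, 2, 1), "review_date": date(2024, 5, 1)},
]

if __name__ == "__main__":
    for finding in audit_register(SAMPLE_REGISTER, TODAY):
        print(finding)
```

Run as a script it prints three findings for R-002: a mis-rated level (score 20 is Extreme, not High), a missing owner and treatment plan, and an overdue review date.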

Policy and Template Requirements

For a complete risk management system under Outcome 2.2, you need the following documents:

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.