Why Your Risk Management Policy Is an Audit Priority

For registered NDIS providers — especially those delivering Supported Independent Living — risk management is not a back-office formality. Approved quality auditors treat it as a core indicator of organisational maturity. A weak or template-copy policy is one of the most consistent sources of non-conformance findings at audit, and under the strengthened NDIS Practice Standards framework taking effect in 2026, scrutiny has intensified further.

This article explains exactly what auditors examine, the common gaps they find, and what a genuinely audit-ready risk management policy looks like.

What the NDIS Practice Standards Actually Require

The NDIS Practice Standards (made under the National Disability Insurance Scheme Act 2013) require registered providers to have and implement a risk management system. For SIL and other higher-intensity supports, the relevant quality indicators include:

The strengthened framework released by the NDIS Commission reinforces these requirements by placing greater emphasis on active governance: the governing body must demonstrate genuine oversight of risk, not merely sign off on a document once a year.

The Eight Things Auditors Check First

Approved quality auditors follow a structured evidence-gathering process. Here is what they consistently prioritise when reviewing your risk management policy and associated records:

1. Policy Currency and Version Control

Auditors check when the policy was last reviewed and whether that review was substantive. A policy last updated several years ago, or one with a future review date that has passed, immediately signals poor governance. Your policy must carry a version number, review date, and the name and role of the person who approved it.

2. Risk Register Existence and Completeness

The policy alone is not enough. Auditors expect to see a live risk register — a document or system that lists identified risks, their assessed likelihood and consequence, current controls, residual risk rating, and the responsible person. Registers that are blank, undated, or carry only generic risks not specific to your service type are routinely cited as non-conformances.

3. Integration With Incident Management

Under the NDIS (Incident Management and Reportable Incidents) Rules 2018, providers must have an incident management system. Auditors verify whether your risk register and policy are connected to incident data — meaning that patterns from incidents are feeding back into risk identification and control updates. A risk policy that exists in isolation from your incident records is a red flag.

4. Participant-Specific Risk Planning

At the individual support level, auditors look for evidence that participant risk assessments exist and are current. This includes health risk assessments, behaviour support documentation where relevant, environmental risk assessments for SIL properties, and any specific risk controls named in support plans. Generic risk plans not tailored to the individual are consistently cited.

5. Staff Training and Competency Records

Policy documents must be translated into worker practice. Auditors request training registers to confirm that workers have been trained in risk management procedures, including how to identify emerging risks, report concerns, and follow escalation protocols. Untrained staff or training records that cannot be produced are a common cause of corrective action requests.

6. Restrictive Practices Risk Documentation

Where your organisation uses or supports the use of regulated restrictive practices, auditors examine whether the associated risks have been documented, whether authorisation requirements are met, and whether risk is being monitored at the individual level. This is an area of heightened focus under the 2026 strengthened standards.

7. Business Continuity and Emergency Provisions

For SIL providers particularly, auditors check that the risk management framework covers operational continuity risks — including contingency arrangements for staff shortages, natural disasters, utility outages, and medical emergencies at supported living sites. Many providers address participant risk but omit organisational continuity entirely.

8. Governing Body Oversight Evidence

Under the strengthened Practice Standards, the governing body (board, directors, or equivalent) must actively oversee risk management. Auditors may request board minutes, governance reports, or risk committee records to verify that leadership is receiving and acting on risk information — not simply delegating it to operational staff.

Common Non-Conformances Found at Audit

| Non-Conformance | Why It Matters | The Fix |
|---|---|---|
| Risk register is blank or generic | Demonstrates no actual risk identification has occurred | Complete a service-specific register with real identified risks and rated controls |
| Policy not reviewed in over 12 months | Indicates passive, not active, governance | Schedule annual reviews with documented sign-off and a calendar reminder |
| No link between incidents and risk updates | Misses systemic learning required by the Practice Standards | Add a standing agenda item: after any notifiable incident, review the risk register |
| Participant risk assessments missing or outdated | Individual risks unmanaged; potential harm to participants | Set review triggers: at minimum annually, and after any significant incident or change in support needs |
| Workers cannot describe risk procedures | Policy is not embedded in practice | Deliver induction and refresher training; document and retain records |
| No business continuity provisions | SIL-specific operational risk is unaddressed | Add a dedicated continuity section covering staffing, utilities, emergency contacts, and evacuation |

What a Compliant Risk Management Policy Must Contain

To satisfy audit requirements, your risk management policy should include all of the following elements:

  1. Purpose and scope — which services, locations, and populations the policy covers.
  2. Legislative and standards alignment — explicit reference to the NDIS Act, NDIS Practice Standards, and relevant Rules.
  3. Risk assessment methodology — your rating matrix (likelihood × consequence) with defined risk appetite and tolerance thresholds.
  4. Roles and responsibilities — who identifies risks, who approves controls, who reports to the governing body.
  5. Risk register maintenance — how often it is reviewed, by whom, and how it is updated.
  6. Integration provisions — how risk management connects to incident management, complaints, restrictive practices, and human resources processes.
  7. Participant-level risk planning — reference to individual risk assessments and support planning.
  8. Business continuity — contingency arrangements for service disruption.
  9. Training requirements — who must be trained and how often.
  10. Review cycle — minimum frequency (annual is standard; more often for high-risk services) and escalation triggers for out-of-cycle review.

A Practical Step List for Audit Preparation

  1. Pull your current risk management policy and check the review date and version control fields.
  2. Open your risk register. Confirm it contains real, service-specific risks — not placeholder text.
  3. Cross-check the risk register against your last three months of incident data. Update any risk entries where incident patterns have emerged.
  4. Review participant files and confirm individual risk assessments are current and signed.
  5. Check training records to confirm all staff have completed risk management induction.
  6. Locate or create your business continuity provisions and ensure they are referenced in the policy.
  7. Confirm the governing body has received a risk report in the last quarter and that this is minuted.
  8. Have a colleague unfamiliar with the policy read it and ask them to explain the escalation process — if they cannot, the policy needs plain-language revision.

Getting Audit-Ready in 2026

The 2026 strengthened NDIS Practice Standards bring additional requirements around governance evidence, participant co-design in safety planning, and enhanced scrutiny for SIL providers. Providers who approach risk management as a living system — not a document filed once and forgotten — are consistently better placed at audit.

If you are building or overhauling your risk management documentation alongside the rest of your compliance suite, the 74-document audit-ready SIL compliance kit available at ndiscompliant.com.au includes a fully structured risk management policy, risk register template, and participant risk assessment forms aligned to the current Practice Standards.

Regardless of what tools you use, the principle is the same: auditors are looking for evidence that risk management is embedded in how your organisation actually operates — not just what it claims on paper.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.