Is a risk register mandatory for NDIS registration?

Yes. A documented risk register is required under the Governance and Operational Management module of the NDIS Practice Standards. Approved quality auditors check for a current, active risk register at both certification and verification audits. Absence of one will result in a non-conformance finding.

How often does an NDIS provider need to review their risk register?

At minimum, you must conduct a full review at least once a year. You should also review the register after any serious incident, significant complaint, near-miss event, or material change to your services — such as adding a new participant cohort, location, or service type.

What risk categories must a new SIL provider include?

At minimum: participant safety, restrictive practices, workforce management (including NDIS Worker Screening), governance, financial management, complaints and incident management, information management, and business continuity. Each category should contain specific, context-relevant risks — not generic placeholder text.

Does the risk register need to be linked to incident and complaints records?

Yes. The NDIS Practice Standards require your risk management to be integrated with your incident and complaints management systems. Auditors expect to see evidence that real incidents and complaints have informed your risk register — for example, a trend in near-miss incidents leading to a new or updated risk entry.

What happens if my risk register is found to be non-compliant at audit?

A non-conformance against the Governance and Operational Management standard can result in conditions being placed on your NDIS registration, a requirement to submit a corrective action plan, or in serious cases, referral for further regulatory action by the NDIS Quality and Safeguards Commission.

Can I use a template risk register for my NDIS audit?

You can start with a template, but you must customise it to reflect your specific organisation, services, locations, and participant cohort. Auditors routinely ask providers to explain their risks in conversation — a register that is clearly copied from a generic template without contextualisation is treated as evidence of a system that is not genuinely operational.

NDIS Risk Register Checklist for New Providers (2026)

Why New NDIS Providers Need a Risk Register

A risk register is not optional for registered NDIS providers — it is a core element of the Quality Management System required under the NDIS Practice Standards. For new providers entering the scheme under the strengthened registration framework that took effect from mid-2025 and continues to be enforced through 2026, having a documented, living risk register is one of the first things an approved quality auditor will examine at your initial certification audit.

Without an operational risk register, you are likely to receive a non-conformance finding against the Governance and Operational Management standard — a finding that can delay your registration or trigger conditions on your approval. This checklist walks you through exactly what to include, how to structure it, and how to keep it audit-ready from day one.

What the NDIS Practice Standards Require

Under the NDIS Practice Standards (Core Module — Governance and Operational Management), registered providers must demonstrate that they:

Identify and document risks relevant to their organisational context and service types
Assess those risks using a consistent methodology (likelihood × consequence)
Assign risk owners and treatment actions with target resolution dates
Review the risk register at defined intervals and after significant incidents
Integrate risk management with their incident, complaint, and continuous improvement processes

The Strengthened NDIS Practice Standards — which reflect the Royal Commission into Violence, Abuse, Neglect and Exploitation of People with Disability recommendations — place heightened emphasis on participant safety risks, restrictive practice governance, and workforce-related risk. New providers are assessed against these strengthened standards from their first audit.

Risk Register Checklist: What to Include

Use the following checklist to build or audit your risk register before your initial NDIS Commission audit. Each item should have a corresponding entry or reference document in your quality management system.

1. Register Structure and Identification Fields

Unique risk ID for each entry (e.g. RR-001, RR-002)
Risk category (see categories below)
Clear risk description — what could happen, under what circumstances
Date risk was first identified
Risk owner (named position, not just a title)
Date of last review
Date of next scheduled review

2. Risk Assessment Fields

Likelihood rating (e.g. 1–5 scale: Rare / Unlikely / Possible / Likely / Almost Certain)
Consequence rating (e.g. 1–5 scale: Insignificant / Minor / Moderate / Major / Catastrophic)
Inherent risk score (pre-controls: likelihood × consequence)
Existing controls documented
Residual risk score (post-controls)
Risk appetite statement — is the residual risk within acceptable tolerance?

3. Treatment and Escalation Fields

Treatment action — specific steps to reduce likelihood or consequence
Treatment owner (the person responsible for completing the action)
Target completion date for treatment action
Status of treatment action (Not Started / In Progress / Complete)
Escalation pathway if risk is rated High or Extreme
Link to relevant policy, procedure, or incident report where applicable

4. Mandatory Risk Categories

Your register must cover at minimum the following categories. Auditors will check that each category is represented with genuine, context-specific risks — not generic placeholder text.

Category	Examples of Risks to Document
Participant Safety	Harm from inadequate supervision; falls; medication errors; abuse or neglect by staff
Restrictive Practices	Unauthorised use of restrictive practices; failure to obtain behaviour support plan approval; inadequate monitoring of reduction plans
Workforce	Insufficient NDIS Worker Screening checks before commencement; high staff turnover; inadequate supervision of new workers; worker misconduct
Governance	Key-person dependency on a single director; board conflicts of interest; failure to notify the Commission of reportable incidents
Financial Management	NDIS funds claimed for services not delivered; fraudulent billing; insufficient financial controls over participant funds
Complaints and Incidents	Complaints not recorded or actioned; NDIS reportable incidents not notified within required timeframes; failure to close the loop with complainants
Information Management	Unauthorised access to participant records; data breach; loss of critical documents
Business Continuity	Provider closure without managed exit planning; IT system failure; loss of key staff during a critical period

5. Review and Maintenance Requirements

Register reviewed at least annually as a full-register review
Register reviewed after any serious incident, near miss, or significant complaint
Register reviewed after a change in services, locations, or participant cohort
Evidence of review maintained (meeting minutes, version history, or sign-off log)
Risk register referenced in your continuous improvement plan
Risk register referenced in governance committee or board meeting agendas

6. Integration with Other NDIS Obligations

Risks linked to your Incident Management procedure (including NDIS reportable incident categories)
Risks linked to your Complaints Management procedure
Restrictive practice risks linked to your Behaviour Support policy
Workforce risks linked to your Worker Screening and Supervision procedures
Financial risks linked to your Fraud Control and Participant Funds Management policies

Example Risk Register Entry

The following is an example of how a single risk entry should look in your register. Every entry in your register should be this specific — vague descriptions such as "staff issues" or "compliance risk" will not satisfy an auditor.

Risk ID	RR-007
Category	Workforce
Risk Description	A support worker commences shifts before their NDIS Worker Screening clearance is confirmed, creating an unmitigated risk of harm to participants.
Likelihood	3 — Possible
Consequence	4 — Major
Inherent Score	12 (High)
Existing Controls	Recruitment policy requires screening application evidence before offer; HR checklist reviewed by Operations Manager
Residual Score	6 (Medium)
Treatment Action	Implement automated reminder in HR system to flag any worker without confirmed clearance; Operations Manager to verify clearance status in Worker Screening database before first shift
Treatment Owner	Operations Manager
Target Date	30 July 2026
Status	In Progress

Common Audit Failures to Avoid

Based on known NDIS Commission audit guidance and non-conformance patterns, new providers most commonly fail on the following:

Generic risks copied from templates — every risk must reflect your actual service types, locations, and participant cohort. Auditors ask you to explain your risks verbally.
No evidence of review — having a register with a date of "January 2025" and no subsequent updates is treated as an inactive register.
Missing restrictive practice risks — if you support participants with behaviour support plans, this category is non-negotiable.
Risk owners listed as "CEO" for everything — genuine ownership means the person responsible for the treatment action, not the most senior person in the organisation.
No linkage to incident or complaint records — auditors expect to see the risk register informed by real events in your organisation.

Getting Your Documentation Audit-Ready

Building a compliant risk register from scratch is one of over 70 governance and operational requirements new providers must satisfy. If you are working through the full documentation burden of initial NDIS registration, the 74-document SIL compliance kit at ndiscompliant.com.au includes a pre-structured risk register template with all mandatory categories, a completed example, and a matching risk management policy — designed specifically for new providers navigating the strengthened 2026 Practice Standards.

Whatever documentation approach you take, ensure your risk register is a living document that your leadership team genuinely uses — not a file created for audit day and forgotten immediately after.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.