What Is an NDIS Risk Register and Why Does It Matter?

A risk register is one of the foundational governance documents NDIS quality auditors inspect when assessing whether a registered provider meets the NDIS Practice Standards. For Supported Independent Living (SIL) providers, it serves a dual purpose: it demonstrates that your organisation has systematically identified the risks that could harm participants or compromise service quality, and it provides a documented, auditable trail of how those risks are being managed.

Under the NDIS Commission's strengthened 2026 registration requirements, all registered providers — including SIL providers subject to certification audits — must demonstrate robust governance and operational management. A current, maintained risk register is direct evidence of this. Auditors will look not just for the document's existence but for proof that risks are reviewed regularly and that controls are actually being implemented.

Key Risk Categories for SIL Providers

Before looking at the filled-in sample, it helps to understand the main risk categories an NDIS SIL risk register should cover:

How to Rate Risks: Likelihood and Consequence

Most NDIS providers use a simple 5x5 or 4x4 risk matrix. The two dimensions are likelihood (how probable it is that the risk event occurs) and consequence (how severe the harm or impact would be if it did).

Multiplying or combining these produces a risk rating: Low, Medium, High, or Extreme. Extreme and High risks require immediate documented treatment plans and named owners. The NDIS Commission's Practice Standards require providers to have processes for identifying and managing risk; the matrix is the most common tool used to satisfy this requirement in audit evidence.

Filled-In NDIS Risk Register Sample

The table below is a realistic worked example for a SIL provider operating a small residential setting. It is illustrative only — your register must reflect your actual operating context, participant cohort, and controls.

| Risk ID | Risk Description | Category | Likelihood | Consequence | Risk Rating | Existing Controls | Treatment / Action | Owner | Review Date | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| R-001 | Participant sustains a serious injury in the home due to undetected environmental hazard (e.g., fall risk, unsecured hazardous materials) | Participant Safety | Possible | Major | High | Quarterly home safety audits; hazard checklist completed on move-in; incident reporting procedure in place | Implement monthly environmental walk-through using updated NDIS-aligned checklist; document and resolve all identified hazards within 5 business days | House Supervisor | 30 Jul 2026 | In Progress |
| R-002 | Unauthorised use of a restrictive practice by support worker without behaviour support plan approval or NDIS Commission authorisation | Restrictive Practices | Unlikely | Severe | High | All staff complete restrictive practices training on induction; behaviour support plans reviewed by registered behaviour support practitioner | Introduce random monthly practice observations; add restrictive practices agenda item to monthly team meetings; report any suspected unauthorised use within 24 hours per NDIS Commission requirements | Quality & Compliance Manager | 30 Jul 2026 | Open |
| R-003 | Failure to notify NDIS Commission of a reportable incident within required timeframes | Incidents | Possible | Major | High | Incident reporting policy and procedure in place; staff trained on incident categories and timelines; NDIS Commission portal access granted to manager | Create a quick-reference flowchart of reportable incident types and notification timelines; conduct simulation drill each quarter; appoint a backup notifier if primary manager is unavailable | Operations Manager | 15 Aug 2026 | In Progress |
| R-004 | Support worker employed without valid NDIS Worker Screening Check, creating risk of harm to participants | Workforce | Unlikely | Severe | High | HR onboarding checklist requires screening check clearance before commencement; checks recorded in HR system | Implement automated expiry alert in HR system; conduct bi-annual audit of all worker screening records; ensure labour hire workers have checks verified before placement | HR Manager | 30 Sep 2026 | Open |
| R-005 | Participant complaint not acknowledged or resolved within the organisation's stated timeframes, undermining trust and compliance | Complaints | Possible | Moderate | Medium | Complaints policy accessible to all participants and guardians; Easy Read version available; complaints log maintained | Review complaints log monthly at management meetings; send acknowledgement to complainant within 2 business days; escalate unresolved complaints beyond 28 days to senior leadership | Quality & Compliance Manager | 30 Aug 2026 | Open |
| R-006 | Loss of key SIL support staff causing service continuity gap for participants with high support needs | Business Continuity | Likely | Major | Extreme | Casual relief pool maintained; handover documentation for each participant; participant support plans updated quarterly | Engage minimum two trained agency backup workers per site; cross-train permanent staff across participant sites; review business continuity plan annually and after each critical staffing incident | Operations Manager | 15 Jul 2026 | Open |
| R-007 | Participant personal information disclosed without consent or accessed by unauthorised person, breaching Privacy Act obligations | Information Governance | Unlikely | Major | Medium | Privacy policy in place; staff sign confidentiality agreement; records stored in password-protected system | Conduct annual privacy awareness training; audit user access permissions every 6 months; ensure data breach response procedure is tested and up to date | CEO / Director | 30 Sep 2026 | Open |

What Auditors Look for in Your Risk Register

When an approved quality auditor reviews your risk register during a certification or verification audit, they are assessing evidence against the NDIS Practice Standards — particularly the Governance and Operational Management core module. Common findings that lead to non-conformances include:

  1. No review history — a risk register dated more than 12 months ago with no evidence of periodic review indicates the document is not being used as a live governance tool.
  2. Generic or copy-paste risks — risks that do not reflect your actual participant cohort, services, or operating environment suggest the register was created for audit purposes only.
  3. No named owners — every risk must have an accountable person; anonymous ownership means treatment actions are unlikely to be followed through.
  4. Missing links to policy — the risk register should reference or link to relevant policies and procedures (e.g., Incident Reporting Policy, Restrictive Practices Policy) so auditors can trace the control chain.
  5. No participant-level risks — SIL providers in particular must demonstrate that individual participant risks (as distinct from organisational risks) are captured, either in the risk register or in individual risk management plans within participant files.

Maintaining Your Risk Register

The NDIS Practice Standards require that governance systems are not static documents. For your risk register to satisfy auditors and, more importantly, actually protect participants, build these habits into your operations:

If you are preparing for your 2026 NDIS registration renewal or an upcoming certification audit, the ndiscompliant.com.au 74-document audit-ready SIL compliance kit includes a fully editable risk register template alongside policies, procedures, and governance tools built to align with the strengthened Practice Standards — worth reviewing if you want to avoid building from scratch under time pressure.

Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.