1. What Is an NDIS Risk Register?
An NDIS risk register is a structured document that records all identified risks to your organisation's ability to deliver safe, quality disability services. For each risk, the register documents the risk description, its likelihood and consequence, the resulting risk rating, the control measures (treatments) in place to manage it, and the residual risk level after controls are applied.
The risk register is not a one-time document. It is a living record that is reviewed and updated regularly as new risks emerge, existing risks change, controls prove effective or inadequate, and your operating environment evolves. It sits at the intersection of your risk management policy (which describes your framework and methodology) and your operational management (which applies the framework in practice).
For small NDIS providers, the risk register typically contains 15-30 risks covering participant safety, workforce management, operational continuity, environmental hazards, financial sustainability, and regulatory compliance. SIL providers will have additional household-specific risks for each property they operate.
2. Practice Standards and Risk Management
The NDIS Practice Standards Core Module Outcome 2.2 (Risk Management) requires that providers implement a risk management system that:
- Identifies and assesses risks to participant safety, health, wellbeing, and rights
- Implements appropriate controls to mitigate identified risks
- Monitors and reviews risks regularly
- Integrates risk management into day-to-day operations and decision-making
- Draws on incident data, complaints data, and other sources to identify emerging risks
Your risk register is the primary operational document that demonstrates compliance with these requirements. Without a functioning risk register, auditors cannot verify that your risk management framework exists beyond policy — and a policy without implementation is a non-conformance.
The risk register also supports compliance with other Practice Standards outcomes. For example, Outcome 4.1 (Safe Environment) requires environmental risk assessments, Outcome 2.4 (Incident Management) requires that incident trends inform risk identification, and Outcome 2.6 (Human Resource Management) requires that workforce risks are identified and managed.
3. Essential Risk Register Fields
Your risk register should include the following fields for each identified risk:
| Field | Purpose | Notes |
|---|---|---|
| Risk ID | Unique identifier | Format: RISK-001, RISK-002, etc. |
| Risk category | Classification for grouping related risks | Participant safety, workforce, operational, environmental, financial, compliance |
| Risk description | Clear statement of the risk | Use the format: "Risk that [event] may occur, resulting in [consequence]" |
| Risk source / trigger | What causes or contributes to this risk | E.g., "Staff fatigue during overnight shifts," "Inadequate medication storage" |
| Affected parties | Who is affected if the risk materialises | Participants, staff, organisation, families, community |
| Likelihood (inherent) | How likely the risk is to occur without controls | Rare / Unlikely / Possible / Likely / Almost Certain |
| Consequence (inherent) | Impact if the risk materialises without controls | Insignificant / Minor / Moderate / Major / Catastrophic |
| Inherent risk rating | Pre-treatment risk level | Low / Medium / High / Extreme (derived from matrix) |
| Existing controls | What you are currently doing to manage this risk | Be specific — list actual controls, not aspirational ones |
| Control effectiveness | How well the controls are working | Effective / Partially Effective / Ineffective / Not Yet Assessed |
| Likelihood (residual) | Likelihood after controls are applied | Same scale as inherent |
| Consequence (residual) | Consequence after controls are applied | Same scale as inherent |
| Residual risk rating | Post-treatment risk level | Low / Medium / High / Extreme |
| Additional treatments planned | Further actions planned to reduce the risk | Specific, measurable actions with target dates |
| Risk owner | Person responsible for managing this risk | Name and role |
| Date identified | When the risk was first identified | DD/MM/YYYY |
| Last review date | When the risk was last reviewed | DD/MM/YYYY |
| Next review date | When the risk is next due for review | DD/MM/YYYY |
| Status | Current state of the risk | Active / Monitoring / Closed |
| Linked documents | Cross-references to related compliance documents | Policy number, incident register entries, CI register entries |
4. Risk Identification for NDIS Providers
Before you can assess and manage risks, you need to identify them. Risk identification should draw on multiple sources:
Internal Sources
- Incident register: What types of incidents are occurring? Are there patterns? Your incident register is one of the richest sources of risk information.
- Complaints register: What are participants and families concerned about? Recurring complaint themes may indicate unmanaged risks.
- Staff feedback: Frontline staff observe risks daily that management may not see. Include staff input through team meetings, supervision sessions, and suggestion systems.
- Participant feedback: Participants can identify risks to their own safety and wellbeing that may not be captured through formal systems.
- Internal audits: Systematic reviews of your own processes and environments.
- WHS inspections: Workplace health and safety hazard identification.
External Sources
- NDIS Commission alerts and guidance: The Commission publishes safety alerts and guidance notes that may identify sector-wide risks.
- Legislation changes: New or amended legislation may create compliance risks.
- Industry benchmarking: What risks are other providers experiencing?
- Media reports: Reports of incidents at other disability services may highlight risks relevant to your operation.
- Environmental scanning: Natural disasters, pandemic risks, economic conditions affecting workforce availability.
5. The Risk Matrix: Likelihood x Consequence
A risk matrix is a visual tool that plots each risk based on its likelihood of occurring and the consequence if it does occur. The intersection of likelihood and consequence determines the risk rating. The standard 5x5 matrix used in Australian risk management (aligned with AS/NZS ISO 31000) is:
Likelihood Scale
| Rating | Descriptor | Definition |
|---|---|---|
| 1 | Rare | May occur only in exceptional circumstances. Less than once per 5 years. |
| 2 | Unlikely | Could occur but not expected. Once per 2-5 years. |
| 3 | Possible | Might occur at some time. Once per 1-2 years. |
| 4 | Likely | Will probably occur in most circumstances. Several times per year. |
| 5 | Almost Certain | Expected to occur. Monthly or more frequent. |
Consequence Scale
| Rating | Descriptor | Definition |
|---|---|---|
| 1 | Insignificant | No injury. Minor inconvenience. No service disruption. |
| 2 | Minor | First aid treatment. Minor service disruption. Minor financial loss. |
| 3 | Moderate | Medical treatment required. Temporary service disruption. Moderate financial loss. Complaint to NDIS Commission. |
| 4 | Major | Hospitalisation. Extended service disruption. Significant financial loss. NDIS Commission investigation. Reportable incident. |
| 5 | Catastrophic | Death. Permanent disability. Loss of registration. Criminal prosecution. Organisational closure. |
Risk Rating Matrix
| Likelihood / Consequence | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | Medium | High | High | Extreme | Extreme |
| Likely (4) | Medium | Medium | High | High | Extreme |
| Possible (3) | Low | Medium | Medium | High | High |
| Unlikely (2) | Low | Low | Medium | Medium | High |
| Rare (1) | Low | Low | Low | Medium | Medium |
Response Requirements by Rating
| Rating | Response Required | Review Frequency |
|---|---|---|
| Low | Manage through routine procedures. Monitor for changes. | Annually |
| Medium | Specific controls required. Management attention. Action plan with target dates. | Quarterly |
| High | Senior management attention. Detailed action plan. Priority resource allocation. | Monthly |
| Extreme | Immediate action required. Board/governance level attention. May require service modification or cessation until managed. | Weekly until reduced |
6. Risk Treatment and Controls
For each risk in your register, you must document the treatment measures (controls) that reduce the risk to an acceptable level. The AS/NZS ISO 31000 hierarchy of risk treatment options applies:
- Avoid: Eliminate the risk entirely by not undertaking the activity that generates it. (Rarely practical in disability services — you cannot avoid providing supports.)
- Reduce: Implement controls that reduce the likelihood and/or consequence of the risk. This is the most common treatment approach.
- Transfer: Shift the risk to another party through insurance, outsourcing, or contractual arrangements.
- Accept: Accept the risk where the cost of treatment outweighs the benefit, or where the risk is within your organisation's risk tolerance. Accepted risks must still be monitored.
Documenting Controls Effectively
When documenting controls in your register, be specific. Avoid vague statements and instead describe concrete, verifiable actions:
| Weak Control Description | Strong Control Description |
|---|---|
| "Staff are trained" | "All support workers complete medication administration competency assessment annually. Last completed: March 2026. Tracked in training register." |
| "We have a policy" | "Incident Management Policy (POL-001, v3.0, reviewed 01/2026) with documented procedures for identification, reporting, investigation, and follow-up." |
| "Safety checks are done" | "SIL House Safety Inspection Checklist (20 items) completed monthly by House Coordinator. Results recorded and actioned. Last inspection: 15/03/2026." |
| "Insurance is in place" | "Professional indemnity insurance with [Insurer], policy #PI-2026-1234, $10M cover, renewal date 30/06/2026." |
Auditors will test your controls, not just read them. If your register states that monthly safety inspections are conducted, auditors will ask to see the completed inspection checklists. If your register states that staff are trained in medication administration, auditors will check the training register for evidence. Only document controls that actually exist and are actually implemented.
7. Understanding and Documenting Residual Risk
Residual risk is the level of risk that remains after all control measures have been applied. It is calculated using the same likelihood x consequence matrix, but with adjusted ratings that reflect the impact of your controls.
For example:
| | Likelihood | Consequence | Rating |
|---|---|---|---|
| Inherent risk (medication error causing participant harm) | Likely (4) | Major (4) | High |
| Controls applied | Medication administration training and annual competency assessment. Double-check procedure at administration. Medication Administration Records (MARs) reviewed weekly. Incident reporting for all medication errors. Pharmacy-dispensed Webster packs. | | |
| Residual risk | Unlikely (2) | Moderate (3) | Medium |
Your register should document both the inherent and residual risk ratings. A significant gap between the two demonstrates that your controls are adding value. If the inherent and residual ratings are the same, it suggests your controls are not effective — or that you have not accurately assessed the impact of your controls.
Many providers set residual risk ratings unrealistically low to make their register look good. Auditors are experienced enough to recognise this. A SIL provider that rates the residual risk of falls as "Low" when supporting elderly participants with mobility impairments will be questioned. Be honest in your residual risk assessments — auditors respect realistic ratings more than artificially optimistic ones.
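The matrix lookup from section 5, the inherent-versus-residual comparison above, and the review frequencies from the review schedule later in this article can be applied mechanically to a register entry. The following is an added example, not part of the article or any provider's template; the `Risk` class, the register entry and its review date are constructed, and it assumes the review frequency is driven by the residual rating and that "quarterly" means 91 days.

```python
from dataclasses import dataclass
from datetime import date

# Ordinal scales from the article's likelihood and consequence tables.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# The article's 5x5 rating matrix: key = likelihood score, index = consequence score - 1.
MATRIX = {
    5: ["Medium", "High", "High", "Extreme", "Extreme"],
    4: ["Medium", "Medium", "High", "High", "Extreme"],
    3: ["Low", "Medium", "Medium", "High", "High"],
    2: ["Low", "Low", "Medium", "Medium", "High"],
    1: ["Low", "Low", "Low", "Medium", "Medium"],
}

# Maximum days between reviews, from the article's review schedule (quarterly taken as 91 days).
REVIEW_DAYS = {"Low": 365, "Medium": 91, "High": 30, "Extreme": 7}


def rate(likelihood: str, consequence: str) -> str:
    """Look up the rating for a likelihood/consequence pair in the matrix."""
    return MATRIX[LIKELIHOOD[likelihood]][CONSEQUENCE[consequence] - 1]


@dataclass
class Risk:
    risk_id: str
    description: str
    inherent: tuple      # (likelihood, consequence) before controls
    residual: tuple      # (likelihood, consequence) after controls
    controls: list
    last_review: date

    def inherent_rating(self) -> str:
        return rate(*self.inherent)

    def residual_rating(self) -> str:
        return rate(*self.residual)

    def findings(self, today: date) -> list:
        """Flag the register problems the article says auditors look for."""
        inh, res = self.inherent_rating(), self.residual_rating()
        found = []
        if not self.controls:
            found.append("no documented controls")
        elif res == inh:
            found.append("controls do not change the rating; reassess control effectiveness")
        # Assumption: the review frequency is driven by the residual (current) rating.
        overdue = (today - self.last_review).days - REVIEW_DAYS[res]
        if overdue > 0:
            found.append(f"{res} risk review overdue by {overdue} days")
        return found


# Constructed register entry based on the article's medication-error example.
MED_ERROR = Risk("RISK-001", "Risk that a medication error may occur, resulting in participant harm",
                 inherent=("Likely", "Major"), residual=("Unlikely", "Moderate"),
                 controls=["Annual competency assessment", "Double-check at administration",
                           "Weekly MAR review", "Incident reporting", "Webster packs"],
                 last_review=date(2026, 3, 15))  # review date is constructed
```

Calling `MED_ERROR.findings(date(2026, 7, 1))` reports the quarterly review as overdue, while an entry with an empty `controls` list is flagged regardless of its ratings.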
8. Common Risk Categories for NDIS Providers
The following risk categories and examples provide a starting point for building your risk register. Customise these to reflect your specific service model, participant cohort, and operating environment.
Participant Safety Risks
- Falls and mobility-related injuries
- Medication errors (missed doses, wrong medication, adverse reactions)
- Abuse, neglect, or exploitation by staff or other participants
- Self-harm or suicidal ideation
- Choking or aspiration (participants with swallowing difficulties)
- Elopement or absconding
- Unauthorised use of restrictive practices
- Transport-related injuries
Workforce Risks
- Staff shortages affecting service delivery
- Expired worker screening checks
- Competency gaps in critical areas
- Staff burnout and high turnover
- Agency staff unfamiliar with participants or procedures
- Workplace injuries (manual handling, aggression, fatigue)
Operational Risks
- Service continuity during staff absence or natural disaster
- IT system failure (loss of access to records, communication systems)
- Data breach or privacy violation
- Supply chain disruption (medication, food, consumables)
- Vehicle breakdown affecting transport services
Environmental Risks
- Fire in SIL property
- Flooding or severe weather damage
- Building maintenance issues (structural, electrical, plumbing)
- Infection outbreak
- Hazardous materials or unsafe storage
Financial Risks
- Cash flow shortfall due to NDIS billing delays
- Participant money mismanagement or fraud
- Underpricing of services relative to NDIS Price Guide
- Non-compliance penalties or registration suspension
Compliance Risks
- Failure to meet audit requirements resulting in conditions on registration
- Failure to report reportable incidents within required timeframes
- Non-compliance with state or territory legislation
- Changes to NDIS Practice Standards creating new requirements
- Key personnel changes affecting organisational capability
Get a Pre-Populated Risk Register Template
The SIL Rescue Kit includes a risk register pre-populated with common SIL provider risks, a risk assessment template with the 5x5 matrix, and a comprehensive risk management policy — all mapped to NDIS Practice Standards.
9. Risk Register Review Schedule
Your risk register must be reviewed and updated regularly. The review schedule should be documented in your risk management policy and followed consistently. Auditors will check the "last review date" field in your register and expect to see reviews occurring at the frequencies specified in your policy.
| Review Type | Frequency | Scope |
|---|---|---|
| Extreme risks | Weekly until reduced to High or below | Review controls, verify implementation, assess effectiveness |
| High risks | Monthly | Review controls and residual rating, check treatment progress |
| Medium risks | Quarterly | Verify controls still in place, reassess ratings if circumstances have changed |
| Low risks | Annually | Confirm risk is still relevant, verify controls remain appropriate |
| Full register review | Annually | Reassess all risks, add new risks, close resolved risks, review methodology, update based on incident and complaint trends |
| Triggered review | As needed | After a major incident, significant complaint, legislative change, or new service/participant |
10. Linking the Risk Register to Other Compliance Documents
Your risk register should not exist in isolation. It must connect to and be informed by other compliance documents in your system. These connections should be documented through cross-references in your register.
- Risk management policy: Your policy describes the framework and methodology; your register applies them. The policy should reference the register, and the register should apply the methodology described in the policy.
- Incident register: Recurring incidents should trigger new risk entries or cause existing risk ratings to be reassessed. Cross-reference incident numbers.
- Complaints register: Complaint trends may reveal risks not previously identified. Cross-reference complaint numbers.
- Continuous improvement register: Risk treatments often generate improvement actions. Cross-reference CI entry numbers.
- Training register: Workforce competency risks should link to training plans. Cross-reference relevant training items.
- Worker screening register: Screening expiry creates compliance risk. Link to your worker screening register.
- Participant support plans: Individual participant risk assessments should inform the organisational risk register where risks are systemic.
11. What Auditors Expect from Your Risk Register
During a certification audit, auditors will examine your risk register and evaluate it against the following criteria:
- The register contains a reasonable number and range of risks for your service type and size
- Risk descriptions are clear and specific (not vague or generic)
- A consistent risk assessment methodology (matrix) is applied across all risks
- Both inherent and residual risk ratings are documented and realistic
- Controls are specific, verifiable, and actually implemented (not aspirational)
- High and extreme risks have active treatment plans with target dates
- The register shows evidence of regular review (review dates, changes documented)
- Incident and complaint data has informed risk identification and rating
- Each risk has an assigned risk owner
- The register is consistent with the risk management policy
- Cross-references to related documents are included
Common non-conformances include: a risk register that has not been updated in over 12 months, risks with no documented controls, unrealistic residual risk ratings (everything rated "Low"), no evidence that incident or complaint data informed the register, and controls that do not actually exist when tested. Avoid these by maintaining your register as a genuine operational tool rather than a compliance checkbox.
Summary
Your NDIS risk register is the practical expression of your risk management framework. It demonstrates that your organisation proactively identifies threats to participant safety and service quality, assesses their severity using a consistent methodology, implements and monitors controls, and reviews risks regularly. A well-maintained risk register satisfies auditors and — more importantly — helps you prevent incidents and deliver safer services.
The key principles are: identify risks from multiple sources (incidents, complaints, staff feedback, environmental scanning), assess each risk using a consistent likelihood x consequence matrix, document specific and verifiable controls, record realistic residual risk ratings, review the register at defined intervals, and connect the register to your incident, complaints, CI, and training systems.
For support workers, good documentation is a key risk control. Our free NDIS Notes Rewriter helps ensure shift notes meet compliance standards. And if you are preparing for your SIL certification audit, the SIL Rescue Kit provides a complete risk register template, risk assessment template, and risk management policy — all pre-populated with common SIL risks and ready to customise.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.