Why Your Risk Register Is a Priority Audit Document
The NDIS Commission's approved quality auditors treat a provider's risk register as a live diagnostic tool, not a filing-cabinet artefact. Under the NDIS Practice Standards and Quality Indicators, providers must demonstrate systematic governance of risk across their operations. For Supported Independent Living (SIL) providers in particular — who deliver 24-hour supports to participants with complex needs — a well-maintained risk register is one of the clearest signals of organisational maturity an auditor will look for.
With the strengthened NDIS Practice Standards framework progressively rolling out from 2026, auditors are applying greater scrutiny to governance documentation. Understanding what they examine, and why, will help your organisation avoid findings that delay registration or trigger conditions.
The Regulatory Basis: What the Standards Require
The NDIS Practice Standards (set out in the National Disability Insurance Scheme (Provider Registration and Practice Standards) Rules 2018, made under the National Disability Insurance Scheme Act 2013) require registered providers to:
- Maintain effective risk management systems that identify, assess, and respond to risks to participants and the organisation
- Ensure governance arrangements support continuous improvement, incident management, and complaints handling
- Demonstrate that risk controls are proportionate to the nature and complexity of supports delivered
- Review risk management processes regularly and in response to significant events such as incidents or near-misses
For SIL providers, the Core Module requirements intersect with the High Intensity Daily Personal Activities module and, where the provider implements behaviour support plans, the Implementing Behaviour Support Plans module. These modules carry additional risk-related obligations around restrictive practices, medication management, and complex health support plans.
Exactly What an Auditor Examines in Your Risk Register
Approved quality auditors — whether conducting a certification, verification, or surveillance audit — will typically work through the following elements of your risk register:
1. Scope and Coverage of Identified Risks
Auditors check that the register captures risks across all relevant domains. For a SIL provider, this includes:
- Participant safety (falls, medication errors, choking, self-harm, restrictive practice misuse)
- Workforce (inadequate staffing ratios, unverified NDIS Worker Screening clearances, lone-worker incidents)
- Financial viability (budget overruns, fraud, billing errors)
- Operational continuity (technology failures, emergency management, supplier dependency)
- Regulatory compliance (registration conditions, reportable incidents, mandatory notifications)
- Environmental and property risks relevant to SIL accommodation
A register that addresses only one or two categories — often only work health and safety (WHS) — will attract a query or a non-conformance finding. Auditors expect to see participant-specific risk considerations reflected in the register, even where individual participant risk plans live in a separate clinical record.
2. Risk Rating Methodology
Auditors look for a consistent, documented rating method. Common expectations include:
- A defined likelihood scale (for example: rare, unlikely, possible, likely, almost certain)
- A defined consequence scale (for example: insignificant, minor, moderate, major, catastrophic)
- A risk matrix or equivalent tool that produces a risk level (low, medium, high, extreme)
- Consistent application of the methodology across all entries — not ratings that appear to have been assigned arbitrarily
Where ratings are inconsistent or the methodology is not documented, auditors typically raise this as a non-conformance against governance quality indicators.
3. Controls: Current State and Adequacy
The most common audit finding in risk registers relates to controls. Auditors assess whether:
- Each identified risk has at least one active control listed — not just a plan to implement one in future
- Controls are specific and verifiable (for example, "staff complete medication administration training before working independently" rather than "training provided")
- Residual risk is re-rated after controls are applied, demonstrating that the controls genuinely reduce risk
- Controls align with evidence seen elsewhere — a control citing "safe manual handling procedures" must be backed by observable practice and training records
4. Ownership and Accountability
Each risk entry must name an accountable person or role. Auditors check that:
- A specific position (not just "management") is assigned as risk owner
- There is evidence that the named person or role is actively managing the risk, not just listed as a formality
- Escalation pathways are clear for high and extreme risks
5. Review Dates and Evidence of Active Monitoring
A risk register with no entries updated in the past twelve months is a red flag. Auditors look for:
- Documented review dates on each entry, not just a single "last reviewed" date at the top of the document
- Evidence that reviews actually occurred — version history, meeting minutes, or a risk review log
- New or updated risks added in response to incidents, complaints, or near-misses — this linkage demonstrates a functioning improvement system
- Closure or de-escalation of risks where controls have proved effective
6. Integration with Other Governance Documents
Auditors do not review the risk register in isolation. They cross-reference it against:
- Your incident register — risks that have materialised should appear in both
- Complaints register — systemic themes should feed back into risk identification
- Policies and procedures — cited controls must exist in documented form
- Board or leadership meeting minutes — evidence that risk is discussed at governance level
A disconnect between these documents — for instance, a pattern of medication incidents in the incident register that never appears as a risk entry — is a substantive audit concern, because it shows the improvement loop is not closing.
Common Non-Conformances and How to Fix Them
| Non-Conformance | What Auditors Observe | The Fix |
|---|---|---|
| Incomplete risk coverage | Only WHS or financial risks listed; participant safety absent | Add a participant risk domain; link to support plans and incident data |
| Stale register | No updates in 12+ months; review dates missed | Schedule quarterly reviews; document them in meeting minutes |
| Generic controls | "Staff training" listed with no detail or evidence | Name the specific procedure, frequency, and verifiable record |
| No residual rating | Controls listed but risk not re-rated after control | Add inherent risk and residual risk columns to your matrix |
| No named owner | "Management" listed as responsible party | Assign a specific position title as risk owner |
| Disconnection from incidents | Frequent incident type not reflected as a risk entry | Build a standing agenda item: "do our incidents raise a new register entry?" |
A Practical Step-by-Step Approach for SIL Providers
1. Audit your current register against auditor expectations — use the domains and criteria above as a checklist before your formal audit.
2. Confirm your rating methodology is documented — the risk matrix must live in a policy or procedure, not just in the register itself.
3. Cross-walk your incident data — every incident category that has recurred more than once in the past year should appear as a risk entry.
4. Name a risk owner for every entry — update role titles when staff turnover occurs rather than leaving a departed person's name in place.
5. Set calendar-based review triggers — quarterly at minimum for high and extreme risks; at least annually for low and medium risks.
6. Document your governance trail — capture risk register review discussions in leadership meeting minutes so auditors can see the paper trail.
7. Brief the responsible manager — whoever owns the register must be able to speak to it confidently during auditor interviews, not just present the document.
The 2026 Strengthened Standards: What Changes
The NDIS Commission's strengthened Practice Standards framework places increased emphasis on participant-centred governance, active risk management, and demonstrable continuous improvement. For SIL providers, this translates to a stronger expectation that risk registers reflect the specific complexities of each supported living environment — not just generic operational risk. Auditors conducting certification or re-certification audits under the updated framework are likely to probe more deeply into how participant voices and incident learnings influence risk identification.
Providers preparing for 2026 audits should treat their risk register as a living governance document, not a compliance checkbox. If you are building or overhauling your risk documentation from the ground up, the 74-document SIL audit-ready compliance kit at ndiscompliant.com.au includes a structured risk register template aligned to the current NDIS Practice Standards, alongside the policies and procedures that underpin each risk control.
Summary
An NDIS auditor reviewing your risk register is asking three linked questions: does this organisation know what could go wrong, is it actively managing those risks, and can it demonstrate both? A register that is comprehensive, consistently rated, actively owned, regularly reviewed, and visibly linked to incident and complaints data will answer all three. One that is generic, stale, or disconnected from operational reality will not.
Important: This article provides general guidance about NDIS compliance requirements. It is not legal or professional advice. Requirements may change as the NDIS Commission updates its policies and Practice Standards. Always verify current requirements with the NDIS Quality and Safeguards Commission or a registered NDIS consultant before making compliance decisions.