Good risk management protects participants and your business, and it is something auditors expect to see in action. You do not need a complex system, you need a clear, used one. Here is how to approach NDIS risk management.
The risks to cover
Cover risks to participants (safety, neglect, abuse, health), to workers (work health and safety), and to the organisation (financial, legal, reputational, continuity of supports). A good approach looks across all three.
Build a simple risk register
A risk register lists each risk, how likely and serious it is, the controls in place, who owns it, and when it was last reviewed. Keeping it current is what turns a policy into real risk management.
Participant and incident links
Risk management connects to your incident and complaints data. Patterns in incidents should feed back into your risk controls, closing the loop and showing continuous improvement.
How it shows up at audit
Auditors look for a risk management policy, a maintained risk register, evidence you act on risks, and a continuity or emergency plan. An untouched register dated a year ago is a red flag.
Frequently asked questions
What should an NDIS risk management plan cover?
Risks to participants, workers and the organisation, including safety, work health and safety, financial, legal and continuity risks, each with controls, an owner and a review date.
What is an NDIS risk register?
A living document that lists each risk, its likelihood and severity, the controls in place, who owns it and when it was last reviewed. Keeping it current is the key to real risk management.
Do auditors check risk management?
Yes. They look for a risk management policy, a maintained risk register, evidence you act on risks, and an emergency or continuity plan.
Related NDIS guides
General information for Australian NDIS providers, not legal advice. Always check the current NDIS Practice Standards and NDIS Quality and Safeguards Commission requirements for your situation.