NDIS Incident Management: What Your System Must Include

Every registered NDIS provider must maintain an incident management system that meets the Commission's Rules, and it's one of the first things auditors test, on paper and in worker interviews. Here is what the system must contain, which incidents are reportable and when, and how to build it so it works in practice.

Last updated: 12 June 2026

The legal foundation

The NDIS (Incident Management and Reportable Incidents) Rules 2018 require every registered provider to have an incident management system that is proportionate to the size of the organisation and the supports delivered, documented, and understood by workers. The system covers all incidents connected with your supports: things that harmed or could have harmed a participant, and acts by a participant that harmed or could have harmed others.

What the system must include

  • A documented procedure covering identification, immediate response, assessment, recording, investigation, and resolution of incidents, including who does what and within what timeframes.
  • An incident register recording each incident, the participants and workers involved, the response, investigation outcomes, and corrective actions.
  • Support for impacted participants: keeping them informed, involving them in the response, and providing supports they need after an incident.
  • Worker training so every worker can recognise, respond to, and report incidents, evidenced in your training register.
  • Periodic review of incident data to identify trends and feed your continuous improvement plan. Auditors love seeing an incident trend review minuted in a management meeting.

Reportable incidents and timeframes

A subset of incidents must be notified to the NDIS Commission whenever they occur in connection with NDIS supports:

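Reportable incident | Notify the Commission
Death of a participant | Within 24 hours of key personnel becoming aware, with a detailed report within 5 business days
Serious injury of a participant | Within 24 hours of key personnel becoming aware, with a detailed report within 5 business days
Abuse or neglect of a participant | Within 24 hours of key personnel becoming aware, with a detailed report within 5 business days
Unlawful sexual or physical contact with, or assault of, a participant | Within 24 hours of key personnel becoming aware, with a detailed report within 5 business days
Sexual misconduct against, or in the presence of, a participant | Within 24 hours of key personnel becoming aware, with a detailed report within 5 business days
Use of an unauthorised restrictive practice | Within 5 business days (24 hours if the participant was harmed)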

Notifications go through the Commission's portal, and your procedure should name who is authorised to submit them. Timeframes and definitions are maintained by the Commission and can change, so build the current versions into your procedure and check them at each policy review.

Building a system that passes Stage 2

Most providers fail incident management at implementation, not documentation. The Stage 2 audit samples your register, traces individual incidents through your own procedure, and asks workers what they would do. To be ready:

  • Make the form easy. If reporting an incident takes 40 minutes of friction, workers will under-report and your register will look implausibly clean. A one-page initial report with a follow-up workflow beats a perfect form nobody completes.
  • Record near misses. An empty register at an established provider reads as under-reporting, not excellence. Near misses evidence a living system.
  • Close the loop. Every register entry should show an outcome: what changed, who was informed, and when it was reviewed. Open-ended entries are standing audit findings.
  • Brief your workers, then test them. Five minutes in each team meeting on "what would you do if" scenarios prepares staff for the exact questions auditors ask.

Where to get the documents

Our 220+ document package includes the complete incident management set: policy, procedure with reportable incident workflows and timeframes, incident report forms, the register, investigation templates, and the training materials to brief your team, all editable and structured against the Practice Standards outcomes your auditor will assess.

Frequently Asked Questions

Do unregistered NDIS providers need an incident management system?
The Incident Management and Reportable Incidents Rules bind registered providers, but the NDIS Code of Conduct applies to everyone, and it requires all providers to take reasonable steps to prevent and respond to violence, abuse, neglect, and exploitation. In practice, plan managers and coordinators increasingly expect unregistered providers to run a real incident system too, and you'll need one the day you register.

What makes an incident reportable to the NDIS Commission?
Reportable incidents are the most serious category: the death of a participant, serious injury, abuse or neglect, unlawful sexual or physical contact with or assault of a participant, sexual misconduct, and the use of an unauthorised restrictive practice. These must be notified to the Commission within the required timeframes whenever they happen in connection with NDIS supports.

What are the reporting timeframes?
For deaths, serious injuries, abuse or neglect, unlawful contact or assault, and sexual misconduct: notify the Commission within 24 hours of key personnel becoming aware, with a more detailed report within 5 business days. Unauthorised restrictive practices must be reported within 5 business days, or 24 hours if the participant was harmed. Confirm current timeframes against the Commission's guidance; they are tested in audits.

What do auditors actually check in the incident system?
Four things: a compliant procedure, a populated register (or a credible empty one for new providers), evidence that incidents were managed as the procedure says, and workers who can describe what they would do. Stage 2 interviews routinely ask support workers how they would report an incident; a perfect policy that staff have never seen is a finding.
