NDIS Risk Management: The Plan, the Register, and the Audit

Risk management is a Core Module requirement that runs through every other part of your NDIS compliance system: incidents, complaints, WHS, clinical care, and continuity all hang off it. Here is what a compliant system looks like at both the organisational and participant level, and what auditors test.

Last updated: 12 June 2026

What the Practice Standards require

The Core Module requires risk management proportionate to your organisation's size and the scope and complexity of the supports you deliver. Proportionate does not mean optional: whether you're a sole trader or a 200-staff organisation, the auditor expects a documented framework, a living register, and risk thinking visibly applied to each participant's supports. Risk management also anchors the verification pathway, where a risk management approach is one of the named document requirements.

Layer 1: organisational risk

Your enterprise risk system needs four working parts:

  • A risk management policy and framework describing how risks are identified, rated, treated, owned, and reviewed, usually with a simple likelihood-by-consequence matrix.
  • A risk register covering the real categories for an NDIS provider: participant safety, workforce and screening compliance, clinical and medication risk, WHS, financial viability, information and privacy, fraud, and continuity. Each entry carries a rating, a treatment, an owner, and a review date.
  • Linked registers. Incidents, complaints, and corrective actions all feed risk reviews; an incident trend that never updates the risk register is a classic finding.
  • Scheduled review. A standing agenda item with minutes (quarterly works for most small providers), showing the register is used, not framed.

Layer 2: participant risk

Every participant file should show an individual risk assessment completed at intake and reviewed regularly: health and medication risks, environment and home safety, behaviours of concern, communication and decision-making support needs, transport, and community settings. Two qualities separate a pass from a finding:

  • The assessment matches the plan. Risks identified at intake should visibly shape the support plan, dignity-of-risk conversations included, with the participant's choices documented.
  • The assessment matches reality. Stage 2 auditors cross-check files against worker interviews and, where applicable, site visits. An assessment that hasn't been reviewed since intake while the participant's needs changed is the most common participant-level finding.

The overlaps: WHS and emergency planning

NDIS risk management doesn't replace work health and safety law: your workers are owed a safe system of work under WHS legislation regardless, and home visits, manual handling, and community settings are where the two regimes meet. Keep WHS hazards in scope of the same register rather than running parallel systems.

Emergency and disaster management is now a distinct Core Module expectation: a documented plan for maintaining critical supports through pandemics, natural disasters, and infrastructure failures, with participant-level continuity arrangements for people who depend on your services for daily living. Review it annually and after every activation, and minute the review.

What auditors check, by pathway

Verification: A documented, proportionate risk management approach alongside your incident and complaints processes.

Certification: The full framework: register quality, participant assessments sampled from files, linkage to incidents and improvement, emergency planning, and whether workers and managers can describe how risk is actually managed.

Where to get the documents

Our 220+ document package includes the complete risk set: risk management policy and framework, organisational risk register with matrix, participant risk assessment templates, WHS forms, and the emergency and disaster management plan, all editable Word documents structured against the Practice Standards outcomes auditors assess.

Frequently Asked Questions

What risk documents does an NDIS audit actually require?
Expect to show a risk management policy and framework, a current organisational risk register with ratings and treatments, participant-level risk assessments on file, work health and safety documentation, and an emergency and disaster management plan. Verification audits ask for a proportionate subset; certification audits test the full system and whether it's used.
What is the difference between organisational and participant risk assessment?
Organisational risk covers the business: workforce, financial, clinical governance, WHS, information security, and continuity risks, held in the enterprise risk register. Participant risk assessment is individual: the risks in each participant's supports, environment, health, and behaviours, documented in their file and reflected in their support plan. Auditors check both layers and the link between them.
Do small providers need a full risk matrix?
The Practice Standards require risk management proportionate to your size and scope, so a sole trader's system can be lean, but it still needs to exist in writing: a register, a simple likelihood-by-consequence rating, named owners, and review dates. 'It's all in my head' is an automatic finding.
Why do audits care about emergency and disaster planning?
A Core Module requirement strengthened after COVID-19 requires providers to plan for continuity of critical supports during emergencies: pandemics, natural disasters, infrastructure failures. Auditors look for an emergency and disaster management plan, participant-level continuity arrangements for those who depend on your supports, and evidence the plan has been reviewed or tested.

Need Audit-Ready NDIS Registration Documents?

Our complete package includes 220+ editable policies, procedures, forms, and registers covering the Core Module and Modules 1 to 5. One-time payment of $1,500 AUD.