What's in this template?
This NDIS Risk Management Policy template is aligned to Core Module 1 of the NDIS Practice Standards (Version 4, November 2021) and the AS/NZS ISO 31000:2018 risk management framework. It provides a comprehensive approach to identifying, assessing, treating, monitoring, and reviewing risks across all aspects of NDIS service delivery, including participant-specific risk assessments, organisational risk governance, and integration with incident and complaints management.
The template covers 14 sections:
- Purpose — commitment to proactive, systematic risk management aligned to NDIS Practice Standards and AS/NZS ISO 31000
- Scope — all risks associated with NDIS-funded supports: participant safety, worker safety, operational, strategic, environmental, and information security
- Legislative and Regulatory Framework — NDIS Act 2013, Practice Standards, Code of Conduct, WHS Act, Privacy Act, AS/NZS ISO 31000
- Risk Management Principles — integrated, systematic, participant-centred, proportionate, inclusive, improvement-driven, dynamic
- Risk Management Governance — governing body responsibilities, Responsible Person accountabilities, Risk Officer role, all-worker obligations
- Risk Management Process — five-step ISO 31000 process:
  - 6.1 Risk Identification — intake assessments, workplace inspections, incident analysis, worker feedback, regulatory changes
  - 6.2 Risk Assessment — likelihood and consequence scales, risk matrix (5×5), risk ratings (Low/Medium/High/Extreme)
  - 6.3 Risk Treatment — avoid, reduce, transfer, accept; treatment plan documentation
  - 6.4 Risk Monitoring and Review — quarterly register review, effectiveness evaluation, governing body oversight
  - 6.5 Communication and Consultation — worker consultation, participant involvement, information sharing
- Participant-Specific Risk Assessments — individual risk assessments at intake, support needs, safeguarding risks, documentation in support plans
- Risk Register — central record of all risks with fields for description, owner, ratings, controls, treatment plans, residual risk
- Work Health and Safety Integration — workplace inspections, safe work procedures, WHS consultation
- Insurance — public liability, professional indemnity, workers' compensation, cyber liability
- Reporting and Continuous Improvement — quarterly management review, biannual governing body reports, cross-referencing incident/complaint data
- Training — induction, annual refresher, participant-level risk assessment training, governing body risk oversight
- Related Policies — cross-references to Incident Management, Complaints, Privacy, Continuity of Supports, Governance, WHS
- Review History — version control and approval
Editable placeholder fields
- {{practice_name}}, {{abn}}, {{ndis_registration_number}}, {{practice_address}}, {{phone}}, {{email}}
- {{responsible_person}} — key personnel / responsible person
- {{risk_officer_name}} — dedicated risk officer (optional, may be the Responsible Person)
- {{risk_register_location}} — where the risk register is maintained
- {{review_date}}, {{next_review_date}}
NDIS Practice Standards requirement
Core Module 1 — Risk Management requires that risks to participants, workers, and the organisation are identified and managed. The NDIS Quality and Safeguards Commission's quality indicators specify that providers must demonstrate:
- A risk management framework appropriate to the size and scope of the organisation
- Risks are identified, assessed, and treated using a systematic process
- A risk register is maintained and regularly reviewed
- Individual participant risk assessments are conducted and inform support planning
- Workers are involved in identifying and managing risks
- Incident and complaint data informs risk assessments
- The governing body has oversight of risk management activities
The NDIS Verification Module Required Documentation Guide lists the risk management policy as a required document for all registered providers. During a verification audit, auditors will review the risk management policy, examine the risk register, check participant-level risk assessments, and ask workers how they identify and report risks.
For providers undergoing certification audit, the assessment is more detailed and includes evaluating the maturity of the risk management framework, the quality of risk treatment plans, and evidence that risk management drives service improvements.
How to customise this template
- Download the Word document and fill in all {{placeholder}} fields with your organisation's details
- Insert your risk matrix — Section 6.2 includes likelihood and consequence scales; add your organisation's 5×5 risk matrix table
- Establish your risk register — set up a spreadsheet, database, or software system using the fields listed in Section 8
- Conduct an initial risk assessment — identify and rate risks across participant safety, operations, compliance, WHS, and information security
- Develop individual participant risk assessments — create a risk assessment template for use at participant intake
- Assign risk owners — each risk in the register needs a named person responsible for monitoring and managing it
- Set your risk appetite — work with your governing body to define acceptable risk levels for different categories
- Cross-reference your other policies — update Section 13 with the specific titles of your related policies
- Schedule quarterly risk register reviews — add these to your management meeting agenda
Frequently asked questions
Is a risk management policy required for NDIS registration?
Yes. Risk management is part of Core Module 1 of the NDIS Practice Standards, which applies to all registered NDIS providers. The Verification Module Required Documentation Guide explicitly lists a risk management policy as a required document. Without one, you cannot pass a verification or certification audit.
What is the difference between an organisational risk register and a participant risk assessment?
The organisational risk register captures risks to the whole organisation — operational, financial, compliance, WHS, and strategic risks. Participant-specific risk assessments focus on the individual risks associated with delivering supports to a particular participant. Both are required under the NDIS Practice Standards. The organisational register is reviewed quarterly by management; participant risk assessments are reviewed at intake, plan reviews, and when circumstances change.
Do we need to use ISO 31000?
The NDIS Practice Standards do not mandate a specific risk management standard, but the NDIS Commission's guidance materials reference AS/NZS ISO 31000 as best practice. Using the ISO 31000 framework demonstrates a mature and systematic approach to risk management that auditors will view favourably. This template follows the ISO 31000 five-step process (identify, assess, treat, monitor, communicate).
How often should the risk register be reviewed?
ClinicComply recommends reviewing the risk register at least quarterly at management meetings, with the governing body reviewing it at least biannually. Individual risk treatment plans should be reviewed more frequently if they involve high or extreme-rated risks. The risk register should also be updated whenever a significant incident occurs, a new service is introduced, or there is a major change in circumstances.
What is "risk appetite" and how do we set it?
Risk appetite is the level of risk your organisation is willing to accept in pursuit of its objectives. It is set by the governing body and guides decision-making about which risks to treat and which to accept. For NDIS providers, risk appetite for participant safety should be very low (near zero tolerance for risks of abuse, neglect, or serious harm), while appetite for operational or financial risks may be higher. Document your risk appetite statement and reference it in this policy.
How does risk management link to incident and complaints management?
Risk management, incident management, and complaints management form an integrated quality and safety system. Incidents and complaints are both sources of information about risks that have materialised. Your risk assessments should be informed by incident and complaint data, and your risk treatments should aim to prevent recurrence. The NDIS Practice Standards expect providers to demonstrate this integration.