
NDIS Risk Register - How to Complete One?

Learn how to complete an NDIS Risk Register step-by-step, what to include, common mistakes to avoid, and download a practical template to stay audit-ready and compliant.

Manjil Munankarmi
NDIS Providers Guide
February 17, 2026

Running an NDIS business isn’t just about delivering quality supports - it’s about managing risk responsibly. Whether you’re a sole trader or a growing provider, a properly completed NDIS Risk Register is essential for compliance, participant safety, and long-term sustainability.

Yet many providers:

  • Don’t have a formal risk register
  • Download a template but never update it
  • Confuse it with an incident register

In this guide, we’ll explain what an NDIS Risk Register is, what to include, how to complete one step-by-step, and the common mistakes to avoid, with practical examples you can apply immediately.

What Is an NDIS Risk Register?

An NDIS Risk Register is a structured document used to:

  • Identify potential risks
  • Assess their likelihood and impact
  • Record control measures
  • Assign responsibility
  • Monitor and review risks over time

It is a proactive tool - meaning it helps you prevent problems before they occur.

Risk Register vs Incident Register

Many providers mix these up.

Risk Register                 | Incident Register
Records potential risks       | Records events that have already happened
Focuses on prevention         | Focuses on response
Ongoing management tool       | Reactive documentation

Why Is a Risk Register Important for NDIS Providers?

When you run an NDIS service, people are trusting you with their safety and wellbeing. A risk register helps you protect that trust.

It’s more than a compliance document - it’s a practical tool that helps you:

  • Protect participants from harm
  • Keep staff safe
  • Reduce compliance breaches
  • Avoid financial and operational disruptions
  • Prepare confidently for audits
  • Demonstrate strong governance

Under the National Disability Insurance Scheme (NDIS) framework, providers must maintain appropriate risk management systems aligned with the NDIS Quality and Safeguards Commission Practice Standards.

Auditors expect to see clearly identified risks, realistic risk ratings, documented controls, and evidence that the register is reviewed regularly - not just created and forgotten.

What Should Be Included in an NDIS Risk Register?

Your risk register should include the following core columns:

1. Risk ID

Each risk should have a unique identification number or code to make it easy to track, reference, and manage across your risk register.

2. Risk Description

Provide a clear and concise explanation of the risk, outlining what could go wrong and the potential impact.
Example:

“Risk of medication error during community support, which could result in participant harm or non-compliance with care standards.”

3. Risk Category

Common categories include:

  • Operational: Risks that affect day-to-day service delivery, such as staff shortages, rostering issues, or system failures.
  • Clinical: Risks related to participant health and safety, including medication errors, falls, or inadequate care planning.
  • Financial: Risks that may impact cash flow or revenue, such as incorrect claiming, missed invoices, or funding shortfalls.
  • WHS (Work Health & Safety): Risks that could cause injury or harm to staff, such as unsafe environments, manual handling incidents, or lack of training.
  • Compliance: Risks of breaching NDIS rules or regulatory requirements, including expired worker screening or incomplete documentation.
  • Reputational: Risks that could damage your organisation’s public image, such as complaints, negative reviews, or serious incidents.

4. Likelihood

Likelihood refers to how probable it is that the risk will occur within your service.

  • Rare: May occur only in exceptional circumstances.
  • Unlikely: Could happen, but not expected under normal conditions.
  • Possible: Might occur at some point.
  • Likely: Will probably occur in most circumstances.
  • Almost Certain: Expected to occur frequently or regularly.

5. Consequence

Consequence describes the level of impact if the risk does occur.

  • Minor: Minimal impact with little disruption or harm.
  • Moderate: Noticeable impact requiring corrective action.
  • Major: Serious impact such as participant harm or compliance breach.

6. Risk Rating

Calculated using a risk matrix (Likelihood × Consequence). Results may be Low, Medium, High, or Extreme. Before rating risks, make sure you understand how to properly assess them. Our comprehensive NDIS Risk Assessment Guide walks through the full assessment process in detail.

7. Existing Controls

What measures are already in place?

Example:

  • Medication training
  • Double-checking procedures
  • Incident reporting system

8. Additional Controls Required

Document any extra measures that need to be implemented to reduce the risk further or prevent it from occurring. This ensures you’re not just relying on existing controls.

9. Responsible Person

Clearly assign a person who is accountable for managing the risk, monitoring controls, and ensuring that actions are followed through.

10. Review Date

Specify when the risk will next be reviewed to ensure it remains relevant and that control measures are effective. Regular reviews help catch changes in circumstances or new risks.

11. Status

Indicate the current state of the risk, such as Open, Closed, Monitoring, or Action in Progress, to give a clear snapshot of where each risk stands at a glance.

Step-by-Step: How to Complete an NDIS Risk Register

Completing an NDIS Risk Register doesn’t need to be complicated. The key is to follow a clear and consistent process. Here’s how to do it properly:

Step 1: Identify Risks

The first step is to list anything that could impact participants, staff, compliance, operations, or finances. Review incident reports, complaints, audit findings, staff feedback, and service changes.
Common risks include medication errors, expired worker screening, missed claims, data breaches, participant falls, poor documentation, and infection control issues.

Step 2: Assess Likelihood

Decide how often the risk could realistically happen.

Example:

  • Rare: has never occurred
  • Possible: could happen occasionally
  • Likely: has happened before

Be honest. Auditors prefer realistic assessments over optimistic ones.

Step 3: Assess Consequence

If the risk happens, what is the impact?

Consider:

  • Participant harm
  • Regulatory action
  • Financial loss
  • Reputation damage
  • Service disruption

Example:

A medication error may have a Major or Severe consequence depending on circumstances.

Step 4: Calculate Risk Rating

Use a simple risk matrix:

Likelihood / Consequence | Minor  | Moderate | Major  | Severe
Rare                     | Low    | Low      | Medium | Medium
Possible                 | Low    | Medium   | High   | High
Likely                   | Medium | High     | High   | Extreme

High and Extreme risks require immediate action.

Step 5: Record Existing Controls

Document what you already have in place. Examples:

  • Staff induction training
  • Mandatory medication competency
  • Supervision processes
  • Policies and procedures
  • Insurance coverage
  • Secure client management system

Step 6: Assign Responsibility

Allocate a clear owner to manage and monitor the risk. Examples: Director, Compliance Manager, Clinical Lead, Operations Manager.

No owner = no accountability.

Step 7: Review Regularly

Review the register at least annually, and after major incidents, audits, or service changes.

Remember, a risk register is a living document - not something you create once and forget.
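As an added illustration (not code from this guide or from Imploy), here is the Step 4 matrix as a lookup, together with a check that flags the register gaps Steps 6 and 7 warn about: no responsible person, a missing or overdue review date, a duplicate Risk ID, and an open High or Extreme risk. The matrix uses the three likelihood and four consequence levels exactly as printed in Step 4; the sample rows, names and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple
# Risk matrix exactly as laid out in Step 4 (Likelihood x Consequence -> rating).
MATRIX = {
    "Rare":     {"Minor": "Low",    "Moderate": "Low",    "Major": "Medium", "Severe": "Medium"},
    "Possible": {"Minor": "Low",    "Moderate": "Medium", "Major": "High",   "Severe": "High"},
    "Likely":   {"Minor": "Medium", "Moderate": "High",   "Major": "High",   "Severe": "Extreme"},
}
IMMEDIATE_ACTION = {"High", "Extreme"}  # Step 4: these ratings need immediate action
@dataclass
class Risk:  # one register row; field names follow the guide's columns
    risk_id: str
    description: str
    likelihood: str
    consequence: str
    responsible_person: str = ""
    review_date: Optional[date] = None
    status: str = "Open"
def risk_rating(likelihood: str, consequence: str) -> str:
    # Look the pair up in the matrix; reject levels the matrix does not define.
    try:
        return MATRIX[likelihood][consequence]
    except KeyError:
        raise ValueError(f"not on the matrix: {likelihood}/{consequence}") from None

def register_findings(risks: List[Risk], today: date) -> List[Tuple[str, str]]:
    """Flag the guide's common mistakes: duplicate IDs, no owner, missing or overdue review date."""
    findings, seen = [], set()
    for r in risks:
        if r.risk_id in seen:
            findings.append((r.risk_id, "duplicate Risk ID"))
        seen.add(r.risk_id)
        rating = risk_rating(r.likelihood, r.consequence)  # raises on an undefined level
        if not r.responsible_person.strip():
            findings.append((r.risk_id, "no responsible person"))
        if r.review_date is None:
            findings.append((r.risk_id, "no review date"))
        elif r.review_date < today:
            findings.append((r.risk_id, "review date overdue"))
        if rating in IMMEDIATE_ACTION and r.status == "Open":
            findings.append((r.risk_id, f"{rating} rating: immediate action required"))
    return findings

# Constructed sample rows (not from the guide); names and dates are made up.
SAMPLE = [
    Risk("R-001", "Medication error during support", "Possible", "Major", "Clinical Lead", date(2026, 8, 1)),
    Risk("R-002", "Expired worker screening", "Possible", "Moderate", "", date(2026, 8, 1)),
    Risk("R-003", "Data breach of participant records", "Rare", "Severe", "Director", date(2025, 12, 1)),
]
```

Running `register_findings(SAMPLE, <today>)` with a review date of 2026-08-01 still in the future flags R-001 as High and awaiting action, R-002 as having no owner, and R-003 as overdue for review.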

Common Mistakes Providers Make

Even providers with good intentions can get risk management wrong. Often, the issue isn’t having no risk register - it’s having one that isn’t properly completed, maintained, or embedded into everyday practice.

  • Using a generic template without tailoring it
  • Not calculating risk ratings
  • No assigned responsible person
  • No review dates
  • Not linking risks to policies
  • Treating it as a tick-box document
  • Never updating it

During audits, these issues often lead to non-conformities.

How Imploy Helps NDIS Providers Manage Risk

Managing risk manually becomes difficult as your organisation grows.

Imploy supports providers by helping:

  • Track compliance documents
  • Monitor staff credentials
  • Centralise incident reporting
  • Maintain digital documentation
  • Generate audit-ready reports
  • Set reminders for review dates

Instead of scattered spreadsheets, everything is managed in one system - making compliance simpler and more reliable.

Streamline Your NDIS Risk Management with Imploy

Imploy helps NDIS providers manage risks efficiently, ensuring participant safety, regulatory compliance, and audit readiness – all in one centralised system.

  • Track, assess, and monitor risks across operations, clinical care, compliance, and WHS
  • Assign clear responsibility and follow-up actions for every identified risk
  • Maintain audit-ready documentation aligned with NDIS Practice Standards
  • Automate reminders for regular risk reviews and updates

Build a practical, risk-based management system. Protect participants and staff, reduce compliance risk, and strengthen governance with Imploy.

Final Thoughts

An NDIS Risk Register is not just a compliance requirement - it is a business protection tool.

It helps you:

  • Safeguard participants
  • Protect staff
  • Reduce regulatory risk
  • Strengthen governance
  • Build a sustainable NDIS organisation

Start simple. Identify your major risks. Assign responsibility. Review regularly. Improve over time. Strong risk management isn’t about avoiding problems entirely - it’s about being prepared.

FAQs

1. What is an NDIS Risk Register?
An NDIS Risk Register is a structured document used to identify, assess, and manage potential risks in your service. It helps providers prevent harm, maintain compliance, and demonstrate strong governance.

2. Do I need both a Risk Register and an Incident Register?
Yes. A Risk Register is proactive and focuses on potential risks, while an Incident Register is reactive and records events that have already occurred. Both are required under NDIS regulations.

3. What should be included in a Risk Register?
Core elements include:

  • Risk ID
  • Risk Description
  • Risk Category (Operational, Clinical, Financial, WHS, Compliance, Reputational)
  • Likelihood
  • Consequence
  • Risk Rating
  • Existing Controls
  • Additional Controls Required
  • Responsible Person
  • Review Date
  • Status

4. How do I assess risk?
Use a combination of Likelihood and Consequence. For example, a risk that is “Likely” and has a “Major” consequence would result in a High risk rating. High and Extreme risks require immediate action.

5. How often should a Risk Register be reviewed?
At least annually, or more often after major incidents, audits, or service changes. Regular reviews ensure risks are up-to-date and control measures remain effective.

6. Who is responsible for maintaining the Risk Register?
Each risk should have a designated owner, such as a Director, Compliance Manager, Clinical Lead, or Operations Manager. Without a responsible person, accountability is lost.
