Risk Management: NDIS Provider Governance and Operational Management


Published: 15 August 2021

Providers of National Disability Insurance Scheme (NDIS) services must ensure that a risk management system is in place in order to protect NDIS participants, workers, the general public and the organisation itself from harm.

What is Risk Management?

Risk management is the process of identifying, assessing and controlling risks. It should be a proactive, planned and systematic process that addresses all potential hazards and risks in the workplace. Risk assessment is not a once-off task; it should be an ongoing process that responds to changes in the workplace and allows for continuous improvement. It should also be performed before undertaking any hazardous work activities (Safe Work Australia 2018).

Under the NDIS, a risk management system should comprise:

(NDIS 2020)

Benefits of Risk Management

Effective risk management can help to:

  • Protect the safety and wellbeing of participants, workers and the general public
  • Reduce the risk of adverse events, or harm from adverse events
  • Optimise the results of positive events
  • Ensure efficient and effective services
  • Ensure facilities and equipment are managed and maintained
  • Enhance confidence in the provider’s services
  • Ensure the provider operates within its allocated budget
  • Reduce the risk of legal action being taken against the provider
  • Ensure the provider follows legislative or funding requirements
  • Ensure that risk management strategies implemented are cost-effective.

(Real Living Options 2018; NDS 2016)

Risk Management in the NDIS Practice Standards

Risk management is a requirement of the NDIS Practice Standards under Core Module 2: Provider Governance and Operational Management.

This Practice Standard aims to ensure that any risks to NDIS participants, workers and the provider are identified and managed (NDIS 2020).

NDIS providers must meet the following quality indicators:

  • Any risks are identified, analysed, prioritised and treated. These risks may include:
    • Risks to NDIS participants
    • Risks to workers
    • Risks to business operations
    • Risks to service provision
  • Providers have a documented system in place to effectively manage risks. This risk management system should be relevant and proportional to the size and scale of the provider, as well as the scope and complexity of the services being delivered.
  • The delivery of supports should be linked to a risk management system.

(NDIS 2020; WAAMH 2021)

The Risk Management Process

There are four steps in the risk management process:

  1. Identify hazards.
  2. Assess risks.
  3. Control risks.
  4. Review control measures.

(Safe Work Australia 2018)

Risk management should be conducted together with the participant, and any control measures should be implemented as part of their care or service plan (QLD Gov 2018).

1. Identify Hazards


Hazards are any objects or situations that have the potential to cause harm. Some hazards may be an inevitable part of your work, but others may be the result of accidents or failures (Safe Work Australia 2018).

There are a variety of hazards involved in the delivery of NDIS supports that may affect participants, staff, providers or the general public, including (but not limited to):

  • Manual handling
  • Work-related stress
  • Occupational violence
  • Slips, trips and falls
  • Bullying and harassment
  • Physical hazards
  • Participant dissatisfaction
  • Loss of government funding or changes to funding
  • Equipment (e.g. wheelchairs or lifting hoists)
  • Inadequate allocation of human, physical, financial or other resources
  • Financial hazards/mismanagement
  • Fraud
  • Failure to comply with legislation
  • Confidentiality breaches
  • Service disruption or closure
  • Lack of staff
  • System or technology failures
  • Difficulty retaining staff.

(Work Safe Victoria 2021; Real Living Options 2018; Sykes 2016)

2. Assess Risks

Once a hazard has been identified, the next step is to conduct a risk assessment. This will help you to determine the overall severity of the risk, whether existing control measures are effective, whether you need to take any further action, and how urgently further actions should be taken (Safe Work Australia 2018).

Note: If the particular risk is already well-known, with established control measures, a formal risk assessment may not be necessary (Safe Work Australia 2018).

Ask the following three questions:

1. How severe would the potential harm be?

  • What harm could occur as a result of the hazard? (e.g. injury, illness, death)
  • Are there any other factors that could influence the severity of potential harm? (e.g. the distance of a fall)
  • How many people could be harmed?
  • Are there any situations that could increase the severity of an accident?

2. How could harm occur?

  • What sequence of events could lead to harm occurring?
  • Can one or more of the events in the sequence be stopped or changed?

3. What is the likelihood of harm occurring?

  • Is it certain, very likely, likely, unlikely or rare?
  • How often does the hazard have the potential to cause harm?
  • How effective are current control measures (if any) in reducing the risk?
  • Could differences in operating conditions increase the risk?
  • Does the working environment increase the risk?
  • If harm occurs, how long would people be exposed to it for?
  • Could the likelihood be affected by the way people act or behave?
  • Does the likelihood depend on the people involved?

(WorkSafe VIC 2017)

3. Control Risks

The next step is to determine appropriate control measures for addressing the risk. Generally, the best way to control risk is to eliminate it as much as reasonably practicable. However, this is not always possible, as certain risks are inevitable (WorkSafe VIC 2017).

For example, the risk of passing an infectious disease on to a participant cannot be completely eliminated, because being able to physically visit their home is an essential component of the service you are providing.

In these cases, the next best option is to minimise the risk as much as reasonably practicable (WorkSafe VIC 2017).

The process of determining appropriate control measures involves:

  1. Identifying the appropriate options for control measures.
  2. Deciding the option(s) most suitable for eliminating or reducing the risk effectively.
  3. Implementing the chosen control measure(s).

(WorkSafe VIC 2017)

The Hierarchy of Control Measures


The hierarchy of control measures lists different types of control measures from most to least reliable. You should always aim for elimination, as it offers the highest level of protection and is most effective in reducing the risk of harm. However, if elimination is not feasible, you should work your way down the hierarchy until you find the next best option (Safe Work Australia 2018).

Keep in mind that the lower levels of the hierarchy are less effective because without eliminating the hazard, there is no way to completely eliminate the risk. Even if you are able to minimise the risk, it will still exist in some capacity (Safe Work Australia 2018).

As a general rule:

  1. Eliminating the risk is most effective.
  2. Changing the risk to minimise it is less effective.
  3. Changing how people behave and expose themselves to the risk is least effective.

(WorkSafe VIC 2017)


Elimination

Elimination involves completely removing the hazard and its associated risks.

This can be achieved through:

  • Not introducing the hazard in the first place
  • Removing the hazard (e.g. disposing of a hazardous object, refraining from going to a hazardous place).

(Safe Work Australia 2018)

Substitution, Isolation or Engineering Controls

The next best option is to either:

  • Substitute the hazard with a safer alternative
  • Physically isolate the hazard from people
  • Implement an engineering control (mechanical device or process) to reduce the risk (e.g. a trolley to move heavy objects).

(Safe Work Australia 2018)

Administrative Controls

Administrative controls are work methods or procedures that aim to minimise exposure to the hazard and provide appropriate information, training and instruction to staff. Examples include implementing new policies or using signs to warn people about a hazard (Safe Work Australia 2018).

Personal Protective Equipment (PPE)

PPE should be used to reduce any remaining risks. It must be used and worn correctly in order to be effective (Safe Work Australia 2018).

4. Review Control Measures

The final stage of the risk management process is to regularly check that control measures are working effectively. Control measures should be reviewed:

  • When they are not working effectively
  • Before changes that may cause new or different risks to arise
  • When new hazards or risks emerge
  • When a review is indicated or requested.

(Safe Work Australia 2018)

The Risk Management Process in Practice

Scenario: Shelley is a support worker who provides care to Tim, who uses a walking frame. When Shelley arrives at Tim’s home this morning, she realises that one of the wheels on Tim’s walking frame isn’t working properly.

1. Identify Hazard

In this case, the hazard is the dysfunctional wheel on Tim’s walking frame.

2. Assess Risk

In order to assess the risk, Shelley now needs to ask the following questions:

How severe would the potential harm be?
  • Tim could be seriously injured or harmed if the broken wheel causes him to slip or fall
How could harm occur?
  1. Tim attempts to mobilise using the walking frame
  2. The broken wheel causes Tim to slip or fall
What is the likelihood of harm occurring?
  • Harm could occur every time Tim uses the walking frame
  • Tim is at increased risk of injury due to his physical disability

3. Control Risk

Using the hierarchy of control, Shelley should now determine her options for controlling this risk.

  • Elimination: Shelley could remove the walking frame until it is repaired or a replacement arrives. However, this solution is not feasible, as Tim requires a mobility aid in order to go about his daily life.
  • Substitution: Shelley could provide Tim with an alternative mobility aid (e.g. walking stick) until the walking frame is repaired or replaced.
  • Isolation: Shelley could remove the walking frame and place it in another room.
  • Engineering controls: Shelley could utilise other forms of manual handling equipment in order to help Tim mobilise until his walking frame is repaired or replaced.
  • Administrative controls: Shelley could report the broken walking frame to the appropriate personnel and arrange for repair or replacement.
  • PPE: Shelley could ensure that Tim is wearing slip-resistant footwear until the walking frame is repaired or replaced.

4. Review Control Measures

Removing the broken frame, reporting the issue and using other safe manual handling equipment is the safest option until a new frame arrives. During this process, Shelley should check in with Tim to ensure he is still able to appropriately meet his daily needs. If not, this should be addressed.

Ausmed’s editorial team is committed to providing high-quality, well-researched and reputable education to our users, free of any commercial bias or conflict of interest. All education produced by Ausmed is developed in consultation with healthcare professionals and undergoes a rigorous review process to ensure the relevancy of all healthcare information and updates to changes in practice. If you have identified an issue with the education offered by Ausmed or wish to submit feedback to Ausmed's editorial team, please email ausmed@ausmed.com.au with your concerns.