Risk management is one of the seven quality indicators within NDIS Practice Standard 2. Auditors do not just want to see a risk policy — they want evidence that your risk management framework is actively used. AuditCore links your incident data, complaint records, and audit findings to your risk register automatically, creating a live, evidence-based risk framework.
What Your Risk Management Policy Must Include
- Purpose and scope — what risks the policy covers and who it applies to
- Risk appetite statement — your organisation's tolerance for different risk categories
- Risk identification process — how risks are identified (incidents, audits, staff reports)
- Risk assessment methodology — how risks are assessed for likelihood and consequence
- Risk treatment process — how risks are mitigated, accepted, transferred, or avoided
- Roles and responsibilities — who owns the risk register and who reviews it
- Review frequency — how often the risk register and policy are reviewed
- Integration with other systems — how risk links to incidents, complaints, and governance
AuditCore's Policy Library includes a pre-built NDIS Risk Management Policy template — mapped to Standard S2 and ready to customise for your organisation.
What Your Risk Register Must Show
A risk register is the live document that puts your policy into practice. Auditors check that it is current, that risks have been reviewed, and that treatment actions have owners and due dates.
| Column | What to Include |
|---|---|
| Risk ID | Unique identifier for each risk |
| Risk description | Clear description of the risk event and its potential impact |
| Risk category | Participant safety, financial, operational, compliance, reputational |
| Likelihood | Rating (1–5) with justification |
| Consequence | Rating (1–5) with justification |
| Risk rating | Combined score (Extreme, High, Medium, Low) |
| Treatment action | Specific steps to mitigate the risk |
| Risk owner | Named individual responsible for the treatment |
| Review date | Date the risk was last reviewed |
| Status | Open, in progress, closed |
AuditCore's Internal Audit AI checks your risk management framework against NDIS Practice Standard S2 indicators — flagging gaps before your auditor does.
How AuditCore Populates Your Risk Register
Every incident logged in AuditCore is analysed for risk implications. If an incident pattern emerges — three medication administration incidents in two months, for example — AuditCore flags it as a potential systemic risk and prompts you to create or update a risk register entry. Complaint patterns, audit findings, and CI Register items are linked to the risk register in the same way. The result is a risk register that actually reflects what is happening in your organisation.
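As an added illustration (not AuditCore's code), a small Python model of the register table above and the pattern rule described in this section: a risk rating derived from the 1–5 likelihood and consequence scales, a currency check on open rows, and the "three incidents in two months" flag. The score bands, the 90-day review cadence and the 62-day window are assumptions, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date

def risk_rating(likelihood: int, consequence: int) -> str:
    # Bands (>=15 Extreme, >=8 High, >=4 Medium) are assumed; the page gives only the scales.
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must be rated 1-5")
    score = likelihood * consequence
    return ("Extreme" if score >= 15 else "High" if score >= 8
            else "Medium" if score >= 4 else "Low")

@dataclass
class RiskEntry:  # one register row; columns follow the table above
    risk_id: str
    description: str
    category: str
    likelihood: int
    consequence: int
    treatment: str
    owner: str
    review_date: date
    status: str = "Open"
    def rating(self) -> str:
        return risk_rating(self.likelihood, self.consequence)

def overdue_reviews(register, today, max_age_days=90):
    # Unclosed rows whose last review is older than an assumed 90-day cadence.
    return [r.risk_id for r in register
            if r.status != "Closed" and (today - r.review_date).days > max_age_days]

def find_incident_patterns(incidents, window_days=62, threshold=3):
    # "Three incidents in two months": flag a type with >= threshold events in any window.
    by_type = {}
    for day, kind in incidents:
        by_type.setdefault(kind, []).append(day)
    flagged = set()
    for kind, days in by_type.items():
        days.sort()
        for i in range(len(days) - threshold + 1):
            if (days[i + threshold - 1] - days[i]).days <= window_days:
                flagged.add(kind)
                break
    return flagged

# Constructed sample data, not real incident or register records.
INCIDENTS = [(date(2024, 1, 5), "medication administration"), (date(2024, 1, 20), "fall"),
             (date(2024, 2, 2), "medication administration"), (date(2024, 5, 1), "fall"),
             (date(2024, 2, 25), "medication administration")]
REGISTER = [RiskEntry("R-001", "Medication error", "Participant safety", 4, 5,
                      "Double-sign medication charts", "Clinical Lead", date(2024, 1, 10)),
            RiskEntry("R-002", "Late NDIA invoicing", "Financial", 2, 2,
                      "Monthly billing reconciliation", "Finance Manager", date(2024, 4, 30))]
```

Running `find_incident_patterns(INCIDENTS)` flags only "medication administration" (three events within 51 days), while `overdue_reviews(REGISTER, date(2024, 4, 30))` returns the stale row R-001.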