NDIA Procurement Risk Management Policy/ies and Procedure/s

Currently waiting for a response from National Disability Insurance Agency, they should respond promptly and normally no later than (details).

Dear National Disability Insurance Agency,

Please provide a copy of the NDIA’s Procurement Risk Management Policy/ies and Procedure/s, in addition to all prior versions. That is, all NDIA Procurement Risk Management policies and procedures created and used by the NDIA since 2013, up to and including Jun 2021.


The Department of Finance advises that “Procurement is the process of acquiring goods and services. It begins when a need has been identified and a decision has been made on the procurement requirement. Procurement continues through the processes of risk assessment, seeking and evaluating alternative solutions, and the awarding and reporting of a contract” in section 2.7 of the Commonwealth Procurement Rules [1]. Moreover, section 8.2 of the same rules specifies that “Relevant entities must establish processes to identify, analyse, allocate and treat risk when conducting a procurement. The effort directed to risk assessment and management should be commensurate with the scale, scope and risk of the procurement. Relevant entities should consider risks and their potential impact when making decisions relating to value for money assessments, approvals of proposals to spend relevant money and the terms of the contract” [2]… inclusive of “procurement security risk, including in relation to cyber security risk, in accordance with the Australian Government’s Protective Security Policy Framework” [3].

More specifically, “Budget Policy requires that entities complete a Risk Potential Assessment Tool (RPAT) for each New Policy Procedure (NPP) with an estimated financial implication of $30 million or above. The RPAT may still be used as an opt-in better practice measure for NPPs with financial implications of less than $30 million” [4], augmenting supporting guidance more extensive risk management policy and procedure identifiable in the Commonwealth Risk Management Policy [5]. These would be in addition to the NDIS Risk Management Rules [6], supporting the Australian National Audit Office’s observation that “risk management should be an integral part of the way the Australian public sector conducts business” [7] by means of a risk assessment to “anticipate and identify risks before they arise rather than to deal with them once they have” [8], also advising that “entities ensure risk management and probity considerations are commensurate with the scale, scope and risks of the procurement when procuring from pre-existing arrangements” and “when allocating a risk rating to a procurement it is useful to document why the procurement was given that rating. This can assist officials to ensure the risk assessment process was sufficiently thorough and can assist in monitoring risks over the course of the procurement.” [9]

Thank you for your assistance.

Yours faithfully,



1. Australian Government (2020) Commonwealth Procurement Rules, Department of Finance. Available at: <https://www.finance.gov.au/sites/default...>. Accessed [9 Jun 21]
2. Ibid
3. Ibid
4. Australian Government (2016) Risk Potential Assessment Tool: Resource Management Guide No.107. Available at: <https://www.finance.gov.au/sites/default...>. Accessed [9 Jun 21]
5. Australian Government (2014) Commonwealth Risk Management Policy, Department of Finance. Available at: <https://www.finance.gov.au/government/co...>. Accessed [9 Jun 21]
6. Australian Government (2013) National Disability Insurance Scheme—Risk Management Rules 2013: Legislative Instrument. Available at: <https://www.legislation.gov.au/Details/F...>. Accessed [8 Jun 21]
7. ANAO (2017) The Management of Risk by Public Sector Entities: Across Entities, The Auditor General, ANAO Report No.6 2017-18. Available at: <https://www.anao.gov.au/work/performance...>. Accessed [9 Jun 21]
8. ANAO (2020) Procurement of Garrison Support and Welfare Services: Department of Home Affairs, The Auditor General, Auditor-General Report No.37, 2019-20 Performance Audit. Available at: <https://www.anao.gov.au/sites/default/fi...>. Accessed [9 Jun 21]
9. ANAO (2020) Establishment and Use of ICT Related Procurement Panels and Arrangements: Across Entities, The Auditor-General, Auditor-General Report No.4 20220-21 Performance Audit. Available at: <https://www.anao.gov.au/sites/default/fi...>. Accessed [9 Jun 21]

foi, National Disability Insurance Agency

Thank you for contacting the National Disability Insurance Agency (NDIA).


Freedom of Information


If your message is a request for access to documents under the
Freedom of Information Act 1982 (FOI Act), we will acknowledge it within
14 days of receipt. We may be in touch with you sooner if your request is
too large or vague.


We are committed to processing all requests as quickly as possible.  We
will keep in regular contact with you, especially if there's any delay in
making a decision.


Further information about FOI is available on our website:


Please contact us at [2][NDIA request email] if you have any questions or
require help.


Participant Information Access


If you are an NDIS participant and you are seeking access to your own
personal information, you can make a request online under our Participant
Information Access (PIA) process.


To make a request, please complete our online request form:


Please contact us at [4][email address] if you have any
questions or require help.


Other enquiries


If your message is for something else, you should direct it to
[5][email address].


If your message is received outside our business hours of 9am to 5pm
(AEST), Monday to Friday or on a public holiday, we will action it on the
next business day.


If your message is urgent, you can call our National Contact Centre on 1800
800 110.


Warm regards


Email: [6][email address]


Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. mailto:[NDIA request email]
3. https://www.ndis.gov.au/about-us/policie...
4. mailto:[email address]
5. mailto:[email address]
6. mailto:[email address]