NDIA Risk Management Policy/ies and Procedure/s

Currently waiting for a response from the National Disability Insurance Agency, who should respond promptly.

Dear National Disability Insurance Agency,

Please provide a copy of the NDIA’s current Risk Management Policy/ies and Procedures, including all past versions. That is, all NDIA Risk Management Policies and Procedures since 2013, up to and including Jun 21.


Section 125B of the National Disability Insurance Scheme Act, 2013 provides broad guidance for the ‘management of risk’ [1]. More specifically, the companion National Disability Insurance Scheme – Risk Management Rules 2013 (RMR) specifies the requirement for a risk management framework for identifying, assessing, mitigating and monitoring all sources of risk; including operational, systems, processes and people in both standalone or combination [2] configurations. Expanding upon this guidance, the supporting Explanatory Statement (accompanying the legislative instrument) specifies the requirement for the Board to establish, maintain and review the risk management framework, inclusive of policies and procedures [3], in addition to citing ISO 31000:2009 Risk Management and ‘insurance-based principles’ with prior technical input from the Australian Prudential Regulatory Authority (APRA). Both ISO 31000:2019 [4] and APRA’s CPS 220 [5] cite the requirement for clear, written risk management policies and procedures as part of a prescribed risk management framework. This guidance is further articulated in more detail in APRA’s Prudential Standard CPS 220: Risk Management [6].

While the NDIA Annual Report 2013-14 declares “The NDIA Board established its governance procedures and implemented an extensive risk management system”, in addition to declaring the adoption of APRA’s CPS 220 Risk Management standard [7] and the formation of an Audit and Risk Committee in compliance with section 32 of the Commonwealth Authorities and Companies Act, there appears a lack of public access and assurance of said declarations. However, both the RMR and CPS 220 are reaffirmed in the NDIA 2015-2016 Annual Report [8]. Furthermore, a dedicated Risk Committee was formed a couple of years later [9], which again affirmed the use of CPS 220 [10], which is aligned with ISO 31000 (as is the Commonwealth Risk Management Policy [12]); in addition to being routinely cited by the Australian National Audit Office [23]. Whereas the NDIS’ adherence to ‘insurance-based principles’ was cited again recently with regards to Personalised Budgets, including an emphasis on evidence-based decision making [16], public information on existing risk management policy and procedure was not included. Moreover, the NDIS Insurance Principles and Financial Sustainability Manual [12] appears to lack mention of or alignment to the NDIS Risk Management Rules 2013, CPS 220 and ISO 31000.

Reinforcing guidance and normative risk management standards, the Governance Institute of Australia also supports and incorporates the ISO standard for Risk Management as better practice for boards and company directors as part of public/private sector risk management frameworks, policies and procedures [24]. It is commendable the NDIA is aligned to these corporate and technical standards. By comparison, numerous Commonwealth entities [13,14,21,22] and State Government entities [15] document and disclose Risk Management Policies and Procedures to the public. Paradoxically, NDIS providers offer generic risk management governance, policy, controls and templates as guidance [18,19,20], seemingly supporting the expert view that “Good risk oversight requires overseers to exercise challenge by asking good questions about risk management” [17].

Thank you for your assistance.

Yours faithfully,



1. Australian Government (2013) National Disability Insurance Scheme Act 2013. Available at: <https://www.legislation.gov.au/Details/C...>. Accessed [8 Jun 21]
2. Australian Government (2013) National Disability Insurance Scheme – Risk Management Rules 2013: Legislative Instrument. Available at: <https://www.legislation.gov.au/Details/F...>. Accessed [8 Jun 21]
3. Australian Government (2013) National Disability Insurance Scheme – Risk Management Rules 2013: Explanatory Statement. Available at: <https://www.legislation.gov.au/Details/F...>. Accessed [9 Jun 21]
4. International Standards Organisation (2009) AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines.
5. Australian Prudential Regulatory Authority (2018) Prudential Practice Guide CPG 220 Risk Management. Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [9 Jun 20]
6. Australian Prudential Regulatory Authority (2017) Prudential Standard CPS 220: Risk Management. Available at: <https://www.apra.gov.au/sites/default/fi...>. Accessed [9 Jun 20]
7. National Disability Insurance Agency (2014) Annual Report. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [6 Jun 21]
8. National Disability Insurance Agency (2016) Annual Report. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [6 Jun 21]
9. National Disability Insurance Agency (2018) Annual Report. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [6 Jun 21]
10. National Disability Insurance Agency (2019) Annual Report. Available at: <https://www.ndis.gov.au/about-us/publica...>. Accessed [6 Jun 21]
11. Department of Finance (2014) Commonwealth Risk Management Policy. Available at: <https://www.finance.gov.au/government/co...>. Accessed [9 Jun 21]
12. NDIS (2016) National Disability Insurance Scheme: Insurance Principles and Financial Sustainability Manual, Version 5, dated November 2016. Available at: <https://www.ndis.gov.au/media/833/download>. Accessed [9 Jun 21]
13. Department of Foreign Affairs and Trade (2019) Risk Management for Aid Investments. Available at: <https://www.dfat.gov.au/sites/default/fi...>. Accessed [9 Jun 21]
14. Tourism Australia (2019) Risk Management Policy and Procedure. Available at: <https://www.tourism.australia.com/conten...>. Accessed [7 Jun 21]
15. New South Wales Government (2019) Risk Management Framework: Audit Office of New South Wales. Available at: <https://www.audit.nsw.gov.au/sites/defau...>. Accessed [9 Jun 21]
16. NDIS (2021) Personalised Budgets: Proposal for a new NDIS budget model, Technical Information Paper, Version 1.0, dated June 2021. Available at: <https://www.ndis.gov.au/about-us/improvi...>. Accessed [9 Jun 21]
17. Powers, M. (2011) Smart and Dumb Questions to Ask About Risk Management, Risk Watch, The Conference Board of Canada, pp. 2-5. Available at: <https://web.archive.org/web/201703171812...>. Accessed [8 Jun 21]
18. National Disability Services (2019) Risk Management Policy Template. Available at: <https://www.nds.org.au/images/resources/...>. Accessed [8 Jun 21]
19. National Disability Services (2011) Risk Management and Controls Model: For Disability Services. Available at: <https://www.nds.org.au/images/resources/...>. Accessed [8 Jun 21]
20. National Disability Services (2010) Governance Structure and Charter: Risk Management Resource. Available at: <https://www.nds.org.au/images/resources/...>. Accessed [8 Jun 21]
21. CSIRO (2019) Risk Policy, Commonwealth Scientific and Industrial Research Organisation. Available at: <https://www.csiro.au/en/about/Policies/R...>. Accessed [9 Jun 21]
22. RBA (2019) Risk Management Policy, Reserve Bank of Australia. Available at: <https://www.rba.gov.au/about-rba/our-pol...>. Accessed [9 Jun 21]
23. ANAO (2017) The Management of Risk by Public Sector Entities, Australian National Audit Office. Available at: <https://www.anao.gov.au/work/performance...>. Accessed [9 Jun 21]
24. Governance Institute of Australia (2016) Risk Management for Directors: A Handbook. Available at: <https://www.linkwest.asn.au/documents/it...>. Accessed [9 Jun 21]

foi, National Disability Insurance Agency

Thank you for contacting the National Disability Insurance Agency (NDIA).


Freedom of Information


If your message is a request for access to documents under the
Freedom of Information Act 1982 (FOI Act), we will acknowledge it within
14 days of receipt. We may be in touch with you sooner if your request is
too large or vague.


We are committed to processing all requests as quickly as possible.  We
will keep in regular contact with you, especially if there's any delay in
making a decision.


Further information about FOI is available on our website:


Please contact us at [2][NDIA request email] if you have any questions or
require help.


Participant Information Access


If you are an NDIS participant and you are seeking access to your own
personal information, you can make a request online under our Participant
Information Access (PIA) process.


To make a request, please complete our online request form:


Please contact us at [4][email address] if you have any
questions or require help.


Other enquiries


If your message is for something else, you should direct it to
[5][email address].


If your message is received outside our business hours of 9am to 5pm
(AEST), Monday to Friday or on a public holiday, we will action it on the
next business day.


If your message is urgent, you can call our National Contact Centre on 1800
800 110.


Warm regards


Email: [6][email address]


Visible links
1. https://www.ndis.gov.au/about-us/policie...
2. mailto:[NDIA request email]
3. https://www.ndis.gov.au/about-us/policie...
4. mailto:[email address]
5. mailto:[email address]
6. mailto:[email address]