Quick answer: NDIS incident management is about more than reacting when something goes wrong. Registered providers need a working system for internal reporting, investigation, and external notification of reportable incidents to the NDIS Commission.
Last reviewed: March 2026 by the BlueSafe Technical Team.
NDIS regulations change frequently. Always verify current requirements with the NDIS Commission before making compliance decisions.
NDIS providers often confuse incident management with a single report form. In practice, it is a broader system covering escalation, investigation, record keeping, regulatory notification, and learning.
At a glance
| Item | Summary |
|---|---|
| Who needs the system | Registered NDIS providers |
| What triggers external reporting | Certain reportable incident categories |
| Initial notification timing | 24 hours according to the approved page notes |
| Follow-up report timing | 5 business days according to the approved page notes |
| Internal system must cover | Reporting, investigation, records, corrective action |
| Common risk | Treating incident management as paperwork instead of an operating process |
What is NDIS incident management?
Incident management is the provider's system for:
- identifying incidents
- escalating them internally
- protecting the participant and others
- investigating what happened
- deciding whether the matter is reportable
- recording actions and improvements
The process needs to work quickly and consistently, especially when the event may be a reportable incident.
Reportable incident categories
| Category | Initial notification timing | Notes |
|---|---|---|
| Death of a participant | Within 24 hours | Serious category identified in the approved notes |
| Serious injury | Within 24 hours | Assess promptly and preserve records |
| Abuse or neglect | Within 24 hours | Immediate safeguarding response is critical |
| Unlawful physical or sexual contact | Within 24 hours | Escalate urgently |
| Unauthorised restrictive practice | Within 24 hours | Check behaviour-support and authorisation status |
| Serious endangerment of health or safety | Within 24 hours | Assess whether the facts meet the threshold |
The exact reporting details should always be verified against current Commission guidance, especially when the facts are complex.
The 24-hour notification and 5-day report process
- Make the immediate situation safe.
- Escalate the incident internally.
- Assess whether it meets a reportable category.
- Submit the initial notification within the required timeframe.
- Gather facts, records, and supporting information.
- Submit the fuller written report within the 5-business-day timeframe allowed by the page spec.
- Track corrective actions and system improvements.
The biggest operational problem is delay at step 3. If workers do not know what to escalate, the timeframe risk starts immediately.
Who is responsible for reporting?
The provider organisation is responsible for having a reporting process and ensuring the right person makes the notification.
That usually means the business should define:
- who triages serious incidents
- who decides whether the incident is reportable
- who submits the external notification
- who monitors follow-up actions
Without clear role ownership, reporting delays become more likely.
What an incident management system must contain
- a clear incident definition
- internal escalation steps
- decision points for reportable incidents
- investigation procedures
- record keeping requirements
- corrective action and review process
- leadership oversight
A provider does not need a complex system. It does need one that actually works under pressure.
Internal reporting by workers
The system fails if workers are unsure what to report, who to tell, or how quickly to escalate.
Training should make it clear:
- what counts as an incident
- what needs urgent escalation
- how to document facts without delay
- who can support immediate response decisions
NDIS incident reporting vs WHS notifiable incidents
NDIS incident obligations and WHS incident obligations can overlap, but they are not the same system.
| Issue | NDIS Commission | WHS regulator |
|---|---|---|
| Reportable participant safety incident | May apply | May or may not apply |
| Serious worker safety event | May or may not apply | May apply |
| Investigation and corrective action | Yes | Yes |
| Legal framework | NDIS | WHS |
NDIS providers should not assume that reporting to one regulator covers the other.
Consequences of failing to report
The most immediate consequence is compliance exposure. But operationally, failure to report also means:
- leadership loses visibility
- patterns are missed
- safeguarding weaknesses continue
- audit risk increases
A poor incident system is often a sign of a broader governance problem.
State and territory variations
The NDIS incident framework is national, but some related interfaces such as police, child protection, restrictive-practice approvals, or WHS reporting can involve state and territory processes.
Providers should keep the NDIS reporting system clear while verifying those adjacent obligations where relevant.
Related guides
- NDIS Policies and Procedures - Complete List of What Registered Providers Need
- How to Prepare for an NDIS Audit - Checklist and What Auditors Look For
- Notifiable Incidents: What Must Be Reported to SafeWork Under WHS Law
Frequently asked questions
What is a reportable incident under the NDIS?
A serious incident category that must be notified to the NDIS Commission.
How quickly must a reportable incident be notified?
The approved page notes say within 24 hours, followed by a fuller report within 5 business days.
Do unregistered providers have the same reporting duty?
No, not under the same registered-provider incident reporting framework.
What should an incident management system include?
Clear definitions, escalation steps, investigation, record keeping, notification rules, and review.