
NDIS Risk Management and WHS Risk Management - Key Differences and How They Work Together

BlueSafe Technical Team, 12 June 2026

Quick answer: NDIS providers operate under two distinct risk management frameworks at the same time. One is focused on participant safety and quality of support under the NDIS Practice Standards. The other is focused on worker safety under WHS legislation. Neither replaces the other, and both require active management.

Last reviewed: June 2026 by the BlueSafe Technical Team.

NDIS and WHS regulations change frequently. Always verify current requirements with the NDIS Commission and your relevant state or territory WHS regulator before making compliance decisions. Nothing in this guide is legal advice.

Running an NDIS provider means managing two parallel risk obligations. They are often confused or merged incorrectly, and most commonly only one of them gets proper attention.

This guide explains how each framework works, where they differ, where they meet, and how to maintain both without duplicating unnecessary effort.

At a glance

| Feature | NDIS risk management | WHS risk management |
| --- | --- | --- |
| Primary focus | Risk to participants | Risk to workers |
| Legal framework | NDIS Act 2013, NDIS Practice Standards | Work Health and Safety Act (jurisdiction-specific) |
| Regulator | NDIS Quality and Safeguards Commission | State/territory WHS regulator |
| Who it protects | Participants receiving supports | Workers, contractors, volunteers |
| Covers restrictive practices | Yes | No |
| Covers manual tasks, falls, hazardous substances | Not primarily | Yes |
| Register required | Yes (risk management is a Practice Standard requirement) | Yes (hazard register is a WHS requirement) |
| Common overlap area | Environments where both workers and participants are present | Same |

What is NDIS risk management?

NDIS risk management is the structured process by which a registered provider identifies, assesses, and controls risks to participants receiving NDIS-funded supports.

The obligation sits within the NDIS Practice Standards. Registered providers must demonstrate they have systems to:

  • identify risks that could affect participant safety, wellbeing, or quality of supports
  • assess the likelihood and consequence of those risks
  • implement controls and review their effectiveness
  • connect risk management to service planning and individual support plans
  • document the process and decisions

Key risk areas under the NDIS Practice Standards include:

  • risks arising from the nature of the supports being delivered
  • risks associated with participant health, behaviour, and complex needs
  • risks relating to restrictive practices and authorisation
  • risks from the operating environment, including transport, community access, and accommodation
  • risks to participant rights and dignity

The NDIS risk framework is participant-centred. The question being answered is: what could go wrong for this person, in this context, given their specific needs and circumstances?

For more on the broader NDIS compliance context, see our guide on NDIS and WHS obligations for providers.

What is WHS risk management?

WHS risk management is the process required under the Work Health and Safety Act to identify hazards, assess risks, and implement controls to protect workers.

In the context of an NDIS provider, workers include:

  • paid employees at all levels
  • contractors and subcontractors
  • volunteers who perform work for the business

The WHS risk management process follows the hierarchy of controls — elimination, substitution, isolation, engineering controls, administrative controls, and personal protective equipment — applied in that order of preference.

Common hazard categories for NDIS providers include:

  • manual handling and physical tasks during personal care
  • hazardous environments (for example, cluttered homes, uneven surfaces, inadequate lighting)
  • client-initiated violence and aggression
  • working in isolation or after hours
  • driving and vehicle safety
  • infectious disease and infection control
  • psychological hazards including vicarious trauma, workload, and poor support structures

The WHS framework is worker-centred. The question being answered is: what hazards exist in this workplace, and what is the risk to the people doing the work?

For a step-by-step guide to the WHS process, see How to Conduct a WHS Risk Assessment.

How the two frameworks differ

The most important distinction is the focus of protection.

NDIS risk management protects the person receiving supports. WHS risk management protects the person delivering supports. Both are legally required. Both need documented systems. Neither substitutes for the other.

Beyond focus, the frameworks differ in several practical ways:

Restrictive practices. NDIS risk management includes obligations around the use of restrictive practices — including assessment, authorisation, and monitoring. This is entirely absent from WHS obligations.

Behaviour support. Participant behaviour that creates safety concerns must be addressed in participant risk planning and, where relevant, through a behaviour support plan. The WHS framework addresses the risk that behaviour poses to workers, but through a different lens and different controls.

Individual vs systemic focus. NDIS risk management frequently operates at the individual participant level — assessing the specific risks for each person and their support plan. WHS risk management typically operates at the workplace or task level, identifying hazards across roles and environments.

Regulator. NDIS compliance is overseen by the NDIS Commission. WHS compliance is overseen by the relevant state or territory WHS regulator. Reporting a matter to one does not satisfy an obligation to the other.

Where the two frameworks overlap

For NDIS providers, there is significant practical overlap because participants and workers often share the same environments.

The most common overlap areas are:

Aggression and challenging behaviour. A participant with a history of physical aggression creates a participant risk (for the person themselves and others they interact with) and a WHS risk (for the worker managing the behaviour). Both frameworks require a response, and the controls — de-escalation plans, environmental adjustments, staffing ratios — may be the same document, but the obligation in each direction is separate.

Residential and in-home supports. A worker providing support in a participant's home faces WHS hazards in an environment the provider does not fully control. The same environment may also contain risks to the participant. Both require assessment.

Transport. Vehicle safety and driving risk are WHS matters for workers. Transport risk for participants — including restraint systems, communication during travel, and emergency response — is an NDIS matter. A transport risk assessment should address both.

Infection control. In a provider's facility or during personal care, infection control protects both participants and workers. Controls will often be the same, but the legal obligation runs in both directions.

Benefits of an integrated risk register

Many providers maintain separate NDIS and WHS risk registers. This works, but it creates the risk that overlapping risks are assessed inconsistently or that controls applied for one framework do not account for the other.

An integrated risk register — one document that tags each risk against the relevant framework or frameworks — offers several advantages:

  • leadership sees the full risk picture in one place
  • dual-impact risks are identified and controlled once, consistently
  • review cycles can be coordinated
  • audit readiness is simpler when there is a single source of record
  • it reduces the chance that a WHS control inadvertently creates a participant risk, or vice versa

The integration does not mean collapsing the obligations. Each risk entry should still identify which framework applies, which regulator is relevant, and which review process governs it.

A well-structured integrated register will typically include columns or tags for: risk description, risk category (participant / worker / both), applicable framework (NDIS / WHS / both), likelihood, consequence, current controls, residual risk rating, review date, and responsible person.

Practical steps for providers

  1. Map your risks separately first. Before integrating, make sure you have completed a proper NDIS risk assessment across your service types and a proper WHS hazard identification across your work environments. Gaps in one will not be obvious until they cause a problem.
  2. Identify dual-impact risks explicitly. For each risk, ask whether it could affect a participant, a worker, or both. Document the answer.
  3. Align your review cycles. Both frameworks require ongoing review, not a one-time exercise. Set a common review schedule and tie it to incidents, changes in service delivery, and new participants with complex needs.
  4. Train staff on the distinction. Workers and team leaders should understand that a concern about a participant's safety is different from a concern about their own safety — and that both should be reported through the right channel.
  5. Verify your obligations with the relevant regulators. The NDIS Practice Standards and WHS legislation are not static. What is required today may be updated. Check with the NDIS Commission and your state or territory WHS regulator when in doubt.

Frequently asked questions

Are NDIS risk management and WHS risk management the same thing?

No. NDIS risk management focuses on risks to participants under the NDIS Practice Standards, while WHS risk management focuses on hazards to workers under the Work Health and Safety Act. Both apply to registered NDIS providers.

Do NDIS providers need both an NDIS risk register and a WHS risk register?

Providers need to address both frameworks. They can use a single integrated register that identifies which risks sit under which obligation, provided neither set of risks is overlooked.

What happens if a risk affects both a participant and a worker?

Dual-impact risks should be assessed under both frameworks. The controls may be shared, but the legal obligations and review processes remain separate.

Which regulator oversees each framework?

The NDIS Quality and Safeguards Commission oversees NDIS Practice Standards compliance. The relevant state or territory WHS regulator oversees WHS obligations.
