Incident management is one of the important modules of the NDIS Standards. The NDIS Quality and Safeguards Commission encourages all providers to have a proper incident management system (IMS) in place. However, for registered providers, having an IMS is a mandatory requirement, as it is a condition for registration.
An IMS should be able to record and manage incidents that happen during the delivery of a support or service to a participant. Effective management of incidents allows providers to respond appropriately to any unexpected situation and ensures the health and safety of everyone involved. Therefore, incident management is not just an administrative function but rather a well-defined approach to protect participants and to prevent future harm.
What Is an “Incident”?
An incident is defined as the occurrence of something, an absence/omission or a situation that causes harm or could have caused harm to people when a service is being provided to a participant. This includes incidents that:
- Have caused harm to a person with disability
- Could have caused harm to a participant
- Involve acts by a person with disability that caused serious harm, or risk of serious harm, to another person
- Are reportable incidents or alleged reportable incidents
Incidents can threaten the health, safety or well-being of the parties below:
- People with disability
- Workers
- Families and carers
- Community members
There can be different types of incidents and incidents with different intensities. Some incidents are recognised as reportable incidents and are serious events or alleged events that relate to significant harm or unauthorised restrictive practices. Registered providers must inform the Commission about such incidents within the required timeframes.
However, not every incident is obvious.
Sometimes incidents are identified because:
- A worker witnessed what happened
- A participant reported the issue
- A third party raised a concern
- There were indirect indicators, such as unexplained injuries or behavioural changes
A strong incident management culture encourages workers and participants to speak up. If people feel unsafe reporting issues, your system will fail before it even begins.
What Is Incident Management
Incident management is the structured and well-defined procedure for handling an incident, from immediate response to appropriate solutions and documentation.
Having documented procedures and processes for managing an incident is useless and not enough. These guidelines and policies should be adapted and reflected well in practice. It allows you to be compliant and meet the standards, as well as improve your day-to-day operations by preparing for any issues or complications.
Therefore, the NDIS Quality and Safeguards Commission expects more than a written policy. It expects a working system that does the following:
- Identify incidents promptly
- Take immediate safeguarding action
- Record accurate and complete information
- Assess whether an incident is reportable
- Notify the Commission where required
- Investigate appropriately
- Implement corrective and restorative measures
- Learn from incidents and improve
An IMS must cover all incidents that take place in connection with providing NDIS supports or services. This means acknowledging, addressing and recording every incident internally.
The purpose is simple: when you know about incidents, you can reduce risk and improve your services.
The Six Steps of Effective Incident Management
The NDIS Quality and Safeguards Commission provides six key steps to better manage incidents.
-
Identify the Incident
Incidents may be identified by workers, participants, or other parties. Sometimes there are indirect signs, such as physical evidence or behavioural changes.
Your organisation should promote a culture where workers and participants feel comfortable reporting concerns. When incidents are hidden or ignored, risk increases.
-
Immediately Support the Impacted Person
Safety comes first.
If someone requires urgent medical attention or if a criminal offence is suspected, you must call 000 immediately. This action must not be delayed.
It is good practice to have a response plan that guides workers on:
- Immediate health and safety actions
- Risk assessment steps
- How and where to escalate internally
- When to consider notifying the Commission
Incident management is not only about investigation. It is about making the person with disability feel safe, respected and involved throughout the process.
-
Record the Incident
All incidents must be documented.
Your system must clearly describe:
- How records are created
- Where they are stored
- Who is responsible for completing them
- How privacy and confidentiality are maintained
Records should include relevant details and evidence and should be created promptly, for example, within 24 hours where possible.
If it is not written down properly, it is very difficult to prove what happened and how it was managed.
-
Report and Assess the Incident
Your system must include an internal reporting procedure.
This might involve:
- Submission through an online form
- Automatic escalation to key personnel
- A review meeting to confirm immediate actions were taken
An appropriate staff member must then assess:
- Why the incident occurred
- Whether it could have been prevented
- Whether it is a reportable incident
- What further action is required
- Whether other parties must be notified
If it is a reportable incident, it must be reported to the Commission within the required timeframe.
If it is not reportable, you still manage it through your internal system.
-
Investigation
If the initial assessment does not provide sufficient clarity, an investigation may be required. The Commission may also require an investigation.
The purpose of an investigation is to:
- Establish the cause
- Determine the impact
- Identify operational or systemic issues that contributed
The nature of the investigation must be proportionate to the harm caused and the risk of future harm.
-
Learn and Improve
Incident management does not end when the report is closed.
The records, assessments and investigation findings should be used to:
- Identify process gaps
- Improve training
- Strengthen supervision
- Adjust procedures
- Reduce the likelihood of recurrence
This learning function is what turns incident management from reactive compliance into proactive quality improvement.
Requirements for Your Incident Management System
NDIS providers are required to adhere to the code of conduct as well as the NDIS Standards. However, even when you follow these frameworks, incidents may still occur. Therefore, the purpose of an IMS is not to expect perfection. Rather, having an IMS ensures that when something does go wrong, the response is safe, structured and accountable.
Your IMS should clearly break down and provide the outline of the overall approach and key steps or actions to be taken when an incident occurs. The main focus of the system is assuring the safety and well-being of people with disabilities. Hence, it should state the responsibilities, clarify the principles, and define appropriate responses.
The guidance provided by the NDIS Quality and Safeguards Commission suggests that the system fulfils these three requirements. It should be:
- Suitable for your organisation's size and the types of support you deliver
- Documented in an accessible form, including written procedures
- Available to all workers and to people with disabilities receiving supports
The same minimum requirements apply to all registered providers. However, the structure of the system can be different according to the size, scope and complexity of the organisation and service provided. While a small-scale provider may use a simple digital tool with other procedures, a large-scale provider will require a more complex automated software solution and process.
Minimum Procedure Requirements
Your documented procedures must cover:
- How incidents are identified, recorded and reported
- Who incidents must be reported to internally
- Who is responsible for notifying the Commission
- How impacted persons are supported, including access to advocates
- How the person with disability is involved in management and resolution
- How investigations are conducted and documented
- When corrective action is required, and what that action involves
These are not optional inclusions. They are the minimum requirements under the Rules.
Conclusion
An incident management system is not a static document. It is a working framework that guides how your organisation responds under pressure.
You must be prepared to:
- Produce incident records when requested
- Demonstrate how decisions were made
- Show what actions were taken
- Prove what changes were implemented
In 2026, compliance is not measured by whether a policy exists. It is measured by whether your system protects people, documents actions clearly, and drives improvement over time.
The real question is not whether incidents occur. In human services, they sometimes will.
The real question is whether your organisation responds in a way that is structured, transparent, respectful and focused on preventing harm in the future.
Follow the link to access the detailed guidance on Incident Management Systems
