Survive & Thrive Series Part 7 – Structuring Your Approach to Risk
24 July 2025
Welcome to Part 7 of our Survive & Thrive strategic leadership series for NDIS leaders who want to move beyond surface-level compliance and into transformational leadership.
In Part 6, we dove into the essential relationship between cost, value and price, and how to identify what’s driving real value in your organisation, what needs attention, and what’s consuming resources without meaningful return.
In Part 7, we look into structuring your approach to risk as your new competitive advantage as well as your best approach to staying out of court, and out of the public eye for the wrong reasons. We also provide a clearer picture of where your key risks likely lie and the development of core mitigation strategies.
NDIS Providers Are Failing at Risk Management
Let’s drop the polite language for a minute and engage in some uncomfortable dialogue that may prevent you from becoming the next negligent provider splashed across the front page.
Most NDIS service providers are terrible at risk assessment and management. Not because they are unethical. Not because they do not care, but because their systems, cultures, and leadership approaches are not designed to manage the real risks this sector faces.
Risk identification is not a form, nor is it a 70-line register.
Risk identification is whether you will see the next major problem before it hits, and risk management is whether you have the right actions in place to prevent the major problem you have identified and mitigate the impact of those that can’t be avoided.
Right now, most providers will not.
Take Valmar and LiveBetter for example. They were fined a collective $3.5 million in civil penalties. Why? Because they did not pre-empt known risks.
- LiveBetter: Instinctively, we all know it is possible to be burnt in a bath. LiveBetter took assumed knowledge and applied it across a broad range of services. They failed to ensure risks were tailored to the specific requirements of each person being supported. They also had no mechanism to test actual knowledge or preventative steps to minimise harm. In this case, the services LiveBetter provided scaled in complexity and risk, but the governance around the support did not. Commissioner of the NDIS Quality and Safeguards Commission v Valmar Support Services Ltd [2025] FCA 11
- Valmar: This case confirmed that risks generally are not captured in paperwork. They live in the gaps in between. Fragmented communication between allied health teams, SIL staff, and families meant no one took ownership of the choking risks within a support setting. Add staff using their own initiative—building on actions that had worked before—and you can see how a catastrophic outcome occurred so easily. Commissioner v LiveBetter Services Ltd [2024] FCA 374 (LiveBetter)
LiveBetter and Valmar could have been any number of NDIS service providers. Our systems have been shaped by years of external pressures and learned behaviour and we have all been systematically conditioned along the way. We have stopped benchmarking against what we should be doing and instead aim for what will simply be tolerated.
The easy excuse is “sector fatigue” but really, it is sector-wide learned helplessness, wrapped in compliance language, and passed off as risk management.
The only way we can change this is by calling out the 5 biggest illusions driving poor risk management, which are often overlooked in any risk appetite statement.
The 5 Biggest Illusions Driving Poor Risk Management

1. Illusion: Growth Is a Sign of Success
Reality: Too Many NDIS Providers Scale Faster Than They Build Capability
The NDIS was designed as a consumer-driven market, but it forgot to build in the gateways that test if consumers have the capability and capacity to reform market operations. This mirage was always going to take hold, as there was more demand than support and the systems reward a ‘billable hour’ and not a quality service.
It has been relatively easy for providers to take on new homes, new supports, new risk profiles, without the infrastructure, leadership depth, or data intelligence to handle it.
This isn’t bold growth. We are confusing responsiveness with readiness and that can result in calculated negligence. Yes, roles are filled, rosters are built, generic one size fits all training is provided, so the provider continues to say yes.
But who is asking the hard questions?
- Are we clinically prepared?
- Are our leaders equipped to supervise complexity?
- Do we have the infrastructure to effectively negotiate with more stakeholders from multiple different lenses?
- Most importantly, has there been scrutiny applied to whether the data systems are catching risk and responding to minor escalation, prior to major problems?
Providers aren’t resourced to step back and reassess safely. So they push on, burn out, or break down.
So whilst growth is often an aspiration for many businesses, in NDIS it needs to be approached with nuance and caution. Growth doesn’t just increase risk, it multiplies exposure and dilutes control.
2. Illusion: Being A Registered NDIS Provider Means We Have Good Risk Controls and Governance
Reality: Provider Audits Are About Compliance Not Competence
The NDIS Practice Standards have created the illusion of capability. The Standards say that if you have policies, registers, and forms, your organisation demonstrates appropriate risk maturity.
The problem? Auditors assess documentation, NOT decision making and especially not decision making under pressure.
Risk management in the NDIS has become performative. Don’t believe me?
How many of the following can you answer positively?
- You have an organisational risk matrix
- You have considered the impact of “staff turnover” and “participant injury”
- You have a risk management policy
- There is an agenda item on the meeting schedule for risks
- Staff complete online risk management training
My guess is most providers would have done pretty well with those questions.
Now, openly assess your confidence level that you can say you would be aware of:
- A burnt-out team leader who has not had supervision in 3 months?
- A participant whose restrictive practice data is trending upwards, but no one has looked into it?
- A participant with razor thin funding, escalating needs and poor-quality support plans from their allied health providers?
- A SIL participant with some mild disorientation and difficulty with road safety (but no major incidents) wanting to walk to the shops on their own yet their family says it’s too dangerous?
- A disengaged worker who spends more time on their phone than providing support?
- A participant risk management plan that has a mitigation strategy of “refer to BSP”?
- Staff who are afraid to support a participant due to their aggressive behaviours?
These aren’t hypothetical. They’re daily occurrences. And they’re happening because we confuse documentation with risk aware service delivery, but real risk leadership means seeing the early signals, owning the hard calls, and acting before the system fails. It is so much more than having paperwork and recording what happened after something has gone wrong.
3. Illusion: A Network of Supports Means Risks Are Caught Early
Reality: Fragmented Services Create Blind Spots No One Owns
The NDIS was built on intersectionality. Support coordinators, allied health professionals, behaviour practitioners, SIL providers, day programs, plan managers, clinical teams, families, and advocates. A web of services and stakeholders that should catch risks before they spiral, right?
But what this has meant in practice is support delivered through silos.
Does this sound familiar?
1. Support coordinators often drive service planning without full insight into behavioural risks or trauma history.
2. Allied health teams deliver functional assessments and prescribe goals with little understanding of staffing limitations, site dynamics, or family complexities.
3. SIL providers are held responsible for 24/7 outcomes yet frequently operate without access to full psychosocial or clinical profiles.
We have created a system where communication is transactional, responsibilities are compartmentalised, and real risk lives in the white space between roles.
And the most complex, human risks involving behaviour, trauma or psychosocial complexity definitely do not fit neatly into a single service stream. They emerge at points of overlap, often compounded by friction between services.
As an organisation, when did you last document:
- Where a participant’s goals clash with their capacity?
- Where reasonable and necessary plan funding is grossly misaligned to safe service delivery needs? or
- Where different professionals interpret the same data in completely different ways, or don’t buy in at all?
When something goes wrong, it’s rarely because one provider failed. It’s often because we have failed to view the system of supports around a participant to ensure there were no gaps and no overlaps.
4. Illusion: If We Say We Deliver Best Practice, It Must Be True
Reality: Repeating What Worked Once Isn’t a Substitute for Support
“Best practice” in the NDIS is everywhere. Providers frequently use the term to signal quality or compliance, but it’s rarely tied to tangible measures or verified impact and even fewer can say what excellence truly means in their context. Add this to the lack of formal ‘best practice’ definition from the NDIS Quality and Safeguards Commission, which simply encourages providers to be “contemporary, evidence-based, and person-centred” and you can feel the risks begin to simmer beneath the surface.
This bubbling risk is better known as Best Practice Paralysis. Providers repeat the same rosters, use the same templates and run the same routines, not because they’re effective, but because they’re safe, they passed audit, and it works within the funding. It’s risk-averse repetition disguised as quality. It kills off innovation, responsiveness, and the space to actually design supports around real lives. And I can prove it.
How many providers still use the following?
- Person centred ‘About me’ or ‘Individualised Support’ plans, or
- A ‘My Safety Plan’ or Risk Assessment checklist?
How many organisations have implemented tools to routinely track ability (physical or mental) to participate in activities of daily living?
How many have created templates that show micro improvements in capacity building?
Many might even still have the same look and feel of their state based government department templates.
What we’re seeing is a kind of ‘sameness’ creep.
- Every SIL house ends up with the same rules: meals at 5pm, outings on Tuesday, staff who rotate every three days.
- Behaviour support looks identical, even though the people are not.
- Support Coordinators push participants into whatever’s available, not what’s meaningful.
- Allied Health goals seem to be totally disconnected from what staff can realistically deliver.
The system is teaching us all to think the same, plan the same, and operate the same. It assumes that if something works once, it’ll work everywhere. It assumes that quiet houses mean happy participants. It assumes that just because we’ve seen it before, it’s the right fit.
And that’s how we miss the early signs. We ignore boredom, frustration, or distress because it doesn’t look like a reportable incident. We say we’re person-centred, but we run programs that could support anyone, which means they truly support no one. If we want to lift quality, we need to stop templating support and start noticing people.
Service providers need to question if their ‘best practice’ is creating an environment of missed changes in participant needs, overlooked warning signs, and drifting away from responsive support. By not measuring outcomes, reflecting on implementation, or adapting based on feedback, risk becomes invisible by design.
5. Illusion: If We Have Policies and Reporting Systems, We’re Covered
Reality: Culture Eats Risk Systems for Breakfast
The biggest risk that most organisations fail to call out, let alone manage, is their own cultural blindness. This isn’t a gap in procedure, nor is it likely to get picked up in an audit. It’s the broken feedback loop between risk, responsibility, and reality.
It shows up subtly when:
- A support worker sees something unsafe but keeps it to themselves because the last time they spoke up, nothing changed.
- A team leader edits an incident report to tone it down because they’re worried about how the exec team will react.
- A regional manager decides not to escalate a staffing issue because “we’ve all been under pressure lately.”
- When execs get told what they want to hear, not what they need to know.
And the kicker? Every one of these signs appears long before something blows up.
But only if you’re looking in the right places and most risk frameworks miss this critical concept: You can’t mitigate what you don’t see.

The Human Complexity of Risk
This is especially dangerous in human services, where the core product isn’t a process or a product that meets specs. It’s a relationship where outcomes depend not just on what’s written down, but on what’s actually said, felt, and acted on between people every day.
And this is the root cause of why disability service providers suck at risk management.
People complexity can’t be managed through templates, protocols, or assumptions. This sector isn’t driven by systems or even logical and rational explanations. It’s driven by human beings, and that means unpredictability, emotion, pressure, and nuance live in every layer of your organisation:
Frontline workers carry emotional labour, ethical tension, and the burden of real-time decision-making, often with little support. We provide them with training on how to provide personal care or write an incident report, but very rarely do we train them in emotional intelligence or communication skills.
So, you need to include in your organisation risk assessments:
- Burnout that goes unspoken until it ends in resignation.
- Incidents stemming from missed cues or exhausted judgement.
- Staff disengaging emotionally long before they walk out physically.
- Participant experiences being limited by staff beliefs.
I hear you. In NDIS Services, everything can be a risk and that’s exactly the problem.
When leaders treat all risks equally, they often end up focusing on the most visible or administratively convenient ones: overdue reports, audit gaps, documentation errors or the latest incident report which shows your pants pulled down.
Real risk management isn’t about catching everything, it’s about prioritising what matters and that requires reminding ourselves to think in terms of likelihood × consequence. It’s not just what might happen, but how serious it would be if it did. A staff member skipping a daily log note might not be high-risk but a team culture where no one flags concerns? That’s a critical failure in the making.
The goal isn’t to be risk averse, it’s to be risk intelligent and that starts by learning to see what matters most.
The 10-Point Reality Check
Start with this 10 point checklist. For each checkpoint you answer in the negative, or even just hesitate at, ask yourself, how likely is it that this might turn into a big problem for the organisation and how big is the actual big problem?
The more often you repeat this process, the greater the consequences might be for your organisation.
Download our Risk Management Self-Assessment Checklist

This is a hard checklist. It intentionally goes beyond intentions and looks to what occurs in routine practice. It is designed to challenge most current practices as we need to rewire how we define readiness, risk, and success. Otherwise, you are likely to become another nameless “best practice” provider that grew too fast, carried too much liability, and collapsed under complexity they were never supported to hold.
If you’re a CEO, board member, or executive leader in the NDIS, you need to stop asking whether you have a risk register. Instead, ask yourself: Would I know if something critical slipped tomorrow — today?
If the answer is no, that’s where your risk starts. But you don’t need another audit to tell you that, you need a leadership space to look risk in the eye, without performative bullshit.
That is what Supporting Potential’s NDIS Executive Command Centre is for. Stepping into real risk leadership
Supporting Potential’s NDIS Executive Command Centre
Built for NDIS leaders by NDIS leaders and people with disabilities inside and outside of the Scheme
Inside, CEOs and executives are guided to:
- Diagnose silent risks within their business
- Map cultural friction points that drive harm
- Build leadership muscle for uncertainty and scaling
- Translate risk intelligence into strategic decision-making
No boardroom posturing. No theoretical models. Just real tools, real language, real change.
🧭 So are you ready to stop managing risk and start leading through it?
Join the NDIS Executive Command Centre and finally get ahead of what is holding your organisation back.
The Key Takeaways….
- Risk is a potential event, not paperwork. Real risk management is about seeing problems before they happen and taking proactive action, not just keeping forms and registers.
- Compliance ≠ safety. Audits and policies create an illusion of control but don’t test decision-making under pressure or detect cultural risks.
- Growth without capability multiplies risk. Many providers scale too quickly, diluting control, governance, and oversight.
- Fragmented services create blind spots. Siloed roles and poor communication mean risks often live in the gaps no one owns.
- Culture drives outcomes. Even with systems in place, a culture where staff fear speaking up or leaders soften bad news will always fail to catch risks early.
- “Best practice” often masks stagnation. Repeating what worked once leads to templated, risk-averse routines that miss early warning signs.
- Risk leadership is about prioritising what matters most. Treating all risks equally wastes focus; leaders need to build risk intelligence, not just compliance.
Click here to book your NDIS Critical Systems Audit today!
This isn’t about judgment. It’s about protection and progress because in today’s high-stakes NDIS environment, “good enough” is never safe enough and the gap between providers is widening. The next reform wave won’t treat everyone equally.

The Value of a Critical Systems Audit
You don’t have to do all this alone. When you’re working inside the system every day, it’s easy to miss the slow drifts, silent risks, and legacy processes that no longer serve.
That’s where a NDIS Critical Systems Audit becomes invaluable and why outsourcing it makes strategic sense.
An Independent Critical Systems Audit brings more than just fresh eyes. It brings:
- Unbiased insight into whether your systems are truly aligned to the NDIS Practice Standards, not just on paper, but in quality practice.
- Early identification of red flags that could lead to non-compliance, service gaps, or reputational harm.
- Cross-sector benchmarking, helping you learn from high performers and avoid pitfalls others didn’t see coming.
- A clear, actionable roadmap to move from “barely surviving” to “really thriving.”
Outsourcing also preserves your internal capacity. Your leaders stay focused on delivery while specialists dig deep into the bones of your organisation. It looks at your:
- Service models
- Financial viability
- Incident response
- Documentation trails
- Governance, and
- Frontline systems of accountability
Join our supplementary webinar via the link below
Part 7 – Structuring Your Approach to Risk
Wednesday, 30 July at 11am.
https://events.teams.microsoft.com/event/17c59c54-7f1c-4e04-a45b-491f9d43490a@d8fe5969-e9bc-4d6b-ba5a-62e8825302c8

Coming up in the next fortnightly instalment in our NDIS Survive & Thrive Series
Part 8 – Reframing Compliance to be Your Competitive Advantage
Mandatory registration will mean being registered is no longer a quality indicator. How are you going to adapt to new Practice Standards quickly whilst developing data that proves the quality is being delivered?
Outcome – the development of a mobilisation plan which identifies how changes to the Practice Standards might impact your operations, and how you will shift your approach to support efficient and effective quality.
Get Involved and Get Connected!
- We would love to know if you’ve tried any of the activities we’ve suggested or done something similar in the past – and what the outcomes were! You can reach out to us in the Get in Touch section at the bottom of this page.
- We also share practical tips, real life examples, and expert insights every week on LinkedIn. Follow along, join the conversation, and share these posts with your network.
- Join our mailing list here to receive notifications of upcoming instalments and webinars. We truly value the insights and experiences attendees are bringing to our webinars!
How We Can Help
In today’s climate of tight overhead margins and a competitive labour market, resourcing your transformation team entirely with internal staff may not be feasible. That’s where we come in. Our experienced project and change managers can provide the specialised support you need to keep your transformation on track.
We also offer skilled facilitation for transformation team meetings, maximising your time and ensuring meaningful, high-quality outcomes.
For broader strategic needs, we provide executive advisory and tailored support packages designed to empower NDIS businesses at every stage of growth and development.
Get in Touch
If you would like confidential assistance in looking at this differently, book in a time to have a no obligation chat via my bookings calendar or email me at angela@supportingpotential.com.au.
Let’s build a stronger, more adaptable NDIS community, together.
Your partner in achieving compliance, growth and sustainability
Angela Harvey
Managing Director of Supporting Potential

