← Back to blog

Risk register for community services: a practical guide

July 19, 2026
Risk register for community services: a practical guide

TL;DR:

  • A risk register records, rates, and assigns ownership to all significant risks facing an organization, fulfilling compliance and governance needs. It should include clear risk descriptions, ratings, controls, residual risks, and designated owners, reviewed regularly by the board or committees. Effective registers are specific, owned by individuals, and connected to operational data and regulatory requirements to guide decision-making and maintain accountability.

A risk register is a living governance document that records, rates, and assigns ownership to every material risk facing your organisation. For community service providers in Australia, it is also a direct compliance requirement. The ACNC Governance Standards require boards to act in the best interests of the charity and manage its affairs responsibly. The NDIS Practice Standards require documented risk management systems proportionate to provider size. A well-built risk register for community services sits at the intersection of both obligations, giving boards and managers a single source of truth for operational, strategic, and compliance risks.

What core elements should a community services risk register include?

A risk register without structure is just a list of worries. Each entry needs five components to be useful.

  • Risk description. Write in source-consequence format: "What results in what." For example: "Insufficient trained staff on shift results in a participant safety incident." Clear specific descriptions enable targeted mitigation rather than vague concern.
  • Likelihood and consequence ratings. Use a standard risk matrix to score each risk. A 5x5 matrix rating likelihood (rare to almost certain) against consequence (insignificant to catastrophic) produces a residual risk score that is defensible to auditors.
  • Existing controls. Document what you already have in place. This is where most registers fall short. Listing a control as "staff training" without specifying the training type, frequency, and evidence location tells an auditor nothing.
  • Residual risk level. After applying controls, what risk remains? This rating drives your prioritisation decisions.
  • Named Risk Owner. Assign a person, not a team. Named individuals prevent accountability gaps that occur when responsibility sits with a department.

Pro Tip: Standard registers cover 15–30 core risks across key categories. If yours has 60 entries and no one reads it, it is not a risk register. It is a risk archive.

A practical starting template looks like this:

ColumnPurpose
Risk descriptionSource-consequence format, one sentence
Likelihood rating1–5 scale, documented rationale
Consequence rating1–5 scale, linked to service impact
Current controlsSpecific, evidenced, not generic
Residual risk scorePost-control rating driving review priority
Risk OwnerNamed individual, not a role title
Review dateScheduled, not "as required"

Close-up of risk management materials on community services desk

How can boards provide effective risk oversight?

Boards of smaller non-profits cannot outsource their legal duty to manage risk. The Corporations Act and ACNC Governance Standards both place that obligation squarely on directors. The question is how to fulfil it without a dedicated risk team.

  1. Appoint a Risk Officer or form a small Risk Committee. A smaller NFP can maintain effective oversight through a two or three person committee rather than a full governance structure. The committee reviews the register before each board meeting and flags items requiring board decision.
  2. Set a tiered review schedule. High-rated risks warrant quarterly review. The full register should be reviewed at least annually. Embedding this into the board calendar prevents the register from becoming a document that surfaces only at audit time.
  3. Report risk at every board meeting. The risk register should appear as a standing agenda item, not an annual attachment. Boards that see risk data regularly make better decisions about resourcing, policy, and service delivery.
  4. Seek external advice when the board lacks expertise. External advice and training assist boards in fulfilling their legal obligations, particularly in areas like WHS, safeguarding, and financial risk where sector-specific knowledge matters.
  5. Document board engagement. Minutes should record that the board reviewed the register, noted changes, and approved treatment actions. This is your evidence of due diligence.

Good board governance practice treats the risk register as a decision-making tool, not a compliance artefact.

Pro Tip: If your board only sees the risk register once a year, it is not governing risk. It is acknowledging it. There is a significant difference when a regulator comes knocking.

Infographic illustrating core elements of a risk register

What practical steps build and maintain a useful register?

Most organisations get stuck at the blank spreadsheet. The way through is to start narrow and go deep.

  • Focus first on your highest exposure areas. Work Health and Safety, safeguarding, financial controls, and regulatory compliance are the right starting points for any community service provider. Starting with high-exposure areas avoids the paralysis of trying to capture everything at once.
  • Engage staff and participants in risk identification. Frontline workers see operational risks that boards never encounter. A structured workshop or a simple prompt sheet ("What keeps you up at night? What nearly went wrong last month?") surfaces risks that would otherwise stay invisible.
  • Assign named owners with deadlines. Every treatment action needs a person and a due date. "Review the WHS policy" assigned to the Operations Manager by 30 June is a treatment action. "Review WHS" is not.
  • Define review triggers beyond the calendar. A critical incident, a complaint, a regulatory change, or a significant staffing change should all trigger an immediate review of relevant register entries. Living documents integrate incident and complaints data to detect emerging risks early.
  • Keep the register accessible. A register locked in a CEO's drive is not a management tool. Store it where the Risk Owner and relevant managers can update it between formal review cycles.

Consider this scenario: a mid-sized disability provider in regional New South Wales identified a WHS risk around manual handling during a staff workshop. The risk had existed for two years but had never appeared in any governance document. Once named, rated, and assigned to the Operations Manager, a treatment plan was in place within three weeks. The risk did not disappear, but it was now visible, owned, and managed.

How does a risk register connect to compliance frameworks?

The NDIS Practice Standards require risk management across eight explicit domains including incident management, financial controls, WHS, and safeguarding. That means your register must map to these domains, not just list generic organisational risks. The same principle applies under the Aged Care Quality Standards (Strengthened) and the ACNC Governance Standards.

Linking your risk register to your compliance obligations produces two practical benefits. First, it closes the gap between what the register says and what your policies and procedures actually cover. Second, it gives you audit readiness without last-minute scrambling.

Active risk registers covering governance, financial, operational, strategic, and reputational risks are vital for trust and reporting in the Australian charity sector. That coverage also aligns with what the ACNC expects to see when it reviews governance practices. For providers working across multiple standards, mapping each risk entry to its relevant regulatory domain is a straightforward way to demonstrate proportionate, documented risk management.

Linking incident data and complaints directly to the register is where continuous improvement becomes real. When a complaint about a support worker's conduct appears in your complaints register, the corresponding safeguarding risk entry should be reviewed within days, not at the next quarterly cycle. Proactive risk culture depends on this connection.

For providers in aged care, the risk-based regulation framework makes this integration even more pressing. Regulators assess not just whether you have a register, but whether it is actively shaping how you manage your service.

Key takeaways

A risk register in community services works only when it is specific, owned, and reviewed regularly against real operational data.

PointDetails
Use source-consequence formatWrite each risk as "what results in what" to make controls and treatment actions specific.
Assign named individualsA person, not a team, must own each risk to prevent accountability gaps.
Embed review in board governanceHigh-rated risks need quarterly review; the full register needs annual board sign-off.
Map to regulatory domainsLink each entry to NDIS Practice Standards, Aged Care Quality Standards, or ACNC requirements.
Connect to incident and complaints dataUpdate relevant register entries within days of a significant incident or complaint.

What I have learned from registers that actually work

The registers I have seen make a real difference share one quality: someone in the organisation genuinely believes the document matters. That sounds obvious, but it is rarer than you would think.

The most common failure I encounter is a register built for an audit and then filed. It has 45 entries, most described in three words, with no named owners and review dates that passed eighteen months ago. The board has not seen it since it was submitted. That document does not manage risk. It creates a false sense of security, which is arguably worse than having nothing.

What works is starting with five to eight risks in your highest-exposure areas, describing them precisely, naming an owner, and reviewing them at every board meeting until the habit is embedded. Then you expand. Incremental development focused on priority risks is far more effective than a comprehensive register that no one reads.

The other thing I would say directly: the risk register is one of the most useful decision-making tools a board has, if it is used that way. When a board is weighing whether to take on a new programme, the register should be part of that conversation. What risks does this create? Do we have the controls? Who owns them? That is governance working as it should.

What does your board actually do with the risk register between audits?

— Rachel

Risk register support for community service leaders

https://theplanningandpracticehub.com.au

Building a register that satisfies regulators and actually guides your organisation takes more than a template. The Planning and Practice Hub works with non-profit boards and management teams across Australia to develop risk registers grounded in your specific regulatory obligations, whether that is the NDIS Practice Standards, Aged Care Quality Standards (Strengthened), or ACNC Governance Standards. Rachel Willis brings nearly three decades of sector experience to this work, which means the advice is practical, not theoretical. If you are ready to move from a compliance checkbox to a register your board genuinely uses, explore The Planning and Practice Hub's governance and risk consulting or the NFP governance support available to community service organisations.

FAQ

What is a risk register in community services?

A risk register is a structured document that records each identified risk, its likelihood and consequence rating, existing controls, residual risk level, and a named owner. In community services, it is both a governance tool and a regulatory requirement under frameworks including the ACNC Governance Standards and NDIS Practice Standards.

How many risks should a community services register include?

Standard registers cover 15–30 core risks across key categories such as WHS, financial, safeguarding, and compliance. A register with significantly more entries often becomes unmanageable and is less likely to be reviewed regularly.

Who is responsible for maintaining the risk register?

A named Risk Officer or a small Risk Committee holds day-to-day responsibility, but the board retains legal accountability. Boards cannot delegate their duty to manage risk under the Corporations Act or ACNC Governance Standards.

How often should the risk register be reviewed?

High-rated risks need quarterly review. The full register should be reviewed at least annually at board level. Significant incidents, complaints, or regulatory changes should trigger an immediate review of relevant entries.

How does a risk register support NDIS compliance?

The NDIS Practice Standards require documented risk management across eight domains including incident management, WHS, financial controls, and safeguarding. Mapping each register entry to its relevant domain demonstrates proportionate, evidenced risk management to the NDIS Quality and Safeguards Commission.