The Compliance & Incident Management module is a critical component of NDSS CRM that ensures the organisation maintains adherence to NDIS Practice Standards, manages and tracks incidents through their full lifecycle, conducts audits, and maintains a comprehensive risk register. This module supports the organisation's obligations under the NDIS Quality and Safeguards Framework and provides the tools necessary to demonstrate compliance during NDIS Commission audits and reviews.
NDIS registered providers are legally required to report certain categories of incidents to the NDIS Quality and Safeguards Commission within specific timeframes. Failure to report can result in compliance action, including conditions on registration or deregistration. NDSS CRM's compliance module is designed to support these obligations, but it remains the organisation's responsibility to ensure timely and accurate reporting.
The Compliance module is accessed via the Compliance item in the main sidebar navigation. The module is organised into a tabbed interface with three primary views: Incidents, Audits, and Reports. Each tab provides access to specialised functionality for managing that aspect of the organisation's compliance program.
| Card | Metric | Description |
|---|---|---|
| Open Incidents | Count of non-closed incidents | Total number of incidents in Open, Under Review, or Investigation status. Sub-count shows critical-severity incidents requiring immediate attention. |
| Overdue Actions | Corrective actions past due date | Number of corrective actions from incident investigations or audits that have passed their target completion date. Prioritised by severity. |
| Upcoming Audits | Scheduled audits count | Number of audits scheduled in the next 90 days. Shows the date of the next upcoming audit. |
| Compliance % | Overall compliance score | Calculated from the most recent audit results across all NDIS Practice Standards. Weighted average of all compliance areas. Month-to-date trend indicator. |
| Action | Support Worker | Coordinator | Manager | Compliance Officer | Admin |
|---|---|---|---|---|---|
| Report Incident | Yes | Yes | Yes | Yes | Yes |
| View Own Incidents | Yes | Yes | Yes | Yes | Yes |
| View All Incidents | No | Own clients | Yes | Yes | Yes |
| Investigate Incidents | No | No | Yes | Yes | Yes |
| Close Incidents | No | No | Yes | Yes | Yes |
| Manage Audits | No | No | No | Yes | Yes |
| View Risk Register | No | No | Yes | Yes | Yes |
| Generate Reports | No | Limited | Yes | Yes | Yes |
| Configure Module | No | No | No | No | Yes |
Incident reporting is the cornerstone of the Compliance module. Every staff member in NDSS CRM has the ability to report an incident, and the organisation should foster a culture where incident reporting is encouraged rather than punitive. The incident report form captures all necessary details for initial assessment, investigation, and regulatory reporting. The form is designed to be comprehensive while remaining accessible to frontline support workers who may need to file reports quickly.
| Type | Description | Examples | Reportable to NDIS Commission |
|---|---|---|---|
| Accident / Injury | An unplanned event resulting in physical injury to a participant, staff member, or third party. | Falls, burns, cuts, collisions, manual handling injuries | If serious injury to a participant (requires hospital admission or ongoing medical treatment) |
| Behavioral Incident | Behaviour of concern exhibited by a participant that causes or risks harm to themselves or others. | Physical aggression, self-harm, elopement, verbal threats | If results in serious injury or if restrictive practices are used |
| Medication Error | Any deviation from the prescribed medication regimen including wrong medication, wrong dose, wrong time, or missed dose. | Wrong medication administered, double dose, missed dose, wrong participant | If results in hospitalisation or serious adverse reaction |
| Property Damage | Damage to property belonging to a participant, the organisation, or a third party. | Broken furniture, damaged equipment, vehicle damage | Generally not reportable unless related to abuse or neglect |
| Near Miss | An event that did not result in harm but had the potential to cause injury or damage. | Slippery surface identified, equipment malfunction caught before use, medication error caught before administration | Not reportable, but critical for internal quality improvement |
| Abuse / Neglect / Violence | Any suspected or confirmed abuse (physical, sexual, emotional, financial), neglect, or violence involving a participant. | Physical abuse, sexual abuse, emotional abuse, financial exploitation, neglect of care needs | Always reportable - within 24 hours for immediate notifications, 5 business days for detailed report |
| Unauthorised Restrictive Practice | Use of a restrictive practice that is not authorised in the participant's Behaviour Support Plan or that exceeds the authorised parameters. | Physical restraint, seclusion, chemical restraint, environmental restraint, mechanical restraint | Always reportable - monthly reporting of all restrictive practices, immediate reporting if unauthorised |
| Death | Death of a participant while receiving services or supports, or within 24 hours of service delivery. | Death during service delivery, death shortly after service delivery | Always reportable - immediate notification required (within 24 hours) |
| Other | Any incident that does not fit the above categories but warrants recording and review. | Complaints, service delivery failures, environmental hazards, data breaches | Assessed on a case-by-case basis |
Every incident is classified with a severity level that determines the urgency of response, notification requirements, and investigation depth. The severity classification drives the escalation workflow and ensures that critical incidents receive immediate executive attention while minor incidents are managed through standard processes.
| Severity | Colour Code | Definition | Response Timeframe | Investigation Required | Notification Chain |
|---|---|---|---|---|---|
| Minor | Green | Low-impact incident with no injury or minimal impact. No disruption to service delivery. No regulatory reporting required. | Acknowledge within 48 hours. Review within 7 business days. | Desktop review only. Document findings in the incident record. | Team Leader → Service Coordinator |
| Moderate | Orange | Incident resulting in minor injury requiring first aid, minor property damage, or a near miss with significant potential consequences. May require regulatory notification. | Acknowledge within 24 hours. Investigation commenced within 3 business days. | Formal investigation required. Root cause analysis. Corrective action plan within 14 days. | Team Leader → Service Coordinator → Manager |
| Major | Red | Serious incident resulting in significant injury requiring medical attention, significant property damage, or serious breach of participant rights. Likely requires regulatory reporting. | Acknowledge within 4 hours. Investigation commenced within 24 hours. Regulatory notification within 24 hours if reportable. | Comprehensive investigation required. External investigator may be engaged. Full root cause analysis. Corrective actions with executive sign-off. | Team Leader → Service Coordinator → Manager → Director → NDIS Commission (if reportable) |
| Critical | Dark Red | Life-threatening incident, death of a participant, alleged abuse or assault, unauthorised restrictive practice, or any incident likely to attract regulatory or media scrutiny. Mandatory regulatory reporting. | Immediate response required. Regulatory notification within 24 hours. CEO/Board notification within 2 hours. | Full independent investigation required. External investigators engaged. Board-level review. May involve police or coroner. Corrective actions with Board sign-off. | Immediate: Manager → Director → CEO → Board Chair → NDIS Commission → Police (if applicable) |
NDSS CRM provides preliminary severity suggestions based on the incident type selected. However, the reporting staff member can override the suggested severity. The following rules apply:
Every incident follows a defined workflow from initial report through to closure. The workflow ensures that incidents are properly triaged, investigated, resolved, and reviewed before being marked as complete. The workflow also includes escalation procedures for incidents that are not progressing within expected timeframes.
| From | To | Trigger | Required Role | Conditions |
|---|---|---|---|---|
| Open | Under Review | Assign to reviewer | Manager, Compliance Officer | An investigator/reviewer must be assigned. Severity confirmed. |
| Under Review | Investigation | Open formal investigation | Manager, Compliance Officer | Investigation plan must be documented. For Major/Critical, external investigator details required. |
| Under Review | Resolved | Resolve directly | Manager, Compliance Officer | Resolution summary required. Only available for Minor and Moderate incidents. Corrective actions (if any) must be documented. |
| Investigation | Resolved | Complete investigation | Compliance Officer, Admin | Investigation report must be attached. Root cause analysis complete. Corrective action plan documented with target dates and responsible persons. |
| Resolved | Closed | Review and close | Compliance Officer, Admin | All corrective actions completed or scheduled. Post-incident review documented. Lessons learned recorded. For reportable incidents, NDIS Commission reporting confirmed as complete. |
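
The transition table above is a small state machine with a role gate on each edge. The following is an added example, not NDSS CRM's own code, of enforcing it deny-by-default on the server side; the evidence field names and the `Incident` class are hypothetical stand-ins for the Conditions column.

```python
from dataclasses import dataclass, field

# (from, to) -> (roles from the "Required Role" column, evidence fields).
# Evidence field names are hypothetical stand-ins for the "Conditions" column.
TRANSITIONS = {
    ("Open", "Under Review"): (
        {"Manager", "Compliance Officer"},
        ["reviewer_assigned", "severity_confirmed"]),
    ("Under Review", "Investigation"): (
        {"Manager", "Compliance Officer"},
        ["investigation_plan"]),
    ("Under Review", "Resolved"): (
        {"Manager", "Compliance Officer"},
        ["resolution_summary"]),
    ("Investigation", "Resolved"): (
        {"Compliance Officer", "Admin"},
        ["investigation_report", "root_cause_analysis", "corrective_action_plan"]),
    ("Resolved", "Closed"): (
        {"Compliance Officer", "Admin"},
        ["corrective_actions_done_or_scheduled", "post_incident_review",
         "lessons_learned"]),
}


@dataclass
class Incident:
    severity: str                      # Minor, Moderate, Major, Critical
    status: str = "Open"
    reportable: bool = False
    evidence: dict = field(default_factory=dict)
    history: list = field(default_factory=list)


def check_transition(incident, target, role):
    """Return the reasons a transition is refused; an empty list means allowed."""
    rule = TRANSITIONS.get((incident.status, target))
    if rule is None:                   # deny by default: unlisted moves never happen
        return [f"no transition {incident.status} -> {target}"]
    roles, required = rule[0], list(rule[1])
    reasons = []
    if role not in roles:
        reasons.append(f"role {role} may not perform this transition")
    major = incident.severity in ("Major", "Critical")
    if (incident.status, target) == ("Under Review", "Resolved") and major:
        reasons.append("direct resolution is only for Minor and Moderate incidents")
    if (incident.status, target) == ("Under Review", "Investigation") and major:
        required.append("external_investigator_details")
    if target == "Closed" and incident.reportable:
        required.append("commission_reporting_confirmed")
    reasons += [f"missing {name}" for name in required if not incident.evidence.get(name)]
    return reasons


def apply_transition(incident, target, role):
    """Move the incident only if every check passes, and record who did it."""
    reasons = check_transition(incident, target, role)
    if reasons:
        raise PermissionError("; ".join(reasons))
    incident.history.append((incident.status, target, role))
    incident.status = target
    return incident
```

The example follows the Required Role column of the transition table only, so a Manager is refused on Resolved to Closed even though the permission matrix lists Close Incidents for that role.
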
NDSS CRM automatically monitors incident progress and triggers escalation notifications when incidents are not progressing within expected timeframes:
| Condition | Escalation Action | Notification Recipient |
|---|---|---|
| Open incident not acknowledged within the response timeframe for its severity level | Automatic email and in-platform notification. Incident highlighted in red on the Compliance Hub. | Assigned Manager, Compliance Officer |
| Under Review for more than 5 business days with no progress notes | Escalation notification sent. Incident flagged as "Stale". | Director, Compliance Officer |
| Investigation not completed within 14 business days | Escalation notification sent. Requires written justification for delay. | Director, CEO (for Major/Critical) |
| Resolved incident not closed within 30 days | Reminder notification. Compliance review triggered. | Compliance Officer |
| Corrective action past its target completion date | Overdue action alert. Action appears in the Overdue Actions metric card. | Responsible person, their Manager |
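
The escalation conditions above can be evaluated as a periodic sweep over incident records. This is an added example, not NDSS CRM's own code; the record fields, the alert names and the sample incidents are constructed for illustration, business days are counted Monday to Friday with public holidays ignored, and "immediate" for Critical is modelled as zero hours.

```python
from datetime import datetime, date, timedelta

# Acknowledgement windows from the severity table; "immediate" for Critical
# is modelled as zero hours (an assumption of this example).
ACK_HOURS = {"Minor": 48, "Moderate": 24, "Major": 4, "Critical": 0}


def business_days_since(start, now):
    """Count Mon-Fri dates after start's date up to now's date (holidays ignored)."""
    count, day = 0, start.date()
    while day < now.date():
        day += timedelta(days=1)
        if day.weekday() < 5:
            count += 1
    return count


def escalations(inc, now):
    """Return (alert, recipients) pairs that the escalation table calls for."""
    alerts = []
    status, since = inc["status"], inc["status_since"]
    if status == "Open" and not inc.get("acknowledged"):
        if now - since > timedelta(hours=ACK_HOURS[inc["severity"]]):
            alerts.append(("unacknowledged", ["Assigned Manager", "Compliance Officer"]))
    elif status == "Under Review" and not inc.get("progress_notes"):
        if business_days_since(since, now) > 5:
            alerts.append(("stale", ["Director", "Compliance Officer"]))
    elif status == "Investigation":
        if business_days_since(since, now) > 14:
            # Reading "CEO (for Major/Critical)" as: CEO is added for those severities.
            ceo = ["CEO"] if inc["severity"] in ("Major", "Critical") else []
            alerts.append(("investigation_overdue", ["Director"] + ceo))
    elif status == "Resolved" and now - since > timedelta(days=30):
        alerts.append(("not_closed", ["Compliance Officer"]))
    for action in inc.get("corrective_actions", []):
        if not action["done"] and action["due"] < now.date():
            alerts.append(("action_overdue", [action["owner"], action["owner_manager"]]))
    return alerts


# Constructed sample records; 2024-06-21 is a Friday.
NOW = datetime(2024, 6, 21, 9, 0)
SAMPLE = [
    {"id": "INC-1", "severity": "Major", "status": "Open",
     "status_since": datetime(2024, 6, 21, 4, 0)},
    {"id": "INC-2", "severity": "Minor", "status": "Under Review",
     "status_since": datetime(2024, 6, 13, 9, 0), "progress_notes": []},
    {"id": "INC-3", "severity": "Moderate", "status": "Investigation",
     "status_since": datetime(2024, 5, 31, 9, 0),
     "corrective_actions": [{"done": False, "due": date(2024, 6, 20),
                             "owner": "J. Doe", "owner_manager": "Manager"}]},
]
```
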
For incidents classified as Moderate, Major, or Critical, a formal investigation process is required. The investigation module within NDSS CRM provides structured tools for conducting thorough investigations, documenting root causes, and developing corrective action plans. The investigation record becomes part of the permanent incident file and is available for audit purposes.
The Audit Management function within NDSS CRM supports the scheduling, execution, and tracking of internal and external audits. Regular auditing is a cornerstone of the NDIS Quality and Safeguards Framework, and NDSS CRM provides the tools to manage the full audit lifecycle from planning through to findings resolution.
| Audit Type | Purpose | Frequency | Conducted By | Output |
|---|---|---|---|---|
| Internal Quality Audit | Assess compliance with internal policies, procedures, and quality standards. Identify areas for improvement. | Quarterly (recommended) | Internal Compliance Officer or Quality Team | Internal audit report with findings, recommendations, and action plan |
| External NDIS Audit | Formal assessment of compliance with NDIS Practice Standards as required for provider registration and renewal. | Every 3 years (certification) or as required by NDIS Commission | NDIS-approved external auditor | Audit report submitted to NDIS Commission. Non-conformities must be addressed within specified timeframes. |
| Spot Audit | Targeted review of a specific area, process, or location in response to an identified risk or incident. | As needed (triggered by incidents, complaints, or risk indicators) | Internal or external auditor | Spot audit report with findings and immediate corrective actions |
| Documentation Audit | Review of documentation completeness and accuracy including care plans, risk assessments, staff records, and policies. | Monthly (sample-based) | Internal quality team | Documentation compliance score and list of gaps requiring rectification |
| Financial Audit | Review of financial records, invoicing accuracy, NDIS claim integrity, and funding utilisation. | Annually | External auditor (for statutory audit) or internal finance team (for management audit) | Financial audit report, management letter with recommendations |
NDSS CRM includes configurable audit checklists that can be customised for each audit type. Checklists are organised by NDIS Practice Standard area:
The Reports tab within the Compliance module provides access to a range of pre-built compliance reports and dashboards. These reports are designed to give the Compliance Officer and executive team visibility into the organisation's compliance posture, incident trends, and audit findings.
| Report | Description | Key Metrics | Frequency |
|---|---|---|---|
| Incident Summary | Overview of all incidents for a selected period, grouped by type, severity, and status. | Total incidents, breakdown by type, breakdown by severity, average resolution time, repeat incident rate | Monthly / Quarterly |
| Incident Trend Analysis | Time-series analysis of incident volumes showing trends, seasonal patterns, and correlation with staffing changes or service expansion. | Incidents per month, trend direction, comparison to prior period | Quarterly |
| Reportable Incidents Register | List of all incidents reported (or required to be reported) to the NDIS Quality and Safeguards Commission. | Reportable incident count, reporting compliance rate, average reporting time | Monthly |
| Corrective Action Tracker | Status of all open corrective actions from incidents and audits. | Open actions, overdue actions, completion rate, average days to completion | Weekly / Monthly |
| Audit Compliance Score | Overall compliance score derived from audit results, tracked over time by Practice Standard area. | Compliance score per area, overall weighted score, trend over last 4 audits | Per audit / Quarterly |
| Risk Register Report | Current state of the organisational risk register including all active risks, their ratings, and mitigation status. | Total risks, risks by category, high/extreme risk count, mitigation progress | Quarterly |
NDSS CRM is built with the NDIS Quality and Safeguards Framework at its core. This section outlines how the platform supports compliance with the NDIS Practice Standards and the reporting obligations to the NDIS Quality and Safeguards Commission.
| Practice Standard | NDSS CRM Module(s) | How NDSS CRM Supports Compliance |
|---|---|---|
| Rights and Responsibilities | Client Management, Client Portal | Participant rights documentation stored in client profiles. Complaints process accessible via Client Portal. Advocacy information provided during onboarding. |
| Governance and Operational Management | Compliance, Admin & Settings | Risk register, quality management audit trail, information management controls, role-based access controls. |
| Provision of Supports | Client Management, Clinical, Rostering | Service agreements, individualised support plans, transition planning, safe environment assessments. |
| Support Provision Environment | Client Management, Clinical, Compliance | Medication management with audit trail, participant money tracking, environmental safety checklists. |
| Human Resource Management | Staff Management, Learning | Staff qualifications tracking, NDIS Worker Screening check management, mandatory training tracking, performance management. |
| Incident Management | Compliance | Full incident lifecycle management, severity classification, investigation tools, corrective action tracking, NDIS Commission reportable incident identification. |
Under the NDIS (Incident Management and Reportable Incidents) Rules, the following incidents must be reported to the NDIS Commission:
NDSS CRM automatically identifies potentially reportable incidents based on the incident type and severity classification. When a reportable incident is detected, the system displays a prominent banner reminding the user of the reporting obligation and timeframes. The Compliance Officer receives an immediate notification.
Immediate notification: Within 24 hours of becoming aware of the incident, an initial notification must be made to the NDIS Commission via the NDIS Commission Portal. NDSS CRM generates a pre-populated notification form that can be used for this purpose.
Detailed 5-day report: Within 5 business days of the initial notification, a detailed report including investigation findings and corrective actions must be submitted. NDSS CRM's investigation report can be exported in a format suitable for this submission.
The Risk Management function in NDSS CRM provides a centralised risk register for identifying, assessing, mitigating, and monitoring organisational risks. The risk register is a living document that should be reviewed regularly and updated as new risks emerge or existing risks change in nature or likelihood.
| Field | Description |
|---|---|
| Risk ID | Unique identifier (R-XXX) |
| Risk Title | Short descriptive title |
| Risk Category | Operational, Financial, Clinical, Compliance, Reputational, Strategic, IT/Cyber |
| Description | Detailed description of the risk, including potential triggers and impact |
| Likelihood | Rare, Unlikely, Possible, Likely, Almost Certain |
| Consequence | Insignificant, Minor, Moderate, Major, Catastrophic |
| Inherent Risk Rating | Calculated from Likelihood x Consequence before controls |
| Current Controls | Existing controls and mitigation measures in place |
| Control Effectiveness | Effective, Partially Effective, Ineffective |
| Residual Risk Rating | Risk rating after considering current controls |
| Planned Mitigations | Additional mitigation strategies planned or in progress |
| Risk Owner | Person responsible for managing this risk |
| Review Date | Next scheduled review date |
| Status | Active, Mitigated, Accepted, Closed |
Document compliance ensures that all organisational policies, procedures, and critical documents are current, reviewed on schedule, and acknowledged by relevant staff. NDSS CRM provides a document management system within the Compliance module that tracks document lifecycle from creation through review, approval, distribution, and staff acknowledgment.
When a policy or procedure is published or updated, NDSS CRM can require staff to acknowledge that they have read and understood the document. The acknowledgment system provides:
Document acknowledgments can be linked to mandatory training modules in the Learning & Development module (Chapter 13). For example, when a medication management policy is updated, staff can be required to complete a refresher training module before their acknowledgment is recorded. This ensures that acknowledgment reflects genuine understanding, not just a checkbox exercise.