
Governance and Operational Management: the structural heart of the Core Module.

Module 2 catches the most providers, not because documents are missing, but because it tests whether governance is active or symbolic.

Adam Stefano
Registered Psychologist & Co-Founder, Cenaris
14 Apr 2026
7 min read

If there is one module in the NDIS Core that consistently surfaces findings, it is Governance and Operational Management. Not because the domain is unusually difficult, but because it is the structural heart of the whole framework, and structure is what auditors actually examine.

What "active governance" actually means.

Auditors expect to see defined risk methodologies, clear ownership of risks, review cycles, escalation thresholds, and evidence that the governing body engages meaningfully with compliance information. The test is not whether governance is described. The test is whether information flows upward in a structured way, and whether oversight decisions flow back down with documented follow-through.

The risk register problem.

Risk registers are frequently cited in audits, but the presence of a register alone is insufficient. What matters is whether risks are:

  1. Current: reviewed on a documented cycle, not at audit time.
  2. Linked: mapped to the relevant standards and indicators.
  3. Owned: assigned to a named person with the authority to act.
  4. Connected: informed by incident trends, and linked to corrective actions.

A risk that is described but not reviewed is inert. A risk that is not linked to a corrective action is unmanaged. To an auditor, either one tells the same story.

Workforce governance.

Credential verification, supervision frameworks, and training compliance must be demonstrable on request. If generating a training compliance report requires manual collation across multiple spreadsheets, structural fragility exists. Auditors do not need to find a non-compliant worker. They only need to find that you couldn't show you'd know if there was one.

Continuous improvement: the closing-loop test.

Internal audits must occur as scheduled. Findings must generate corrective actions. Corrective actions must be verified before closure. Lessons must be embedded into systems rather than treated as isolated tasks. The corrective action register from your last audit is the first artefact a current auditor will open.

Governance becomes defensible when information flows upward in a structured way and oversight decisions flow downward with documented follow-through.

Where to start.

Pull your risk register and your last four sets of board minutes. Try to find one risk discussion in the minutes that references a specific risk ID, an open corrective action, and an outcome decision. If you cannot, governance is currently being recorded as attendance, not as oversight.
