The structural model: Standards, Controls, Evidence, Risks, Governance.
A defensible compliance system connects seven layers. Most audit findings sit precisely where two of those layers fail to connect.
6 min read
The NDIS Practice Standards are outcome-based. They describe what must be achieved but leave the structure to you. That sounds like flexibility. In practice, it is where most providers come unstuck.
To move from policy compliance to structural compliance, you have to translate outcomes into operational architecture. A defensible system connects seven layers.
The seven layers.
- Standards define the obligation.
- Quality Indicators clarify what must be demonstrated under each standard.
- Operational Controls define how the organisation manages the obligation day to day.
- Evidence demonstrates that those controls are functioning, not just documented.
- Risks identify what could undermine the controls.
- Corrective Actions respond when controls fail or weaken.
- Governance Oversight ensures leadership monitors the whole structure and intervenes.
Where these layers operate in isolation, compliance becomes reactive. Where they are linked, compliance becomes stable.
Where the model breaks.
The link from incident to risk. A control fails, an incident is logged, and the line stops there. The enterprise risk register isn't updated. The risk rating doesn't move. The pattern is invisible to leadership.
The link from risk to standard. Risks are described well enough in plain language but never mapped to the indicators they actually threaten, so the auditor cannot trace a finding back to a managed risk.
The link from corrective action to the issue that triggered it. Actions are tracked separately and quietly close themselves with no evidence of verification.
Most audit findings are not the absence of a layer. They are a break between two layers.
How to know if yours is linked.
Run the trace test on one standard. Start with the obligation. Move to the indicator. Identify the control. Open the evidence. Find the risk. Locate the corrective action. Find the governance review.
If any step in that chain takes more than a minute, or requires a different system, a different person, or a phone call, that's where the model is breaking.
Where to start.
Don't try to fix all seven layers at once. Pick one standard. Make the chain visible. The exercise of seeing the structure is itself the first move from documentation to system.