What Is Governance and Why Should Allied Health Providers Care?

Governance is one of those words that makes most Allied Health providers switch off. It sounds like something hospitals worry about. Something for large registered providers with boards and compliance teams.

It applies to you.

So what actually is governance?

Governance is how your service makes decisions, manages risk and takes responsibility for safety and quality. It's the system that sits behind your clinical work and makes sure everything holds together when things get busy, when something goes wrong, or when a new team member starts and needs to know how things work here.

At its core, governance answers five questions:

1. Who is accountable when something goes wrong? Is there a clear line of responsibility, or does it depend on who happens to be around?

2. What does good service delivery look like here, and how do we know? Are there documented standards your team works to, or does "good" mean different things to different clinicians?

3. How do we reduce the chance of something going wrong? Are risks identified and managed proactively, or does the business react after the fact?

4. What happens when something does go wrong? Is there a process for reporting, investigating and learning from incidents and complaints, or do things get mentioned once and forgotten?

5. How does leadership know what's actually happening on the ground? Are there registers, reports or review processes that create visibility, or is everything verbal and invisible?

You don't need a board. You don't need a 200-page manual. You need clear, documented answers to those five questions that your team can find and follow. That's governance.

The practical components that sit underneath those questions include things like incident management, complaints handling, documented procedures for service delivery, supervision and workforce development, consent and privacy processes and a policy framework with regular review cycles. The specifics scale to the size of your organisation, but the principles apply whether you're a sole trader or a 50-clinician business.

Yes, governance is how you meet the requirements of the funding schemes you access. But more importantly, it's how you keep the people you provide services to and the staff who deliver them safe. When a participant is injured because a procedure wasn't followed, or a clinician faces a complaint with no documented process to fall back on — the consequences are real and personal before they're regulatory. Everything that follows in this article is about the compliance environment catching up to that reality.

Why you should care right now

Both the NDIS and aged care systems are moving in the same direction: more oversight, more accountability, higher governance expectations for anyone accessing government funding.

If you're a small unregistered provider thinking this doesn't apply to you, it does. The NDIS Code of Conduct applies to every provider delivering NDIS supports, regardless of registration status. The Commission can investigate complaints, issue banning orders and pursue civil penalties against unregistered providers right now. Anyone can lodge a complaint at any time: a participant, a family member, a plan manager, an ex-employee. If that happens and you have no documented processes, no incident register and no evidence of how your service is supposed to operate, you have nothing to fall back on.

Good intentions and good clinical work are not a defence when someone asks what your process was and you can't point to one.

NDIS

The NDIS Quality and Safeguards Commission has named strengthened oversight of unregistered providers and sole traders as one of four regulatory priorities for 2025-26. The Commission's language is direct: being unregistered does not shield providers from the NDIS Code of Conduct or the reach of the regulator. If your business delivers NDIS supports, the Commission has told you exactly what it's looking at.

The enforcement activity reflects this. In Q2 2025-26 alone, the Commission issued 95 banning orders, revoked 117 provider registrations, issued 179 compliance notices and suspended 983 worker screening clearances. The Integrity and Safeguarding Bill 2025, currently before the Senate, proposes criminal penalties including jail time.

Mandatory registration is expanding from 1 July 2026, and it's only a matter of time until Therapeutic Supports are included. According to the Australian National Audit Office, 94% of active NDIS providers are currently unregistered.

That exposure is already shaping pricing policy. The NDIA's Independent Pricing Committee has recommended differentiated pricing for registered and unregistered providers, and the NDIA has publicly acknowledged that a sole trader working from home can currently charge the same rate as a large organisation with quality systems. There are realistically four outcomes that could occur as early as July 2026:

• Registered providers get a price increase

• Unregistered providers get a price decrease

• No changes

• Everyone gets an increase (lol)

If you're building a business for the long term, waiting to find out which one lands is a risk.

Aged care

The Aged Care Act 2024 commenced on 1 November 2025 with substantially strengthened governance obligations. If you deliver allied health services into aged care as an Associated Provider, both you and your workers must now comply with the Aged Care Code of Conduct, worker screening requirements and relevant quality standards. The registered provider cannot contract out their legal obligations, but those obligations still flow through to you.

As Roland Naufal from Invox put it: subcontractors have been recast as extensions of the registered provider's organisation. Their risks are your risks. Their paperwork is your paperwork. That's a significant shift for a sole trader or small business that previously just invoiced and delivered services.

The AHPRA (or equivalent) gap

Being a registered, ethical clinician does not mean you are meeting governance requirements. AHPRA registration (or equivalent professional association membership) confirms your clinical competence and adherence to professional standards of conduct. It says nothing about whether your business has incident management processes, complaints handling procedures, documented service delivery procedures or risk management frameworks. These are organisational governance requirements, and government funders are increasingly expecting both.

What happens when governance fails

In June 2023, Afford became the first NDIS provider to receive a civil penalty: $400,000. In January 2025, Valmar Support Services was fined $1.9 million after a participant died. The court noted zero staff training on safe mealtime procedures. In November 2025, Lifestyle Solutions received $2.5 million — the highest penalty to date. In January 2026, the Federal Court imposed $1.1 million on Oak Tasmania for 474 contraventions of the Reportable Incidents Rules. Staff were not following care management plans. Medical devices were improperly administered. An adolescent was not properly supervised. The court found that reporting delays could have been avoided if proper processes and guidelines had been in place.

These are large SIL providers delivering daily living supports. The failures are extreme. But the governance breakdowns behind every one of these cases follow the same pattern I see regularly across Allied Health: missing procedures, staff who don't know the process, no visibility for leadership. A complaint handled inconsistently. A new clinician who doesn't know where to find the consent procedure. An incident with a participant that gets mentioned once and never recorded. The scale differs. The pattern doesn't.

Simply having policies is not governance

Governance means your team knows where to find procedures, follows them consistently and reports when things go wrong. The policy manual is one input into that system. On its own, it achieves nothing.

I see three failure modes across Allied Health providers.

Nothing at all. Sole traders and small businesses that have never documented anything. Every decision lives in someone's head. This is common in early-stage businesses, but it creates real risk the moment you take on staff, subcontract into aged care or face a complaint.

Policies that no one follows. The 100-page manual in a shared drive that was written two years ago, never updated and never referenced. In an investigation, this is arguably worse than having nothing. It demonstrates you knew what you should be doing and chose not to do it.

Policies that are generic and disconnected from your operations. An off-the-shelf pack from a consultant, or documents generated by AI, that no one has read or contextualised. Both are legitimate starting points. Neither is a finished product. The work is in reading, adapting, implementing and maintaining. A bought pack you've reviewed and embedded into your operations is better than an AI-generated one you haven't touched. Both are useless if no one reads them.

Governance lives in implementation.

What would I see if I walked into your business?

Forget the theory. If I walked into your business tomorrow, here's what I'd be looking for.

Where do your staff go when they need to know the process for something? Is there a centralised knowledge base they can search from their phone during a home visit? Or are they texting a colleague, checking email for an attachment from two years ago, or guessing?

How does your team handle an incident? Is there a documented incident reporting process with a form your team knows how to use and a register that leadership reviews? Or does someone mention it in passing and it never gets recorded?

How does a new team member know what's expected of them? Is there an onboarding procedure? Or do they shadow someone for a few days and figure it out?

When was the last time a policy was reviewed? Is there a review cycle? Or were your policies written when you started the business and never touched again?

Can you see patterns in incidents or complaints? Are there registers that create visibility across the business? Or is everything ad hoc, verbal and invisible?

I recently recorded a full walkthrough of how I set up a centralised knowledge base for Allied Health providers using SharePoint. It covers knowledge base structure, what a gold standard procedure page looks like, policy libraries with metadata and incident registers using Microsoft Lists. The same principles apply on Google Sites for providers using Google Workspace.

Where to start

If you're reading this and thinking your governance needs work, start with three things.

Audit what you have and where it lives. How many locations are your policies, procedures, forms and registers spread across? How many are current?

Pick one area and build it properly in one centralised location. Safety and quality is usually the best starting point because it has the most regulatory exposure. Get your incident management procedure, form, register and policy set up in one place, then replicate that pattern across everything else.

Separate your policies from your procedures. Policies set expectations. Procedures explain how it works here. Combining them creates bottlenecks and documents that are too long for anyone to use.

You don't need to do it all at once. But both the NDIS and aged care regulators are making it clear that clinical competence alone won't cut it. The governance bar is going up, and the providers who build early will be the ones positioned for what comes next.

If you want help getting your governance structures in order, book a strategy call with me. I work with Allied Health providers across Australia on exactly this.