Blog: 5 things organisations need to know about their board’s quality and compliance obligations

Why does it matter to your board that your organisation has a robust quality and compliance system in place? Because they, as the governing body, are responsible for the system’s success, and your organisation may not be meeting your legal obligations if they are not engaged with and fail to meet their responsibilities.

In this article we step out five things your organisation needs to know about your board’s quality and compliance obligations including, crucially, how to make sure your board is interested in and engaged with their responsibilities.

  1. Who are the certification bodies and what are their obligations for governing bodies?

Service providers in Queensland often work across multiple compliance frameworks, but we have focused below on the three main ones: the Human Services Quality Framework, ISO9001:2015 and the NDIS Practice Standards. Under each, the board must fulfil specific obligations. Let’s look at what these obligations are:

Human Services Quality Framework (HSQF)

Under Standard 1 Governance and Management of HSQF, governing bodies or boards must have the following systems in place:

    • board induction processes
    • skills reviews
    • role descriptions that clearly identify the role of the governing body or the board
    • safety and quality processes
    • risk management processes with delegations, disaster management business continuity plans and maintenance of contractual organisation obligations.

Auditors are looking to make sure these systems are documented, implemented and communicated to stakeholders. In short, they want to make sure the governing bodies are walking the talk.

HSQF Standard 4.2 around Blue Cards for board members results in the most non-conformances. This notifiable issue is very easily fixed! Make sure you highlight to your board members that they must have the right blue card.

ISO9001:2015

ISO9001 applies worldwide across industry. Standard 5 Leadership of ISO9001 lays out obligations for governing bodies and boards. Under this standard, the board or governing body, referred to as “top management”, is directly responsible for the effectiveness of their quality management system.

Boards governed by this certification will need scheduled reporting for management review, internal audits, incidents and risk management and continuous quality improvement.

NDIS Practice Standards

Board obligations for the NDIS practice standards fall under “Core Module Division 2 – Provider Governance and Operational Management”. As well as governance and operational outcome indicators, Core Module Division 2 has, since 2021, included disaster and emergency management.

Under Core Module Division 2, the board must:

    • provide opportunities for people with disability to contribute to the governance of the organisation. Auditors will want to see how this is done
    • be fit for purpose. This means not only must they have the required skills, but they must maintain their skills, and identify and fill skill gaps
    • monitor the performance of management and continually improve quality from the executive level down
    • have clear delegations in place and a process to manage any real or perceived conflicts of interest
    • develop, test and adjust emergency and disaster management plans according to a clear review timeline (this is not specified in the practice standards, but it could be at 6, 12 or 18 months depending on your organisation’s capacity). The board also needs to demonstrate how they have consulted and communicated their plans with participants and support networks.

  2. What are your board’s responsibilities when it comes to the strategic plan?

Your board needs to approve your organisation’s strategic direction and strategic plan. They also need to ensure that there are structures and systems in place to enable your organisation, and its governance structure (including committees and sub-committees), to achieve its strategic objectives.

Once the strategic plan is approved, your board must monitor and evaluate its outcomes. Don’t have a strategic plan unless you’re measuring your performance against strategic objectives. Including your safety and quality objectives in the strategic plan is a good way to make sure these are reported on, and commented on, on an ongoing basis.

Make sure your board is doing more than just receiving and reading organisational progress reports. They also need to be evaluating them, reviewing feedback and complaints and providing feedback to the organisation. They should also be prioritising resource allocation to meet the safety and quality objectives of the organisation.

  3. What’s the board’s role in approving policies and procedures?

While the board should endorse your organisation’s policy development system, they should not be approving every single policy (unless it’s something that they have a specific obligation for such as a delegations policy).

The board needs to make sure that the system complies with the necessary requirements and that they review the organisation’s compliance with policy and regulatory obligations. In your role you need to provide justification or evidence to the board about how the policy system meets regulatory obligations.

  4. How can you make sure your board is interested and engaged with quality and compliance?

While your board must fulfil its obligations under whichever certification framework your organisation uses, board members are often volunteers and time poor. Despite their best intentions, they may sideline their quality and compliance responsibilities if the importance of those responsibilities isn’t clearly explained. Here are some tips for communicating that importance effectively:

  • start with the why. For example, what is the dollar value of your organisation’s contracts? How much money would your organisation lose if you didn’t meet your obligations under these contracts’ quality and compliance frameworks?
  • explain the benefits of certification
  • make sure your board understands what their specific obligations are. They should know what standards they need to be across and they should be provided with reports that show whether they and the organisation are meeting these standards
  • remember this is a two-way conversation: it shouldn’t just be you reporting to the board; the board should be letting you know what actions you need to take to reduce risks
  • provide reports about performance against strategic objectives within the strategic plan. Make sure your business and operational plans have quality and safety objectives and report against those.

  5. Don’t overwhelm your board with information about quality and compliance

Your board don’t want to see the minutiae, so unless they ask for it, have sufficient detail in your reports to answer any questions they might have, but not so much that it’s overwhelming.

You need to keep your board up to date with organisational structure changes and risk and incident management data either monthly or quarterly depending on your organisation’s size and capacity. You don’t need to report to the board about specific incidents (unless they’re critical). The board are looking to see trends that may become risks.

Your quality performance data could be summarised and reported—include key highlights and explain how your organisation is tracking against its objectives, or the summary from audit reports. Put yourself in your board member’s shoes, and structure your reports with them in mind.

Thank you to Fiona Loughlan from IHCA for her time in speaking to the QCOSS Quality Collaboration Network about speaking to boards and management committees about quality and compliance.

Interested in all things quality and compliance?

The QCOSS Quality Collaboration Network is a peer-led network for those involved in implementing the HSQF within their organisation. Monthly meetings provide an opportunity to share experiences, information and resources.