Healthcare risk register: keeping it useful, not just compliant

A risk register is the document that records identified risks, their assessed likelihood and consequence, the controls in place, the residual risk after controls, and the review cadence. Reg 17 (good governance) sits above it: the register is the evidence the provider can show for the “assess, monitor and improve” clause. The trap most providers fall into is a register that exists because the regulation expects it, not because the provider uses it.

What the regulation expects

Regulation 17 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 requires providers to have an effective system for assessing, monitoring and improving the quality and safety of the services provided, and to assess, monitor and mitigate the risks relating to the health, safety and welfare of service users. Reg 17 does not prescribe a specific risk matrix or a particular review cadence; it requires the provider to demonstrate the system is effective.

The de-facto UK healthcare standard for risk scoring is the NHS 5x5 risk matrix (likelihood from 1 to 5 against consequence from 1 to 5; product gives the score from 1 to 25; thresholds set the rating). It originates with the National Patient Safety Agency and is currently maintained by NHS England. It is not statutory but it is the framework inspectors and commissioners expect unless the provider has a defensible reason to use another. The ISO 31000:2018 risk management principles sit underneath.

For independent secondary care and NHS-contracted services, the register is also a procurement deliverable: commissioners ask to see it, and the cadence of board-level review is one of the items raised when a commissioner reviews a provider's assurance trail.

What providers most often miss

Across the inspection portfolio Klaudiusz worked through over thirteen years inside CQC, three risk-register patterns showed up most often.

One: the register is a snapshot, not a workflow. The risks were identified on a single workshop day eighteen months ago. Each row carries the initial assessment from that day and has not been touched since. The review-cadence column says quarterly but the last reviewed-on date is from the original workshop. An inspector reads the register, sees the stale dates, and concludes the system is not in use. The point of the register is the recurring conversation; the document is a side effect.

Two: the controls column is generic. Entries read “training” or “policy review” without naming the specific training module, the specific policy, or the named owner. When the inspector samples one risk and asks what the specific control looks like, the team cannot evidence it. Generic controls do not reduce risk; they describe an aspiration.

Three: the link between the register and the other lifecycles is missing. An incident occurs that maps to a registered risk. The incident is investigated and closed; the register entry is not updated. A complaint surfaces a theme that matches a risk; the register entry stays static. The point of the register is that the day-to-day lifecycles feed it with evidence of whether the controls are working. A register disconnected from incidents, complaints, and safeguarding is reading-room compliance, not risk management.

What an inspector looks for in the register

The standard inspector reading is at three levels: the register as a whole, two or three sampled rows in depth, and the cross-reference to the day-to-day lifecycles. At the whole-register level the test is whether the review-cadence column reflects what actually happened (last-reviewed dates within the stated cadence, not stale).

At the sampled-row level the test is whether the inspector can trace from the residual risk grade back to the specific controls, and from the controls forward to evidence of effectiveness (training completion rates, audit results, near-miss frequency). A high-rated risk with generic controls and no evidence of effectiveness is a Reg 17 well-led concern.

At the cross-reference level the test is whether the register reflects what the team is seeing on the ground. If the incident log shows three falls in the last quarter, does the falls risk on the register have a recent review date and updated control assessment? If the complaints log shows a theme on consent quality, is consent on the register with current controls? The absence of cross-reference is the signal that the register is a document rather than a workflow.

For board-level oversight (Reg 17 well-led on independent hospitals), the inspector also asks how the top-rated risks featured in the most recent board or equivalent governance meeting. The minutes should show the register-level discussion; if the minutes are silent on risks the register grades as high or extreme, either the register grading is wrong or the board is not exercising the risk-oversight function.

How Verivius handles the risk register

Verivius runs risks as a closed lifecycle: identify, assess (NHS 5x5 matrix, score and rating computed automatically), treat (named controls with effectiveness grading), monitor (review cadence shaped by rating per the platform default or per-tenant override), close (accepted, transferred, or eliminated with rationale). Each transition writes one row to the audit trail. Reviews fire on the cadence and surface on the dashboard so the recurring conversation actually happens. Cross-lifecycle links connect risks to the incidents, complaints, safeguarding, and improvement actions that evidence whether the controls are working in practice. For the full feature walk-through see what Verivius actually does.

See also the Day-to-day use section on the FAQ for the short answers across every lifecycle.

Common questions on the risk register

Does CQC require a specific risk matrix?

No. Reg 17 sets the outcome (an effective system for assessing, monitoring and mitigating risk) but does not prescribe a matrix. The NHS 5x5 matrix is the healthcare-sector default; providers who choose a different matrix should be able to explain why, particularly when commissioned by NHS-funded organisations that themselves use the NHS 5x5 internally.

How often should we review each risk?

The platform default cadence by rating is extreme risks reviewed every 30 days, high every 90 days, moderate every 180 days, and low every 365 days. These are Verivius operational defaults derived from common UK healthcare practice; they are not statutory. Each tenant can override the cadence per rating in workspace settings if a more or less frequent cadence is justifiable. The point is that the review actually happens on whatever cadence the service commits to.

What is the difference between a risk and an improvement action?

A risk is a recognised possibility of harm with an assessed likelihood and consequence; an improvement action is a specific thing to do that addresses a known issue. The lifecycle of a risk is identify-assess-treat-monitor-close; the lifecycle of an action is plan-do-review-close. The two interact: risk treatments often spawn improvement actions, and completed actions feed back into the risk monitor step. The platform links the two so the audit trail is consistent.

Should every clinical risk be on the register?

Not every clinical risk; the recognisable ones with service-level implications. Day-to-day clinical decisions sit in care plans and clinical pathways, not the risk register. The register captures the service-level risks (workforce, equipment, regulatory, environmental, financial) where the board or equivalent governance group needs to see the residual risk grade and the controls. A register cluttered with case-by-case clinical detail loses the service-level visibility it exists for.

Can we accept a high-rated risk?

Yes, with documented rationale and a defined acceptance window. Reg 17 does not require all risks to be eliminated; it requires the provider to manage them. An accepted risk needs a named decision-maker, a clear reason, an acceptance-until date, and a re-assessment trigger if circumstances change. The platform captures all four at the moment the acceptance step is taken so the audit trail is clean.
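The mechanics described across this page (the NHS 5x5 score in "What the regulation expects", the closed identify-assess-treat-monitor-close lifecycle with one audit row per transition in "How Verivius handles the risk register", the cadence-by-rating defaults in "How often should we review each risk?", and the four required acceptance fields just above) can be shown together in a small model. The code below is an added example, not Verivius code or its data model. Two things are assumptions: the rating thresholds on the 1 to 25 score are taken from the NPSA matrix (1 to 3 low, 4 to 6 moderate, 8 to 12 high, 15 to 25 extreme), which the page does not quote, and the sample register at the end is constructed data for a made-up provider. The cadence defaults are the ones quoted on the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Rating thresholds on the 5x5 score: ASSUMED from the NPSA matrix; the page quotes none.
RATING_THRESHOLDS = ((3, "low"), (6, "moderate"), (12, "high"), (25, "extreme"))
# Review cadence in days by rating: the platform defaults quoted on the page.
DEFAULT_CADENCE_DAYS = {"extreme": 30, "high": 90, "moderate": 180, "low": 365}
# Permitted transitions of the closed lifecycle; anything else is rejected before any audit row is written.
TRANSITIONS = {
    "identified": {"assessed"},
    "assessed": {"treated"},
    "treated": {"monitored"},
    "monitored": {"assessed", "closed"},  # a review either re-assesses or closes
    "closed": set(),
}
AS_OF = date(2026, 5, 30)  # constructed "today" for the sample register below


def score(likelihood: int, consequence: int) -> int:
    """NHS 5x5 score: likelihood (1-5) times consequence (1-5), so 1 to 25."""
    if not (1 <= likelihood <= 5 and 1 <= consequence <= 5):
        raise ValueError("likelihood and consequence must each be 1..5")
    return likelihood * consequence


def rating(score_value: int) -> str:
    """Map a 5x5 score to its rating band using the assumed thresholds."""
    for upper, label in RATING_THRESHOLDS:
        if score_value <= upper:
            return label
    raise ValueError(f"score {score_value} is outside 1..25")


@dataclass
class Control:
    name: str      # the specific module or policy, not "training"
    owner: str     # named owner; an empty owner is the generic-control pattern and is rejected
    evidence: str  # how effectiveness is evidenced, e.g. "completion 92% (Jan audit)"


@dataclass
class Risk:
    ref: str
    title: str
    state: str = "identified"
    likelihood: Optional[int] = None
    consequence: Optional[int] = None
    controls: List[Control] = field(default_factory=list)
    last_reviewed: Optional[date] = None
    audit: List[Dict] = field(default_factory=list)

    def _transition(self, new_state: str, actor: str, on: date, note: str) -> None:
        """Apply one lifecycle transition and write exactly one audit row for it."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.ref}: {self.state} -> {new_state} is not permitted")
        self.audit.append({"on": on, "actor": actor, "from": self.state, "to": new_state, "note": note})
        self.state = new_state

    def current_rating(self) -> Optional[str]:
        if self.likelihood is None or self.consequence is None:
            return None
        return rating(score(self.likelihood, self.consequence))

    def assess(self, likelihood: int, consequence: int, actor: str, on: date) -> str:
        """Assess or re-assess; the assessment date is the review date. Returns the rating."""
        self.likelihood, self.consequence = likelihood, consequence
        self.last_reviewed = on
        self._transition("assessed", actor, on, f"score {score(likelihood, consequence)}")
        return self.current_rating()

    def treat(self, controls: List[Control], actor: str, on: date) -> None:
        """Attach named controls; a control without owner and evidence is generic and rejected."""
        for c in controls:
            if not c.owner.strip() or not c.evidence.strip():
                raise ValueError(f"{self.ref}: control '{c.name}' needs a named owner and evidence")
        self.controls = list(controls)
        self._transition("treated", actor, on, f"{len(controls)} named control(s)")

    def monitor(self, actor: str, on: date) -> None:
        self._transition("monitored", actor, on, "entered monitor step")

    def review_overdue_by(self, today: date, cadence: Dict[str, int] = DEFAULT_CADENCE_DAYS) -> Optional[int]:
        """Days past the cadence for this rating; 0 when within cadence; None when never assessed."""
        if self.last_reviewed is None or self.current_rating() is None:
            return None
        due = self.last_reviewed + timedelta(days=cadence[self.current_rating()])
        return max(0, (today - due).days)

    def accept(self, decided_by: str, reason: str, accept_until: Optional[date],
               reassess_trigger: str, on: date) -> None:
        """Close as accepted only when all four acceptance fields are present."""
        fields = (("decided_by", decided_by), ("reason", reason),
                  ("accept_until", accept_until), ("reassess_trigger", reassess_trigger))
        missing = [name for name, value in fields if not value]
        if missing:
            raise ValueError(f"{self.ref}: acceptance is missing {', '.join(missing)}")
        self._transition("closed", decided_by, on,
                         f"accepted until {accept_until.isoformat()}; reason: {reason}; trigger: {reassess_trigger}")


def stale_rows(register: List[Risk], today: date) -> List[str]:
    """The whole-register test: open rows whose last review is outside the cadence for their rating."""
    return [r.ref for r in register if r.state != "closed" and r.review_overdue_by(today) != 0]


def build_sample_register() -> List[Risk]:
    """Constructed sample data for a made-up provider; exercises every step of the lifecycle."""
    falls = Risk("R-001", "Inpatient falls")
    falls.assess(4, 4, "matron", date(2026, 1, 10))  # score 16 -> extreme, 30-day cadence
    falls.treat([Control("Falls prevention module v3", "Ward manager A", "completion 92% (Jan audit)")],
                "matron", date(2026, 1, 12))
    falls.monitor("matron", date(2026, 1, 12))
    consent = Risk("R-002", "Consent documentation quality")
    consent.assess(2, 3, "clinical lead", date(2026, 4, 1))  # score 6 -> moderate, 180-day cadence
    consent.treat([Control("Consent policy CP-04 audit", "Clinical lead B", "quarterly audit")],
                  "clinical lead", date(2026, 4, 2))
    consent.monitor("clinical lead", date(2026, 4, 2))
    legacy = Risk("R-003", "Legacy equipment servicing")
    legacy.assess(3, 3, "estates", date(2025, 11, 1))  # score 9 -> high
    legacy.treat([Control("PPM schedule 2026", "Estates lead C", "servicing log")], "estates", date(2025, 11, 3))
    legacy.monitor("estates", date(2025, 11, 3))
    legacy.accept("Registered manager", "replacement funded for Q3", date(2026, 9, 30),
                  "any servicing failure or incident", date(2025, 11, 5))
    return [falls, consent, legacy]


if __name__ == "__main__":
    register = build_sample_register()
    print("stale as of", AS_OF, "->", stale_rows(register, AS_OF))
    for r in register:
        print(r.ref, r.state, r.current_rating(), "overdue by", r.review_overdue_by(AS_OF), "days")
```

Run as a script it reports R-001 as the only stale row: the falls risk is extreme, so its 30-day cadence expired in February and by the as-of date it is 110 days overdue, which is exactly the stale-date signal the inspector reads at whole-register level. The transition table is what makes the lifecycle closed: a risk cannot jump from assessed to closed, and a rejected transition writes nothing, so the audit trail only ever records moves the lifecycle permits.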

See how the risk lifecycle works inside Verivius

A 20-minute conversation walks through the NHS 5x5 matrix inside the platform, how reviews fire on cadence, and how risks link back to the incidents and complaints that evidence whether the controls are working. No demo deck.

Worth reading alongside: the improvement-action-plans page for how risk treatments and improvement actions interlock, and the longer article for the founder-voice essay on what an inspector reads in a risk register.

Related sample policy template: Good governance (Reg 17) (Reg 17 sets the system-level risk-management duty the register operationalises).

Book a 20-minute design-partner conversation

50% off for 12 months. Mock Inspection at the design-partner rate.

Last reviewed 30 May 2026