Of all the governance documents CQC inspectors examine during a visit, the risk register is one of the most revealing. A well-maintained, regularly reviewed risk register demonstrates systematic governance across multiple Quality Statements in the Well-led domain. A poor one — a list of risks updated once a year before inspection — does the opposite.
Why the Risk Register Matters Under the SAF
The risk register directly evidences multiple Quality Statements, particularly within Well-led:
- Governance, management and sustainability — a live risk register is a core element of demonstrating active oversight of quality and safety
- Shared direction and culture — a register presented to and discussed by the board demonstrates shared leadership awareness of risk
- Learning, improvement and innovation — risks that arise from incidents and are formally captured and mitigated show a genuine learning culture
The 7 Categories Every Risk Register Must Cover
- Clinical — Falls, pressure ulcers, medication errors, infection outbreaks, DoLS, mental capacity
- Staffing — Vacancies, agency dependency, training compliance, single points of failure
- Environmental — Building maintenance, fire safety, COSHH, Legionella, equipment
- Regulatory — CQC compliance gaps, outstanding actions from previous inspections
- Financial — Occupancy levels, fee income dependency, insurance
- Governance — Oversight gaps, manager absence cover, audit coverage
- Safeguarding — Active safeguarding enquiries, complaints with patterns
The Structure of a Functional Risk Entry
| Field | What It Contains | Why It Matters |
|---|---|---|
| Risk Description | Specific, not generic — not "medication risk" but "risk of MAR errors due to bank staff unfamiliarity" | Specificity shows genuine risk identification |
| Likelihood (1–5) | Scored on evidence, not assumption | Shows the risk is assessed, not just listed |
| Impact (1–5) | 1 (negligible) to 5 (catastrophic) | Drives prioritisation of mitigation effort |
| Risk Score | L × I = Score: 15–25 High, 8–14 Medium, 1–7 Low | Prioritises board attention appropriately |
| Named Owner | A specific person — not "the team" | Inspectors look for individual accountability |
| Review Date | No more than monthly for High scores | Shows the register is live, not static |
Common Mistakes — and What Works Instead
- Mistake: "Risk: Staffing. L:3. I:3. Owner: Management. Review: Annually."
- What works instead: "High agency use on nights creating unfamiliarity with residents' care needs. L:4 I:4=16 (High). Owner: Deputy. Monthly review. Action: Induction pack by 30/04."
- Mistake: A risk register identical in Month 1, 6, and 12. No updated dates, no evidence of review.
- What works instead: A register with monthly review dates signed, risk scores that change as mitigations are put in place, and a 12-month archive.
The 12-month file: When CQC visits, produce 12 months of dated risk register versions showing scores have evolved, actions have been completed, and new risks have been identified. This is one of the most powerful compliance artefacts a care home can present.
The Monthly Risk Register Rhythm
Make risk register review a fixed monthly agenda item at your board or management meeting. At the end of each month, save the register as a dated version (e.g. "RiskRegister_March2026.xlsx") and archive it. After 12 months you have an unbreakable audit trail.
Is Your Risk Register Up to Standard?
Keystone Compliance rebuilds and maintains your risk register every month as part of our governance retainer — ensuring it is always inspection-ready, always current, and always presented to your board.