Back to Blog
Governance & Compliance·

CQC Regulation 17 Good Governance: what care providers need to evidence

CQC Regulation 17 requires care providers to maintain effective governance systems. This guide explains what evidence inspectors expect, and how to produce it consistently.

Statixs Compliance Team

Statixs

What is CQC Regulation 17?

CQC Regulation 17 (Health and Social Care Act 2008, Regulated Activities Regulations 2014) requires registered persons to maintain effective governance systems that assess, monitor, and improve the quality and safety of the services they provide.

In practice, it is the regulation that covers everything that stops a care home from descending into reactive crisis management: risk registers, audit cycles, action plans, management oversight, and formal review structures.

It is also one of the most commonly cited regulations in CQC requirement notices. Poor governance is rarely about one incident. It is about the absence of a system that would have caught the incident earlier.


What CQC Inspectors Expect to See

1. A maintained risk register

Not a spreadsheet created the week before inspection. Inspectors look for:

  • Active risks with current ratings (likelihood × impact)
  • Named owners and review dates
  • Evidence that risks have been reviewed, not just listed
  • Actions taken in response to elevated risks

A risk register that hasn't been updated in three months tells an inspector that governance is ceremonial, not operational. See how a structured risk register system produces this evidence as you work.

2. Action plans that close

Action plans must demonstrate improvement, not just intent. CQC expects:

  • Actions linked to identified risks, incidents, or audit findings
  • Named responsible persons with deadlines
  • Evidence of completion, not just a "closed" checkbox
  • A trail showing what happened between the action being raised and being resolved

3. Regular audits with dated findings

Governance audits must be documented and dated. If your audit is "mental notes from the manager's walkround," it will not satisfy inspection evidence requirements.

Common audit areas inspectors look for evidence of:

  • Medication management
  • Staffing levels against baselines
  • Training compliance
  • Infection prevention

4. Governance meetings with minutes

Regular management review meetings with attendance records and decision logs. If governance only happens during inspections, the evidence will show it.

5. Responsive action after incidents

Inspectors follow the trail from incident to investigation to action to review. If that chain breaks anywhere, the governance finding will follow.


Common Governance Failures That Lead to Requirement Notices

Gap What CQC Sees
Risk register not updated "No evidence that risks were actively managed"
Action plans created but not closed "Actions identified but not followed through"
No governance meeting minutes "No documented oversight by the registered person"
Audit findings not actioned "Audits conducted but no evidence of improvement"
Incidents not reviewed at governance level "Individual incident review but no systemic analysis"

The Problem with Spreadsheet Governance

Most care providers run governance through a combination of spreadsheets, shared drives, and email threads. The fundamental problem is not the tools. It is that these systems do not produce evidence automatically.

When a CQC inspector asks for your governance evidence, you either have it structured and ready, or you spend the first hour of an inspection assembling it. The latter signals that governance is not embedded in day-to-day operations.

A governance operating layer changes this by producing evidence as part of the workflow (risk identified, action raised, evidence structured, review completed) rather than as a separate administrative exercise.


What Good Governance Evidence Looks Like

When Regulation 17 evidence is produced structurally:

  • Risk register shows real-time status, last review date, current actions, escalation history
  • Action plans show each action from open to closed, with evidence attached
  • Assurance packs are pre-structured around CQC standards, ready before the inspector requests them
  • Governance reviews are scheduled, attended, and logged with outcomes
  • Audit trail is automatic. Every change, review, and decision is timestamped

This is the difference between governance as a paper exercise and governance as an operating function.


Regulation 17: Key Requirements Summary

Requirement Evidence Expected
Assess, monitor and improve quality Regular audits with dated findings and outcomes
Assess, monitor and mitigate risks Maintained risk register with owner and review trail
Maintain accurate, complete records Documented governance decisions and meeting minutes
Seek and act on feedback Records showing feedback received and responded to
Share information with relevant persons Evidence of disclosure and notification where required

Next Steps

If your current governance system relies on spreadsheets and shared folders, the question is not whether CQC will find a gap. It is when. This is the job CQC compliance software exists to do: produce governance evidence as part of daily work, not as a separate exercise before an inspection.

The Statixs governance layer is built specifically around Regulation 17 activity: risk register, action plans, assurance packs, and governance reviews connected in one operating system.

See how the governance layer works

Free resource

CQC Inspection Checklist

Everything inspectors look for, structured by the five key questions. Free for care providers.

Get the checklist

Stay Updated on Care Home Compliance

Get weekly tips on CQC compliance, DBS checks, and care home management. Plus exclusive guides and updates.

Free weekly newsletter • Unsubscribe anytime • No spam, ever

See Statixs in your environment

A demonstration tailored to your compliance requirements: CQC compliance, DBS checks, scheduling, and workforce management.

Book a Demonstration