Back to Blog
Governance & Compliance·

Risk registers for care homes: what to include and how to maintain them

A practical guide to running a CQC-compliant risk register in a care home: what fields to include, how to rate risks, and how to keep it current between inspections.

Statixs Compliance Team

Statixs

Why Most Care Home Risk Registers Fail CQC Inspection

The most common finding when CQC inspects a care home's Regulation 17 governance isn't that there's no risk register. It's that the one they find hasn't been reviewed since it was created.

A risk register is not a document you produce once and file. It is an active record of what could go wrong, who is responsible for preventing it, and what has been done. When a CQC inspector reviews your risk register, they are looking for evidence that governance is an ongoing activity, not a preparation exercise.


What a Care Home Risk Register Must Include

Minimum required fields

Field Purpose
Risk ID Unique reference for tracking
Risk description Clear statement of what could go wrong
Category Operational / Clinical / Regulatory / Financial / Environmental
Likelihood rating 1–5 scale (1 = rare, 5 = almost certain)
Impact rating 1–5 scale (1 = negligible, 5 = catastrophic)
Risk score Likelihood × Impact
Risk owner Named individual responsible
Controls in place Current mitigations actively applied
Residual rating Risk score after controls
Date identified When the risk was first raised
Last reviewed When the risk was most recently assessed
Next review date Scheduled review; must not be missed
Status Open / Monitoring / Escalated / Closed

Fields that strengthen your evidence

  • Related incidents: link the risk to any incidents that triggered or relate to it
  • Action plan reference: link to active actions addressing the risk
  • Escalation record: log of any escalation to senior management
  • CQC regulation mapping: which regulation this risk relates to (e.g. Reg 17, 18, 19)

Risk Rating: How to Score Consistently

CQC inspectors look for consistency in how risks are scored. A risk rated "low" that has resulted in three incidents should not stay rated "low."

Standard 5×5 risk matrix:

Rare (1) Unlikely (2) Possible (3) Likely (4) Almost Certain (5)
Negligible (1) 1 2 3 4 5
Minor (2) 2 4 6 8 10
Moderate (3) 3 6 9 12 15
Major (4) 4 8 12 16 20
Catastrophic (5) 5 10 15 20 25

Risk thresholds:

  • 1–6: Low. Monitor, review quarterly
  • 7–12: Medium. Active management, review monthly
  • 13–19: High. Priority action required, review weekly
  • 20–25: Critical. Immediate escalation

Common Care Home Risk Categories

Clinical and care quality

  • Medication management failure
  • Falls prevention gaps
  • Pressure injury risk
  • Infection control breakdown

Staffing and workforce

  • Staffing below baseline (Regulation 18)
  • Expired training or credentials
  • Agency reliance creating skill mix gaps

Governance and regulatory

  • Evidence not structured for inspection
  • Audit cycle lapses
  • Incident review not escalated to governance

Environmental

  • Equipment maintenance gaps
  • Fire safety system failures
  • COSHH storage non-compliance

How Often Should Risks Be Reviewed?

Risk level Minimum review frequency
Critical (20–25) Weekly until reduced
High (13–19) Monthly
Medium (7–12) Quarterly
Low (1–6) Bi-annually

These are minimum frequencies. New incidents, complaints, or audit findings should trigger an immediate review of any related risks regardless of scheduled dates.


The Maintenance Problem

The reason risk registers fail is not that care providers don't understand what to include. It is that maintaining a spreadsheet risk register is a manual overhead that falls down when the home is under operational pressure.

When staffing is difficult and incidents are happening, the risk register update is what gets deferred. And then it stays deferred. Then CQC arrives.

A structured risk register system keeps the register current as part of normal governance activity. Risk ratings update when incidents are logged, actions are raised directly from risks, and review reminders are built into the workflow rather than dependent on someone remembering.

This is the structural difference between a risk register as a document and a governance operating layer as an operating function.


Risk Register vs Risk Assessment

A risk register is not the same as individual resident risk assessments (for falls, pressure care, nutrition, etc.). Those live in the care plan.

The governance risk register operates at the service level. It captures organisational and operational risks, not individual resident risks. Both are required. CQC will look at both. They are not interchangeable.


Getting Started

If you are building or rebuilding your risk register:

  1. Start with a category sweep: identify the main risk categories relevant to your service
  2. Populate the minimum fields: do not make this complex; start with what you can maintain
  3. Assign owners: every risk needs a named person, not a job title
  4. Set review dates: schedule them in a governance calendar
  5. Connect to action plans: every medium+ risk should have at least one active action

Once the structure exists, the discipline of maintaining it is easier. The problem is usually that the structure is wrong: too many fields, no review process, no escalation path.

See how a structured risk register works in practice

Free resource

CQC Inspection Checklist

Everything inspectors look for, structured by the five key questions. Free for care providers.

Get the checklist

Stay Updated on Care Home Compliance

Get weekly tips on CQC compliance, DBS checks, and care home management. Plus exclusive guides and updates.

Free weekly newsletter • Unsubscribe anytime • No spam, ever

See Statixs in your environment

A demonstration tailored to your compliance requirements: CQC compliance, DBS checks, scheduling, and workforce management.

Book a Demonstration