Risk registers for care homes: what to include and how to maintain them
A practical guide to running a CQC-compliant risk register in a care home: what fields to include, how to rate risks, and how to keep it current between inspections.
Statixs Compliance Team
Statixs
Why Most Care Home Risk Registers Fail CQC Inspection
The most common finding when CQC inspects a care home's Regulation 17 governance isn't that there's no risk register. It's that the one they find hasn't been reviewed since it was created.
A risk register is not a document you produce once and file. It is an active record of what could go wrong, who is responsible for preventing it, and what has been done. When a CQC inspector reviews your risk register, they are looking for evidence that governance is an ongoing activity, not a preparation exercise.
What a Care Home Risk Register Must Include
Minimum required fields
| Field | Purpose |
|---|---|
| Risk ID | Unique reference for tracking |
| Risk description | Clear statement of what could go wrong |
| Category | Operational / Clinical / Regulatory / Financial / Environmental |
| Likelihood rating | 1–5 scale (1 = rare, 5 = almost certain) |
| Impact rating | 1–5 scale (1 = negligible, 5 = catastrophic) |
| Risk score | Likelihood × Impact |
| Risk owner | Named individual responsible |
| Controls in place | Current mitigations actively applied |
| Residual rating | Risk score after controls |
| Date identified | When the risk was first raised |
| Last reviewed | When the risk was most recently assessed |
| Next review date | Scheduled review; must not be missed |
| Status | Open / Monitoring / Escalated / Closed |
Fields that strengthen your evidence
- Related incidents: link the risk to any incidents that triggered or relate to it
- Action plan reference: link to active actions addressing the risk
- Escalation record: log of any escalation to senior management
- CQC regulation mapping: which regulation this risk relates to (e.g. Reg 17, 18, 19)
Risk Rating: How to Score Consistently
CQC inspectors look for consistency in how risks are scored. A risk rated "low" that has resulted in three incidents should not stay rated "low."
Standard 5×5 risk matrix:
| Rare (1) | Unlikely (2) | Possible (3) | Likely (4) | Almost Certain (5) | |
|---|---|---|---|---|---|
| Negligible (1) | 1 | 2 | 3 | 4 | 5 |
| Minor (2) | 2 | 4 | 6 | 8 | 10 |
| Moderate (3) | 3 | 6 | 9 | 12 | 15 |
| Major (4) | 4 | 8 | 12 | 16 | 20 |
| Catastrophic (5) | 5 | 10 | 15 | 20 | 25 |
Risk thresholds:
- 1–6: Low. Monitor, review quarterly
- 7–12: Medium. Active management, review monthly
- 13–19: High. Priority action required, review weekly
- 20–25: Critical. Immediate escalation
Common Care Home Risk Categories
Clinical and care quality
- Medication management failure
- Falls prevention gaps
- Pressure injury risk
- Infection control breakdown
Staffing and workforce
- Staffing below baseline (Regulation 18)
- Expired training or credentials
- Agency reliance creating skill mix gaps
Governance and regulatory
- Evidence not structured for inspection
- Audit cycle lapses
- Incident review not escalated to governance
Environmental
- Equipment maintenance gaps
- Fire safety system failures
- COSHH storage non-compliance
How Often Should Risks Be Reviewed?
| Risk level | Minimum review frequency |
|---|---|
| Critical (20–25) | Weekly until reduced |
| High (13–19) | Monthly |
| Medium (7–12) | Quarterly |
| Low (1–6) | Bi-annually |
These are minimum frequencies. New incidents, complaints, or audit findings should trigger an immediate review of any related risks regardless of scheduled dates.
The Maintenance Problem
The reason risk registers fail is not that care providers don't understand what to include. It is that maintaining a spreadsheet risk register is a manual overhead that falls down when the home is under operational pressure.
When staffing is difficult and incidents are happening, the risk register update is what gets deferred. And then it stays deferred. Then CQC arrives.
A structured risk register system keeps the register current as part of normal governance activity. Risk ratings update when incidents are logged, actions are raised directly from risks, and review reminders are built into the workflow rather than dependent on someone remembering.
This is the structural difference between a risk register as a document and a governance operating layer as an operating function.
Risk Register vs Risk Assessment
A risk register is not the same as individual resident risk assessments (for falls, pressure care, nutrition, etc.). Those live in the care plan.
The governance risk register operates at the service level. It captures organisational and operational risks, not individual resident risks. Both are required. CQC will look at both. They are not interchangeable.
Getting Started
If you are building or rebuilding your risk register:
- Start with a category sweep: identify the main risk categories relevant to your service
- Populate the minimum fields: do not make this complex; start with what you can maintain
- Assign owners: every risk needs a named person, not a job title
- Set review dates: schedule them in a governance calendar
- Connect to action plans: every medium+ risk should have at least one active action
Once the structure exists, the discipline of maintaining it is easier. The problem is usually that the structure is wrong: too many fields, no review process, no escalation path.
CQC Inspection Checklist
Everything inspectors look for, structured by the five key questions. Free for care providers.
Get the checklistStay Updated on Care Home Compliance
Get weekly tips on CQC compliance, DBS checks, and care home management. Plus exclusive guides and updates.
Free weekly newsletter • Unsubscribe anytime • No spam, ever
See Statixs in your environment
A demonstration tailored to your compliance requirements: CQC compliance, DBS checks, scheduling, and workforce management.
Book a Demonstration