How CQC Assesses Whether Risk Controls Are Working Across Multiple Quality Statements Before Rating Decisions
CQC rating decisions often depend on whether risk controls are working in practice. A provider may have clear policies, updated risk assessments and completed action plans, but assessors usually look further. They may test whether controls are visible in daily support, staff decisions, incident response, audit findings and leadership review. For wider context, see our CQC assessment and rating decisions guidance, CQC quality statements resources and CQC compliance knowledge hub.
Strong providers can show that risk controls are active across the service. They explain what the control is, where it appears in records, how staff apply it, how leaders monitor it and what changes when evidence suggests the control is weakening.
Why this matters
This matters because risk control is rarely judged from documents alone. CQC may ask whether staff understand the control, whether it is used consistently and whether it reduces the risk it was designed to manage.
It also matters because controls often connect several quality statements. A moving and handling control, for example, may link to safe care, staff competence, person-centred planning, governance and feedback from the person supported.
Clear framework for evidencing working risk controls
The first requirement is control clarity. Providers should define the specific risk, the agreed control and the expected staff action in plain operational terms.
The second requirement is cross-evidence testing. Leaders should check whether the control is visible in records, audits, observations and feedback. This reflects how CQC identifies patterns of risk and excellence across quality statements, because working controls usually create a positive pattern across several evidence routes.
The third requirement is response to drift. Providers should show what happens when control evidence weakens, including who acts, what changes and how improvement is checked.
Operational example 1: Falls risk controls need to be visible in care records and daily support
Step 1: The Quality Lead reviews falls risk assessments, mobility plans and recent incident records, records control status in the falls assurance tracker, then identifies whether agreed controls are current and matched to each person’s needs.
Step 2: The Registered Manager compares falls controls with daily notes and staff handovers, records the findings in the risk control review, then checks whether written controls are being followed during routine support.
Step 3: The Deputy Manager observes mobility support during selected visits or shifts, records staff actions in the live practice sheet, then confirms whether equipment, prompts and supervision match the care plan.
Step 4: The Team Leader addresses any gap with the staff involved, records coaching and immediate corrections in the local safety log, then confirms the corrected control is understood before the next shift.
Step 5: The Registered Manager reviews falls control evidence at the quality meeting, records the judgement in the assurance summary, then escalates if control gaps repeat or falls increase.
What can go wrong is that the falls plan is correct but staff practice varies when routines are busy. Early warning signs include vague daily notes, repeated near misses and staff using different approaches. Escalation may involve equipment review, competency checks or increased supervision. Consistency is maintained by checking the control in real delivery, not only in the care plan.
Governance should audit falls assessments, daily records, incident themes and observed practice. The Registered Manager reviews monthly, senior leaders review quarterly, and action is triggered by repeat falls, unclear staff practice or mismatch between records and delivery. The baseline issue is uncertain falls control reliability. Measurable improvement includes fewer repeated falls, clearer staff practice and stronger record alignment. Evidence sources include care records, audits, feedback and staff practice.
Operational example 2: Medication risk controls need to show safe handling across staff groups
Step 1: The Medicines Lead checks medication profiles, MAR charts and competency records, records control gaps in the medicines control log, then identifies whether safe administration routines are consistent across staff groups.
Step 2: The Registered Manager compares medication audit findings with incident and near-miss records, records the analysis in the medicines assurance note, then assesses whether controls are reducing repeat risk.
Step 3: The Deputy Manager observes a medication round or administration process, records staff practice in the validation sheet, then confirms whether checks, prompts and recording are completed as required.
Step 4: The Team Leader completes focused follow-up with any staff member needing support, records discussion and observed correction in the medicines practice log, then reinforces the agreed control at handover.
Step 5: The Registered Manager reviews medication control evidence through governance, records the current risk judgement in the assurance summary, then escalates if errors continue after coaching or audit action.
What can go wrong is that audit compliance looks acceptable while the same small medication risks recur in practice. Early warning signs include repeated signing corrections, unclear escalation after near misses and staff relying on memory rather than process. Escalation may involve pharmacist advice, temporary double-checks or competency reassessment. Consistency is maintained by linking audit results to observed practice and staff confidence.
Governance should audit MAR accuracy, competency evidence, near-miss trends and action closure. The Registered Manager reviews monthly, senior leaders review quarterly, and action is triggered by repeat errors, weak competency evidence or unsafe variation. The baseline issue is medication control inconsistency. Measurable improvement includes fewer MAR corrections, stronger staff confidence and reduced repeat near misses. Evidence sources include care records, audits, feedback and staff practice.
Operational example 3: Behaviour support controls need to be applied consistently and least restrictively
Step 1: The Practice Lead reviews behaviour support plans, incident records and restrictive practice checks, records control evidence in the behaviour support tracker, then identifies whether agreed proactive strategies remain current and least restrictive.
Step 2: The Registered Manager compares behaviour incidents with staff debriefs and supervision notes, records the pattern in the practice assurance file, then checks whether controls are preventing escalation or only responding afterwards.
Step 3: The Deputy Manager observes support during known trigger periods, records staff use of proactive strategies in the live validation sheet, then confirms whether practice matches the person’s agreed plan.
Step 4: The Team Leader completes reflective discussion with staff after any incident, records learning and agreed changes in the behaviour support log, then reinforces consistent proactive practice across the team.
Step 5: The Registered Manager reviews behaviour control evidence at governance meeting, records the risk and rights judgement in the assurance summary, then escalates if restrictive responses increase or proactive controls weaken.
What can go wrong is that staff respond safely to incidents but do not consistently use proactive controls that prevent distress. Early warning signs include repeated triggers, more reactive responses and weaker recording of what worked. Escalation may involve PBS review, staff coaching or multidisciplinary advice. Consistency is maintained by checking whether proactive support happens before distress escalates.
Governance should audit behaviour plans, incident themes, restrictive practice review and observed staff practice. The Registered Manager reviews monthly, senior leaders review quarterly, and action is triggered by increased incidents, repeated triggers or rising restrictive responses. The baseline issue is inconsistent proactive behaviour support. Measurable improvement includes fewer repeated incidents, stronger proactive practice and clearer rights-based review. Evidence sources include care records, audits, feedback and staff practice.
Commissioner expectation
Commissioners expect providers to prove that risk controls are working in daily delivery. They look for services that can show the link between assessed risk, staff action, governance review and measurable improvement.
They also expect providers to act quickly when controls drift. A control that is written but not applied consistently will not provide the same assurance as one that is checked, corrected and evidenced through practice.
Regulator / Inspector expectation
CQC assessors expect providers to evidence risk controls across records, staff conversations, observed practice, incidents and governance. They may test whether leaders understand which controls are strong and which need closer review.
Inspectors usually gain confidence when controls are current, understood and visibly reducing risk. They lose confidence when controls exist in paperwork but are weak, inconsistent or poorly monitored in practice.
Strong services routinely apply triangulation across audits and reviews to ensure governance reflects real-world delivery.
Conclusion
Risk controls influence rating confidence when they are active, understood and evidenced across quality statements. Providers should not rely on policies or care plans alone. They need to show that controls are used by staff, checked by leaders and adjusted when evidence shows drift or changing need.
Governance makes this visible. Control logs, assurance notes, validation sheets, safety records and governance summaries should show how each risk is managed from assessment through to daily delivery and review. Outcomes are evidenced through fewer repeat incidents, clearer staff practice, better records and stronger feedback from people and families.
Consistency is maintained when every control follows the same route: define the risk, agree the action, test practice, correct drift and review whether the control is improving safety and experience. This helps CQC see that risk is not only identified, but actively managed across the service.