When Providers Should Share Risk Intelligence with Commissioners and Partners

Provider risk intelligence is not only for internal governance. Some concerns need to be shared with commissioners, safeguarding partners, health professionals or other stakeholders when risk affects safety, continuity or confidence.

Using provider risk profile intelligence for external communication helps leaders decide when internal concern should move into wider assurance.

This must be supported by CQC evidence and assurance for shared risk decisions, including care records, audits, feedback, action plans and governance records.

The wider CQC compliance and governance knowledge hub supports providers to connect transparency, monitoring and inspection-ready oversight.

Why this matters

Commissioners and partners do not expect providers to have no risk. They expect providers to identify risk early, act honestly and communicate where external assurance or coordination is needed.

Risk increases when providers hold serious or repeated concerns internally for too long. This can damage trust and weaken evidence of responsible governance.

Clear thresholds help managers avoid both under-reporting and unnecessary escalation.

A clear framework for sharing risk intelligence

Providers should consider external sharing when risk affects safety, continuity, safeguarding, contract delivery, public confidence or multi-agency action.

The decision should record what is being shared, why it is being shared, who is being informed and what operational action is already underway.

Good governance shows that communication is timely, factual and linked to improvement.

Operational example 1: Sharing staffing risk with commissioners

Baseline issue: A homecare branch had rising staffing pressure, with some care calls at risk of delay. The measurable improvement target was commissioner-informed risk management with reduced delayed visits within four weeks, evidenced through rotas, care records, audits and feedback.

Step 1: The branch manager reviews rota gaps and delayed visit indicators, identifies contract delivery risk, and records findings in the staffing risk profile.

Step 2: The provider operations lead reviews the evidence, decides commissioner notification is required, and records the rationale in the external communication log.

Step 3: The contract lead informs the commissioner of the risk, explains current controls and recovery action, and records the communication in the contract monitoring file.

Step 4: The rota lead applies the agreed recovery controls, prioritises high-risk visits, and records changes in the rota management system.

Step 5: The provider governance lead reviews delayed visit data after four weeks, checks whether risk reduced, and records outcomes in governance minutes.

What can go wrong is that providers delay commissioner communication until disruption is already visible. Early warning signs include repeated uncovered calls, short-notice changes or family concern. Escalation may involve temporary package review, provider resource or commissioner risk meeting. Consistency is maintained through contract-risk thresholds.

Governance audits check rota gaps, delayed visit records, commissioner communication and recovery outcomes. The provider operations lead reviews weekly during risk periods. Action is triggered by contract delivery risk, repeated delay, high-risk missed care indicators or no improvement after controls.

Operational example 2: Sharing safeguarding intelligence with the local authority

Baseline issue: Several low-level concerns involved the same setting and similar circumstances, but no single event had triggered a full safeguarding referral. The measurable improvement target was timely multi-agency review where repeated safeguarding indicators appear, evidenced through care records, audits, feedback and staff practice.

Step 1: The safeguarding lead reviews low-level concern records, identifies repeated indicators, and records the pattern in the safeguarding intelligence tracker.

Step 2: The Registered Manager checks care records and staff notes linked to the concerns, confirms whether risk is escalating, and records findings in the safeguarding review note.

Step 3: The provider safeguarding lead decides whether local authority advice is required, records the rationale, and updates the safeguarding oversight log.

Step 4: The safeguarding lead contacts the local authority for advice or referral where required, records guidance received, and updates the safeguarding action record.

Step 5: The provider safeguarding board reviews the pattern and response, checks whether controls changed practice, and records assurance in safeguarding governance minutes.

What can go wrong is that repeated low-level safeguarding indicators stay internal because each concern appears minor. Early warning signs include repeated wellbeing changes, staff uncertainty or similar allegations. Escalation may involve local authority advice, advocacy input or provider-led restrictions. Consistency is maintained through pattern review.

Governance audits check concern records, safeguarding rationale, external advice and action completion. The provider safeguarding board reviews quarterly, with immediate review for repeated indicators. Action is triggered by recurring safeguarding signals, uncertainty about threshold, vulnerable person impact or weak local controls.

Operational example 3: Sharing quality recovery progress after commissioner concern

Baseline issue: A commissioner raised concern about communication and missed updates, but recovery evidence was not shared in a structured way. The measurable improvement target was fortnightly evidence-led recovery updates until assurance improved, evidenced through feedback, audits, care records and staff practice.

Step 1: The contract lead records the commissioner concern, identifies required assurance, and enters the issue in the external assurance tracker.

Step 2: The Registered Manager gathers recovery evidence from feedback, care records and action plans, and records the evidence set in the service assurance file.

Step 3: The provider quality lead validates the recovery evidence, checks whether it proves improvement, and records findings in the assurance review note.

Step 4: The contract lead sends the commissioner a factual recovery update, explains progress and remaining risk, and records the update in the contract monitoring file.

Step 5: The provider governance group reviews commissioner feedback on the update, confirms next steps, and records decisions in governance minutes.

What can go wrong is that providers communicate reassurance without evidence. Early warning signs include repeated commissioner queries, unclear progress reports or unresolved feedback. Escalation may involve senior provider meeting, revised recovery plan or enhanced monitoring. Consistency is maintained through structured assurance updates.

Governance audits check commissioner concerns, evidence quality, recovery updates and outcome review. The provider governance group reviews fortnightly during recovery. Action is triggered by commissioner concern, weak assurance evidence, repeated request for updates or no measurable improvement.

Commissioner expectation

Commissioners expect providers to communicate significant or repeated risk transparently. They may ask when the provider first identified concern, what action was taken and why communication happened when it did.

They will look for evidence that external updates are factual and linked to operational controls.

Strong communication reassures commissioners that the provider is not hiding risk and is managing contract, safety and quality concerns responsibly.

Regulator and inspector expectation

CQC inspectors may review whether providers shared risk appropriately with commissioners, safeguarding partners or professionals. They may compare internal governance records with external communication.

If serious or repeated risk remained internal without rationale, inspectors may question openness and governance effectiveness.

The provider should evidence communication thresholds, decision rationale, external updates, action tracking and outcome review.

Conclusion

Providers should use risk intelligence to decide when internal concern needs external communication. The aim is not to over-escalate every issue, but to share significant, repeated or service-impacting risk at the right time.

Outcomes are evidenced through care records, audits, feedback, staffing data, safeguarding logs, contract files and governance minutes. Improvement is shown when risks are communicated early, recovery actions are evidenced and external confidence is supported by facts.

Consistency is maintained through clear thresholds, external communication logs, validated evidence and provider review. Decisions to share or not share should both be recorded where risk is significant.

For CQC and commissioners, this demonstrates transparent provider governance. It shows that intelligence is used not only to monitor risk internally, but to coordinate wider assurance where people, quality or continuity may be affected.

Latest from the knowledge hub

⬅️ Return to Knowledge Hub Index