Article

The risk register most providers get wrong

A register that does not drive any action is a register the inspector can use against you. A simple test for whether yours is doing the work.

Most risk registers I have read in small independent services do not do anything. They list risks. They are reviewed at the annual governance meeting. The reviewer initials a column to confirm the review happened. Nothing else follows from the register's existence.

This is not a moral failure. It is a structural one. Most risk register templates come from a previous employer, a consultancy slide, or a Google download, and they were designed as compliance artefacts rather than as operational tools. A compliance artefact does the work of looking right to an auditor. An operational tool does the work of changing what the service does. The two are not the same document, and providers who treat the first as if it were the second are doing the work twice without getting the benefit of either.

This article is about what a risk register that actually does the work looks like, and a simple test to know whether yours is doing it.

What a risk register is for

Strip away the formality. A risk register exists for four reasons. None of them are about looking organised.

To make the high-attention risks visible to people who do not work on them every day. A new starter, a covering nurse, a junior manager, should be able to read the register and know what the service is worried about. If the register is so generic that any small clinic could have written it, it is not doing this job.

To drive a review cadence proportional to risk. A high-rated risk should be reviewed monthly with evidence of progress. A medium-rated risk quarterly. A low-rated risk annually. If every entry is reviewed annually regardless of rating, the rating is decorative.

To drive action. Each open risk should have a current mitigation, a named owner, and either a closure target or an explicit decision to accept the risk at its current level. A risk with no mitigation, no owner, and no closure target is not a managed risk; it is a logged risk.

To get closed. A risk register that only grows is broken. Closing a risk is a positive event that should leave a dated record. If your register has not closed an entry in twelve months, either nothing is genuinely resolving (operational problem) or closure is not being recorded (process problem). The register cannot tell you which without you investigating.

If a risk register is not doing these four jobs, the time spent maintaining it is wasted. Worse: it produces a document that an inspector can read as evidence of governance theatre rather than governance practice.

The four most common failures

In rough order of frequency.

Risks written too generically. "Risk of harm to patients" is not a risk; it is the entire reason the service exists. "Risk that a patient receives the wrong dose of insulin because the prescription is not double-checked at the point of administration" is a risk. The first cannot be mitigated specifically; the second can. Generic entries are the single most common failure I see.

Mitigations that are not actions. "Staff training" is not a mitigation; it is a category of activity. "All clinical staff completed module 4.2 of the insulin administration training by 30 April, verified by competency assessment" is a mitigation. The first cannot be evidenced; the second can.

Owners that are roles, not people. "The clinical lead" is not an owner; it is an org-chart entry. "Sarah Khan, until 30 September; reassign on her return from leave" is an owner. The first hides who is actually responsible; the second makes it visible.

Review dates that drift. Most registers I read have a "next review" column that has been in the past for several months. A review date that has passed is not a date; it is a backlog. Either the register is being maintained or it is not; a register where reviews are quietly overdue is showing the inspector exactly what they are looking for.

A simple test

This is the test I use when reading a service's risk register for the first time.

Pick three open entries at random. For each, ask the registered manager: name one specific decision the service made in the last quarter that was made because of this entry on the register.

If they can name a decision for all three, the register is doing work.

If they can name a decision for one or two, the register is partially doing work; the entries without a recent decision are candidates for closure or for a real action plan.

If they cannot name a decision for any, the register is dead weight. The fix is not to add more entries. The fix is to take the existing entries and ask, for each, whether a real action would follow from leaving it open. Entries that pass become the live register. Entries that fail get closed, with the reasoning recorded.

A live register with twelve entries that each drive monthly action is worth more than a dead register with sixty entries that drive nothing.

Why scoring methodology matters

Some risk registers use no scoring. Some use a 1-25 scale (likelihood × consequence). Some use traffic-light colours. Some use the NHS 5×5 Risk Matrix.

The NHS 5×5 matrix is the best default for healthcare in England. Two reasons: most clinicians have encountered it before, which lowers the cost of new staff adopting your register; and it produces a defensible score (low, moderate, high, extreme) that maps onto review cadence cleanly. A 25 (extreme) entry is reviewed monthly; a 12 (moderate) quarterly; a 4 (low) annually.

If you use no scoring at all, the register cannot drive cadence. Every entry is reviewed on the same calendar, which means high-attention risks get reviewed too rarely and low-attention risks too often.

If you use traffic-light only, the same problem applies in softer form. Three categories of attention. Better than nothing; worse than a 5×5 scored register that gives you twenty-five gradations to work with.

The matrix you use matters less than the consistent application of it. A register where different people are scoring entries differently is a register that does not produce a meaningful score.

How Verivius handles risks

Verivius ships a risk register module built around the NHS 5×5 matrix. Each entry has structured fields for risk description, current mitigation, owner, score, review cadence, and review history. The cadence drives a queue of overdue reviews into the dashboard so reviews that have drifted are visible to the manager rather than hidden in a static document. Closure is a tracked event with a dated record. Pattern detection across the register surfaces clusters (multiple entries citing the same staff member, the same equipment, the same time of day) so the register works as a system, not a list.

None of this is novel. It is what a working risk register should do; what is novel is that small independent services can now have it as part of their daily-use platform.

The point

A risk register exists to change what the service does. If yours does not, no amount of polish on the spreadsheet will make it pass the inspector test. Strip it back to the entries that drive real action. Close the entries that do not. Review on a cadence proportional to score. Make the owner a person, with a date, not a role.

A live register with ten entries that each drive monthly decisions is the best evidence of well-led you can produce. A dead register with sixty entries that drive nothing is the worst.

Klaudiusz Zembrzuski

Founder, Verivius

Has your risk register closed an entry in the last twelve months?

If not, that is your work for next month. The Verivius risk module is built around the NHS 5×5 matrix with review cadence, owner tracking, and closure as a first-class event. Request a 30-minute conversation and I will walk through what a working register looks like in practice.