How to evaluate CQC governance software

Registered managers, nominated individuals, owner-operators, and operations leads at small CQC-regulated independent health and social care providers in England. The target span is 1 to 25 staff per location, 1 to 5 locations. Independent secondary care, dental, adult social care, general practice, independent ambulance, private clinics, diagnostic imaging, and similar.

If you run an NHS Trust, this guide is not for you. The market is different, the procurement model is different, the budgets are different. Look at the mid-enterprise category instead.

CQC governance software is a market shaped by two failure modes. The first: vendors sell to providers who do not actually need software, exploiting inspection anxiety to push a tool a spreadsheet would do better. The second: providers buy a tool that does not fit their shape (a mid-enterprise platform pitched at a small clinic, or a clinical EMR pitched as a governance tool) and stop using it within months.

This guide is the framework that prevents both failures. Six sections: the four shapes of CQC governance tooling (what you are choosing between), the eight evaluation criteria that actually matter (what to grade each option against), common red flags in vendor pitches (what to walk away from), the ten questions to ask in any vendor demo (what to test), when in-house is enough (the honest "you do not need software" check), and how to run a 30-day evaluation (what to do once you have a shortlist).

When you sit down to evaluate, you are choosing between four genuinely different categories. Treating them as one category produces the wrong shortlist.

• Shape A: Spreadsheets, paper, or a shared drive. Most small providers start here. It is honestly the right answer for some shapes of service. The breakpoint is described in the "When in-house is enough" section below.
• Shape B: A consultancy retainer. A human relationship delivered as periodic engagement work and paperwork updates. Most consultancies do not provide software at all; they deliver written reports and policy refreshes. Some bundle a light document repository alongside. The product is the person, not the platform.
• Shape C: Mid-enterprise SaaS. Platforms like Radar Healthcare, Care Vision, and similar. Built for providers with hundreds of staff, dedicated compliance teams, sales-led procurement, and six-figure annual budgets. Real products for the real market they serve. Materially over-specified for a small provider, with the corresponding price.
• Shape D: Small-provider-shaped dedicated SaaS. Built specifically for the small independent end. Verivius sits here. So does any future entrant that focuses on the 1-to-25-staff segment.

A fifth shape, bespoke development (commission a developer to build something for you), exists but is rare and almost always the wrong answer at small-provider scale. Briefly addressed at the end.

Most prospects shortlist B against D and never look at the others. The right comparison is across all four, because shape A is genuinely the right answer often, and shape C is the right answer if you discover you are actually mid-enterprise scale.

The vendor demo will throw twenty feature comparisons at you. Most of them do not matter. Eight criteria do.

2.1 Continuous evidence vs episodic

The single most important question. Does the platform capture evidence as a side effect of doing the work, every day, or does it produce evidence on demand when an inspector turns up?

The continuous-evidence model: every incident, complaint, training renewal, audit, safeguarding concern, governance meeting flows into a structured record at the moment it happens. The evidence trail an inspector samples already exists.

The episodic model: you generate evidence retrospectively, often in a six-week scramble before a known inspection. Spreadsheets, paper logs, and some consultancy-led tools work this way.

Most CQC inspections of small independent providers are now unannounced. The episodic model fails when the inspection lands without notice. The continuous model passes unchanged. This is the single most important criterion in the list.

2.2 Audit trail integrity

Every write to every record needs to be timestamped and attributable. Who edited what, when, with the before-and-after values. The trail needs to survive a regulator request without the vendor or you being able to back-fill it.

What good looks like: a database-trigger-captured audit log per tenant, visible to the owner, immutable. Verivius does this; mid-enterprise SaaS usually does; spreadsheets cannot; consultancy-delivered tools sometimes do not.

Why it matters: an inspector who asks "who closed this incident on the 12th?" gets an answer in seconds from a real audit log. They get "let me ask my team" from a tool without one. The second answer reads as evidence loss.

Test in the demo: ask the vendor to show you the audit log on their demo workspace. If they cannot, or if it is paginated by row insertion rather than by record change, the audit log is decorative not load-bearing.

2.3 Sector specificity

A platform that ships with no sector pack is asking you to configure your own taxonomy, your own assurance calendar, your own training matrix. That is weeks of work the vendor should have done.

A platform that ships with sector packs gets the right vocabulary, the right categories, the right recurring assurance items pre-loaded for your sector. Dental practices get HTM 01-05 audit cadences and GDC CPD tracking. GP practices get Significant Event Analysis cycles and cold-chain logs. Ambulance services get per-shift vehicle defect checks. Each is provisioned at signup.

Test in the demo: ask the vendor what the platform looks like specifically for your sector. If the answer is "we configure that during implementation", the configuration is your problem and the vendor's implementation fee.

2.4 Transparent pricing

Pricing should be on the website. List price per location per month, no asterisks, no "contact sales for a quote". Setup fee, professional services markup, per-user fees, all visible up-front.

The opaque-pricing model is the sales-led mid-enterprise model. It is appropriate when the platform genuinely needs sales-led implementation (which is almost never true at small-provider scale). It is inappropriate when the buyer is a single registered manager who needs a same-day decision.

Verivius publishes pricing at verivius.co.uk/pricing. Mid-enterprise vendors largely do not.

Test: try to find the price on the vendor's website without booking a demo. If you cannot, the vendor is qualifying out small providers from the funnel; you are not the target.

2.5 Setup time

Same-day setup or weeks-to-months implementation. There is no middle ground that serves a small provider well.

Same-day setup: sign up online, your workspace is provisioned with the sector pack, you walk through a setup wizard, you have a usable platform inside an hour. This is the small-provider expectation.

Weeks-to-months implementation: kick-off call, scoping document, configuration sprints, user-acceptance testing, training rollout, go-live. This is the mid-enterprise expectation. Not wrong for that market; wrong for yours.

Test: ask the vendor how soon you could be using the platform if you paid today. If the answer is anything beyond "this afternoon", they are not built for your scale.

2.6 Cancellation friction

How easy is it to cancel and what happens to your data? A platform you can cancel from settings, with no notice period and a clean data export, signals confidence in the product. A platform that requires email contact, has a notice period, locks you into annual commitments, or charges for data export, signals a lock-in business model.

Lock-in is rational for the vendor and bad for you. A vendor confident in the product retains customers through value, not through friction. The friction is the tell.

Test: read the vendor's terms of service. Specifically the cancellation clause and the data-export clause. The terms reveal more than the sales call.

2.7 Founder accessibility and the support model

At small-provider scale, you will hit edge cases. The platform does not cover something you need; you have a question only someone with sector knowledge can answer; you find a bug. What is the path?

Founder-accessible support, while the company is small, is a meaningful signal. The founder reads your email; you might get a written response from the person who wrote the software. This does not scale beyond a few hundred customers but it is genuinely useful while it lasts.

Mid-enterprise support is ticket-based, often via a customer success manager who is not a domain expert. Sometimes outsourced offshore. Quality varies.

Consultancy support is excellent but engagement-priced; you pay for the relationship per hour.

Test: book the vendor's discovery call. Note who you spoke to. Is it the founder? A salesperson? A customer success manager? The model is visible in the answer to that first question.

2.8 Honest fit

The most important and least-tested criterion. Will the vendor walk you away when they are not the right answer for you?

The pattern: a credible vendor will explicitly tell you when their product does not fit your shape. "You are mid-enterprise; we are not for you, look at Radar." "You are happy with your spreadsheet and you should stay with it." "You need an EMR; we are not that."

A vendor who claims to fit every shape is overselling. The same product cannot honestly serve an NHS Trust and a single-location dental practice; the same vendor cannot honestly fit every conversation.

Test: tell the vendor explicitly that you are leaning toward another option (a competitor, in-house, consultancy). A vendor confident in honest fit will explain when their product is the right comparison and when it is not. A vendor not confident in honest fit will pitch against the alternative.

Five patterns to walk away from.

• "We can guarantee a CQC rating." No one can. The rating depends on what an actual CQC inspector sees and how they weigh it on the day. A vendor promising otherwise is either misinformed or misleading. Walk away.
• "We have certified inspectors on the team." Verivius is honest about this: an ex-CQC inspector is no longer a CQC inspector. They were one, with specific dates and specific inspection counts. The credential is the past role, not the present authority. A vendor who blurs that line is overstating their authority.
• "Our platform paraphrases the regulations into simpler language for you." No. CQC regulations are statutory; the wording is the wording. A platform that paraphrases is producing wrong text with a citation. The right pattern is to reproduce regulatory wording verbatim with citation, never to summarise.
• "You will be inspection-ready in 30 days." Inspection-readiness is the side effect of doing the underlying work well, over time. No platform makes you inspection-ready in 30 days unless your underlying practice was already there. The platform can make the evidence findable; it cannot manufacture the evidence.
• "We have a 100% pass rate among customers." Selection bias dressed as causation. Customers who buy a £20k/year platform are usually well-resourced providers who would have passed without it. The pass rate is a marketing claim, not a product claim.

Walk into every demo with this list. The vendor's answers tell you more than the demo does.

1. Show me the audit log on your demo workspace, filtered to the last 7 days, then a single record's full change history.
2. Show me what your platform looks like specifically for my sector (whatever your sector is). If the answer is "we configure that", count it as no sector pack.
3. Show me how a near-miss gets from a junior staff member's observation into a documented action with assigned owner and closure date. The friction in that path is the platform's real value or real failure.
4. Show me the report your platform produces for inspection week. If it is a wall of data the registered manager has to re-sort, the platform is the wrong shape.
5. Show me how you reproduce regulator wording. Find me a regulation citation in your platform. If it is paraphrased, walk away.
6. What does cancellation look like? Walk me through ending my subscription today.
7. What is the data export process? Can I get a complete CSV of my data without contacting support?
8. What happens to my data after cancellation? When is it deleted? Where is it stored?
9. Who am I speaking to today? (Founder, salesperson, customer success manager, etc.) Who would I email if I had a question after signup?
10. Tell me a case where your product was the wrong answer for a prospect. What did you tell them to do instead?

The tenth question is the most important. A vendor who has a ready answer practises honest fit. A vendor who fumbles or rebrands every prospect as their ideal customer does not.

The genuine "you do not need software" check. A spreadsheet, a shared drive, or paper logs are the right answer when all four of the following hold:

• Single location. Multi-location consolidation breaks spreadsheet workflows fast.
• The person using the spreadsheet built it. A spreadsheet you inherited is brittle; a spreadsheet you built is durable.
• Under thirty active records at any time. Above this, pattern detection becomes impossible without aggregation tools.
• Stable team for years. Nobody about to leave who is the institutional memory of the spreadsheet's structure.

If any of those four breaks, the spreadsheet model breaks with it. Open a second location, or have your senior nurse leave, or have a year where incident volume spikes, and the spreadsheet is suddenly a liability.

Until those conditions break, however, the spreadsheet is fine. Use it. Do not buy software for a problem you do not have.

Almost never at small-provider scale. The right conditions for bespoke:

• You have specific clinical workflows that the standard CQC governance shape does not capture. Most small providers do not.
• You have a budget of £30,000 or more and a tolerance for a multi-month build cycle. Most small providers do not.
• You have a developer or agency you trust personally. Most small providers do not.

The risk: small-provider bespoke builds frequently stall. The first version ships under-specified; the maintenance cost is permanent; the developer churns or moves on. Five years later you have an unmaintained tool that is also bespoke, which is worse than spreadsheets.

If the question is "should we build our own or buy off-the-shelf", buy off-the-shelf. Bespoke pays off at five-to-ten times the scale we serve.

Once you have a shortlist of one to three vendors, the evaluation. A structured 30 days produces a better decision than ten years of intermittent searching.

Week 1: load real data. Pick one vendor and sign up to their trial. Load a representative set of recent records: ten incidents, three complaints, one safeguarding concern, your training matrix for two or three staff, two months of governance meeting minutes. Do not load everything; load enough to feel the friction.

Week 2: use it on a normal Tuesday. Log incidents as they happen in your service. Use the assurance calendar to schedule the next month's recurring work. Read the dashboard every morning. Have a team member log a record. Notice what is friction-free and what is not.

Week 3: simulate an inspection request. Have a colleague who has not used the platform send you five inspector-style questions. "Show me your governance meeting minutes for the last quarter." "Show me every safeguarding concern open in the last 12 months." "Show me who closed incident X on date Y." Try to answer them in under ten minutes. Note the failures.

Week 4: decide. Three questions. Was the friction lower than your current setup? Did you stop using it within the first 30 days (because if you stopped, you would stop after signup)? Could you imagine the registered manager using this every Tuesday morning for the next two years?

If yes to all three, sign up. If no to any, either move to the next vendor on the shortlist or stay with your current setup and revisit in six months.

After all the criteria, all the questions, all the trial weeks, one specific thing decides whether the platform will hold up under regulator scrutiny:

The audit log.

A platform with a real audit log has integrity at the data layer. A platform without one is decorative. Every other feature (the dashboard, the assurance calendar, the training matrix) builds on the audit log; if the audit log is weak, none of them mean anything.

Spend twenty minutes inside the platform's audit log on the demo workspace. Filter by actor. Filter by date. Open a record's full change history. Look for the "Verivius Support" badge or its equivalent (vendor staff actions visible to you). If the vendor's audit log answers all of these questions cleanly, the platform's integrity is sound. If it does not, no other feature compensates.

Verivius makes the audit log surface visible to every tenant owner at /audit-log. Other vendors vary. The audit log is the test.