1. What the regulation says
Systems or processes must be established and operated effectively to ensure compliance with the requirements in this Part.
assess, monitor and improve the quality and safety of the services provided … assess, monitor and mitigate the risks relating to the health, safety and welfare of service users.
maintain securely an accurate, complete and contemporaneous record in respect of each service user, including a record of the care and treatment provided to the service user and of decisions taken in relation to the care and treatment provided.
The full text of the regulation is at https://www.legislation.gov.uk/uksi/2014/2936/regulation/17. Where this policy and the regulation diverge, the regulation wins.
2. Plain British summary
You have to run effective systems and processes to comply with everything else in Part 3. The regulation lists six things those systems must enable in particular: quality assessment and improvement, risk management, accurate service-user records, accurate employment and management records, seeking and acting on feedback, and continually evaluating and improving how you process all this. If CQC requests a written report on quality and risk plus your improvement plans, you have 28 days from the day after the request.
3. Scope
This policy applies to all employees, contractors, and external parties who participate in any governance forum, decision-making process, or quality-assurance activity at . It covers the governance-meeting cycle (clinical governance committee, leadership team, board, multidisciplinary team), the risk register, the improvement-actions register, the document-control system, and the clinical and operational audit programme.
(Tenant updates the angle-bracket placeholder.)
4. Roles and responsibilities
- Registered Manager: accountable for the overall governance system under Reg 17. Chairs the monthly clinical governance committee, reviews the risk register and improvement-actions register monthly, signs off on the quarterly governance report.
- Nominated Individual: holds provider-side accountability for Reg 17. Reads the quarterly governance report and attends the board meeting where it is tabled.
- Quality and Governance Lead (where the role exists; the Registered Manager in small services): operates the audit programme, the risk-register cadence, and the improvement-actions completion tracking. Surfaces patterns at the governance committee.
- Clinical Lead: accountable for the clinical-audit subset of the audit programme. Brings the clinical-audit pattern view to the clinical governance committee.
- All managers: own the governance work for their service line (incident review, complaint themes, action follow-through). Bring their service-line view to the relevant governance meeting.
- All staff: complete actions assigned to them within the agreed timeframe, report patterns they notice through the line-management chain.
(Tenant updates the named role-holders.)
5. Procedure
The Reg 17 procedure operationalises the six governance elements through the platform's lifecycle structure.
- Governance-meeting cadence. A clinical governance committee meets at least monthly; a leadership team meets at the cadence the service shape requires (often weekly or fortnightly); a board or equivalent meets at least quarterly. Each meeting has a documented chair, attendees, agenda, and minutes. Recurring agenda items include: previous-month incident summary, complaints summary, safeguarding summary, statutory-notification status, risk-register review, improvement-actions follow-through, training-currency dashboard, audit findings.
- Quality-assessment cycle. The audit programme runs the annual clinical-audit calendar (sampled per the audit programme), the quarterly file audits per lifecycle (incidents, complaints, safeguarding, notifications), and the annual policy review (every document past its next-review date is read and refreshed).
- Risk-register maintenance. Risks are identified continuously by any team member; the risk-register review at the monthly clinical governance committee tests every Open risk against its current score, its current controls, and its next-review date. Treated risks have improvement actions cross-linked.
- Improvement-actions follow-through. Every improvement action carries an owner, a target date, and a completion-evidence requirement. The Quality and Governance Lead presents the overdue-actions view at the monthly committee.
- Service-user records. The clinical and care records are maintained securely with an accurate, complete, contemporaneous entry per service user per relevant intervention. The documents register holds the policies and procedures that govern record-keeping; the clinical system holds the records themselves.
- Staff and management records. The people register holds the Reg 19 Schedule 3 information set per employee. Governance roles (Registered Manager, Nominated Individual, Safeguarding Lead, etc.) are recorded with the named holder and the date of appointment and any change.
- Service-user feedback. Feedback channels are operated: complaints register, compliments captured, service-user surveys or family-feedback as fit, public reviews monitored. Aggregate feedback is reviewed quarterly at the governance committee.
- System-evaluation review. Annually, the leadership team reviews how the governance system itself is working: are the meetings producing decisions; do the decisions produce actions; do the actions complete with evidence; is the audit programme catching what it should; is the risk register reflecting reality. The review is documented as an annual governance report.
- Records availability for CQC. Every record this policy generates is available to be supplied to CQC. The 28-day Reg 17(3) response window applies if CQC requests a written report on quality, safety, risks, and improvement plans. The Registered Manager confirms the read-only export pathway for the workspace is functional quarterly.
- Continuous improvement of the governance process itself. Where the governance system surfaces its own gaps (a meeting that does not produce decisions, a register that has drifted, an audit pattern that misses a sector-specific risk), an improvement action is opened against the system itself.
6. Training requirement
Governance roles complete:
- Quality improvement methodology training (introductory) for the Quality and Governance Lead, at appointment.
- Risk management training for any team member running a risk-register section, at appointment and every three years.
- Investigation skills training for staff likely to investigate incidents or complaints, at appointment and every three years.
- Clinical audit methodology for the Clinical Lead, at appointment.
All staff complete Reg 17 awareness training at induction (covering what the governance system is, what their part in it is, and how to raise patterns).
Training records held in the tenant's training matrix register.
7. Audit
Compliance with this policy is monitored by the Quality and Governance Lead (or the Registered Manager in small services) through:
- Monthly governance-meeting effectiveness review: are decisions documented, are actions opened, are the previous month's actions reviewed for completion. Pattern signals reviewed.
- Quarterly audit programme review: is every planned audit running on cadence, are findings producing improvement actions, are the actions closing.
- Quarterly risk-register cadence audit: is every risk reviewed at its scheduled next-review date, do overdue reviews exceed a per-tenant threshold (typically 5%).
- Annual system review: the wider governance system itself, presented as the annual governance report.
Audit findings recorded in the tenant's audit register; actions logged in the improvement-actions register.
8. Record-keeping
Governance records (meeting minutes, audit reports, risk-register snapshots, improvement-actions records, annual governance reports) are held in the tenant's governance system for a minimum of 8 years from the date of the record per the NHS Code of Practice on Records Management. Board-level records (constitution, board minutes, statutory company filings) are held for the longer of the period the company exists or the period required by company-law retention rules (typically 6 years post-event under the Companies Act 2006 for accounting records, longer for some categories).
Verivius preserves the per-record audit trail indefinitely while the workspace is active.
9. Related policies in this pack
- Safe Care and Treatment Policy (hscra-reg-12-safe-care-and-treatment)
- Safeguarding Adults Policy (hscra-reg-13-safeguarding-from-abuse)
- Complaints Policy (hscra-reg-16-receiving-and-acting-on-complaints)
- Staffing Policy (hscra-reg-18-staffing)
- Duty of Candour Policy (hscra-reg-20-duty-of-candour)
- Fit and Proper Persons (Staff) Policy (hscra-reg-19-fit-and-proper-persons-employed)
10. Document control
| Version | Date | Author | Changes |
|---|---|---|---|
| v1 | 2026-05-19 | Verivius (sample) | Initial sample template. |
| v1.1 | 2026-06-01 | Verivius (sample) | Filled out Sections 3 to 8 with concrete content. Section 4 names the typical governance role-set with their committee-level accountability. Section 5 procedure expanded to a 10-step Reg 17 flow covering the meeting cadence, the audit programme, the risk register, the improvement actions, the records, the feedback channels, and the annual system review. Section 6 names training topics by governance role. Section 7 names the four audit cadences. Section 8 references the NHS Code of Practice on Records Management and the Companies Act 2006 retention for board-level records. |
This sample policy template was issued by Verivius as part of the Mock Inspection design partner onboarding pack. It is a template, not a substitute for legal advice or the tenant's own policy-development process. Where this template and the live regulation diverge, the live regulation wins.