1. What the regulation says
Care and treatment must be provided in a safe way for service users. (Reg 12(1): the headline duty)
assessing the risks to the health and safety of service users of receiving the care or treatment, (Reg 12(2)(a): risk assessment)
doing all that is reasonably practicable to mitigate any such risks, (Reg 12(2)(b): risk mitigation)
Regulation 17 adds the governance duties that this policy operationalises:
Systems or processes must be established and operated effectively to ensure compliance with the requirements in this Part. (Reg 17(1): the umbrella duty)
assess, monitor and improve the quality and safety of the services provided in the carrying on of the regulated activity (including the quality of the experience of service users in receiving those services) ... assess, monitor and mitigate the risks relating to the health, safety and welfare of service users and others who may be at risk which arise from the carrying on of the regulated activity. (Reg 17(2)(a) and (b): quality and risk)
Regulation 20 adds the duty of candour that applies where an incident is a notifiable safety incident:
Registered persons must act in an open and transparent way with relevant persons in relation to care and treatment provided to service users in carrying on a regulated activity. (Reg 20(1): the headline duty)
The full text is at https://www.legislation.gov.uk/uksi/2014/2936/regulation/12, https://www.legislation.gov.uk/uksi/2014/2936/regulation/17 and https://www.legislation.gov.uk/uksi/2014/2936/regulation/20. Where this policy and the regulation diverge, the regulation wins.
2. Plain-English summary
Care and treatment must be provided in a safe way. The regulation lists the areas a provider must address, including risk assessment, risk mitigation, staff competence, safe premises, safe equipment, sufficient equipment and medicines, medicines safety, infection prevention and shared-care planning. Good governance under Regulation 17 means running effective systems to assess, monitor and improve quality and safety, and where an incident is a notifiable safety incident the duty of candour under Regulation 20 requires you to be open and transparent with the person affected.
3. Purpose
The purpose of this policy is to make sure that incidents, accidents, near misses and safety concerns are identified, reported, investigated, acted on and used for learning.
The service will not treat incident reporting as blame or paperwork. Incident reporting is a safety system. It allows the provider to understand what happened, protect people from further harm, identify patterns, meet statutory duties and improve the quality and safety of care.
This policy supports compliance with Regulation 12, Regulation 17, Regulation 20, safeguarding duties, RIDDOR where applicable, and CQC statutory notification requirements.
4. Policy warning
All staff must report incidents, accidents, near misses and safety concerns without delay.
A failure to report, concealment of an incident, alteration of records, or delay in escalation may be treated as a serious conduct matter and may also create safeguarding, professional-regulatory or criminal concerns.
Where an incident has caused harm, may have caused harm, or indicates abuse, neglect, unsafe care or serious service failure, the Registered Manager must make sure that immediate protective action is taken before administrative review begins.
5. Scope
This policy applies to:
- incidents involving people using the service
- incidents involving staff, visitors, contractors or others affected by the service
- near misses and unsafe conditions
- medication incidents
- safeguarding concerns
- falls, injuries, pressure damage, infections or deterioration
- missing persons or unauthorised absence where applicable
- equipment, premises, vehicle or environmental incidents
- information governance incidents where safety or confidentiality may be affected
- complaints that reveal possible harm or unsafe care
- incidents requiring external reporting
6. Definitions
An incident is any event that caused harm, had the potential to cause harm, disrupted safe care, or showed that a system did not work as intended.
A near miss is an event that could have caused harm but did not, either by chance or because someone intervened.
A serious incident is an incident involving serious harm, death, abuse, serious neglect, major service disruption, police involvement, or a risk that may require notification to CQC, safeguarding, RIDDOR or another authority.
A learning action is an action taken to reduce the chance of the same or similar incident happening again.
7. Responsibilities
All staff are responsible for recognising and reporting incidents immediately, taking urgent action to keep people safe, and recording what they saw or did accurately.
The person in charge of the shift, clinic, visit, transport journey or session is responsible for immediate safety actions, escalation and initial fact gathering.
The Registered Manager is responsible for incident triage, investigation, external reporting, duty of candour decisions, action tracking and governance review.
The Nominated Individual or provider representative is responsible for ensuring that serious incidents, themes and overdue actions are reviewed at provider level.
8. Immediate response
When an incident occurs, staff must:
- make the person safe
- call emergency services if required
- obtain clinical advice where needed
- preserve evidence where appropriate
- inform the person in charge
- inform the Registered Manager or on-call lead
- record the incident as soon as reasonably possible
- support the person affected and any staff involved
- consider safeguarding, duty of candour and external notification requirements
Immediate care and safety always come before form completion.
9. Reporting timescales
All incidents must be reported internally on the same working day, or immediately if urgent.
Serious incidents must be escalated to the Registered Manager immediately.
Where the incident occurs out of hours, the on-call escalation process must be followed.
A written incident record must be completed as soon as possible and normally before the staff member finishes their shift or duty period, unless urgent care needs prevent this.
10. Incident record
The incident record must include:
- date and time of incident
- location
- person affected
- staff involved or present
- factual description of what happened
- immediate action taken
- injury, harm or potential harm
- witnesses
- relevant care plan, risk assessment or procedure
- whether family, representative or advocate was informed
- whether external advice or emergency support was sought
- whether safeguarding, duty of candour, RIDDOR or CQC notification was considered
- initial grading
- person responsible for review
- follow-up actions
Records must be factual, dated, attributable and written in plain language. Staff must not speculate, blame or alter records retrospectively without a clear audit trail.
11. Triage and grading
The Registered Manager, or delegated competent person, must review each incident and decide:
- level of actual harm
- level of potential harm
- immediate risk of recurrence
- whether the incident indicates abuse, neglect or unsafe practice
- whether duty of candour may apply
- whether CQC notification may be required
- whether safeguarding referral may be required
- whether RIDDOR or other external reporting may be required
- whether a full investigation is needed
- whether the risk register needs updating
- what immediate and longer-term actions are needed
The grading must be reviewed if new information emerges.
12. Investigation
The depth of investigation must be proportionate to the level of harm, potential harm and learning value.
An investigation may include:
- speaking with the person affected
- speaking with family, representative or advocate where appropriate
- speaking with staff and witnesses
- reviewing care records, risk assessments and plans
- reviewing staffing, training and supervision records
- reviewing equipment, premises or environmental factors
- reviewing medicines records where relevant
- reviewing previous incidents or complaints
- identifying immediate and root causes
- identifying what should change
A serious incident investigation must be led or reviewed by a competent person who was not directly involved in the incident, where possible.
13. Duty of candour
The Registered Manager must consider whether the incident meets the threshold for statutory duty of candour.
Where the duty applies, the service must act openly and transparently with the person affected or their relevant person. This includes giving a truthful account, an apology, reasonable support, information about further enquiries, written follow-up and a record of the process.
Saying sorry is not an admission of liability. It is part of safe, open and compassionate care.
14. External reporting
The Registered Manager must consider whether the incident requires reporting to:
- CQC
- local safeguarding authority
- police
- RIDDOR
- professional regulator
- DBS
- commissioner or placing authority
- coroner
- insurer
- equipment manufacturer or safety-alert route
- Information Commissioner's Office, where a personal data breach is involved
The decision to report or not report must be recorded, including the rationale.
External reporting must not be delayed because an internal investigation is unfinished.
15. Actions and learning
Every incident review must consider whether action is required.
Actions must have:
- clear description
- owner
- due date
- evidence required
- completion date
- review date where needed
- check that the action worked
Examples of learning actions include care plan review, risk assessment update, staff briefing, training, supervision, equipment repair, environmental change, audit, policy update, staffing review or referral to an external body.
An action is not complete just because it has been written down. It is complete when there is evidence that it was done and, where appropriate, checked.
16. Trend review
The Registered Manager must review incidents at least monthly, or more often where risk is high.
The review must consider:
- repeated incidents involving the same person
- repeated incident types
- repeated locations, staff groups, shifts or times
- medication themes
- safeguarding themes
- falls, injuries, infections or pressure damage
- late reporting
- overdue actions
- duty of candour compliance
- whether risks need escalation to the risk register
Themes must be discussed through the service's governance process and used to improve care.
17. Support for people and staff
People affected by incidents must receive appropriate support, information and involvement.
Staff involved in incidents must be supported, supervised and debriefed where appropriate. Support does not replace accountability. Where unsafe practice, neglect, dishonesty or professional misconduct is suspected, the service must follow the relevant safeguarding, disciplinary and referral processes.
18. Audit and governance
The Registered Manager must audit incident records at least quarterly.
The audit must check:
- timely reporting
- completeness of records
- appropriate grading
- external reporting decisions
- duty of candour decisions
- quality of investigation
- action completion
- evidence of learning
- repeat incidents
- overdue actions
Findings must be recorded and reviewed by the provider.
19. Related records
The service should maintain:
- incident record
- investigation notes
- witness statements
- action plan
- duty of candour record
- safeguarding referral record
- CQC notification record
- RIDDOR report where applicable
- risk register entry where applicable
- learning bulletin or team briefing record
- audit and governance review record
20. Related policies
This policy should be read with:
- Safeguarding Policy
- Duty of Candour Policy
- Complaints Policy
- Risk Management Policy
- Action Plan and Improvement Tracking Policy
- Medicines Policy
- Infection Prevention and Control Policy
- RIDDOR Policy
- Data Breach Policy
- Whistleblowing Policy
- Staff Conduct and Disciplinary Policy
- CQC Statutory Notifications Policy
21. Review
This policy will be reviewed annually, or sooner following a serious incident, safeguarding concern, CQC inspection finding, change in legislation, external guidance, or repeated incident theme.
22. Sources and further reading
This template is based on CQC's guidance for providers and managers, the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014, and other topic-specific legislation and guidance listed below. It is a starting point for adaptation, not a substitute for legal, clinical, HR, safeguarding or specialist professional advice.
- CQC Regulation 12: Safe care and treatment
- CQC Regulation 17: Good governance
- CQC Regulation 20: Duty of candour
- CQC notifications guidance
- RIDDOR 2013 and HSE RIDDOR guidance
- Local authority safeguarding procedures
- Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (https://www.legislation.gov.uk/uksi/2014/2936/regulation/12)
23. When to seek further advice
Seek specialist advice where the issue involves serious harm, safeguarding, deprivation of liberty, restraint, children, professional misconduct, controlled drugs, radiation, termination of pregnancy, infection outbreak, water safety, employment dismissal, DBS barring referral, or regulatory enforcement.
24. Document control
| Version | Date | Author | Changes |
|---|---|---|---|
| v1 | 2026-06-10 | Verivius (sample) | Initial sample template, conformed to the Verivius policy standard. |
This sample policy template was issued by Verivius. It is a template, not a substitute for legal advice or the tenant's own policy-development process. Where this template and live law or regulator guidance diverge, the live source wins.