CQC inspectors don't just check that you have risk assessments. They check whether your assessments are specific, current, and acted upon. A practice with 16 generic templates downloaded from the internet is in a weaker position than one with five tailored assessments that reflect genuine hazards and documented actions. This guide explains what CQC actually evaluates, how to structure assessments that demonstrate real risk management, and the common mistakes that undermine otherwise good practices.
What makes a risk assessment "CQC-ready"
Most GP practices have risk assessments. The problem isn't usually that they're missing. It's that they're generic, outdated, or disconnected from how the practice actually operates. CQC inspectors see this constantly. A fire risk assessment that describes a building layout the practice hasn't occupied for three years. A COSHH assessment listing chemicals the practice no longer stocks. An infection control assessment that predates the practice's move to reusable instruments.
The legal framework is straightforward. The Health and Safety at Work Act 1974 requires employers to ensure the health, safety, and welfare of employees and anyone affected by the business (sections 2 and 3). The Management of Health and Safety at Work Regulations 1999 (MHSWR) makes risk assessment an explicit legal duty (Regulation 3) and requires employers to appoint a competent person to assist with health and safety (Regulation 7). CQC then layers Regulation 12 (Safe care and treatment) on top, requiring providers to assess risks to service users and do everything reasonably practicable to mitigate them.
CQC assesses risk management primarily under the Safe key question, but it also feeds into Well-led (do leaders have oversight?) and Effective (are decisions evidence-based?). Under the single assessment framework, inspectors look for evidence that risk management is embedded in day-to-day operations, not filed in a drawer.
What they specifically evaluate:
Specificity: Does this assessment describe your practice, or could it apply to any practice in England?
Currency: When was it last reviewed? Has it been updated after changes to premises, staffing, or services?
Actions: What did the assessment lead to? Are there documented controls, and are they being followed?
Ownership: Who conducted the assessment? Who is responsible for implementing controls?
Integration: Do staff know what the risks are and what they should do about them?
A practice that can walk an inspector through a risk, explain what controls are in place, and show evidence that those controls are monitored will score well, even if the assessment document itself is simple.
The five elements of a well-structured risk assessment
Every risk assessment, regardless of topic, should contain these five elements. This structure works for fire, COSHH, legionella, infection control, information governance, and everything else on the mandatory risk assessment list.
1. Identify the hazards specific to your practice
This is where most generic templates fail. They list hazards that could theoretically exist anywhere. Your assessment should list hazards that actually exist in your practice.
Generic (weak): "There is a risk of slips, trips, and falls in the workplace."
Specific (strong): "The corridor between reception and the treatment room has a raised threshold strip that catches wheelchair wheels. Three near-miss incidents were reported in 2025. The vinyl flooring in the staff kitchen becomes slippery when wet, particularly during winter when staff track in water."
Walk through your practice with a colleague and write down what you actually see. Look at your incident reports and significant events. Those are your real hazards, not theoretical ones.
2. Identify who might be harmed and how
Think beyond "staff and patients." Consider:
Patients with mobility difficulties navigating your premises
Pregnant staff handling certain chemicals or performing specific tasks
Lone workers conducting home visits or locking up after hours
Visiting professionals (pharmacists, district nurses) using your facilities
Delivery drivers accessing the building
Vulnerable adults and children in waiting areas
For each hazard, note the realistic harm. "Could cause injury" is weak. "A fall from the raised threshold could cause a hip fracture in an elderly patient, requiring hospital admission" is specific and demonstrates you've thought about the actual consequence.
3. Evaluate the risk and decide on controls
For each hazard, assess how likely it is to cause harm and how severe the consequence would be. You don't need a complex matrix. A simple approach works:
| Likelihood | Severity | Risk level | Action required |
|---|---|---|---|
| Unlikely | Minor | Low | Monitor. Review at next scheduled date. |
| Possible | Moderate | Medium | Implement additional controls within 3 months. |
| Likely | Moderate | High | Take action within 1 month. |
| Any | Major or severe | High | Immediate action. Escalate to partners. |
A useful approach is to record both the inherent risk (before controls) and the residual risk (after controls). This shows inspectors that your controls actually reduce the risk, not just that you've identified it. For example, slips and trips in a corridor might score likelihood 4 (likely) x severity 3 (moderate) = 12 (medium) as the inherent risk. After installing non-slip mats, improving lighting, and implementing a wet-floor signage protocol, the residual risk drops to likelihood 2 x severity 3 = 6 (low). That reduction is the evidence that your controls work.
The controls you choose must be proportionate and practical. "All staff must be vigilant" is not a control. "Install a ramped threshold strip by 30 April 2026 (Building Manager). In the interim, place a high-visibility warning sign and brief reception staff to offer assistance to patients with mobility aids." That's a control with an owner, a deadline, and an interim measure.
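The scoring and control rules above can be held in a small risk register rather than recalculated by hand. The following Python is an added example written for this guide; it is not the article's own tool, nor the My Practice Manager product. It assumes 1-5 scales for likelihood and severity and score cut-offs chosen so that the worked example's figures (12 = medium, 6 = low) come out as stated; note that the article's table rates "Likely / Moderate" as High while the worked example scores the same pairing as Medium, so the cut-offs are exposed as constants for a practice to set explicitly. The corridor hazard is constructed from the examples in the text. Each register row carries the elements an inspector asks for (specific hazard, who is harmed, inherent and residual rating, controls, owner, deadline), and the check flags a medium or high inherent risk left without a control, an owner or a deadline, and controls that do not actually reduce the score.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Five-point scales are an assumption; the article's worked example uses
# likelihood 4 (likely) and severity 3 (moderate) on such a scale.
LIKELIHOOD = {1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
SEVERITY = {1: "negligible", 2: "minor", 3: "moderate", 4: "major", 5: "severe"}

# Score cut-offs are an assumption, chosen so that the article's figures
# (12 = medium, 6 = low) come out as stated. Set these explicitly in your
# own register; they are a decision, not a standard.
LOW_MAX = 6
MEDIUM_MAX = 12


def score(likelihood: int, severity: int) -> int:
    """Risk score = likelihood x severity, as in the article's worked example."""
    if likelihood not in LIKELIHOOD or severity not in SEVERITY:
        raise ValueError("likelihood and severity must be on the 1-5 scale")
    return likelihood * severity


def level(likelihood: int, severity: int) -> str:
    """Map a score to Low / Medium / High.

    Any major or severe consequence is High regardless of likelihood,
    matching the last row of the article's table.
    """
    if severity >= 4:
        return "High"
    s = score(likelihood, severity)
    if s <= LOW_MAX:
        return "Low"
    if s <= MEDIUM_MAX:
        return "Medium"
    return "High"


@dataclass
class Hazard:
    """One row of a risk register, holding the elements the article asks for."""
    description: str                 # what actually exists on your premises
    who_is_harmed: str               # and the realistic harm
    inherent: tuple                  # (likelihood, severity) before controls
    residual: tuple                  # (likelihood, severity) after controls
    controls: list = field(default_factory=list)
    owner: Optional[str] = None      # person responsible for the controls
    deadline: Optional[date] = None  # when the controls must be in place


def check_hazard(h: Hazard) -> list:
    """Return the gaps an inspector would pick up on this row.

    A medium or high inherent risk must carry documented controls with an
    owner and a deadline (the article's 'Mistake 3'); listed controls that
    leave the residual score no lower than the inherent score are flagged
    because they do not evidence a reduction.
    """
    findings = []
    if level(*h.inherent) in ("Medium", "High"):
        if not h.controls:
            findings.append("no documented controls")
        if not h.owner:
            findings.append("no owner")
        if h.deadline is None:
            findings.append("no deadline")
    if h.controls and score(*h.residual) >= score(*h.inherent):
        findings.append("residual score not below inherent score")
    return findings


# Constructed example, built from the corridor hazard described in the article.
CORRIDOR = Hazard(
    description="Raised threshold strip between reception and treatment room catches wheelchair wheels",
    who_is_harmed="Elderly patients and wheelchair users: fall, possible hip fracture",
    inherent=(4, 3),
    residual=(2, 3),
    controls=[
        "Install ramped threshold strip (Building Manager, by 30 April 2026)",
        "Interim: high-visibility warning sign; reception staff offer assistance",
    ],
    owner="Building Manager",
    deadline=date(2026, 4, 30),
)

# Same hazard with the paperwork an inspector would flag: rated but unowned.
UNOWNED = Hazard(
    description=CORRIDOR.description,
    who_is_harmed=CORRIDOR.who_is_harmed,
    inherent=(4, 3),
    residual=(4, 3),
)

if __name__ == "__main__":
    for h in (CORRIDOR, UNOWNED):
        print(f"{level(*h.inherent)} -> {level(*h.residual)}: {check_hazard(h) or 'complete'}")
```

Run as a script it prints the inherent and residual level for each row and the gaps found; the complete corridor row reports nothing, while the unowned copy lists the three missing items. Keeping the cut-offs as named constants means the register records which matrix the practice actually uses, which is the question an inspector will ask when the table and the scores disagree.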
4. Record your findings and implement them
The assessment must be documented. If you have five or more employees (almost all GP practices do), this is a legal requirement under section 2(3) of the Health and Safety at Work Act 1974 and Regulation 3 of the MHSWR 1999.
Your record should include:
Date of assessment and assessor name
Hazards identified with specific descriptions
Who is at risk and the nature of the harm
Existing controls already in place
Additional controls needed, with owners and deadlines
Risk rating before and after controls
Review date: when will this assessment be revisited?
This is where digital tools earn their value. A well-structured risk assessment document that tracks actions and review dates is significantly easier to maintain than a paper-based system or a Word document buried in a shared drive.
You can generate a tailored risk assessment for your practice using the AI risk assessment tool, which structures the output around your specific practice details: hazards, risk ratings, and control measures relevant to your situation.
5. Review and update regularly
A risk assessment is not a one-off document. CQC expects to see evidence that assessments are living documents, reviewed and updated in response to:
Scheduled reviews: At least annually for most assessments, more frequently for high-risk areas
Changes: New premises, staffing changes, new services, new equipment, building works
Incidents: Any significant event, near miss, or complaint that relates to an assessed risk
Regulatory changes: Updated guidance from CQC, HSE, NHS England, or professional bodies
External events: Lessons from other practices, national patient safety alerts, pandemic preparedness updates
Record every review, even if no changes were needed. "Reviewed 15 January 2026 by [Name]. No changes required. All controls remain in place and effective." That's evidence of active management. An assessment with no review date or no evidence of review tells an inspector that risk management is static.
Writing the assessment: a step-by-step approach
If you're starting from scratch or replacing outdated generic templates, this process works for any risk assessment topic.
Step 1: Gather your evidence
Before you write anything, collect:
Incident reports from the past 12 months related to the topic
Significant event analyses that identified relevant risks
Complaints that highlighted safety or environmental concerns
Staff feedback: ask the people who work in the space every day
Previous assessments, even if outdated. They're a starting point
Relevant guidance from HSE, CQC, NHS England, and professional bodies
Step 2: Walk the premises
For premises-related assessments (fire, general health and safety, legionella, infection control), physically walk through every area of the practice. Don't rely on memory or existing floor plans.
Bring a colleague. A second pair of eyes catches things you've normalised. Ask each other: "What could go wrong here?" and "What would a patient with mobility difficulties experience?"
Step 3: Consult your team
Different staff see different risks. Reception staff know about aggressive patients and cramped workstations. Nurses know about clinical waste handling and equipment failures. GPs know about consultation room ergonomics and emergency drug storage. The cleaner knows about chemical storage and slip hazards.
A 15-minute conversation with each group yields more useful hazard identification than hours of desk-based assessment.
Step 4: Draft the assessment
Structure your document with the five elements above. Be specific. Use plain English. This document needs to be understood by everyone in the practice, not just the assessor.
For each hazard, write the control measures in a way that someone unfamiliar with the practice could follow. "Store vaccines in the designated pharmaceutical fridge in the treatment room, checking and recording the temperature twice daily using the digital min/max thermometer" is actionable. "Ensure proper storage" is not.
If you want a structured starting point, the AI risk assessment tool generates assessments tailored to your practice context, covering the hazards, risk ratings, and control measures specific to your situation. You'll still need to review and customise the output (no AI tool knows your building layout or staffing model), but it gives you a solid framework to work from rather than a blank page.
Step 5: Get it reviewed and signed off
MHSWR 1999 Regulation 7 requires every employer to appoint one or more "competent persons" to assist with health and safety. In a GP practice, this is typically the practice manager, but for specialist assessments (fire, legionella, asbestos) you may need external expertise. Whoever conducts the assessment should have sufficient training and experience to identify the hazards relevant to that topic.
The assessment should be reviewed by:
The relevant lead: fire warden for fire, infection control lead for IPC, health and safety lead for general H&S
A GP partner for clinical risk assessments and overall governance sign-off
The practice manager for operational feasibility of controls
Sign-off demonstrates leadership engagement, which is exactly what CQC looks for under Well-led.
Step 6: Communicate and implement
An assessment sitting in a folder achieves nothing. Controls need to be:
Communicated to relevant staff (not just emailed, but discussed in a team meeting or briefing)
Implemented with clear ownership and deadlines
Monitored: are the controls actually being followed?
Evidenced: can you demonstrate compliance? (e.g., fridge temperature logs, fire drill records, training certificates)
Set up recurring tasks for monitoring activities. Use My Practice Manager task tracking or your existing system to schedule fire drill reminders, legionella flushing logs, DSE review dates, and annual assessment reviews. The evidence trail this creates is precisely what CQC asks for.
Common mistakes that concern CQC inspectors
These are the patterns that raise red flags during inspection. Avoiding them puts your practice in a significantly stronger position.
Mistake 1: Generic templates with no practice-specific detail
The most common failing. A downloaded template with the practice name pasted into the header and no other customisation. CQC inspectors can spot these immediately. They've seen the same template at the previous three inspections.
The fix: Start with a template if you need to, but adapt every section to your specific premises, staff, services, and patient population. If a hazard doesn't apply to your practice, remove it. If a hazard exists that isn't in the template, add it.
Mistake 2: No evidence of review or update
An assessment dated 2019 with no subsequent review. This tells the inspector that risk management stopped five years ago, regardless of what you say in the interview.
The fix: Record every review with a date and assessor name. Even if nothing has changed, the review record demonstrates active management. Set calendar reminders for annual reviews at minimum.
Mistake 3: Risk identified but no action taken
An assessment that identifies a hazard, rates it as medium or high risk, and then has no documented control measures or action plan. This is worse than not having the assessment at all. You've demonstrated awareness of a risk and failure to act on it.
The fix: Every medium or high-risk item must have a documented control with an owner and a deadline. If cost or logistics prevent immediate action, document the interim measures and the plan for a permanent fix.
Mistake 4: Controls exist on paper but not in practice
The assessment says "all staff trained in fire evacuation procedures." The inspector asks a receptionist what they would do in a fire and gets a blank look. The assessment says legionella flushing is done weekly, but there's no flushing log.
The fix: Controls must be implemented, not just documented. Training must be delivered and recorded. Monitoring activities (temperature checks, flushing logs, equipment calibration) must have evidence. If you can't show evidence, the control doesn't exist as far as CQC is concerned.
Mistake 5: No link between incidents and risk assessment updates
A patient falls in the car park. A significant event analysis is completed. But the general health and safety risk assessment isn't updated to reflect this incident and any new controls.
The fix: After any incident, complaint, or significant event, check whether it relates to an existing risk assessment. If it does, update the assessment. If it identifies a new risk, add it. This creates the feedback loop CQC wants to see between reactive investigation and proactive risk management.
Review cycles: how often is enough
Different assessments need different review frequencies, but as a baseline:
| Assessment | Minimum review frequency | Trigger for earlier review |
|---|---|---|
| Fire risk assessment | Annual (or after any building change) | Building works, change of layout, fire incident |
| General health and safety | Annual | Incident, complaint, staffing change |
| COSHH | Annual (or when products change) | New cleaning product, new clinical procedure |
| Legionella | Every 2 years (water hygiene review annually) | Change to water system, temperature excursion |
| DSE | When workstation changes or staff report issues | New equipment, new starter, complaint of discomfort |
| Infection control | Annual | Outbreak, audit finding, change to decontamination process |
| Information governance | Annual | Data breach, new IT system, regulatory change |
| Safeguarding | Annual | Staff change, incident, updated guidance |
| Medicines management | Annual | MHRA alert, audit finding, cold chain breach |
| Business continuity | Annual | After activation of the plan, or significant operational change |
Record every review. Even a note saying "Reviewed [date] by [name]. No changes required. All controls remain effective and in place" counts as evidence of active risk management.
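The review table is easy to turn into a schedule that tells you, on any given date, which assessments are overdue, which are coming up, and which must be reviewed now because a trigger event has occurred since the last review. The Python below is an added example for this guide, not the article's tool or any product's code. The intervals are taken from the table above (DSE is event-driven, so it has no calendar minimum); the 30-day warning window and the register dates are assumptions, and the register itself is constructed for illustration.

```python
from datetime import date, timedelta

# Minimum review intervals from the article's table, in days. None marks an
# event-driven assessment (DSE) with no calendar minimum. The 30-day warning
# window below is an assumption, not a CQC figure.
REVIEW_INTERVAL_DAYS = {
    "Fire risk assessment": 365,
    "General health and safety": 365,
    "COSHH": 365,
    "Legionella": 730,           # the annual water hygiene review is a separate item
    "DSE": None,
    "Infection control": 365,
    "Information governance": 365,
    "Safeguarding": 365,
    "Medicines management": 365,
    "Business continuity": 365,
}
WARNING_DAYS = 30


def review_status(topic: str, last_reviewed: date, as_of: date, events=()) -> str:
    """Classify one assessment on a given date.

    Any recorded trigger event (incident, building works, MHRA alert, ...)
    since the last review means a review is due now, whatever the calendar
    says; otherwise the status follows the minimum interval.
    """
    if topic not in REVIEW_INTERVAL_DAYS:
        raise KeyError(f"unknown assessment topic: {topic}")
    if events:
        return "review now: " + "; ".join(events)
    interval = REVIEW_INTERVAL_DAYS[topic]
    if interval is None:
        return "event-driven: no calendar review due"
    due = last_reviewed + timedelta(days=interval)
    if as_of > due:
        return f"overdue by {(as_of - due).days} days"
    if (due - as_of).days <= WARNING_DAYS:
        return f"due in {(due - as_of).days} days"
    return f"current, next review {due.isoformat()}"


def review_report(register, as_of: date) -> list:
    """Return (topic, status) pairs with the items needing attention first."""
    rows = [(topic, review_status(topic, last, events)) if False else
            (topic, review_status(topic, last, as_of, events))
            for topic, last, events in register]
    priority = {"review now": 0, "overdue": 1, "due in": 2}

    def rank(row):
        return next((p for key, p in priority.items() if row[1].startswith(key)), 3)

    return sorted(rows, key=rank)


# Constructed register: (topic, date of last recorded review, events since).
REGISTER = [
    ("Fire risk assessment", date(2025, 1, 15), ()),
    ("General health and safety", date(2025, 6, 1), ("patient fall in car park, SEA completed",)),
    ("Legionella", date(2024, 9, 1), ()),
    ("DSE", date(2023, 3, 1), ()),
    ("COSHH", date(2025, 3, 20), ()),
]
AS_OF = date(2026, 3, 10)  # assumed reporting date

if __name__ == "__main__":
    for topic, status in review_report(REGISTER, AS_OF):
        print(f"{topic:28s} {status}")
```

With the constructed register the report lists the health and safety assessment first (a trigger event is recorded), then the overdue fire risk assessment, then COSHH as due within the warning window, with the current legionella assessment and the event-driven DSE entry last. Recording the trigger events against the register, rather than only in the significant event file, is what closes the loop described under Mistake 5.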
Pulling it all together
Risk assessment isn't a separate compliance exercise that sits alongside your normal operations. Done properly, it's the framework that connects your incident reporting, significant event analysis, staff training, and premises management into a coherent safety management system.
CQC inspectors want to see that connection. When they ask about a risk, they want you to point to the assessment, show the controls, demonstrate they're implemented, and explain how you'd know if something went wrong. When they review a significant event, they want to see that the learning fed back into the relevant risk assessment.
If you're maintaining risk assessments across a dozen or more topics (fire, COSHH, legionella, infection control, safeguarding, information governance, medicines management, and more), keeping them current and connected takes systematic effort. The AI risk assessment tool can help you generate structured, practice-specific assessments that cover the right hazards and controls for your context, significantly reducing the time from blank page to documented assessment.
For the complete list of mandatory and recommended risk assessments for GP practices, see our companion guide: Core risk assessments for your GP practice.
Browse the compliance library for risk assessment policy templates, audit checklists, and related governance documents.
This article is for informational purposes only and reflects understanding as of March 2026. It does not constitute legal, financial, or medical advice. Practices should consult with relevant professional bodies or legal counsel for specific circumstances and always refer to the latest official guidance from the CQC, the Health and Safety Executive, and NHS England.
