A risk register is one of the most common accreditation gaps, and one of the easiest to fix properly. This guide is the build procedure: how to create a register that an assessor accepts and that actually helps you run the practice. For why a missing or token register fails on survey day, read the common accreditation failures post; this guide does not re-cover that, it shows you how to build one. For the wider context, see the RACGP accreditation pillar.
Before you begin
Get the right people in the room: the practice manager (who usually owns the register), the principal or owner (who owns the high-level risks), and a clinical lead. Decide where the register will live so it is one controlled document, not three spreadsheets. And be clear on what a risk register is: a forward-looking list of what could go wrong and what you are doing about it. That makes it different from an incident register, which records what already did go wrong. The two are linked (an incident often reveals a new risk to add), but they are not the same document.
Step 1: Set the structure and scope
Decide the columns before you list a single risk, because consistent columns are what turn a list into a register. A workable structure is: the risk, its category, likelihood, consequence, the resulting rating, the existing controls, the further treatment, an owner, and a review date. Scope the register across every category that can hurt the practice, not just clinical care: clinical risk, work health and safety, IT and cyber security, financial, regulatory and accreditation, and business continuity.
Scoping wide is what separates a real practice risk register from a clinical-incident list. An assessor expects to see that you have thought about the business risks (a Medicare billing exposure, the loss of a key GP, a data breach) alongside the clinical ones. Setting the categories up front is what prompts you to find risks you would otherwise miss.
Step 2: Identify your risks across each category
Work category by category and ask "what could go wrong here, and what would the impact be?" Bring the team in, because reception, nursing and clinical staff each see different risks. Use the predictable healthcare risks as a starting checklist: cold chain failure, a Schedule 8 register discrepancy, a notifiable data breach, an AHPRA registration lapse, the sudden loss of a key practitioner, a Medicare billing error, fire or evacuation, and an extended IT outage.
Capture each risk in plain, specific language ("vaccine fridge fails overnight and stock is lost", not "cold chain"). Our clinical risk management and business continuity plan templates give you a head start on the clinical and continuity categories. Aim for breadth first; you will prioritise in the next step.
Step 3: Rate each risk on a consistent matrix
Score every risk the same way, so the ratings are comparable. Use a likelihood scale (for example rare, unlikely, possible, likely, almost certain) and a consequence scale (insignificant, minor, moderate, major, severe), and combine them into a rating: low, medium, high, or extreme. A 5x5 matrix is standard, but a 3x3 is fine for a small practice as long as you apply it consistently.
Define what each level means before you score, or two people will rate the same risk differently. The rating is not busywork: it is what tells you which risks demand action now and which you simply monitor. A register where everything is "high" is as useless as one where everything is "low".
Step 4: Assign controls, owners, and treatment to the significant risks
For each medium-and-above risk, record the controls already in place, the further treatment you will add, a named owner, and a due date. This is the step that turns the register from a list into management. "Owner" is a role (the practice manager, the principal), not just a name, so it survives staff turnover, and every extreme or high risk should escalate to the practice owner or principal for sign-off.
Treatment follows the usual hierarchy: eliminate or reduce the risk where you can, then add controls, and accept and monitor only what is genuinely low. The register should show risks being actively managed (controls added, ratings coming down over time), which is exactly the evidence an assessor wants and the substance of good clinical governance.
Step 5: Set the review cadence and keep it living
A register written once and filed is worse than none, because the dates prove you stopped. Set a review schedule (at least annually for the whole register, plus a trigger-based review whenever something changes, a new service starts, or an incident occurs) and record each review date in the register. Feed your incidents and significant events back in: when something goes wrong, ask whether it points to a risk that belongs on the register.
Treating the register as a standing item (a recurring agenda point at practice meetings, with owners reporting on their actions) is what keeps it current between accreditation cycles. A living register with movement in it tells an assessor far more than a polished one created the week before the survey.
A worked example
A short, realistic register looks like this. Keep yours specific to your practice, but this shows the shape and the spread across categories.
| Risk | Category | Likelihood | Consequence | Rating | Key controls | Treatment / owner | Review |
|---|---|---|---|---|---|---|---|
| Vaccine fridge fails overnight, stock lost | Clinical | Possible | Major | High | Data logger, alarm, daily temp checks | Add backup alarm to phone; nurse lead | Quarterly |
| Schedule 8 register discrepancy | Clinical | Unlikely | Major | High | Dual sign-off, weekly count | Monthly audit; principal | Monthly |
| Notifiable data breach / ransomware | IT & Cyber | Possible | Severe | Extreme | MFA, backups, patching | Essential Eight uplift; PM + MSP | Quarterly |
| Key GP departs at short notice | Business continuity | Possible | Major | High | Locum contacts, cross-cover | Succession + locum panel; principal | 6-monthly |
| AHPRA registration lapses unnoticed | Regulatory | Unlikely | Major | High | Central register, reminders | Renewal tracking; practice manager | 6-monthly |
| Medicare billing error / over-servicing | Financial | Possible | Major | High | Billing education, item checks | Periodic self-audit; principal | 6-monthly |
| Fire or evacuation | WHS | Rare | Severe | High | Alarms, drills, exits clear | Annual drill; WHS lead | Annual |
| Extended power or IT outage | IT & Cyber | Possible | Moderate | Medium | UPS, paper fallback | Test downtime procedure; PM | Annual |
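The rating matrix from Step 3 and the owner, treatment and review checks from Steps 4 and 5, applied to rows shaped like the table above, as an added Python example that is not part of the original guide. The matrix cell values are an assumption chosen to reproduce the ratings in the worked table, and the register rows are constructed sample data.

```python
"""Rate and sanity-check a practice risk register on a 5x5 matrix.

Added example, not from the original guide. The matrix is an assumption chosen
to reproduce the ratings in the worked table; the rows are constructed data.
"""
from datetime import date

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "severe"]
ORDER = ["low", "medium", "high", "extreme"]
# Assumed matrix: rows follow LIKELIHOOD, columns follow CONSEQUENCE.
MATRIX = [
    ["low", "low", "medium", "medium", "high"],        # rare
    ["low", "low", "medium", "high", "high"],          # unlikely
    ["low", "medium", "medium", "high", "extreme"],    # possible
    ["medium", "medium", "high", "high", "extreme"],   # likely
    ["medium", "high", "high", "extreme", "extreme"],  # almost certain
]

def rate(likelihood, consequence):
    """Combine the two scale words; an unknown word raises instead of misrating."""
    return MATRIX[LIKELIHOOD.index(likelihood.lower())][CONSEQUENCE.index(consequence.lower())]

def check_register(register, today):
    """Return (risk, gap) pairs for what an assessor would pick up on each row."""
    gaps = []
    for r in register:
        level = ORDER.index(rate(r["likelihood"], r["consequence"]))
        if level >= ORDER.index("medium"):  # Step 4: medium-and-above needs management
            for field in ("controls", "treatment", "owner", "due"):
                if not r.get(field):
                    gaps.append((r["risk"], f"missing {field}"))
        if level >= ORDER.index("high") and not r.get("signed_off"):
            gaps.append((r["risk"], "needs principal/owner sign-off"))
        if r.get("next_review") and r["next_review"] < today:  # Step 5: stale review
            gaps.append((r["risk"], "review overdue"))
    return gaps

# Constructed sample rows (not the guide's table), evaluated at a fixed date.
TODAY = date(2025, 6, 30)
REGISTER = [
    {"risk": "Vaccine fridge fails overnight", "likelihood": "possible", "consequence": "major",
     "controls": "data logger, alarm", "treatment": "backup alarm to phone", "owner": "nurse lead",
     "due": date(2025, 9, 30), "signed_off": True, "next_review": date(2025, 9, 30)},
    {"risk": "Ransomware / notifiable data breach", "likelihood": "possible", "consequence": "severe",
     "controls": "MFA, backups, patching", "treatment": "", "owner": "practice manager",
     "due": None, "signed_off": False, "next_review": date(2025, 3, 31)},
]
```

Running `check_register(REGISTER, TODAY)` flags only the ransomware row: no treatment, no due date, no sign-off for an extreme rating, and a review date already passed, which is exactly the "built once and never reviewed" pattern the guide warns about.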
What good looks like
- The register spans clinical, WHS, IT/cyber, financial, regulatory and continuity risks.
- Risks are written specifically, so anyone can understand the scenario.
- Every risk is rated on one consistent matrix, with the levels defined.
- Each significant risk has controls, a named owner role, treatment, and a due date.
- Review dates are recorded and the register shows movement over time.
Common mistakes: listing only clinical risks, rating everything the same so nothing stands out, leaving risks with no owner or no treatment, and building the register once for accreditation and never reviewing it. Confusing it with the incident register is the other frequent slip: one looks forward at what could happen, the other back at what did.
Frequently asked questions
What does the RACGP risk-management requirement involve for a risk register?
The Standards expect a documented, systematic approach to risk, not just awareness that risks exist. Clinical risks are assessed under the Quality Improvement standards (Criterion QI3.1, Managing clinical risks), and the practice is also expected to manage business and operational risks. A risk register, scored and reviewed, is the practical way to demonstrate both, which is why assessors look for one.
How is a risk register different from an incident register?
A risk register is forward-looking: it lists what could go wrong, how likely and serious it would be, and what you are doing to prevent it. An incident register is backward-looking: it records what actually happened. They connect (an incident should prompt you to add or re-rate a risk), but they are separate documents and an assessor expects both.
Who should own the risk register?
The practice manager usually maintains it day to day, but ownership of the high-level risks sits with the principal or practice owner, and each individual risk should have a named owner role responsible for its controls. Assigning owners by role rather than person means the register survives staff changes.
How often must a risk register be reviewed?
Review the whole register at least annually, and review individual risks whenever something changes: a new service, a new system, a regulatory change, or after an incident. Record each review date in the register. A schedule of dated reviews is what shows an assessor the register is a living tool, not a one-off.
What are the most common risks to include?
Across categories: cold chain failure and Schedule 8 discrepancies (clinical), a data breach or IT outage (cyber), loss of a key practitioner and financial or billing exposure (business), an AHPRA registration lapse (regulatory), and fire or evacuation (WHS). Start from these predictable risks, then add the ones specific to your practice, services, and location.