Governance risk controls
Incident reporting
A practical, audit-ready approach to reporting and learning from incidents related to guideline use, guideline currency, and decision support workflows.
What this page is for
Incident reporting isn't just a safety requirement — it's a governance control. This page sets out what to record, how to triage, and how to evidence learning when incidents involve guideline content, guideline currency, or how guidance is applied in practice.
- For governance: consistent categorisation, ownership, and board-level visibility.
- For audit: clear traceability from incident → action → verification.
- For safety: rapid containment and prevention of recurrence.
Minimum incident record (audit-safe)
Keep the incident record short, structured, and reproducible. At minimum, capture:
- What happened (one-paragraph narrative, time/date, setting, service line).
- Impact (actual harm, potential harm, operational impact).
- Guideline context (which guideline / pathway, version/date, where it was accessed).
- Decision trace (what was followed, what deviated, and why — including uncertainty).
- Detection + containment (how found, immediate steps taken, who was informed).
- Owner + timescales (named accountable lead, due dates, review cadence).
Note: If you need "audit-safe wording", link your incident template to your audit standard: Audit-safe standards.
Triage: classify the cause (so you can fix the right thing)
To avoid mixing problems, triage incidents into one primary class:
- Currency — the guidance referenced was superseded or updated.
- Coverage — relevant guidance exists but was not found or not surfaced at the point of need.
- Interpretation — guidance was found, but misread or misapplied (ambiguity, context mismatch).
- Workflow — the process around guidance failed (handover, documentation, escalation, governance sign-off).
- System — technical issues (availability, integration, permissioning, logging).
This classification should map directly to your corrective action types (below), so leadership can see whether problems are content, process, or system.
Corrective actions (what auditors look for)
A good corrective and preventive action (CAPA) is specific, testable, and time-bound:
- Containment: immediate mitigation (e.g., alert, banner, temporary block, comms).
- Correction: fix the immediate defect (e.g., update references, adjust pathway, revise local note).
- Prevention: change the system/process to stop recurrence (e.g., review cadence, logging, training).
- Verification: show it worked (spot-check, audit sample, follow-up review).
Link actions to the relevant governance owner (clinical governance, safety, quality, or IT), and keep a single source of truth for evidence.
Evidence pack: what to keep
Keep a lightweight evidence pack so you can demonstrate control without over-documenting:
- Incident form + triage classification
- Change record (what changed, when, by whom)
- Communication note (who was informed)
- Verification result (audit sample, re-test, review minutes)
- Learning summary (what will change going forward)
How this links to your Assurance structure
- Governance: risk ownership, policy alignment, decision accountability.
- Audit: demonstrate repeatable standards and safe wording.
- Clinical safety: show proactive hazard management and learning.
- Currency assurance: show how you detect and respond to guideline updates.