Clinical governance and quality improvement

What clinical governance is and why it matters

Clinical governance is the framework through which healthcare organisations are accountable for continuously improving the quality of their services and safeguarding high standards of care. It was introduced following a series of high-profile care failures in the NHS and is now embedded in the regulatory expectations for all CQC-registered providers in England.

For healthcare leaders, clinical governance connects patient safety, staff development, clinical effectiveness, and organisational learning into a coherent whole. When it works well, problems are identified early, learning is shared, and care quality improves continuously. When it fails, the consequences can be catastrophic for patients, staff, and the organisation.

CQC assesses clinical governance directly under the Well-led key question. An organisation with weak governance will struggle to achieve a Good or Outstanding rating, regardless of how skilled its individual clinicians are.

The seven pillars of clinical governance

Clinical governance rests on seven interconnected pillars. Each pillar reinforces the others, and weakness in one area tends to undermine the whole framework:

Clinical effectiveness — Ensuring care is based on the best available evidence. This means following NICE guidelines, participating in national clinical audits, and measuring outcomes against benchmarks.
Risk management — Systematically identifying, assessing, and mitigating risks to patient safety. This includes incident reporting, root cause analysis, and proactive risk assessment.
Patient experience — Gathering and acting on feedback from patients and their families. Complaints, surveys, and patient stories all contribute to understanding the quality of care from the patient perspective.
Communication effectiveness — Ensuring information flows reliably between teams, departments, and organisations. Poor handover and communication failures are among the most common causes of patient safety incidents.
Resource effectiveness — Using staff, finances, and equipment efficiently to deliver safe, high-quality care. This includes workforce planning and ensuring safe staffing levels.
Strategic effectiveness — Aligning governance activities with the organisation’s strategy and objectives. Governance should drive improvement, not merely document compliance.
Learning effectiveness — Creating systems that capture learning from incidents, complaints, audits, and good practice, and translate that learning into measurable change.

Patient safety culture

At the heart of effective clinical governance is a patient safety culture. This is the shared set of values, attitudes, and behaviours that determine how an organisation responds when things go wrong.

Just culture

A just culture distinguishes between human error, at-risk behaviour, and reckless behaviour. It recognises that healthcare is inherently complex and that even competent, well-intentioned staff will sometimes make mistakes. The focus shifts from “who is to blame?” to “what can we learn?”

This does not mean accountability is abandoned. Reckless behaviour and deliberate violations are still addressed through disciplinary processes. But the default response to an honest error is support and learning, not punishment.

Freedom to Speak Up

Following the Francis Report into the Mid Staffordshire NHS Foundation Trust, all NHS organisations are expected to have a Freedom to Speak Up Guardian. Independent healthcare providers are strongly encouraged to adopt the same approach. The Guardian provides a confidential route for staff to raise concerns about patient safety, quality of care, or workplace culture without fear of reprisal.

CQC assesses speaking-up culture under the Well-led key question. Inspectors look for evidence that staff feel safe raising concerns and that the organisation acts on them.

Duty of candour

The statutory duty of candour is one of the most important governance obligations for CQC-registered providers. It requires openness and transparency when a notifiable safety incident occurs.

Duty of Candour (Regulation 20)

Regulation 20 of the Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 imposes a statutory duty of candour on all CQC-registered providers in England. Providers must be open and transparent when a notifiable safety incident occurs.

When the duty applies

The statutory duty of candour applies to all CQC-registered providers in England. It is triggered when a notifiable safety incident occurs — an unintended or unexpected incident that, in the reasonable opinion of a health care professional, could result in or appears to have resulted in:

The death of the service user (where the death relates directly to the incident)
Severe harm (permanent lessening of bodily, sensory, motor, physiologic or intellectual functions)
Moderate harm (requiring a moderate increase in treatment, significant but not permanent harm)
Prolonged psychological harm (experienced for a continuous period of at least 28 days)

What the provider must do

When a notifiable safety incident is identified, the provider must:

Notify the relevant person (the service user or, where appropriate, a lawful representative or family member) as soon as reasonably practicable after becoming aware
Provide reasonable support to the relevant person in relation to the incident
Offer an apology — saying sorry is not an admission of legal liability
Provide a truthful account of all the facts known at the time of notification
Give written notification within 10 working days, including the results of any further enquiries
Maintain a written record of all communications with the relevant person

Criminal offence

Under Section 91 of the Health and Social Care Act 2008, it is a criminal offence for a CQC-registered person to provide information that is false or misleading in a material respect, where they know it to be false or misleading or are reckless as to whether it is.

CQC assessment

CQC assesses duty of candour compliance under the Well-led key question during inspections. Providers must demonstrate systems for identifying notifiable incidents, notifying relevant persons, and learning from events.

Professional duty of candour

In addition to the organisational duty, individual healthcare professionals have a professional duty of candour set by their regulators (GMC, NMC, GDC and others). This applies UK-wide, not just in England.

Initial notification: As soon as reasonably practicable after becoming aware of the incident
Written notification deadline: Within 10 working days of the initial notification
Applies to: All CQC-registered providers in England
Criminal liability: Section 91 HSCA 2008 - offence to provide false or misleading information
CQC inspection key question: Well-led
Professional regulators: GMC, NMC, GDC, HCPC (professional duty applies UK-wide)

CQC Regulation 20 - Duty of candour

Professional duty alongside the organisational duty

Individual healthcare professionals also have a professional duty of candour imposed by their regulators. The GMC and NMC both require their registrants to be open and honest when things go wrong, regardless of whether the organisational duty under Regulation 20 is triggered. This professional duty applies UK-wide, not just in England.

Even where an incident falls below the threshold of a notifiable safety incident, individual clinicians are still expected to be honest with patients. Building a culture of candour means the organisation supports staff to have difficult conversations, not leaving them to navigate these situations alone.

Incident investigation and learning

How an organisation investigates and learns from patient safety incidents is a defining feature of its governance maturity.

Learn from Patient Safety Events (LFPSE) Service

The Learn from Patient Safety Events (LFPSE) service replaced the National Reporting and Learning System (NRLS) from September 2023 as the national system for reporting patient safety events in England. It supports the Patient Safety Incident Response Framework (PSIRF).

What is LFPSE

The Learn from Patient Safety Events (LFPSE) service is the national system for recording and analysing patient safety events across health and care in England. It replaced the National Reporting and Learning System (NRLS) from September 2023.

Who must report

Mandatory: NHS trusts and NHS-funded providers must report patient safety events via LFPSE
Strongly recommended: Independent healthcare providers are strongly encouraged to report voluntarily
GP practices, community providers, mental health trusts and ambulance services are all within scope

What to report

LFPSE captures three categories of patient safety event:

Patient safety incidents: Unintended or unexpected events that could have or did lead to patient harm
Near misses: Events prevented before reaching the patient
Patient safety concerns: Identified risks that have not yet resulted in an incident

Patient Safety Incident Response Framework (PSIRF)

PSIRF replaced the Serious Incident Framework from autumn 2023. It shifts the focus from reactive investigation of individual incidents to a systems-based approach to learning. Providers must develop a Patient Safety Incident Response Plan and Patient Safety Incident Response Policy.

Distinct reporting obligations

LFPSE is separate from and does not replace:

RIDDOR — workplace injuries, diseases and dangerous occurrences reported to HSE
CQC Statutory Notifications — serious incidents, deaths, abuse and other notifiable events reported directly to CQC
Safeguarding referrals — reported to the local authority
MHRA Yellow Card — adverse incidents involving medicines or medical devices

Service name: Learn from Patient Safety Events (LFPSE)
Replaced: National Reporting and Learning System (NRLS), September 2023
Managed by: NHS England Patient Safety team
Mandatory for: NHS trusts and NHS-funded providers
Framework: Patient Safety Incident Response Framework (PSIRF) replaced Serious Incident Framework
Event categories: Patient safety incidents, near misses, and patient safety concerns

LFPSE service - NHS England

From investigation to learning

The shift from the Serious Incident Framework to the Patient Safety Incident Response Framework (PSIRF) represents a fundamental change in philosophy. Rather than treating every serious incident as requiring a formal root cause analysis investigation, PSIRF asks organisations to develop a proportionate response based on what will generate the most learning.

This might mean:

A learning response — Where the system issues are already understood and the priority is implementing known improvements
A patient safety investigation — Where there are genuine questions about what happened and why, using systems-based methods rather than blame-focused inquiries
A thematic review — Where multiple related incidents suggest a systemic problem requiring analysis across cases

The key business consideration for healthcare leaders is that PSIRF requires dedicated resource. Organisations must develop a Patient Safety Incident Response Plan and a Patient Safety Incident Response Policy, and they must have trained staff to conduct investigations using the new methods.

Clinical audit

Clinical audit is the systematic process of measuring care against defined standards, identifying gaps, and implementing improvements. It is one of the most practical tools in the governance toolkit.

The audit cycle

Effective clinical audit follows a continuous cycle:

Plan — Select a topic and define the standard you are measuring against (typically a NICE guideline, national standard, or local policy)
Measure — Collect data on current practice against the defined criteria
Compare — Analyse how current practice compares to the standard, identifying where care falls short
Improve — Implement changes to close identified gaps
Re-measure — Repeat the data collection to confirm that changes have led to improvement

Many organisations fail to close the loop by re-measuring. Without re-audit, there is no evidence that changes improved care. CQC inspectors specifically look for completed audit cycles, not just audit activity.

National clinical audits

NHS-funded providers are expected to participate in relevant National Clinical Audit and Patient Outcomes Programme (NCAPOP) audits. Independent providers may not be mandated to participate but doing so demonstrates commitment to clinical effectiveness and provides benchmarking data that supports governance discussions.

Complaints as a governance tool

Complaints are not merely a regulatory requirement to be managed. They are one of the richest sources of intelligence about the quality of care your organisation provides.

Healthcare Complaints Handling

NHS and social care providers must have an accessible complaints procedure under the Local Authority Social Services and National Health Service Complaints (England) Regulations 2009. CQC-registered independent providers must meet equivalent requirements under Regulation 16.

Legislative framework

The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009 set out the requirements for NHS and social care complaints handling. CQC-registered independent providers must also meet Regulation 16 (Receiving and acting on complaints) of the Regulated Activities Regulations 2014.

Key requirements

Providers must have an accessible complaints procedure that is publicised and available to all service users
Acknowledge the complaint within 3 working days
Agree a timescale for investigation and response with the complainant
Investigate the complaint thoroughly and proportionately
Provide a written response signed by the chief executive or responsible person, including findings and any actions to be taken
Inform the complainant of their right to escalate if they remain dissatisfied

Escalation routes

NHS complaints: Escalate to the Parliamentary and Health Service Ombudsman (PHSO)
Social care complaints: Escalate to the Local Government and Social Care Ombudsman (LGSCO)
Independent healthcare: Complainants may also raise concerns directly with CQC, although CQC does not investigate individual complaints

CQC inspection

CQC assesses complaints handling at every inspection under the Responsive key question. Inspectors examine whether:

Complaints are easy to make and handled promptly
The provider learns from complaints and makes improvements
Complainants are treated with respect and not discriminated against
Themes and trends from complaints are reported to the board or governance meetings

Governance requirements

Maintain a complaints log recording all complaints, investigation outcomes and actions
Report complaint themes and trends to the board or governance meetings regularly
Use complaints data to drive service improvement
Where a complaint relates to a notifiable safety incident, the duty of candour (Regulation 20) also applies

Scotland, Wales and Northern Ireland

Scotland, Wales and Northern Ireland have separate complaints frameworks managed by their respective health and social care regulators.

Acknowledgement deadline: Within 3 working days
Response timescale: Agreed individually with the complainant
Written response: Signed by chief executive or responsible person
NHS escalation body: Parliamentary and Health Service Ombudsman (PHSO)
Social care escalation body: Local Government and Social Care Ombudsman (LGSCO)
CQC inspection key question: Responsive
Governance: Complaints log with themes reported to board
Related duty: Duty of candour (Regulation 20) applies if complaint involves notifiable safety incident

CQC Regulation 16 - Receiving and acting on complaints

Effective governance means going beyond resolving individual complaints. It means analysing complaint data for patterns and themes, reporting those patterns to the board or governance committee, and using that analysis to drive tangible improvements.

Where a complaint relates to a notifiable safety incident, the duty of candour applies in parallel with the complaints process. Organisations need clear processes that ensure both obligations are met without one being overlooked.

CQC Well-led assessment

CQC assesses clinical governance primarily through the Well-led key question. Under the single assessment framework, inspectors evaluate whether:

There is a clear vision and strategy, supported by governance structures and processes
Leaders have the skills, knowledge, and experience to perform their roles effectively
There are clear roles, responsibilities, and systems of accountability
The organisation manages risk, performance, and information effectively
There is a culture of continuous learning and improvement
The organisation engages with patients, staff, and stakeholders
Innovation and sustainability are encouraged

CQC fundamental standards

The 13 fundamental standards that all CQC-registered providers must meet

All CQC-registered providers must meet the fundamental standards - minimum standards below which care must never fall.

Regulation 9: Person-centred care
Regulation 10: Dignity and respect
Regulation 11: Consent
Regulation 12: Safe care and treatment
Regulation 13: Safeguarding from abuse
Regulation 14: Meeting nutritional and hydration needs
Regulation 15: Premises and equipment
Regulation 16: Receiving and acting on complaints
Regulation 17: Good governance
Regulation 18: Staffing
Regulation 19: Fit and proper persons employed
Regulation 20: Duty of candour
Regulation 20A: Display of ratings

Quality improvement methodologies

CQC expects providers to have a structured approach to quality improvement, not just ad hoc responses to problems. Common methodologies used in healthcare include:

Plan-Do-Study-Act (PDSA) cycles — Small-scale tests of change, widely used in healthcare quality improvement
Model for Improvement — Structured approach asking three fundamental questions: What are we trying to accomplish? How will we know that a change is an improvement? What change can we make that will result in improvement?
Lean methodology — Eliminating waste in processes to improve efficiency and reduce errors
Statistical process control — Using data over time to distinguish between normal variation and genuine changes in performance

The choice of methodology matters less than the commitment to using it consistently. CQC looks for evidence that improvement work is embedded in governance structures, not conducted as isolated projects.

How this connects to your wider obligations

Clinical governance does not exist in isolation. It connects to virtually every other compliance obligation you have as a healthcare provider:

Medicines management — Medicines audits and controlled drugs checks are governance activities
Infection prevention and control — IPC audits feed into the governance framework
Safeguarding — Safeguarding concerns are reported through incident reporting systems
Data protection — Information governance is part of the overall governance framework
Workforce — Staff training, supervision, and appraisal are governance enablers

Strong clinical governance creates the connective tissue between these individual obligations, ensuring they work together as a coherent system rather than as separate compliance silos.

Official guidance and further reading

CQC assessment framework - Well-led
How CQC assesses governance under the Well-led key question
cqc.org.uk
NHS England Patient Safety
Patient Safety Incident Response Framework (PSIRF) and national patient safety resources
england.nhs.uk
NHS England Freedom to Speak Up
Guidance on Freedom to Speak Up Guardians and speaking-up culture
england.nhs.uk
Healthcare Quality Improvement Partnership (HQIP)
National clinical audit programme and quality improvement resources
hqip.org.uk
NHS Resolution - Saying Sorry
Guidance on duty of candour and being open when things go wrong
resolution.nhs.uk

Business Context Testing

Content Graph

Guvnor

Clinical governance and quality improvement

What clinical governance is and why it matters

The seven pillars of clinical governance

Patient safety culture

Just culture

Freedom to Speak Up

Duty of candour

Professional duty alongside the organisational duty

Incident investigation and learning

From investigation to learning

Clinical audit

The audit cycle

National clinical audits

Complaints as a governance tool

CQC Well-led assessment

Quality improvement methodologies

How this connects to your wider obligations

Compliance Assistant

🧪 Business Context Testing

◉ Content Graph

What clinical governance is and why it matters

The seven pillars of clinical governance

Patient safety culture

Just culture

Freedom to Speak Up

Duty of candour

Professional duty alongside the organisational duty

Incident investigation and learning

From investigation to learning

Clinical audit

The audit cycle

National clinical audits

Complaints as a governance tool

CQC Well-led assessment

Quality improvement methodologies

How this connects to your wider obligations

Related guides in Risk Assessment

Business Context Testing

Content Graph