Aged Care Risk Register: Building a 5x5 Risk Matrix for Governance

28 March 2026 | 10 min read | Statura Care

A risk register is the central governance tool that every aged care provider needs to identify, assess, treat, and monitor risks across their organisation. Under the Aged Care Act 2024, governing bodies are accountable for the quality and safety of care — and a well-maintained risk register is the primary evidence that risks are being actively managed.

This guide covers how to build an aged care risk register using a 5x5 risk matrix, identify aged care-specific risks, develop treatment plans, and report risk data to your governing body.

What is a 5x5 risk matrix?

A 5x5 risk matrix is a tool that assesses each identified risk on two dimensions: likelihood (how probable is the risk?) and consequence (how severe would the impact be?). Each dimension is rated on a 5-point scale, and the two ratings are multiplied to produce a risk score from 1 to 25.

Likelihood ratings:
1 = Rare (may occur only in exceptional circumstances)
2 = Unlikely (could occur but not expected)
3 = Possible (might occur at some time)
4 = Likely (will probably occur)
5 = Almost certain (expected to occur regularly)

Consequence ratings:
1 = Insignificant (no injury, minor financial loss)
2 = Minor (first aid required, moderate financial loss)
3 = Moderate (medical treatment, significant financial loss)
4 = Major (extensive injuries, major financial loss, regulatory action)
5 = Catastrophic (death, organisational viability threatened)

Risk scores are then categorised: Low (1-4), Medium (5-9), High (10-16), Extreme (17-25). Each category has a corresponding response requirement — extreme risks require immediate governing body attention and active treatment, while low risks may be accepted and monitored.

Common aged care risk categories

Aged care providers face risks across multiple domains. A comprehensive risk register should include:

Clinical risks: Falls, pressure injuries, medication errors, infection outbreaks, clinical deterioration, restraint use, malnutrition. These directly affect care quality and feed into quality indicators and SIRS reporting.

Workforce risks: Staffing shortages, care minutes non-compliance, worker screening lapses, training gaps, SCHADS underpayment, high turnover, agency reliance.

Governance risks: Responsible persons suitability failures, board skills gaps, inadequate oversight, policy currency lapses.

Financial risks: Prudential non-compliance, RAD liquidity shortfalls, billing errors, SAH budget overruns, revenue forecast inaccuracy.

Regulatory risks: ACQSC non-compliance findings, late SIRS notifications, enforcement action, conditions on registration.

Operational risks: IT system failures, data breaches, natural disasters, supply chain disruptions, pandemic outbreaks.

Reputational risks: Negative star ratings, media coverage, complaints escalation to ACQSC, family dissatisfaction.

Building and maintaining the register

Step 1: Identify risks. Draw from multiple sources — incident data, complaints trends, quality indicator performance, audit findings, staff feedback, industry alerts, and legislative changes. A risk identification workshop with key staff from clinical, operations, finance, and governance is an effective starting point.

Step 2: Assess each risk. Apply the 5x5 matrix to rate likelihood and consequence. Be honest — inflating or deflating assessments undermines the register's value. Use historical data where available (e.g., falls rate data to assess falls risk likelihood).

Step 3: Assign treatment. For each risk rated Medium or above, define a treatment plan: what actions will reduce the likelihood or consequence? Assign an owner and deadline. Treatments should be specific and measurable — not generic statements.

Step 4: Monitor and review. Risk assessments change as circumstances change. Review the full register at least quarterly, with extreme risks reviewed monthly. After any significant incident, reassess the relevant risks.

Step 5: Report to the governing body. The governing body should receive a risk report at every board meeting — showing the top risks, movement since last report, treatment progress, and any new or emerging risks. This reporting is evidence for Quality Standard 2 (The Organisation).

How Statura Care helps with risk management

The Governance module includes a digital risk register with an interactive 5x5 risk matrix. Each risk is linked to its treatment plan, assigned owner, review schedule, and evidence trail. Heat maps visualise your risk profile across categories, and trend dashboards show how your risk posture is changing over time.

Risk data integrates with other modules — SIRS incident trends automatically surface clinical risks, quality indicator data highlights QI-related risks, and workforce compliance data flags staffing risks. Board-level risk reports are generated through the Reporting Hub, giving your governing body the visibility they need under Quality Standard 2.

Risk management is one of 35 modules in Statura Care's aged care governance software — purpose-built for the Aged Care Act 2024.
