Enforcement decision tree

Stage 3 uses a structured decision-making process to decide the appropriate enforcement action. At this stage, decision-makers should consider all civil and criminal enforcement options.

Sections 3A and 3B provide a framework for reaching a decision about what civil enforcement action is appropriate. Section 3C provides a framework for deciding whether it is appropriate to take criminal enforcement action.

Our enforcement criteria take account of CQC’s duty to protect and promote the health, safety and welfare of people who use regulated health and social care services by encouraging improvement and focusing on the needs and experiences of people using services.

The criteria also highlight the need for CQC to hold registered persons to account for breaches of regulations.

The decision-making process seeks to guide staff in taking consistent and proportionate decisions without being too prescriptive.

This stage uses 2 criteria to assist CQC staff in deciding which enforcement powers we should use. The criteria are:

• seriousness of the breach
• evidence of multiple and/or persistent breaches

Stage 3A: Seriousness of the breach

We will take progressively stronger action in proportion to:

• the seriousness of the breach
• the potential impact on people using a service
• the number of people affected.

We will take stronger action where a service is carried on in an inappropriate way without effective management of risk.

For example, a registered provider would be ineffective in managing risk if it had not implemented policies and procedures to control risk, despite this being reasonably practicable.

A registered provider would also be ineffective if there was:

• a disregard for legal requirements
• an attempt to avoid them.
• false or misleading information provided.

3A (1): Potential impact of the breach

For civil enforcement, colleagues should assess the level of potential impact that would result if the breach of regulations identified was repeated.

The focus for civil enforcement is on re-occurrence, to assess whether we should act to protect people using regulated services from harm in the future.

Potential impact of the breach: MAJOR

Definition: The breach, if repeated, would result in a serious risk to any person’s life, health or wellbeing including:

• permanent disability
• irreversible adverse condition
• significant infringement of any person’s rights or welfare (of more than one month’s duration)
• major reduction in quality of life.

Potential impact of the breach: MODERATE

Definition: The breach, if repeated, would result in a risk of harm including:

• temporary disability (of more than one week but less than one month’s duration)
• reversible adverse health condition
• significant infringement of any person’s rights or welfare (of more than one week but less than one month’s duration)
• moderate reduction in quality of life.

Potential impact of the breach: MINOR

Definition: The breach, if repeated, would result in a risk of:

• significant infringement of any person’s rights or welfare (of less than one week’s duration)
• minor reduction in quality of life
• minor reversible health condition.

3A (2): Likelihood that the facts giving rise to the breach will happen again

Colleagues should assess the likelihood that the facts that led to the breach will repeat themselves. The likelihood should be based on the provider’s control measures and processes put in place to manage the risks identified, including changes in practice (such as recruiting additional staff or replacing equipment).

Likelihood that the facts giving rise to the breach will happen again: PROBABLE

Definition: It is more probable than not that the facts that gave rise to the breach will repeat themselves, as there are insufficient or ineffective control measures in place to manage the risk identified.

Likelihood that the facts giving rise to the breach will happen again: POSSIBLE

Definition: It is possible that the facts or circumstances that led to the breach will happen again as some control measures have been put in place, but these are not completely effective.

Likelihood that the facts giving rise to the breach will happen again: REMOTE

Definition: It is unlikely that the facts or circumstances that led to the breach will repeat themselves as control measures have been put in place to manage the risk identified, although they may be newly implemented and/or not embedded.

3A (3): Seriousness of the breach

Colleagues need to assess both:

• the potential impact of the breach
• the likelihood that the facts giving rise to the breach will happen again

They should then apply them to the following table to determine whether the seriousness of the breach is either: low, medium, high, or extreme.

3A (4): Initial recommendation

Colleagues should use the results of 3A (3) to reach an initial recommendation about which civil enforcement powers should be used to protect people using the service from harm or the risk of harm.

This recommendation only takes account of the potential impact of the breach and the likelihood that the facts giving rise to the breach will happen again. We will not reach a final decision on what civil enforcement action to take until we have considered the multiple and persistent criteria, and our enforcement priorities.

Seriousness of the breach: EXTREME

Recommended initial civil enforcement action:

• Urgent cancellation
• Urgent suspension
• Urgent imposition, variation or removal of conditions

Seriousness of the breach: HIGH

Recommended initial civil enforcement action:

• Cancellation
• Suspension
• More significant conditions (impose, vary or remove)

Seriousness of the breach: MEDIUM

Recommended initial civil enforcement action:

• Conditions (impose, vary or remove) 
• s29 Warning Notice
• s29a Warning Notice

Seriousness of the breach: LOW

Recommended initial regulatory action:

• Action Plan Request (or Requirement Notice if using KLOEs)

Our enforcement policy describes these powers in detail, and it is important to read it along with this decision tree. Registration conditions as part of civil enforcement action can range from imposing minor amendments to registration up to significant restrictions on the carrying on of a regulated activity.

Stage 3B: Identifying multiple and/or persistent breaches

Once an initial recommendation has been reached under Stage 3A, colleagues should then apply the test under Stage 3B to consider whether a more or a less serious level of enforcement than the initial recommendation is appropriate.

This part of the decision-making process considers whether the identified breach and conduct is part of a pattern demonstrating systemic failings.

Where we are considering enforcement against a registered provider, we should assess the provider’s ability to identify risks and make and sustain necessary improvements.

Stage 3B considers evidence of multiple or persistent failures. This includes a review of:

• whether there are repeated breaches
• the provider’s overall history of performance
• whether there was a failure to assess or act on known risk
• whether there is adequate leadership and governance.

Conclusions reached under Stage 3B can result in a change to the recommended enforcement action by increasing or decreasing the severity.

At this stage, colleagues should work through each of the following questions to identify any adjustments to the initial recommendation made under Stage 3A (4).

3B (1): Has there been a failure to assess or act on past risks?

Colleagues should consider:

• Is there a history of failing to adequately assess risks to people using services, either deliberately, recklessly, through neglect or because ineffective or inadequate action has been taken to make improvements?
• Is there a history of failing to act on identified risks to people using services, including a failure to act on previous CQC assessment reports, requirements, or enforcement actions?

3B (2): Is there evidence of multiple breaches?

Colleagues should consider:

• Is there more than one breach of a regulation or relevant requirements at the same service, different services, or across the whole service, which may indicate that the current conduct is part of a pattern?
• Is there more than one key question rated as inadequate, or are ratings of inadequate more common in the service?
• Are there multiple breaches in a small service? (This may be of greater concern than multiple breaches in a large service, for example, 3 people affected in a 6-bed care home compared with a 600-bed NHS foundation trust.) Colleagues should take account of the proportion of breaches compared with the size of the service and population receiving care.

3B (3): Does the provider’s track record show repeated breaches?

Colleagues should consider:

• Is there a history of repeated breaches?
• Are there requirements or enforcement actions that have not been complied with?
• Have necessary improvements been made following breaches identified in reports or enforcement actions?
• Is there evidence that the provider has been unable to improve services? For example, showing that it still has one or more ratings of inadequate at the end of the time-limited period?

If the answer to the fourth question is ‘yes’, colleagues should consider cancelling the registration or taking action to remove relevant locations unless there is good reason not to do so.

Colleagues should note that a provider’s history is taken from the first date of registration of the provider or manager to carry on the regulated activity. If a provider has registered under a new entity, the history should still be considered, but with caution so as not to make unwarranted assumptions.

Stage 3B (4): Is there adequate leadership and governance?

Colleagues should consider:

• What are the previous ratings or findings for the well-led key question and the competency and capability of the provider’s management?

Stage 3B (5): Change to civil enforcement action due to multiple and persistent criteria

Depending on the answers to each of the above questions (3B (1) to 3B(4)), colleagues should make an overall assessment about the most appropriate civil enforcement action for us to take.

The answers to the questions may increase or decrease the severity of any recommended civil enforcement action.

Severity of civil enforcement action

Less severe civil enforcement action:

• The provider assessed and acted on a known risk.
• There were few or no other breaches.
• There is no history of breaches.
• There is effective leadership and governance.

More severe civil enforcement action:

• There was a failure to assess or act on a known risk.
• There are multiple breaches.
• The provider has a history of breaches.
• There is inadequate leadership and governance.

Section 3C: Consider whether we need to take criminal enforcement action

Criminal enforcement action should be considered in every case where CQC proposes civil enforcement and/or identifies a specific incident of suspected avoidable harm.

Decisions about the most appropriate criminal enforcement action to take will be made in consultation with legal services and following a review of the 2-stage test set out in the Code for Crown Prosecutors. This 2-stage test requires the decision-maker to consider both:

• the sufficiency of evidence gathered
• the public interest to be served in taking criminal enforcement action.

The decision-maker should have regard to CQC’s prosecution criteria in the enforcement policy and consider:

• the seriousness of the breach or breaches identified
• the potential impact of the breach or breaches identified on a person using the service and/or the ability of CQC to perform its regulatory functions (breach of conditions or failures to notify).