Water compliance risk register: a guide for 2026
- Jun 6
- 8 min read


A water compliance risk register is a structured, centralised record used to identify, assess, and monitor water-related compliance risks, assigning ownership, scoring, and controls to each identified hazard. For compliance officers and facility managers operating under UK health and safety law, this document is not optional. It is the operational backbone of any credible water safety programme, sitting between your risk assessments and your governance framework.
Legionella is the most visible risk in water systems, but a register covers far more: sampling failures, temperature exceedances, disinfection lapses, and regulatory permit breaches. A risk register captures a canonical list of risks with owners, assessment scores, controls, and actions. That structure is what separates a managed programme from a collection of disconnected reports.
What is a water compliance risk register and what does it contain?
A water compliance risk register is a living management document, not a static report. It records every significant water-related compliance risk your organisation faces, alongside the controls in place, the person accountable, and the actions required to reduce residual risk to an acceptable level.
The core fields in a functional register include:
- Risk description and category: A clear statement of the risk, such as “Legionella growth in calorifier due to inadequate temperature maintenance,” with a category label such as legionella, sampling, or discharge.
- Inherent risk score: The risk level before any controls are applied, calculated by multiplying likelihood by impact on a defined scale.
- Controls in place: The specific measures currently operating to manage the risk, such as weekly temperature monitoring or quarterly cleaning regimes.
- Control status: Whether each control is functioning, overdue, or failed, confirmed through inspection or testing evidence.
- Residual risk score: The risk level after controls are applied. This is the figure that tells you whether your current programme is sufficient.
- Risk owner: The named individual or role accountable for managing the risk and ensuring actions are completed.
- Open actions: Specific tasks with due dates and assigned owners, generated when controls are found to be inadequate or when a risk score exceeds the organisation’s risk appetite.
- Evidence links: References to supporting documents such as temperature logs, disinfection certificates, and sampling results.
The table below illustrates how a single register entry might look in practice:
| Field | Example entry |
|---|---|
| Risk description | Legionella growth in sentinel outlet due to low usage |
| Category | Legionella |
| Inherent risk score | 12 (High) |
| Controls in place | Weekly flushing, monthly temperature checks |
| Control status | Overdue (last check 6 weeks ago) |
| Residual risk score | 9 (Medium) |
| Risk owner | Facilities Manager |
| Open action | Complete overdue temperature check by 15 Feb 2026 |
| Evidence link | Logbook ref: BLD01-TMP-2025 |

Pro Tip: Set your risk appetite threshold in the register itself. Any residual risk score above that threshold should automatically generate an open action. This removes ambiguity about when escalation is required.
How does a water risk register differ from a legal compliance register?
The two documents serve different purposes and should never be merged into one. Legal registers focus on obligations and evidence, while risk registers focus on potential events, likelihood, consequence, and mitigation plans. Conflating them creates gaps in both.
A legal compliance register lists the specific laws, regulations, and permits that apply to your organisation, such as the Health and Safety at Work Act 1974, the Control of Substances Hazardous to Health Regulations 2002, or a site-specific discharge consent. It records whether you are currently compliant with each obligation and what evidence demonstrates that compliance.
A water compliance risk register, by contrast, is forward-looking. It asks: what could go wrong, how likely is it, what are we doing about it, and is that enough? The two registers are complementary. Your legal register tells you what you must do; your risk register tells you whether you are doing it well enough to prevent failure.
| Register type | Focus | Content | Audit purpose |
|---|---|---|---|
| Legal compliance register | Regulatory obligations | Laws, permits, evidence of compliance | Demonstrates legal adherence |
| Water risk register | Risk events and controls | Hazards, scores, owners, actions | Demonstrates risk management |
ISO management systems explicitly distinguish these two records, and auditors expect both to be maintained separately. An organisation that presents only a risk register when asked for its legal compliance register, or vice versa, will face a non-conformance finding. Both documents must exist, both must be current, and both must be accessible.
Pro Tip: Cross-reference your legal compliance register and your risk register using shared identifiers. If a regulatory obligation in your legal register is not represented by at least one risk entry, you have a gap in your risk programme.
What water risk assessment techniques feed into the register?
A risk register is only as good as the assessment process that populates it. Several established techniques are used in UK water compliance management to identify and score risks before they enter the register.
The Drinking Water Inspectorate uses hazard categories and risk persistence multipliers in its Risk Assessment Risk Index (RARI) methodology. This approach scores risks based on how long a hazard persists before mitigation is applied, giving a more accurate picture of cumulative exposure than a simple likelihood-impact matrix.
For legionella specifically, the HSE Approved Code of Practice L8 requires a documented risk assessment of all water systems that could present a legionella risk. That assessment identifies hazard sources, populations at risk, and existing controls. The findings from this assessment are the primary input to your risk register entries. Reviewing your legionella risk assessment regularly is what keeps the register current rather than historical.
Common water system risks that typically appear in a register following assessment include:
- Calorifiers or hot water cylinders operating below 60°C storage temperature
- Cold water storage tanks with temperatures above 20°C
- Infrequently used outlets presenting stagnation risk
- Cooling towers or evaporative condensers without biocide dosing records
- Thermostatic mixing valves (TMVs) not serviced within the required interval
- Water sampling results exceeding action levels for legionella or other indicators
Once risks are identified, the scoring process follows a structured sequence:
1. Assign an inherent risk score based on likelihood and impact before any controls are considered.
2. Document all existing controls and verify their current operational status.
3. Calculate the residual risk score after applying confirmed, functioning controls.
4. Compare the residual score against your organisation’s defined risk appetite.
5. Generate open actions for any risk where the residual score exceeds the acceptable threshold.
6. Set a review date for each entry, proportionate to its risk level.
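As an added worked example (not from the article or any of its cited bodies), the six-step scoring sequence above in Python, including the risk-appetite trigger for open actions and a review date scaled to the residual band. The 5x5 scale, the band boundaries, the rule that each functioning control lowers likelihood by one point, the appetite value and the sample entry are all assumptions made for illustration; the monthly/quarterly/annual review cadence follows the article.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import date, timedelta
# Assumed (not from the article): 5x5 likelihood x impact scale, bands Low <= 4,
# Medium 5-9, High >= 10; review cadence per the article, as days until next review.
BANDS = ((10, "High", 30), (5, "Medium", 90), (0, "Low", 365))
RISK_APPETITE = 6  # assumed threshold, recorded in the register itself
ASSESSMENT_DATE = date(2026, 1, 15)  # constructed date for the walk-through
Control = namedtuple("Control", "description status")  # status: functioning/overdue/failed

@dataclass
class RiskEntry:
    description: str
    owner: str       # a named individual, not a department
    likelihood: int  # 1-5
    impact: int      # 1-5
    controls: list
    open_actions: list = field(default_factory=list)

def inherent_score(e):
    return e.likelihood * e.impact

def residual_score(e):
    # Assumed reduction rule: each confirmed, functioning control lowers likelihood
    # by one point; overdue or failed controls earn no credit (step 3).
    working = sum(1 for c in e.controls if c.status == "functioning")
    return max(1, e.likelihood - working) * e.impact

def band(score):
    return next(label for floor, label, _ in BANDS if score >= floor)

def review_date(score, today):
    return today + timedelta(days=next(d for floor, _, d in BANDS if score >= floor))

def assess(e, appetite, today):
    """Steps 1-6: score, verify controls, compare to appetite, raise actions, set review."""
    e.open_actions = [f"Restore control: {c.description}"
                      for c in e.controls if c.status != "functioning"]
    residual = residual_score(e)
    if residual > appetite and not e.open_actions:
        e.open_actions.append("Residual exceeds appetite: add or strengthen controls")
    return {"inherent": inherent_score(e), "residual": residual, "band": band(residual),
            "review": review_date(residual, today), "actions": list(e.open_actions)}

# Constructed sample entry mirroring the article's table row (12 High -> 9 Medium).
SENTINEL = RiskEntry("Legionella growth in sentinel outlet due to low usage",
                     "J. Smith (Facilities Manager)", 4, 3,
                     [Control("Weekly flushing", "functioning"),
                      Control("Monthly temperature checks", "overdue")])
```

Calling `assess(SENTINEL, RISK_APPETITE, ASSESSMENT_DATE)` reproduces the table row: inherent 12, residual 9 (Medium), one open action for the overdue temperature check, and a review date 90 days out.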
Risk evidence quality depends on consistent use of hazard categories and explicit tracking of risk persistence before mitigation. This is not a bureaucratic preference. It is what makes your register defensible under scrutiny.
How to implement and maintain an effective water compliance risk register
Building the register is the straightforward part. Keeping it accurate and useful over time is where most organisations struggle. The following steps reflect best practice for ongoing register management.
Assign named risk owners at the outset. Every entry in the register must have a named individual, not a job title or department, who is accountable for managing that risk. Accountability without a name is accountability without consequence.
Establish a formal review cycle. High-scoring risks should be reviewed monthly. Medium risks quarterly. Low risks annually. These intervals should be written into your water safety policy, not left to individual judgement.
Link every risk entry to its supporting evidence. Temperature logs, legionella logbook records, disinfection certificates, and sampling results should all be referenced by a consistent identifier that matches the register entry. Consistent identifiers across registers and evidence logs are critical for audit retrieval and compliance demonstration.
Treat the register as a management tool, not an archive. Risk registers must be living documents continuously updated with ownership, residual risk status, and open actions. A register that was last updated six months ago is not a risk register. It is a historical record with no management value.
Retain records for a minimum of five years. HSE ACoP L8 requires that risk assessment activities, monitoring, cleaning, and inspection records are kept for at least five years. Your register and its linked evidence must meet this retention standard.
Use the register to drive resource allocation. A well-structured register shows decision-makers exactly where risk is concentrated. Registers enhance decision-making by providing structured visibility, ownership, and prioritisation in one consolidated source. Use that visibility to justify investment in monitoring, servicing, or remediation.
Pro Tip: Never copy a risk assessment directly into a risk register. The assessment identifies and scores risks at a point in time. The register tracks what happens to those risks over time. They are different documents with different purposes, and mixing them creates confusion during audits.
Key takeaways
A water compliance risk register is the central management tool that connects risk assessment findings to organisational accountability, control evidence, and audit readiness.
| Point | Details |
|---|---|
| Core definition | A risk register is a structured, living record of water risks, owners, controls, and open actions. |
| Distinct from legal registers | Legal registers track obligations; risk registers track potential failures and mitigation status. |
| Assessment feeds the register | Techniques like RARI scoring and HSE L8 assessments generate the entries that populate the register. |
| Living document requirement | Registers must be updated continuously, not filed after creation, to retain management value. |
| Retention and audit readiness | Records must be held for a minimum of five years with consistent identifiers across all linked evidence. |
Why risk registers are the document compliance officers most often underestimate
From my experience working across water compliance programmes in commercial, healthcare, and housing settings, the risk register is consistently the document that organisations either neglect entirely or confuse with something else. Facilities teams often present a legionella risk assessment when asked for their risk register, not realising these are fundamentally different tools. The assessment tells you what the risks are. The register tells you what you are doing about them, who is responsible, and whether it is working.
The most common failure I see is the static register. It was built during an audit preparation exercise, scored correctly at the time, and then never touched again. Recordkeeping in legionella compliance is essential to demonstrate management continuity, not optional administrative burden. A register that does not reflect current control status is worse than no register at all. It creates a false sense of assurance.
The second failure is orphaned risk ownership. A risk entry with “Facilities Department” as the owner has no owner. When an action is overdue and there is no named individual accountable, nothing happens. I have seen this pattern contribute directly to compliance failures that were entirely preventable.
What works is treating the register as a standing agenda item in your water safety group meetings. Every open action gets reviewed. Every overdue control gets escalated. The register becomes the mechanism through which your water safety programme is actually managed, not just documented.
— Sammi
How Bespokecompliancesolutions supports your water compliance register

Bespokecompliancesolutions works with compliance officers and facility managers across the UK to build and maintain water safety programmes that are genuinely audit-ready. From legionella risk assessments in Binley to bespoke logbook systems and water testing services, every service is designed to generate the evidence your risk register needs to remain credible and current. If your organisation needs a structured risk register, a reviewed assessment, or ongoing compliance support, Bespokecompliancesolutions provides the specialist input to make that happen without the guesswork.
FAQ
What is a water compliance risk register?
A water compliance risk register is a structured, centralised document that records water-related compliance risks, assigns ownership, documents controls, and tracks open actions. It is a living management tool, not a static report, and must be updated continuously to reflect current risk status.
How often should a water compliance risk register be reviewed?
High-scoring risks should be reviewed at least monthly, medium risks quarterly, and low risks annually. Review frequency should be written into your water safety policy and linked to your operational monitoring schedule.
What records must be kept alongside a water risk register?
Under HSE ACoP L8, organisations must retain written risk assessments, temperature logs, inspection records, disinfection certificates, and sampling results for a minimum of five years. These records should be cross-referenced to register entries using consistent site and system identifiers.
What is the difference between a risk register and a legal compliance register?
A legal compliance register lists regulatory obligations and the evidence that demonstrates adherence. A risk register records potential failure events, their likelihood and impact, and the controls in place to prevent them. Both are required for sound governance and auditors expect to see each maintained separately.
Do small organisations need a water compliance risk register?
Any organisation that operates water systems presenting a legionella or water quality risk is required under UK health and safety law to manage those risks systematically. A risk register is the standard mechanism for doing so, regardless of organisation size or sector.