Boundary Risk Assessment for Healthcare Governance
Most healthcare governance frameworks measure safety within organisations. We measure safety between them.
A Boundary Risk Assessment is a structured evaluation of patient safety, data governance, and clinical responsibility transfer at the joins between healthcare organisations. It scores every organisational boundary across seven governance dimensions, identifies cross-organisational risks that no internal framework measures, and produces a funded remediation roadmap.
Every existing assurance framework — CQC, DCB 0129/0160, PSIRF, DSPT — assesses governance within an organisation. None assesses what happens between them. That's where patients are most vulnerable, where data governance is weakest, and where clinical responsibility falls into gaps.
The Boundary Risk Assessment makes boundary risk visible. For the first time, your board gets a scored, per-boundary view of governance maturity — with statutory traceability, cascading failure logic, and a funded remediation roadmap.
Trusted by organisations operating across: NHS & Private Pathways · Multi-Provider Networks · Healthcare Investors & Acquirers · Clinical Safety & Digital Governance Leaders
The governance gap no one is measuring
70.1% of 14,747 NHS digital health deployments have no documented clinical safety assurance.
Source: JMIR, 2025
PSIRF "does not create a wider policy environment for cross-boundary arrangements that promote cross-system patient safety."
Source: Journal of Long-Term Care, 2025
ICBs are unable to coordinate cross-organisational safety investigations in practice.
Source: HSSIB, October 2025
These findings describe governance within organisations. The boundary dimension — where systems, data, and responsibility cross between organisations — represents the most significant healthcare interoperability risk that remains entirely unassessed. Until now.
Typical triggers for a Boundary Risk Assessment
Most organisations recognise boundary risk when a specific event forces visibility. These are the situations that typically bring organisations to a Boundary Risk Assessment.
Post-acquisition integration
Two governance frameworks that must work together but were designed independently.
Preparing for CQC review
Internal governance is strong but boundary governance has never been formally assessed.
Clinical incident at a boundary
A patient safety event that neither organisation's internal processes detected or prevented.
New provider partnership
Establishing referral pathways, data sharing agreements, or sub-contracting arrangements.
PE due diligence requirement
Investors requiring governance assurance across portfolio boundaries before or after acquisition.
ICS or provider collaboration
Standing up cross-organisational models that need proactive governance design from day one.
NHS-private referral pathways
Designing referral routes that cross constitutional domains — from NHS to private or insurer to care.
Board assurance requirement
Board requesting evidence that boundary-specific risks are identified, assessed, and managed.
Three pillars. One assessment.
Seven Flows Methodology
Every boundary scored across seven governance dimensions: Identity, Consent, Provenance, Clinical Intent, Alert & Responsibility, Service Routing, and Outcome. Cascading failure logic reveals structural dependencies invisible to internal governance.
How Seven Flows works →
Constitutional Transition Analysis
Not all boundaries are equal. When data crosses from NHS to private, or from care to insurance, the legislation changes, the regulator changes, and the institutional orientation towards the patient changes. Our Constitutional Transition Matrix maps every domain crossing and rates the additional governance risk.
See the constitutional domains →
Infrastructure & Funded Remediation
Can your technology enforce governance programmatically? Our technology assessment evaluates each boundary's infrastructure and produces a vendor-neutral remediation roadmap — with a funded business case using available cloud migration incentives.
How the technology assessment works →
From scoping call to Boundary Risk Score
Scope
60-minute call. We identify your organisational boundaries, constitutional crossings, and priority flows. You tell us where you think the risk is. We tell you where we've seen it before.
Assess
Structured interviews on both sides of every boundary. Six stakeholder roles. Three-level evidence hierarchy: Documentary, Demonstrable, Observed. Cross-organisation evidence reconciliation.
Score
Per-boundary, per-flow maturity rating (0–4). Raw and cascade-adjusted scores. Constitutional Transition Analysis. MVRT compliance evaluation. Technology readiness assessment.
Report
Board-ready scorecard. Legal traceability matrix. Funded remediation roadmap. Executive presentation. Every finding mapped to CQC, DCB, UK GDPR, and PSIRF obligations.
What your board receives
The Boundary Risk Score gives your board a single, defensible metric for governance at every organisational boundary. Here's what it looks like.
| Flow | Raw Score | Cascade-Adjusted | Key Finding |
|---|---|---|---|
| Identity | 2 | 2 | PDS lookup at discharge, no verification at GP receipt |
| Consent | 2 | 2 | Generic DSA, no boundary-specific DPIA |
| Provenance | 1 | 1 | Author identified but no structured metadata |
| Clinical Intent | 1 | 1 | Free-text discharge, no structured action codes |
| Alert & Responsibility | 1 | 1 | MVRT failure: discharge completes without confirmed GP receipt |
| Service Routing | 2 | 1 | Cascade-adjusted: Clinical Intent < 2 caps routing |
| Outcome | 1 | 1 | No structured outcome feedback across boundary |
- Per-boundary, per-flow scoring (0–4 maturity scale)
- Raw and cascade-adjusted scores showing structural dependencies
- MVRT compliance assessment at every boundary
- Overall rating: Assured / Conditional / Not Assured
- Every finding mapped to specific statutory obligations
Built for the people who own boundary risk
Private Healthcare Groups
Post-acquisition integration. Provider network governance. CQC readiness at organisational boundaries. NHS sub-contracting compliance.
Boundary governance for private healthcare →
Clinical Safety Officers
Boundary-specific hazard identification. Cross-organisation evidence reconciliation. DCB 0129/0160 extended to boundaries. Evidence for your hazard log.
CSO-specific boundary risk guidance →
PE Firms & Acquirers
Pre-acquisition boundary mapping. Constitutional Transition Analysis as a risk pricing tool. Portfolio-level Boundary Risk Score. Post-acquisition governance roadmap.
M&A due diligence framework →
Insurers & PMI Networks
Provider network governance. Pre-authorisation boundary assessment. Constitutional crossing analysis. Claims pathway governance.
Discuss insurer boundary governance →
Engagement tiers
Boundary Risk Snapshot
£15,000–£25,000
2–4 weeks · 2–3 boundaries
- Scorecard with per-boundary, per-flow scoring
- Priority remediation recommendations
- Executive summary
Boundary Governance Audit
£45,000–£65,000
6–10 weeks · 4–8 boundaries
- Full scorecard with cascade adjustments
- Legal traceability matrix
- Technology assessment
- Funded remediation roadmap
Boundary Governance Programme
£65,000–£85,000+
10–16 weeks · 8+ boundaries or system-wide
- All audit deliverables
- Funded business case
- Board presentation
- Quarterly review option
A Boundary Risk Snapshot takes 2–4 weeks. A full Boundary Governance Audit takes 6–10 weeks. A Boundary Governance Programme for complex or multi-site organisations takes 10–16 weeks.
No. The assessment is based on structured interviews, document review, and observed processes. We don't require access to your IT systems, patient data, or clinical records. We assess governance control maturity at boundaries — the processes, documentation, and organisational arrangements that govern how data and responsibility cross between organisations.
Yes. Many organisations start with a Boundary Risk Snapshot focused on their highest-risk boundary, then expand to a full Audit once they've seen the methodology and output. The scoring framework is consistent across tiers, so Snapshot scores carry forward into broader assessments.
Independent. Vendor-neutral. Statutory-traceable.
The Boundary Risk Assessment is a diagnostic engagement. It evaluates governance requirements — it does not prescribe specific vendors, platforms, or implementation approaches. The technology assessment specifies what any compliant solution must do, not which solution to buy. If you engage us for remediation, that's a separate engagement with separate terms. You're free to use any implementation partner.
The assessment does not certify clinical safety outcomes. It does not transfer statutory responsibility from your CSO, Registered Manager, or provider. It provides evidence that assists your organisation in understanding and meeting its boundary-specific obligations.