A board-level Legionella compliance report is not your logbook with a cover sheet. It is one page that answers a single question - is the water-safety programme under control? - through a handful of KPIs, the exceptions that still need attention, and any decision you need from the room. Everything else stays in the system underneath.
The mistake most Responsible Persons make is sending up volume - forty pages of readings exported because the data exists, in the hope it reads as diligence. A director cannot act on forty pages. They can act on one number that has moved the wrong way, with a name and a date against it.
What senior management actually needs from you
Four things, in order. Assurance that the routine is happening. Exceptions where it is not. A trend, so this month sits next to last month rather than floating alone. And an ask - the one decision, budget line, or sign-off you need, or an explicit “nothing this month”.
The audience is not technical. A finance director does not need to know what a sentinel outlet is; they need to know whether monitoring is current and what the open risks are. That is the same discipline as Communicating Legionella risk to stakeholders effectively - translate the engineering into a control picture without dumbing it into uselessness.
The report is a distillation of the underlying record, not a replacement for it. The logbook still has to hold the full evidence trail - readings, signatures, remedial close-outs, the written scheme - exactly as set out in What a compliant Legionella logbook must contain. The KPI report points at that record; it does not become it.
The KPIs that carry the message
Keep it to a handful. Each one should answer a question a non-specialist would ask.
Monitoring completion. Scheduled tasks done on time as a percentage of tasks due. This is your headline. It tells the board whether the routine - flushing, temperature checks, inspections - actually happened in the period, which is the duty the law is most interested in [1][3]. Overdue monitoring is the metric that exposes a slipping programme before a sample ever comes back positive.
Temperature compliance. The proportion of monitored readings that met the target values in your risk assessment. Those targets align with HSE guidance for hot and cold water systems [4], but here is the part to get right: the acceptable proportion out of range is a judgement your organisation makes through its risk assessment, not a statutory pass mark. There is no legal “95% green” line. Any benchmark you print is illustrative and site-specific - state in-range against the RA, and never let a number on your dashboard be read as a regulatory threshold [2].
Open remedial actions, and the age of the oldest one. Counts are weak; ageing is strong. “Six open actions” means little. “Six open, oldest 71 days” tells a director that something is stuck, which is usually a resourcing or contractor problem they can fix.
Sampling outcomes and risk-assessment status. Any samples taken in the period and any positives, with the action triggered. Plus whether the risk assessment and written scheme are in date or overdue for review [1][2]. A lapsed risk assessment is a board-level exposure on its own.
Incidents and external escalations. Any case that has gone outside the building - to an insurer, a regulator, or as a RIDDOR-reportable matter [5]. If this line is ever non-zero, it is the first thing they should see, not the last.
Trend each of these against the previous month with a simple colour - green holding, amber slipping, red breached. A red-amber-green strip turns a board compliance dashboard into something a director reads in ten seconds.
Turning raw logs into a number that means something
A KPI is only as honest as its denominator. Define each one before you publish it. Monitoring completion is tasks completed on time divided by tasks scheduled - not tasks completed divided by tasks attempted, which quietly hides everything nobody got to. Temperature compliance is in-range readings divided by readings taken, with “in range” pinned to the RA’s target values.
A digital logbook should produce these figures without retyping, and the same dataset lets you look behind the headline - which outlets, which weeks, which engineer - as in Analysing digital logs for performance improvements. Hand-count from paper each month and the report will be late, approximate, and quietly massaged.
Your one-page report: a build checklist
Use this to assemble the monthly summary. Group it the way the reader reads it - verdict first, detail last - and keep the whole thing to a single page.
Header - assurance at a glance:
- State the reporting period and the sites covered.
- Give one overall verdict for the programme (on track / attention needed) with a RAG colour.
- Place last period’s verdict beside it so the direction of travel is visible.
The numbers - keep to a handful:
- Report monitoring completion as a percentage of scheduled tasks done on time.
- Report temperature compliance against the site RA’s target values, flagged as RA-based, not a legal figure.
- Report open remedial actions with the age of the oldest.
- Report sampling outcomes and any positive results in the period.
- Report risk-assessment and written-scheme review status (in date / overdue).
- Report competent-person training status (in date / due).
Exceptions and actions - the part they actually read:
- List every overdue or out-of-range item with the corrective action and a named owner.
- Put a due date against each open action.
- Flag anything escalated externally (insurer, regulator, RIDDOR).
The ask - close the loop:
- State explicitly what you need from senior management this period: a decision, budget, or nothing.
- Record who prepared the report, who signed it, and the date.
Three reports, three audiences
The format flexes with who is reading.
Single site to a director. Keep it to the page above. The director owns one building’s risk: verdict, exceptions, ask - acknowledged in writing so the accountability is recorded.
A portfolio to a board. Do not stack twenty single-site pages. Roll up to a portfolio verdict, then surface the worst sites by exception - the three red ones - and let the forty green ones sit in an appendix. A one-page compliance summary across the estate, drill-down on request, is what lands in a board pack.
To an external auditor or insurer. Here the report becomes the index to your evidence, and every figure must reconcile to the underlying records on demand. A clean digital trail earns its keep, as set out in Audit prep: how digital records simplify compliance checks. An auditor tests one KPI back to source; if it reconciles, they trust the rest.
Where these reports go wrong
The commonest failure is the all-green report, month after month. In my view that should make a board more nervous, not less: a live programme of any size throws up the odd overdue task and out-of-range reading, and a permanent clean sheet usually means someone is reporting the routine they wish they ran. A credible report shows a little friction and shows it being closed.
The other failures are quieter. Vanity metrics that always read well and never drive a decision. No trend line, so nobody can see a slow slide. And burying the one bad number in paragraph nine. If something needs the board’s attention, it goes at the top.
A note on scope
This is general guidance on structuring upward reporting, not legal advice or a substitute for your duties. What you measure, what counts as in range, and how often you report all flow from a competent, site-specific Legionella risk assessment for your building and water systems - and any incident response or external notification is a matter for your own competent advisers and the relevant authority. The report communicates the programme; it does not set the controls.
FAQ
How often should I report Legionella compliance to senior management?
A monthly operational summary suits most occupied buildings, with a condensed quarterly version for the board. The cadence should follow the risk profile in your assessment - a complex healthcare estate reports more often than a low-risk office. Whatever the cycle, do not hold a serious exception, such as a positive result or a lapsed risk assessment, for the next scheduled report; escalate it when it happens.
Is there a legal pass mark for the percentage of outlets in range?
No. UK guidance sets target temperatures and a duty to monitor and act, but it does not define a statutory percentage of readings that must be compliant [2][4]. Your risk assessment determines what in-range means and what proportion of exceptions is acceptable before you act. Any threshold on your dashboard is an internal benchmark, not a regulatory line.
Should the board report list every outlet and reading?
No - that is the logbook’s job. The KPI report shows the roll-up and the exceptions. Keeping the full reading-by-reading record in the system, and only the summary in the board pack, is the point of separating the two.
Who should sign off the monthly compliance report?
Typically the Responsible Person prepares it and the duty holder or accountable director acknowledges it. Recording both names and the date turns the report into evidence that the risk was communicated and owned at the right level, which is exactly what an inspector or insurer looks for [1][3].
Do this next
Pull last month’s data and draft the single page now - verdict, the six numbers, the exceptions with owners and dates, and your ask. Show it to one non-technical colleague and ask them to tell you, in a sentence, whether the programme is under control. If they can, the report works. If they can’t, cut more until they can.
Sources
[1] HSE, “Legionnaires’ disease. The control of legionella bacteria in water systems - Approved Code of Practice and guidance (L8)”. https://www.hse.gov.uk/pubns/books/l8.htm [2] HSE, “Legionnaires’ disease: Technical guidance (HSG274)”. https://www.hse.gov.uk/pubns/books/hsg274.htm [3] HSE, “Legionnaires’ disease - what you must do”. https://www.hse.gov.uk/legionnaires/what-you-must-do/index.htm [4] HSE, “Hot and cold water systems”. https://www.hse.gov.uk/legionnaires/hot-and-cold.htm [5] HSE, “RIDDOR - Reporting of Injuries, Diseases and Dangerous Occurrences Regulations”. https://www.hse.gov.uk/riddor/