Skip to content

APP_05 — Risk & Opportunity Log

Document Information

Field Value
Document Reference APP_05
Issue Number 3
Issue Date 1 June 2026
Next Review 1 June 2027
Controlled By Sean Ashton (HSQE Consultant)
Approved By Aaron Mason, Director

Master source — this page is canonical

The IMS portal is the master source for APP_05. The Excel below is a downloadable snapshot — same content, filterable by exposure, one row per risk / opportunity.

Download as Excel

Related: APP_10 Legal Register · APP_09 COSHH Register · APP_17 BCP

Tip: use the floating button bottom-right to toggle wide-mode (Alt+W).

Document control

Rev Changes Date Approved By
1 Initial Issue 01/06/2024 Aaron Mason
2 Annual Review — added AI, climate change, supply chain 01/06/2025 Aaron Mason
3 2026 annual refresh. Eight new risks added from 2025-26 horizon scan (cyber / ransomware at water-sector critical-infrastructure level; Water (Special Measures) Act 2025 client-contract impacts; ISO 9001/14001/45001 transitions; Employment Rights Act 2025; Worker Protection Act duty-to-prevent; NUAR migration; PFAS monitoring; water-sector skills shortage; benzene exposure from new COSHH additions). Opportunities split into dedicated Section 5. Action-owner and target-date columns added. Methodology clarified. Treatment-option column added. Filterable Excel companion produced. 01/06/2026 Aaron Mason

1. Purpose

This register identifies, scores and manages risks and opportunities that could affect A M Water Services Limited's ability to:

  • Achieve its strategic and operational objectives
  • Maintain compliance with ISO 9001:2015, ISO 14001:2015 and ISO 45001:2018 (and the pending 2026 / 2027 revisions)
  • Deliver safe, quality services to its water-industry customers

It is the operational output of ISO 9001/14001/45001 Clause 6.1 — actions to address risks and opportunities — and is the single working register that feeds into every Management Review.

2. Scope

This register covers:

  • Strategic, operational, and compliance risks across all business activities
  • Opportunities for improvement, innovation, or competitive advantage
  • Risk-assessment methodology and scoring criteria (Section 3)
  • Control measures and residual (post-control) risk evaluation
  • Treatment-option selection (Accept / Transfer / Mitigate / Avoid) per risk
  • Integration with business planning and the Management Review cycle

3. Risk-assessment methodology

3.1 Scoring criteria

Each factor is scored 1–4:

Factor 1 2 3 4
A. Impact on the business Low Noticeable Great Severe
B. Legal requirement at stake No regulations Guidance / ACoPs Standards Laws / Regulations
C. Likelihood of occurrence < 0.1 % 10 % 50 % > 95 %
D. Frequency of exposure Almost never Rare Regular Always

Risk Score = A + B + (C × D) — range 3 to 24.

3.2 Exposure bands

Score Exposure Action required Timeframe
3–7 Low Monitor only — review annually 12 months +
8–13 Medium Mitigate through management controls Within 6 months
14–19 High Implement controls to reduce Within 3 months
20–24 Very High Cease activity until reduced Immediate

3.3 Treatment options

Option Description
Accept Current controls deemed appropriate. Monitor. Develop contingency plans where practicable.
Transfer Shift responsibility via contract or insurance. Can be whole or shared.
Mitigate Reduce likelihood through management controls. Reduce consequences via contingency planning / BCP / liability cover.
Avoid Do not proceed with the activity or choose an alternative approach. Risk management — not aversion.

4. Risk register

Pre-control scores are the inherent (gross) risk. Post-control scores are the residual (net) risk after our existing controls are applied.

# Ref Category Risk Inherent (A·B·C·D → R) Existing controls Treatment Residual Owner Target review
1 R-01 Resource / People Loss of key staff with required competencies (WIRS, EUSR, NRSWA). Loss of staff to accident / incident. 3·2·3·2 → 11 #TEAM culture, performance reviews, succession planning, H&S training, competency tracking Mitigate 2·2·2·1 → 6 Aaron Mason 01/06/2027
2 R-02 IT / Cyber Cyber-attack / ransomware (water sector is now critical-infrastructure target — cf. South Staffs Water 2022, Southern Water 2024). Data loss, compliance data, WIRS records. 4·3·2·2 → 11 External IT support, firewall, anti-virus, cloud backup, BCP Mitigate + Transfer 3·3·1·1 → 7 Leanne Mason 01/10/2026 — review alignment to forthcoming UK Cyber Security & Resilience Bill
3 R-03 Premises Loss of Northampton office & equipment. Relocation costs. Equipment / tools / records loss. 3·1·2·1 → 6 BCP, maintenance, fire-risk assessment, insurance, remote working Accept + Transfer 2·1·1·1 → 4 Aaron Mason 01/06/2027
4 R-04 H&S — excavation & site Fatalities / injuries in water-infrastructure work: excavation collapse, confined-space, live-mains, manual handling, highway working. 4·4·2·3 → 14 RAMS programme, trained staff, equipment checks, inspections, emergency procedures, field RAs (RA01–25), MSs (Section 2 + 3) Mitigate 2·4·1·2 → 8 Jason May 01/06/2027
5 R-05 Occupational health Occupational-health claims: manual handling, HAVS, noise, waterborne disease, stress / MH. 3·3·3·2 → 12 Health surveillance programme, training, low-vibration tools, PPE, wellbeing support Mitigate 2·3·2·1 → 7 Sean Ashton 01/06/2027
6 R-06 Occupational health — benzene (new) Carcinogen (benzene, < 1 % in BP unleaded petrol — COSHH_23) exposure for operatives routinely refuelling petrol tools. HSE EH70 statutory surveillance obligation. 4·4·2·2 → 12 Open-air refuelling, cold-tool rule, nitrile gloves, 20 L quantity limit, SOP 8.7 health surveillance to activate 6-monthly Mitigate 3·4·1·1 → 8 Sean Ashton 01/09/2026 — review surveillance arrangements before 1 Aug ordering cycle
7 R-07 Supply chain Loss of key subcontractor / supplier. WIRS-compliance gaps in supply chain. Quality issues. Price rises. 2·2·3·2 → 10 Approved supplier list (APP_19), 32 SARs (currently overdue — see APP_21), multi-supplier sourcing, contingency planning Mitigate 2·2·2·1 → 6 Leanne Mason SAR refresh 01/06/2026
8 R-08 Culture / governance Poor culture, communication failures, family-business governance gaps. 2·1·3·3 → 12 #TEAM philosophy, regular meetings, performance management, clear governance, ISO implementation Mitigate 1·1·2·2 → 6 Aaron Mason 01/06/2027
9 R-09 Legal & regulatory — water sector Changes in legislation (Water (Special Measures) Act 2025, WIRS standards, water-quality regs, CDM updates, staff competency gaps). 3·4·3·2 → 13 APP_10 Legal Register (Rev 3 just issued), compliance audits, SOP 3.3, Management Review Mitigate 2·4·2·1 → 8 Sean Ashton Quarterly horizon-scan
10 R-10 Legal — Water (Special Measures) Act 2025 (new) Tighter client-pass-through clauses: spill-reporting, audit documentation, environmental-incident liability. Client water-cos under pressure from Act will pass risk down. 3·3·3·2 → 12 Monitor new contract wording; legal review on any new framework Mitigate + Transfer 2·3·2·1 → 7 Aaron Mason On each new contract award
11 R-11 Legal — Employment Rights Act 2025 (new) Day-one unfair-dismissal rights, zero-hours contract changes, Fair Work Agency, sick-pay reform. Phased commencement 2026-27. 3·3·2·2 → 10 Contracts and HR procedures review scheduled Q4 2026; Acas updates tracked Mitigate 2·3·1·1 → 6 Leanne Mason 01/10/2026
12 R-12 Compliance — Worker Protection Act 2023 (new) New employer duty to prevent sexual harassment, in force 26 Oct 2024. Risk of 25 % tribunal uplift for breach. 3·4·2·2 → 11 Sexual-harassment risk assessment (in progress), updated policy, training records Mitigate 2·4·1·1 → 7 Leanne Mason 01/09/2026
13 R-13 Compliance — ISO standards transition (new) ISO 14001:2026 (published April 2026), ISO 9001:2026 (Q4 2026), ISO 45001:2027 — three simultaneous 3-year transitions by ~2029. 3·3·4·3 → 15 Transition plan to be drafted Q3 2026 (14001 first); aligned to recertification cycle Nov 2027 Mitigate 2·3·2·2 → 9 Sean Ashton 01/09/2026
14 R-14 Operational — NUAR migration (new) Statutory National Underground Asset Register replacing LSBUD (DUAA 2025). Impact on CAT-scan procedure, operative training, and commercial search workflow. 2·3·3·3 → 14 Watching brief on DESNZ commencement; CAT-scan SOP refresh planned Mitigate 2·3·2·2 → 9 Jason May Review Q3 2026
15 R-15 Transport Driving on company business. RTAs. Driver fatigue. Vehicle breakdowns. Public-liability incidents. 3·3·3·3 → 15 Fleet maintenance, driver training, daily checks, journey management, drivers' handbook, O-Licence compliance Mitigate 2·3·2·2 → 9 Aaron Mason 01/06/2027
16 R-16 Technology — AI AI tools — accuracy, data-security, copyright, hallucinations, skills gap, implementation costs. 2·2·3·2 → 10 AI policy (draft), controlled pilot use for documentation, security measures, DUAA 2025 monitoring Mitigate 1·2·2·1 → 5 Sean Ashton 01/12/2026
17 R-17 Environmental — operational Pollution incidents, waste breaches, protected species, spillages, non-containment of chlorinated water. 3·4·2·2 → 11 Environmental procedures, spill kits in van packs, waste-management SOPs, field training, incident response Mitigate 2·4·1·1 → 8 Sean Ashton 01/06/2027
18 R-18 Environmental — PFAS (new) Emerging UK REACH restrictions on per- and polyfluoroalkyl substances. Potential supply-chain disruption if current consumables are affected. 2·2·2·2 → 6 Monitor supplier SDSs for PFAS content; no current known use Accept (monitor) 1·2·1·1 → 4 Sean Ashton 01/12/2026
19 R-19 Financial Financial sustainability. Payment delays. Interest-rate / inflation. Economic downturn. Cash-flow issues. 3·2·3·2 → 11 Cash reserves, credit control, client diversity, cost monitoring, banking relationships Mitigate 2·2·2·1 → 6 Leanne Mason 01/06/2027
20 R-20 Climate Climate change / extreme weather. Site flooding. Heat stress. Ground conditions. Working-day losses. (2025 was the driest Feb–April since 1956 per government reporting.) 2·1·3·3 → 12 Weather monitoring, flexible working, PPE, pumping equipment, emergency procedures, fleet fuel-demand planning Mitigate 2·1·2·2 → 7 Jason May 01/06/2027
21 R-21 Skills shortage — water sector (new) UK water industry faces documented shortage in digital / engineering / environmental roles during PR24 period. Competition for WIRS-certified operatives increasing. 3·1·3·2 → 10 Apprenticeship route, CPD budget, retention via #TEAM culture, cross-training to broaden ticket portfolio Mitigate 2·1·2·1 → 5 Aaron Mason 01/09/2026

4.1 Summary — risks above Medium

At this review, no risks are residually High or Very High after existing controls. The four highest inherent-risk entries are R-04 (H&S site), R-13 (ISO transitions), R-14 (NUAR), and R-15 (transport) — all drop to Medium residual with existing controls in place.

5. Opportunity register (new structural section)

Opportunities are tracked separately so they're not lost in the risk-mitigation noise.

# Ref Category Opportunity Benefit Owner Target
1 O-01 Recruitment Local schools / universities / apprenticeships Lower-cost talent pipeline; fresh perspectives Aaron Mason 01/09/2026
2 O-02 Digital / IT Complete digital IMS rollout (this project) + transition to ISO27001-aligned information-security management Reduces cyber risk R-02; supports client procurement requirements Sean Ashton 01/12/2026
3 O-03 Compliance First-mover advantage in ISO 14001:2026 transition — publish case study Marketing + audit evidence Sean Ashton 01/06/2027
4 O-04 Environmental Electric-vehicle transition for fleet; cut fuel exposure (incl. benzene R-06); net-zero positioning Cost reduction + reputational Aaron Mason 01/12/2027
5 O-05 Services Resilience-services offer (emergency response, drought / burst-main callouts) — capitalising on 2025 drought pattern and PR24 £500 m net-zero funding Revenue diversification Aaron Mason 01/06/2027
6 O-06 Services Strategic partnerships / framework agreements with one or two Tier-1 water clients Revenue predictability Leanne Mason 01/09/2026
7 O-07 Operations NUAR early-adopter — become visible operator to water clients Contract differentiator Jason May 01/09/2026
8 O-08 Culture Formal health-and-wellbeing programme linked to expanded health surveillance Lower claims, better retention Leanne Mason 01/12/2026
9 O-09 Compliance Consultancy side — Sean's offer extended to other small water-sector firms needing ISO / COSHH support Ancillary revenue; sharpens own practice Sean Ashton 01/06/2027

6. Horizon scan — watching brief

Emerging items not yet formally on the register but under active monitoring (in scope for review earlier than Rev 4):

  • UK Cyber Security & Resilience Bill — expected to expand incident-reporting duties on water-sector contractors (DESNZ / DSIT)
  • DVSA Earned Recognition eligibility once grab fleet reaches scheme threshold
  • EN-590 diesel FAME content changes being debated at EU level — may affect winter-grade performance in bulk tanks
  • ONS commentary on reinstated operative benchmarks following post-Brexit labour-market data revisions in 2025

7. Review and update

This register is:

  • Reviewed quarterly by Sean Ashton (HSQE Consultant) and Aaron Mason
  • Updated on change — new risks added when identified (incident, audit finding, legislation, client contract, supplier failure)
  • Presented at Management Review — Section 6 of the MR agenda
  • Cross-referenced with: audit findings, incident investigations, supplier-performance evaluations, Management Review minutes

8. Sources consulted for this review

10. Audit trail

Date Action By Details
01/06/2024 Rev 1 issued Aaron Mason Initial register — 13 risks
01/06/2025 Rev 2 issued Aaron Mason AI, climate change, supply chain added
24/04/2026 Rev 3 drafted Sean Ashton, HSQE Consultant Eight new risks (R-06, R-10, R-11, R-12, R-13, R-14, R-18, R-21); opportunities separated to own register; owner / target-date columns added; treatment-option selected per risk; methodology clarified; Excel companion produced; horizon-scan section added

This document forms part of A M Water Services Limited's Integrated Management System. Paper copies are uncontrolled — always check the current version on the IMS site.

How this document is approved

This document is maintained under AMWS's continuous-compliance model. Substantive revisions are reviewed and signed off by the Directors at the standing weekly Director / HSQE compliance call (Sean Ashton, Onyx + Leanne Mason). Currency, cross-references and minor edits are checked at the monthly Onyx site visit. The annual Management Review (September) provides the strategic-level confirmation. Compliance is therefore continuous, not gated on a single annual meeting.

Local controlled copy

Word version of this controlled document (for offline / paper records):

Download APP_05 (.docx)

The page above is the master source — the Word doc is a snapshot for offline use.