Corrective Action Report 005¶
A M Water Services Limited¶
QEHS/NCR Ref: OBS-IA202604-01
Date: 01/05/2026
CAR ID: CAR-2026-005
Document Number: FORM_CAR001 Rev 1 ID 01/09/2025
Process/Area/Department: Operations / Business Continuity
Requirement/Clause No.(s): ISO 9001/14001/45001:2015 - Clause 8.1
Type: ☑ Internal Audit ☐ Client Audit ☐ Inspection ☐ Complaint ☐ Sub-contractor ☐ Certification Review
Details of Nonconformity¶
Statement of Nonconformity: OBSERVATION: The Q2 2026 BCP desktop exercise (cyber / ransomware + extreme-weather scenarios) was scheduled for 28/05/2026 but had not yet been held at the time of the audit. The exercise is a P1 gap-closure item from the audit-readiness tracker; scenario briefs ready and participants confirmed. The exercise must be held and documented before the 3–4 June 2026 surveillance audit to close the contingency-planning evidence under clause 8.1.
Planned Actions¶
Containment Action(s), including correction, with supporting completion date(s):
- Hold the Q2 2026 BCP desktop exercise — joint Tier 1 (APP_16) + Tier 2 (APP_17) (by 31/05/2026)
- Document scenario, response actions, issues identified and any action register (on completion)
- File the record in the APP_17 §7.2 testing log (on completion)
Root Cause¶
Primary Cause: The APP_17 testing log was rebuilt under the 2026 KISS-cadence reframe; the Q2 desktop was the first exercise under the new annual cadence and fell just inside the pre-audit window. Contributing Factors: Scheduling around director and operative availability for a joint remote exercise.
Proposed Corrective Action¶
- Deliver the joint Tier 1 + Tier 2 desktop covering (a) ransomware lock-out of office systems on a critical-repair day and (b) extreme-weather storm flooding impacting yard access during an emergency call-out.
- Capture outcome and any actions in the APP_17 testing log §7.2.
- Confirm the next desktop exercise date in the forward programme.
Verification¶
- [x] Exercise held and recorded in the APP_17 testing log (§7.2).
- [x] Outcome reviewed; arrangements confirmed effective; no actions outstanding.
Recommendations¶
- Maintain a small scenario library so each annual/interim exercise tests a different risk.
- Keep the joint APP_16 / APP_17 framing so each exercise tests both immediate response and continuity.
Feedback & Acknowledgments¶
Owners confirmed and scenario briefs drafted ahead of the exercise. Exercise delivered remotely with full participation.
Corrective Action Report Prepared By¶
| CAR Prepared By | Signature | Position | Date |
|---|---|---|---|
| Sean Ashton | S. Ashton | HSQE Consultant | 01/05/2026 |
| CAR Reviewed By | Signature | Position | Date |
|---|---|---|---|
| Aaron Mason | A. Mason | Director | 01/05/2026 |
Corrective Action Close Out¶
Target Completion: 31/05/2026
Closure summary: Q2 2026 BCP desktop exercise held 26/05/2026, conducted by Leanne Mason remotely with Sean Ashton's support. Both scenarios (cyber/ransomware + extreme-weather) walked through; existing arrangements confirmed effective under each. Outcome: no issues or actions raised. Recorded in the APP_17 testing log §7.2, mirrored in APP_16 §4, and logged in APP_21.
| Corrective Action Completed | Signature | Position | Date |
|---|---|---|---|
| Leanne Mason (exercise lead, remote) | L. Mason | Director | 26/05/2026 |
| Verification By — Sean Ashton | S. Ashton | HSQE Consultant | 26/05/2026 |
Status: CLOSED — 26/05/2026