Skip to content

Corrective Action Report 005

A M Water Services Limited

QEHS/NCR Ref: OBS-IA202604-01
Date: 01/05/2026
CAR ID: CAR-2026-005 Document Number: FORM_CAR001 Rev 1 ID 01/09/2025

Process/Area/Department: Operations / Business Continuity
Requirement/Clause No.(s): ISO 9001/14001/45001:2015 - Clause 8.1
Type: ☑ Internal Audit ☐ Client Audit ☐ Inspection ☐ Complaint ☐ Sub-contractor ☐ Certification Review

Details of Nonconformity

Statement of Nonconformity: OBSERVATION: The Q2 2026 BCP desktop exercise (cyber / ransomware + extreme-weather scenarios) was scheduled for 28/05/2026 but had not yet been held at the time of the audit. The exercise is a P1 gap-closure item from the audit-readiness tracker; scenario briefs ready and participants confirmed. The exercise must be held and documented before the 3–4 June 2026 surveillance audit to close the contingency-planning evidence under clause 8.1.

Planned Actions

Containment Action(s), including correction, with supporting completion date(s):

  1. Hold the Q2 2026 BCP desktop exercise — joint Tier 1 (APP_16) + Tier 2 (APP_17) (by 31/05/2026)
  2. Document scenario, response actions, issues identified and any action register (on completion)
  3. File the record in the APP_17 §7.2 testing log (on completion)

Root Cause

Primary Cause: The APP_17 testing log was rebuilt under the 2026 KISS-cadence reframe; the Q2 desktop was the first exercise under the new annual cadence and fell just inside the pre-audit window. Contributing Factors: Scheduling around director and operative availability for a joint remote exercise.

Proposed Corrective Action

  1. Deliver the joint Tier 1 + Tier 2 desktop covering (a) ransomware lock-out of office systems on a critical-repair day and (b) extreme-weather storm flooding impacting yard access during an emergency call-out.
  2. Capture outcome and any actions in the APP_17 testing log §7.2.
  3. Confirm the next desktop exercise date in the forward programme.

Verification

  1. [x] Exercise held and recorded in the APP_17 testing log (§7.2).
  2. [x] Outcome reviewed; arrangements confirmed effective; no actions outstanding.

Recommendations

  1. Maintain a small scenario library so each annual/interim exercise tests a different risk.
  2. Keep the joint APP_16 / APP_17 framing so each exercise tests both immediate response and continuity.

Feedback & Acknowledgments

Owners confirmed and scenario briefs drafted ahead of the exercise. Exercise delivered remotely with full participation.

Corrective Action Report Prepared By

CAR Prepared By Signature Position Date
Sean Ashton S. Ashton HSQE Consultant 01/05/2026
CAR Reviewed By Signature Position Date
Aaron Mason A. Mason Director 01/05/2026

Corrective Action Close Out

Target Completion: 31/05/2026

Closure summary: Q2 2026 BCP desktop exercise held 26/05/2026, conducted by Leanne Mason remotely with Sean Ashton's support. Both scenarios (cyber/ransomware + extreme-weather) walked through; existing arrangements confirmed effective under each. Outcome: no issues or actions raised. Recorded in the APP_17 testing log §7.2, mirrored in APP_16 §4, and logged in APP_21.

Corrective Action Completed Signature Position Date
Leanne Mason (exercise lead, remote) L. Mason Director 26/05/2026
Verification By — Sean Ashton S. Ashton HSQE Consultant 26/05/2026

Status: CLOSED — 26/05/2026