Skip to content

Internal Audit Report

Audit Identification: IA202510
Area: Risk Management
Audit Date: 26th September 2025
Auditor: Sean Ashton
Date Completed: 26th September 2025
Findings: 0 Non-conformities, 2 Observations
Scope: Clause 6.1 (ISO 9001:2015, ISO 14001:2015, ISO 45001:2018)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025

Executive Summary

The audit of risk management processes demonstrated strong compliance with clause 6.1 requirements across all three ISO standards. A M Water Services has established a comprehensive risk management framework with clearly defined methodology, documented processes, and systematic identification of risks and opportunities. The risk scoring methodology (A+B+C×D) is well-embedded and consistently applied across business, environmental and safety contexts. Two minor observations were noted relating to enhancing risk review frequency for high-priority items and strengthening the link between risk actions and HSQE objectives.

The system benefits from strong leadership engagement, with directors actively involved in risk reviews and decision-making. Integration across the three standards is evident in the unified approach to risk assessment, with clear differentiation between business risks (APP_05), environmental aspects (APP_06), and health and safety hazards (APP_07).

Introduction

This audit examined the organisation's approach to addressing risks and opportunities as required by clause 6.1 across ISO 9001:2015, ISO 14001:2015, and ISO 45001:2018. The assessment focused on the processes for identifying, evaluating, and managing risks that could impact the achievement of intended outcomes, prevent undesired effects, and drive continual improvement. Particular attention was given to the practical application of documented procedures and the effectiveness of control measures.

Aims & Objectives

  1. Verify compliance with clause 6.1 requirements across all three ISO standards
  2. Assess the effectiveness of risk identification and evaluation processes
  3. Review integration of risk management across quality, environmental, and safety disciplines
  4. Evaluate the implementation of risk controls and monitoring arrangements
  5. Confirm alignment between identified risks and business objectives
  6. Examine the process for capturing and pursuing opportunities

Audit Method

  • Document Review: S.O.P_3.1 (Identification and Evaluation of Risk) Issue 2, S.O.P_3.2 (Business Risk & Opportunity Planning) Issue 2, APP_05 (Risk & Opportunity Log) Rev 2, APP_06 (Aspect Identification Log) Rev 1, APP_07 (Hazard Identification Log) Rev 3, APP_08 (OHS Hazard Assessments Register), risk assessments RA_HO_01 to RA_HO_06
  • Interviews Conducted: Managing Director (Aaron Mason), HSQE Consultant, Team Leaders from water main installation and grab operations
  • Observations: Risk review meeting minutes from August 2025, completed risk assessments for recent projects, environmental aspect evaluations for new grab lorry operations
  • Sampling: Review of 6 risk assessments updated in Q2 2025, 3 months of risk register updates (June-August 2025), corrective actions arising from risk evaluations

Non-conformities

No non-conformities identified.

Observations

Ref Observation Clause Priority Action Required Target Date Ref
OBS-10.1 Whilst the Risk & Opportunity Register (APP_05) states annual review, high-scoring risks (14-19 range) would benefit from more frequent review cycles to ensure controls remain effective. Current process does not differentiate review frequency based on risk exposure level. 6.1.1 Medium Consider implementing quarterly reviews for high-risk items (score 14+) and bi-annual for medium risks (8-13), maintaining annual review for low risks 31/12/2025 CAR-2025-014
OBS-10.2 The link between risk register actions and HSQE objectives could be strengthened. Currently, risk mitigation actions are tracked separately from objective programmes, potentially missing synergies and integrated planning opportunities. 6.1.1 Medium Enhance APP_11 to cross-reference risk register items, ensuring high-priority risks directly inform objective setting and resource allocation 31/01/2026 CAR-2025-015

Corrective Action Summary

Not applicable - no non-conformities identified.

Conclusions

The audit confirms that A M Water Services has established and maintains an effective risk management system that meets the requirements of clause 6.1 across all three ISO standards. Key strengths identified include:

Areas meeting requirements:

  • Comprehensive risk identification processes covering business, environmental, and safety aspects
  • Consistent application of the risk scoring methodology (A+B+C×D) across all disciplines
  • Well-documented procedures with clear roles and responsibilities
  • Integration of risk management with business planning and management review
  • Proactive identification of opportunities alongside risk assessment
  • Strong evidence of risk-based thinking in operational decision-making

What's working well: The unified approach to risk management demonstrates excellent integration across the three standards. The risk scoring methodology is clearly understood at all levels, from directors to team leaders, indicating effective communication and training. The recent update to include emerging risks such as AI adoption and climate change impacts shows the system is responsive to changing business contexts. The zero RIDDOR record validates the effectiveness of safety risk controls.

Integration across three standards: Risk management processes show strong integration, with S.O.P_3.1 and S.O.P_3.2 providing consistent frameworks applicable to quality, environmental, and safety contexts. The three risk registers (APP_05, APP_06, APP_07) complement each other whilst maintaining necessary discipline-specific requirements. Risk reviews at management meetings consider all three perspectives simultaneously, promoting holistic decision-making.

Recommendations

  1. Implement risk-based review frequencies: Develop a tiered review schedule based on risk scores, with high-risk items reviewed quarterly, ensuring critical controls are monitored more frequently than the current annual cycle.

  2. Create visual risk dashboards: Introduce simple visual management boards in the office and depot showing top 5 risks with current status and control effectiveness, improving risk awareness and engagement across all staff levels.

  3. Strengthen opportunity management: Whilst risks are well-managed, enhance focus on opportunity identification by introducing a monthly "opportunity spotlight" in team meetings to capture improvement ideas from operational staff.

  4. Link risk actions to objectives: Update the objectives management programme (APP_11) to include a column referencing related risk register items, ensuring resource allocation priorities align with risk exposure levels.

Feedback & Acknowledgments

The audit process was supported with excellent cooperation from all parties interviewed. The HSQE Consultant demonstrated thorough knowledge of risk management processes and provided comprehensive evidence promptly. Team Leaders showed strong understanding of operational risks and controls, particularly regarding utility strike prevention and water hygiene requirements. The Managing Director's active engagement in risk discussions demonstrates clear leadership commitment to risk-based thinking. The recent updates to risk registers, particularly the inclusion of supply chain and technology risks, show proactive management of emerging challenges.

Audit Report Prepared By

Name Position Signature Date
Sean Ashton HSQE Consultant/Auditor S. Ashton 26/09/2025
Aaron Mason Managing Director A. Mason 26/09/2025

Corrective Action Close Out

Not applicable - no corrective actions required.