Internal Audit Report
Audit Identification: IA202610
Area: Risk Management
Audit Date: 15/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 15/05/2026
Findings: 0 Non-conformities, 1 Observation
Scope: Clause 6.1 (ISO 9001:2015, ISO 14001:2015, ISO 45001:2018)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202510 (26/09/2025) — 0 NC, 2 OBS
Audit cycle context
This audit is part of AMWS's rolling 2026 internal audit cycle conducted across 28/04-19/05/2026 by Sean Ashton (HSQE Consultant), ahead of the Achilles UVDB Verify Category B2 surveillance audit on 3-4 June 2026. Some documents reviewed during the cycle were revised within the cycle as part of the broader 2025-26 IMS rebuild — see the Post-audit IMS evolution block at the foot of this report for details of changes completed by 13/05/2026.
Executive Summary
This audit re-examined Risk Management one year on from IA202510. Both 2025 observations are progressed:
- CAR-2025-014 (differentiated review frequency for high-risk items) — Closed. APP_05 Rev 3 retains the bi-annual review cadence as the formal floor. The standing weekly Director / HSQE compliance call provides effectively continuous review for high-priority items; the gap-closure tracker provides programme-level escalation. The continuous-compliance model delivers the differentiated review the 2025 observation called for, in practice.
- CAR-2025-015 (cross-reference APP_05 risk items ↔ APP_11 HSQE objectives) — Open — rolled forward as CAR-2026-002. The 2026 KPI simplification connects E3 (carbon) → APP_06 Aspect 1 → APP_05; B2 (improvement) → IAF register → APP_05. Other KPIs (H1, E2, Q1) remain operational metrics. Rolled forward as IA202610 OBS-01 to extend cross-referencing across all aspects (links to IA202602 OBS-01 / CAR-2026-002, target 31/08/2026).
Material risk-management additions this cycle: APP_17 BCP scenario set extended with cyber/ransomware and climate-physical risks; RA_HO_18 Fatigue introduces a new HO-level hazard with clear control hierarchy.
Year-on-year follow-up — IA202510 outcomes
| 2025 ref | 2025 finding (summary) | Status in 2026 audit |
|---|---|---|
| OBS-10.1 / CAR-2025-014 | Differentiated review frequency by risk score | Closed. Bi-annual cadence retained as floor; weekly compliance call provides effectively continuous review for high-priority items. Continuous-compliance model delivers the differentiated review the 2025 observation called for. |
| OBS-10.2 / CAR-2025-015 | Cross-reference APP_05 ↔ APP_11 | Open — rolled forward as CAR-2026-002. E3 + B2 explicitly linked; other KPIs to follow (target 31/08/2026, linked to CAR-2026-002 from IA202602). |
Introduction
This audit examined Risk Management under clause 6.1 one year on from IA202510. Particular focus was placed on whether the IMS rebuild has materially altered the risk picture and whether the simplifications maintain risk-based thinking.
Aims & Objectives
- Confirm closure or progress on IA202510 OBS-10.1 and OBS-10.2
- Verify APP_05 Risk & Opportunity Register currency
- Confirm new 2026 risks captured (cyber/ransomware in BCP, climate-physical, fatigue HO-18)
- Cross-check KPI simplifications maintain risk-based-thinking integrity
- Sample 5 risk items for control effectiveness
Audit Method
- Document Review: APP_05 Risk & Opportunity Log Rev 3 / 01/06/2026 (risks reorganised by category R-01..R-21; 8 new 2026 risks: R-06 Benzene, R-10 Water SMA, R-11 ER Act 2025, R-12 Worker Protection Act, R-13 ISO transitions, R-14 NUAR, R-18 PFAS, R-21 Skills shortage; opportunities O-01..O-08 now scored using same A + B + (C × D) method as risks); APP_07 Hazard ID Rev 4 (HO-18 Fatigue [NEW 2026]); APP_08 Issue 2; 18 × RAs standardised to 4×4 matrix consistency. Plus: APP_05 Risk & Opportunity Register Rev 3 (1 June 2026), APP_06 Aspects Rev 3 (with 04/05/2026 simplification entries), APP_07 Hazards Rev 3 (with HO-18 added), APP_11 KPI Register Rev 3, SOP 3.1 Risk Identification Rev 3 HTML, SOP 3.2 Business Risk Rev 3 HTML, APP_17 DR-BCP Rev 3 (with cyber + climate-physical scenarios added), POL_HSQE_21 Risk Assessment Policy Rev 3.
- Interviews Conducted: Director (Aaron Mason — risk-owner), Site Supervisor (Jason May), HSQE Consultant.
- Observations: APP_05 traceability through to APP_11 KPI E3 + B2 (now explicit); APP_07 HO-18 traceability through to RA_HO_18; APP_17 BCP scenario set 2025→2026 evolution.
- Sampling: 5 risk items spanning operational / financial / supply-chain / regulatory / cyber categories; the 5 P1 gap-closure items still open as a programme-level risk.
Non-conformities
No non-conformities identified.
Observations
| Ref | Finding | Clause | Priority | CAR Ref |
|---|---|---|---|---|
| OBS-01 | APP_05 ↔ APP_11 cross-referencing (rolled forward from CAR-2025-015 / links to CAR-2026-002 from IA202602). E3 + B2 are explicitly linked; other KPIs are not. The wider cross-reference exercise is in progress under CAR-2026-002 (target close 31/08/2026). No additional CAR raised — work is already programmed. | 6.1.1 | Low | (cross-ref CAR-2026-002) |
Corrective Action Summary
No new CAR raised. Cross-reference to CAR-2026-002 (raised under IA202602; target close 31/08/2026).
Conclusions
Risk management continues to operate well, with the 2025–26 cycle adding genuine risk awareness:
Areas Meeting Requirements (sustained from IA202510):
- APP_05 Risk & Opportunity Register continues to apply A+B+C×D scoring methodology
- POL_HSQE_21 Risk Assessment Policy continues to apply
- Bi-annual formal review cadence sustained; weekly compliance call provides continuous attention to high-risk items
New strengths since IA202510:
- APP_17 BCP scenario set extended — cyber/ransomware (water-sector breach pattern) and climate-physical (storm flooding) added as explicit scenarios. The Q2 2026 desktop on 28/05/2026 will exercise both.
- APP_07 HO-18 Fatigue — new HO-level hazard with concrete control hierarchy (driver max 9-hr day, 1-in-4 on-call cap, HAVS-fatigue trigger cap).
- POL_HSQE_30 IT Security introduces the cyber-incident pathway with UK GDPR 72-hour breach notification — an explicit new risk-management commitment.
- 5 P1 gap-closure items still open are visible as programme-level risk in the gap-closure tracker, with named owners and target dates within May 2026.
Position as at 13/05/2026: The findings above remain the formal record. The 12-13 May 2026 IMS consistency pass (see closure block below) does not alter any audit verdict; it strengthens the supporting evidence base going into the Achilles UVDB B2 surveillance audit (3-4 June 2026).
Recommendations
- Continue the bi-annual APP_05 review cadence; rely on the weekly compliance call for interim attention.
- Close CAR-2026-002 by 31/08/2026 to complete the APP_06 ↔ APP_05 cross-reference exercise.
- Add the 5 P1 gap-closure items as a single programme-level risk to APP_05 for the duration that they remain open.
Feedback & Acknowledgments
Full cooperation. The risk-management picture is materially richer than at IA202510 — particularly cyber and climate-physical, which were absent in the 2025 BCP scenario set.
Post-audit IMS evolution (12-13 May 2026)
The findings above stand as a point-in-time record at audit date. Following the 2026 audit cycle, AMWS completed an IMS-wide consistency pass on 12-13 May 2026 that affects references in this report. The audit findings remain valid; the system updates strengthen rather than supersede them. Material changes the auditor should be aware of:
Appendix-level changes
- APP_01 Context & Interested Parties Log — Issue 3 / 01/06/2026; 10 → 12 interested parties (Ofwat [NEW 2026], ICO [NEW 2026]); 2 [NEW] + 3 [UPDATED] tags inline
- APP_02 ISO Clause Application Matrix — Issue 2; Standards Watch section added tracking ISO 14001:2026 / 9001:2026 / 45001:2027 transitions
- APP_02.1 Process Application Log — Issue 2; 8 → 9 processes (Information Security & Cyber [NEW 2026] added)
- APP_05 Risk & Opportunity Log — risks reorganised by category (R-01..R-21 in category order); opportunities now scored using the same A + B + (C × D) method as risks (8 opportunities O-01..O-08, O-09 dropped — Onyx Operations business, not AMWS); R-07 Supply chain controls reflect the APP_19 Issue 7 / 19-May-2026 HTML register migration (18 Active rated Excellent / 13 Inactive / 1 Merged following the IA cycle proportionality review)
- APP_06 Aspect Identification — Issue 3 / 01/06/2026; 12 → 14 environmental aspects (Aspect 13 Climate Adaptation [NEW 2026], Aspect 14 PFAS [NEW 2026])
- APP_07 Hazard Identification — Issue 4 / 01/06/2026; HO-18 Fatigue Management added 04/05/2026; named owners throughout (generic role labels retired); RA review dates aligned to 01/06/2027
- APP_08 OHS Hazard Assessments — Issue 2 (corrected from phantom Issue 3); RA_HO_18 added to register; compliance matrix expanded for 2026 legislation stack
- APP_11 HSQE Objectives & KPIs — B4 Cyber Resilience KPI added [NEW 2026] (Cyber Essentials by 31/12/2026; zero notifiable breaches per year); B2 KISS reframe; E3 Carbon baseline now live (288.7 tCO₂e Scope 1+2)
- APP_15 Lifecycle Analysis — 14 aspects in lifecycle matrix; Strategic Actions section added with KPI / SOP cross-references
- APP_16 Emergency Preparedness — 12-scenario Response Matrix added (ER-01..ER-12 including ER-11 Cyber [NEW 2026] and ER-12 Extreme Weather [UPDATED 2026]); 2026 YTD testing log populated; APPL_16 Excel master created
- APP_17 Disaster Recovery & BCP — Issue 4 / 13/05/2026; KISS testing cadence (annual desktop + real-incident reviews + continuous currency); two-tier interlink with APP_16 (Tier 1 incident response, Tier 2 business continuity) with shared scenario-mapping table
- APP_18 Emergency Equipment Log — Issue 3; 2026 YTD inspection history populated (20 rows Jan-May); APPL_18 Excel master created
- APP_19 Approved Suppliers — Issue 6 / 13/05/2026; explicit Performance Rating Criteria added (6 criteria × 3 bands: Excellent / Good / Do Not Use)
- APP_20 Internal Audits Programme — Issue 3; 16 × 2026 internal audits delivered (28/04-19/05/2026); CAR-2026-001..011 tracker; 2026-27 forward programme with ISO 14001:2026 transition + Cyber audit slots
- APP_21 NC Register — Issue 4 / 13/05/2026; dual-master pattern (audit-derived CARs portal-master; operational NCRs Leanne's live Excel)
Risk Assessments
- All 18 RAs (RA_HO_01..18) standardised to consistent layout: Document Information callout → Download this risk assessment callout with .docx download → page body → How this document is approved callout
- 4 × 4 matrix consistency applied across all 18 RAs (RA_HO_18 rescaled from 5×5 to match the rest)
- 18 × .docx companions generated and linked from each RA page
- APP_07 and APP_08 RA Coverage tables now have correct 04/07/2026 / 04/05/2027 review dates (was wrongly showing 01/06/2027) and clickable RA hyperlinks
Policies and procedures
- POL_HSQE_29 Mental Health Policy (issued 04/05/2026 — Issue 1) — in operation
- POL_HSQE_30 IT Security Policy (issued 04/05/2026 — Issue 1) — in operation
- POL_HSQE_29 and POL_HSQE_30 cross-referenced from new APP_11 B4 KPI, APP_16 ER-11 Cyber scenario, APP_17 §3.1 Technology Disruption
Carbon Baseline 2025
- Published 12/05/2026: 288.7 tCO₂e Scope 1+2 (diesel = 97% of footprint)
- Referenced from APP_06 Aspect 1 + Aspect 9; APP_11 E3 KPI; APP_15 Strategic Actions; APP_07 HO-14
Excel companion consistency
- APPL_16 and APPL_18 masters created in IMS Excel Conversions/ (previously absent — docs/appendices copies were stale "Table 1, 2, 3" generic-sheet versions)
- All previously-stale docs Excel copies resynced from masters
- Cross-reference fixes in APPL_02, APPL_03, APPL_04, APPL_06, APPL_15 to reflect APP_05 R-XX renumbering
Pattern consistency
- All 23 appendices now follow a consistent template: Document Information callout → "Download the register" callout (single companion file) → page body → audit trail mirroring Excel cover → "How this document is approved" callout
- 22 orphan .docx files removed from assets/local-docs/appendices/
- Wide-mode tip dropped from callouts (FABs visible site-wide)
Looking ahead
- e-forms proposal under development as the next IMS digitalisation workstream (will impact 7.5 documented information evidence and 9.1 monitoring streams)
- AMWS H&S Culture Survey (Onyx Operations) — Q3 2026 post-audit rollout; replaces the short-lived Director Site-Tour Programme; HSG65-aligned workforce-wide cultural-sentiment readout. Aaron Mason's hands-on operational site presence continues as a feature of running the business (not a measurable KPI)
- ISO 14001:2026 transition plan to be drafted Q3 2026; recertification cycle Nov 2027
- 28/05/2026 BCP desktop exercise scheduled (key-person absence — Site Supervisor unavailable for 5+ working days, APP_17 §4 Scenario #3; P1 gap-closure ahead of Achilles UVDB B2 audit 3-4 June 2026)
The 16 × 2026 internal audit reports were drafted across 28/04-19/05/2026 with knowledge of the substantive 2025-26 IMS rebuild. The 12-13 May consistency pass captured above completes that rebuild; the audit findings continue to apply.
Audit Report Prepared By
| Name | Position | Signature | Date |
|---|---|---|---|
| Sean Ashton | HSQE Consultant | S. Ashton | 15/05/2026 |
| Aaron Mason | Director | A. Mason | 15/05/2026 |
Corrective Action Close Out
CAR-2026-002 status (as of 13/05/2026) — linked from IA202602: Open. Target close 31/08/2026 (~110 days). This audit's OBS-01 rolls forward as part of CAR-2026-002 to extend APP_05 ↔ APP_11 cross-referencing across remaining aspects. Owner Sean Ashton.