Internal Audit Report
Audit Identification: IA202610
Area: Risk Management
Audit Date: 15/05/2026
Auditor: Sean Ashton (HSQE Consultant, Onyx Operations)
Date Completed: 15/05/2026
Findings: 0 Non-conformities, 1 Observation
Scope: Clause 6.1 (ISO 9001:2015, ISO 14001:2015, ISO 45001:2018)
Document Number: FORM_INTAR001 Rev 1 ID 01/09/2025
Builds on prior audit: IA202510 (26/09/2025) — 0 NC, 2 OBS
Executive Summary
This audit re-examined Risk Management one year on from IA202510. Both 2025 observations are progressed:
- CAR-2025-014 (differentiated review frequency for high-risk items) — partially closed. APP_05 Risk & Opportunity Register Rev 3 (1 June 2026) continues to apply the bi-annual review cadence. The standing weekly Director / HSQE compliance call provides effectively continuous review for high-priority items; the gap-closure tracker provides programme-level escalation. A differentiated formal cadence (quarterly for high-risk, bi-annual for medium, annual for low) has not been formally implemented but is largely achieved by the cadence model.
- CAR-2025-015 (cross-reference APP_05 risk items ↔ APP_11 HSQE objectives) — partially closed. The 2026 KPI simplification connects E3 (carbon) directly to Aspect 1 (emissions) → APP_05; B2 (improvement) directly to the IAF improvement register and gap-closure tracker → APP_05. Other KPIs (H1 zero RIDDOR, E2 waste diversion, Q1 complaint rate) remain operational metrics rather than risk-derived. Rolled forward as IA202610 OBS-01 to extend the cross-referencing across all aspects (links to IA202602 OBS-01 / CAR-2026-002).
Material risk-management additions this cycle: APP_17 BCP scenario set extended with cyber/ransomware and climate-physical risks; RA_HO_18 Fatigue introduces a new HO-level hazard with clear control hierarchy.
Year-on-year follow-up — IA202510 outcomes
| 2025 ref | 2025 finding (summary) | Status in 2026 audit |
|---|---|---|
| OBS-10.1 / CAR-2025-014 | Differentiated review frequency by risk score | Partially closed. Bi-annual cadence retained; weekly call provides interim review for high-risk items. Continuous-compliance model effectively delivers the differentiated review without the formal cadence change. |
| OBS-10.2 / CAR-2025-015 | Cross-reference APP_05 ↔ APP_11 | Partially closed. E3 + B2 explicitly linked. Other KPIs not yet cross-referenced. Rolled forward as IA202610 OBS-01 — links to CAR-2026-002 from IA202602. |
Introduction
This audit examined Risk Management under clause 6.1 one year on from IA202510. Particular focus was placed on whether the IMS rebuild has materially altered the risk picture and whether the simplifications maintain risk-based thinking.
Aims & Objectives
- Confirm closure or progress on IA202510 OBS-10.1 and OBS-10.2
- Verify APP_05 Risk & Opportunity Register currency
- Confirm new 2026 risks captured (cyber/ransomware in BCP, climate-physical, fatigue HO-18)
- Cross-check KPI simplifications maintain risk-based-thinking integrity
- Sample 5 risk items for control effectiveness
Audit Method
- Document Review: APP_05 Risk & Opportunity Register Rev 3 (1 June 2026), APP_06 Aspects Rev 3 (with 04/05/2026 simplification entries), APP_07 Hazards Rev 3 (with HO-18 added), APP_11 KPI Register Rev 3, SOP 3.1 Risk Identification Rev 3 HTML, SOP 3.2 Business Risk Rev 3 HTML, APP_17 DR-BCP Rev 3 (with cyber + climate-physical scenarios added), POL_HSQE_21 Risk Assessment Policy Rev 3.
- Interviews Conducted: Director (Aaron Mason — risk-owner), Site Supervisor (Jason May), HSQE Consultant.
- Observations: APP_05 traceability through to APP_11 KPI E3 + B2 (now explicit); APP_07 HO-18 traceability through to RA_HO_18; APP_17 BCP scenario set 2025→2026 evolution.
- Sampling: 5 risk items spanning operational / financial / supply-chain / regulatory / cyber categories; the 5 P1 gap-closure items still open as a programme-level risk.
Non-conformities
No non-conformities identified.
Observations
| Ref | Finding | Clause | Priority | CAR Ref |
|---|---|---|---|---|
| OBS-01 | APP_05 ↔ APP_11 cross-referencing (rolled forward from CAR-2025-015 / links to CAR-2026-002 from IA202602). E3 + B2 are explicitly linked; other KPIs are not. The wider cross-reference exercise is in progress under CAR-2026-002 (target close 31/08/2026). No additional CAR raised — work is already programmed. | 6.1.1 | Low | (cross-ref CAR-2026-002) |
Corrective Action Summary
No new CAR raised. Cross-reference to CAR-2026-002 (raised under IA202602; target close 31/08/2026).
Conclusions
Risk management continues to operate well, with the 2025–26 cycle adding genuine risk awareness:
Areas Meeting Requirements (sustained from IA202510):
- APP_05 Risk & Opportunity Register continues to apply A+B+C×D scoring methodology
- POL_HSQE_21 Risk Assessment Policy continues to apply
- Bi-annual formal review cadence sustained; weekly compliance call provides continuous attention to high-risk items
New strengths since IA202510:
- APP_17 BCP scenario set extended — cyber/ransomware (water-sector breach pattern) and climate-physical (storm flooding) added as explicit scenarios. The Q2 2026 desktop on 28/05/2026 will exercise both.
- APP_07 HO-18 Fatigue — new HO-level hazard with concrete control hierarchy (driver max 9-hr day, 1-in-4 on-call cap, HAVS-fatigue trigger cap).
- POL_HSQE_30 IT Security introduces the cyber-incident pathway with UK GDPR 72-hour breach notification — an explicit new risk-management commitment.
- 5 P1 gap-closure items still open are visible as programme-level risk in the gap-closure tracker, with named owners and target dates within May 2026.
Recommendations
- Continue the bi-annual APP_05 review cadence; rely on the weekly compliance call for interim attention.
- Close CAR-2026-002 by 31/08/2026 to complete the APP_06 ↔ APP_05 cross-reference exercise.
- Add the 5 P1 gap-closure items as a single programme-level risk to APP_05 for the duration that they remain open.
Feedback & Acknowledgments
Full cooperation. The risk-management picture is materially richer than at IA202510 — particularly cyber and climate-physical, which were absent in the 2025 BCP scenario set.
Audit Report Prepared By
| Name | Position | Signature | Date |
|---|---|---|---|
| Sean Ashton | HSQE Consultant | S. Ashton | 15/05/2026 |
| Aaron Mason | Director | A. Mason | 15/05/2026 |
Corrective Action Close Out
No new CAR raised — cross-references CAR-2026-002 (open, target close 31/08/2026).