By reviewing trends emerging from CORS (Operations) audits completed during Periods 13–2, RISQS can identify common themes appearing across suppliers of different sizes, disciplines, and locations. While every audit is unique, recurring patterns can offer valuable insights into where organisations are finding challenges in demonstrating compliance, governance, and operational control. These insights are shared to support transparency, consistency, and shared learning across the RISQS community.

Why we are sharing these insights

RISQS audits provide a valuable view of the challenges and trends emerging across the rail supply chain. By sharing anonymised findings, we can help suppliers stay informed about the themes most identified during audits and support shared learning across the industry.

Major versus minor findings

Major findings typically indicate a significant weakness in governance, control, or compliance.

Minor findings usually indicate that arrangements exist but are not always applied consistently or supported by sufficient evidence.

This quarter's findings show a clear pattern: major findings are often linked to ownership and oversight, while minor findings more commonly relate to consistency and evidence.


The most common themes identified in Periods 13–2

Figure 1: Top major and minor non-conformance themes identified during CORS (Operations) audits in Periods 13–2

Top major and minor non-conformance themes identified during CORS (Operations) audits in Periods


The results highlight an important trend. Most findings were not caused by a complete absence of processes or procedures. Instead, they were typically linked to how arrangements were managed, evidenced, and applied in practice.

What we are seeing in major findings

Major non-conformances tend to point to weaknesses in governance and oversight. Across this quarter's findings, three themes stood out.

Monitoring and corrective actions (CORS 8.1)

Monitoring remains the most common major non-conformance theme and was also the leading category in the previous reporting period.

A recurring issue was organisations being unable to demonstrate that previous findings had been fully addressed and formally closed.

Common examples included:

  • Corrective actions not being tracked through to completion.
  • Incomplete evidence of close-out activities.
  • Previous findings remaining open beyond expected timescales.
  • Limited links between findings, improvement activities, and management reviews.

In simple terms, organisations were often identifying issues, but not always able to clearly demonstrate that those issues had been resolved and prevented from recurring.

Management structure (CORS 1.1)

This quarter also saw management structure emerge as a key major finding category.

Many findings related to uncertainty around who was responsible for specific activities or how accountability was managed within the organisation.

Examples included:

  • Unclear or outdated organisational structures.
  • Key responsibilities not clearly documented.
  • Critical deputies not identified.
  • Limited evidence linking responsibilities to competence requirements.

The theme was not a lack of capable people, but challenges in demonstrating clear ownership, accountability, and governance arrangements.

Management of legal and other requirements (CORS 2.2)

The third most common major finding related to how organisations identify, maintain, and communicate legal and compliance requirements.

Typical findings included:

  • Registers that were incomplete or out-of-date.
  • Review arrangements that could not be demonstrated.
  • Changes inconsistently communicated across the organisation.
  • Requirements that did not fully reflect operational activities.

These findings suggest that maintaining visibility of changing requirements remains a challenge for some organisations.

What we are seeing in minor findings

Minor non-conformances often act as early indicators of where controls may be starting to weaken. While arrangements were generally in place, evidence showed opportunities to improve consistency and application.

Business continuity (CORS 2.7)

Business continuity remains the most frequently observed minor non-conformance theme. It continues a trend seen in previous reporting periods.

Common observations included:

  • Business continuity plans not being fully tested.
  • Testing covering only part of an organisation's activities.
  • Recovery roles and responsibilities being unclear.
  • Limited evidence of testing outcomes and reviews.

The common thread was not whether plans existed, but whether organisations could demonstrate that those plans would work effectively when needed.

Organisation and subcontractor management (CORS 3.1)

Supplier assurance and subcontractor management remained a prominent source of minor findings.

Themes included:

  • Incomplete approved supplier records.
  • Inconsistent supplier monitoring activities.
  • Limited evidence of reassessment processes.
  • Assurance activities not always formally documented.

In most cases, processes existed, but records and evidence did not always demonstrate consistent application.

Occupational health management (CORS 7.1)

A new entrant into this period's top three minor findings was occupational health management.

Auditors commonly observed:

  • Health surveillance arrangements being applied inconsistently.
  • Monitoring records that were incomplete.
  • Limited evidence of periodic review.
  • Wellbeing arrangements that could not always be clearly demonstrated.

This highlights the importance of being able to demonstrate how occupational health arrangements are maintained and monitored over time.

Looking at the bigger picture

Across both major and minor findings, three common themes emerged:

  • Clear ownership and accountability.
  • Consistent application of processes.
  • Effective evidence and record keeping.

Many organisations already have the necessary arrangements in place. The challenge is often being able to consistently demonstrate how those arrangements operate in practice and how improvements are tracked over time.

Why this matters

One of the benefits of RISQS is the ability to identify trends and learning opportunities across a wide range of suppliers operating throughout the rail industry. By sharing anonymised audit insights, suppliers can gain visibility of common challenges, benchmark against wider industry themes, and better understand the topics attracting the greatest audit attention.

We will continue to share periodic audit insights to help suppliers stay informed about emerging trends and support continual improvement across the RISQS community.