AWIA Risk and Resilience Assessment Recertification
Use this recertification assessment to verify your community water system’s five-year AWIA risk and resilience review, document updated threats, and close gaps before the next due date.
Built for: Municipal Water Utilities · Public Drinking Water Systems · Utility Operations · Environmental Compliance
Overview
This template is for the five-year recertification of a community water system risk and resilience assessment under the AWIA framework. It helps a utility confirm the assessment scope, document current threats and vulnerabilities, and show that the review includes physical assets, natural hazards, malevolent acts, cybersecurity, and emergency response readiness.
Use it when the prior assessment is nearing its recertification date, when the system has added or changed facilities, or when new conditions such as flooding, drought, cyber incidents, or security upgrades could affect the risk profile. The structure is built for a real utility walk-through: it starts with scope and due-date verification, moves through critical infrastructure and site protections, then covers hazard exposure, intentional threats, OT/SCADA controls, and final documentation and sign-off.
Do not use it as a generic safety inspection or a substitute for day-to-day operations checks. It is not meant for routine water quality sampling, asset maintenance, or a one-off emergency drill. It is also not enough to simply copy the prior assessment forward; the recertification should capture what changed, what remains open, and whether the emergency response plan still matches current conditions. If the system has multiple plants, interconnections, or shared control systems, the template should be customized so each facility and critical dependency is actually reviewed.
Standards & compliance context
- This template supports the AWIA risk and resilience assessment recertification process for community water systems and helps preserve a clear compliance record.
- The physical security and emergency response sections align with common drinking water security expectations and resilience practices used by utilities and primacy agencies.
- The cybersecurity section reflects widely used OT and critical infrastructure control practices, including asset inventory, access control, backups, and recovery planning.
- Natural hazard and climate resilience fields help document the kind of site-specific risk review commonly expected under water utility resilience programs and emergency preparedness standards.
General regulatory context for orientation only — verify current requirements with counsel or the relevant agency before relying on this template for compliance.
What's inside this template
Assessment Scope and Recertification Details
This section matters because it proves the right system, the right cycle, and the right facilities were included before any risk review begins.
- System name, service area, and PWS identifier are documented
- Recertification due date and five-year cycle are verified
- Assessment scope includes all required facilities, assets, and interconnections
- Assessment team includes operations, engineering, cybersecurity, and emergency response stakeholders
- Prior assessment findings and open corrective actions were reviewed
Physical Assets and Critical Infrastructure
This section matters because the recertification must show which assets are most important and whether their physical protections and redundancies are still adequate.
- Treatment and pumping facilities have controlled access and perimeter protection
- Critical assets are identified and prioritized by consequence of failure
- Backup power, fuel, and redundancy are available for critical operations
- Storage tanks, valves, and distribution nodes are inspected for physical vulnerability
- Hazardous chemical storage and handling controls are documented
Natural Hazard and Climate Resilience
This section matters because flood, drought, and weather-related vulnerabilities can change the system’s risk profile even when the equipment has not changed.
- Natural hazard threats relevant to the service area are identified
- Flood elevation, drainage, and site protection controls are adequate for exposed assets
- Drought contingency and supply interruption planning is current
- Climate and weather-related vulnerabilities have been updated since the prior assessment
Malevolent Acts and Security Controls
This section matters because intentional threats, access control, and contamination response procedures are core parts of a water system resilience review.
- Threats from malevolent acts are evaluated for all critical facilities
- Access control, surveillance, and intrusion detection measures are in place and functioning
- Employee screening, visitor management, and contractor controls are documented
- Contamination response and isolation procedures are available for intentional contamination events
Cybersecurity and Control Systems
This section matters because SCADA and OT risks can disrupt operations even when the physical plant appears secure.
- SCADA and OT assets are inventoried and included in the assessment
- Remote access, authentication, and account management controls are documented
- Backups, patching, and recovery procedures for critical systems are current
- Cyber incidents are included in emergency response and business continuity planning
Emergency Response, Documentation, and Sign-Off
This section matters because the assessment is not complete until the emergency plan, evidence, and approval trail match the current findings.
- Emergency response plan is aligned with current assessment findings
- Required documentation, evidence, and version history are complete
- Inspector sign-off
How to use this template
1. Enter the system name, PWS identifier, service area, and recertification due date, then confirm the five-year cycle and the full scope of facilities, assets, and interconnections to be reviewed.
2. Assign the assessment team and collect prior findings, open corrective actions, and supporting records so the review starts with current information instead of a blank slate.
3. Walk each facility and document physical protection, critical asset prioritization, backup power, chemical storage, natural hazard exposure, and any site-specific vulnerabilities with observable evidence.
4. Review malevolent act controls and cybersecurity measures by checking access control, visitor management, SCADA inventory, remote access, backups, patching, and recovery readiness.
5. Compare the current assessment to the emergency response plan, record any gaps or updates needed, and assign corrective actions with owners and target dates before sign-off.
Best practices
- Use the actual five-year due date as the first control point so the recertification cannot drift past the required cycle.
- Document each critical asset by function and consequence of failure, not just by location or equipment name.
- Photograph access controls, backup power equipment, chemical storage, and other deficiencies at the time of the walk-through so the record is defensible.
- Include OT and cybersecurity stakeholders early, because SCADA, remote access, and backup recovery issues are often missed by operations-only reviews.
- Tie every open corrective action to a specific owner, due date, and verification method so the recertification produces follow-through.
- Update the hazard review for recent flood, drought, wildfire, severe weather, or source-water changes instead of reusing the prior hazard list.
- Check that the emergency response plan reflects current contact lists, isolation steps, and contamination response procedures before final approval.
Frequently asked questions
What does this recertification template cover?
This template covers the five-year recertification of a community water system risk and resilience assessment. It walks through scope verification, physical assets, natural hazards, malevolent acts, cybersecurity, and emergency response documentation. It is designed to capture what changed since the prior assessment and what corrective actions remain open.
Is this for every water utility or only community water systems?
This template is written for community water systems that need to maintain an AWIA risk and resilience assessment on the five-year cycle. It is not a generic utility audit and should be used only where the recertification requirement applies. Smaller systems can still use it as a structured internal review if they want the same evidence trail.
How often should this assessment be completed?
Use it on the five-year recertification cadence and whenever a major change affects risk, such as a new source, treatment upgrade, SCADA migration, flood event, or security incident. The template includes a due-date check so the team can confirm the next cycle before the current one expires. Many utilities also run it earlier as a management review to avoid last-minute gaps.
Who should complete the assessment?
The best results come from a cross-functional team that includes operations, engineering, cybersecurity or OT support, emergency response, and management. A competent person familiar with the system should lead the walk-through and collect evidence. If the utility uses consultants, they should support the review rather than replace the people who actually run the system.
How does this relate to regulatory expectations?
The template is aligned to the AWIA risk and resilience framework and supports documentation that can be retained for compliance purposes. It also reflects common expectations from drinking water security, emergency preparedness, and resilience programs. Where relevant, it helps organize evidence that may also support state primacy agency reviews or internal audits.
What are the most common mistakes when using this template?
Common mistakes include reusing the prior assessment without updating hazards, leaving cyber controls out of scope, and documenting assets too broadly to be useful. Another frequent issue is treating the recertification as a paperwork exercise instead of verifying open corrective actions and changed conditions. The template is most effective when each item is tied to an observable condition or current control.
Can this template be customized for different system sizes or treatment processes?
Yes. You can tailor the asset list, hazard profile, and emergency response references to match a small groundwater system, a surface water plant, or a multi-site distribution network. The structure stays the same, but the evidence fields should reflect your actual facilities, interconnections, and control systems.
Can the assessment be integrated with other audits or records?
Yes. Many utilities link this template to preventive maintenance logs, SCADA asset inventories, emergency response plans, cybersecurity policies, and corrective action tracking. That makes it easier to prove that the recertification reflects current conditions rather than a one-time review. It also reduces duplicate data entry across compliance and operations records.
How should we roll this out across a utility with multiple sites?
Start by assigning one owner for scope control and one reviewer for each major domain: physical security, natural hazards, cyber, and emergency preparedness. Then collect site-specific evidence for each treatment plant, pump station, storage tank, and interconnection before the final sign-off. A phased rollout works well when the system has multiple facilities or shared control systems.