POL00184703 - Meeting of Audit, Risk and Compliance Sub-Committee to be held at 13.15 at 148 Old Street in the Boardroom

Post Office Limited

POST OFFICE LIMITED
(Company Number 2154540)

Meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE
to be held at 13.15 on Wednesday 13 February 2013
at 148 Old Street, London, EC1V 9HQ in the Board Room

13.15  1. Minutes of the last meeting and matters arising (Alasdair Marnoch)
       - Minutes of the meeting held on 13 November 2012 and meeting dates for 2013
       - Matters arising:
         - Confirmation of external audit fees for 2012/13
         - Minutes of Regulatory Risk Committees and Risk and Compliance Committees
         - Whistle-blowing policy

13.30  2. Risk Management within Post Office Limited (Chris Day/Susan Crichton)
       - Approach to risk management
       - Risk management framework
       - Policies to mitigate against key regulatory risks
       - Treasury Risk Framework

14.10  3. Annual Report and Accounts (Mark Davies; Sarah Hall)
       - Key Messages
       - Definition of Key Management Personnel

14.30  4. Internal Audit (Malcolm Zack/Stephen Collins¹)
       - Summary of Internal audit reports completed since April 2012 and status report on audit actions
       - Recent audit results
       - Draft 2013/2014 POL Internal Audit plan

15.00  5. Specific matters referred by the Board to ARC (Lesley Sewell; Hugh Flemington²)
       - Update report on information security
       - Eagle contract: termination event scenario planning

15.10  6. Any other business

The Operating Plan briefing will begin at 15.30 and finish at 16.45.

¹ Stephen Collins of Royal Mail Internal Audit will join the meeting at this point.

² Lesley Sewell, CIO, and Hugh Flemington, Head of Legal, will join the meeting at this point.
Post Office Limited

PRESENT: Alasdair Marnoch (Chairman)
         Susannah Storey (Non-executive director)
         Neil McCausland (Non-executive director)
SECRETARY: Alwen Lyons (Company Secretary)
APOLOGIES: Tim Franklin (Non-executive director)
IN ATTENDANCE: Alice Perkins (Company Chairman)
               Paula Vennells (Chief Executive)
               Susan Crichton (HR & Corporate Services Director)
               Chris Day (CFO)
               Sarah Hall (Head of Financial Control and Compliance)
               Malcolm Zack (Head of Internal Audit)
               Stephen Collins (Audit Manager, Royal Mail Group Internal Audit)
               Lesley Sewell (Chief Information Officer)
               Hugh Flemington (Head of Legal)

Item (Action Requested)

1 Minutes of last meeting/matters arising
  - Minutes (Approve)
  - Audit fees confirmation (Approve)
  - Financial regulation regime (Note)
  - Minutes of Regulatory Risk Committee (Note)
  - Minutes of Risk and Compliance Committee (Note)

2 Risk Management in Post Office Limited
  - Approach to Risk Management and Risk Management Framework (Direct and Approve)
  - Regulatory Policies — status (Note/Direct as necessary)
  - Treasury Risk Framework (Direct and Approve)

3 Annual Report and Accounts
  - Key Messages (Discuss and Approve)
  - Template for Corporate Governance Statement (Discuss)
  - Timetable (Approve)
  - Definition of Key Management Personnel (Approve)

4 Internal Audit
  - Summary of 2012 Royal Mail audit reports and status of actions (Note)
  - Recent Audit Results (Note/Comment)
  - Draft 2013/2014 Internal Audit Plan (Discuss, Direct and Approve)

5 Specific matters referred by the Board
  - Information Security Paper (Note and direct)
  - Eagle Contract — Termination event scenario planning (Note and direct)

Post Office Limited — Strictly Confidential

POLARC12

POLARC12/8-15
POST OFFICE LIMITED
(Company no. 2154540)

Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE
held on Tuesday 13 November 2012
at 2pm at 148 Old Street, London EC1V 9HQ

Present:

Alasdair Marnoch   Chairman of Committee
Tim Franklin       Non-Executive Director
Neil McCausland    Senior Independent Director
Susannah Storey    Non-Executive Director

In attendance:

Alice Perkins (AP)     Chairman, Post Office Limited
Chris Day (CD)         CFO
Paula Vennells         CEO (item 12/11 only)
Sarah Hall (SH)        Head of Financial Control and Compliance
Nick Kennett (NK)      Financial Services Director (item 12/13 only)
Alwen Lyons (AL)       Company Secretary
Hugh Flemington (HF)   Head of Legal Services (item 12/11 only)
Lesley Sewell (LS)     Chief Information Officer (item 12/11 only)
Malcolm Staite (MS)    Interim Head of Risk Governance
Malcolm Zack (MZ)      Head of Internal Audit
Stephen Collins (SC)   Audit Manager, Royal Mail Group Internal Audit (item 12/12 only)
Angus Grant (AG)       Audit Partner, Ernst & Young (item 12/12 only)
Jeremy Midkiff (JM)    Audit Manager, Ernst & Young (item 12/12 only)
POLARC12/8 INTRODUCTION

(a) A quorum being present, the Chairman of the Committee opened the meeting
and welcomed all those present.

(b) The Chairman noted that the Committee would not be able at this meeting to
discuss Risk Management in detail, as the executive team were still working
through the processes and the necessary recruitments had not yet been
completed. The approach to risk management would be a matter for
particular focus at the next meeting in February.

POLARC12/9 GOVERNANCE

(a) The Chairman asked MZ to talk through the new format proposed for the
Terms of Reference of the Committee, including an outline schedule of
matters to be discussed and a form of standing agenda.

(b) Following discussion, it was agreed that the revised Terms of Reference for
the Committee, dated November 2012, are approved and adopted subject to
an amendment in 2.1 to clarify that the HR & Corporate Services Director and
the General Counsel were the same role.

(c) These Terms of Reference would be included in the pack of corporate
governance documents to be approved by the Board in January 2013.
ACTION: Company Secretary

(d) The Committee requested that the banking and treasury delegated authority
limits discussed at the Board meeting on 23 October 2012 should return to
the ARC in February for discussion and that outstanding balances and any
breaches by counterparties be brought to the attention of the ARC.
ACTION: CD

(e) The Committee asked for sight of the internal audit reports completed since
April 2012, and a status report on the audit actions to be presented at the
February meeting.
ACTION: MZ

(f) The Committee requested discussion at the February meeting on:

(i) the policies in place to mitigate against key business risks (a paper to be
produced by the Head of Risk Governance); and

(ii) the process for establishing and ensuring compliance by the Business
with those policies and with regulatory requirements. It was recognised
that this exercise would take some time, with priority areas starting to
become clear over the course of 2013.
ACTION: MZ/SC

(g) The CFO and HR & Corporate Services Director would then lead a session at
the Board to give comfort that the Business understands its regulatory risks
and has the policies in place to monitor and mitigate.
ACTION: CD/SC
POLARC12/10 ANNUAL REPORT AND ACCOUNTS AND HALF YEAR TRADING
STATEMENT

(a) CD presented the latest draft of the half-year trading statement. It was noted
that the DVLA decision had now been announced and could therefore be
included in the statement.

(b) It was noted that the trading statement had not been reviewed formally by
Ernst & Young but it was confirmed that the basis of preparation was
consistent and that there had been no major changes in accounting policies
or practice.

(c) The proposed date for release of the statement to the press and general
public was 22 November 2012. Discussions would be held separately with
the Shareholder.

(d) The Committee discussed the tone of the statement and the comments
received to date from members of the Board and it was agreed that final
comments would be input by 14 November, after which the statement
would be re-circulated to the Board for final approval.
ACTION: CD

(e) A copy of the final statement and press release would be circulated to the
Board.
ACTION: Company Secretary

(f) The paper presented by SH, setting out an approach for preparation of the full
year accounts for 2012/13, was considered. After discussion it was agreed that:

(i) Post Office should not take advantage of the exemptions from being a
wholly owned subsidiary of a UK parent producing group financial
statements;

(ii) Post Office should continue to report under UK GAAP but the
consolidated financial statements will be under IFRS;

(iii) the Post Office Annual Report and Financial Statements should be
prepared as one formal document for lodging at Companies House;

(iv) Post Office should include the additional Business Review disclosures
applicable to quoted companies where appropriate;

(v) Post Office should aim to meet the elements of the UK Corporate
Governance Code and DTR disclosure requirements on corporate
governance that are appropriate; and

(vi) Post Office should comply with legal requirements concerning the
disclosure of directors’ remuneration but would not seek to go beyond
the statutory level of disclosure for the financial year 2012/3.

(g) A full analysis of Post Office’s compliance with the UK Corporate Governance
Code was under way and would be provided for discussion by the Committee
at its next meeting. There appeared to be nothing which would prevent the
Post Office from confirming that it upheld the principles of the Code, even if
some of the detailed recommendations would not be applicable to a
Government-owned organisation.
ACTION: Company Secretary

POLARC12/11 RISKS — HIGH RISK CONTRACTS

The CEO, LS and HF joined the meeting to provide an update on the
information security issue which had recently been faced by the Post Office.

An approach to establishing the risk profile of customer data held within the
Post Office had been set out in the paper from LS and this was discussed.

The Committee thanked the CEO and the Business for the rigour with which
they had handled the issue and asked for a short update report in mid-
December followed by a formal report on information security for the next
ARC meeting in February, including a noting paper on High Risk Contracts.
ACTION: LS

The Committee asked to be kept informed in the meantime of any actions
necessary to mitigate against any actual or perceived liability on the part of
the Post Office.

POLARC12/12 INTERNAL AND EXTERNAL AUDIT

(a) SC, AG and JM joined the meeting.

(b) MZ was introduced as the new Head of Internal Audit. He explained the
future audit team he was recruiting for the Business and that going forward
the audit plan would be based on the key risks which would be signed off by
the ARC. He confirmed the activity in the Audit plan for 2012/13 and that
Royal Mail’s Internal Audit Team would assist Post Office up to 31 March
2012.

(c) The Committee agreed that there may be a need to monitor the increased
strategic risks driven by separation and transformation, but that there also
needed to be a focus on compliance within the Network.

(d) The Committee asked for a summary of the areas covered by RMG Internal
Audit reports to be presented to the ARC in February.
ACTION: MZ

(e) Stephen Collins left the meeting.

AG, the Ernst & Young Audit Partner responsible for the Post Office external
audit, reported that the previous year’s audit had been finalised. He expected
that 2012/13 would be a challenging year for the Business in several areas
because of separation and major change, and that the audit would need to
focus on separation, pensions, and taxation with an overlay of IT. He set out
the proposed approach to external audit of the full year accounts and the
outline timetable. The detailed focus of the audit would be:

(i) Revenue recognition and the accounting treatment across diverse
revenue streams;

(ii) Counterparty risk;

(iii) Pension valuation and accounting;

(iv) Separation accounting risks, including pensions and treasury;

(v) Valuation of accounting provisions;

(vi) Risk of fraud/burglary in the Network and Cash operations.

(f) The ARC was comfortable with the approach, alongside the separate
ISAE 3402 IT audit which had been jointly commissioned by the Post Office
and Fujitsu.

(g) The Chairman asked at what level of materiality the E&Y team would report.
AG explained that this would be similar to previous years. Although E&Y did
put a figure on P&L materiality, they would propose to report any identified
audit adjustments above £600k to the Committee and, as a general rule,
insist on changes to the accounts for any single item or accumulation of items
with an effect of over £5-6 million. This was accepted.

(h) The Chairman informed the meeting that he would pick up the Ernst & Young
fees with the CFO outside the meeting.
ACTION: AM/CD

(i) The external audit plan was agreed. The external auditors left the meeting.
POLARC12/13 MATTERS REFERRED TO ARC BY THE BOARD

Governance of the “Eagle” Contract

(a) NK joined the meeting. He presented the paper and explained the governance
processes now in place with the Bank of Ireland (BoI) following agreement of
the new contract. The Committee was informed of the arrangements and the
governance committees put in place to monitor performance. The Committee
asked that the minutes of future Regulatory Risk Committees (RRC) be
provided for the ARC.
ACTION: NK

(b) NK noted the termination rights currently contained in the contract. BoI was
obliged to provide certification within 15 days of each quarter end to assure
Post Office that BoI was meeting its requirements in respect of:

(i) Tier One Ratio and Capital buffers
(ii) Liquidity
(iii) NSFR requirement

and that it had not breached any of the terms of the contract creating a
Termination Obligation.

(c) The Chairman asked if this gave the Business sufficient warning of any
problems. NK assured the Committee that the Bank was obliged to give Post
Office early warning of any capital or liquidity problems and Post Office had a
buffer above the regulatory and statutory requirements set by HM Treasury
(HMT), the Bank of England (BoE) and the FSA.

(d) Post Office had also established a system for tripartite meetings with HMT
and BoE, to which the FSA was also invited. The purpose of this meeting
was to give Post Office a medium to long term view of the banking
environment and how any developments might affect the Post Office.

(e) NK explained that the FSA would soon be splitting to form two organisations:
the Prudential Regulation Authority (PRA) and the Financial Conduct
Authority (FCA). This should lead to a strengthening of regulatory
relationships and give the Business more comfort.

(f) The Committee asked NK to provide an interim update on the regulatory
position in September 2013, 6 months after the changes had taken effect.
ACTION: NK

(g) The Chairman noted that it would be useful at the same meeting to look at
scenarios in which Post Office would need to respond to a termination event.
ACTION: NK

(h) NK reported that Post Office deposits had grown substantially above the
planned £16.6 billion target agreed with the FSA. The parties were working
together to agree a commercially sustainable position on pricing for BoI whilst
ensuring protection for Post Office customer assets and the Post Office
brand.

NK explained the securitisation of assets by BoI and noted that the new
contract required consent from the Post Office to securitise any Post Office
customers’ assets. The terms were designed to ensure that Post Office
customers’ assets were managed effectively but also ring-fenced in the event
that a transfer to an alternative provider became necessary.

NK then left the meeting.

Uncommitted Credit Facilities

(i) The CFO asked for the Committee’s views on the proposals relating to
uncommitted loan facilities which had been put forward to the Board. He
noted that banking counterparties would require a resolution of the full Board.
ACTION: CD/Company Secretary

(j) The Committee discussed the proposals to enter into two loan facilities. CD
confirmed that these proposals had been discussed with the Shareholder and
no concerns had been expressed.

(k) The Committee endorsed the following recommendations to the Board:

(i) approval for Post Office to enter into external borrowing facilities up to a
maximum value of £100m, such that external borrowing of up to £50m
may be drawn down at any one time;

(ii) approval for the CFO and Head of Corporate Finance to conduct
negotiations with counterparties and sign and deliver the loan and
related documentation;

(iii) approval for the form of Board resolution included in the paper, subject
to review by Susan Crichton (Head of HR and Corporate Services).

POLARC12/14 ANY OTHER BUSINESS

(a) It was agreed that the schedule of meeting dates for 2013 should be revised
to allow for meetings in February, May, September and November. The
Company Secretary was asked to recirculate the dates.
ACTION: Company Secretary

POLARC12/15 CLOSE

There being no further business, the meeting was declared closed.
Post Office Ltd. & Bank of Ireland (UK) Regulatory Risk Committee
QBR Meeting
16th November 2012, 11.00 — 1.00pm. Board Room, Bow Bells House, London.
Key Decisions and Actions

Bank of Ireland Members: Debra Codack BOI (UK); Alec Hughes BOI (UK); Richard Holden (Chair) BOI (UK)
Post Office Members: Roger Gale (POL); Jonathan Hill (POL); Jeremy Law (POL); David Mason (POL); Nick Kennett (POL); Malcolm Staite (POL)
In Attendance: Hope Stack (Secretary); Nick Fahy BOI (UK)
Apologies: David McGowan BOI (UK); Kevin Gilliland (POL); Susan Crichton (POL)

Key discussion points:

Governance:

- Meeting minutes of 19th October were approved and matters arising updated.

BOI (UK) Regulatory & Operational Risk Monitoring:

- T&D Reviews — It was agreed that a full root & branch review of the in-branch T&D framework would take place following the full deployment of the video mystery shopping programme.

- Savings Mystery shopping results for T&D Reviews in Q3 showed some slight improvement on Q2 results, with a caveat that Q3 volumes were lower than those undertaken in Q2. It was agreed that the success of the credit card re-accreditation programme would be assessed at the end of Q4.

- Financial Promotions — Deterioration in quality of submissions from POL is impacting on the Bank's ability to sign off promptly. An action was agreed to review stakeholder responsibilities in light of the recent structural change and the need for clarity of accountability in the new structure for the different elements of the FP production and approval cycle. It was agreed that it would be helpful to bring in the Product Managers as part of the review.

- Video Mystery Shopping - Feedback received to date suggests that the pilot has been a success. However, a date has not yet been agreed for a full rollout. The Committee agreed that the next phase should include counter staff, as the Bank's risk is not limited just to FSs.

Compliance Report Highlights:

- The Mortgage Pilot 3 month interim review showed positive indicators following post validation calls which were carried out on a small sample of 14 customers. The Pilot will continue, led by 10 Mortgage Specialists. Further discussions took place re the expected outcome of the pilot and next steps.

- Financial Specialists Capability — The red rated issues reported on mystery shopping were to be raised at BOI (UK) BRC and require both short term and long term solutions to address. The Committee noted that significant efforts have been made to improve levels of compliance in relation to the in-branch sale of credit cards and that these should begin to have a positive impact in the near future.

Top 5 Risks:

Top 5 Risks to be updated following discussion by the Committee.

Customer Complaints MI & TCF Scorecard:

Both sets of MI currently under review. AH presented a draft ‘PO Distribution - Conduct Risk Dashboard’ to the Committee and confirmed the intention that this will replace the distribution related elements of the POFS TCF Scorecard. It was agreed that AH would finalise the proposal in this regard and present the final version to the Committee in January.

AOB — Terms of References:

The Committee ToR is to be revised to reflect recent changes and will be presented at the December meeting for approval.

Open actions out of 16th November POL & BOI (UK) meeting
(Columns: Action / Owner / Due Date / Update as at 23rd November / Status)

126. T&D Review Process — J.Law took an action to keep the Committee updated on the progress of the overall review of the T&D framework.
     Owner: JL. Due: n/a. Status: Closed.

127. Crown T&D Reviews — DC took an action to extract the detail (question and results per branch) behind the results as reported on page 7 of Monitoring report, and provide these to Roger Gale.
     Owner: DC/RG. Due: 12th Dec. Update: DC to provide detail behind results to RG as agreed. This action was closed as complete 26th November. Status: Closed.

128. Financial Promotions Submissions — Agreed that a RACI should be completed with all key stakeholders in light of new operating structure.
     Owner: DC/JH/JL. Due: 12th Dec. Update: Provide Committee with an update on the review at the next meeting. Status: Open.

129. Video Mystery Shopping — Phase II.
     Owner: DC/DM. Due: Dec/Jan. Update: DC/DM to discuss plans for next phase of Video Mystery shopping and advise Committee. Status: Open.

130. Financial Specialists Capability
     i) Provide paper on summary of the key issues highlighted, the impact of the issues and how they can be addressed in short/long term.
        Owner: RG/JL. Due: Jan. Update: RG/JL to provide an update on the paper presented by AH to the Committee in September at the January Committee meeting. Status: Open.
     ii) Provide NK&JL a copy of RCA paper presented by DM/AH at 19th Oct meeting.
        Owner: NK/JL. Due: Nov. Update: HS circulated a copy of the RCA paper as requested. Status: Closed.

131. Regulatory Risk Assessment
     Owner: JH. Due: 12th Dec. Update: JH to provide Committee with update at Dec meeting. Status: Open.
     Owner: JH/JL. Due: 19th Dec. Update: JH to provide Committee with update at Dec meeting. Status: Open.
     i) AH to circulate supporting document on the Customer Detriment Risk Assessment Process.
        Owner: AH. Due: Nov. Update: AH provided document and it was circulated to the Committee members. Status: Closed.

132. Top 5 Risks to be revised reflecting the current relevant risks.
     Owner: AH. Due: Jan. Update: AH to update and present to the next QBR meeting. Status: Open.

133. AH presented a draft ‘PO Distribution - Conduct Risk Dashboard’ to the Committee and confirmed the intention that this will replace the distribution related elements of the POFS TCF Scorecard.
     Owner: AH. Due: Jan. Update: AH to finalise the proposed Dashboard and present the final version to the Committee in January. Status: Open.

134. The Committee ToR will be revised to reflect recent changes and presented at the December meeting for approval.
     Owner: RH. Due: 12th Dec. Update: Revised ToR to be presented at 12th Dec meeting. Status: Open.

135. Schedule of 2013 meeting dates — JH requested that some of the 2013 meeting dates change to facilitate POL availability.
     Owner: JH. Due: Nov/Dec. Update: HS re-sent copy of 2013 schedule to JH for review and feedback. Status: Closed.

Previous actions out of POL & BOI (UK) meeting:
(Columns: Action / Owner / Due Date / Update as at 23rd November / Status)

121. POL Branch classification and the development of Local Branches — It was agreed SL would circulate her presentation to the Committee and advised she would be available to answer any questions members of the Committee might have following the meeting.
     Owner: SL. Due: 29th Nov. Update: HS circulated a copy of the presentation received from SL of POL. Status: Closed.

Approved by: Richard Holden, Chairman
Date: 12th December 2012

POL00184703
POL00184703
POL00184703
POL00184703

Post Office Ltd. & Bank of Ireland (UK) Regulatory Risk Committee
QBR Meeting
12" December 2012, 10.00 — 12.00pm. Board Room, Bow Bells House, London.
Key Decisions and Actions

Bank of Ireland Members: Post Office Members: In Attendance: Apologies:

Debra CodackBol(UK) Jonathan Hill (POL) Hope Stack (Secretary) Roger Gale (POL)

Alec Hughes Bol (UK) Jeremy Law (POL) Nick Fahy BOI (UK)

Richard Holden (Chair) Bol (UK) I David Mason (POL) Nick Kennett (POL)
Malcolm Staite (POL)

Key discussion points:
Governance:

- Key decisions of 16" November were approved and all open actions were updated.
BOI (UK) Regulatory & Operational Risk Monitoring:

- T&D Reviews — The overall rating of Crown T&D reviews for the month was Amber. Generic Reviews reported no change at amber and significant
improvement was noted on the Thematic Mystery Shopping of credit cards with an overall rating graded green (24 green & 4 red) All mystery shops
were noted to be carried out post the POL credit card training in early November.

Exceptions report was presented with additional detail on each exception following queries raised by POL at November meeting. The Committee was
advised that further monitoring would take place in Jan/Feb 2013

Generic Compliance Reviews — The Committee was again made aware of the review findings in terms of the number of staff who are unaware of the
procedure to follow in the event of a customer wishing to make a complaint - This has now increased to an exception rate of 83% over the last 3 months.

-  -Video Mystery Shopping pilot (phase II) — All video mystery shops associated with phase II of the pilot (a mix of credit card & savings products)
have been completed across a total of 17 locations. The assessment process was confirmed as being underway and DC advised findings to date show an
increase in Red results for phase II. . DM advised that POL will be compiling a report in relation to the performance of the pilot, which will be made
available to the committee for review once complete. In terms of full roll out of Video Mystery Shopping, POL advised that it would be preferable to
first identify whether it could be procured from one of their existing mystery shopping providers such as ABA(POL are subject to public procurement
rules which make it simpler to procure services from existing suppliers). RH confirmed that he understood the challenge facedby POL in this respect,
but stressed that any party wishing to be considered for the tender process must be capable of demonstrating their ability to deliver the service
effectively.

RRC 142
POL00184703

POL00184703

POJV Compliance update

Branch Mystery Shopping— the monthly report demonstrated continuing improvement in relation to the number of green ratings now being achieved.
AH highlighted the CPP mis-selling- FSA Fine and advised that POJV Compliance would be carrying out an analysis of the sales practices that led to the
FSA taking action against CPP to ensure that BOI (UK) has no similar regulatory compliance exposure. An update will be provided at the next meeting.
Gender neutral pricing — It was confirmed gender neutral pricing has been introduced for all insurance products.

Deposit Protection — Raising Consumer Awareness- while the FSA’s new rules in this regard are not applicable to POL, a range of ‘voluntary’ measures
were to have been considered by the POL Executive Committee. J. Hill took an action to circulate an update to the Committee ahead of the next meeting in
January 2013.

Regulatory Risk Assessment & Management Process

Regulatory Watch List — due to the unavailability of data, this report was noted to be incomplete. AH confirmed that, assuming the data is available, an
updated report will be produced for the January 2013 meeting.

BOI (UK) Risk Planning Register — This report is not available until working day 20, it was agreed the Secretary would circulate once available (Secretary
issued this report to the committee & attendees 2I' December 2012)

Customer Complaints Report — The Complaints report (in a temporary format) was presented to the Committee and the Chairman confirmed an action to
liaise with Bob Tennant in order to agree how future Complaints reports would be presented. Separately, a POL review of Post Office Complaints was noted
to be currently underway and JH suggested POL would engage with the BOI (UK) complaints team once their review was complete. AH added that he will
restart the production of the quarterly analysis of inbranch complaints in the new year.

TCF -—

Outcome I — Complaints from CMCs with regards to PPI mis-selling — It was noted that 91% complaints are not upheld and a very significant percentage
(circa 70%) did not have PPI policy for the product against which the complaint was raised. DC advised that work is in progress within BOI UK to implement
a simplified process for dealing with DSAR requests from CMC’s in relation to PPI claims. Longer term this should see a reduction in the number of
speculative complaints that subsequently come in. Several of the larger CMC’s have signed up to the simplified process, and BOI UK Risk team would be
engaging with Rob Lear of Group Customer Complaints to maximise opportunity.

Voice of Customer/Social Media Update - As NF was unable to attend the meeting, it was agreed this item would be carried forward to QBR.

AOB ~— Terms of References - A number of small queries were raised in relation to the TOR:(i) it was advised NK would only attend meetings on a
quarterly basis;(ii) Under the “Duties” section of the document, it was requested that “POL” is removed from “Voice of the Customer and Social media
reports”; and (iii) there was an action for the Committee to agree how its duties align to those of other POL/BOI (UK) Committees in terms of responsibility
and reporting.

2013 Schedule of meeting dates — HS confirmed that the proposed set of 2013 meeting dates are with POL for review and approval. JH committed to
reverting on the dates w/c 15"" December.

RRC 142
Open actions out of 12" December 2012 POL & BOI (UK) meeting

SN Ore — Action Ge _ Owner I Due Date I Update as at 23rd November I Status I
136. Video Mystery Shopping Phase II
     Owner: DM. Due: 21/01/2013. Update: DM to provide update at QBR meeting. Status: Open.
     i) POL POC Review report to be made available to the committee for review once complete.
     ii) Full VMS roll out plan: POL to provide BOI UK with an update on the status of the project.
        Owner: NK/DM/JH. Due: 21/01/2013. Update: Update to be provided to Committee at next meeting. Status: Open.

137. CPP mis-selling - FSA Fine: AH to carry out an analysis of the sales practices that led to the FSA taking action against CPP to ensure that BOI (UK) has no similar regulatory compliance exposure. Update to be provided by AH at the January meeting.
     Owner: AH. Due: 21/01/2013. Update: AH to update at next meeting. Status: Open.

138. Deposit Protection - Raising Consumer Awareness: JH took an action to circulate an update to the Committee ahead of the next meeting in January 2013.
     Owner: JH. Due: Jan 2013. Update: JH to circulate paper presented to Senior Executive. Status: Open.

139. BOI (UK) Risk Planning Register: This report was not available until working day 20; the Secretary would circulate once available.
     Owner: HS. Due: 21/12/2012. Update: Secretary issued this report to the committee & attendees 21 December 2012. Status: Closed.

140. Customer Complaints Report
     i) The Chairman confirmed an action to liaise with Bob Tennant in order to agree how future Complaints reports would be presented.
        Owner: RH. Due: 21/01/2013. Update: Update to be provided at Jan meeting. Status: Open.
     ii) A POL review of Post Office Complaints is work in progress. J. Hill suggested POL would engage with the BOI (UK) complaints team once their review was complete.
        Owner: JH. Due: 21/01/2013. Update: JH to provide update at Jan meeting. Status: Open.
     iii) AH to restart the production of the quarterly analysis of in-branch complaints in the new year.
        Owner: AH. Due: 21/02/2013. Update: Q4 report to be made available at February meeting. Status: Open.

141. Terms of Reference: Further minor changes requested by members to be updated; the amended TOR will be presented at the next meeting for approval.
     Owner: RH. Due: 21/01/2013. Update: TOR to be amended and re-presented to the Committee for approval. Status: Open.

142. 2013 Schedule of meeting dates: POL to confirm approval of all proposed meeting dates for 2013.
     Owner: JH. Due: 21/01/2013. Update: JH to provide Committee with agreement on the scheduling of monthly meetings. Status: Open.

RRC 142

Open actions out of 16th November POL & BOI (UK) meeting

(Update as at 23rd November)

128. Financial Promotions Submissions: Agreed that a RACI should be completed with all key stakeholders in light of the new operating structure.
     Owner: DC. Due: Jan 2013. Update: DC engaged with Gp Change Mgt who will arrange RACI review allowing continuity. DC took action to follow up. Status: Open.

130. Financial Specialists Capability
     i) Provide paper on summary of the key issues highlighted, the impact of the issues and how they can be addressed in short/long term.
        Owner: RG/JL. Due: Jan. Update: RG/JL to provide an update on the paper presented by AH to the Committee in September at the January Committee meeting. Status: Open.
     ii) Provide NK & JL a copy of RCA paper presented by DM/AH at 19th Oct meeting.
        Owner: NK/JL. Due: Nov. Update: HS circulated a copy of the RCA paper as requested. Status: Closed.

132. Top 5 Risks to be revised reflecting the current relevant risks.
     Owner: AH. Due: Jan. Update: AH to update and present to the next QBR meeting. Status: Open.

133. AH presented a draft 'PO Distribution - Conduct Risk Dashboard' to the Committee and confirmed the intention that this will replace the distribution related elements of the POFS TCF Scorecard.
     Owner: AH. Due: Jan. Update: AH to finalise the proposed Dashboard and present the final version to the Committee in January. Status: Open.

134. The Committee ToR will be revised to reflect recent changes and presented at the December meeting for approval.
     Owner: RH. Due: 12th Dec. Update: Revised ToR was presented at 12th Dec meeting with the committee adding some minor amends; RH to update. Status: Closed.

Closed actions of previous POL & BOI (UK) meetings

(Update as at 23rd November)

129. Video Mystery Shopping - Phase II
     Owner: DC/DM. Due: Dec/Jan. Update: DC/DM to update committee re this item under agenda item 2ii of meeting. The action can be closed. Status: Closed.

Approved by: Richard Holden, Chairman
Date: 21st January 2013

See Distribution

Post Office Ltd — Strictly Confidential

Risk and Compliance Committee (R&CC)

Reference: R&CC/MIN/JAN13

Date: 21 January 2013

MINUTES OF THE POST OFFICE RISK & COMPLIANCE COMMITTEE HELD IN 148 OLD STREET AT 13.30 HRS ON 21 January 2013

Present:
  Susan Crichton, HR & Corporate Services Director (Chair)
  Chris Day, Chief Financial Officer (Member)
  Paul Brown, Head of Mails & Retail Services, for Commercial Director (Member)
  Simon Baker, Head of Programme & Planning, for Chief Information Officer & Strategy Director (Member)
  Hugh Flemington, Head of Legal (Report)
  Jonathan Hill, Head of Financial Services Risk (Report)
  Mark Pearce, Head of Information Security (Report)
  Heather Bignell-Blye, Regulatory Risk Business Partner - Data Protection & Privacy (Report)
  Nigel Tuppen, Business Risk & Assurance Manager (Report)
  Malcolm Zack, Head of Internal Audit (Report)
  Rob Bolton, Risk & Assurance Adviser (Secretariat)

Apologies:
  Susan Barton, Strategy Director (Member)
  Lesley Sewell, Chief Information Officer (Member)
  Martin Moran, Commercial Director

Nick Ket, Financial Services Director

1. Introduction

1.1 The Chair welcomed everyone to the meeting. Apologies had been received from Susan Barton, Lesley Sewell and Martin Moran.

2. Minutes of Previous Meeting

2.1 The minutes of the last meeting had been circulated and were accepted as an accurate record by those present.

3. Outstanding Actions from the Previous Minutes

3.1 The actions from the previous meeting were discussed.

Action 1505 Updated paper had been provided - this is a work in progress but the action is considered completed

Action 1510 Nothing further; Susan Crichton to discuss with the Communications Director outside of the meeting. Action closed

Action 1512 ExCo meeting now scheduled for 5th February, including Internal Audit, to review the proposed risk management strategy for the year. An ExCo risk session to be arranged - Action Completed

Action 1516 Verbal update provided and feedback to be discussed as part of agenda item - Action Completed

Action 1517 Action Completed

Action 1518 Agenda item - Action Completed

Action 1519 Action carried forward

Action 1520 Action carried forward

Action 1521 Verbal update provided. It was agreed that any reporting from the Network Compliance Forum to the R&CC should be by exception and that Malcolm Zack should attend the Network Compliance Forum - Action Completed

Action 1522 Malcolm Zack to be invited to future Network Compliance Forums and any reporting from that forum to the R&CC to be by exception. (1522 - NT)
4. PCI Update

4.1 As requested at the last meeting, Mark Pearce had provided a paper that identified the RAG status for PCI across all channels:

Horizon - Green
Paystation - Green
Post & Go - Green
RMG Call Centre - Red
  MP stated the RMG red status was because RMG was not planning to issue a remediation plan until the end of January 2013.
Products: Service Suppliers - Amber
  MP confirmed the amber status as the review was currently 80% through the top 12 suppliers. Planned to complete by the end of February 2013.
e-Business Platform - Amber
  MP stated the amber status was because it was not yet confirmed whether Capgemini services were out of scope for PCI.
Homephone & Broadband - Green
  MP stated there was a requirement for suppliers to be PCI compliant but not certified.

4.2 In summary it was agreed that Horizon certification had been achieved, which was noteworthy; however there was still some work to be done in all of the other areas.

Action 1523 Provide a summary paper identifying the issues relating to the RMG Call Centre and Capgemini services to assist with the escalation to the MSA Board. (1523 - MP)

Action 1524 PCI issues to be raised at next MSA Board. (1524 - SB)

5. Data Governance

5.1 Heather Bignell-Blye provided a paper on the need for a Privacy & Data Protection Governance structure, explained its recommendations, and confirmed that Susan Crichton was the sponsor for Data Governance in the Business.

5.2 The need for such a role was agreed, but Chris Day highlighted that this should be done in a way that does not increase overall head office costs.

5.3 It was agreed in the meeting that the development of Data Governance and the appointment of a Head of Privacy should be aligned to and taken forward within the scope of Project Javelin.

Action 1525 Progress establishing Data Governance and the appointment of Head of Privacy aligned to and within the scope of Project Javelin. (1525 - HBB/SC)

6. Audit & Risk Committee Update

6.1 Malcolm Zack provided a verbal update from the Audit & Risk Committee (ARC). He stated the Chair of the ARC had requested an update on the policies in place within Post Office Ltd, the availability of these policies and whether the Business was compliant with them.

Action 1526 Put together a proposal for the next R&CC for the management of policies within Post Office Ltd to ensure all policies are in place, available and that the Business is compliant against them. (1526 - MZ/NT)

Action 1527 Put together a response to the next available ARC, following the March R&CC meeting, identifying Post Office Ltd approach to the management of policies to ensure all are in place, available and that the Business is compliant against them. (1527 - MZ/NT)

7. Revised Risk & Compliance Committee Terms of Reference

7.1 The updated terms of reference, together with Malcolm Zack's paper relating to the linking of the ARC and the R&CC, had been circulated in advance of the meeting. There was no further discussion and the meeting agreed the new terms of reference for the Risk & Compliance Committee.

8. Enterprise Risk Management Update

8.1 Nigel Tuppen explained that a new Risk Policy had been developed in liaison with Internal Audit and this had been circulated for approval. This was discussed and endorsed by the meeting and it was agreed that the policy be submitted to the ARC for final sign off.

8.2 NT gave an update on ERM and stated that the Strategy and Network & Sales directorates had not yet fully identified their key risks and that the overall process for identifying risks was still very "bottom up". He stated this should be resolved by the planned session with the ExCo to discuss and review key risks.

8.3 NT explained that there was an inconsistent approach to the use of the project server programme management tool. He highlighted that some programmes did not have any risks identified on this tool. He also stated that the development of the interface between project server and the Stratex risk tool was in progress at the technical build stage.

8.4 The Key Risks paper was reviewed and discussed. In particular there was a discussion around the identified key risks relating to information security and the need for a progress update on this at the next meeting.

Malcolm Zack highlighted the need to show the movement of the key risks for the next update meeting, and to consider also showing risks that have a high impact but low likelihood.

8.5 The Programme risks were discussed and MZ queried what had happened to justify the downward movement identified on the heat map. It was therefore agreed at the meeting that the SPMO should be invited to attend the R&CC to provide an update on the Network Transformation programme to explain key risks and their movement.


8.6 NT highlighted the need for a year-end report to be prepared, approved and issued in readiness for end of year. Chris Day confirmed Sarah Hall would pull this report together using the latest key risks identified by ExCo and the Directorates. Agreed this should be ready by early to mid-April.

Action 1528 Risk Policy to be submitted to the next available ARC for final sign off. (1528 - SC/NT)

Action 1529 Movement of key risks to be shown in future ERM updates. (1529 - NT)

Action 1530 High impact and low likelihood risks to be shown within future risk reports to the R&CC. (1530 - NT)

Action 1531 SPMO to be invited to the next R&CC meeting to provide an update on the Network Transformation programme. (1531 - NT)

Action 1532 Year-end report to be prepared by mid-April using the latest key risks identified by ExCo and Directorates. (1532 - CD/SH)

Action 1533 Report on the key information security risks resulting from the Buffalo report to be provided to the next R&CC. (1533 - LS/SB)

9. Internal Controls Framework

9.1 Nigel Tuppen presented an update and stated that a desktop status had now been completed for each of the areas within the framework following discussions with relevant management.

9.2 He confirmed that the next step was to perform further testing in each of the areas, initially focusing on the areas specifically related to the end of year assurance statements that are provided to clients. This would be completed by the end of March 2013. He also advised that he was liaising with Internal Audit & Risk Management as it was planned for them to be involved in some of the testing to be completed. Extended testing in the other areas of the framework would be completed in Q1 of 2013/2014.

10. Business Continuity

10.1 Nigel Tuppen explained that a new Business Continuity Manager had recently started. He referred to the new Business Continuity Management (BCM) Policy that had been circulated for approval and asked if there were any questions or comments. There was nothing further and it was agreed that the new BCM policy be submitted to the next ARC for final sign off.

Action 1534 Business Continuity Management policy to be submitted to the next available ARC for final sign off. (1534 - SC/NT)

11. Any Other Business

11.1 There was nothing further raised.

12. Next Meeting

The next meeting of the Risk and Compliance Committee is scheduled to be held on 18th March 2013. The meeting will be held in the POL Boardroom from 13.30 to 15.30.

13. Summary of Actions

Ref  | Action | Lead | Status
1519 | Enterprise Risk Management to be added to next Transformation Board agenda | Susan Barton | Carried Forward
1520 | Enterprise Risk Management and the identification of risks to be discussed at the next ExCo Strategy Refresh meeting | Susan Crichton / Susan Barton | Carried Forward
1522 | Malcolm Zack to be invited to future Network Compliance Forums and any reporting from that forum to the R&CC to be by exception | Nigel Tuppen | New Action
1523 | Provide a summary paper identifying the issues relating to the RMG Call Centre and Capgemini services to assist with the escalation to the MSA Board | Mark Pearce | New Action
1524 | PCI issues to be raised at next MSA Board | Simon Baker | New Action
1525 | Progress establishing Data Governance and the appointment of Head of Privacy aligned to and within the scope of Project Javelin | Heather Bignell-Blye / Susan Crichton | New Action
1526 | Put together a proposal for the next R&CC for the management of policies within Post Office Ltd to ensure all policies are in place, available and that the Business is compliant against them | Malcolm Zack / Nigel Tuppen | New Action
1527 | Put together a response to the next available ARC, following the March R&CC meeting, identifying Post Office Ltd approach to the management of policies to ensure all are in place, available and that the Business is compliant against them | Malcolm Zack / Nigel Tuppen | New Action
1528 | Risk Policy to be submitted to the next available ARC for final sign off | Susan Crichton / Nigel Tuppen | New Action
1529 | Movement of key risks to be shown in future ERM updates | Nigel Tuppen | New Action
1530 | High impact and low likelihood risks to be identified within future risk reports to the R&CC | Nigel Tuppen | New Action
1531 | SPMO to be invited to the next R&CC meeting to provide an update on the Network Transformation programme | Nigel Tuppen | New Action
1532 | Year-end report to be prepared by mid-April using the latest key risks identified by ExCo and Directorates | Chris Day / Sarah Hall | New Action
1533 | Report on the key information security risks resulting from the Buffalo report to be provided to the next R&CC | Lesley Sewell / Simon Baker | New Action
1534 | Business Continuity Management policy to be submitted to the next available ARC for final sign off | Susan Crichton / Nigel Tuppen | New Action


Speak Up Policy

The Post Office is committed to conducting business with the highest standards of honesty, integrity and openness where our colleagues feel able to raise concerns internally.

Main topic areas
• Policy statement
• Confidentiality and protection of workers
• Underpinning legislation
• When should concerns be raised?
• How should concerns be raised?
• How will concerns be dealt with?

Getting help
In the first instance, any queries relating to this policy should be directed to your line manager. Line managers can obtain advice by contacting the MY HR Help Adviceline. Alternatively visit the My HR Help website.

The Post Office.V1 30/04/2012


Scope
This policy applies to all colleagues of the Post Office. This policy is effective from 01 April 2012.

This policy does not form part of contracts of employment. We reserve the right to amend this policy from time to time.

Policy statement
The Speak Up Policy sets out the process by which workers, i.e. colleagues and others who are contracted to personally perform work on behalf of the Post Office, can raise concerns in confidence and, if required, anonymously about serious malpractice in the organisation in the knowledge that concerns will be acknowledged and action taken where appropriate.

Any worker who raises a legitimate concern in good faith under this process will not in any way be liable to disciplinary action or loss of benefits, rights or prospects as a result of their action.

Disciplinary action may be taken against any worker who is shown to have used these procedures to make malicious or misleading allegations.

Confidentiality and protection of workers
Confidentiality is not the same as anonymity. Workers who raise concerns are sometimes understandably concerned about their position, and may wish to remain anonymous.

However, it is often difficult to conduct an effective investigation without being able to discuss it fully with the person who raised the concern. The helpline staff will ask callers if they are willing to provide a contact name and number, but callers do not need to provide contact details.

Although the business will attempt to investigate anonymously raised concerns wherever possible, practical difficulties may prevent investigations from being undertaken in certain cases.

Underpinning legislation
Workers are protected by the Public Interest Disclosure Act (PIDA), which provides workers with the right not to suffer any detriment or dismissal by the employer if they raise a concern which qualifies as a protected disclosure.

PIDA identifies protected disclosures as those which are made in good faith and are reasonably thought to show one or more of the following:
• That a criminal offence has been committed, is being committed or is likely to be committed
• That a person has failed, is failing or is likely to fail to comply with any legal obligation to which he/she is subject
• That a miscarriage of justice has occurred, is occurring or is likely to occur
• That the health or safety of any individual has been, is being or is likely to be at risk
• That the environment has been, is being or is likely to be damaged; or
• That information about any of the above matters is being or is likely to be deliberately concealed

A disclosure will not qualify as protected if the person making the disclosure
commits an offence by making it.

When should concerns be raised?
Workers should raise a concern if they are aware of, or suspect, wrongdoing which affects others (e.g. customers, members of the public, colleagues or the Post Office).

Some examples of situations where a worker may raise a concern are:
• Fraud
• Giving or taking of bribes
• Financial malpractice
• Misreporting
• Practices that might put individuals or the environment at risk

How should concerns be raised?
In the first instance workers should raise concerns with their line manager, or a senior HR manager in the Post Office. They will either act on the information given to them, or pass it to the relevant person who can deal with it.

It is recognised that sometimes raising a concern directly with the business will not be possible, for example if the worker considers that line management may be involved in the issue or if they have a concern about confidentiality.

In such instances workers should contact the "Speak Up" confidential reporting line, which is run by InTouch MCS Ltd, an independent company. The reporting line can be accessed by phone or via an on-line web service. InTouch will treat concerns in complete confidence and the worker does not have to provide contact details.

The worker will be requested to provide information about their concern, for example the history of the concern, relevant individuals and the reason why they are particularly concerned about the situation.

There is no requirement to provide contact details. However, not providing details may reduce the business' ability to make a thorough investigation into the concerns raised. All calls to the Speak Up line will be acknowledged within five working days.

How will concerns be dealt with?
Details of the concern raised will be forwarded to the Post Office, who will act on it in the most appropriate way. Any resulting investigations will be made by people with appropriate authority who have the technical and professional knowledge needed for the particular case.

It is possible that the business may wish to directly contact the worker to request additional information. This will be done only where the worker has given express consent and is happy for a representative from the Post Office to speak directly to them. In all cases the individual's concern will be treated sensitively and in confidence.

Where concerns about serious malpractice are raised through other routes, such as other business helpdesks, and the concern would appear to be sufficiently serious to be covered by the Public Interest Disclosure Act, this should be investigated and managed in line with this policy.

Investigation outcome
The Post Office does not have to inform a worker who raises a concern of the outcome of any investigation, and in some cases the Post Office may need to protect the confidentiality or rights of other individuals and workers. However, the Post Office may provide an update on progress where this is deemed appropriate.

Responsibilities
Executive Team
• Approval of the Speak Up Policy
• Ensuring that resources are made available within the Post Office as required

Risk and Compliance Team
• The development and maintenance of the Speak Up Policy
• The development and maintenance of the framework and associated high level processes
• Coordinating the receipt of cases from the Post Office's helpline provider and reporting back on progress and outcomes
• Reporting incidents and outcomes to the Audit and Risk Committee and to CEC
• Chairing a working group consisting of the subject matter experts, to ensure that serious claims are effectively investigated
• Contractual management of the 3rd party helpline provider

Where to go for more information

Speak Up (whistleblowing)
To report a concern:
• Telephone [redacted] and choose to either speak to an operator, or leave a voicemail message
• Alternatively leave a message using the confidential on-line web based service at www.intouchfeedback.com/royalmail

If clarification is required as to whether or not a claim raised by a colleague is relevant to the Speak Up Policy, email [redacted] or contact the Risk and Compliance team.

Bullying & Harassment Helpline
A free helpline, operated by an independent company, to offer confidential advice relating to bullying or harassment concerns:
Telephone [redacted]

Grapevine
To report any information about a crime relating to the Post Office:
Telephone: [redacted]

Forms
There are no forms relevant to this policy.

Related documents
There are no related documents to this policy.

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE

Confidential

Risk Management Strategy 2013-2014

1. Purpose

The purpose of this paper is to:

1.1 Inform the committee on the current status of the Enterprise Risk Management (ERM) framework in Post Office Limited.

1.2 Request that the Committee approves the next stage of the ERM development approved by the Executive Committee, as explained in the Executive Committee paper which follows.

2. Background

2.1 ERM has been implemented by the Post Office Risk and Compliance function during 2012. It has gathered risks using a bottom up method. It now needs a top down view from the Executive Committee and a structured plan for the next stage of its development.

3. Current Situation and Summary of Action Needed

3.1 Stage 1 - To commence February 2013
• Draft and approve Risk Management Policy
• Confirm Governance of the Risk Management Framework
• Appoint the new Head of Risk

3.2 Stage 2 - Commence April 2013
• Establish Executive Committee top level business wide view of risk
• Directorate level risk assessment
• Communicate with Senior Leadership Team
• Regular Risk reviews
• Define Risk Appetite and Risk Tolerance
• Develop the Business Controls Framework

3.3 Stage 3 - January 2014 onwards
• Develop next stage of strategy
• Refine techniques
• Establish ongoing auditing of risk management frameworks

4. Recommendations

The Audit, Risk and Compliance Committee is asked to approve the next stage of the ERM development.

ARC Risk Management Strategy 2013-14
Malcolm Zack - Head of Internal Audit
13 February 2013
Page 1 of 1
Confidential - Draft for discussion Ver 2.0

POST OFFICE LTD EXECUTIVE COMMITTEE

Risk Management Strategy 2013-2014

1. Purpose

The purpose of this paper is to:

1.1 Inform the committee on the current status of the Enterprise Risk Management (ERM) framework in Post Office Limited.

1.2 Request that the Committee approves and visibly leads the next stage of the ERM development.

1.3 Recommend approval to the Board.

2. Background

2.1 ERM has been implemented by the Post Office Risk and Compliance function during 2012. The business has nominated risk champions and risk coordinators in each Directorate and commenced transferring information from spreadsheet-based risk registers into a dedicated software tool called "Stratex".

2.2 The approach has built detailed information around risks to business objectives. The "bottom up" approach has been moderated and used to inform the Risk and Compliance Committee of the top risks that could potentially impact the organisation.

2.3 The Risk and Compliance team has drafted a risk policy and is building a business controls framework.

3. Current Situation and Action Needed

3.1 The output from Stratex provides a partial view of top risks but now needs to be complemented by a top down view from senior executives.

3.2 The Executive Committee is asked to support the ERM approach and apply it across the business. The approach will need to:
• Be proportionate to the current risk maturity of the organisation.
• Recognise the different risk profiles in each Directorate.
• Be scalable and grow with the business as it develops over the next few years.

3.3 The Executive Committee is asked to provide the strategic top down input to the risk framework and to fully endorse the risk management policy.

Risk Management Strategy
Malcolm Zack - Head of Internal Audit
Page 1 of 4
February 5th 2013
4. Plan

Stage 1 - Target 31st March 2013

4.1 The Risk and Compliance function will draft a Risk Management Policy to apply across the organisation.

4.2 The Executive Committee will review and approve the policy and recommend its approval by the Board.

4.3 Confirm the Governance Structure of the Risk Management Framework
• Agree the position, relationship and relative risk responsibilities of the Audit and Risk Committee (ARC) and the Risk and Compliance Committee (R&CC). (Refer to Appendix 1)
  o The R&CC will report its activity and highlight key risks and issues to the upcoming ARC.
  o The R&CC will notify the ExCo of key risks and issues for its attention.
  o The R&CC will invite Directorates to present their current views of risk.
  o The ARC may also invite Directorates to present and will review the overall ExCo view of risk.
• The R&CC will finalise the Terms of Reference for the R&CC and the primary content of meetings.
• Agree the linkage between Head of Internal Audit and Head of Risk.

4.4 Appoint the new permanent Head of Risk.

4.5 Strengthen the risk management framework.
• Identify and assess risks using risk mapping.
• Improve the action planning with clear dates and ownership.
• Improve the monitoring and reporting of progress of actions using the ERM Stratex tool.
• Share results of Directorate Risk reviews at ExCo meetings.

4.6 The Executive Committee to establish its top level business wide view of risk.
• Identify and assess the top 15-20 risks to achieving the strategic objectives.
• Create the first Executive "Board Level" Risk Map.
• Create the initial action plan.
• Assign ExCo members to each risk and action plan.
• Assign an ExCo member to present the first draft to the ARC (possibly April) or to the Board.
• Agree to review and update the ExCo risk map and action plans each quarter.

Stage 2 - Target to complete December 31st 2013

4.7 Commence integration to the next level.
• Share the ExCo Risk map with the SLT and risk champions.
• Implement in Directorates using the workshop and risk map approach.

4.8 In each Directorate, flow down the top risks from the Executive.
• Identify which of these the business unit under review links to.
• Identify own top risks related to own top objectives.
• Identify if there are risks at this level that should be promoted upwards.

4.9 Refine the library of risk maps and action plans and provide input to the Stratex tool.
• Quarterly, each Directorate will review its risks and input to the ERM tool.
• Improve the quality of Directorate review of business risks at the Risk and Compliance Committee and/or ARC where appropriate.
• The Transformation Board will review and manage the risks and interdependencies of the Transformation Programme.

4.10 Alongside risk map roll out:
• Work with the Executive Committee to define the company's risk appetite and risk tolerance concepts, to be ratified by the Board. (Head of Risk)
• Review the Stratex model and populate it with output from risk workshops (ongoing - Head of Risk to lead).
• Develop the Business Controls Framework which supports the management of risk.
• Track risks arising from the results of audits (internal, external) and input these into the risk management framework.
• Develop workshop material and training where needed.

4.11 The Executive Committee will start its quarterly reviews and update the ARC or Board, explaining movements in the key risks and highlighting new ones.

Stage 3 - January 2014 onwards
• Develop the next stage of strategy. (Head of Risk)
• Assess status, benchmark, and consider a longer term move towards recognised ISO risk management standards. (Head of Risk)
• Identify if some Directorates require more sophisticated techniques (e.g. Financial Services). (Head of Risk)
• Establish ongoing auditing of the risk management framework and provide advice/support where required. (Head of Internal Audit)

5. Recommendations

The Executive Committee is asked to:

5.1 Approve and visibly support the next stage of the ERM development.

5.2 Recommend approval to the Board.

Susan Crichton
5th February 2013
POL00184703
POL00184703

Confidential - Draft for discussion Ver 2.0

Appendix 1

Risk governance structure (a diagram in the original; reproduced here as an outline)

Board
- Receives the Audit Committee Chairman's report at each periodic meeting.

Audit and Risk Committee
- Oversees: the system of financial and operational control; financial reporting practices and disclosure matters; Internal Audit; External Audit; Board-referred risk issues for the Audit Committee.
- Oversight of the risk management framework employed by the business.
- Gives direction to the Internal Audit / External Audit teams.
- Meets at least 4 times a year.
- Receives: summaries of audit work done by business areas (e.g. Branch / Supply Chain audit); fraud risk; ethics and code of conduct; ExCo risk presentations.

Risk and Compliance Committee (reports to the Audit and Risk Committee at each periodic meeting)
- Oversees the identification, assessment and management of risks.
- Strategic risk review; Risk Management Framework; Risk Policy; Risk Appetite; Risk Acceptance.
- Meets at least 4 times a year, 3-4 weeks prior to ARC.
- Receives: status of risk; Directorate risk assessments and presentations; status of the Risk Management Framework; 3rd party risk and compliance activities; risk highlights from Internal Audit; Transformation Board input on the risks of the Transformation Programme.
- Reports to the Audit Committee: summary of activity; risk highlights for Audit Committee attention; key risk maps.
- Reports to ExCo: key highlights where attention is required (e.g. reputational risk).

Ongoing through the year: Directorates identify, assess and manage their risks.


Confidential

POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE

Regulatory Risk Framework & Controls

1. Purpose
The purpose of this paper is to:

1.1 provide the Committee with an oversight of the regulatory landscape in which Post
Office operates;

1.2 describe the control framework that exists in Post Office to manage this;

1.3 provide the committee with a view of actions in place to address any identified gaps
in the framework; and

1.4 gain the committee’s approval to the proposal for review of the control framework.
2. Background

2.1 Prior to separation, Post Office largely relied on Royal Mail Group to set the
framework for managing regulatory risk. As an independent company, it is necessary
that Post Office has in place its own arrangements.

3. Activity to date

3.1 A refresh of the regulatory landscape (originally documented in 2004) has been
carried out to reflect current legislation, regulation and applicable codes of practice.
This has been validated and augmented by Bond Pearce LLP.

3.2 A desktop exercise has been carried out to identify:

- The impact of the regulation on each directorate;
- The primary owner of policy for this regulation;
- The accountable ExCo member;
- Monitoring and assurance controls in place to assure compliance with the regulation.

3.3 The impact, likelihood and aggregate risk for each regulation has been assessed
and the risks have been prioritised on this basis.

3.4 The complete landscape can be seen in the associated spreadsheet ‘filename?’

3.5 The individual ExCo members have endorsed the outputs from this exercise.

Regulatory Risk Framework & Controls Susan Crichton Page 1 of 2
6" February 2013
4. Outputs

4.1 As a result of the above activity, the following list of high regulatory risks has been established for Post Office:

Regulatory risk                                         | Policy Owner  | Directorate                | Policy                 | Assurance
Significant loss of customer data by Post Office        | Martin Moran  | Commercial                 | Data Protection Policy | Annual training
Significant loss of customer data by 3rd party supplier | Lesley Sewell | Strategy (inc IT & Change) | Data Protection Policy | Supplier contracts; Audit & inspection programme

4.2 There are no policy or assurance gaps associated with the identified significant risks.

4.3 The full framework of regulatory risks can be found in the associated spreadsheet:
‘Reg framework — list of applicable regulations’

4.4 Where a gap exists in the control framework for other risks, the accountable ExCo member has commissioned an action plan to address this within the next 6 months.

5. Proposals

5.1 It is proposed that the Risk & Compliance Team will maintain the regulatory
landscape document in its new format.

5.2 It is proposed that the current status of controls will be maintained through the
Internal Control Framework, with a report produced which will form the basis of
regular monitoring by control owners with oversight provided by the Risk &
Compliance Team.

5.3 It is proposed that a summary scorecard will be developed by the Risk & Compliance
Team with a quarterly summary provided to the Risk & Compliance Committee.

6. Recommendations
The Committee is asked to:
6.1 Confirm that the regulatory framework identified is comprehensive;

6.2 Agree that the controls in place are adequate to manage the significant risks
identified;

6.3 Endorse the approach to monitoring; and
6.4 Agree that the ARC should review the scorecard and landscape annually.

Susan Crichton
6 February 2013


Confidential

POST OFFICE LIMITED AUDIT, RISK AND COMPLIANCE COMMITTEE

Treasury Risk Management: Framework, Policies and Authorities

Purpose
The purpose of this paper is to:

1.1 Provide the Committee with an overview of the treasury risks to which the Post Office is exposed;

1.2 Describe the actions that are taken to mitigate these risks;

1.3 Propose a framework of treasury policies and procedures to identify, manage
and control treasury risks, including:

- The associated authorities and limits.
- The governance and reporting mechanisms.

1.4 Gain approval for the framework, policies and authorities such that the
Committee recommends to the Post Office board the adoption of this
framework, policies and authorities.

Background

2.1 On 26 March 2012, Post Office Limited took control of its own treasury activities from Royal Mail but, to maintain continuity and to de-risk the transfer, retained the same approach and investment limits that had been applied within Royal Mail treasury. There have been no breaches of these policies.

2.2 A review of treasury risks of Post Office Limited has now been carried out and
Post Office has developed its own treasury policies. This paper:

- Recommends an overall approach to treasury risk management;
- Describes the principal risks the Post Office is exposed to;
- Based on the above two points, proposes a treasury management framework, which sets out the procedures to identify, manage and control treasury risks.

2.3 The new framework, policies and authorities will be in place by 31 March 2013.

Treasury Risk Management: Chris Day Page 1 of 24
Framework, Policies and Authorities January 2013
Treasury Risk Management Approach
3.1 The key principle of Post Office's treasury risk management is to minimise risk by taking a cautious approach. As appropriate, and without compromising this key principle, the most cost-effective solutions are sought.

3.2 The treasury management framework has therefore been designed to:

- protect financial asset values.
- minimise income statement volatility.
- ensure the Post Office can meet its financial obligations as they fall due via appropriate short term liquidity management.
- set out an appropriate capital structure and secure long term funding to meet overall business objectives and shareholder return requirements.

3.3 The key areas of risk that treasury manages to protect asset values and
minimise income statement volatility are:

- Foreign exchange risk - arises from the holding of currency balances in the network and cash centres to meet "on demand" requirements from customers.

- Commodity risk - arises from movements in the price of diesel, gas and electricity used throughout the business.

- Interest rate risk - adverse movements in interest rates will negatively impact the cost of funding.

- Insurance risk - Post Office has appropriate and adequate insurance programmes in place to cover material loss categories at optimal cost.

- Adverse movements in asset values and income statement volatility are also created via counterparty exposures as a result of treasury and commercial activity.

3.4 Short term liquidity management objectives are met as follows:

The Post Office has access to a £1.15bn working capital facility provided by the Department of Business, Innovation and Skills (BIS). Funding requirements must be notified to BIS 2 days in advance. Forecasting variances may lead to a shortfall between the amount drawn down and the actual amount required. The strategy to mitigate the risk of a shortfall between notified and actual funding requirements is to hold a liquid investment reserve of £50m and to have uncommitted facilities of £50m available for drawdown.¹

In addition, Post Office is a member of the Bank of England (B of E) Notes
Circulation Scheme. The scheme allows the Post Office to declare and

¹ Note - As facilities are uncommitted, they may not always be available for drawdown. Actual facilities in place are £80m but drawdown is limited to £50m per the working capital agreement with the Department of Business, Innovation and Skills.


notionally "deposit" cash with B of E, reducing the Post Office's funding requirement on a daily / overnight basis. The operation of the scheme requires the provision of collateral facilities to B of E. These are currently provided by RBS and total £550m, split £350m intraday facility and £200m overnight facility.

3.5 Long term funding is managed through on-going dialogue with Government, to
ensure an appropriate capital structure and / or long term funding is in place
over 3 -5 year time horizon. Currently, Post Office is in year one of a three year
funding plan which has been agreed with Government. This provides the

following:

- Funding of £410m in FY 2012/13.
- Funding of £415m in FY 2013/14.
- Funding of £330m in FY 2014/15.
- Working capital facility of £1.15bn expiring on 31 March 2016.
4 Recommendation

The Committee is asked to:
- Acknowledge the treasury risks to which the Post Office is exposed.
- Recommend the proposed framework of treasury policies and procedures to the Post Office Limited Board, including:
  - The governance and reporting mechanisms.
  - The associated approvals and limits.
5 Treasury Risks

5.1 The principal treasury risks to which the Post Office is exposed are described in
this section with recommendations as to how each risk should be managed.

5.2 Foreign Exchange Risk

Nature of Risk

Post Office foreign exchange risk principally arises from the holding of currency balances in the network and cash centres to meet "on demand" requirements from customers.² All currencies are purchased from FRES. The risk arises from the time of purchase from FRES to the sale of the currency to the customer. The size of balances on hand is determined by historic demand.

² Pre-order and online sale of currency is transacted via the Post Office JV with FRES.


Size of Risk

Post Office holds balances in 72 currencies. On average, currency holdings are
approximately £58m but can peak at over £100m during holiday periods. EUR
and USD comprise over 80% of the total balance as illustrated in the table

below.
Range         | Average: No of CCYs | Balance £m | %   | Maximum: No of CCYs | Balance £m | %   | Estimated income statement impact post hedging +/- £m
> £10m        | EUR                 | 35         | 60  | EUR                 | 63         | 62  | 0.31
              | USD                 | 12         | 21  | USD                 | 23         | 22  | 0.09
£1m - £10m    | 3                   | 5          | ?   | 3                   | ?          | ?   | 0.03
£0.5m - £1m   | 3                   | ?          | ?   | 8                   | ?          | ?   | 0.02
£0.1m - £0.5m | 15                  | 4          | 7   | 17                  | 3.3        | ?   | 0.37
< £0.1m       | 49                  | 0.5        | 1   | 47                  | 0.9        | ?   | 0.04
Total         | 72                  | 58         | 100 | 72                  | 103        | 100 | 0.86

(Cells marked ? are not legible in the source.)

A more detailed analysis by currency is shown in appendix 1.

Applying a policy of hedging 90% of each currency balance over £0.5m (as described in 7.2), leaving 10% of the balance unhedged, and not hedging balances below £0.5m, the "expected" gain / loss in the income statement would be approximately +/- £0.86m based on actual currency volatility over the last 12 months.

Foreign Exchange Risk Management Recommendation

- Up to 90% of the average forecast holding 1 month forward for all balances over £1m will be hedged where an active FX market exists.

- Hedging of forecast average holdings 1 month forward between £0.5m and £1m is at the discretion of the Head of Corporate Finance. Hedges will be up to 90% of the forecast holding 1 month forward where an active FX market exists.

- Forecast average holdings 1 month forward below £0.5m will not be hedged.

5.3 Commodity Risk

Nature of Risk

Post Office is exposed to movements in the price of diesel, gas and electricity
used throughout the business.


Size of Risk

The annual expenditure on commodities is approximately £8m split as follows:
diesel, £3m, gas, £3m and electricity £2m. Historically, Post Office commodity
volumes have been included within the Royal Mail hedging program and it is
intended to continue with this arrangement.

The size of annual expenditure is relatively small for Post Office Limited and
hedging of commodity exposures at these volumes would not be economic on a
standalone basis. Royal Mail has much larger exposures to these commodity
types and operates a comprehensive 3 year rolling commodity hedging program
to provide financial planning certainty for future financial years. Post Office
volumes comprise the following approximate percentages of the total hedged by
Royal Mail: diesel 2%, gas 9%, electricity 9%.

As Post Office is a small participant in the overall commodity hedging program
and the values are relatively immaterial for the Post Office, Royal Mail policies
and targets have been reviewed and are considered appropriate for adoption by
Post Office.

Current hedge position for future years

The table below summarises the current hedge position across all commodities.
For FY2013/14 forecast requirements are fully hedged, FY2014/15 is 80%
hedged and FY2015/16 is 25% hedged.

[Table: hedge execution history by quarter (Oct 2010 to Sep 2013) against the quarters to be hedged in FY2013/14, FY2014/15 and FY2015/16, with the average hedge % for each year; the figures are not legible in the source.]

* Discretionary trades to advance the next quarter's volumes will be allowed.

Commodity Risk Management Recommendation

- Continue to participate in the current commodity hedging programmes with Royal Mail.

5.4 Interest Rate Risk

Nature of Risk

Adverse movements in interest rates will negatively impact the Post Office's cost of funding.

Post Office funding is via a £1.15bn floating rate working capital facility from BIS
maturing in 2016. Interest is calculated at LIBOR + 0.5%. Post Office earns
commission (credited to revenue) at a rate of LIBOR — 0.125% on the balances
of benefit payments held by JP Morgan. This arrangement expires in 2015 with
an option to extend for a further 2 years. In general, the refund of benefit
payments is at least equal to the Post Office borrowing requirement as the
balances are considerably larger than the facility. The commission (interest)

receivable on benefit refunds creates a natural hedge against the interest
payable on the working capital facility.
Size of Exposure

The net interest expense is shown below. Note, this is net interest payable and
excludes the commission discussed above.

£m           | FY 2011/12 Actual | FY 2012/13 Budget | FY 2012/13 YTD Actual
Net Interest | 6                 | 8                 | 3

Interest Rate Risk Management Recommendation

- Continue to utilise the "natural hedge" offset opportunity provided through LIBOR based floating rate interest payable on the working capital facility and LIBOR based interest receivable on the refund of benefits paid on behalf of government.

5.5 Insurance Risk
Nature of Risk
Post Office faces the following insurable risks: crime, property / business interruption, employers' and public liability, motor, directors' and officers' liability and personal accident. Post Office has appropriate and adequate insurance programmes in place to cover these material loss categories at optimal cost.

Programme summary

[Table in the original, largely illegible in the source. Recoverable details: limits per class of full value, unlimited and £5m; deductibles of £1m each and every loss on the primary layer, £250k each and every loss for EL and PL, and £250k each and every loss for motor; insurers include Liberty, Lloyds and Zurich; net premiums of £721,307, £215,109, £682,147, £11,200 and £4,700, total £1,634,463.]

Directors' and officers' liability remains a shared policy with Royal Mail Group.

Insurance Risk Management Recommendation

- Current programme executed in October 2012. No changes required.
5.6 Counterparty Risk

Summary

Post Office Limited's exposure to financial counterparties³ primarily results from the following transaction types:

- Individual contracts to support Post Office financial services activity. Exposure is primarily generated through the clearing of debit card and cheque receipts, processing of benefit payments and collections associated with ATM withdrawals. Total exposure approx. £420m.

- Corporate banking and Treasury activity. Principally investment of surplus funds (covered in the Short term Liquidity Management section 5.7 below) and settlement processing. Total exposure approx. £220m.

- Over the counter cash transaction services. Withdrawals via the Post Office branch network for retail banking customers. This creates exposures equal to the amount paid out by the Post Office on behalf of the bank and the commission due for providing this service to each bank. Total exposure approx. £40m.

Exposures by transaction type are summarised below:

[Chart: Counterparty Exposure by Transaction Type (£m). Bars for Benefits reimbursed, Sale of bank notes, ATM clearing, Debit card clearing, Cheque clearing, Money Market Funds, Deposits, Corporate banking, Commissions receivable and Payments reimbursed, grouped as individual contract exposures, Treasury exposures and over the counter exposures; axis 0 to £200m; bar values not legible in the source.]

Exposures by transaction type and counterparty are detailed in appendix 2.

³ POL also has very short term corporate counterparty exposures resulting from cash distribution activity. This exposure is outside the scope of this paper.


Post Office Counterparties

The counterparty population supporting Post Office financial activity is shown in
the graph below. Where a counterparty is shown with a £nil exposure this is
because the Post Office always has a net payable position to that counterparty.

[Chart: Maximum Net Exposure by Counterparty (£m) for SWIP, Santander, RBS MMF, RBS, NS&I, Nationwide, NAB - Clydesdale, NAB - Yorkshire, Moneygram, Lloyds/HBOS, JP Morgan (2), INVESCO, IGNIS, Global Payments, HSBC, Co-op, Blackrock, PSL, Barclays, Link / BoI (ATMs) (1) and Bank of Ireland; axis 0 to £180m; bar values not legible in the source.]

The largest exposures are generated by clearing activity (cheques, debit cards,
ATM's), reimbursement for the settlement of benefits and investment of surplus
funds via money market deposits.

A full list of financial counterparties and net exposures is shown in appendix 3
with activity by counterparty shown in appendix 4.

Counterparty strategy and principles

- Over the counter. Continue to grow counterparties for this commercial offering subject to appropriate counterparty credit checks.

- Consolidate corporate banking services into a smaller number of service providers.

- Maintain banking relationships required for geographic purposes (i.e. Bank of Ireland and Clydesdale).

- Ensure sufficient investment funds are available to diversify risk.

- Head of Corporate Finance to approve counterparty selection for all contracts involving financial institutions (except the appointment of new over the counter customers).


- Counterparty selection will consider the risk arising from existing exposures to a particular counterparty when contracts are renewed / awarded, including the appointment of new over the counter customers.

5.7 Short term Liquidity Management

Nature of Risk

Funds in excess of daily /short term liquidity requirements are deposited with
financial institutions. A combination of money market funds and bank deposit
accounts are used to manage this together with DMO. Investment of funds
creates an exposure to financial counterparties.

Size of Exposure

The Post Office will receive a second tranche of funding of £415m in April 2013 from the government. This, together with daily and seasonal cash flow variation, is likely to lead to a significant cash surplus, potentially above £500m during H1 FY 2013/14. This situation is likely to be repeated in H1 FY 2014/15. The current number of counterparties and limits will not be sufficient to allow all surplus cash to be deposited. Credit limits by investment type / category will be increased to accommodate the additional inflow of funds. These proposed new limits are detailed below. The Treasury and Financial Services Committee (see section 6.1) will be updated on a regular basis and will recommend changes as appropriate.

Investment type / counterparty                 | Current limit £m | Proposed limit £m
Money market funds (corporate / institutional) |                  |
IGNIS                                          | 30               | 30
INVESCO                                        | 30               | 30
RBS MMF - Institutional                        | 50               | 30
SWIP Investments                               | 100              | 50
Blackrock                                      | 50               | 50
Unallocated                                    | 0                | 60
Total                                          |                  | 250
Money market funds (Government stock / gilts)  |                  |
Unallocated MMF Govt stock / gilts             | 0                | 150
Total                                          |                  | 150
Bank deposits                                  |                  |
Barclays - FIBCA                               | 30               | 30
DMO Govt Deposit                               | Unlimited        | Unlimited

Short Term liquidity Management strategy and principles

- Deposits with money market funds which invest in corporate / institutional funds limited to £250m in total. Exposure to new counterparties will be capped at £30m per counterparty.

- Deposits with money market funds investing in Government stock limited to £150m in total. Investments in individual funds to be capped at £50m.


- Where a single counterparty has segregated institutional funds and government stock funds, investments can be made in both funds subject to the limits above.

- Deposits with banks limited to £30m per banking group. The number of bank counterparties will remain flexible to provide additional investment capacity.

- Where possible, align investment activity with other financial activity with the same counterparty, but without creating additional risk, e.g. use of a money market fund from a corporate banking counterparty (RBS corporate bank account and RBS money market fund, ensuring the risks are independent).

- Maintain sufficient funds to ensure diversification of risk.
6 Treasury Risk Management Framework: Governance and Reporting
The following structures are recommended to govern and report on treasury risks
6.1 Treasury Risk Governance
Treasury risks are governed through the following structures:

Post Office Board: Authority to approve policies and approval limits relating to treasury risk management resides with the Board. Treasury risk management includes but is not limited to the following: foreign exchange, commodity, insurance, interest rate, short term liquidity management, long term funding / borrowing and counterparty. The Board will delegate authorities to facilitate the operation of treasury risk management and the daily operation of the treasury function as detailed in sections 6 and 7 of this document.

Audit, Risk and Compliance Committee: Financial risk management policies
and approval limits are recommended to the Board for approval by the Audit
Committee.

Treasury and financial services committee: The treasury and financial services committee meets on a quarterly basis to review financial risks, and reports on and recommends changes to policy to the audit committee as required. The treasury and financial services committee composition includes: CFO, Head of Corporate Finance, Treasurer.

The Board has delegated the following specified authorities to the CFO and Head of Corporate Finance (HofCF). Treasury reports to the HofCF.

CFO authorities:
- Approval of investment instrument limits
- Approval of counterparty selection criteria
- Approval of counterparty limits

Head of Corporate Finance authorities:
- Approval of counterparties
- Approval of counterparty limits within the approved investment instrument limits
Daily operation of treasury activity is delegated to the following panels:


Treasury Authorisation Panel
  Members appointed by: Head of Corporate Finance
  Authorities: Investment and borrowing approval
  Current composition: Charles Colquhoun, Louise Fairhurst, Ruth Pearson, Carl Nielsen, Lorraine Finnie, Andrew Smith

Dealing Panel
  Members appointed by: Head of Corporate Finance
  Activities: Execution of approved daily investment / borrowing transactions
  Current composition: Andrew Ashsall, Martin Knights, Ryan Skidmore, Louise Fairhurst, Ruth Pearson

Banking Control Panel (BCP)
  Members appointed by: CFO together with any one BCP member
  Authorities: Opening and closing bank accounts; maintenance of bank mandates. Exclusions: authorisation of payment instructions
  Current composition: Mark Wood, Sue Oxley, Dawn Brooks, Alison Bolsover
  Opening and closing of bank accounts: any two signatures from the BCP, or a POL director or the company secretary, following prior approval from the POL Treasurer
  Other banking instructions (other than payment instructions): any one member of the BCP, or a POL director or the company secretary

Banking Authorisation Panel
  Members appointed by: Any one member of the BCP
  Activities: Authorisation of payment instructions

Payment Panel
  Members appointed by: Any one member of the BCP
  Activities: Release of payments to bank
  Limits: < £50k - any one payment panel member; > £50k - any two payment panel members

6.2 Treasury Risk Management Reporting
Policy breaches will be immediately reported to the CFO.

The Treasury and Financial Services report will be produced on a quarterly basis. The contents of the report will include: foreign exchange risk management, interest rate risk management, commodity risk management, counterparty exposures, long term funding update and short term liquidity management, together with any policy changes required and a review of any policy breaches.

The Treasury and Financial Services Committee will meet on a quarterly basis. It will review the Treasury and Financial Services report and consider any other treasury risk management issues as required. The committee will be scheduled such that at half year and full year the Treasury and Financial Services report will be forwarded to the audit committee. The audit committee will therefore receive a twice-yearly update on treasury risk and activity.

7 Financial Risk Management Framework: Policies & Authorities

The following treasury policies and authorities are recommended to manage the treasury
risks that have been identified:

7.1 Short term Liquidity Management / Investment Risk

Risk Management Objective

Ensure the security of funds invested. Minimise investment exposure to individual financial counterparties via use of appropriate instruments, i.e. Money Market Funds (MMF). Diversify MMF risk over a number of counterparties. Corporate deposits are used for investment of late advised funds and un-forecasted outflows.

Investment Risk Management Policies

Investment is only allowed in sterling denominated funds / accounts.

a) Money Market Funds:
- The fund must be AAA rated.
- The Post Office proportion of the total fund managed must not be greater than 10% of the total fund.
- Funds must have a stable or accumulating net asset value with daily liquidity.

b) Bank deposits:
- Bank must have a long term credit rating of at least single A.
- Bank must be a member of CHAPS (a list of CHAPS banks is attached in appendix 5).

Authorities

- Only treasury is authorised to invest surplus funds.
- CFO is authorised to approve counterparty limits.
- CFO is authorised to approve investment instruments.
- Head of Corporate Finance is authorised to approve counterparties.

Maturity and investment limits are as shown in the table below:

Maturity       | Amount  | Authority
Up to 1 month  | < £300m | One of Treasury Authorisation Panel
1 to 3 months  | < £100m | One of Treasury Authorisation Panel
3 to 6 months  | < £50m  | One of Treasury Authorisation Panel
Up to 1 year   | < £300m | Head of Corporate Finance (*)
Over 1 year    | < £50m  | CFO and one other board member
Over 1 year    | > £50m  | POL board

(*) Head of Corporate Finance is also authorised to invest with a maturity of up to 5 years for the purpose of providing collateral for the notes circulation scheme.

7.2 Foreign Exchange Risk

Risk Management Objective

Minimise the impact on the income statement of movements in foreign exchange
rates on currency balances held to satisfy “on demand” transactions by
customers.

FX Risk Management Policies

- Up to 90% of the average forecast holding 1 month forward for all balances over £1m will be hedged where an active FX market exists.

- Hedging of forecast average holdings 1 month forward between £0.5m and £1m is at the discretion of the Head of Corporate Finance. Hedges will be up to 90% of the forecast holding 1 month forward where an active FX market exists.

- Forecast average holdings 1 month forward below £0.5m will not be hedged.

- The maximum maturity of financial instruments used to hedge foreign exchange exposures will be 6 weeks.

- Foreign currency balances can only be hedged using foreign currency forwards and swaps.

- FX hedging instruments can only be used to hedge exposures generated by holding currencies to meet "on demand" transactions by customers.

Authorities

- Only Treasury is permitted to transact hedges to protect against foreign currency movements.

- The Chief Financial Officer is authorised to amend the list of approved FX hedging instruments.

- The Head of Corporate Finance is authorised to approve financial counterparties for hedging.

- The Head of Corporate Finance is authorised to determine the currencies to be hedged.

- Transactions to hedge exposures not created by currency holdings to meet on demand requirements must be approved by the CFO up to £50m and by the Post Office board above £50m.

Accounting for Foreign Exchange instruments used to hedge On demand
Exposures

Exchange gains and losses on currency balances together with gains and losses
resulting from revaluing associated hedges will be recognised in the income
statement as and when they occur. Hedge accounting and the designation of
hedging instruments to underlying exposures will not be undertaken due to the
short duration of the hedges.

7.3 Commodities Risk

Risk Management Objective

Minimise the impact on the income statement of movements in commodity

prices.

Policies

- If economic to do so, treasury will hedge commodity exposures forward to a maximum of 3 years based on forecast future usage.

- The hedging time horizon for all commodity programmes and the associated foreign exchange will be no more than 36 months.

- Major recurring fuel oil, power and gas exposures are reviewed by the Commodity Price Risk Management Board (CPRMB), a Royal Mail committee which meets quarterly and at which Post Office is represented.

- Permitted hedging instruments are spot purchases, currency deposits, forward contracts, call options, matched options (e.g. cylinders) and swaps. Futures will not be used without specific authority of the Chief Financial Officer.

Accounting for commodity hedges

The Post Office will designate commodity cash flow hedges against forecast
underlying exposures. Unrealised gains and losses on hedges will be deferred in
reserves and recycled to the income statement when the hedge matures, to match
the forecast expenditure.

Approvals

- Only Treasury is permitted to transact hedges to protect against
commodity price movements.
- Commodity hedging counterparties are approved by the CFO.
- Commodity hedge transactions are approved by the Head of Corporate
Finance.
7.4 Interest Rate Risk
As noted in the section above, the risk of adverse movements in interest rates on the
floating rate LIBOR working capital facility is offset by LIBOR based commission
receivable on the refund of benefits payments from the government. This forms
an effective natural hedge.

Any changes to this strategy will be approved by the Audit, Risk and Compliance
Committee and the board.

No hedging instruments for interest rate risk management are currently
authorised.
7.5 Funding / Borrowing
Policy
Borrowing is only permitted in sterling.

Borrowing is only permitted as per the funding agreement with the Department for
Business, Innovation and Skills, as follows:

- Working capital facility of £1.15bn expiring on 31 March 2016.
- Maximum £50m external facilities.
- Maximum £50m leasing.
- Facilities to support Post Office's participation in the note circulation
scheme: maximum £550m.

Authorities

Authorities to drawdown under the facilities are as follows:

External borrowing
| Amount | <£50m | <£50m | <£50m |
| Maturity | Overnight | Up to 6 months | Over 6 months |
| Authority | Head of Treasury authorisation panel | Head of Corporate Finance | CFO |

Note: Total maximum external borrowing (exc BIS & leasing) is limited to £50m

Leasing & contract hire
| Amount | <£50m | <£50m |
| Maturity | <8 years | <8 years |
| Authority | Head of Corporate Finance (with prior approval from CFO) | |

Note: Total maximum leasing is limited to £50m

Working capital facility with BIS
| Amount | Up to £500m | Up to £1.15bn | Up to £1.15bn |
| Maturity | Up to 12 months | Up to 12 months | >12 months |
| Authority | Head of Treasury authorisation panel | Head of Corporate Finance | CFO |

7.6 Guarantees
Nature of Risk

Guarantees that are provided by Post Office Limited create a financial exposure if they
are called.

Policy

In general, Post Office will not enter into financial / bank guarantees.
Approvals

Only the CFO is authorised to issue bank guarantees / performance bonds.

Chris Day
January 2013

Appendix 1 — Foreign Exchange by currency


| Range | Currency | No. of currencies, average balance £m and %, maximum balance £m and %, 52 week FX rate high / low | Est. volatility | Estimated income statement impact +/- £m |
| < £0.1m | 49 currencies (average), 47 (maximum) | 0 1 0 0 | 10% | 0.04 |
| £0.1m - £0.5m | 15 currencies (average), 12 (maximum) | 4 7 3 3 | 10% | 0.37 |
| £0.5m - £1m | EGP | 1 1 At 92 10.4 | 12% | 0.01 |
| | NZD | 14 14 19> 24 | 11% | 0.01 |
| | CHF | 1 1 tt 1.4 1.5 | 8% | 0.01 |
| | HRK | 1 4 8.7 9.7 | 10% | 0.00 |
| | PLN | 14 49 56 | 13% | 0.00 |
| | BGN | Te 2.3 2.5 | 9% | 0.00 |
| | THB | 121 47.5 50.6 | 6% | 0.00 |
| | AED | 120 5.6 6.0 | 7% | 0.00 |
| | CAD | 1 2 14 1.5 1.6 | 5% | 0.01 |
| £1m - £10m | AUD | pS I 2:2 1.6 1.6 | 10% | 0.02 |
| | TRY | 2.3 44 27 29 | 6% | 0.01 |
| > £10m | USD | 12 21 23 22 1.5 1.6 | 7% | 0.09 |
| | EUR | 35 60 63 62 1.2 1.3 | 9% | 0.31 |
| Total | | 58 100 72 103 100 | "Expected" gain / loss | 0.85 |

Appendix 2: Gross Counterparty Exposures by Transaction Type (£m by product / service)

| Financial institution | Payments reimbursed (OTC) | Comm's receivable (OTC) | OTC total | Corporate banking (Treasury) | Money market deposits (Treasury) | Funds (Treasury) | Treasury total | Cheque clearing | Debit card clearing | ATM clearing | Sale of bank notes | Benefits reimbursed | Individual contracts total | Total gross exposure |
| Bank of Ireland | | 3 | 3 | | | | | | | | | | | 3 |
| Link / BoI (ATMs) | | | | | | | | | | 90 | | | 90 | 90 |
| Barclays | | | | | 20 | | | | | | | | | 25 |
| IPSL | | | | | | | | 160 | | | | | 160 | 160 |
| Blackrock | | | | | | 50 | 50 | | | | | | | 50 |
| CO-OP | 1 | | 1 | | | | | | | | | | | 1 |
| HSBC | | | | 1 | | | 1 | | | | | | | 1 |
| Global Payments | | | | | | | | | 80 | | | | 80 | 80 |
| IGNIS | | | | | | 30 | 30 | | | | | | | 30 |
| INVESCO | | | | | | 30 | 30 | | | | | | | 30 |
| JP Morgan | | | | | | | | | | | | 60 | 60 | 60 |
| Lloyds / HBOS | 15 | 2 | 17 | | | | | | | | | | | 17 |
| NAB | | | | | | | | | | | 30 | | 30 | 30 |
| Nationwide | 2 | | 2 | | | | | | | | | | | 2 |
| NS&I | 2 | | 2 | | | | | | | | | | | 2 |
| RBS | 6 | 1 | 7 | 3 | | | 3 | | | | | | | 10 |
| RBS MMF | | | | | | 30 | 30 | | | | | | | 30 |
| SWIP | | | | | | 50 | 50 | | | | | | | 50 |
| Total | 33 | 6 | 39 | 6 | 20 | 190 | 216 | 160 | 80 | 90 | 30 | 60 | 421 | 645 |


Appendix 3: Net Counterparty Exposures (£m; bracketed figures are netted payables)

0
90 90 90
20 29 29
160 160 160
50 50 50
(10) 1 1
1 4
60 60 60
30 30 30
30 30 30
90 90 90
15 2 17 17
(5) 0 0
0 0 0
30 30 30
2 2 2
2 (40) 2 0
6 1 (550) 3 10
30 30 30
(150) 0 0
50 50 50
Total: 33 6 (350) 6 20 190 685 669

(1) Growth bond payables to BoI
(2) Processing of benefit payments
(3) Clearing of cheques from multiple counterparties
(4) Clearing of debit card receivables from multiple counterparties
(5) Small business banking
(6) Note circulation scheme & uncommitted facilities

Appendix 4: Summary of services by counterparty

| Counterparty | Owner | Service | Maximum exposure & duration | Comment |
| Barclays | Treasury | Corporate deposit (o/night) | £30m | Manage fluctuations in daily forecast cash flow |
| IPSL (via contract with Barclays) | FSC | Clearing of cheques received through network. Cheque clearing contract signed with Barclays but managed by IPSL | £160m (2 day clearing) | As this is a clearing process, risk lies with banks on which cheques are drawn, i.e. this is disaggregated over a number of counterparties |
| CO-OP | FSC | Postal order clearing | £nil | Post Office is a net payer as CO-OP is paying bank for PO's cashed |
| | FSC | Camelot lottery payments / collection | £nil | Post Office is net payer due to purchases of lottery tickets |
| Lloyds | Treasury | Scottish Widows (SWIP) money market fund | £50m | Investment of short term surplus cash |
| Citi | Treasury | Uncommitted loan facility £30m | £nil | |
| National Australia Bank Group - Clydesdale | Supply | Sale of GBP notes to Clydesdale to support their note issuance. Sale of £50 notes | £30m | Exposure attached to settlement by Clydesdale for notes purchased |
| Ignis | Treasury | Money market fund | £30m | Investment of short term surplus cash |
| Invesco | Treasury | Money market fund | £30m | Investment of short term surplus cash |
| HSBC | Treasury | Bank accounts to support debit card clearing | £1m | Overnight exposure relating to clearing of debit / credit card transactions |
| Global Payments (via contract with HSBC) | FSC | Clearing of card payments received through network | £60m | As this is a clearing process, risk lies with banks on which debit cards are issued, i.e. this is disaggregated over a number of counterparties |
| Link / Bank of Ireland | FSC | ATM cash servicing | £90m | Average overnight exposure £90m. Can peak at £130m after bank holidays |
| JP Morgan | FSC | Processing of benefits settlements | £90m | Overnight exposure £90m. Intraday exposure can be as high as £150m |
| RBS | Treasury | Intra-day and overnight facilities and provision of RTGS account to support Post Office membership of note circulation scheme | £nil | |
| RBS | Treasury | Primary corporate banking partner for Post Office settlements etc. | £nil - £5m | |
| RBS | Treasury | Uncommitted loan facility £50m | £nil | |
| Santander | FSC | Small business banking | £nil | |
| Yorkshire Bank (owned by National Australia Bank Group) | Treasury | Corporate deposit | £1m | To be closed |

Appendix 5 - CHAPS Banks

Bank of America (N.A.)
Bank of England
Bank of Scotland (HBOS)
Barclays Bank PLC
Citibank N.A.
CLS Bank International
Clydesdale Bank PLC
The Co-operative Bank PLC
Danske Bank
Deutsche Bank A.G.
HSBC Limited
J.P. Morgan Chase Bank
Lloyds TSB Bank PLC
National Westminster Bank PLC
The Royal Bank of Scotland PLC
Santander UK PLC
Standard Chartered
State Street Bank
UBS A.G.

POL00184703

Strictly Confidential

POST OFFICE LTD

Publication of our Report and Accounts — Key Messages

1. Background and Purpose

1.1 The purpose of this paper is to set out plans for the publication of the Post Office's
Report and Accounts for the financial year 2012/13. It deals with key messages and
the overall suggested tone of the document. It also proposes a timeline for clearance
of the report and sets out proposals for the style and promotion of the publication.

1.2 This will be our first such Report and Accounts as an independent company. We
should therefore seek to surprise, to demonstrate an innovative approach and to find
ways of standing out from other such reports. This paper sets out an initial direction
of travel.

2. Tone and key messages

2.1 The report is planned for publication in June against the backdrop of tight budgetary
control within the company, a difficult external economic environment which is putting
pressure on margins and discussions with Government around future strategy and
post-2015 funding positions.

2.2 We will work to align messages in the Report and Accounts with those currently
being worked up for our future strategy (on which the Communications and Strategy
teams are working together).

2.3 Subject to that process, we propose that the tone of the report should therefore be
one of:

- solid progress on fundamentals creating confidence for the journey ahead (with a
sense that in key areas, such as Network and Crown Transformation, the
turnaround has started, albeit in difficult circumstances)

- excitement at the innovation and change capabilities of this newly independent
company to deliver commercial and social value: the spirit of a start-up

- realism as to the task ahead, and empathy with subpostmasters and colleagues
as we work together in challenging circumstances

An outline report structure appears as Annex 1. An illustration of the proposed overall
tone can be seen in the initial draft of the Chairman's Statement given at Annex 2.
A draft Corporate Governance statement and statutory Directors' Report are provided
at Annex 3. To provide context, at Annex 4 we also produce a draft of what the
Financial Review within the Accounts might look like based on Q3 forecasts.
Ultimately the tone, messages and approach need to be driven by what the financial
results reported will say.

3. Key messages within the Report and Accounts Document

3.1 We are a fully independent Company — a commercial business with a social purpose
— which operates and reports to plc standards.

3.2 We have made solid progress over the past year and are on track towards financial
sustainability. Significant steps have been taken as part of this: a new Board,
progress on transforming the business, the creation of the Stakeholder Forum.

Report and Accounts Mark Davies and Chris Day Page 1 of 24

ExCo 12 February 2013

3.3 We are also creating a new culture for this new independent company: more focused
on the customer, more innovative and flexible in the face of change: a culture which
recognises our unique place in society, and listens to all those with whom we
engage.

3.4 We are developing a strategy which will position us as a multi-channel company
which remains at the heart of communities — delivering key and essential services
across financial services, mails, government services and beyond.

3.5 But we are also realistic about the challenges we face, such as the economic
environment, the digital revolution and customer perceptions around relevance and
effort. We have no illusions about the hard work ahead, but our determination to
deliver the business transformation of the decade is undimmed.

3.6 We are proud to be part of the social and economic fabric of the UK. We will work
with Government to realise the commercial and social potential of our network.

4. Timeline

4.1 An outline of the timetable is given at Annex 5. The structure and approach to the
report will be cleared through corporate governance mechanisms in advance of year
end with Board sign off in late May and publication from early June.

5. Publication and promotion

5.1 We plan to produce an annual report in such a way that it reinforces our core
communications aim of both surprising and reassuring. We intend to surprise readers
about the ways in which the Post Office is changing, but also reassure that the Post
Office retains its traditional values around trust and social purpose. We intend to
seek to reinforce these points through the style of the annual report. It will be
authoritative and comprehensive, in the way one would expect from an organisation
of our size and status, but it will also surprise: we do things slightly differently.

5.2 We propose that traditional paper copies of the report are produced alongside an
interactive digital version. We will also produce a video version, with interviews from
the chairman, chief executive, members of staff, customers and subpostmasters.

5.3 To this end we are seeking specialist agency advice and are assessing the way in
which other businesses approach their Report and Accounts (by examining examples
of last year’s publications from a range of other companies)

5.4 In the spirit of seeking to develop an innovative approach, the content of our report
will include an introduction from the Chairman and an executive summary from the
Chief Executive but could also provide space for comments and reflections from
members of staff, customers and subpostmasters. Involving a broad range of Post
Office people emphasises the 'surprise' element — few companies would take this
approach — and showcases our ways of working: engaging, listening and learning.

5.5 We also plan to commission new photography for the report and engage an agency
to support this project. Work on identifying an appropriate agency is ongoing. The
project will be funded from the communications budget.

5.6 A full PR and stakeholder plan will be developed around the report, including a
launch event which we suggest takes place outside London and with regional
elements (with Board members and ExCo involvement). The PR plan will build on the
success of the media work around our half-year results.


6. Key Risks

6.1 Key stakeholders may choose not to engage in the process, and the media plan may
lead to criticism (depending on the status of wider business issues such as network
transformation). Given the 'routine' nature of companies producing annual reports, we
will have to fight all the harder to gain media interest.

6.2 We also need to ensure we engage all relevant stakeholders in the development of
the report, at appropriate levels and with clarity around their expectations.

6.3 We will mitigate these risks through effective project planning and a flexible response
to the changing external environment. We will have a clearly defined early view of what
the core Report and Accounts looks like but have scope for adjustment and flexibility
in the way we implement the media / stakeholder engagement around its launch.

Chris Day and Mark Davies

February 2013

Strictly Confidential
Annex 1

High Level Outline of Report and Accounts structure

Chairman's Statement
Performance Highlights
Chief Executive's Review
- Personal Comments
- Progress as an independent company on plan to 2015
- Network Modernisation - Agents and Crowns plus direct / digital channels
- Front Office developments
- Financial Services Developments
- Telephony and Travel developments
- Mails developments
- Developments in support infrastructure - Cash carrying, IT and administration
- Mutualisation / Ways of Working
- Looking forward

A view from a Subpostmaster
A view from a Crown Counter Colleague
A view from a customer
A view from a small business customer

Financial Review - Financial numbers with general explanation of movements

Business Review - covering
- Strategy - Government policy / funding position. Progress in this area. Developments / challenges ahead
- People - Numbers, diversity, involvement, engagement
- Community - Network - CSR - Involvement - Social Value - Engagement with Stakeholders
- Business Risks

Directors and advisers - biographies/pictures

Corporate governance - covering
- Compliance Statement, making reference to the UK Corporate Governance Code
- Development of Processes
- Roles of Chairman, Chief Executive and Non-Executives and attendance at meetings
- Governance and Committee Structures
- Mutualisation developments
- Risk management / internal control overview

Directors' Remuneration Report - tbc

Directors' report - covering
- Principal activity, business review and employee engagement/CSR (cross ref to review section above) and standard Directors' report content (dividend, donations etc)

Post Office Group consolidated Financial Statements and notes
Post Office company Financial Statements and notes

Strictly Confidential

Annex 2

Draft Chairman's statement - Post Office Ltd Report and Accounts 2012/13

The Post Office is an integral part of the social and cultural fabric of the United Kingdom.

I am delighted therefore to be playing a part in another important chapter in its 350 year
history by presenting its first Report and Accounts as an independent company.

This independence is important. Setting out on our own as a commercial business with a
social purpose was a landmark step in a journey which we intend will place the Post Office
on a sustainable footing. We will be less reliant on the taxpayer, and more focused on
customers and their needs in a fast-changing world.

Our vision is of a multi-channel Post Office — embracing the innovation and agility demanded
in a digital world while also retaining our place at the heart of communities. The Post Office
is changing, and will change more, but our commitment to supporting High Streets across
the UK is unwavering.

Over the next few pages, chief executive Paula Vennells will set out the steps we have taken
during 2012/13 to set us on this path towards a sustainable future.

The thoughts of subpostmasters and staff from across the business are also included. I
thank them for their work to establish the business as an independent company.

It is they who collectively hold the stewardship of this company and it is they who have
delivered the significant progress covered in this report.

I would also like to thank our partners, particularly Royal Mail Group and the Bank of Ireland,
and also the Department for Business, Innovation and Skills for its support over this period. I
would particularly like to thank the three ministers with whom we worked in 2012/13 — Edward
Davey, Norman Lamb and Jo Swinson — for their guidance and support.

The year saw a number of significant developments, from the further strengthening of the
Post Office board to solid progress towards the transformation of hundreds of Post Offices of
all shapes and sizes.

Strictly Confidential

Independence has also led to innovative thinking about our future. This will be reflected in a
new strategy which will articulate a vision of the Post Office in 2020. In the creation of a
Stakeholder Forum, which has brought together a wide range of organisations to define the
public purpose of the Post Office, we have started to consider how our future as a
sustainable business might be enhanced by mutualisation.

Meanwhile we are continually challenging ourselves to ensure that as we change we engage
our people - customers, staff, subpostmasters - in a way which meets these mutual
aspirations: open to challenge, prepared to change, listening and learning.

The financial picture we face as we start our journey is encouraging, albeit against the
backdrop of a difficult economic climate and ever more competitive markets. You can read
more about this in Chris Day’s Financial Review on page xx.

The challenges we face mean that the Post Office must be as ready as at any time in its
history to take new approaches. We must be more adaptable and, crucially, ever more
focused on the people who matter most to our business: our customers.

The Post Office needs to become the oldest company in the UK with the mentality of a
start-up business.

It is in that context that this Report and Accounts should be seen. They report on the first
steps of progress into a new future for a new Post Office: a future which blends the trust,
integrity and accessibility for which the Post Office is renowned with the contemporary
relevance, innovation and professionalism of a financially sound 21st century company.

Strictly Confidential

Annex 3 — Corporate Governance Statement and Directors’ Report

Statement on Corporate Governance
Post Office Limited (the “Post Office”) became an independent company on 1 April 2012.
Corporate Governance Principles

As the Post Office is not a company whose shares are listed and traded on a public
exchange, it is not formally required to report on its compliance with the UK Corporate
Governance Code (the “Code”). Nonetheless, the Board of the Post Office believes this is
an appropriate benchmark for reporting on corporate governance and the following report
therefore follows the model expected of large listed companies.

In its first year of independence, Post Office has established a full Board and Committee
structure and has set principles for good governance which follow the provisions of the
Code, so far as they can apply to a Government-owned entity which has no private or
institutional external shareholders.

Legal Ownership Structure

Post Office considers its principal shareholder to be the Shareholder Executive of the
Department for Business, Innovation and Skills ("ShEx"). ShEx manages the Government's
interest through a legal shareholding in the Company, in the form of one Special
Redeemable Preference Share in Post Office Limited, issued on 1 April 2012.

A strong link remains between Royal Mail and Post Office — Post Office has a long term
agreement in place to continue to supply Royal Mail products and services through its
network. That link is currently reinforced in the corporate structure by a common Group
holding company which holds shares in both the Post Office and Royal Mail main operating
companies. This will remain in place until there is a change in ownership of Royal Mail.

[Diagram: Shareholder Executive (within The Department for Business, Innovation & Skills)]

The Articles of Association of Post Office set out the circumstances in which the Board of
the Post Office must seek the Shareholder’s consent or notify the Shareholder in advance
of proposed changes in the business. Such matters include significant expenditure (over
£20 million), entry into borrowings or financial commitments over £50 million, new areas of
proposed business and changes to Board membership.

Neither Royal Mail Holdings plc nor ShEx have any day to day involvement in the
operations of the Post Office or the management of its branch network and staff.

The Board

Alice Perkins was appointed as Chairman of the Board in July 2011, marking the first step
on the road to building an independent Board for the Post Office. Neil McCausland joined
in September 2011 as the Senior Independent Director and, in the year under review, a
further four non-executive directors have been appointed, each bringing particular skills and
experience relevant to the business targets of growth, modernisation, customer focus and
business efficiency.

The Board therefore now comprises two executive Directors and six independent Non-
Executive Directors, including the Chairman. This provides a strong level of independent
challenge to decision-making and enables the Post Office to call upon a wide range of
experience and opinion. Short biographies of all members of the Board appear on page X
of this Annual Report.

The roles and responsibilities of the Chairman, the Chief Executive Officer ("CEO") and the
Senior Independent Director have each been agreed by the Board and [can be found on
the Post Office website].

All Directors’ appointments and the terms under which they serve, including Non-Executive
Directors’ fees and any changes in the total remuneration for each Executive Director,
require the consent of ShEx as the principal Shareholder.

Paula Vennells, CEO and Chris Day, Chief Financial Officer (“CFO”), have signed
employment contracts with the Post Office dated 29 October 2010 and 3 May 2011
respectively.

The Executive Directors’ contracts require them to devote their working time to the Post
Office. Neither of the Executive Directors is a director of any public company.

The contracts provide for 6 months’ notice of termination to be given by the director and 12
months’ notice to be given by the Company. [The standard form of contract is available for
inspection on request from the Company Secretary]. [The Company maintains rights to
claw back incentive amounts subsequently found to have been based on incorrect
accounting information. Such provisions have never needed to be enforced.]

Non-Executive Directors are not employees of the Company but provide services under the
terms of an individual Letter of Appointment, signed at the commencement of their
directorship. [The standard form of letter of appointment is available for inspection on
request from the Company Secretary.]

All the Non-Executive Directors are entirely independent of the Company, having no other
connection or financial interest in the Post Office, other than as customers and taxpayers.
Non-Executive Directors’ Terms of Office

| Director | Date of appointment | Term of office | Unexpired term at 31 March 2013 | Committee memberships |
| Alice Perkins | 21 July 2011 | Rolling 12 month contract | N/A | Nominations (Chair), Remuneration |
| Neil McCausland | 22 September 2011 | 3 years | 1 year 175 days | Remuneration (Chair), ARC, Nominations |
| Tim Franklin | 19 September 2012 | 4 years | 3 years 172 days | ARC |
| Virginia Holmes | 4 April 2012 | 3 years | 2 years 4 days | Pensions (Chair), Nominations, Remuneration |
| Alasdair Marnoch | 18 May 2012 | 3 years | 2 years 48 days | ARC (Chair) |
| Susannah Storey | 18 April 2012 | 3 years | 2 years 18 days | ARC, Pensions |

Board Meetings

Formal Board meetings were held X times during the year to 31 March 2013. As well as
considering strategic plans and approving new project proposals and policies, the Board
received a financial and performance update and a report from the CEO (including health
and safety) at each meeting.

One additional conference call meeting was held during the year to finalise the extension of
the agreement with the Bank of Ireland and the sale of Midasgrange Limited ("Project
Eagle"). In addition, special workshops were held to allow greater time for debate and
increase the Board's detailed understanding of single issues such as IT and the development
of the annual operating budget.

There is a formal Schedule of Matters Reserved for the Board which includes major capital
expenditure, entry into significant borrowings, acquisitions or disposals of any material part of
business and entry into different geographic areas or business activities. These are the types
of matter which could involve significant expenditure or would require Shareholder approval
from ShEx. The Board’s Terms of Reference, including the Schedule of Matters Reserved for
the Board, can be found on the Post Office website.

The Board's primary focus in the year to 31 March 2013 was on setting the strategic direction
for the business, in preparation for completion during 2013/4 of the Strategic Plan and
Funding Agreement with Government for the period 2015-2020. Three specific strategy
sessions were held in June and November 2012 and in January 2013.

The first draft of the Strategic Plan and Funding Agreement was submitted to ShEx for
discussion on [31 March 2013]. Approval of a final plan and agreement for future funding for
the period 2015-2020, to include business targets such as objectives for the size and shape
of the Post Office network and customer satisfaction measures, is expected by [31 October
2013].

Figure 1: Proportion of Board time spent in 2012-2013

Attendance at Board and Committee meetings

Directors are expected to attend all Board meetings, unless prevented from doing so by
illness or unavoidable personal circumstances. Apologies for absence are formally recorded
in the minutes of the meeting.

Strictly Confidential

In the year under review, the Board established sub-committees which met regularly during
the year to undertake more detailed reviews in specialist areas, as recommended by the
Code. Such focus areas included accounting policy and practices, risk and controls,
executive remuneration, the processes for evaluation of performance, and the nomination
and appointment of new directors or the removal of directors from the Board; and Pensions.

| Director | Board | ARC | Mutualisation Committee | Nominations Committee | Pension Committee | Remuneration Committee |
| Alice Perkins | 12/12 | 3† | 4/4 | 2/2 | - | 3/3 |
| Paula Vennells | 12/12 | - | 4 | - | - | 2† |
| Chris Day | 12/12 | 3† | 4 | - | TT | 2 |
| Neil McCausland | 12/12 | 3/3 | 4/4 | 2/2 | - | 3/3 |
| Tim Franklin* | 5/5 | 1/2 | 1/3 | - | - | - |
| Virginia Holmes | 12/12 | - | 1/4 | 2/2 | TT | 3/3 |
| Alasdair Marnoch* | 10/11 | 3/3 | 1/4 | - | - | - |
| Susannah Storey | 12/12 | 3/3 | 1/4 | - | 6/6* | - |

* from date of appointment
† in attendance, by invitation

Board Sub-Committees
Audit, Risk and Compliance Committee

The Audit, Risk and Compliance Committee ("ARC") looks not only at financial performance
and policies, including any changes to accounting policies and controls within the business, to
ensure that the directors can fulfil their statutory responsibilities to produce proper financial
accounts each year, but also at the levels of risk which exist within the Post Office and the
steps taken to mitigate those risks.

Following its separation from the Royal Mail Group in April 2012, the Post Office has been
building its own risk management, internal control and internal audit procedures and this will
be an area for further development during the 2013/14 financial year.

In the year under review, the ARC met [3] times, under the leadership of Alasdair Marnoch.
Alasdair is a Chartered Accountant and has recent and relevant experience as a Finance
Director of customer-facing and service businesses, including recent involvement with
MyCSP, the first pensions mutual organisation developed by the Government with and for
members of Civil Service Pension schemes.

One of the ARC’s primary responsibilities during the period was to review both the half year
trading statement and the full year accounts, to assess the validity of assumptions made and
the accounting policies used and to consider the ways in which Post Office should present its
financial performance as a newly independent entity.

A second major responsibility has been to promote the development of a risk management
framework suited to the complex nature of Post Office business. This will take some time
and is a key focus area for the coming year. The development of more sophisticated risk
management and control procedures and the establishment of a full internal audit
programme are areas of high priority now that the Post Office is an independent entity.

Post Office intends to implement a full Enterprise Risk Management system to help in
assessing, measuring and mitigating against risk, where this is possible, in each of the main
business areas — the Post Office Network, Mails Services, Front Office of Government
activities, Telephony and Broadband Delivery and, perhaps most importantly, in the
developing area of Financial Services. Post Office has a target to grow its public perception
as a reputable and reliable financial services organisation.

Report and Accounts Mark Davies and Chris Day Page 10 of 24
ExCo 12 February 2013
POL00184703


Strictly Confidential

The Board recognises that it is not possible to eliminate risk entirely. A chart showing the
principal risks and uncertainties facing the business and the steps taken to mitigate against
key risks is included in the Financial Review on page X.

In this period, a new Head of Internal Audit was appointed and the transition from using the
Royal Mail internal audit function to building a new internal team has begun. This is one
element in the re-examination of internal controls within the business.

The ARC works with both the internal audit team and Ernst & Young, the external auditor.
There is no current intention to change the existing audit relationship but the ARC will
continue to monitor the independence of the auditor and will, in future years, consider
whether the audit should be put out to competitive tender, in line with best practice applying
to listed companies.

Remuneration Committee

The Remuneration Committee is made up of three Non-Executive Directors and is chaired by
Neil McCausland, the Senior Independent Director. The Committee met for the first time in
October 2012, remuneration for senior executives having previously been under the control
of the Royal Mail Holdings plc Remuneration Committee.

The Committee is responsible for making recommendations to the ShEx on the remuneration
of the Executive Directors. In doing so, it also reviews the remuneration policy and packages
of the most senior leadership team, being the roles which report directly to the Chief
Executive. It also obtains information on salary levels across the business and within external
organisations of comparable size in order to set remuneration levels within an appropriate
context.

The Chief Executive may attend meetings, at the invitation of the Chairman, to discuss
matters relating to the remuneration of the CFO and members of the Executive Committee
but the Committee upholds the principle that no individual may be involved in discussions
concerning their own remuneration.

The full Terms of Reference of the Remuneration Committee can be found on the Post
Office website.

The Committee is able to consult on remuneration matters with the HR & Corporate Services
Director, other members of the HR team and with external consultants. In the year under
review, advice was primarily obtained from New Bridge Street Consultants on market
practice and benchmark development. New Bridge Street Consultants have no other links
with the Company which could compromise their independence.

No material changes can be made to Directors’ base salaries, benefits or incentives without
the consent of ShEx. A priority for the Remuneration Committee in this period was to agree
with ShEx performance criteria for short and long term incentive schemes in which the
Executive Directors were invited to participate.

Further details of the schemes now in place, and a table setting out the remuneration paid to
all Directors in the year to 31 March 2013, are provided in the Directors’ Remuneration
Report on page X.

Nominations Committee
The Nominations Committee is chaired by Alice Perkins, the Chairman of the Company. It
met for the first time in December 2012, with director appointments up to that time having
been made according to specific criteria, following discussions with ShEx.


The primary role of this Committee is to recommend to the Board any changes in Board
membership and to manage the process for recruiting and replacing directors. The Board
has only recently been completed and no immediate changes are expected. The Committee
will keep under review the balance of skills, experience and diversity available within the
Board and each of the Board Sub-Committees.

The Nominations Committee will also oversee the process for Board and Committee
performance evaluation.

Diversity

The Board believes that, at this stage of the Company’s development, building talent and
diversity within the Post Office community merits special attention. The Board has therefore
delegated authority to the Nomination Committee to monitor the development of a talent
management programme and to receive regular reports on diversity at all levels of the
organisation.

Post Office does not intend to operate a quota system to ensure a fixed representation of
any particular group but will seek balance in making appointments, particularly at senior
levels.

Its general policy will be to recruit for talent, using a range of recruitment solutions, including
encouraging open applications through its own website, engaging specialist independent
recruitment consultants and operating school leaver, graduate and apprentice schemes.

Over Christmas 2012 the Post Office welcomed XXX previously unemployed individuals to
work in branches over the busiest period of the year. XXX have since taken up permanent
positions in the Company.


Pension Committee

The Pensions Solution, adopted in April 2012, saw a substantial transfer of assets from the
Royal Mail Pension Plan (“RMPP”) to the Government, in return for the Government
assuming the obligations for past service liabilities. The transfer was made possible by
European Union State Aid funding.

As part of the solution, the pension fund was sectionalised, with Post Office assuming
responsibility for setting the investment strategy for funds relating to Post Office employees
and pensioners.

The Board has delegated authority to a specialist Pension Sub-Committee to appoint
professional advisers, to enter into negotiations with the Trustees of the RMPP on the
valuation of the funds, strategic asset allocation for the Post Office sections and to monitor
investment performance. The Committee reports back to the full Board so that its work can
dovetail with executive recommendations and union negotiations on pay and benefits.

In August 2012, the Committee recommended to the Board the appointment of AON Hewitt
as investment advisers. Working with AON Hewitt and with Towers Watson, the appointed
actuary for the RMPP, the Committee has satisfied itself as to the fair value of assets
transferred into the Post Office section at 31 December 2012 and has revised the investment
principles with the aim of maintaining the long term sustainability of the Scheme and
protecting against an unmanageable increase in liabilities for the Post Office in the future.

[Further paragraphs about the implications of Project Robin, if agreed, and the valuation
exercise].

Mutualisation Sub-Committee

An additional sub-committee, open to all Directors, was established to consider future
ownership models for the Post Office, following the Government's publication in July 2012 of
responses to the consultation on “Building a Mutual Post Office”. The Mutualisation
Committee met [4] times in the period.

A summary of the valuable work undertaken to date on perceptions of the Post Office and
the steps which would need to be taken to secure a successful future, whether in an existing
form of mutual structure or a different organisational model, appears on page X.

The establishment of the Stakeholder Forum to discuss the steps towards potential
mutualisation has enabled the views of many different groups to be expressed and the Board
is grateful to all those who have contributed ideas and enthusiasm to this important project.

Independence of the Committees

As membership of the Mutualisation Committee is open to the full Board, it follows that
executive directors attend and participate fully in these meetings, though the Committee
retains a majority of independent non-executive directors. The Pensions Sub-Committee is
made up of two Non-Executive Directors and the current CFO. All of the other sub-
committees are constituted solely of independent Non-Executive Directors.

Performance Evaluation
The Board intends to carry out an annual evaluation of the effectiveness of the Board and of
the Board sub-committees. In recognition of the fact that appointments to the Board and
sub-committees were finally completed only in September 2012, the initial performance
evaluation will take the form of an informal assessment by the Chairman and Non-Executive
Directors of overall effectiveness in the period. Separately, an appraisal of the personal
effectiveness of the Chairman will be led by the Senior Independent Director.

The performance of the CEO is assessed half yearly by the Chairman as part of the Group’s
standard performance appraisal structure; the performance of the CFO is similarly assessed
by the Chief Executive. The results of performance appraisals are reported to the
Remuneration Committee. The Remuneration Committee is then responsible for assessing
whether performance criteria for awards under the Company's variable incentive schemes
have been met and for recommending payments to be made, with the approval of the Board
and ShEx.

The Executive Committee

Below main Board level, the Executive Committee is the most senior management body and
is made up of the CEO and each of her direct reports, supported by the business unit heads
who report to members of the Executive Committee.

The Executive Committee (“ExCo”) implements the strategy agreed by the Board and
monitors business performance and development at a day-to-day level. It meets formally at
least once a month to discuss proposals for new business development, receive financial
and other performance reports, review the results of personal performance assessments
undertaken throughout the organisation and address urgent issues which have arisen within
the business requiring senior level resolution.

Under the delegated authorities established by the Board, individual ExCo members are
responsible for the decisions taken in their own area up to a set limit [value of £Xm for
budgeted expenditure and up to £Xm for unbudgeted expenditure]. Above this level there is
a process for escalation of business proposals for approval, through ExCo as a body and the
Post Office Board and, ultimately, to ShEx, if so required by the Company's Articles of
Association.

The CEO, CFO and the Company Secretary attend both Board and ExCo meetings which
facilitates and strengthens the communication channels between the senior leadership team
and the Board and its Committees.

[The Terms of Reference of the Executive Committee have been set out in writing and are
available to download from the Post Office website.]


Directors’ Report

The Directors present the financial statements for Post Office Limited (the Company). These
financial statements relate to the 52 weeks ended 31 March 2013 (2012: period ended 25 March 2012).

Principal activities

The Company’s principal activities are the provision of access to a wide range of Government,
financial, travel and retail services through its network of Post Office branches and other
channels across the United Kingdom (UK).

Review of the business and expected future developments

Information contained within the Chief Executive’s Review and the Financial Review on pages X
to X constitutes the business review required by the Companies Act 2006 and is incorporated
into this directors’ report by reference.

Results and dividends
The profit after taxation for the year was £XX million (2012 £37 million). The Directors do not
recommend the payment of a dividend (2012 £nil dividend).

Pensions
[Wording to be agreed.]

Political and charitable contributions
During the year, the Company made charitable contributions amounting to £XXX,XXX (2012
£320,108). No political contributions were made in the year (2012 £nil).

Research and development
Research and development expenditure during the year amounted to £nil (2012 £nil).

Policy on the payment of suppliers

The Company's policy is to use its purchasing power fairly. Payment terms are agreed in
advance for all major contracts. For lower value transactions, the standard payment terms
printed on the purchase order apply. It is Company policy to abide by the agreed terms. The
Company has sought to comply with the Department for Business, Innovation and Skills (BIS)
Better Practice Code. The number of days’ purchases in creditors at the balance sheet date was
XX days (2012 33 days).

Land and buildings

The net book value of the Company's land and buildings, based upon a historic cost accounting
policy and excluding fit-out, is £XX million (2012 £11 million). In the opinion of the Directors,
the aggregate market value of the Company's land and buildings at the year end exceeded their
net book value by at least £XX million (2012 £45 million).

Directors and their interests
The following served as Directors of the Company during the year ended 31 March 2013 and
remain in post as at the date of approval of these financial statements.

A Perkins CB

CM Day*

T A Franklin (Appointed 19 September 2012)

V A Holmes (Appointed 4 April 2012)

A Marnoch (Appointed 23 May 2012)

N W McCausland

S J Storey (Appointed 18 April 2012)

P A Vennells*

*executive directors

No Director has a beneficial interest in the share capital of the Company. All the Non-Executive
Directors are considered to be independent, having no financial connection with the Company
other than by virtue of the fees paid for their services as a director. The emoluments of directors
are set out in the Directors’ Remuneration Report which appears on pages X to X.


Insurance and qualifying third party indemnity provisions for Directors
Post Office Limited maintains directors’ and officers’ liability insurance for the benefit of all
directors and officers of the Company.

A partial qualifying third party indemnity provision (as defined in section 234 of the Companies
Act 2006) was and remains in force for the benefit of all the Directors of Post Office Limited and
former Directors who held office during the year. The indemnity is granted under article 129 of the
Articles of Association of Royal Mail Holdings plc, the ultimate parent company. The indemnity is
partial in that it does not allow the Company to cover the costs of an unsuccessful defence of a
third party claim.

The new regulations for listed companies from 2013 will require the strategic report to
include consideration of human rights issues, as well as social and community issues. It
will also require a gender split for directors, managers and employees (table to be
considered for inclusion in this year’s Corporate Governance Report under the heading
of Diversity).

People

Our goal is to ensure that all employees are engaged and involved in the business and are
aligned and equipped to meet business objectives. As part of our commitment to drive better
service for customers we continue to focus on improving the quality of our leadership,
professionalising key roles and achieving greater employee involvement in decision making.
Extensive training and development programmes have been put in place to support our ambition
to create a high performance customer-oriented sales culture. This ambition is further supported
by a range of bonus schemes which are based on the achievement of business targets.

Underpinning all of this is a need for dignity at work, where everybody feels valued, is treated
fairly and equally with everyone playing a full part in helping the Company to achieve its goals.

Regular employee opinion surveys are conducted to allow employees an opportunity to express
their views and opinions on important issues. This two-way communication encourages all
employees to contribute towards making business improvements.

Corporate Responsibility

Post Office Limited is committed to carrying out its activities in a socially responsible manner in
respect of the environment, employees, customers and local communities. [Further information
will be provided in the Business Review].

Disabled employees

The Company's policy is to give full consideration to applications for employment from disabled
persons. Employees who become disabled whilst employed receive full support through the
provision of training and special equipment to facilitate continued employment where
practicable. The Company provides training, career development and promotion to disabled
employees wherever appropriate.

Post balance sheet events
To be confirmed post year end.

Going Concern

After analysis of the financial resources available and cash flow projections for the Company,
the Directors have concluded that it is appropriate that the financial statements have been
prepared on a going concern basis. Further details are provided in accordance with the
fundamental accounting concept in note 1 to the financial statements.

Audit information
The Directors confirm that, so far as they are aware, there is no relevant audit information of
which the auditor is unaware and that each Director has taken all reasonable steps to make
themselves aware of any relevant audit information and to establish that the auditor is aware of
that information.


Auditor
The auditor, Ernst & Young LLP, is deemed to be reappointed under section 487(2) of the
Companies Act 2006.

By Order of the Board
Alwen Lyons
Secretary

Post Office Limited (company number 2154540)
148 Old Street, London EC1V 9HQ.

XX June 2013


Annex 4 — Draft outline of potential Finance Report content

Financial review

NOTE: This statement includes indicative content although much is still to confirm, as shown
by ‘xxx’ and square bracketed comments. All 2012-13 outturn references are currently
populated with Quarter 3 forecast data and all statements, roundings etc. are to be checked and
validated once year end outturns are known. We also need to consider referencing to 53 weeks
in 2012-13.

Chris Day [Insert picture]
Chief Finance Officer

Summary results

The Post Office has delivered a sound performance in its first year as an independent company.
Turnover has increased in three of the four core product pillars. This has enabled investment to build
the brand and drive future growth and allowed improvements in the supporting infrastructure to the
network. However, the scale of transformational change ahead remains significant and wider economic
conditions continue to be challenging.

Operating profit before exceptional items was £95 million (2012 £61 million). Cashflow was
XXXXXXXXXXXXXXXX (2012 £xm).

Profit and Loss Summary

                                                     2012-13   2011-12
                                                          £m        £m   Variance
Turnover                                               1,020       980         40
Network Subsidy Payment                                  210       180         30
Revenue                                                1,230     1,160         70
People Costs                                           (261)     (251)        (9)
Agents’ Costs                                          (481)     (483)          2
Other Operating Costs                                  (425)     (395)       (30)
Share of profit from joint ventures and associates        31        31          0
Operating profit before exceptional items                 95        61         33

Revenue

Post Office Revenue has increased by £70 million to £1,230 million, including an increase in the
Network Subsidy Payment from Government of £30 million. The Post Office segments income into four
pillars: Mails & Retail, Financial Services, Government Services and Telephony Services.

                                 2012-13   2011-12
                                      £m        £m   Variance
Mails & Retail                       410       392         18
Financial Services                   280       264         15
Government Services                  162       164        (1)
Telephony Services                   129       120          8
Other                                 40        39          0
Turnover                           1,020       980         40
Network Subsidy Payment              210       180         30
Revenue                            1,230     1,160         70


The chart below shows the year on year movements making up the £70 million increase:

[Chart: Revenue - Prior Year to Current Year (£m). Bridge from 2011-12 Revenue through Mails & Retail (18),
Financial Services (15), Government Services (1), Telephony Services (8) and Network Subsidy Payment (30)
to 2012-13 Revenue.]

Mails & Retail

Mails and Retail revenue of £410 million (2012: £392 million) has increased by £18 million.

Royal Mail products’ turnover has increased by £11 million, driven primarily by the tariff rises introduced
by Royal Mail in April 2012. [more to add at year end on the volumes growth areas.] Retail turnover has
increased by £2 million due to the collectibles relating to the Jubilee and the Olympics memorabilia, as
well as the introduction of new products [to confirm details for year end]. Income from sales of lottery
tickets has risen by £3 million as the high number of rollover draws drove sales volumes up.

Financial Services
Financial Services revenue of £280 million (2012: £265 million) has increased by £15 million.

Personal Finance Services income rose by £22 million, driven by the implementation of a new contract
with the Bank of Ireland, which has increased commissions received. Savings products have
performed well — particularly x, y and z — along with the introduction of a new mortgage product. The
value of savings held in Post Office branded accounts has increased by £x million during the year to £y
million. There has been a decline in the traditional financial services products, most notably a £3.3
million decline in income from NS&I as NS&I has sought to encourage customers to use its online
channel.

Government Services

Government Services revenue of £162 million (2012: £164 million) has decreased by £2 million. There
has been [continued?] growth in income from the passport check and send service, which is £2 million
higher. [Rate vs volume impact to be confirmed at year end]. However, the anticipated growth in
income from identity related services has been disappointing. Revenue from the Post Office Card
Account is £5 million lower as customer numbers continue to reduce. [volume and LIBOR variances vs
PY to be checked].

Telephony Services

Telephony Services revenue of £129 million (2012: £121 million) has increased by £8 million. Income
from the Post Office Homephone and Broadband product rose by £10 million, primarily due to higher
customer numbers following xxxxxxx [the introduction of more service packages offering options for
inclusive calls with effect from April 2012]. [Statement to be validated]. Income from e-top-ups was £2
million below prior year as more customers migrate away from prepay.

Network Subsidy Payment

The Network Subsidy Payment has increased by £30 million this year to its peak of £210 million before
it begins to reduce with effect from 2013-14 reflecting reduced requirement following progress made
with the Network Transformation programme. [to confirm wording]

Costs

Post Office costs have risen by £37 million to £1,167 million (2012: £1,129 million).

[Chart: Costs - Prior Year to Current Year (£m). Bridge from 2011-12 through People Costs (9),
Agents’ Costs 2 and Other Operating Costs (30) to 2012-13.]

Staff costs

Staff costs of £261 million (2012: £251 million) have increased by £9 million, primarily due to the impact
of separation from Royal Mail Group, which is largely offset by savings in intercompany charges from
Royal Mail Group Ltd, and some pay rises.

Agents’ costs

Agents’ costs represent almost half of the cost base and have reduced by £2 million to £481 million
(2012: £483 million). Adjusting for a one-off payment made to Agents last year of [£4] million, the
underlying year on year movement would be £xx million. [Need to explain further depending on outcome.]

Other Operating Costs

Other operating costs have increased by £30 million to £425 million (2012: £395 million), driven by
additional investment to drive future revenue growth and build the brand, as well as establishing the
framework for longer term efficiencies and improving the supporting infrastructure across the Network.

Share of Joint Venture and Associate profits
Share of Operating Profit from the joint ventures (First Rate Exchange Services Limited) and associate
(Midasgrange Ltd until its sale on [1] September 2012) was £31 million (2012: £31 million).

Exceptional Items
                                                    2013    2012
Exceptional items                                     £m      £m
Operating exceptional items:
  Transformation costs                              (80)     (2)
  Impairment of property, plant and equipment       (79)    (36)
  Utilisation of Government grant                    118       -
Non-operating exceptional items:
  Asset disposal                                       2       1
  Business disposals                                (30)       -
Net exceptional items                               (69)    (37)

Transformation costs include the costs of delivery of major change: Network Transformation
introduces new style agency offices and seeks to improve fundamentally the profitability of the Crown
network. IT Transformation creates the IT infrastructure appropriate for an independent business with
ambitious growth plans.

Network Transformation resulted in costs of £33 million for agents’ compensation and £26 million programme
costs. £11 million of redundancy costs related mainly to the Crown network, costs of £10 million
related to transforming our IT infrastructure and there was £1 million for other exceptional costs.

The non Network Subsidy [check if there is better terminology for this] Government grant funding is
included within operating exceptional items to match the associated costs. Government grant funding
received of £118 million has been utilised against £66 million capital expenditure, £33 million Network
Transformation related agents’ compensation and £20 million Network Transformation programme
costs.

Property disposals during the year mainly comprise the sale of the freehold of the Woking Crown office. The
loss on disposal of Post Office Limited’s interest in our associate investment in Midasgrange Ltd was
£30 million.

Free cash flow

Operating profit of £95 million (2012 £61 million) is higher by £33 million.

Capital expenditure of £68 million (2012 £32 million) is higher on account of investment in Network
Transformation, Supply Chain and IT infrastructure.

Redundancy and exceptional items comprise a cash inflow of £47 million (2012: outflow £17 million)
mainly resulting from the receipt of Government grant funding of which £118 million (2012 £nil) has
been spent in the year. The grant has been used towards capital expenditure above, Network
Transformation costs £46 million (2012 £XX million), redundancy £11 million (2012 £12 million) and IT
infrastructure £10 million (2012 £xx million). There were other exceptional items of £4 million (2012 £5
million).

Net debt has decreased by £xx million year on year as shown in the table below:

                                                                                        2013
                                                                                          £m
Net debt brought forward 25th March 2012
Free cash flow (see page XX)
Interest earned on pension escrow investments (included within the free cash flow above)
Increase in loans and borrowings - accrued non cash interest on shareholder loan
Foreign currency exchange impact on cash and cash equivalents
Total net debt

Pensions

On 1 April 2012 — after the granting of State Aid by the European Commission on 21 March 2012 —
almost all of the pension liabilities and pension assets of the Royal Mail Pension Plan (RMPP), built up
until 31 March 2012, were transferred to HM Government. On this date, the RMPP was also
sectionalised, with Royal Mail Group Ltd and Post Office Limited each responsible for their own
sections in future. This arrangement left the RMPP fully funded on an actuarial basis in respect of
historic liabilities at this date.

Pension Plans

Post Office Limited is a participating employer within the Post Office Section of the Royal Mail Pension
Plan (RMPP) and is a participating employer within the Royal Mail Defined Contribution Plan (RMDCP).
Royal Mail Group Ltd is the principal employer of the Royal Mail Senior Executives’ Pension Plan
(RMSEPP) and Post Office Limited is a participating employer within RMSEPP. RMPP and RMSEPP
are both defined benefit plans on a career average basis.

The balance sheet pension position has changed from a deficit of £206 million at March 2012 to an
asset of £xx million at March 2013. The improvement in position is primarily due to the transfer of
almost all of the pension liabilities and pension assets of the Royal Mail Pension Plan (RMPP), built up
until 31 March 2012, to HM Government on 1 April 2012. Since 1 April 2012 xxxxxxxxxxxxx.

Both defined benefit plans are now closed to new members. RMSEPP closed on 31 December 2012
and has no active members. New employees are offered membership of the defined contribution plan,
RMDCP.

                                                        2013    2012
                                                          £m      £m
Operating pension costs                                 (26)    (24)
Exceptional pension costs (relating to redundancy)      (XX)    (XX)
Net pension interest credit/(charge)                       3       2
Pension charges                                         (XX)    (XX)

The £2 million increase in operating pension costs is caused principally by changes in market
conditions, resulting in a pension charge for RMPP equating to 17.8 per cent of pensionable pay,
compared to 17.1 per cent last year. The percentage applied to the pensionable payroll is determined
at the beginning of the financial year and is intended to represent the amount by which liabilities will
increase due to employing active members for one more year.

The net pension interest credit reflects the unwinding of the discount on the plans’ liabilities, less the
long-term expected rate of return on the plans’ assets.

Pension cash payments for all Plans

Following the transfer of almost all of the pension liabilities and pension assets of the RMPP to HM
Government explained above, the future funding of ongoing pension contributions into RMPP and
deficit payments into RMSEPP is being discussed with the respective pension trustees. The payments
for 2012-13 disclosed in the table below were based on the arrangements that were in place for the
2011-12 financial year.

                                                        2013    2012
                                                          £m      £m
Regular pension contributions                           (XX)    (24)
Funding of the pension deficit - RMSEPP                 (XX)     (1)
Payments relating to redundancy                         (XX)    (XX)
Net cash payments                                       (XX)    (XX)

Regular pension contributions have increased/decreased due to xxxxxxxxxx. The regular future
service contributions cash rate for RMPP, expressed as a percentage of pensionable pay, remained at
17.1 per cent (2012 17.1 per cent). The regular rate of employee contributions for the RMPP remains
unchanged at six per cent.

Report and Accounts Mark Davies and Chris Day Page 22 of 24
ExCo 12 February 2013

Strictly Confidential

Pension deficit recovery payments by Post Office Limited have xxxxxxxxxxx. The £1 million (2012 £1
million) deficit payment relates to RMSEPP. There was no RMPP deficit payment in either year as a
result of State Aid clearance granted on 21 March 2012 and the subsequent transfer of almost all of
the pension liabilities and pension assets of the RMPP to HM Government on 1 April 2012.

Treasury management overview

Following the transfer of Post Office Limited from the ownership of Royal Mail Group Ltd to Royal Mail
Holdings plc on 1 April 2012, Post Office Limited has operated an independent Treasury function and
manages its own financial assets (including network cash) and financial liabilities (mainly Government
loans).

The treasury function derives its authority from the Board and provides regular reports for Board
review. It has the authority to undertake financial transactions relating to the management of the
underlying business risks; however, it does not engage in speculative transactions and does not operate
as a profit centre. The principal financial instruments utilised are deposits and borrowings.

Facilities

The terms of the Government borrowing facilities and the associated Framework Agreement impose
constraints on the purposes for which they can be used and the availability of external borrowing. Post
Office Limited's treasury policy is to minimise the amount drawn down on the loan in order to reduce
the interest charge. The facility is limited to a maximum of £1.15bn or the amount of security available
(mainly network cash), whichever is the lower. The facility is available at 2 days' notice.

At 31 March 2013 the company was financed as follows:

Borrower: Post Office Limited

Purpose        Interest rate*  Facility   Facility  Utilised  Average maturity
                            %  end date         £m        £m  date
Network Cash            [0.8]      2016      1,150       118  2013

* Average interest rate of loan drawn down

Financial risks and related hedging
[The company is exposed to currency and commodity price risk. The company operates hedging
policies via Royal Mail Group Ltd. tbc]

Events after the reporting period
XXXXXXXXXXXXXXXXXX

Chris Day

Chief Financial Officer
Post Office Limited
XX June 2013

Annex 5 - Timetable showing key dates and meetings

Date             Activity

13 February      ARC meeting - review of Corporate Governance disclosures

Mid February     Provide template for year end financial statements to EY for technical review
                 prior to issuing to the Audit Committee

27 February      Post Office Board Meeting - review of key messages for year end
                 (November Board action point)

24 February      Period 11 month end hard close

4 March          Pension Committee meeting - initial review of potential year end
                 accounting assumptions for pension

March            EY perform audit procedures on Period 11 results

13 March         ARC meeting - review of template for year end financial statements

Late March       EY period 11 closing meeting

31 March         Year end

4 April          Pension Committee - phone call or by correspondence to agree pension
                 assumptions for recommendation to the Board

April            EY field work

Late April       EY year end closing meeting

20 May           For information - RMG Board meeting to approve financial statements

21 May           Audit Committee, followed by Board Meeting (as last year, subject to
                 confirmation with the Company Chairman and ARC Chairman) - to approve
                 the financial statements and delegate authority
                 (i) to the Audit Committee to undertake any further detailed review, as
                 needed; and
                 (ii) to a sub-committee of the Board to give final approval for publication

5 June           Audit Committee (subject to confirmation) - to review the final form
                 Report & Financial Statements and recommend final approval

Early June       Board Sub-Committee (subject to confirmation but usually constituted
                 of the Chief Executive and CFO) - to give final approval for publication

From early June  Announce results (subject to alignment and discussion with Royal Mail)

Strictly Confidential
POST OFFICE LTD

AUDIT, RISK AND COMPLIANCE COMMITTEE
Key management personnel accounting disclosure requirements under IFRS
1. Purpose and background

1.1 The Post Office has decided to report under IFRS and include the accounting disclosures
expected of a FTSE listed plc where applicable.

1.2 IAS 24 'Related Party Transactions' has the stated objective of ensuring that financial
statements contain the disclosures necessary to draw attention to the possibility that the
financial position of the entity may have been affected by the existence of related parties and
transactions with them. These related party transactions are required to be disclosed in a
note to the financial statements.

1.3 A person is a related party if:

• they have control or joint control of the entity

• they have significant influence over the entity or

• they are a member of the key management personnel (KMP) of the reporting entity or of
a parent of the reporting entity.

1.4 The purpose of this paper is to define the KMP for the Post Office and to ask the Audit, Risk
and Compliance Committee to note that this is the definition that will be applied for the
2012-13 financial statements.

2. Interpretation of IAS 24

2.1 IAS 24 defines KMP as 'those persons having authority and responsibility for planning,
directing and controlling the activities of the entity, directly or indirectly, including any director
(whether executive or otherwise) of that entity.'

2.2 Interpretation of the standard suggests that the definition is intended to include supervisory
boards and anyone who has responsibility for management of a significant part of the
business, although they may not hold the title of director. If these persons are carrying out
duties normally carried out by directors they are likely to be considered to be KMP.

2.3 Membership of a 'management committee', which takes decisions which are delegated to it
by the Board, is put forward as an example which falls within the definition of KMP. On this
basis it is likely that the members of the Executive Committee (ExCo) will be considered to
be KMP as ExCo has authority for planning, directing and controlling the entity's activities
under delegated authority from the Board.

3. Disclosure requirements

3.1 The accounting standard requires disclosure of KMP compensation in aggregate and for
each of the five following categories:

• Short term employee benefits: Wages, salaries, social security contributions,
holiday pay, profit share, bonuses payable within 12 months of the year end, medical
care, car allowance. We expect that the 10/11 LTIP due to be paid in June 2013
would be disclosed here.

Key management personnel Chris Day Page 1 of 2
disclosure requirements under IFRS February 2013

• Post-employment benefits: Pensions, life insurance, medical care. For defined
contribution schemes the disclosure should be the aggregate contributions payable
into the schemes for the KMP. Where defined benefit schemes are not operated
solely for the benefit of the KMP it is difficult to calculate the total recognised cost in
respect of the KMP. An acceptable alternative is to disclose the current service cost
attributable to the KMP.

• Other long-term benefits: Long-service or sabbatical leave, any deferred
compensation not payable within 12 months of the year end. We need to investigate if
the 11/12 or 12/13 LTIP (if approved) is required to be disclosed here.

• Termination benefits: Compensation for loss of office, ex-gratia, redundancy.

• Share-based payment: Share options and other grants of shares.

3.2 In addition to the above, the general disclosure requirements of IAS 24 which apply to the
wider definition of a related party would apply to KMP. Therefore any transactions with, or
balances held with, KMP would also need to be disclosed. This would include any of the
following transactions if not captured by the specific disclosure requirements noted above:

• Purchases/sales of goods
• Rendering/receiving of services
• Leases
• Provisions of finance (loans)
• Guarantees

3.3 It is likely that the members of the Executive Committee (ExCo) will be considered to be
KMP as ExCo has authority for planning, directing and controlling the entity's activities
under authority from the Board. Therefore there may be a requirement for the members of
the ExCo, as well as the Board, to sign a certification to confirm the pay they have
received during the year and that they have had no transactions of the above nature with
Post Office Limited as a company.

4. Conclusion

4.1 It is our view that, in the case of POL, the KMP would constitute the Board of Directors
and the members of ExCo and that the above disclosures would need to be made for the
POL financial statements for the year ended 31 March 2013.

5. Recommendation

5.1 The Audit, Risk and Compliance Committee is asked to:

Note that the Post Office Key Management Personnel under IAS 24 is defined to include
the members of the Post Office Board and the members of the Post Office Executive
Committee.

Chris Day
February 2013

Confidential

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE
Internal Audit — Activity Report
1. Purpose

The purpose of this paper is to:

1.1 Inform the committee of the recent activities of the two internal audit functions.

1.2 Summarise the results of the Royal Mail audits for 2012/13 to date as requested
at the November 13th 2012 committee.

1.3 Summarise the status of recommendations.

1.4 Outline remaining audits for 2012/13.

1.5 The Committee is requested to note the activity and provide comment.

2. POLIA activity November 2012 to February 2013

2.1 Appendix 1 summarises the activity of POLIA including coordination with the Royal
Mail Internal Audit team and the status of their recommendations made during 2012
audits.

2.2 POLIA activity has been focused mainly on RMIA coordination, team set up and
recruitment, advisory work on the Risk Management strategy including a full risk
workshop with the Finance senior team, and support to the Information Security
Finance Roadmap and Data Protection projects.

2.3 It is intended to highlight significant implementations by management in POLIA
activity summaries where appropriate going forward.

3. Royal Mail Internal Audit Activity in Post Office.

3.1 Appendices 2, 3 and 4 are provided by RMIA and summarise the results of the
Royal Mail Audits, recommendations status and audit plan for the remainder of FY
2012/13.

3.2 The completed and reported assignments are:

• Business Risk Assurance (reported July) - This examined the overall assurance
framework in place at Post Office shortly after its separation from Royal Mail.

• Information Security Management (reported August)

• Operation of the POLSAP environment (used for Supply Chain and Finance) -
reported November.

• Supplier Contract Management (reported November)

• Horizon system - examination of items arising from the external audit
management letter (reported January)

• Network Transformation - Financial Controls (reported January)

3.3 Appendix 2 details the top findings from each of these audits and the status
reported by management to Royal Mail Internal Audit as at January 2013. The
top issues and themes from each are summarised below. Full copies of the
reports are available to the committee upon request.

Internal Audit Activity. Malcolm Zack — Head of Internal Audit Page 1 of 3
13th February 2013

Top priority issues and themes.

Whilst the audits cover different areas with differing issues, the recurring themes
are governance, coordination and oversight.

• The business risk assurance environment will benefit from more centralised
oversight and coordination. Improved visibility to the Risk and Compliance
Committee and ultimately the Audit Committee is required. It was
comparatively segmented at the time of the review but the Risk and
Compliance team have since commenced work to update the business
controls framework, and monitoring of processes. The terms of reference
of the Risk and Compliance Committee and its linkage to the Audit and
Risk Committee have been revised and strengthened.

  o NB. The establishment of the Internal Audit function in Post Office
since the audit will assist in improved coordination and oversight.

• The Information Security Framework was found to be fragmented across
POL and third parties, with insufficient POL resource which did not have
enough oversight over the security activities of third parties. The audit did
recognise some improvements since the previous review. Action is being
taken to embed better information security needs in supplier contractual
requirements, within new products and services and to develop security
training and awareness.

  o NB this audit was conducted and reported prior to the recent
information security review undertaken by IT.

• The Post Office Finance and Supply Chain systems are operated on
POLSAP. This review assessed the general computing control
environment and also followed up on progress on the IT security related
issues raised by the 2011/12 external audit.

• The review noted improvements were needed in a number of areas but
none of these was individually of high risk. Progress is needed to resolve
interface issues between the Post and Go system and POLSAP. Control
over leavers whose IDs still had access to the system and clarity of
ownership of the end to end change management process needed
addressing. The review also noted that some progress had been made in
resolving the SAP Security issues from the external audit. Management
have undertaken further work since that review and a short follow up of
POLSAP in February 2013 should reconfirm actions taken.

• Governance and formalisation was also a theme in Supplier Contract
Management which was reported at the November 13th Audit, Risk and
Compliance Committee. The review noted that further work was needed
in the overall application of standard policies and procedures and
maintenance of documentation. There were differences in the way
contracts were managed and more formalisation was needed in areas such as
documentation, legal review and recording of key decisions such as
authorisations. Management had work underway at the time of the
review.

• A review on specific IT areas of the Horizon system followed up on
findings from the external audit Management Letter on security
weaknesses noted in the 2011/12 external audit. These focused around
the use of shared generic user accounts which had privileged access and
security policies. Actions on these and those arising from the POLSAP
review have been addressed by IT and reported through to the Risk and
Compliance Committee.

• Strengthening of the financial framework for the assessment and
selection of branches for the Network Transformation conversion
programme was needed and is being implemented. There were errors in
the sample of spreadsheet tools used and the audit highlighted that the
batching approach used was potentially allowing some branches to pass
the tests when on an individual basis they would have been marginal or
subject to further assessment. Review and approval mechanisms are in
place and it is essential to maintain these and the improved assessment
methods given the high pace of branch conversion required.

3.4 The remaining Royal Mail internal audit activity for 2012/13 includes:

• Assurance support for the E&Y payroll controls

• Master Data change process review (request from IT)

• Support to the Bank of England Notes Circulation Scheme - process
narrative. (This has been completed historically each year)

• Link Scheme - annual attestation of compliance requirement. (May
commence post March 2013)

• POLSAP security controls - final follow up and check.

Appendix 4 provides a summary.

3.5 The recommendations status is summarised in appendix 3. Forty-four actions
have been raised by Royal Mail Internal Audit for 2012, of which, as at January
2013, 18 (41%) have been reported as completed. A significant tranche are due
for completion by management through February and March. Details on the
status of each action point are available but have not been included in the papers
due to size.

4. Requested Action

4.1 The Audit, Risk and Compliance Committee is asked to:

• Note the activities and status and provide comment or direction to the
Internal audit teams.

Malcolm Zack
13th February 2013

Appendix 1 - POLIA Internal Audit Activity Summary

Summary

Royal Mail IA work on Financial Controls in Branch investments completed. LINK work
delayed because a new standard was issued and Fujitsu need to implement this first.
Business Controls framework audit planned for February start. POL SAP follow up
underway.

POLIA recruitment underway. One individual appointed to start March 4th. Standard
documentation designed, audit plan drafted, advisory work underway in several business
areas. POLIA team expected to be in situ through May 2013. POLIA supporting
Information Security Programme through Working and Steering Committee and Data
Protection Programme. Risk Strategy for 2013/14 proposed for Executive Committee.

Highlighted Implementations - last 3 months

• Key security and operational controls in the POLSAP computer environment
• Ownership for end to end POLSAP change management process assigned
• Key IT supplier contracts reviewed by procurement with legal support
• Contractual information security requirements embedded into Transformation programme

Activity                                            Resp        Type
Financial Controls in NT Programme                  Royal Mail  Audit
Horizon - IT controls                               Royal Mail  Audit
LINK - attestation                                  Royal Mail  Audit
POL SAP Follow up                                   Royal Mail  Audit
Change controls over master data                    Royal Mail  Audit
Information Security Project - Buffalo              MZ          Advisory
Data Protection Project - review of methods/output  MZ          Advisory
E&Y liaison and status                              MZ          External Audit
Assurance Mapping/3 lines of defence                MZ          Advisory
Team set up and recruitment                         MZ          Set up
2013-4 Objectives and plans                         MZ          Set up
Risk Management Framework/Strategy                  MZ          Risk Mgt
Finance Risk Assessment and Mapping                 MZ          Risk Mgt
Treasury Risk Framework                             MZ          Advisory
Induction, branch and cash centre visits            MZ          Set up
Bank of Ireland Liaison                             MZ          Set up
Finance Systems - Project                           MZ          Advisory
IA benchmarking - other Post Office IA depts        MZ          Set up

Recommendations status - Royal Mail - Jan 25 2013

Total raised in current year - 44
Number reported as completed by management - 18
Number reported as in progress/on track - 26

8 actions in progress due to be completed by end of January, 2 in February. The next
major tranche of actions will be due by end of March. None reported as significantly
overdue. See appendix 3 from Royal Mail Internal Audit.

Recommendations Status - POLIA raised actions

Reporting will commence in FY 2013/14.

COMPLETED ASSIGNMENTS
Commentary:

Key Business Risk Assurance

Findings -

Developing an assurance framework: POL need to do more work to identify the assurance required by the business against that which is currently
undertaken. Analysis by POL in 2012 highlighted some key gaps, but further work is needed to ensure assurance requirements are identified and met.
Implementing an integrated assurance model: Central management of compliance and assurance across the business has become outdated and
requires more formalisation to ensure clear ownership and oversight. An updated integrated controls assurance framework is now under development.
Monitoring of business critical processes: The critical business process schedule has not been maintained nor have the processes been recently
assessed. Compliance recognised this in April 2012 and have drafted a proposal to establish a suitable internal controls framework.

Reporting to the Risk and Compliance Committee (R&CC): There was overly detailed reporting of the findings and results of assurance activity to the
R&CC making it difficult to identify significant issues. This is being addressed by the re-focus of the R&CC on key risks and issues arising from assurance
activity.

Consistency of supplier compliance assurance: Although a number of key contracts require suppliers to provide POL management with evidence that
they are meeting their contractual obligations, and allow POL to audit this information, this is not standard across all suppliers.

What is being done —

Developing an assurance framework: The key assurance requirements are to be confirmed, and any gaps in the provision of compliance and assurance
activity will be identified.

Implementing an integrated assurance model: An internal controls and assurance framework is to be developed and deployed, with executive level
ownership, which covers entity level controls to ensure against key business risks and obligations.

Monitoring of business critical processes: Critical business processes will be identified and the executive level ownership of these processes will be
confirmed and agreed. Self assessment and independent validation of these processes and the associated key controls will be defined and implemented.
Reporting to the Risk and Compliance Committee (R&CC): The revised R&CC terms of reference has been agreed. There is now monitoring of
management reporting to ensure there is sufficient focus on key risk and compliance issues for management review and direction of mitigating actions.
Consistency of supplier compliance assurance: Standard contract terms and conditions are being developed to allow POL to maintain appropriately
transparent arrangements and monitoring of performance with all key suppliers.

Information Security
Findings -

The control environment is somewhat fragmented with control over Information Security activities spread across third party providers and within teams in
both RMG and POL. The POL Information Security team have made a number of improvements to the control environment over the past two years,
including to Payment Card Industry (PCI) requirements and risk management, and POL has a direct relationship with Fujitsu which, from an Information
Security perspective, is now well managed.

The Information Security team is not provided with sufficient information to have adequate oversight of the frequency and effectiveness of a number of
activities provided by RMG, CSC, and other third parties. These activities include user access, IT asset management, and threat and vulnerability
management. Some other activities do not have well documented audit trails and are not always undertaken in a structured manner, including compliance
management and training.

The POL Information Security function appears somewhat under-resourced. The Information Security team has recognised that investment in resources
and technology is required to alleviate weaknesses in the current control environment.

What is being done —

• Contractual requirements for Information Security (including risk, access, asset, threat and vulnerability management) are to be embedded in the new
supplier requirements as part of the IT & Change Transformation Programme.

• A process is to be developed to enhance and monitor the engagement between the Information Security function and new product and service projects to
ensure that Information Security requirements are embedded before the services are made available to customers.

• Compliance with ISO27001 certification is to be reviewed and a process to monitor and performance manage compliance will be developed and deployed.

• Information Security policies are to be communicated that i) require new starters to sign-off acceptance to the user policy before being granted access and
ii) make business process owners responsible for the regular performance of user access and system role reviews. A new process will monitor compliance
with these controls.

• The accuracy of the IT hardware and software asset register is to be confirmed, and a process established to manage information assets in future.

• A process for identifying and reacting to Information Security threats is to be developed, and appropriate specialist resource will be made available to
deliver this process. Regular internal vulnerability scanning for high risk Information Security services will be implemented, including those currently
managed by RMG.

• A training and testing strategy and plan will be implemented that incorporates annual testing, and the results will be reported to senior management.

POLSAP
Findings -

Transaction data: The responsibility for reviewing exceptions on the Paystation and Post&Go to POLSAP interfaces has not been defined. The review
identified that there are approximately 800 issues which are being investigated in relation to the completeness of the Post&Go interface, some of which are
several years old. There are no predefined service levels for the resolution of these issues specified in the contract with the third party, Wincor.

Access to software: One of the 25 new and modified user access requests sampled was not correctly documented as approved, and another request
was processed as a temporary role change in error when it was a permanent change. Further testing identified six users within the P&BA team that had
left the business but still had active accounts, and nine users where the user had a role that needed removing from their profile.

Change management: Whilst a formal change management process is in place, the responsibility for the end-to-end process has not been defined.
Sample testing identified one change that had not been communicated to the POLSAP testing team.

Supplier service provision: The scope of the monthly reviews with third party suppliers has not been defined, and the results are not reported to the
Information Security Management Forum.

The 2011/12 E&Y Management Letter identified a number of areas for improving POLSAP system controls. The IA&RM review identified that there are
some areas where further work is required, where the completed action has yet to be evidenced in the operation of the control. It should be noted that
there are some completed actions that have not been in place for the entire financial year.

What is being done —

Transaction data: Responsibility for monitoring the accuracy and completeness of the interfaces between Paystation, Post&Go and POLSAP has been
assigned to appropriate members of staff. Service level agreements between POL and Wincor for the timely resolution of transaction data errors during
the interfaces between Paystation, Post&Go and POLSAP are being drafted.

Access to software: A review of POLSAP user access in POL P&BA, Supply Chain, Steria and Fujitsu is scheduled for Q3 2012/13. The process for
identifying and taking action on POLSAP user accounts where the user has left the business is to be reviewed.

Change management: All POLSAP changes that require user acceptance testing will be routed to the POLSAP testing team prior to implementation.
Supplier service provision: Third party user access reviews are to be assessed to ensure that the scope includes all areas of the application that POL
determines as priority for review. The results of the third party user access reviews will be documented within the minutes of the Information Security
Management Forum.

Outstanding E&Y recommendations: All remaining actions are to be completed by the end of Q3 2012/13. IA&RM will review this progress.

Supplier Contract Management

Findings —

Governance Policies and Procedures: Although individual working practices have been developed for each supplier contract, ranging from contract
administration to commercial contract management, there are no formal standard policies and procedures that cover the whole Contract Management
function, although these are under development. There are inconsistencies between contracts over activities including risk management, supplier
engagement, relationship management, and review of service provision.

Documentation of Changes: There is a formal process in place to ensure that changes are agreed with the supplier and POL stakeholders and reviewed
by contract management before implementation. However, contract documentation, authorisations and other key documents such as minutes of
governance meetings were often stored on local hard drives rather than in a central repository. Some authorisations are informally recorded in email
correspondence and in the sample reviewed were not always sufficiently clear to evidence whether approval had been provided.

Legal Services Review: Although Contract Managers consult Legal on contract changes, there is no agreed formal process for them to review or sign off
on contract amendments, nor is there a process for Legal to review or audit contracts on a regular basis. A formal process is currently under development
between Contract Management and Legal.

Benchmarking: The right to undertake benchmarking is not included in all key contracts.

Exit Plans: Sample testing identified that the exit clause in the Ingenico contract does not specify which party bears the exit costs, and the exit clause in
the Fujitsu contract is unclear as to how Intellectual Property Rights (IPR) to the Horizon system would be transferred to POL. The Fujitsu IPR issue is
currently being managed through the IT Transformation Programme.

What is being done —

Governance Policies and Procedures: Formal policies and procedures across the Contract Management function are under development, along with a
formal process for the risk management of all supplier contracts.

Documentation of Changes: A single document repository for all authorised changes and a process to review compliance with documentation processes
are to be implemented.

Legal Services Review: A formal process to obtain Legal concurrence for changes to contract terms and conditions is currently being developed.
Benchmarking: A process to identify and assess opportunities to benchmark key supplier performance is to be implemented.

Exit Plans: Key supplier contracts are to be reviewed to ensure that the contracts cover: responsibilities for exit costs in the event that a supplier gives
notice; licences for supplier owned software; and, access to data post exit.


Horizon E&Y Management Letter Actions

Findings -

Generic privileged accounts: Generic privileged accounts remain in use on Horizon by Fujitsu.

Password parameters: E&Y recommended that POL operate a single Information Security Policy, however POL management use two separate policies,
one for Horizon and one for POLSAP respectively.

In addition, POL management have not completed the E&Y recommendation to review key password parameters, as these have not been defined.
Testing also identified two password parameters configured in the Horizon application that did not comply with the Horizon Security Policy.

What is being done —

Generic privileged accounts: A paper was presented to the November POL Risk and Compliance Committee where any residual business risks
associated with this control were accepted by IT and Change on behalf of the business.

Password parameters: Any residual business risks associated with POL having two separate security policies for Horizon and POLSAP were accepted by
IT and Change on behalf of the business at the November POL Risk and Compliance Committee meeting.

Key password parameters are to be reviewed and defined, and the Horizon Security Policy is to be reviewed and changed to reflect the findings of this
review. In addition the process for manually changing privileged account passwords on the Oracle databases and Linux operating systems is documented
within the Horizon Security Policy.

Key password parameters will be reviewed on a periodic basis. Once defined, management will perform a review of key password parameters to ensure
that the third party supplier is implementing the Horizon Security Policy.
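The periodic review described above is, in practice, a comparison of each configured parameter against the value the policy defines. The following Python is an added example and is not part of the ARC paper or of any POL or Fujitsu tooling: it parses a constructed /etc/login.defs excerpt and a constructed export of Oracle's DBA_PROFILES view, checks both against a hypothetical policy, and lists every parameter that deviates, including parameters that are not set at all and Oracle limits of UNLIMITED or DEFAULT (the latter inherits from the DEFAULT profile and cannot be judged without resolving it). The policy thresholds, the APP_PROFILE name and all values are illustrative assumptions; the paper does not state Horizon's actual parameters.

```python
"""Compare observed password parameters with a defined policy.

Added example; not from the ARC paper. The policy thresholds, the
login.defs excerpt and the DBA_PROFILES export below are constructed
illustrations, not Horizon's real configuration.
"""
import math
import re
from dataclasses import dataclass

# Hypothetical policy: parameter -> (rule, limit).
# "max": observed must be <= limit; "min": observed must be >= limit.
POLICY = {
    "linux": {
        "PASS_MAX_DAYS": ("max", 90),
        "PASS_MIN_DAYS": ("min", 1),
        "PASS_MIN_LEN": ("min", 12),
        "PASS_WARN_AGE": ("min", 7),
    },
    "oracle": {
        "FAILED_LOGIN_ATTEMPTS": ("max", 5),
        "PASSWORD_LIFE_TIME": ("max", 90),
        "PASSWORD_REUSE_MAX": ("min", 10),
        "PASSWORD_LOCK_TIME": ("min", 1),
    },
}

# Constructed /etc/login.defs excerpt (not taken from a real host).
LOGIN_DEFS = """
# Password aging controls
PASS_MAX_DAYS   180
PASS_MIN_DAYS   0
PASS_MIN_LEN    12
PASS_WARN_AGE   7
"""

# Constructed spool of: SELECT profile, resource_name, limit FROM dba_profiles
# WHERE profile = 'APP_PROFILE' AND resource_type = 'PASSWORD';
DBA_PROFILES = """
APP_PROFILE FAILED_LOGIN_ATTEMPTS 10
APP_PROFILE PASSWORD_LIFE_TIME UNLIMITED
APP_PROFILE PASSWORD_REUSE_MAX 10
APP_PROFILE PASSWORD_LOCK_TIME 1
APP_PROFILE PASSWORD_GRACE_TIME 7
"""


@dataclass(frozen=True)
class Deviation:
    system: str
    parameter: str
    observed: str
    required: str


def parse_login_defs(text):
    """Return {NAME: value} for 'NAME VALUE' lines, skipping comments."""
    observed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s+(\S+)$", line)
        if m:
            observed[m.group(1)] = m.group(2)
    return observed


def parse_dba_profiles(text, profile):
    """Return {RESOURCE_NAME: LIMIT} for one profile from spooled rows."""
    observed = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == profile:
            observed[parts[1]] = parts[2]
    return observed


def as_number(value):
    """Map a limit string to a comparable number.

    UNLIMITED becomes infinity so it fails every "max" rule. DEFAULT is
    inherited from the DEFAULT profile and cannot be judged here, so it
    (and any other non-numeric value) is returned as None.
    """
    if value.upper() == "UNLIMITED":
        return math.inf
    try:
        return float(value)
    except ValueError:
        return None


def check_parameters(system, observed):
    """Return the list of policy deviations for one system."""
    deviations = []
    for name, (rule, limit) in POLICY[system].items():
        raw = observed.get(name)
        required = f"{rule} {limit}"
        if raw is None:
            deviations.append(Deviation(system, name, "not set", required))
            continue
        value = as_number(raw)
        if value is None:
            deviations.append(Deviation(system, name, raw, required + " (unresolved)"))
        elif (rule == "max" and value > limit) or (rule == "min" and value < limit):
            deviations.append(Deviation(system, name, raw, required))
    return deviations


def audit():
    """Run both checks over the constructed inputs."""
    return (check_parameters("linux", parse_login_defs(LOGIN_DEFS))
            + check_parameters("oracle", parse_dba_profiles(DBA_PROFILES, "APP_PROFILE")))


if __name__ == "__main__":
    for d in audit():
        print(f"{d.system:6} {d.parameter:22} observed={d.observed:10} required={d.required}")
```

Run against real exports, the script gives the reviewer a list of exceptions to raise with the supplier rather than a spreadsheet to eyeball; the POLICY table is the place to record the key parameters once the Horizon Security Policy defines them, and a parameter that is missing or inherited is reported rather than silently passed.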


Network Transformation Financial Controls

Findings -
Review and authorisation of investment costs pipeline: The control that is designed to assess (pass / fail) batches and individual branches has not worked effectively, as evidenced by:

• Errors identified in the control spreadsheets used by Network Transformation (NT) and Finance teams (subsequently rectified);
• Design of the spreadsheet used by Finance is such that, on an individual basis, all branches will pass the initial review;
• A commercial decision was taken to pass two batches that were escalated on the basis of the initial review. The high costs associated with branches in these batches are distorting the cumulative figures that are designed to be used as part of the decision process; and,
• No reconciliation between the source data received from Network and that processed by Finance.

Financial Assessment prior to the branch proceed decision: Controls are in place to prevent investment in high risk branches. However, poor quality of documentation received from Agents results in duplication of effort, leading to delays in the process. Short term revisions to the test for risks have been introduced and have accelerated the processing of branches for inclusion in the programme. This does not weaken the control, as branches cannot proceed to contract stage without having passed the full risk assessment.

No controls have been put in place in relation to the following:

• Joint approval by Finance and Network to proceed to contract stage. However, if the actions identified by Finance to strengthen other controls are completed then POL should give consideration to the need for this control.
• Review, validation and approval by Finance of all contract data prior to release of contracts for agent signature, or prior to POL signature on return of signed contracts from the agent.

What is being done —

Review and authorisation of investment costs pipeline: The existing processes have been reviewed to ensure that both elements of the control (i.e. branch and batch) are achieved. Sample checks of investment batches are to be performed to ensure they have been processed accurately within Finance. Investment batch data is to be reconciled to that provided by the Supply team.

Financial Assessment prior to the branch proceed decision: The process for escalation of branches with one / two issues from the financial assessment is to be documented as part of the control framework. In conjunction with the Network team a document is to be produced outlining the financial assessment process, detailing the specific requirements for use by Agents when completing their finance assessment pack.

Other controls: The need for a control requiring joint approval to proceed to contract stage is to be re-considered in light of the other improvement activity listed above. A mechanism is to be introduced to ensure that the finance information that is to be included in the agent's contract is reviewed by Finance on a sample basis prior to the contract being sent out.


Appendix Summary of IARM Actions

[Chart: Summary of actions by month due (Jun 12, Sep 12, Oct 12, Nov 12, Dec 12, Jan 13, Feb 13, Mar 13, May 13, Nov 13), giving the number of actions in each status.]

Status legend:
• Not yet due but ability to deliver is in doubt, or overdue and ability to deliver is in doubt
• Not yet due but significant slippage expected, or currently overdue
• Not yet due but some slippage expected
• Not yet due but on target
• Action completed

[Chart: Summary of actions by review and due date (Oct 12 to Nov 13) for the reviews Business Risk Assurance, Key Controls in POLSAP and Key Controls in Horizon Follow Up.]

Post Office Limited (POL) - Internal Audit & Risk Management Plan (IA&RM) 12/13

[Table: IA&RM 12/13 assignments with status, planned and used days and outcome; the rows are not legible in the scan.]

500 days as agreed per RMG/POL MSA. So far three assignments (Payroll Data Analytics, Agents Remuneration and Business Risk) cancelled totalling 120 days, replaced by additions below.


Confidential

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE

Post Office Limited Internal Audit
Status and proposed 2013/4 plan

1. Purpose
The purpose of this paper is to:

1.1 Outline the status of the set up and recruitment of the Post Office Limited
Internal Audit (POLIA) team.

1.2 Outline the proposed internal audit plan for Post Office for Financial year
2013/2014

1.3 Outline the resourcing approach for the above.

1.4 Request final direction and approval from the Audit and Risk Committee of the audit plan and resourcing.

2. Background

2.1 The Royal Mail Internal Audit function has been engaged to provide internal audit
services while Post Office sets up its own function. The ARC on November 13
2012 supported the proposal by the POL Head of Internal Audit of three Internal
Audit Managers supported by a co-source arrangement with an external provider.
The three roles will work across the business but with some specialist focus and
background.

• Audit Manager - IT
• Audit Manager - Programmes and Projects
• Audit Manager - Network and Supply Chain

2.2 The latter two roles are more generalist and are expected to devote
approximately 50% of their time in the specialist areas.

2.3 The co-source arrangement is currently budgeted for 100 man days (half a man year) and will support the team where specific expertise or additional temporary headcount is needed for certain audits or reviews. All co-source staff will be under the direct supervision of POLIA.

2.4 The Royal Mail Internal Audit team were originally contracted by management in 2012 to provide an agreed audit plan and support for 2012/13 totalling 500 man days up to 31st March 2013.

2.5 Internal Audit represents the 3rd line of defence in the model of risk management and control. Post Office also has several functions in the 2nd line of defence, including a Supply Chain Compliance Team who conduct compliance checks against a number of external standards across the cash centres, and the Field Support Advisors who conduct audits of cash and valued stock at branches with some compliance work. These report through to management, not Internal Audit. This paper therefore focuses on the plans for Internal Audit.

Internal Audit Plan 2013/14 Malcolm Zack — Head of Internal Audit Page 1 of 4
13th February 2013

3. Current Situation

• Malcolm Zack, Head of Internal Audit (previous three roles: Brakes, Visa, Sainsburys)
• Audit Manager - IT: vacancy
• Audit Manager - Programmes/projects: vacancy
• Audit Manager - Network/Supply Chain: Garry Hooton (Brakes, Superdrug, Forte), joins March 2013

3.1 At the time of writing, the Audit Manager - Network and Supply Chain is due to start on March 4th 2013. Recruitment for the IT Audit Manager is at interview stage and the search process for the third role is just completing.

3.2 Due to notice periods, it is unlikely that the team will reach full complement before May 2013.

3.3 The business has used approximately 400 man days of the 500 originally agreed with Royal Mail. This is mainly due to delays and some cancellations of audits earlier in the year. Royal Mail have indicated that they would be prepared to run this over into Q1 if required.

3.4 The co-sourcing arrangement has recently commenced tendering through government procurement processes. This is likely to run through to May before being finalised.

3.4 The co-sourcing arrangement has recently commenced tendering through
government procurement processes. This is likely to run through to May before
finalised.

3.5 Recommendation 1

It is recommended that, rather than a "hard break" with Royal Mail on the 31st March 2013 as originally planned, the remaining contracted 100 days be utilised to good effect in Q1 2013/4 while the POLIA team arrives and is inducted. The exit from Royal Mail support will be completed by 30th June at the latest. This provides the following benefits:

• Allows POLIA to complete recruitment, proper arrival and induction.
• Maintains internal audit activity.
• Allows POLIA audits to commence in the branch and cash areas.
• Smooths the transition.
• Utilises contracted days as far as possible.

The 2013/14 plan therefore provides for Royal Mail to conduct follow up work on
its 2012 audits and complete remaining work.

The ARC is requested to approve the resourcing recommendation

4. Construction of the Internal Audit Plan 2013/2014
4.1 The traditional approach for formulating an audit plan would take into account the organisation's information in its risk registers and the Board's top risks, complemented by Internal Audit's own views based upon management input and previous experiences and audits.

4.2 However, the company risk management processes are still evolving, with bottom up risks yet to be fully complemented by a top down review; the company view of risk is thus still in formation. Therefore the 2013/2014 internal audit plan has been built based on the following:

• Risks structured around risk types.
• Risks identified during induction and visits to business sites and discussions with POL management.
• Risks documented by the risk and compliance team and presented to the Risk and Compliance Committee.
• IA review of risk registers.
• Discussions with the Royal Mail Internal Audit team and Director.

4.3 The plan for 2013/14 recognises the following, outlined in section 3:

• POL Internal Audit team recruitment in progress; staff will be arriving during Q4 2012/13 and early Q1 2013/14 and going through induction.
• Some finalisation of 2012/2013 Royal Mail IA work needed.
• Flexible approach required.
• ARC to review at each quarter.
• Co-sourcing going through tender for availability post April 2013.
• The need for the POL IA team to gain knowledge of PO processes through the year.

5. Summary of Plan and candidate list.

5.1 The Committee is referred to the "Plan on a Page" in Appendix 1. This shows a "candidate list" with suggested priorities. The list is deliberately more than the team will be able to conduct in the year so that the audit committee can input on priorities and preferences. The committee is also referred to Appendix 2 which explains the reviews in more detail.

5.2 The audit plan is currently weighted for quarters 2 and 3. This six month period
will be when the POLIA audit team gains traction. Quarter 4 (Jan to Mar 14) is
left as light to allow for changing business risks and priorities, requests from
management or the ARC which will arise or to accommodate Q3 audits that
require more time than anticipated. The plan assumes an annual man day
availability of 200 man days per audit manager but plans for 80% (160 days).

5.3 The plan should allow for advisory work and ongoing support to business areas besides specific audits.

5.3.1 The Committee should note that the team will be involved in supporting key areas such as the development of the risk management framework.


5.5 The plan will be reviewed quarterly with the ARC to allow for reprioritisation as necessary.

5.6 Any request received from management which upon review requires significant resource or reorganisation of the plan will be discussed with the Audit Committee Chairman. Small requests that can be easily accommodated and are of sufficient risk will be managed by the team.

5.7 The main themes for the POLIA in its first full year are to:

• Provide on-going assurance over the change programmes including Finance SAP, Network Transformation, the IT Change programme and the overall management by the Strategic Programme Management Office.
• Establish stronger assurance over the management of cash in the supply chain, supply chain compliance teams and examination of the effectiveness of the branch auditing methods, scope and techniques.
• Focus on key IT risks including security, protection of personal data and access and governance around the System Integration.
• Provide a mix of strategic areas complemented by assurance work over operational areas.
6. Recommendation 2

6.1 The Audit Committee members are requested to:

• Review the proposed plan.
• Determine the relative priorities as suggested.
• Provide any necessary direction or amendment.
• Approve the plan and the flexible resourcing approach.

6.2 An approved copy will be circulated to the Risk and Compliance committee and
Executive Committee members.

Malcolm Zack
13th February 2013

Appendix 1 Plan on a Page

Candidate reviews by quarter, with man days in brackets. (The original page also ticked each review against a set of risk categories whose column headings are not legible in the scan.)

Q1
• Royal Mail IA - Follow ups of 2012 audits (n/a)
• Royal Mail IA - Completion of LINK review (n/a)
• Royal Mail IA - Completion of Critical Business Controls Framework (n/a)
• Royal Mail IA - ISO 27001 review of AE system (management request)
• Network security configuration (20)
• Cash Centre Audits - Observation of approach; level of assurance gained from 2nd line defence team (25)
• Swindon Stores - Operations Review (20)

Q2
• Benefits Realisation - Management and Methods (25)
• Management of the SPMO (15)
• Data Security - controls around protection of personal data (30)
• Treasury - Review of procedures and control framework (20)
• Branch Audits - Assessment of approach used by the Network Audit teams and assurance gained (30)
• Software Licence review (15)
• SAP Security - POL SAP - short random reviews (7)
• SAP Security - HR SAP (15)
• Eagle Contract - Application of controls and processes agreed (20)

Q3
• Business Continuity - Readiness assessment (20)
• Policy Compliance assessment - Anti-Bribery and AML (30)
• Systems Integrator - Review of governance model employed (15)
• Branch Audits and Losses (20)
• Transformed branches - review of value vs investment (20)
• Branch Profile Model - review of use (10)
• Foreign Exchange - management of end to end process (25)
• Manchester Cash centre - management of closure (15)
• Information Security Governance - review of improvement plan and its application (15)
• IT change management (15)
• Board effectiveness review / Executive Committee effectiveness (10)

Q4
• Social media - management of risk (15)
• Complaints Management (0)
• Expense Management (0)
• Penetration Testing (0)
• PCI DSS (0)
• or roll over of Q3 audits if more time needed

Q1-Q4 Project/Programme Audits
• Finance Systems - SAP - Core Finance/MI (40)
• Network Transformation Programme (40)
• IT & Change programme (40)

Q1-Q4 Other
• E&Y liaison (5)
• Risk Management support to business / liaison with Head of Risk (20)
• Objectives and personal development requirements (10)
• Royal Mail IA - finalisation/administrative work, Q1 (5)
• Committee support (ARC, R&CC etc.) (5)

Man days assigned: 617
Budget - 3 managers at 160 days (pre contingency): 480
Contingency: 120
Total days at 200 man days per year: 600
To allocate: -137
Appendix 2 Details of Proposed Reviews

Each entry gives the review type and, where assigned, its priority (A, B or C), followed by an outline of the review and the risk sources it is drawn from.

Strategic: Benefits Realisation - Management and Methods
Outline: A review of the overall approach for transformation, the application of guidance issued to selected individual projects, and the measurement methods being used. The risk is that projects and programmes do not apply sufficient data/metrics before and during the programme to enable the project to be properly assessed during and post implementation.
Risk sources: Transformation Programme Risk Map, "Benefits of Crown transformation are not realised to support breakeven objective" and "Benefits planned as part of the agreed business cases are not robust and are not realised as planned"; BAU top 12 risks, "Risk that benefits from strategic programmes are not implemented or achieved".

Strategic: Management of the Strategic Programme Management Office
Outline: The SPMO provides the programme management for the Transformation Programme. Its information and guidance to the Transformation Board is critical for decision making. As part of the Internal Audit ongoing review of projects and programmes in Post Office, this function needs to be amongst the first reviews so that the overall state of management control can be confirmed.
Risk sources: Internal Audit Assessment. The SPMO is a key coordinating body for the strategic programme.

Strategic: Transformed Branches
Outline: Branches that have been converted. How has performance altered? Are benefits being measured and are the results as expected?
Risk sources: Internal Audit Assessment. The Royal Mail internal audit focused on financial controls for selecting and evaluating branches for conversion and the investment to be made available. This review is effectively a post implementation assessment.

Strategic: Systems Integrator - Governance
Outline: A key change in the management of the IT infrastructure is the establishment of a Systems Integrator to manage the key suppliers to Post Office IT. Governance of the relationship between the SI, Post Office and the 3rd parties will be an essential component of the future IT operations. Area of risk identified by CIO.
Risk sources: IT Team/CIO risk discussion with Internal Audit.

Strategic: Finance Systems - Finance Road Map/SAP
Outline: Ongoing programme/project assurance role focusing through the programme on governance, risk management, issue management, control design, IST, UAT, Go/No go criteria and PIT.
Risk sources: Transformation Programme Risk Map, "Finance Transformation - Emerging IT separation/support services approaches impact current FTP business case and plan"; Finance Risk Map (Dec 12).

Strategic: Network Transformation Programme
Outline: Ongoing programme/project assurance role focusing on governance, risk management, issue management, branch conversion roll out, changes in process and link to the network audit team work.
Risk sources: Internal Audit Assessment.

Strategic: IT and Change Programme
Outline: Ongoing programme/project assurance role focusing on governance, risk management, issue management and changes in systems which will feed into future IT audit work.
Risk sources: Internal Audit Assessment.

IT: Network security configuration
Outline: A review of the security of the local area network and how IT prevent unauthorised access to sensitive data. Complement to the security reviews conducted in 2012 on SAP and Horizon.
Risk sources: Internal Audit Assessment and Top 12 BAU risk Map, "IT&C Information security governance, processes and resourcing is not adequate to effectively protect the Post Office from accidental damage, theft or misuse of its data".

IT: SAP Security - POL SAP random audits
Outline: Randomised short reviews to ensure actions taken following the external audit review at the 2011 year end remain effective. SAP Security and User Administration: random checks of key parameters, ongoing assurance and identification of changes.
Risk sources: Internal Audit Assessment and Top 12 BAU risk Map, "IT&C Information security governance, processes and resourcing is not adequate to effectively protect the Post Office from accidental damage, theft or misuse of its data".
IT (priority B): SAP Security - HR SAP
Outline: SAP security in past years was not reviewed within the HR system, only POL SAP (Finance and Supply Chain). Basic configuration review plus review to ensure appropriate segregation of duties and control of access to personal data.
Risk sources: Internal Audit Assessment and Top 12 BAU risk Map, "IT&C Information security governance, processes and resourcing is not adequate to effectively protect the Post Office from accidental damage, theft or misuse of its data".

IT (priority A): Data Security - controls around protection of data
Outline: Derived from the IS Information Security review underway as at Q3 2012/3. The top 12 information assets have been defined by IT. This review will test the logical and physical controls being placed around the personal data at risk.
Risk sources: Internal Audit Assessment and Top 12 BAU risk Map, "IT&C Information security governance, processes and resourcing is not adequate to effectively protect the Post Office from accidental damage, theft or misuse of its data"; "POL fails to comply with Data Protection Legislation".

IT (priority B): Software Licence review
Outline: Due to the separation of Royal Mail and Post Office, there remains some risk that software licences may not have been properly assigned or applied. Software licensing review: unlicensed risks, duplication and cost risks, the process for obtaining, granting, managing and removing licences, legal position, guidance to users and tools for detection. Breach of licensing can result in fines and penalties but most significantly in damage to reputation.
Risk sources: Internal Audit Assessment.

IT (priority B): Information Security Governance
Outline: Review of the application of recommendations anticipated from the 2012/3 Deloitte review following Project Buffalo.
Risk sources: Internal Audit Assessment and Top 12 BAU risk Map, "IT&C Information security governance, processes and resourcing is not adequate to effectively protect the Post Office from accidental damage, theft or misuse of its data".

Core Operations: Branch Audits - Assessment of Assurance
Outline: Detailed examination of the branch auditing processes. Assessment of scope, branch coverage and auditing techniques. Assessment of the degree of assurance that the board can obtain from current approaches.
Risk sources: Internal Audit Assessment.

Core Operations: Swindon Stores - Operations Review
Outline: Swindon is a core operational site supporting the valued and non valued stock distribution across Post Office. It was last reviewed in 2010. Some parts are significantly automated, others manual. Key risks include security, financial loss, continuity to branches and general operations.
Risk sources: Internal Audit Assessment.

Core Operations: Supply Chain Compliance - Cash Centres Assessment of Assurance
Outline: Detailed examination of the cash centre auditing processes. Assessment of scope, branch coverage and auditing techniques. Assessment of the degree of assurance that the board can obtain from current approaches.
Risk sources: Internal Audit Assessment.

Core Operations: Business Continuity - Readiness assessment
Outline: Assessment of the actual plans in place across key operational and business sites in POL. Whilst a project is underway to establish a full Business Continuity Management process and policy, documents and plans exist in various locations. The audit will determine the company's readiness and ability to react quickly after notification of a major incident. Review of the in progress BCM policy and procedures and future plans. Link to management of company reputation. Includes IT Disaster Recovery / Incident management.
Risk sources: Internal Audit Assessment and Top 12 BAU risk Map, "Loss or unavailability of IT Infrastructure".

Core Operations: Management of Branch Losses
Outline: Linked to the network audit assessment. Review of how the company captures, assesses, prevents and recovers cash losses identified in the branch network. May be extended to the cash centres.
Risk sources: Management suggestion and IA assessment.

Core Operations: Branch Profile Model
Outline: Linked to branch auditing, fraud management, losses and physical security. The model helps the Security team and Finance operations identify branches that may need specific audit attention or investigation. The model has been recently revamped and improved. Review to determine its effectiveness in driving branch selection and identifying anomalies.
Risk sources: IA Assessment.

Finance: Treasury - Assessment of management processes
Outline: Review of the governance, risk management, processes and controls employed by the newly established POL treasury function following the separation from Royal Mail.
Risk sources: IA assessment, complexity of risk and discussion with Treasury Management.

Finance: Treasury - Cash Management process and controls
Outline: Review of the process, controls, decision making and authorisation for managing the amount of cash to be held in the branch network versus balances in cash centres or with the Bank of England. Optimisation of interest earnings versus sufficient stock in the network.
Risk sources: IA assessment, complexity of risk and discussion with Treasury Management.

Finance / Core Operations: Management of Foreign Exchange
Outline: End to end review of the management of foreign exchange in branches and cash centres, including Hemel Hempstead, and compliance with Treasury decisions and policy.
Risk sources: IA Assessment.

Governance: Policy Compliance assessment
Outline: ARC request to test compliance with policies. As there are over 100 business policies, this review cannot test compliance with all of them in one review. Some of these will form part of other reviews. It is proposed to select 3-4 key policies for testing in 2013. Suggested areas include AML, Anti-Bribery and Data Protection compliance.
Risk sources: ARC request, Nov 13 2012 meeting.

Governance: Board/Executive Committee effectiveness review
Outline: The POL Board and Executive Committee will be in their second year of operation since separation. The board and its committees are an essential part of corporate governance. This review has been suggested by the head of HR and Corporate Services. It may benefit from being a joint review with the Head of Internal Audit and a specialist 3rd party evaluator. Areas include: role of the Board and Directors, Board support and role of company secretary, decision making, composition and succession planning, performance evaluation, Audit, Risk and Remuneration, relations with Shareholders.
Risk sources: Management suggestion and IA assessment.

Financial Services: Eagle Contract
Outline: Review of application of controls agreed in contract, payments and operation of governance.
Risk sources: Management suggestion, subject to further discussion.

Other Operational (priority C): Complaints Management
Outline: Complaints are aggregated by Service Management and reported upwards. Due to the customer service and reputation risks involved, effective complaints management can build opportunity from customer feedback, encourage company learning and correct process and policy. The review will focus on the completeness of the information gathering, the analysis and reporting and the action taken by affected business areas.
Risk sources: Management suggestion and IA assessment.

Other Operational (priority C): Expense Management
Outline: Approximately £5-£6m is processed annually through the SAP HR system (excludes travel booked directly with Capita). Whilst not a large business risk, expense fraud and irregularities are common among organisations. Much may be of low materiality, but for public organisations abuse or misuse of expenses by management, especially senior management, has reputational impact (MPs and local authority leaders, for example). This can be as damaging to the organisation as it is to the individual regardless of the levels involved.
Risk sources: IA assessment. Can be considered low risk/impact by management but is a common problem with reputational risk.

Other Operational (priority B): Social media - management of risk
Outline: Social media presents opportunity for Post Office. The immediacy of social networks and tools and instant communication increases the risk of reputational damage, either maliciously or unintentionally. Review of company policy over usage by communications staff and general staff and its application. Assessment of the residual risk facing the organisation.
Risk sources: IA Assessment, emerging trend.

Other Operational (priority C): Review of Penetration Testing
Outline: Penetration testing is usually exercised by third parties who attempt to break through an organisation's firewalls and logical defences. Weaknesses identified should be followed up by management. This review would focus on the scope of penetration testing employed, the results and the action taken by management. Links to general information security and data security/governance activity underway in the business.
Risk sources: IA Assessment, link to general information security risks.

Other Operational (priority B): Management of Manchester closure
Outline: The cash centre may be closed during 2013. As it holds significant assets, there is some risk of loss. A short review of the approach and methods of business transfer to other sites could be considered, including verification of physical assets and equipment for transfer, sale or disposal.
Risk sources: IA suggestion.

Other Operational (priority B): Review of PCI DSS compliance audits
Outline: Overview of the PCI compliance programme managed by Information Security.
Risk sources: IA Assessment, link to general information security risks.


Strictly Confidential

POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE
Information Security and Data Asset Review
1. Purpose
The purpose of this paper is to:

1.1 Provide the Committee with an update on developments, progress and actions on
the Information Security agenda for Post Office. It is for noting purposes only.

2. Background

2.1. Since our update to the Committee in November, we have been progressing three
strands of Information Security activity, with the majority of actions completed and a
new plan generated:

• Priority action plan: this covers a range of priority activities that are focused on
improving our current Information Security controls and management;

• Data asset review: this is focused on producing an initial assessment of Post
Office's top 13 supplier/partner contracts. These were categorised by potential for
significant reputational risk should we encounter a loss of our business
information;

• Independent review of Post Office's Information Security: this was to provide an
independent view of Post Office's information security approach and a road map
of improvement activity.

2.2 This paper provides an update and actions on each of the above areas.

3. Priority action plan
3.1 The following priority actions have been completed since November:

• Post Office staff have been reminded of the importance of protecting
information through Data Protection awareness communications.

• The Privacy / Data Protection Governance structure has been presented to and
approved by the Risk & Compliance Committee.

• The Major Incident Management process has been reviewed, and
improvements have been implemented, to ensure an early alert mechanism
for escalating potential security breaches to the attention of senior managers.

• The Clear Desk and Screen Policy has been reviewed and communicated via the
senior leadership team; assurance activity is in place to ensure compliance.

• Information Security training for new staff and annual refresher training for all
staff has been finalised and will be rolled out in March.

Information Security and Data Asset Review Lesley Sewell Page 1 of 5
February 2013

• The Post Office Information Security Policy has been reviewed and will be
published through the Risk & Compliance Committee.

• A Data Protection Handbook providing guidance and process has been
drafted and will be rolled out to branches via Horizon and Branch Focus in Q1.

4. Data Asset Review

4.1 We have continued the review of our top ranked data assets held by third parties on
behalf of Post Office. A model has been developed to enable a quantitative
assessment to be carried out, and this work has identified the top 13 risk areas which
are viewed as carrying the highest risk to the brand and to customer privacy. The core
contracts have been reviewed by our external law firm, and the Information Security
risk has been assessed internally; other supplementary contracts in the chain are in
the process of being reviewed. From the review the following points are noteworthy:

4.2 Bank of Ireland, whilst not currently ISO 27001 compliant, is working towards this
standard and is two thirds of the way through the process. At this stage in the
review we have not identified any significant areas for concern, but we are continuing
our work with Bank of Ireland to understand their supply chain in more detail.

4.3 RAPP, who manage and host the Marketing database for Post Office, hold a
significant amount of personal and account data. We understand their security
architecture, which is ISO 27001 certified, and the measures they take to protect Post
Office data. We are currently reviewing the amount of customer and account data
being maintained, to ensure it is appropriate, and a further review of the contract is
underway.

4.4 Our top 13 contracts have been reviewed with regard to Data Protection and to
understanding our position from an ICO (Information Commissioner's Office)
perspective: whether we are likely to be considered the controller of the data or a
processor. In the majority of cases the contracts are clear; however, there are some
exceptions which do require further investigation. Further work is required to clarify
whether operational practices accurately reflect the contractual clauses (as the ICO
takes both into consideration), and an action plan to address any gaps will be
prepared.

4.5 Most third parties have capped their liability in relation to data issues and in some
instances there are specific exclusions or limitations in addition to a cap. Where the
core contract forms part of a larger chain (e.g. POCA) there are two instances where
Bond Pearce have identified that our entitlement to recover from the third party is
capped at a sum lower than our potential liability to the end customer (POCA / HP and
DVLA / Cogent). In terms of indemnification for data issues, we benefit from
indemnities in some but not all of the contracts reviewed; some of these indemnities
are uncapped (e.g. Cogent) - which is in our favour.

4.6 The first stage of the review is scheduled to complete at the end of February, and
the minimum Information Security standards will be implemented for all top 13
contracts and an action plan for our suppliers will be agreed during March.
5. Information Security — Independent Review Findings

5.1 Deloitte have been engaged to complete a review of Information Security within Post
Office, covering a maturity and gap analysis against information security standards
(ISO 27001/2)¹. The high level findings have been agreed. The details are currently
being reviewed by all key stakeholders within Post Office, and a detailed plan
encompassing the activities currently underway and the future road map has been
prepared.

5.2 The key findings from the review are as follows:

• The Information Security team is significantly under-resourced and there is
insufficient internal resource to provide appropriate security input into new and
on-going projects, or assurance activities with our key suppliers/partners. The
recruitment of a Head of Information Security is underway, and to support our
recent separation from RMG additional security specialists are being recruited.

• We do not have a comprehensive view of the Information Security risk
environment, and the existing Information Security policy set is incomplete:
there is a mixture of legacy RMG policies and gaps in the policy set.

• On-going training and awareness across Post Office is not currently proactively
managed, and there is no rolling security awareness campaign for Information
Security policies.

• There is a need for greater oversight and a formal assurance programme for our
third parties' Information Security controls. Whilst there are some assurance
activities, such as PCI (Payment Card Industry) compliance testing and
governance structures for our suppliers/partners, they are not consistent. A standard
framework is required for the management of Information Security controls
operated by third parties.

• Gaps were identified in the existing Information Security governance
forums; it is recommended that an Executive level forum be created which
will report through to the Risk & Compliance Committee quarterly.

5.3 Deloitte have recommended an action plan, outlined in Appendix A. This has been
reviewed by the project team to assess the level of resources and support required.
In addition, we have aligned the plan with the activities currently underway. The plan
includes:

• Mobilising the Information Security team to ensure that the POL Information
Security objectives are met, with clear accountabilities and structure.

• Improving the Information Security risk control and review framework, which will be
aligned to the wider risk activities across Post Office.

• Implementing a high level Information Assurance Strategy and supporting policies,
and wider monitoring and compliance with the Data Protection Act.

• Developing a framework of security management (including audit rights and clarity
of contracts) for our suppliers, and implementing controls to address the risks
inherent in legacy contracts.

¹ ISO 27001/2: International Standards covering the specification and management of an organisation's
Information Security Management System, and the guidelines and general principles for initiating, implementing,
maintaining, and improving information security management within an organisation.


• Conducting a training and awareness programme, including the development of
campaigns to address identified risks.

• Aligned to our Separation activities, reviewing the current security infrastructure
protecting key components such as our network and asset management.

6. Summary
The Committee is asked to note the positive progress which has been made and it is
proposed that quarterly updates are provided to ARC and the Risk and Compliance
Committee on progress.

Lesley Sewell
February 2013


Appendix A — Deloitte proposed Information Security transformation roadmap

The Deloitte POL Information Security Review proposes the following Information Security
roadmap:

[Roadmap chart: columns Objectives, Quick Wins, Q1 2013, Q2 2013, Q3 2013, Q4 2013, Q1 2014 and Key Milestones, for six work streams: 1. Team Mobilisation (milestone: security team mobilised with responsibilities for security defined); 2. Information Risk review, including governance (milestone: Information Security risk strategy defined); 3. Security Strategy and Policies (milestones: Post Office security strategy defined; security policies produced and rolled out); 4. Supplier Management (milestones: supplier standards and framework for new suppliers; legacy security controls implemented); 5. Training & Awareness (milestone: training and awareness campaign developed); 6. Security Infrastructure Review (milestones: network risk discovery exercise; infrastructure vulnerabilities identified; vulnerability management framework rolled out and implemented).]

1. Team Mobilisation is development of job descriptions and recruitment of the required
Information Security staff.

2. Information Risk review includes definition of the underlying data relationship and
baselined security controls.

3. Information Security Strategy and Policies includes a refreshed policy set, and
Information Security minimum standards.

4. Information Security Supplier Management implements the minimum standards with the
top 13 suppliers and ensures a consistent governance structure.

5. Training and Awareness is for both Head Office staff and the staff in the branches.

6. Security Infrastructure Review - to review the current security infrastructure for our
network and implement, where appropriate, a regular vulnerability assessment process.
This will be aligned with our separation from RMG.


SECRET

POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE

Bank of Ireland (UK) plc Capital & Liquidity

1. Purpose
The purpose of this paper is to:

1.1 update the Committee on the Bank of Ireland (UK) plc's capital and liquidity
position against its regulatory and Eagle contract (FSJVA) requirements,
following the request at the Committee meeting in November 2012. The update
is set out in the presentation attached.

2. Background

2.1 As part of the requirements of the FSJVA the Bank of Ireland (UK) plc (the Bank)
is required to meet capital and liquidity standards, providing Post Office Ltd with
comfort that our customers' deposits are secure.

2.2 The Bank’s capital and liquidity reports are part of the early warning system that
would enable Post Office Ltd to take action in accordance with the termination
provisions of the agreement, should this become necessary.

2.3 Certain information in the presentation has been provided with specific
permission of the Bank and is commercially sensitive. The Committee is asked
to treat the information as secret.

2.4 As requested at the previous Committee, Nicholas Kennett presented the
attached paper to Alasdair Marnoch, Tim Franklin and Chris Day in January
2013.

3. Conclusion

3.1 As advised at the November Committee, the Bank’s capital and liquidity
attestation has met the terms of the FSJVA and no further action is required.
We will continue to monitor the position.

4. Recommendations

The Committee is asked to:
4.1 note the update as set out in the attached presentation.
Nicholas Kennett

Director, Financial Services
6th February 2013

ARC Bank of Ireland (UK) plc Capital & Liquidity Nicholas Kennett Page 1 of 1
6th February 2013
PROJECT EAGLE
SECRET
Bank of Ireland (UK) plc Capital & Liquidity
23rd January 2013
Eagle_BOI capital & liquidity POL ARC Feb 2013 v0.1

Post Office® IN THE STRICTEST COMMERCIAL CONFIDENCE

Agenda

1. Bank Capital Requirements

2. Bank of Ireland (UK) plc capital status

3. Bank Liquidity Requirements

4. Bank of Ireland (UK) plc liquidity status

5. Post Office termination rights in the FSJVA


1. Bank Capital Requirements

Bank Capital

The difference between the value of a bank’s assets and its liabilities. The bank capital represents the net
worth of the bank to investors. The asset portion of a bank’s capital includes cash, government securities and
interest-earning loans like mortgages, letters of credit and inter-bank loans. The liabilities section of a bank's
capital includes loan-loss reserves and any debt it owes.

Bank Capital is made up of Tier 1 capital (Core Tier 1 (now Common Equity Tier 1) capital and non-Core Tier
1 capital) and Tier 2 capital. The most critical of these is Tier 1 capital.

Tier 1 Capital

• The predominant form of Tier 1 capital must be common shares and retained earnings. The remainder of
the Tier 1 capital base must be comprised of instruments that are subordinated, have fully discretionary
non-cumulative dividends or coupons and have neither a maturity date nor an incentive to redeem.

• Common Equity Tier 1 must be at least 4.5% of risk-weighted assets at all times.

• Tier 1 Capital must be at least 6.0% of risk-weighted assets at all times.

• Total Capital (Tier 1 Capital plus Tier 2 Capital) must be at least 8.0% of risk-weighted assets at all times.


1. Bank Capital Requirements — Basel III (from January 2015)

[Chart: Basel III capital requirements as a percentage of risk-weighted assets. Minimum capital requirement: Common Equity Tier 1 4.5%, additional Tier 1 1.5% (Total Tier 1 6.0%), Tier 2 2.0% (Total Capital 8.0%). Minimum capital requirement including buffers: capital conservation buffer 2.5% (CET1 plus conservation buffer 7.0%) and counter-cyclical buffer 0%-2.5%. Under the previous regime the Core Tier 1 minimum was 2.0%.]
• The minimum common equity capital requirement will rise from 2% to 4.5%.

• Tier 1 capital, which includes CET1 capital, will increase from 4% to 6%.

• The "capital conservation buffer", which sits above the regulatory minimum, will be 2.5%
and will consist of common equity.

• The "counter-cyclical buffer" ranges between 0% and 2.5% of common equity
capital (or other fully loss-absorbing capital):
  - This only comes into effect when there is excess credit growth.
  - It will be implemented on a national basis.

• Systemically Important Financial Institutions (SIFIs) may be required to hold
additional capital on the basis that they are "too big to fail".

Source: Association for Financial Markets in Europe

1. Bank Capital Requirements — Phasing the move to Basel Ill
[Chart: Phase-in arrangements for Basel III changes to regulatory capital requirements, 2012 to 2019. Left-hand scale (percentage of risk-weighted assets): minimum CET1 capital ratio, capital conservation buffer, minimum Tier 1 capital ratio, and minimum CET1 capital plus capital conservation buffer. Right-hand scale (percentage of required deductions): phase-in of deductions from CET1 capital. Notes: a) Phase-in arrangements will be effective from 1st January each year; b) Current FSA regulatory Core Tier 1 capital requirement; c) Basel III will strengthen capital definitions through new CET1 capital deductions.]

Source: BIS and BoE (2012)

2. Bank of Ireland (UK) Capital Status (as at 30th September 2012)


[Chart comparing Core Tier 1 capital ratios. Minimum Regulatory Capital Requirement (1st January 2015): Common Equity Tier 1 4.5%, non-core Tier 1 1.5% (Total Tier 1 6.0%), with Tier 2 Capital on top to Total Capital 8.0%. Minimum FSJVA Requirement: Core Tier 1 (CET1) 4.5% plus an "Eagle Buffer" of 3.5%, i.e. 8.0%. BoI (UK) Actual (as at 30th September 2012): 9.0%.]


3. Bank Liquidity Requirements

Bank Liquidity

Cash and other financial assets that banks possess that can easily be liquidated and paid out as part
of operational cash flows. Examples of core liquidity assets would be cash, government bonds and money
market funds. Banks typically use forecasts to anticipate the amount of cash that account holders will need to
withdraw, but it is important that banks do not over-estimate the amount of cash and cash equivalents
required for core liquidity because unused cash left in core liquidity cannot be used by the bank to earn
increased returns.

The Liquidity Adequacy Rule, the Individual Liquidity Guidance, the Liquidity Coverage Ratio and the
Net Stable Funding Ratio

Liquidity Adequacy Rule

• "A firm must at all times maintain liquidity resources which are adequate, both as to amount and quality, to ensure
that there is no significant risk that its liabilities cannot be met as they fall due" - FSA BIPRU 12.2.1R

• "A firm must ensure that it maintains at all times liquidity resources sufficient to withstand a range of severe stress
events which could impair its ability to meet its liabilities..." - FSA BIPRU 12.2.3R

Individual Liquidity Guidance

• At least annually a bank must carry out an Individual Liquidity Adequacy Assessment, which is then
reviewed by the FSA (the Supervisory Liquidity Review Process or SLRP). The outcome of this process is
the FSA's Individual Liquidity Guidance (ILG), which sets out the FSA's guidance as to the amount and
composition of the liquid assets buffer a bank should hold.

• If this is breached and a remediation plan is not agreed, then the Guidance can turn into a Requirement.


3. Bank Liquidity Requirements

The Liquidity Adequacy Rule, the Individual Liquidity Guidance, the Liquidity Coverage Ratio and the
Net Stable Funding Ratio (continued)

Liquidity Coverage Ratio (LCR)

• From 1st January 2015 the LCR will come into effect, replacing the measures employed by the FSA but still
managed by them or, by then, by the FCA & PRA. Revisions to the minimum standards were agreed on
6th January 2013. The LCR is part of the Basel III framework.

• The LCR aims to ensure that a bank has an adequate stock of unencumbered high quality liquid assets
(HQLA), consisting of cash or assets that can be converted into cash at little or no loss of value in
private markets, to meet its liquidity needs under a 30 calendar day liquidity stress scenario.

• The range of assets that can be included in the HQLA has been widened as part of the new changes,
ostensibly to try to free up bank lending and prevent a return to global economic recession.

Net Stable Funding Requirement (NSFR)

• The NSFR requires that available stable funding (equity and liability financing expected to remain stable
over a one-year time horizon) at least equals the matching assets, i.e. illiquid assets which cannot be
easily turned into cash over the following 12 months. As a result of the agreement on the LCR, the "Group
of Governors and Heads of Supervision" (GHOS) will now focus on developing the NSFR framework.
The aim is to introduce the NSFR in 2018.


4. Bank of Ireland (UK) Liquidity Status (as at 30th September 2012)

Bank of Ireland (UK) is substantially exceeding its regulatory minimum liquidity requirement and currently
holds a surplus of £2.994 billion over the regulatory liquidity requirement (as at 30th September 2012).


5. Post Office termination rights in the FSJVA

As previously presented to the Board, Post Office has a termination right if:

• BoI's minimum core tier one capital ratio falls below the threshold;

• BoI fails to maintain the liquid assets required by the regulator;

• BoI breaches the Net Stable Funding Ratio (NSFR) (to the extent that these rules apply to BoI when they become
operational from 2018); or

• BoI, or its parent, becomes insolvent.

To support these rights, BoI must inform Post Office immediately of any threshold breach; failure to do so is in
itself a breach of the contract.

To give Post Office some notice of the potential that BoI may breach a termination benchmark,
BoI must provide Post Office with regular updates on its financial position, including:

• A formal update on its capital and liquidity status, and immediate notice if it becomes aware of any capital or liquidity issue
that might give rise to a termination event.

• Within 15 days of each public announcement of annual and half yearly results and any interim management statement, BoI must
provide a certificate stating:
  - its Minimum Core Tier One Ratio, its actual Core Tier One Ratio and any Common Equity Tier 1 (CET1) capital buffers or
other requirements applicable to BoI;
  - BoI's regulatory liquidity requirement and its position against that benchmark;
  - any NSFR requirement and BoI's position against it;
  - that BoI is not in breach of the termination obligations, or of any remediation plan agreed with the regulator.

• After each half year financial announcement, a senior BoI executive must provide a trading performance update.

• BoI must provide a presentation of its annual results, including a summary of any Recovery and Resolution Plan (RRP)
submitted to the regulator and summaries of any ARROW letters received from the FSA, as far as they relate to the Post
Office or to BoI's obligations to the Post Office.
