POL00397450 - Fujitsu/ Post Office - Post Office IT Solutions Framework - Response to ITT

FUJITSU

Post Office IT Solutions Framework

Response to ITT
15th June 2012

Part A — Checklist and Requirements Response

shaping tomorrow with you

15 June 2012
FUJITSU RESTRICTED
Commercial in Confidence

© Copyright 2012 Fujitsu Services Limited

CONTENTS

Introduction
Contact Information
Bidder ITT Response Checklist and Statement of ITT Compliance
Requirements Documents
Solution Delivery ITT Requirements Response

1.0 Direct Call Off Services: Scoping, Feasibility and Initiation
    Case Example
    Fujitsu’s Business Benefits Approach
2.0 Direct Call Off Services: Business Requirements Capture and Analysis
    ISEB Business Analysis certifications
    ISEB related disciplines certifications
    Complementary analytical certifications from other bodies
3.0 Delivery: Solution Design, Build and Configuration
4.0 Delivery: Solution Architecture
5.0 Delivery: Product Based Solutions
6.0 Direct Call Off Services: Testing
7.0 Delivery: Implementation
8.0 Direct Call Off Services: Release Management
9.0 Direct Call Off Services: Service Integration and Management
10.0 Delivery: Manufacturer's Guarantee and Warranty
11.0 Direct Call Off Services: Hosting
12.0 Direct Call Off Services: Application Maintenance
13.0 Direct Call Off Services: Programme/Project Management and PMO
14.0 Delivery: Project Closure
15.0 Direct Call Off Services: Business Change
16.0 Direct Call Off Services: Quality Assurance
17.0 General Requirements: Collaborative Relationships
18.0 General Requirements: Security Management
19.0 General Requirements: Data Protection
20.0 General Requirements: Health & Safety

INTRODUCTION

This response is set out in accordance with the order indicated in Part A of the POL IT Solutions ITT. The
various documents and tables requiring completion under Part B of the ITT have been provided as separate
files, as tabulated under the section ‘Requirements Documents’ herein.

CONTACT INFORMATION

If you have any queries regarding this proposal, or require any further information, please contact:

Stuart Finnes

Fujitsu

BIDDER ITT RESPONSE CHECKLIST AND STATEMENT OF ITT
COMPLIANCE

Bidders are required to complete the tables below to confirm the number of proposals being submitted within
the Tender, and that all required documents have been completed and returned as part of the submission.

The table below should be replicated and filled out and responses provided.

BIDDER NAME: Fujitsu

| Bidder Submission | Types of Proposal Included | Required Documents | Completed and Returned |
|---|---|---|---|
| General Documents to be Completed and Returned | N/A | Anti-Collusion and Non-Canvassing Certificates | YES |
| | | Form of Tender Certificate (including confirmation of acceptance of the Contract under the terms of this ITT) | YES |
| | | Data Protection Act Registration Declaration | YES (See following table for filenames) |
| POL Proposal | YES | Requirements Response | YES |
| | | Commercial Response Form | YES (See following table for filenames) |

REQUIREMENTS DOCUMENTS

Please provide the filenames of each Specification document for which responses have been provided.

| No. from ITT | Specification Document Filename |
|---|---|
| Part B-2 | Part A — Checklist and Requirements Response.doc — this document |
| Part B-6.3 | Part B - Commercial Response Sheet.doc |
| Part B-6 | Part C - RAID Table.doc |
| Part B-6.5 | Requirements Table — this table |
| Part B-3 and Part B-5 | Annex 1 — Certificates and Declaration.doc (containing anti-collusion and non-canvassing certificate, and Data Protection declaration) |
| Part B-4 | Annex 2 - Form of Tender Declaration.doc |
| Issued on 14th June 2012 | Annex 3 — Declaration of Adherence.doc — to be completed and returned by 29th June 2012 following release of revised Terms and Conditions from POL, and as per the timetable published on the e-sourcing portal on 14 June. |

SOLUTION DELIVERY ITT REQUIREMENTS RESPONSE

1.0 Direct Call Off Services: Scoping, Feasibility and Initiation

1.1 POL is a large and complex organisation and you will be required to deliver within this environment
engaging at all levels to ensure a successful outcome is achieved. Please explain your proposed
engagement model in working with POL in the development of the initiation stage.

Fujitsu’s approach to engagement with POL during the key project initiation stage will be based upon the
current established processes we have with POL, utilising the existing PMO and project delivery best
practices. We have a long, well established relationship with POL and successfully engage at all levels in
our organisations.

Fujitsu recognises that the initiation stage is very important in ensuring that projects have a solid foundation
for progressing through to successful delivery. Key to this is ensuring that the project stakeholders have a
shared and agreed view of the project objectives and the plans for achieving them. This includes ensuring
that the joint POL and Fujitsu project organisation is in place to support the effective management and
governance of the project.

The key aspects to be addressed and baselines to be established jointly during this stage are:
• WHY - Business case or justification (benefits plan);
• WHAT - The scope/solution and the constraints and risks (requirements catalogue, solution blueprint and
  risk register);
• WHO - The joint delivery organisation;
• HOW - The approach and methods for delivery (quality plan);
• HOW MUCH - What are the key costs (resources/finance plan);
• WHEN - The schedule including dependencies and resources (project plan).

The current established Fujitsu approach is aligned to the POL project delivery framework (PDF) processes
and the acceptance gates. The project management and governance model has been built around established
levels of engagement between POL and Fujitsu as illustrated.

[Figure: levels of engagement between POL and Fujitsu, including Steering Board and Checkpoint Reviews]

The main formal governance meetings will be:

• Joint Executive Steering Board - Providing a point of contact where the executive teams from POL and
  Fujitsu review the health of the relationship, KPIs and act as an escalation point;
• Joint Programme Review Board - Aimed at monitoring the progress of and providing clear direction to
  Fujitsu Programme deliveries. Manage programme level risk and conflict between projects. Facilitating
  the escalation of issues into POL. Chaired by the POL IT & Change Programme Manager with POL Business
  Area Representatives and joint Programme/Project Managers;
• Project Checkpoint Reviews - Detailed weekly project status reviews between the POL and Fujitsu Project
  Managers monitoring progress against plans and discussing the risks and issues.

These meetings will be supplemented with less formal regular meetings and discussions between the teams.

During the initiation stage, Fujitsu will typically hold detailed joint workshops with POL with project and
business experts, and sponsors to address the key aspects referred to above. The outcome of these
sessions will be reflected in the Project Initiation Document (PID) and associated documents to form the
foundation of the project moving forward into delivery.

1.2 You may be asked to produce a Project Initiation Document [PID] and/ or Programme Definition
Document [PDD] document

a) Please describe your approach/ methodology for the production of a Project Initiation Document
[PID] for POL, with particular emphasis on developing the business case section. Please provide a case
example.

Within our existing Account team for POL, Fujitsu maintains a core practice of experienced project
managers used to working with POL. We have established with POL proven and repeatable processes,
consistent with those in our wider project management practice. These ensure POL will be able to rapidly
progress from the project start-up phase to the project initiation phase.

The key component of this is the Project Initiation Document (PID) which will define the project scope and
direction and be used as the basis for the project authorisation, management and finally in assessing its
success. The document details all the foreseeable areas of the project, such as goals, scope, risks, controls
and budget.

During the start-up phase of a project, Fujitsu will utilise and leverage its existing and established PMO and
project best practices to ensure the POL gets swift and accurate information regarding the:

• Purpose of the project;
• Estimated timescales of the project;
• Indicative costs of the project;
• Resources required for the project;
• Initial risks and their mitigation factors of the project.

Although these elements will contribute to the overall PID and management of the project these are
important elements particularly to the business case section, which will look at overall costs and
benefits/returns and will aid the go/no go decision making process on particular projects and also on
subsequent reviews throughout the project.

The PID will contain information that is fundamental to the success of a project. If these areas are not
defined clearly from the outset, there is a high probability that the project will fail either in its entirety or
specifically in, for example, costs vs. budget, timescales, and consequently the business case will also fail.

The combined Fujitsu/POL PID will cover (at least) the following areas:
• Project Definition and Approach;
• Business Case;
• Project Management Team Structure and Role Descriptions;
• Quality Management, Configuration Management and Risk Management Strategies;
• Communication Management;
• Project Plan and Controls;
• Any customised processes.

Fujitsu’s approach therefore is to ensure that the Project Initiation Document (PID) is as comprehensive and
accurate as possible to ensure that the proposed project is fully understood and authorised by all
stakeholders. The PID will provide an audit trail and serve as a baseline for the ongoing management of the
project and also serve as an input to the project closure report and the subsequent Lesson Learned
workshop.

Case Example

Fujitsu has many examples of PIDs, not least the PID prepared for POL for the successful PIN pad project.
In this instance a PID was prepared at the initial stages of the project and agreed with POL. This PID was
subsequently used as the baseline for management and control of the project throughout its lifecycle and
ultimately in the post project review(s).

This particular PID is a large document (and will breach the response page restriction) and a full copy can
be made available to the POL at a later stage if required.

This document was published to POL as Document ID PGM/MGT/PID/1801. Other PIDs can also be made
available if required.

b) Please describe your approach/ methodology for the production of a Programme Definition
Document [PDD] for POL, with particular emphasis on developing the business case section. Please provide
a case example.

A key component of the PID (described above) will be the Project Definition Document (PDD). Fujitsu's
approach is to ensure that the PDD is as comprehensive and accurate as possible to ensure that the
definition of the proposed project is recorded and understood by all stakeholders. The PDD will also provide
an audit trail and serve as a baseline for the ongoing management of the project and also serve as an input
to the project closure report and the subsequent Lesson Learned workshop.

The PDD will detail what the project is required to achieve, including (but not limited to) the:

• Project background - Why the project is required, what events have caused the need for the project;
• Project objectives and desired outcomes - Describing the specific outcomes expected of the project
  following project completion;
• Project scope and exclusions - Detailing the boundaries for the particular project. Specifically
  detailing what is included and what is not included to avoid any confusion or misunderstandings with
  stakeholders later in the project;
• Constraints and assumptions - Restrictions or limitations, either external or internal, to the project
  that have to be factored into the project that are beyond the project's control. This will also include
  the assumptions that have been made and what bearing they may have on the project;
• Users and interested parties - PRINCE2 defines users as “those who, after the project is complete will
  use the products to enable them to gain the intended benefits”. Other interested parties could include
  suppliers and sponsors;
• Interfaces - Describing what interfaces and interactions the project will have, either internal or
  external to POL as well as links to other related projects.

The PDD also serves as a critical input to the business case, albeit at a more detailed level, allowing
stakeholders to have a full understanding of the scope (and exclusions) of the project, the constraints and
assumptions and the desired outcomes and again providing input to the go/no go decision making process
on particular projects.

For the business case, we employ an approach that links required outcomes and benefits to business
objectives, identifies the steps necessary to deliver the benefits, cost of ownership and then identifies how
those benefits can be measured.

Case Example

Fujitsu has many examples of PDDs, not least the PDD prepared for POL for the successful PIN pad
project. In this instance a PDD was prepared as part of the PID and agreed with POL. This PDD was a
critical element of the PID which was used as the baseline for management and control of the project
throughout its lifecycle and ultimately in the post project review(s).

This particular PDD has a number of pages (and will breach the response page restriction). This document
was published to POL as Document ID PGM/MGT/PID/1801. Other PIDs can also be made available if
required.

1.3 In order for the correct solutions to be delivered into the Post Office there could be a requirement to
produce feasibility studies on behalf of the Post Office.
a) Please explain how you would undertake and produce a feasibility study

b) Please provide a case example to illustrate

Fujitsu has a structured but flexible approach to all its feasibility study assignments. The actual approach
will be dependent upon the complexity and structure of each individual study. However we would expect
each study to be based on the following generic structure:

• Identify and document the current situation or issue(s);
• Identify and engage with stakeholders, participants and customers to confirm current and required
  scenarios;
• Identify tools, techniques and methodologies that will be deployed as part of the study;
• Document the existing technical and business architectures;
• Observe, analyse and document existing approach or process;
• Identify potential solutions including considerations for financial impact, risk, security, strategic
  direction and objectives, and legal and compliance assessment;
• Identify costs and timescales for potential solutions;
• Recommend an optimal solution based upon agreed requirement, strategic objectives and any constraints
  or inter-dependencies with other projects or initiatives. This step will also recognise that the
  optimal solution may be not to proceed with any change;
• Document the technical and business architectures for the optimal solution;
• Where relevant, conduct benchmarking and proof of concept activities;
• Plan and document testing requirements;
• Plan and document high-level considerations for introduction into live service and
  post-implementation support.

Fujitsu also utilises a number of industry standard and industry leading techniques and methodologies in
support of analytical initiatives undertaken. The overall approach is designed to be flexible and can be
adjusted in terms of scale and complexity of techniques deployed to suit the requirement as it develops. Our
over-arching framework is Macroscope® which is a methodology and toolset that Fujitsu uses as the
foundation of all its consultancy work. It consists of an integrated suite of business and IT methods designed
to address four key questions:

• Are we doing the right things?
• Are the things we are doing providing value to the business?
• Are we doing things the right way?
• Are we getting things done?

The knowhow captured in Macroscope translates into tangible benefits and enables our practitioners to:

• Minimise the risks associated with implementing changes that may result from a feasibility study;
• Ensure a feasibility study provides good strategic alignment and is fit for purpose;
• Ensure the development of a feasibility study takes advantage of the right tools to do the job whilst
  minimising unnecessary waste (the feasibility development process is Lean through predictability,
  reuse and higher quality of outcomes);
• Provide users and stakeholders with ongoing access to industry best-practice processes and experience.

Case Example:

Fujitsu was requested by a major high street mobile phone retailer to conduct a pilot study into challenges
they were experiencing with point of sale transactions. The results of this study would be used as part of a
significant change in their customer interactions across the UK.

Working together with the customer a number of analysts from Fujitsu and the customer organisation
identified initial perceptions of the issues by informal stakeholder interviews with the four senior owners of
the retail area within the customer organisation. Among the issues identified were:

• Unacceptably long and complex processes to complete a sales transaction;
• Lack of real-time online processing;
• Slow handset upgrade process;
• Disjointed order and dispatch systems.

The estimated impact was that the customer was missing up to one third of potential transactions that could
take place and was suffering from unnecessarily high costs.

The analysts observed key transactions in a selected customer outlet to ratify their initial findings. Each key
process, for example a new handset, top-up, new contract, repair, upgrade, was documented in terms of
steps, existing performance factors, customer observations (from POS interviews) and potential quick wins.

At the end of the study the findings were presented with summary conclusions and recommendations for
next steps which included ratification of findings with the customer Management Board and a
recommendation to conduct benchmarking exercises against key competitors. The customer also used the
results and recommendations to formally conduct a wider study across a larger number of stores and
transaction types in order to improve their core processes and customer interactions.

Fujitsu remains engaged with the customer and has submitted a proposal for implementing the proposed
improvements as part of a wider change programme. Fujitsu will provide delivery activities and also function
as a systems integrator for activities that will be carried out by a partner organisation.

Notwithstanding our approach to feasibility studies Fujitsu also recognises that feasibility studies generally
lead to change and transformation in the customer business organisation. Change without benefits cannot
be sustained and benefits cannot be delivered without change. This philosophy underpins our approach to
feasibility studies and particularly our Business Benefits Approach:

BENEFITS CANNOT BE
DELIVERED WITHOUT CHANGE

CHANGE WITHOUT BENEFITS
CANNOT BE SUSTAINED

Fujitsu’s Business Benefits Approach

Our experience in business change and transformation tells us that successful change programmes
routinely include key elements which drive them towards successful delivery, and without which change is at
risk. These elements combine people, process and technology aspects. Fujitsu will be pleased to discuss
this further at the next stage if required.

2.0 Direct Call Off Services: Business Requirements Capture and Analysis

2.1 The ability to capture and translate customer requirements into clear specifications of change for the
Post Office can prove challenging

a) Please describe how you will approach requirements capture and analysis activities that cover both
Post Office and its customer base to ensure that both the needs of Post Office and customers are
addressed when delivering Solutions.

Establishing Business and Operational requirements is part of Fujitsu's proven and established
Requirements Management process that has been successfully used with POL for many years and across
many Releases of Horizon functionality.

Using our experienced Business Consultants, Fujitsu regularly engages with POL Stakeholders and
Business Analysts to assess, define, refine and baseline requirements and their associated solution
response. With many years of practical experience of the POL business and with a solid foundation of well
established Horizon business applications, products and services Fujitsu will help POL identify the primary
needs and features of new opportunities, products or potential service changes. These will be developed
through workshop techniques and expressed as either “use cases” or requirements statements which are
then gradually refined as the assessment of solution options progresses.

Initial engagement may often result in a feasibility assessment where outline requirements and solution
options are assessed and indicative costs provided to support POL’s business case. These will then be
matured through further engagement to establish a set of requirements and associated acceptance criteria,
which are categorised by priority or importance as necessary.

The requirements management process then typically progresses through a period of iteration whereby the
initial requirements baseline is reviewed and refined alongside the emerging solution design to ensure clarity
of interpretation and agreement of assumptions, constraints and phasing.

Requirements are recorded in the POL DOORS repository and synchronised with the Fujitsu DOORS
system which in turn synchronises with the Quality Centre test management system. This ensures
consistency across the requirements lifecycle and provides an audit trail of test and acceptance evidence
back to the original requirements.

Managing change is recognised by Fujitsu and POL as a fundamental feature of the process and is
achieved via either formal change management processes or via locally agreed ‘minor changes’ to minimise
the impact on the project timescales. In either case a full audit trail is maintained.

b) Please provide an illustrative example showing how you will achieve this for Post Office, which
includes, a requirements catalogue and acceptance criteria

Recent examples of requirement capture carried out between POL and Fujitsu include the complex Post
Office Data Gateway file transfer service, channel integration enabling connection into the Horizon data
centres from third party POS (at Tesco, for example), new regulation-compliant PIN pads with near-field
communication, network routers for branches, the Horizon data centre topology, and products and future
strategy. Fujitsu has used the methodology outside POL with these additional customers: The Home Office,
Mitchells and Butlers, UKTI, and Fujitsu’s own internal IT service and software provision.

A typical example of the contents of a requirements catalogue will include the following information:
• Requirements priority;
• Value proposition;
• Area of the requirement;
• Solution notes;
• Team impacted;
• Outstanding assumptions;
• Dependencies;
• Source of the requirement;
• Date required;
• Sign off Owner.

2.2 Please explain how you will document and track business requirements throughout the project
lifecycle, to ensure full traceability and that all requirements are linked to the objectives, scope and deliver
against planned business benefits.

a) Please describe examples of the value add tools and techniques that you will use to undertake
business analysis.

Fujitsu’s Benefit Realisation approach is a systematic means of enabling POL to identify and manage the
delivery of benefit from its investments. It is designed to address the issues of identifying, tracking and
delivering benefits and can be deployed at any stage of the investment lifecycle. By complementing
conventional project management tools and techniques that are already in place at POL, it greatly increases
the likelihood that valuable business outcomes will be delivered.

The processes, tools and techniques that underpin Fujitsu’s Benefits Realisation approach engage a wide
range of stakeholders in an active process. There are three fundamentals that must be applied if benefits
realisation is to be successfully embedded in programmes designed to bring about change:

• Identification - of the appropriate business outcomes and benefits, aligned with business objectives;
• Accountability - for delivery of the outcomes (intermediate and final) that are necessary steps on the
  journey to full realisation of benefits;
• Measurement - to ensure that desired business outcomes are achievable and measured; and to provide
  evidence that they have been realised (or not).

Fujitsu uses its LINK IT process to provide accountability and focus to business change and benefits
realisation and this process is illustrated below:

[Figure: LINK IT process. Panel labels: Linkage; Accountability defined; Clear understanding of the
business outcomes and how they are achieved; Focus on measurement. Caption: Link IT enabled capabilities
with Business Change to deliver business benefits]

There are three other tools that Fujitsu uses for benefits realisation and tracking. These are:

• DOORS from Telelogic - which is a requirements management tool and provides full traceability through
  the design stage to test to end state;
• The Hoshin Process - which is a methodology and toolset that is a simple approach to align long term
  business objectives with short term (project based) initiatives. This approach will help POL rank a
  list of planned projects in the context of its long term goals;
• The House of Quality - borrowed from a manufacturing approach. Essentially it uses four houses of
  quality and each house has “demanded quality” (aka “customer requirements” or “the whats”) and the
  “quality characteristics” (aka “functional requirements” or “hows”). The intersection between each
  requirement is allocated a correlation score and this allows the most important “whats” and “hows” to
  be quickly determined.

b) Please provide an example that illustrates your capability in the application of no more than two of
these tools

Fujitsu has used the DOORS process and toolset extensively within its large defence sector for many years.
We can provide examples on request but these are subject to approval and security clearances. For this
response, we are instead able to provide examples of where we have employed the LINK IT process.

UK Environment Agency - we ensured the benefits of their Flood Warning Investment Strategy could be
identified, measured, monitored and realised. This meant that desired business outcome of making flood
warning a more effective process was the focus, rather than the technology.

“In fact, benefits realisation is now embedded in our culture, which means more people get better warnings,
faster, reducing flood damage to UK plc and loss of life.”

Doug Whitfield, NFFS Benefits and Project Manager, Environment Agency

Highland Council - Fujitsu provided benefits management leadership and support to projects, programmes
and people development. As a result, the Council was able to develop clear, holistic and inclusive business
cases whilst increasing their own internal skills. This allowed them to maximise business benefits from
investments and develop their own capability to articulate, handle and drive improvements with minimal
medium-term external support.

Newcastle City Council - Fujitsu used its benefits realisation approach and tools to work closely with the
Council to apply a ‘Value Assurance’ methodology. Building on Fujitsu's core set of best practices and
international standards this ensures effective governance. It also helped to identify, structure, monitor,
measure and ultimately realise the benefits of a project through the appropriate application of IT. By
recognising the relationships and interdependencies of people, processes and systems and how they impact
on service delivery, Fujitsu’s approach also identifies and exploits opportunities for business process
improvement and re-engineering. This means staff have the necessary skills and technologies to support
new ways of working.

2.3 Please demonstrate the professional capability of your analysis team quoting relevant qualifications
e.g. Information Systems Examinations Board [ISEB] Business Analysis

ISEB Business Analysis is an over-arching description for a range of capabilities and certifications from
Foundation through to a Business Analysis Diploma. Our staff possess a broad range of skills, experience
and accreditation in key disciplines and technology areas required to design, implement and support our
managed services. In particular the following qualifications and certifications are relevant to analytical roles:

ISEB Business Analysis certifications

Fujitsu staff have enjoyed a long relationship with the British Computer Society/ Chartered Institute for IT.
The following table summarises employees who have certification(s) in the area of Business Analysis:

Certification                               Employees
Foundation Business Analysis                5
Practitioner Business Analysis Practice     4
Modelling Business Processes                1

ISEB related disciplines certifications

We believe the following disciplines also contribute significantly to the role of an analyst during the
development of feasibility studies and related consulting activities:

Certification                               Employees
Foundation Software Testing                 112
Intermediate Software Testing               26
Practitioner Software Testing               11
Advanced Business Strategies Management     2
Information Security Management             15
IT Architecture                             3
ITIL v3 Continual Service Improvement       3
IT Operational Support & Analysis           4
Release, Control and Validation             4
Service Design                              10

Complementary analytical certifications from other bodies

Body      Certification                                          Employees
ISTQB     Advanced Analyst                                       2
          Advanced Test Manager                                  2
          Foundation in Software Testing                         7
ISACA     Information Security Manager (CISM)                    9
          Information Systems Auditor (CISA)                     5
OGC/MSP   Managing Successful Programmes Practitioner            172
          Managing Successful Programmes Advanced Practitioner   27

Fujitsu can provide details of our professional capabilities in other areas of IT Solutions Delivery if required
by POL at a later stage.

3.0 Delivery: Solution Design, Build and Configuration

3.1 Please explain the differences in your approach in delivering the following

a) A bespoke/ specialist technical solution to a client that required a degree of customisation to meet a
unique set of requirements.

b) A commercial off the shelf [COTS] product integrated into an existing business’ IT infrastructure.

Fujitsu undertakes an appropriate combination of bespoke application development and application package
configuration to provide the necessary applications and application services to meet our client's
requirements. These are integrated into the client's existing business ICT landscape to deliver complete
solutions for them.

We acknowledge that no single approach to software development can meet the needs of every project. To
support these needs, whilst retaining the benefits of a proven approach, Fujitsu employs a methodology
framework that brings together the most appropriate tools and proven practices that best fit the needs of the
project. Our methodology framework is called Apt. Apt provides a set of Application Lifecycle Management
(ALM) tools that feature process automation; traceability; reporting and analytics to synchronise
development activities; integration of practitioner tooling into a fully connected multi-disciplinary
environment; test-driven development; and continuous integration.

We use Apt across the full range of solution types, from bespoke ‘ground-up’ developments, through legacy
modernisation projects, to the configuration and deployment of commercial off the shelf (COTS) products.
Apt provides the backbone methodology for common disciplines and practices. Apt also acts as an
integration framework into which specific solution methods and practices can be plugged — for example in
an SAP solution the Accelerated SAP (ASAP) method will be employed for the core design and
implementation of the SAP components and Apt will provide the context framework for the full lifecycle
development and for the non-SAP elements that are needed to deliver the full end-to-end solution.

The key differences between our delivery approaches for bespoke and COTS solutions are described below.
The comparison is based on the lifecycle stages after the build/buy decision has been made (so, for
example, a COTS package has been selected because of its functional match to business requirements).
The COTS approach is illustrated using our methodology for SAP implementation, but the principles apply
to all our COTS deliveries (although the names for the stages may be different).

(a) Bespoke/ specialist technical solution to a client that required a degree of customisation to meet a
unique set of requirements:

The key to successful bespoke development is turning a complex set of requirements into manageable
deliveries that have a clear relationship to business imperatives.

The Fujitsu Apt method is a modern agile approach that lends itself very well to development of tailored and
bespoke solutions across a wide range of delivery technologies. This method breaks the delivery into
subsets or modules with a focus on value to the business. Apt encourages iterative development with
frequent demonstration of results to stakeholders. Our approach comprises:

• Requirements management - For bespoke developments we make extensive use of business and system
use-cases. As well as communication and agreement with the client, the use-cases are the basis of
subsequent development activities, hence the amount of effort put into their development is greater than
for a COTS delivery. As the development progresses, the traceability to the use-cases is maintained and,
throughout the lifetime of the solution, business change impact can be assessed through the relationship
of use-cases to the deployed solution;

• Business Design - Under Apt we take a component-based approach to design. The method allows
cost-effective component buy / reuse / build decisions to be taken within each module. For example, a
business requirement could be met by accessing a commercially provided web service, integrated into the
solution design;

• Technical and Integration Design - The biggest difference between bespoke and COTS solution design is
concerned with the amount and level at which the design activity takes place. Bespoke design requires:

o Service-based design at the level of sub-components, components, and component groups;

o A considerable amount of internal process-to-process interface design.

The management of design for complex bespoke solutions can be a considerable undertaking in its
own right. Apt provides us with the tools to manage complex designs throughout the solution life
cycle.

• Implementation - Implementation of a bespoke solution typically requires levels of additional technical
integration testing and performance testing beyond that required for a COTS solution. This requires the
provision of additional test environments that can be dedicated to system integration testing and proving
the performance of the system under stress.

Apt has a very strong emphasis on testing, in particular test-driven development and continuous
integration.

b) A commercial off the shelf [COTS] product integrated into an existing business’ IT infrastructure

Successful COTS implementation is built on getting the most out of the standard product and minimising
and isolating any customisation work. Over the solution lifetime one of the main benefits of a COTS solution
is the ability to take advantage of new product features that are incorporated into new releases.
Customisation immediately becomes an obstacle to upgrading unless it can be carefully isolated.

Fujitsu has proven expertise in SAP, Oracle, and Salesforce implementation. Our success is based on our
expert in-depth understanding of the product offerings and their roadmap futures. Our approach comprises:

• Requirements management - One of the key differences with a package solution is the ability to utilise
the software during the early stages of the project to prototype requirements. Also, requirements can be
crystallised through reference site visits to existing users of the software.

Business use-cases are an important tool to describe the business environment in which the solution
must operate. However the use of more detailed use-case diagrams is usually limited to those aspects
of the solution that will not be covered by the COTS component.

• Business Design - The core package functionality is a ‘given’. Therefore the emphasis for business
design is to agree with the client how the package will be configured to deliver the business requirements.

In a SAP project this is known as the ‘Business Blueprint’ stage. The Business Blueprint covers:

• How the business processes are to be implemented in the package
• Which elements of the solution can be delivered by configuring standard functionality and which
elements of the solution require an element of development
• The business interfaces into and out of the solution
• How the organisation structure and key business reference data are to be represented in the package
• The required user roles and authentications

• Technical and Integration Design - The focus of technical and integration design is to provide the right
platform for hosting the software and to design the interface architecture (online and batch) for inputs and
outputs. The technical solution must also address how the COTS package will be supported by the vendor
or their agent, adding third party security access requirements to the design.

There is typically a wealth of information and best practice information available from the COTS
provider and from previous implementations of the solution, so the technical design can be done by
matching the non-functional requirements to benchmark performance data and reference architecture
configurations.

• Implementation - In the case of SAP and a number of other COTS vendors the supplier will carry out
inspections of the system pre and post go-live as part of the implementation process. In the SAP case this
is called the SAP early watch diagnosis service and is a pre-requisite for ongoing support by the vendor.

3.2 Please explain how you would use your experience and industry knowledge to assist Post Office in
the delivery of innovative and best-of-breed solutions that represent optimum value.

Fujitsu has a broad knowledge and experience base to help drive innovation and sustainable solutions into
all aspects of Post Office's business. As a global business we serve every market somewhere in the world.
We source and supply products for all our customers and either manufacture products ourselves or draw on
our significant partnerships with major suppliers as well as seek innovation through our small/ medium
enterprise program. We are able to bring that knowledge to support POL's diverse product offerings and
business.

Fujitsu also has a long history of innovative research and development with 1,500 people employed in our
research and development laboratories. This investment has delivered products ranging from the world’s
most powerful supercomputer, servers and storage, smart phones and tablets through to software solutions
for automatic business process discovery. Often these developments have led to industry awards such as
the recent SAP Pinnacle Award as Technology Innovator of the year due to one of our servers breaking the
Virtualisation world record and our inclusion in the Gartner top quartile value governance methodology.

By working in partnership with our customers we are able to design solutions that deliver business benefit,
for example with Auchan, the global retail chain, to reduce queuing by 40% through innovative EPOS and
check out services including self service kiosks and separating scanning from payment. In financial
services our customers have met the regulatory need for mobile recording by using the service we provide
with Natterbox, a small independent technology company with whom we have partnered. Companies have
improved their reporting and business intelligence using SAP HANA, a new hardware platform we have
developed in partnership with SAP. POL has recently ordered a CRM solution we are delivering as a hybrid
cloud solution meeting UK data protection rules while still getting the value for money benefits of the cloud.

POL has already benefitted from our approach to delivering innovative solutions, i.e., the current Horizon
Next Generation EPOS system has its own rapid deployment development language enabling POL to
deliver complex products to market in short timescales without incurring unnecessary development costs.

However it is not just being able to produce industry leading knowledge and products but understanding how
these products can be integrated and exploited to achieve lasting business benefits that really count. As
with all customers we would expect to work closely with Post Office and set up a joint project team. The
team would define both the business and technical requirements and map these to the business vision and
roadmap. Fujitsu uses a process called “results chain” to ensure the business outcome and benefits from a
particular project are achieved (as described in our response to Question 2.2).

Fujitsu’s professional sourcing capability combined with the knowledge in the existing Post Office Account
team will enable us to reach out through Fujitsu’s own organisation as well as our supplier and partner base
to source solutions that meet POL's requirements at a price point that represents best value. The joint
project team would be involved in overseeing this process and signing off on key stages such as prototypes,
production samples etc., as well as overseeing any rollout program to ensure disruption to normal business
and the number of revisits are kept to a minimum. For larger programmes a joint Governance board would
be in place to oversee the process. This was used recently in the procurement of the unique PIN pads that
Fujitsu has sourced for POL that deliver ATM as well as EPOS functionality.

3.3 Describe how you would ensure that all solution configurations are robust and scalable.

Fujitsu's credentials for developing robust and scaleable solutions are based on our engineering methods
and processes, our engineering experience, our re-use of proven designs and our access to subject matter
experts (SMEs) within Fujitsu, within key suppliers, for example Oracle, SAP, Microsoft, and within
specialised companies around the world.

Methods and Processes

The Architecture Development Methodology (ADM) is the Fujitsu standard approach to the development of
Solution, Enterprise and Offering architectures. ADM is aligned to The Open Group Architecture Framework
(TOGAF™) version 9 (as described in our responses to questions 4.1 and 4.2 below) and includes:

• Reference architectures;
• Proven architecture principles;
• Engineering and technical master policies for design of solutions.

These reference architectures, principles, and policies are intended for application to enterprise scale and
process/mission critical systems. The principles and policies cover important common activities for
delivering robust and scalable solutions. There are also guidelines and reference architectures for specific
solution and technology types, for example:

• Process control systems;
• Web and E-Commerce;
• High security/High integrity systems.

Engineering experience:

As the world’s third largest IT services provider Fujitsu has considerable engineering experience with
designing and delivering very large scale, highly scaleable, highly available, and highly resilient solutions.

For over a decade Fujitsu has been creating the building blocks for cloud computing, investing over $2
billion in creating a global cloud capability with cloud data centres, clouds for sensor-based computing, cloud
interoperability and cloud security. Fujitsu has created some of the world’s largest and most advanced cloud
environments for both commercial and government organisations.

Fujitsu has extensive experience in delivering enterprise solutions to POL, including the Horizon Online™
system. This is a high scale, highly available, and highly resilient system that processed over 2 billion
counter transactions in 2011 including 17.3 million transactions on the peak day.

Re-use of proven designs — Fujitsu TRIOLE

Fujitsu TRIOLE is our method for creating industrialised IT solution and service designs, making them more
efficient, more reliable, quicker to implement and easier to manage. Our TRIOLE designs have well known
and understood performance characteristics and are a very important resource for creating reliable, robust,
and scaleable solutions based on the principles of re-use thereby reducing costs and risks during the design
and implementation stage.

Access to Subject Matter Experts (SMEs):

We also have access to performance specialists within Fujitsu and within our strategic partners including
Oracle, SAP and Microsoft giving us access to vital resources and sources of engineering excellence that
we can call upon for guidance and peer design reviews. We also have a good understanding of product
roadmap developments that are critical to planning solutions that span releases of component solutions
during their lifetime. We also have close partnership relationships with specialised solution providers, for
example imaging and biometric scanning.

We therefore have the capability to care about the whole IT stack, its implementation, and its operation.

4.0 Delivery: Solution Architecture

4.1 Please explain how you would integrate and adhere to Post Office’s architectural principles for
solution designs.

Integration of customer architecture principles

The Architecture Development Methodology (ADM) is the Fujitsu standard approach to the development of
Solution, Enterprise and Offering architectures. ADM is aligned to The Open Group Architecture Framework
(TOGAF™) version 9, and includes a set of proven Fujitsu architecture principles as well as engineering and
technical master policies for design of solutions.

When integrating customer architecture principles into the solution design, our first step is to work with the
customer's architect team to compare the customer's architecture principles with Fujitsu best practice and
identify any principles that are not already incorporated into, or aligned with, the ADM framework.

Where additional or mis-aligned policies are identified, these are discussed to ensure there is a clear
understanding of the intention of the policy and whether or not it is relevant and significant for the solution
design to be delivered.

The next step is to document the agreed combined set of best practice and customer architecture principles
that will be employed for the solution design. The key principles are documented within an Architecture
Overview Document (AOD), a standard deliverable from the ADM, as:

• Principles set by the customer;
• Fujitsu additional principles.

The full principles are further documented in a dedicated document for the solution, Solution Architecture
Principles.

Adherence to customer architecture principles

The Fujitsu solution owner plays an important role in the integration of Post Office principles into the
solution design and, during the development phase of the solution, ensuring that the solution design and
build teams all adhere to the agreed architecture principles.

The solution owner is the author of the Architecture Overview Document and Full Principles Document.

Depending on the scale of the solution, the solution owner may establish a Design Authority/Approval
Board (DAB) that will approve solution designs and change proposal designs. Adherence to the agreed
architecture principles will be a key criterion in the DAB review. On smaller scale solutions the DAB role will
usually be carried out by the solution owner.

All DAB decisions are minuted to leave a clear audit trail.

Integration and adherence to Post Office Architecture principles

In the case of Post Office, because of our position as one of Post Office's main IS/IT suppliers, the Fujitsu
architecture team has a very good understanding of POL architecture principles and we have developed a
very close working relationship with the POL architecture and programme management community.

Our solution design and development teams therefore are very experienced at working to these principles
and policies, delivering robust and scalable solutions for Post Office and our architecture principles and
engineering policies are strongly aligned with delivery of solutions into POL business and technical
environment.

4.2 Please demonstrate your level of competence and capability to operate within the ‘The Open Group
Architecture Framework’ [TOGAF].

Capability and competence

As a former Silver member of The Open Group, Fujitsu actively participates in the development of
TOGAF, including the Architecture Development Method (ADM). Fujitsu has over 20 TOGAF accredited
architects in the UK who act as subject matter experts (SMEs) to the wider architecture community.

Fujitsu’s approach to Enterprise Architecture is aligned to The Open Group Architecture Framework
(TOGAF™) version 9 and incorporates Archimate® Version 1.0, the Open Group Technical Standard
defining a flexible modelling language for Enterprise Architecture.

The Fujitsu ADM builds upon TOGAF and is used in Fujitsu to drive standardisation, consistency and good
practice in the development of architectures across Fujitsu. The processes within ADM cover the
development of business, application and technology architectures according to well defined requirements
established early on in the process and managed throughout. The ADM also ensures governance models for
implementation and architecture management are defined and their establishment planned.

Through the ADM, Fujitsu aims to:

• Ensure architects consider all parts of architecture development to enforce completeness;

• Ensure architectures are correctly and fully documented as they are developed, thereby improving
efficiency and reducing confusion during implementation stages;

• Align architecture development with specific external standards;

• Ensure architectures are aligned to real business requirements and can be traced through the
development process;

• Improve governance of implementation and architecture changes;

• Create one main reference point thereby improving communication of an architecture and reducing
workload.

Our level of competence and capability is demonstrated by our work for Her Majesty's Revenue and
Customs (HMRC).

The Government drive to reduce cost without sacrificing service has led us to work closely with our
customers to innovate in ways to achieve this. For HMRC, where we act as the owner of the Infrastructure,
aggregating other suppliers' services within this scope, we addressed the ‘more for less’ challenge by taking
a radical approach to the underlying technical server infrastructure and hosting component.

We took an architecture-led approach, applying the TOGAF-based ADM, to model the as-is and to-be
architecture and to build a benefits-led transformation roadmap for services to meet the value challenge. The
result was an innovative programme to replace the server platforms currently hosted in data centres
originally built by the customer but now maintained by Fujitsu with new equipment focussed upon virtualised
services hosted in our modern Tier II Gold Standard data centres.

Key outputs from the architecture development work for HMRC include:

• A future ICT strategy for the delivery of desktop and infrastructure services;

• Principles and policies for technical delivery;

• Standards and templates for application throughout the development lifecycle;

• System and service architectures - as-is and target architecture models used to guide the scope and
shape of technical and service enhancements;

• Technology roadmap - future planning for upgrade, retirement or replacement of software and hardware
based on vendor lifecycles and business needs.

4.3 Please demonstrate how you would design a solution to ensure performance against pre-defined
KPIs and SLAs, include detail on:

a) the factors you will consider when designing the solution and how these differ from your usual
approach to solution design.

With the increasing adoption of commodity computing models including cloud computing and
software-as-a-service, the service characteristics of the platforms are a ‘given’ and the onus is on the
customer to decide whether or not the service on offer will meet the business's requirements. Fujitsu
speculates that the reasons in the future for customers requiring bespoke/custom solutions will become
limited to critical business requirements where the required service performance cannot be met through
commodity options.

Fujitsu’s disciplines for engineering a solution to meet tightly defined KPIs and SLAs will apply to both
customer bespoke services and also to the creation of new commodity computing services. The factors we
consider in design include a wide range of business factors that will drive technical design and service
design and include (but are not limited to) the following:

• Business requirements for the solution/service: understanding the market in which the solution must
operate and the true business impact of unavailability, data loss, data corruption, security breaches;

• Understanding the business continuity requirements including Return To Operation (RTO) and Recovery
Point Objective (RPO) for the solution;

• Understanding how service availability and service performance will be measured, for example what is
measured, and over what time period, and the exceptional situations in which performance measurement
against SLAs will be suspended;

• Understanding the service penalties and liquidated damages regime for the service;

• Understanding how the solution may need to adapt to business change and growth in the future including
the business vision in terms of growth, globalisation, and competitor direction;

• Understanding the benchmark performance expected of the solution starting with total cost of ownership
and the value that the business puts on having a robust and reliable solution;

• Understanding the constraints on how the solution can be supported, for example hours of operation,
availability of emergency maintenance slots, change freezes;

• What design limits can be agreed for the solution, for example total throughput and peak throughput;

• Security requirements including customer accreditation requirements (including PCI compliance),
permissible levels of sharing of resources, what levels of security clearance are required and what
elements of support may be provided by offshore resources.

When the business and service requirements are fully understood the technical design can proceed, taking
into account:

• Architecture and Operations best practice, principles, and policy from Fujitsu Architecture Development
Method;

• The engineering characteristics of services and components to be employed in the solution including:

o Performance prediction models;

o Resilience and failover modes;

o Availability statistics, and time to fix statistics.

• The service performance characteristics of any standard service components that will be deployed in
the solution;

• The tools available to measure service availability, performance, and to report against KPIs.

b) any additional steps involved in the design process to validate your assumptions and ensure that
your design principles will achieve a solution that is fit for purpose and exceeds the pre-defined target
operational state

There are several key areas where additional effort and techniques are employed when the cost of getting it
wrong (to the client and to Fujitsu) is potentially high:

• System availability design based on component analysis;
• Throughput modelling;
• Early integration performance test (prototype);
• Highly formalised service design, including design for business continuity;
• End-to-end design walkthrough.

These are described in more detail below:

System Availability Design (for systems with high availability requirements) - This step models the system
availability by looking at the network of connected/interdependent hardware and software modules that
combine to deliver the critical services. The method requires information on mean time between failure and
mean time to recover for the key modules. This is not always the easiest information to obtain (especially
for software that is yet to be designed) but can usually be estimated by analogy with similar components.
The result gives a scientific basis for decisions on the required resilience model to be employed in the
design, for example the number of parallel nodes required to deliver the required availability levels.
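
The component-analysis calculation this step describes, shown as an added example (it is not Fujitsu's model or tooling, and is not part of the original response): per-module availability from mean time between failure and mean time to recover, tiers combined in series, and nodes added in parallel until a target is met. The module names, MTBF/MTTR figures and the 99.8% target are constructed, and the model assumes independent failures and that one surviving node can carry its tier.

```python
from dataclasses import dataclass
from math import prod

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Module:
    name: str
    mtbf_hours: float  # mean time between failures
    mttr_hours: float  # mean time to recover

    @property
    def availability(self) -> float:
        """Steady-state availability of a single instance."""
        return self.mtbf_hours / (self.mtbf_hours + self.mttr_hours)


def tier_availability(module: Module, nodes: int) -> float:
    """Availability of `nodes` identical instances in parallel.

    The tier is down only when every node is down at once, which is
    (1 - A) ** nodes when failures are independent (an assumption).
    """
    if nodes < 1:
        raise ValueError("a tier needs at least one node")
    return 1.0 - (1.0 - module.availability) ** nodes


def system_availability(modules, layout) -> float:
    """Tiers are in series: the service is up only if every tier is up."""
    return prod(tier_availability(m, layout[m.name]) for m in modules)


def size_for_target(modules, target: float, max_nodes: int = 6) -> dict:
    """Add one node at a time to the weakest tier until the target is met.

    This is a simple greedy heuristic for illustration; it ignores node
    cost, so it is not a cost-optimal sizing method.
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    layout = {m.name: 1 for m in modules}
    while system_availability(modules, layout) < target:
        weakest = min(modules, key=lambda m: tier_availability(m, layout[m.name]))
        if layout[weakest.name] >= max_nodes:
            raise ValueError(f"target {target} not reachable with {max_nodes} nodes per tier")
        layout[weakest.name] += 1
    return layout


def annual_downtime_hours(availability: float) -> float:
    """Expected hours of unavailability per year at a given availability."""
    return (1.0 - availability) * HOURS_PER_YEAR


# Constructed sample estimates, of the kind obtained "by analogy with
# similar components"; none of these figures come from the document.
CONSTRUCTED_MODULES = [
    Module("web", mtbf_hours=2000, mttr_hours=4),
    Module("app", mtbf_hours=1200, mttr_hours=3),
    Module("db", mtbf_hours=5000, mttr_hours=8),
    Module("wan_link", mtbf_hours=4000, mttr_hours=6),
]

if __name__ == "__main__":
    target = 0.998
    single = {m.name: 1 for m in CONSTRUCTED_MODULES}
    print(f"single-node design: {system_availability(CONSTRUCTED_MODULES, single):.5f}")
    layout = size_for_target(CONSTRUCTED_MODULES, target)
    achieved = system_availability(CONSTRUCTED_MODULES, layout)
    print(f"layout for {target}: {layout}")
    print(f"achieved {achieved:.5f}, about {annual_downtime_hours(achieved):.1f} h/year down")
```

With these figures the single-instance WAN link ends up as the dominant contributor to downtime once the other tiers are duplicated, which is the kind of finding the resilience decision rests on.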

Throughput Modelling (for high throughput/high performance solutions) - This involves modelling the
throughput characteristics of the hardware, network, middleware, and business software that make up the
end-to-end solution to ensure that peak performance can be achieved. Where possible, Fujitsu's solution
designs are based on standard components and sub-systems with known operational performance
characteristics. Our TRIOLE method is at the heart of our approach to re-use and continuous improvement.
Fujitsu invests much effort in creating standard builds that can be re-used to deliver reliable solutions.

Early Integration Performance Test (prototype) - Sometimes modelling calculations are not enough to be
fully confident about resilience and throughput, for example it is often critical to understand the amount of
communication traffic that will actually be generated between nodes, particularly slower WAN links, and this
is where it may be important to create an early prototype. The integration prototype can also be used to
examine the actual performance of the solution in a failover situation, for example where one node
becomes unavailable.

Highly Formalised Service Design - Where a solution operates in a multi-supplier environment it is vital to
underpin the service level agreement with the client by putting in place supporting operating level
agreements. The overall service is only as good as the weakest link in the solution chain.

End-to-end Design Walkthrough - Fujitsu carries out formal design walkthroughs for the different
dimensions of the solution, for example:

• Technical design against the performance, resilience, availability criteria;

• Service design against the SLA and business KPI criteria;

• Business continuity design walkthrough against business impact assessment criteria.

Formal walkthroughs are an excellent and proven technique for testing the overall solution design and
helping ensure that the solution delivers against all client and Fujitsu criteria.

We believe that these additional steps in the design will validate our assumptions and ensure that our
design principles are fit for purpose and exceed the pre-defined target operational state.


5.0 Delivery: Product Based Solutions

5.1 Please explain how you would develop and produce product specifications to enable products to be
sourced from the market place.

Fujitsu will use a structured, monitored and proven approach to solution design in order to meet POL’s
specific objectives. Fujitsu’s technology portfolio provides a consolidated view of information about
products and technologies which have been approved for use within Fujitsu and its key clients, importantly
with links out to key information stores and departments.

The Technology Portfolio includes Fujitsu technologies (from FTS/TPG, and elsewhere within the Fujitsu
Group of companies); technologies from key supply partners; tools; and niche service providers that
maximise Fujitsu's key offerings.

Understanding POL’s objectives and requirements therein is key as this forms the fundamental basis for any
solution. POL will be engaged to refine and clarify requirements so that the end solution will best meet key
objectives. If what is required sits outside of Fujitsu’s proven in-house solutions, the most appropriate
supplier partners will be engaged to leverage specific expertise from Fujitsu’s approved supplier base.

It is recognised that development of a solution will be an iterative process involving POL, Fujitsu, and one or
more suppliers where unique or complementary products or services are required.

The team working on the specification will consist of technical experts, project managers, Commercial and
Procurement from Fujitsu, plus key suppliers where applicable.

The role of the Procurement team in the process is to:

• Source suppliers, and stringently validate their appropriateness for use.
• Where more information is needed to form potential solutions, conduct the relevant methodologies set
  against requirements to establish the best options to meet POL's objectives and known requirements.
• Where competition is possible, appropriate tenders will be run to ensure the most cost effective solution,
  whilst maintaining a fit for purpose proposition.
• Leverage of key cross country supplier relationships and volume to obtain optimum pricing.
• To bring together the technical, project management and commercial aspects into contract and final
  specification in order to de-risk the project to protect POL and Fujitsu by:
  o Ensuring there is clarity in what is to be delivered to what standard, at what cost,
    and by whom (defining which party is responsible for what, including interactions
    with other suppliers).
  o Defining operating processes and reporting for the project and ongoing contract /
    supplier management, i.e. acceptance criteria, project reviews, reporting, change
    control, dispute resolution, SLAs, progress and performance monitoring etc.
  o Negotiation of strong underpinning contract terms (inclusive of any customer
    required flow-down contract terms) that reinforce delivery of the specification which
    includes deliverables, timescales and costs and mitigate and manage risks.


Fujitsu will always consider an existing and proven solution that starts with a scope document which is
developed by our Sourcing Group and agreed with the business sponsor, requirement owner and technical
lead. The scope looks at the requirement starting from a high level geographic and organisational overview,
then works down to POL's particular detailed requirements, taking into consideration existing solutions,
the Fujitsu knowledge base, previous RFIs and research, and links to any design architecture or technical
specifications.

The scope also considers expectations, needs and wants, POL’s overall business strategy, milestones
required, the critical success factors and the methodology to be used.

Consideration is also given to the make or buy decision within Fujitsu's internal resources and also wider
business solutions. Where there is only a single source supplier, the risks associated with this are
considered, and if there is a case for adopting a partnering approach with a key vendor to the benefit of all
parties, this process will be undertaken to ensure the best result. The requirement is then considered
against the factors below, and the responses are then ranked as Business Ideal, Business Minimum or
Agreed Target, which identifies the best approach:

• Fujitsu Strategy
• Preferred Supplier Relationships
• Assurance of supply and logistics
• Quality
• Service levels achieved or expected
• Innovation
• Cost
• Overall risks
• Timescales
• Implementation


5.2 Please demonstrate your capability to run procurements on a regular basis for the sourcing of IT
products including Hardware and Software.

Fujitsu, as one of the world’s leading IT companies, has developed reliable and efficient systems for the
sourcing, provisioning and support of enterprise-standard hardware and software, including its own
innovative range of industry-leading products.

Our SupplierConnect service manages procurement activity on a customer's behalf. It covers the entire
procurement cycle, including selection, management and measurement of all third party suppliers and,
where appropriate, involves the TUPE of staff as part of the service. It will offer POL a professional
procurement consultancy with in-depth experience of procurement strategy, governance, category
management, cost-down initiatives, supplier management, business process re-engineering and e-
procurement, through to operational management. It brings together the various elements of supplier
management in a simple, easy-to-manage approach including:

• A defined and managed Premier Supplier Listing;
• Supplier management processes;
• Supplier scorecards, updated every quarter as a minimum;
• Review of all suppliers’ corporate responsibilities and business continuity processes, as well as financial
  and commercial offerings.

Fujitsu's procurement team uses a structured and proven approach to procurement which, through discrete
process steps, develops the model and approach to be used to provide the best outcome. This process is
applicable to any external supply and the strategy is flexible to allow for any project size or complexity.
Fujitsu’s procurement team can review and seek to renegotiate existing agreements, engage new suppliers,
agree technology and service roadmaps and assess cost implications.

SupplierConnect benefits from our many long-standing, strategic and operational relationships with all Tier 1
volume hardware, service and software suppliers, and with numerous distributors. We work effectively with
these suppliers, sharing mutual aims and values for the benefit of customers. Our suppliers, with whom we
have extensive commercial, contractual and business development relationships at all levels, include:

[Supplier logos: Cisco Systems, Dell, EMC, Global Crossing, Lexmark, Microsoft, Oracle, StorageTek]

Our corporate agreements with many leading software vendors include:

• Checkpoint — Premier Partner and Certified Service Provider
• Citrix — Gold Partner
• McAfee — Authorised Reseller
• Novell — Business Expert Reseller, Platinum Systems House
• Peregrine (HP) — Global Alliance Partner, Authorised Reseller
• Seagate Software — Authorised Reseller
• Siebel — Global Solutions Partner
• BMC - Elite Reseller

• Microsoft - our relationship extends beyond gold partner status, owing to the close relationship which
  has been developed through the Fujitsu-Microsoft Alliance. This offers a unique level of cooperation
  between both organisations, since Fujitsu is one of only three major partners with Microsoft in the UK.
• Oracle — we are a global Oracle Platinum Partner and have over 2,000 SAP professionals worldwide
  and over 400 in Europe. Fujitsu is one of three IT services companies worldwide that is certified as a
  Global SAP Services, Technology, and Hosting Partner, and we are a Global SAP-Certified Provider
  of Cloud Services.

Our relationships across the marketplace have also allowed us to develop our Independent Software Vendor
(ISV) programme, designed to transform traditional on-premise software applications to a cloud based
Software as a Service (SaaS) offering (see 17.4 for details on our enterprise-class ‘App store’).

We have commercial and contractual frameworks in place with most hardware manufacturers and value
added resellers and distributors as shown below:

• 3Com — Authorised Systems Partner
• Brother — Accredited Reseller
• Dell — Authorised Service Reseller, Alliance Partner
• Epson — Accredited Reseller
• Hewlett Packard — Gold Partner, Authorised Reseller
• Hypertec — Authorised Dealer
• IBM — Global Business Partner, EMEA Systems Integration Partner Tier 1
• Intel — Networking Reseller
• Kingston — Authorised Reseller
• Motorola - Platinum Partner
• Panasonic — Accredited Reseller
• OKI — Accredited Reseller
• Nokia — Authorised Reseller
• Portable add-ons — Authorised Distributor

The benefits that POL may expect from Fujitsu's procurement experience and relationships across the
marketplace include:

• Immediate and significant cost savings - both by optimising prices and by ensuring the right
  products, licenses and services are supplied with the right levels of service;
• Better risk management — understanding and sharing the risk with suppliers, and the ongoing
  management of that risk;
• A more responsive service - from product and service delivery through to problem escalation
  and resolution;
• Reduced management overheads - reducing the cost and management burden by outsourcing the
  procurement operation;
• Economies of scale — achieved by consolidating or rationalising the supplier base;
• Corporate Responsibility - ensuring that requirements are cascaded throughout the supply chain;
• Greater compliance - enabling legislative and regulatory requirements to be met;
• Innovation — leveraging supplier relationships to benefit from more innovative products, services
  and methodologies;
• Scheduling of product supply — providing a specialised solution in the forecasting and scheduling of
  product supply to meet POL's required delivery dates.

Fujitsu employed its procurement team when it was engaged by POL in 2011 to procure 30,000 Pin Entry
devices to upgrade the existing branch counter estate. The requirement had a considerable number of
technical issues to be evaluated, bespoke DDA design requirements, the requirement to reuse existing
installed counter components, connect to existing supplier power supplies, add device capability and ensure
that it was future proofed for Post Office business planning. The Fujitsu process ensured that the best
market competitive offer was obtained by using their template RFP and structured evaluation approach. The
device selected met every requirement and the equipment was delivered in time to meet testing,
accreditation and 2012 planned rollout.


5.3 Please explain how you would provide the logistics, delivery and distribution of products to any UK
location, as required by the Post Office.

Fujitsu recognises the potentially diverse delivery requirements of POL, particularly in terms of POL’s
widespread geography, and the need for quick and efficient deliveries. Fujitsu will work closely with POL to
ensure that service options are tailored to meet requirements both in terms of timing and geographic location.
Fujitsu’s service options are always designed to meet specific customer requirements.

Logistics and Storage

In terms of logistics, our Technical Integration Centre (TIC) is one of the largest IT logistics facilities in the
UK, and can provide a range of collection and delivery options for POL. Based in Warrington, Cheshire, it is
a purpose built facility, opened in January 1997, which provides safe and secure storage for customer
assets. The Technical Integration Centre meets the Ministry of Defence (MOD) List X standard, ensuring
processes that have been developed by Fujitsu comply with a List X approach.

In excess of 10,000 pallet spaces, 4,500 racks for small parts, various decks and a carousel
will enable POL to have a specific storage location in the centre, if desired. The TIC operates a two-tier live
storage and operating facility. It operates on a 24-hour, Monday to Friday basis, but with the capacity to
operate 24 hours, 7 days a week, if and when required. Fujitsu therefore has the necessary logistics in place
to support any project POL may choose to run, and to different timescales.

Transport

Fujitsu will arrange and administer all transport services using our approved third party carrier partners.
Deliveries to the UK mainland can be made on a next day basis, if POL requires this. Our standard delivery
and collection times are during business hours Monday to Friday. If and when required, we can also manage
deliveries and/or collections outside of normal working hours. This may include weekends and/or Bank
Holidays. Fujitsu can also deliver to POL locations based in the Highlands and the Isles. In this case, next
day cannot be guaranteed due to ferry crossing times, particularly during out of season and/or during
adverse weather conditions.

For project-based high volumes, managed deliveries are typically delivered as part of a deployment project.
The project manager will, on behalf of POL, agree a specific delivery schedule with our transport services
management team.

Additional services can also be provided. An example might include delivery to a desk and unboxing of
equipment. If necessary, we can also arrange with the carrier to remove all packaging for recycling. We can
collect waste equipment with approved carriers as part of our recycle services for redundant equipment.

Should POL require moves of existing IT equipment, including moves from desk to desk and relocation
from site to site, Fujitsu will be able to provide this. Our specialist carriers can provide equipment to move
large items such as racks and storage equipment. For these larger scale operations, Fujitsu will recommend
that site surveys are carried out as part of the planning to ensure no unforeseen issues or delays are
incurred.

In terms of security, Fujitsu provides a fully secure delivery and collection service using dedicated,
unmarked vehicles and personnel with security clearance. Secure delivery comprises one or two
dedicated personnel with a dedicated vehicle driving point-to-point. This will ensure that the security of
POL’s deliveries is maximised.


5.4 Please explain how you would integrate, configure and install products in accordance with business
requirements

Fujitsu will establish a Project Management and Co-ordination Team (PMO) who will be responsible for
managing the integration, configuration, delivery and installation of products in accordance with POL
business and operational requirements. This team will be scalable and can be flexed in order to meet
demand.

Fujitsu’s own configuration services manage the pre-delivery configuration requirements for IT and
Networking infrastructures. Our services cover all aspects associated with configuration activities from
technical builds through to physical re-packaging requirements. These services can also be performed to
Government and military security standards within our List X configuration facility, and our expertise extends
past traditional IT equipment to include, for example, non-standard products such as kiosks, POS and
vending machines.

Configuration of products is primarily handled by Fujitsu’s Configuration Centre at our main warehousing
facilities in Warrington and is integrated into our standard warehouse operations, enabling the fast and
efficient supply of products to customers. As much pre-configuration work as possible, including testing, on
hardware and software will be done at our Configuration Centre. This reduces the amount of work that is
required to be completed on individual sites and filters out “dead on arrival” (DOA) instances and early life
failures, thus minimising the adverse impact on installations.

Specifically, Fujitsu’s configuration service begins with the testing of a customer specific system build. This
build can then be packaged, ready for volume imaging as required by either the customer's SLA or project
schedule. Our service model is proven, yet flexible enough to take into account any POL specific
requirements. Fujitsu is able to deliver a service tailored to each project or requirement and will configure
equipment according to role, department or even individual needs.

If necessary, data communications links, communications equipment and build servers may be installed in
the Configuration Centre to support the software installation and test processes, and Fujitsu will work with
POL to understand exact requirements. It may also be necessary to modify bench layouts and power and
data circuits within the Configuration Centre dependent upon security, hardware and communications
requirements.

In terms of resources, requirements will be forecast to ensure that the correct number of appropriately skilled
engineers is available to meet POL demands. Fujitsu will also ensure that our configuration (and installation)
engineers are fully trained on our configuration (and installation) procedures before being allocated to POL
projects.

Overall our Configuration Centre is a semi-production environment which has been designed to deliver
scalable configuration services, enabling customers to benefit from our economies of scale. However, unlike
an original equipment manufacturer (OEM), Fujitsu has no minimum or maximum order thresholds and our
processes ensure that the latest approved build version(s) is always deployed.

The Project Management and Co-ordination Team will liaise with POL to plan the delivery and installation
work and develop operational procedures which take into account POL's business and operational
requirements, dependencies and constraints. A Fujitsu Project Engineer will be assigned to work with POL
to develop the procedures for hardware and software configuration and testing, installation and final testing.
All procedures will be documented, signed-off by Fujitsu and POL and be managed under version control.

Additionally a Stock and Warehouse Management System will be set up to manage POL products. This will
include the creation of part numbers and logical stock locations so that POL’s stock can be identified,
accessed and stock levels managed and reported.

Fujitsu also has an established portfolio of transport providers who offer the full range of services required in
terms of product size and weight, delivery times and geographical coverage. Services include Same Day
Couriers, Overnight Couriers, dedicated point-to-point collections and deliveries, specialist movers for large
items, for example ATMs and Certified Waste Carriers. Fujitsu will work with POL to select the most
appropriate transport services for both one-off installations and projects.


Fujitsu takes a flexible and collaborative approach to planning and scheduling deliveries and installations.
Consequently, where we are delivering and installing hardware as part of a larger project, it is essential that
we understand and appreciate the overall plan, constraints and dependencies in order to integrate our
activities with those of POL as efficiently as possible. This will be achieved by working closely with
POL, and if necessary their partners and/or suppliers, to plan and schedule deliveries and installations. In
order to avoid any “failed deliveries” and/or aborted visits, Fujitsu will work with the POL project/site contact
to monitor progress and check that the site is ready for the delivery and subsequent installation.

Fujitsu will also consult with POL to identify any constraints which affect physical deliveries. These can
include (but are not limited to):

• POL’s (local) procedures for accepting deliveries;
• The availability of site contacts;
• Vehicle dimensions, weight and manoeuvrability in relation to site;
• Parking/loading restrictions;
• Evening and weekend delivery restrictions;
• Physical site access, for example local restrictions, provision of additional resource and manual
  handling equipment to move large items;
• The availability of storage space on site.

Wherever possible, our engineers will take the items to be installed with them. This will remove the need
for a separate delivery and storing the items on site.

Any other constraints identified as part of the planning process will also be taken into account when
scheduling and organising deliveries and if necessary we can call the (POL) site contact at a pre-agreed
time ahead of the delivery and installation to advise or remind them of the date and time that the activities
will be taking place.

Fujitsu is also familiar with working on secure sites and will adhere to POL’s processes and procedures.
Fujitsu will also ensure that where necessary our personnel will:

• Have the relevant security clearance and are able to demonstrate this when on site;
• Wear the relevant security passes at all times when on site;
• Provide names and vehicle registration details as and when required;
• Take into account notice periods for gaining entry into secure sites when planning and scheduling work.

If necessary we can also provide and distribute notices for display in locations which advise when work will
be taking place in order to set expectations with POL’s staff and their customers and allow them to avoid
those times.

It is recognised that POL will have specific business and operational requirements and that these may vary
from site to site. Fujitsu will work closely with POL to understand the specific business and operational
requirements to ensure minimum risk and minimum disruption is caused by deliveries and installation
activities, and we will also work with POL to schedule work that avoids, for example, peak trading periods
and change freezes. Fujitsu will take into account any peak operational times during the day. If necessary,
activities can be undertaken out-of-hours during the week, at weekends and Bank Holidays.


6.0 Direct Call Off Services: Testing

6.1 Please explain how you will work with Post Office to define a test strategy, including detail on how
you would identify elements for automation, explaining why the manual elements are not suited to
automated testing and how you would plan your testing to deliver both manual and automated elements.
Please include an example of a documented test strategy and plan to support your response

The test approach covers, either directly or indirectly, all the test verification and validation activities
required through the software development life cycle, starting from the initial involvement of test analysis in
the requirements stage through to testing activities up to acceptance and deployment to production.

The first key deliverable in the test lifecycle is the Test Strategy, which shall be jointly defined between POL
and Fujitsu. The Test Strategy objectives will be identified via workshops attended by appropriately skilled
resource from both teams. The expected output from the workshops will be an overarching strategy for
testing across the programme and will define a common understanding of the terminology, scope,
standards, processes, and progression of testing. This is a good example of collaborative working and
indeed how the Joint Test Team works on the Post Office Account today.

Central to the test approach is to drive all aspects of the work based on achieving the test objectives in an
efficient and effective fashion. To achieve these objectives a combination of manual and automated testing
will be used. Test automation facilitates a cohesive approach through the test lifecycle and brings many
benefits:

• Once created, automated tests can be run over and over again at no additional cost.
• Automation reduces the time to run repetitive tests from days to hours, a time saving that translates
  directly into cost savings.
• Improve accuracy as automated tests perform the same steps and record detailed results precisely
  every time.
• Automation can improve test coverage by increasing the depth and scope of tests. Large numbers of
  different and complex test cases can be run during each test run, providing coverage that is
  impossible with manual tests.

These and other benefits can be realised with the introduction of an automated framework. The objective of
the Automation Framework will be to arrange for as much testing as possible to be automated to aid
repeatability, identify specific areas of regression, improve execution timescales, avoid unnecessary levels
of human error and ultimately improve product quality.

This is familiar ground for the Post Office Account Joint Test Team. A bespoke test automation framework
was recently developed and deployed in the test environments. The framework was developed based on a
set of requirements from the Joint Test Team and is now an explicit part of the Account Test Approach.

Test Automation complements the manual testing that is performed for each project. As an example, the Core
Regression test pack that covers all component parts of the solution is fully automated. When a change is
introduced to the test environments, the appropriate test scripts are selected and a test pack is created for
execution through each test cycle. The test objective is to prove that the change has not had a negative
impact on existing functionality. Elapsed time to execute and resource effort are both improved and, as a
result, resources can use their time to generate both manual and automated tests to exercise the change
being introduced.

As already identified, some tests are well-suited for automation; indeed some cannot be performed manually
in a meaningful way. Conversely, other tests are more effective when done manually, or can only be done in
this way.

One-off tests, where the costs to execute are high, are an indicator that a test should be done manually.
Another is the need for human judgment to assess the correctness of the result or intervention to keep the
test running. Accordingly, the following are a good fit for manual testing:


• Installation & setup, operation & maintenance, or tests where the tests involve loading media such as
  CDs or tapes, changing hardware, or other manual input from the tester;
• Configuration and compatibility tests that require configuration of systems and networks, software and
  hardware installations, again all requiring human intervention;
• Usability: human judgment is needed to check for problems with the user interface and workflows;
• Error handling, resilience and recovery: here errors need to be forced, perhaps by powering off a server,
  so again requiring the tester to remain engaged throughout the test;
• Documentation and help: checking documentation, such as support guides, requires tester input.

Currently the Post Office Account Joint Test Team performs a mix of manual and automated tests. Where
a quantifiable benefit can be seen, tests are considered for automation. The existing Test Strategy is
building on the recently introduced automation framework and expanding its use into other test teams, such
as Live System Test and Web Service Client Take-on, which are ideal candidates since both require the same
tests to be repeated. For example, maintenance tests for a security patch across multiple platforms require
the same tests to be run on multiple platforms; with the introduction of the automation framework, both the
time and precision can be improved.


6.2 Please explain how you would define, organise and implement a Risk Based Testing Strategy.

The cost of assurance and test activities is offset by the level of risk associated with the product or service
under test: the higher the cost of defects, the more it is worth spending on validation and verification. A
balance of cost and quality is required.

To create this balance the Supplier has a standard approach to testing, the objectives of which are:

• Measuring product quality against agreed acceptance criteria;
• Attempting to identify defects in products;
• Providing information to help management and the team make risk based decisions;
• Providing information about risk levels associated with products; and
• Providing information about whether IT systems are fit for purpose.

These objectives are not achieved by exhaustive testing of all the artefacts.

The Test Strategy applies an appropriate level and type of assurance activity to address defined risks. The
objectives of the strategy are achieved by risk-based static testing, which is carried out by reviews and
assurance of products, and risk-based dynamic testing, which is carried out by executing tests.

Validation and verification activities shall be prioritised against the risks, with the highest risks being
addressed earliest and most thoroughly by choice of techniques and coverage for the product/service under
test. New and changed functionality shall be assessed for the risks associated with the change to the
product as a whole.

Risk Based Testing is a continual process and will involve test specialists from both Supplier and Client
organisations from project inception to project Acceptance. The following are examples of the criteria
applied when determining risk:

• Risk to the customer's business, impact if a business function fails, for example during Christmas
  retail operation;
• Risks to and from technology and technical activities;
• Risks to the accuracy, suitability and functionality of the systems;
• Risks to the performance of the systems to the business delivery (response times, throughput, stress,
  volume, limits);
• Risks to the usability of the products (accessibility, learn-ability, task effectiveness and efficiency);
• Risks to the security of the business, both Client and Supplier (confidentiality, integrity, availability
  of data);
• Risks to the operation of the delivered solution (availability, reliability, recoverability, resilience,
  fail over etc);
• Risks to the supportability of the products (maintainability, stability, intrinsic quality, testability,
  interoperability, installation and de-installation);
• Risks to and from project management and process; and
• Commercial risks.
The above are all criteria that are applied for projects in the existing Post Office Account Test Approach.
The method that is most commonly used is for testing to be prioritised based on a risk assessment of the
business impact and technical likelihood of failure of the area under test. This assessment is consistently
applied across artefacts within each Project and where feasible, is derived from weightings applied to project
requirements. Reporting and metrics incorporate the risk assessment and the severities of any resulting
defects are determined by the risk assessment.

6.3 Please explain how you will provide Post Office with testing services that include, but are not limited
to, unit, functional, non-functional, system and user acceptance test phases. Explain how you will ensure
that Post Office are able to perform witness testing on some or all of the activities undertaken and how you
would manage the testing phases, including defect management and resolution processes, any tools used to
manage both manual and automated testing and documentation that will be provided to Post Office, e.g.
test exit reports. Support your answer with examples where possible.

As described above in answer to questions 6.1 & 6.2, Fujitsu has a standardised testing approach that is risk
based, ensuring identification and assessment of product and service risks (business and technical),
enabling prioritisation of tests and ensuring the most important, highest risk, areas are tested as early as
possible. The testing approach will cover functional and non-functional requirements across all test life
cycle phases: unit, system and integration testing, operational testing, user assurance testing, and
regression as a discrete test type throughout each test phase. Each “product” will be assessed on its
requirements, and, based on this assessment, appropriate test stages will be planned. For example, a “light
touch” for infrastructure based changes, to full assurance for functional changes and business process
change that will enhance the user experience.

Fujitsu already has an established working relationship with POL as previously highlighted; a Joint Testing
Team is in place. Testing Services for the Account are provided by staff from both Supplier and Client
teams and we see no reason why this working relationship should not continue for any other programmes of
work.

Under the existing POL contract the agreed Test Strategy has matured over many years. A Test Plan is
defined for each project and draws on the principles from the Test Strategy:

• Joint Working;

• Collaboration;

• Risk Based Testing;

• Consistent Test Management and Automation Tooling;

• Adherence to gateway criteria such as test stage entry criteria;

• Progressive, incremental development, testing and acceptance.

To deliver each Test Plan, there is an abundance of experience in the Joint Test Team effectively
combining business knowledge and testing skills. The combined skills and experience between POL and
Fujitsu staff provide a well balanced team across the various roles in testing - POL staff providing business
input and a conduit to the various POL and external project stakeholders, and Fujitsu staff providing
technical expertise and coordination across the various teams within the wider Fujitsu organisation.

Test processes are governed by organisational engineering and test policies, based on industry good
practice, and managed within a controlled Business Management System (BMS) at the organisational level.

Process improvements are identified during project test activities and controlled via periodic updates to the
BMS, in consultation and cooperation with all other life cycle processes and disciplines to ensure process
integration.

Effective test management, planning and control provide visibility of plans, schedules, dependencies, risks
and issues. The existing Programme Governance Framework facilitates joint forums across all delivery
teams. Test governance is a key example of how we work seamlessly within the Joint Test Team. The test
governance forum meets on a weekly basis and its purpose is to provide direction for all testing activities.
The attendees are from both the Supplier and Client organisations. Each meeting discusses all current
Projects, Live Service Maintenance and future projects. Risks and Issues are a key part of the meeting
where those that are test affecting can be discussed and understood. This forum provides an effective and
formal interface to Post Office test governance as well as providing the teams with time to discuss how they
can better deliver test services in a collaborative way.

As part of test governance, test metrics on progress (planned, executed, passed, failed tests), along with
defect status reports, which inform on the test coverage and status, are collated and reported daily to the
respective organisation project teams. This facilitates an informed judgement on product and service
quality and progress through the life cycle stages and ultimately into deployment.

Responsibility for all test collateral is shared. All test documentation produced is subject to internal test
review by the Joint Test Team and the Senior Test Managers for both organisations share approval
authority for all documents produced. This further supports the collaborative and open book approach to
test on the Post Office Account.

Test Management Tooling is a shared resource hosted by Fujitsu but managed jointly between POL and
Fujitsu teams. The tooling of choice is Hewlett Packard Quality Centre. The modules used are Test
Management, Defect Management and Requirements Management. The Post Office Account has bespoke
tooling for defect management and there is a managed interface between the Test Tooling and the Account
Tool. Similarly, there is an interface between the Test Tooling and the Account Requirements Repository
which facilitates both requirements coverage reporting and supports the Requirements Acceptance Process.
Traceability to requirements, solution designs and product risks is provided from test cases to ensure
coverage is visible and managed.

Witness testing is not currently undertaken on the account as we have the Joint Test Team and work
together within the bounds of the Account Test Strategy, Test Governance and Test Process and
Procedures. We have hosted Business Assurance where project teams have attended a demonstration of
the software to support their activities in relation to a product being introduced to the live estate, for example
production of user guides and training material. Depending on the objective of the test witnessing, for
example to gain assurance that the Test Strategy and Test Processes are being adhered to, this should be
discussed and agreed at the workshops for creation of the Test Strategy for the programme of work.

It is essential to the success of any project to have collaborative working as this enables clear
communication and coordination of work streams, and effective communication with stakeholders (Project
Managers, Architects, Designers, Developers, Support staff and Client representatives), to ensure plans,
deliverables, progress, risk and issues are proactively managed throughout, in close liaison with the Client
teams.

The combination of a mature Test Strategy, robust test procedures and processes and a Joint Test Team
working collaboratively with stakeholders results in an effective and efficient delivery of test services.

6.4 Please explain your approach to quality in a testing environment.

Quality is intrinsic to software testing, improving the quality of the product through to quality assurance of
the test process. The Supplier delivers test services to meet quality criteria but for the purpose of quality in
the test environment this response will focus on the quality processes that govern the test execution phases.

It is recognised that before deliverables enter into test they must be of sufficient quality and functional
stability. Fujitsu will agree with POL a set of acceptance criteria which all parties responsible for the delivery
of products shall meet. This will be done before the product enters into the test phases which form the test
life cycle.

These acceptance criteria will form part of the entry criteria for each phase of testing and will be
documented and agreed in the Test Plan(s). The agreed acceptance criteria will include the provision of
satisfactory evidence of completion of all work products, including but not limited to:

• Design documentation;

• Technical documentation;

• Unit tests;

• System tests;

• Integration tests;

• Operational and User Acceptance test;

• Regression tests;

• Test documentation;

• Help and User Guide documentation; and

• Verification and validation activities.

Entry into each test phase (or test cycle within a test phase) will be subject to a Test Readiness Review
where an assessment against a pre-defined and agreed set of criteria is performed. Similarly, testing within
each test phase will not be considered complete until the testing is adequately reported and a resolution
path for all outstanding issues is understood.

Test processes are governed by organisational engineering and test policies, based on industry good
practice, and managed within a controlled Business Management System (BMS) at the organisational level.

All test artefacts are version controlled, and configuration management disciplines applied to ensure
currency and control.

For the test execution phases there are a number of controls put in place to ensure quality of the testing in
order to meet test objectives. These controls are facilitated by the use of both tooling and governance. The
controls are:

Defect Management - ensuring test issues are raised and managed. The existing Joint Test Team uses HP
Quality Centre for the recording and management of all defects raised through the test life cycle up to and
including pre deployment test. The Defect Management process identifies the roles and responsibilities and
the process has representation from both Fujitsu and POL Teams. When a defect is raised it is subject to a
Quality Filtering Process to review and confirm the correct priority from a test progression perspective but
also the severity from a business perspective. Fixes for defects will be installed between test cycles ready
for retesting. During test execution there are times when a defect may be subject to deferral. On the Post
Office Account today joint forums are established to discuss and agree defects and whether deferment is
appropriate. Defects agreed for deferral are included in the formal acceptance process and remain in the
defect management system for later correction.

Test Environment Management is facilitated in a number of ways. Firstly all test environments are closely
controlled. They are prepared in compliance with environment specifications, and configured in accordance
with the Test Plans for each test phase. Environment baselines are strictly controlled using the
configuration management toolset and all defect corrections are delivered under the control of this regime
so the code-set status for any test is always known and recorded. No informal code delivery or configuration
is permitted. For all deployments, both hardware and software, to the test environment, Health Checks are
performed to confirm that the test environment is ready for test execution to commence. These include:

• Verification of code delivery against release note

• Confirmation that all platforms and services are running

• Confirmation that all databases are functioning

• Confirmation that File Shares are established, directory structures and file permissions applied

• Localisation of configurations based on the test environment capability

Test Metrics on progress (planned, executed, passed, failed tests), along with defect status reports, will
inform on the status, enabling an informed judgement on product and service quality and progress through
the life cycle stages and ultimately into deployment. Test metrics are collected and published throughout the
test life cycle and include:

• deliverables completed against plan;

• test coverage achieved;

• defects raised, closed, and outstanding; and

• any defect trends.

There are regular test meetings attended by both POL and Fujitsu teams to discuss the testing progress and
agree the daily reporting information to be published. A Test Report is produced on completion of each test
phase. This details the planned test coverage successfully achieved, the defects involved and their status
and a risk assessment relating to coverage not achieved and defects that remain outstanding. Progression
from one Test Stage to the next will be governed by formal readiness reviews, assessing the specified
Entry/Exit Criteria and acting as Quality Gates. On success the Test Reports are subject to formal review by
Supplier and Client project teams as well as approval by the POL and Fujitsu Test Managers.

Process improvements are identified during project test activities and recorded so that periodic updates to
test collateral, procedures and processes can be made in readiness for future test activities. Process
improvements are also subject to Project level reviews in consultation and cooperation with other life cycle
processes and disciplines to ensure process integration.

Internal process maturity is measured, and the intention is to progress external accreditation by BSI /
ISO29119 or TMMi, as an independent assessment of maturity of processes.

6.5 Please demonstrate your level of competence of your test resources in respect to Information
Systems Examinations Board [ISEB] and International Software Testing Qualifications Board [ISTQB]
training standards.

Fujitsu's test community extends to more than 300 professional testers, 95% of whom have achieved the
ISEB / ISTQB Foundation testing qualification. The remaining 5% are undergoing training to receive this
accreditation. In the existing Joint Test Team, Fujitsu’s resources all hold formal qualifications from either
ISEB or ISTQB.

Approximately 40% of the community have achieved higher level ISEB / ISTQB accreditation, whether
ISEB Intermediate, ISEB Practitioner (prior to ISTQB), or more latterly ISTQB Advanced / Test
Management.

To complement these formal qualifications and support the development of Fujitsu's test resources each
individual has a Personal Development Plan. With support from a line management structure within the test
community, learning and development needs are identified and appropriate training arranged.

Within the Post Office Account Joint Test Team the delivery of quality test services is achieved by
combining each individual's skills and by working with and drawing on each other's skills, knowledge and
experience, both business and technical. Part of the philosophy of the team is to use the collective
experience which ultimately brings about the collaboration within the team.

7.0 Delivery: Implementation

7.1 Please provide a case example of a multi channel implementation plan covering both business and
system related activities and explain how you would adapt this accordingly for an organisation such as Post
Office.

By means of illustration, Fujitsu is providing a narrative of our recent highly successful JD Williams
implementation project (http://www.nbrown.co.uk/jd_williams), which is shortlisted for the 2012 Retail
Technology Awards in category “Multichannel Integration of the Year”.

Background

In a marketplace of intense competition, consumer choice and pressured margins, more retailers have been
leaving the high street than joining it. JD Williams is an exception to the rule: notwithstanding their mature
online and catalogue shopping presence with brands such as Figleaves, SimplyBe, and Jacamo, in 2011 the
company decided to venture onto the high street. This was to seek out an opportunity for business growth,
and to further increase recognition and penetration of its best performing online and catalogue brands. Two
pilot stores were planned, and Fujitsu was awarded the business to design the in-store technology roadmap,
to select and integrate leading edge technologies, and deploy, implement, service, and support the stores.

The key challenge was to ensure that the transition to face-to-face retailing enhanced the core proposition,
and provided a range of seamless channel choices for customers. The objective of opening pilot stores on
the high street was to increase the number of channels to market, which would provide an additional
customer recruitment opportunity, and increase the volume of sales of key product lines. The catalogue and
online shopping experience appeals to customers seeking a comfortable, non-threatening experience, free
from direct and overt sales approaches. Bringing this experience to a store and adding to it means that both
technology and human interaction must be of the highest quality and seamless.

The technology selected to underpin the experience therefore needed to support delivery of the
‘experience,’ and recognise customers with accounts, giving them the option to pay from their online
account or in store. The solution was chosen as a Fujitsu implementation of Enactor POS.

JD Williams set ambitious targets. There was a window of only six months to open the first store to the
public. Fujitsu has the people, processes, and technology to adapt project plans to meet the needs and
culture at POL, as well as those of specific projects in order to meet desired business outcomes. This
particular project required an innovative and rapid development path, which Fujitsu has delivered
successfully.

Further details of this project are provided in our answer to 7.2 below.

7.2 Please explain how you would undertake a pilot as part of the implementation. Provide an
illustrative example of a pilot, illustrating how the success of the pilot influences the remaining
implementation plan.

As highlighted under 7.1 above, Fujitsu has recently provided a successful implementation project for JD
Williams, which has been shortlisted for the 2012 Retail Technology Awards in category “Multichannel
Integration of the Year”. The timescales defined by JD Williams meant that a full technology overhaul was
not realistic. The technology supporting the retail environment had to mirror what was currently available in
other channels. JD Williams had already embarked on an SOA approach to systems integration which
enabled agile coupling together of existing functionality with new in store capability. Fujitsu therefore
recommended Enactor POS owing to its out of the box capability, providing an extremely fast deployment
capability, coupled with its SOA based process development tools for rapid integration and future change.

It was decided that a vanilla configuration of the software would be deployed, but the flexibility of the
software meant that the implementation team had to be strict as to which areas would be implemented in
Phase 1 in order to meet the timescale. It was essential to deliver true integration to the JD Williams
Customer Account functionality from day one, but with a view that functionality could be changed in the
future without wholesale re-design. This approach was made possible by the flexibility to change and extend
processes in later phases as opportunities to enhance the offering to the customer were identified.

In integrating the online and store-based environments it was important that the “feel” of the online
experience was transposed into the high street. Using high quality digital media presentations, building on
existing “online digital assets” and the provision of in-store kiosks linking customers with their online
accounts provided part of this integrated experience.

In addition, a new hands-on experience was made available, in the form of the “Magic Mirror”, recently
shown at the 2012 Retail Week awards show. This allows customers to see themselves in the clothes they
have selected and then share the images online with friends via social media (Facebook, Twitter, email)
integration. In the next release of the software, this will be a virtual experience, using kinetics gestures to
pull apparel from a virtual shelf at head office, and see how they appear on the shopper.

Fujitsu delivered the technology, including both hardware and software, together with associated business
processes, into the new pilot stores. By doing so, we helped JD Williams achieve the integration required in
a very short time. Working alongside some of the UK's most talented store designers, the implementation
teams were able to deliver the fully integrated environment on time. The Fujitsu solution provided a full
multi-channel customer experience, rather than a traditional retail store environment. The experience
gained from opening these pilot stores has further helped inform the business case.

Business & Customer Benefits achieved by integration

The benefits are measured not only in the light of the performance of the Stores themselves but also the
impact they have on brand performance in the other channels. Early indications from customer feedback
and new customer recruitment are encouraging and show good indications that the stores will be a valued
component of the JD Williams’ multichannel strategy. Immediately on opening the first 2 pilot stores (of 7
planned), JD Williams won an award for the most innovative store format from Planet Retail.

The SOA nature of the systems architecture means that the company can offer a hugely agile response to
change and new opportunities. Bringing this together with a responsive and targeted delivery of Digital
Media and Kiosk processes, enables the business to flex and change in line with customer demand.
Enactor's ability to allow the business to manage promotions and business processes such as coupons and
gift cards without recourse to expensive system management means that a very rapid and real response to
market demands can be achieved.

In addition, offering customers additional facilities such as the option to pay their online account balances in-
store, created an enhanced and integrated experience. It was a successful and rapid deployment.

The JD Williams team, working with Fujitsu and its partners, was able to deploy the first stores in record
time. This was not only due to the strong input of the business, but also to the investments made by the JD
Williams IT team in establishing a SOA environment — enabling new capabilities to be added really quickly.
This allowed account integration on day one, which was essential for offering a true multichannel
experience.

Sales or Customer Loyalty improvements

The highly integrated nature of the Pilot Simply Be stores brings a number of improvements to both
customers and the business. These include:

For the customer:

• Store staff provide a comfortable environment in which customers can understand the correct fitting of their clothes and footwear.

• A range of payment choices; customers can decide to pay either from their online account or in store.

• Customers can pay off balances on online accounts while in store.

• The ability to see and touch the merchandise increases the likelihood of buying, and if the correct sizes are not in stock, a well-tried home delivery process can ensure a very timely delivery of the right apparel in the right size.

• Familiar processes, which are common to online and in-store purchasing, give customers a feeling of security which means that they are confident to buy.

For the business:

• Store staff can be confident that customers have the credit available to buy because the processes mirror those used online.

• The Magic Mirror involves customers and their peers more closely, using social media to both increase brand recognition and turn shoppers into advocates.

This movement of an online Customer experience to an in store customer journey has increased the loyalty
of targeted customers. They now can use the in store style consultants who deliver the online experience
with a personal touch, reinforcing the style offering.

As the bricks and mortar pilots become more mature, the Enactor software will allow specific loyalty
operations above and beyond those normally available in stores. Clientele operations will allow greater
personalisation through “follow up” capabilities either by the assistant who served the customer or a central
call centre.

7.3 Please explain how you would work with other Third Party suppliers, for example a service
integrator to ensure implementation of the final solution is completed. Provide an illustrative example of
successful transition to another supplier.

Fujitsu has an excellent record of working collaboratively with other service providers for the benefit of our
customers. We have partnered with other leading providers such as EDS, IBM, Accenture, Cap Gemini, and
Logica, in both prime and subcontractor roles.

Fujitsu has frequently carried out the complex role of Prime Contractor/Systems Integrator leading on to
subsequent service delivery. The role covers overall programme and project management for projects
which involve the installation and integration of hardware and software, into both green-field and pre-existing
system environments, which have been supplied by several manufacturers, usually in conjunction with
services which are performed by other third parties. Our project management methodology specifically
addresses the unique requirements, which arise in the management of third parties, and in successfully
carrying out the Prime Contractor/Systems Integrator role.

To ensure Fujitsu can bring the best end-to-end integrated solutions, seamless support and outstanding
value, Fujitsu maintains global alliance partnerships with all Tier 1 vendors. Fujitsu holds the highest levels
of accreditations with EMC, NetApp, CA, Microsoft, Cisco, Oracle, VMware, Symantec and HP.
Fujitsu is the largest global partner of several of the companies listed (please also see our answer to 5.2)
and sits on many partner development councils, with joint engineering and R&D agreements. Our model is
designed to align and to motivate the right corporate and operational behaviours. We employ shared and
open governance frameworks designed to ensure successful delivery of end to end operations in both single
and multi-vendor environments.

Fujitsu recognises that successful transition requires strong customer and supplier relationships based on
trust. In recognising the importance of good governance to the success of Fujitsu and our customers, we
have built a comprehensive best practice governance model.

Fujitsu’s Governance Model

[Figure: Fujitsu’s Governance Model. Diagram not reproduced; legible labels include Strategy, Architecture, Innovation, Project Management, Programme Delivery, Service, Change, Sense and Respond, and Continual Improvement. Legend: MSP (Managing Successful Programmes); ITIL (IT Infrastructure Library); Val IT (Valuing IT Framework, Governance); CobiT (Control Objectives for Information and related Technology); TRIOLE (Fujitsu's Industrialisation Methodology).]

Examples of where we work collaboratively

• Fujitsu merged its contract with HMCE into the Aspire contract, delivering value to HMRC through the establishment of a single contractual arrangement for the provision of ICT services to help achieve HMRC’s overall objective rather than protecting our prime contractor position.

• At DVLA, as a result of the continuous development of services, there is a complex mixture of legacy mainframes and web-based applications. The technical capability to develop, maintain and support these is provided by a joint IBM/Fujitsu Development Maintenance and Support Organisation (DMSO), where responsibilities are jointly discussed and agreed. One particular feature of this is the close working relationship and trust between Fujitsu and IBM, with a “best person for the role” policy, ensuring DVLA receives optimal service.

We have a proven engagement approach used at LloydsTSB, Ford, HMRC, MoD, DVLA, Home Office and
other customers that is designed to ensure close interworking with our customers and their providers.

Fujitsu interfaces to customers', suppliers' and partners' existing service management frameworks using its
Service Design and Build Methodology (SDBM) to ensure that all parties involved in the delivery of service
work together seamlessly and effectively.

For a transition to another supplier, Fujitsu uses SDBM to build a Service Transfer Exit Plan. A high-level
customer example is shown in the diagram below.

[Figure: Service Transfer Exit Plan, high-level customer example. Diagram not reproduced; legible labels include New Supplier, Handover, Deliver New Service, New Supplier Integration Service, New Supplier Delivery Service, General Operation (BAU), and B2B & EDI Service.]

The Service Transfer Exit Plan is designed to:

• Maintain continuity of Services and Service Levels during the period of transfer of the Services away from Fujitsu

• Provide POL and the replacement supplier with such reasonable information and assistance as is required to facilitate the overall Transition Plan.

Fujitsu will appoint a manager to act as a Transition Manager to manage and control the overall transition
and who will have the authority to act as the Single Point of Contact (SPOC) for engagement with POL and
the new supplier.

An extensive transition to ATOS of high-complexity, highly critical business applications for a government
customer has recently been successfully completed using this methodology without impacting on the service
to the end customer.

8.0 Direct Call Off Services: Release Management

8.1 Please describe your Release Management Approach and provide an illustrative example of a
Release Strategy.

Fujitsu's approach to Release Management aligns with ITIL standards and is to focus on the activities of
managing releases and their distribution into the live estate and to ensure all releases are properly
assessed, deployed and reviewed in a controlled manner from request to closure.

We do this by taking a holistic view of a change, or changes, to the IT service and ensuring that all aspects
of a release, both technical and non-technical, are considered together. This includes:

• Planning and overseeing the successful roll-out of new and changed
  software and associated hardware documentation;
• Liaison with our change management and configuration
  management functions to agree the exact content and roll-out plan
  for the release;
• Ensuring that all items being rolled out or changed are secure and
  traceable via the CMDB;
• Ensuring that back-out arrangements are in place in the event of a
  failing release;
• Managing the customer's and users’ expectations of releases and roll-outs.

Release Management in the Post Office Account acts as a gateway to allow a new release of software
and/or hardware to be deployed onto the live estate. The process ensures that a number of formal checks
and validations are completed before the decision to deploy is made in order to protect the live
environment.

A Release comprises a set of mainly related underlying changes that are to be implemented at the same
time to deliver specific business requirements. The process to plan a release starts at the earliest
opportunity, for example at the project PID, although detailed work and the raising of the actual Managed
Service Change (MSC) will not happen until later.

As an illustrative example, there are three main types of release on POL HNG-X environments:

Major Releases — these are managed by the Post Office Account Programme Team and will normally deliver
significant new functionality, scheduled with understanding of the requirements of POL. There are three or
four major releases during a year. A Major Release may contain one or more of the following types of
change:

• Change(s) to business functionality requested by the customer
  (including a new service)
• Infrastructure changes (including major changes)
• Non-critical fault fixes
• Service level improvements.

Emergency fixes — these are applied direct to the live estate to resolve operational issues.

Maintenance Releases — these usually do not add significant new features or content, and are applied to
address minor problems or security issues. These are applied frequently and there may be twenty or thirty
between each Major Release. A Maintenance Release may contain one or more small changes
implemented between Major Releases:

• Service improvements

• Non-critical fault fixes
• Security patch management

Fujitsu recognises that the need to protect the live environment at all times remains paramount.

8.2 Please demonstrate your ability to create a Release Control and Distribution process, aligned with
ITIL standards.

Fujitsu already has release, control and distribution process standards aligned with ITIL in many of its
existing customer accounts, including the Post Office Account. We have an extensive Manage Release
process embedded in our Business Management System.

For example, the main forums that plan and control releases on the Post Office Account are the Release
Governance Board and the Release Planning Meeting. These are described below.

Release Governance Board

The Release Governance Board is held fortnightly. It will discuss forthcoming major releases, expected
deployment dates, and review current releases and deployment plans.

Release Planning Meeting

The Release Planning Meeting is held twice weekly. It will include representatives from all teams engaged in
the release management process, from development, integration, test, release management and service
management, and will cover:

• The overall schedule of maintenance releases;
• Changes to the existing release plan;
• The inclusion of business change proposals into maintenance slots at
  the appropriate stages;
• A review of forthcoming Releases including:
• Confirm development and Integration deliveries are on target;
• Confirm fixes are targeted at the correct release for the deployment
  group that will take the fix;
• Confirm fixes are progressing through the process as expected;
• Highlight anomalies to the attendees for resolution;
• Check that releases are on target to hit their test and deployment
  dates;
• Review release plans;
• Discuss business change proposals;
• Flag any changes to dates of maintenance releases;
• Addition of new maintenance releases;
• Review platforms associated with a deployment group;
• Review frequency with which each deployment group is scheduled;
• Changes to the platform hardware instance list and their possible
  impact;

Our release control and distribution processes for our other accounts are similar to the above Post Office
processes, and although each is tailored to individual customer requirements they all align with ITIL
standards.

8.3 Please explain how you will monitor the release management process and collate information from
this monitoring to provide MI for key stakeholders on both the release process and operational run.

A release policy document will be produced jointly by Fujitsu and POL to clarify the roles and responsibilities
of release management for POL projects to ensure that there is no ambiguity in, for example, roles and
responsibilities, timing and scale.

The deployment of new releases will be closely coordinated with POL and the acceptance criteria for
all releases will be agreed and defined on a joint basis.

To ensure effective and auditable monitoring of the process a master managed service change (MSC) will
be raised to cover the release in its entirety and sub-changes raised for the testing and deployment phases.
Authorisation from the Change Advisory Board (CAB) for release into the live estate is only given after
testing, including user acceptance testing where necessary, has been successfully concluded.

Fujitsu will agree the release KPIs with POL prior to any release. The actual KPIs agreed will be
dependent upon the type of release, for example Major, Emergency, Maintenance, Delta, Package.
However, suggested KPIs include (but are not limited to):

• Number of incidents caused by a release
• Number of remediated (backed out) releases
• Number of problems reported by the Service Desk and fixed

At all stages Fujitsu will ensure that POL, or other key stakeholders, is kept fully aware of the developments
and progress of release packages, whatever the size/type. At the conclusion of the release process POL will
be provided with a report on the success, or otherwise, of the release process.

9.0 Direct Call Off Services: Service Integration and Management

9.1 Please explain how you will support the network of over 11,500 branches and where you envisage
adapting your service model to support solutions across the entire network.

Fujitsu already provides services to POL’s extensive network of branches and will continue to do so.
Specifically we have been providing the Horizon, and then Horizon Online™, EPOS solution that has
successfully been supporting up to 18,000 Post Office branches during the past 10 years, and more
recently, the complete estate of 29,938 counters spanning 11,373 branches.

Additionally we already provide and support the branch hardware, the applications and networks used in
branches to serve customers, as well as transactions carried out by other devices in branches. We also
maintain the data centres supporting these applications and transactions.

There are currently over 300 people providing service to POL on a daily basis, including, but not limited to,
Account Management, Service Delivery, Service Desk, Release Management, Reference Data, Security,
Business Support, Change Management, Capacity Management, Software Support, System Monitoring and
Sourcing and Supply Chain.

Fujitsu has been working very closely with Post Office to create an innovative branch experience, ranging
from flexible touch-screen counters to trialling self service kiosks, so customers benefit from multiple
channels and greater payment options that Fujitsu can provide. For example, to cater for the needs of small
rural communities, Fujitsu supports a network of fully equipped Post Office vans and unique mobile counters
and trolley-based terminals to ensure customers can still be part of the community. A satellite connection
also ensures that customers in even the most remote of places can be served.

We believe that our existing service model fully supports the existing POL environment and we do not
envisage any major adaptations to our service model to support additional solutions across the network. In
fact we will plan to exploit our existing POL skills and experience to meet the requirements of additional
projects.

However it remains part of our culture to seek “continuous improvement” and not to be complacent in our
service delivery and we will work with POL on specific projects to ensure that the existing model is indeed fit
for purpose. Where it is agreed that adaptations may be necessary we will discuss and agree these with
POL on a project by project basis. Impeccable service delivery remains paramount in our ambitions to meet
the POL delivery requirements.

9.2 Please explain how you will design the support model for a solution and calculate the total cost of
ownership of the solution (including costs to establish the support model and the operational life)

As modern businesses have become increasingly dependent upon their IT infrastructures, it has become
increasingly important that IT projects are designed and delivered in a way that minimises the impact to the
business and delivers the benefits promised.

One of the ways in which this can be achieved is by the application of a proven and consistent approach to
these projects which delivers best practice from previous projects and ensures that the teams involved in
delivering these projects are agreed on the way forward.

Fujitsu’s Infrastructure Design and Build Methodology (IDBM) builds on Fujitsu's experience of successful
infrastructure projects going back more than 40 years, from small projects through to some of the world’s
largest IT projects.

Fujitsu IDBM defines a three stage approach to infrastructure projects:

• DEFINE — which maps out the infrastructure requirements, the
  current environment and the overall shape of the target solution
• DESIGN and DEVELOP - which carries out the detailed designs
  needed for infrastructure solutions, the integration of the
  components making up the solution, preparation for
  implementation, preparation for operational running and testing.
  Verification and validation is an ongoing activity throughout this
  stage
• DELIVER - this describes the deployment of the solution within the
  live environment, including any initial pilot, full deployment and
  ongoing exploitation and support.

In addition, the high level processes identify some of the parallel activities taking place involving senior
managers, project management, service management and end-users.

This methodology outlines best practices and outputs for each stage, as well as the gateway criteria for
moving between stages. A number of principles have guided the development of the methodology:

• Re-use - to build on the best of what already exists in both design
  and best practice; minimising risk by using tried and tested
  methods and improving time to deliver
• Flexibility - to be applicable to a wide range of types of projects
• Scalability - to be applicable from the smallest to the largest
  customers and projects
• Lightweight — to provide a standard approach, language and a set of
  tools and templates but without the need for large amounts of
  training
• Evolution - to be able to incorporate tools and best practices as they
  are developed in the future
• Comprehensive — to cover the end-to-end process required to
  provide a solution from original requirements through design and
  build to ongoing support.

This is a tried and trusted methodology currently being used by Fujitsu and we would propose using this
methodology in the development of the POL projects. The diagram below illustrates the key deliverables in
this approach which will ensure that POL has a full support model for all solutions/projects being
delivered by Fujitsu.

[Diagram: IDBM — Key Deliverables. Recoverable process labels: IDBM Definition Process; IDBM Design & Build
Process; IDBM Test Planning & Preparation Process; IDBM Testing; IDBM Implementation Planning & Preparation
Process; IDBM Operational Service Planning & Preparation Process; IDBM Delivery Process; IDBM Governance
Process.]

IDBM Key Deliverables

Fujitsu also has a standard framework for evaluating all costs, direct and indirect, incurred throughout the
lifecycle of a solution, including procurement, operations, licensing, maintenance and product end of life
management.

An example of Fujitsu’s capability is the ability to use known data against hardware products of various
types to determine Mean Time Between Failures (MTBF) of a given product. This drives the incident
volume which can be used to extrapolate the support costs which at the minimum include Service Desk,
Engineering, Logistics and Repair.

For new products Fujitsu would look not only at the cost of the product but also at the broader design of the
Service to be wrapped around a product and account for service introduction and training required to
implement and support. This would cover not only the support teams but also the users.

Also where possible the underpinning contract support teams would seek to leverage any warranty
manufacturers or repairers or service team to minimise any costs associated with early life failures or repeat
visits. In addition to this, Fujitsu would look to understand the root causes for failure and seek to eliminate
them in order to reduce the long-term cost of ownership.

Fujitsu has many robust and proven cost models to calculate the total cost of ownership, including set-up,
transition, transformation, training and on-going service delivery over the term of the contract, and we will be
happy to share these with POL if required.

9.3 Please explain how you will work with POL and/or its Third Party suppliers to define operational
service requirements, including processes to track and report service levels, manage and resolve incidents,
manage scheduled maintenance and any additional maintenance required to resolve issues with a solution.

Establishing business and operational requirements is part of an established requirements management
process that has been successfully used with POL for many years and across many releases of Horizon and
SAP total solution and service functionality as well as for many of our other customers.

Using experienced Business Consultants, Fujitsu regularly engages with POL stakeholders, including third
parties, and business analysts to assess, define, refine and baseline requirements and their associated
solution response. With many years of practical experience of the POL business and with a solid foundation
of well established Horizon and SAP business applications, products and services Fujitsu already helps
POL identify the primary needs and features of new opportunities, products or potential service changes.

Fujitsu's award winning Horizon Service Desk currently provides full end to end incident management to
Post Office branches across the country. We use a Fujitsu-developed Service Management toolset named
TRIOLE for Services (TfS), which is based on ISO/IEC 20000 and ITIL v3 standards and frameworks and
incorporates Fujitsu’s Sense and Respond and Lean methodologies, to carry out incident, problem and
request management. The tool is used globally throughout Fujitsu to gain maximum efficiency and deliver
improved IT performance benefits from cross tower knowledge consolidation and all accounts’ instances are
fully segregated from each other to comply with ISO 27001.

The Post Office Account derives performance information for a number of its Service Level Agreements
(SLAs) from TRIOLE data, primarily those relating to engineering and network targets.

Due to the complexity of SLAs, such as ‘incident completed within 4 (service) hours of ticket transfer to
engineering’ combined with complex Post Office opening hours, for example ‘branch open two hours per
day Monday-Wednesday’, the account has developed an in-house reporting system which takes a data feed
from TRIOLE and filters out agreed exceptions in order to provide detailed, accurate information. This
information is then used to manage service performance across various services, for example by increasing
the number of engineers covering an area or arranging a preventative maintenance visit to a branch which
has recently raised a disproportionate number of issues.

We believe that the existing arrangements provide POL with a satisfactory operational service and have the
necessary processes to track and report service levels, manage and resolve incidents, manage scheduled
maintenance and any additional maintenance required to resolve a solution, including working with Third
Parties or other stakeholders.

For future projects Fujitsu would intend to build upon the existing services, including the Horizon Service
Desk, to ensure that current standards are maintained or bettered.

9.4 Please explain how you will work with POL and its Third Party suppliers to transition a solution into
service demonstrating that you understand some of the potential issues that may arise as part of the
transition to BAU.

Fujitsu already works with POL and has successfully transitioned many projects into service. We have
done this by using our tried and tested Fujitsu transition methodology and this, coupled with our
extensive experience of transition, including POL transitions, enables us to respond to the unique aspects of
POL’s business.

Our approach will be to manage transition through three discrete phases:

Phase 1 - Initiate

We will work with POL to finalise the objectives, scope and plans for individual transition projects as well as
setting up, and agreeing with POL, the project-specific governance and controls, in line with the programme
governance and controls set up during mobilisation.

Phase 2 - Validate

If applicable, Fujitsu will work with POL to understand the detail of how the in-scope or solution services are
currently being delivered and then, utilising that understanding, further refine the activities we will conduct
during the execute phase to transition the services. We will also validate the TUPE information, an activity
not to be underestimated, and commence activities to transfer, if applicable, any in-scope employees from
any incumbent suppliers. The validate phase will require a considerable amount of interaction with the POL
and, if any, incumbents. We will also be requesting, again if applicable, access to existing processes,
procedures, work instructions as well as some of the existing employees.

Phase 3 - Execute

This phase is about implementing the transition of the ‘in-scope’ or solution services based on the
information identified and documented in the Validate phase. There will also be a requirement for Fujitsu to
spend time with employees from any incumbent suppliers. To minimise impact on any existing service
delivery significant emphasis will be put on scheduling time with these employees around their day-to-day
activities and where possible utilising non-invasive methods, such as shadowing, for knowledge capture.

Post service commencement there will be a stabilisation period, the length of which will be agreed with
POL, that is utilised to complete any activities outstanding from transition. It will also be used to monitor the
service delivery, by way of the “business as usual” service reviews, to ensure that the services are being
delivered as expected.

Finally, after the stabilisation period, Fujitsu will formally seek approval from POL to close down the
Transition project. This will include holding a ‘lessons learned’ review with all parties to ensure that lessons
are documented and available for future projects.

Fujitsu has successfully completed many transitions each of which has had its own discrete problems and
issues, many foreseen but also some unforeseen. We believe that successful transition involves something
more than just great project and programme management and that there are a number of key principles
critical for real demonstrable success.

• Plan for the risk and interdependencies - All big projects or
  programmes have a number of risks and interdependencies and
  the key is to understand these. Transition is in many ways a
  process of discovery. There is a sizeable requirement to find out
  the ‘as is’ state, which in itself can provide surprises — but far
  better to work out exactly where you stand upfront, rather than for
  these to surface later with more damaging consequences. Only by
  getting a true, objective and comprehensive view of the ‘as is’
  service can we plan a realistic path ahead;

• Recognise what can be standardised - The detail of POL transitions
  will be unique. However, the process itself should not be a matter
  of re-invention. There are standards and best practices that can
  and must be followed. From Fujitsu’s extensive experience, we
  have recognised that there are a number of ‘components’ required
  within a transition. By documenting these, our best practice
  framework provides a tried and tested structure to a transition
  programme. This means a successful transition can be delivered
  more quickly and cost-effectively. Most importantly, the framework
  has embedded in it previous experiences and learnings — risks and
  uncertainties are lowered. This can only be achieved by adopting
  standard components, and thereby avoiding expensive, slow, risky
  and unnecessary re-invention;

• Focus on what needs to be tailored - By adopting standardised
  approaches to many of the component parts of a transition
  process, we focus resource and energy on understanding those
  little differences and nuances specific to POL. This focus will allow
  us to appropriately tailor the transition process and focus the
  outsourcing partner on the areas we need most help with.
  Ultimately, this will optimise the effectiveness of POL’s investment
  in an outsourcing partner;

• Take a partnership approach - The word partner has been used
  many times. That is because a transition is far more likely to fail if
  there is a ‘them and us’ culture. Contracts are obviously
  fundamental, but there needs to be a spirit that goes beyond this
  (from both ‘sides’) which must involve an attitude and commitment
  to making the transition a success for both organisations;

• Focus on people first, technology and process second - Despite
  typically large-scale technology and extensive process design,
  transition is ultimately about people. If people are not carefully
  guided through what is potentially a significant change for them,
  then the project can still be ‘seen’ internally as disruptive or
  unsuccessful. This requires a number of aspects: good, clear and
  transparent communication, commitments that are adhered to,
  and a genuine desire to ensure employees’ day-to-day job roles
  are actually enhanced by moving to a new employer.

• Be utterly tenacious about governance - Throughout the transition,
  there must be an agreed framework for all decision-making. This
  needs to be more than just agreed to — it needs real understanding
  and commitment. This also ensures all communication is
  transparent and streamlined — which is an area we see most often
  let down during even a well run transition. At a basic level,
  governance also ensures that transition plans and costs are strictly
  adhered to and any exceptions or risks addressed in a timely
  manner.

Each transition is unique and will raise different issues and problems. Fujitsu believes that by employing the
above principles, issues and problems will be minimised.

10.0 Delivery: Manufacturer’s Guarantee and Warranty

10.1 Please explain how you will provide a complete after sales service for manufacturer's guarantee and
warranty, including provide documents and reports to POL regarding Third Party warranties and support
POL in the identification of changes to Third Party warranties.

The key to a successful service is that there is agreement upfront about what faults the manufacturer
guarantee or warranty will cover and what happens if there is disagreement about the cause of the fault.
Our standard end-to-end process on items with manufacturer warranty is:

• The engineer visiting site checks that the hardware to be replaced is
  actually faulty to avoid unnecessary replacements and No Fault
  Found charges from the manufacturer;

• The engineer makes a record of the observed fault and any details
  required to make a warranty claim. This record is attached to the
  faulty hardware;

• The faulty hardware is returned to our warranty filter process where
  we can make a second check that the hardware is faulty and the
  fault will be covered by the manufacturer's warranty. At this stage
  we take one of the following actions:

    • Return the item to Good Stock if no fault is found;
    • 'Quick Fix' the item on the bench if allowed and more cost-effective than using the manufacturer
      warranty;
    • Send the item to the most cost-effective non-warranty repairer if a warranty claim is unlikely to be
      successful;
    • Send the item to the manufacturer warranty agent if the warranty claim is likely to be successful with
      all the appropriate paperwork.

For items that are sent to the manufacturer's warranty agent there will almost always be some warranty
claim rejections unless an all-inclusive service is purchased. Some faults are not consistently repeatable,
customer damage and misuse is not always clearly definable and sometimes items are damaged in transit.
The management of these rejections is key to all parties feeling that they have received fair treatment.

The key items to agree are that there will be gray areas on warranty claims, that a disagreement about
cause does not stop the part being repaired and available for use and that POL continues to be involved and
use their influence as the manufacturer's end-customer to ensure that warranty terms are honoured.

Fujitsu has extensive experience in this area with warranty specialists in multiple areas who deal with all the
main desktop, POS and more specialist manufacturers.

Fujitsu has one of the largest field-based maintenance team capabilities within the UK IT services market
with approximately 950 engineers operating across the UK. This team completes more than 20,000
hardware fixes per month for over 220 different customers in retail, hospitality, local and central
government, telecoms, travel, financial services, manufacturing and utilities industries.

In line with the terms of the specific purchase, Fujitsu will provide POL with the appropriate documentation
that details the warranty provided by the manufacturer.

We will also maintain an overall record of all purchases and their associated warranty entitlements. This
database of information shall be used to provide management information to POL regarding warranty
entitlements and could be used to:

• Compare warranty agreement structures between different purchases
  to ensure that POL is getting a consistent level of agreements to
  meet its business demands;

• Benchmark the price of warranty agreements against previous
  purchases;

• Provide baseline requirements for future purchases to reduce the
  effort involved in ‘standing up’ a new agreement;

• Identify when warranty entitlements are ending and allow POL to
  plan discussions around warranty extensions, estate refreshes or
  alternative support routes, thus enabling a proactive view for
  technology and estate road maps.

Fujitsu shall support POL in the identification of changes to third party warranties in the following ways:

• Through our extensive range of channel partners we have the
  relationships in place to ensure that we are informed when a
  manufacturer is proposing to amend/change the terms of standard
  warranty agreements

• Where a purchase-specific warranty agreement is put in place Fujitsu
  shall work with POL to put in place the required commercial and
  operational relationships required to manage changes to the
  agreement that are driven by either:

    • A change in POL business drivers or requirements, or
    • By the manufacturer.

• Through our extensive experience as a manufacturer provide
  recommendations to POL on industry best practice for the
  structure and provision of warranty agreements

Fujitsu shall provide this support and guidance through a combination of Service Management reviews and
notifications, as well as targeted consultancy as agreed with POL.

11.0 Direct Call Off Services: Hosting

11.1 Please explain how you will identify options available to POL for hosting a solution, including
designing and ensuring that all environments are aligned to POL Architecture, to provide a smooth transition
into designated data centres.

Fujitsu has worked with POL to establish a Joint Architecture Board, the purpose of which is to provide and
agree governance and direction in architecture and design, to ensure alignment within Post Office IT and
Change, and Fujitsu. Its purpose is also to ensure that architecture and designs are progressed in line with
architecture and strategy to realise potential synergy reuse and to identify opportunities to achieve strategic
objectives.

In the wider Fujitsu business we have extensive experience in migrating IT infrastructures, workloads and
services from customer or third party facilities into our data centres and operational control. Such migrations
often form part of a broader consolidation or business transformation project.

The migration approach is usually tailored to the specific customer business and technical drivers. These
typically include cost, time, resource, business cycles, service resilience design and acceptable downtime
windows.

The key transition stages include:

* Audit: Review of current systems and customer business requirements to specify the project scope and services affected;
* Engage: with relevant technical, service, security and 3rd parties to gather knowledge and establish a cooperative relationship around the transition;
* Assess: service, technical, business, IT risk, priorities and contingencies;
* Options: identify transition approach locations and options;
* Design: relocated solution and service architecture;
* Plan: Establish a specialist project management team and create a transition project plan including solution, service, people and security components. Significant focus is placed on the protection of customer business functions and on the continuity of service levels, including:
  * Agree a joint transition plan, with a shared risk register and acceptance criteria;
  * Consolidate system management functions to establish standardised monitoring and control;
  * Assess use of ‘swing kit’, and/or the pragmatic use of DR and/or business continuity servers to aid the transition process;
* Implement Transition:
  * Procure equipment (if required);
  * Transition workloads to lower cost environments;
  * Consolidate workloads on retained environments;
  * Relocate systems at selected data centre(s);
  * Enforce Configuration and Change Management to maintain integrity and control;
  * Take on people, capabilities and management responsibilities as appropriate;
* Acceptance Test: unit, integration, security, failover, user acceptance testing against agreed criteria;


* Post project review and Handover to Fujitsu operational service.

By working with the POL on the above stages and understanding the current environment and the “to be” environment, a number of options can be identified, discussed and agreed. These options can be based on cost, time, resource, business cycles, service resilience design and acceptable downtime windows or any combination of these.

11.2 Please explain how you will ensure that solution availability is monitored and reported regularly against KPIs and defined service levels. Include detail on your processes for identifying and resolving problems with performance.

As an ITIL and ISO/IEC20000-1 conformant supplier, Fujitsu is experienced at deploying and managing a conformant Availability Management Process for POL. An overview of our availability management process is illustrated below:

[Figure: Manage Availability Summary Diagram, Steps 1-8, showing the Process Steps against the Project Phase of the Customer Solution Lifecycle (CSLC). Recoverable step labels: 1. Identify Availability Requirements; 2. Design the Solution; 3. Propose & Agree the Solution; 5. Build & Validate the Solution; 6. Monitor & Alert; 7. Report & Review.]

Fujitsu's Availability Management Process Overview

Fujitsu's Availability Management Process will be used to ensure that services are available to POL as agreed. It does this by assuring the capability of both the IT infrastructure and the supporting organisation to deliver a cost effective and sustained level of availability that enables the business to satisfy its objectives.

The scope of the Availability Management Process covers the design, implementation, measurement,
management and improvement of IT service and component availability. The process does not cover those
elements covered by our security policy although there are strong links between the two processes. The
security elements of availability are covered in the security policies and processes and also in the Post
Office Account specified policies and processes.

Availability management commences as soon as the availability requirements for an IT service are agreed
with POL and interested parties. It is an ongoing process, finishing only when the IT service is
decommissioned or retired.

The aims and objectives of Fujitsu's Availability Management Process are:


* There is a documented manage availability process, a procedure and an availability plan;

* Availability requirements will be identified and agreed with POL and interested parties;

* Fujitsu will document the requirements within the availability plan to reflect the current and future needs of POL and/or interested parties;

* The POL agreed Availability requirements will also include the following criteria:
  * Access rights to services;
  * Service response times;
  * End to end availability of services;
  * Service level agreements;
  * Risks to services and targets;
  * Definition of downtime;
  * Service restoration;
  * Report production;
  * Backing up the service and frequency.

* Fujitsu will create, implement and maintain the availability plans;

* Changes required to the plan or new services will be managed and controlled in accordance with Fujitsu's change management process;

* Fujitsu will assess the impact of all changes to the availability plan, in particular performance and the capacity of all services and resources;

* Fujitsu will ensure the availability plans are tested against the availability requirements and the plans are retested after major changes to the service environment in which POL operates. Actions and results from the test will be recorded and, where deficiencies are identified, reviews will be conducted after each test and actions to report on the actions taken;

* Fujitsu will ensure the agreed POL service availability achievements meet the agreed targets by managing the services and resources related to availability performance;

* Fujitsu will continually monitor, measure, analyse, report and review service component availability, compare it with the agreed target and, where service components are unavailable, instigate remedial actions;

* Fujitsu will ensure proactive measures to improve the availability of services are implemented wherever it is cost-justifiable to POL and/or interested parties;

* Fujitsu will assist with the diagnosis and resolution of POL availability related Incidents and related Problems;

* Fujitsu will provide advice and guidance to all other areas of the business and IT on all availability-related issues.

With respect to Problem Management, Fujitsu recognises that the management of problems is crucial in
order to identify the root cause of multiple Incidents and to pro-actively prevent Incidents occurring. We
follow the ITIL approach to the management of problems and within the Fujitsu TRIOLE for Services
methodology have developed a proven repeatable solution for its delivery.

Please see our response to question 12.2 for more detail on the Fujitsu Problem Management process.


12.0 Direct Call Off Services: Application Maintenance

12.1 Please explain how you will provide application maintenance services for POL solutions, including
how you will work with Third Party suppliers and Sub-contractors to undertake root cause analysis and
present options to resolve problems.

Fujitsu currently provides the following application maintenance services which form part of the Application
Support Service (Fourth Line) agreement on the current HNG-X contract with POL. This support includes:

* Software configuration management
* Document management
* Development management
* Testing of Application Support Service (Fourth Line) bug fixes prior to release distribution into the live estate (including management, design, validation and integration)
* The management of updates to Fujitsu Services' third party products including the procurement of third party hardware and software maintenance for the HNG-X service Infrastructure
* The management of Fujitsu’s internal hardware and software requirements; and release distribution support

Fujitsu will manage the problem management process across all agreed service desks, suppliers and third parties. Fujitsu will own the definition of the policy and processes and ensure compliance by all parties who are participating in the fulfilment of the process. During transition Fujitsu will establish the appropriate governance stakeholder bodies with the defined POL and supplier representatives, and will:

* Review the existing policies, processes and use of toolsets to understand the current capability, map against Fujitsu’s standard process and procedure, whilst identifying specific drivers for the process, for example ITIL conformance and the move to a ‘lean’ approach;

* Define and agree the proposed process policy, processes and procedures, including the ‘touch-points’ to other key service management processes with POL’s suppliers and third parties. Define the governance body and the nominated representatives from all parties actively involved in the problem management process to review potential changes including process improvements;

* Implement a set of designs for:
  * Problem management policy including compliance, monitoring and review, escalation, training and support;
  * Definition of priorities and impacts / urgency, a major Incident;
  * A contacts list for all organisations delivering services and systems who will be impacted by and support the problem management process;
  * Updated processes that define the high-level process, roles and responsibilities;
  * The error management module is part of the problem management process from a formal root cause analysis (RCA) approach.

* Define, design and document a technical solution for problem management toolsets. This will comprise Fujitsu's TRIOLE for Services product. The design will incorporate technical interfaces to other required tools such as incident management and reporting. In particular, Problem management will need to be able to analyse trends in Incidents to identify common underpinning root causes.

Once agreed Fujitsu will take responsibility for deployment of the new solution and:

* Deploying the new process and procedures, including briefing of all impacted staff in POL, suppliers, third parties and toolset interfaces, for example incident and configuration tools

* Establishing the organisation to manage and operate the problem management capability:
  * Fulfilment of the requirements of the communications and training plan;
  * Implementing and populating the toolset;
  * Managing the agreed escalation process;
  * Monitoring process compliance through review and measurement of the process and associated procedures;
  * Reviewing potential improvements and / or non-compliances within the process with the stakeholder group.

The objectives for this process will be to ensure:

* All services and SLAs are maintained by use of the standard templates to support POL with OLAs and/or Underpinning Contracts;

* The business and user satisfaction meet the changing business needs reflecting the internal, external agreements whilst ensuring service quality is continually measured, improved and recognising the need for business and user satisfaction;

* The problem resolver groups have the responsibility to accurately diagnose, resolve Incidents, problems within SLA, deal with changes in accordance with the change management process;

* The knowledge manager has the responsibility to manage the knowledge base used by the problem management (and error management) processes. This will include the known error database that can be used by all authorised personnel.

The principles of this process will be to:

* Monitor the process compliance through review, measurement of the process along with the associated procedures including resolution of all problems across the different suppliers and functions

* Ensure that new problems are informed to the Service Desk and from there to agreed parties with the inclusion of Major Problem reviews. Lessons learnt, work-arounds and trends and agreed reports, as a minimum reported monthly

* Review potential improvements and / or non-compliances within the process with the stakeholder groups including any proposed improvements escalated to the Service Improvement Process (SIP), a key success of the service.


Listed below is an example of where Fujitsu has worked with POL and third parties in order to undertake root
cause analysis and present options to resolve problems.

Fujitsu - POL - Logica - IBM

Fujitsu maintains the infrastructure and owns the relationship with IBM. Logica are a third party of POL’s,
and are responsible for maintaining the application.

On this occasion, an issue within the software resulted in the need for joint party working to resolve the
issue. This was managed end to end by Fujitsu through the problem management process, with regular
updates and weekly meetings with POL to ensure that they were kept fully informed of progress and
resolution.

Post Office IT & Change Reference: POL172


12.2 Please explain how you will support POL in identifying the impact of changes when undertaking
application maintenance, including detail on the documentation you would expect to provide to POL and
how you will work with POL to minimise the risk.

For every application maintenance change affecting live service, a Managed Service Change (MSC) record
will be provided to POL describing the change and requesting approval to proceed.

The MSC documentation includes a non-technical overview of the change, a justification for the change, details of the platforms affected, the proposed date, time and duration of the change, and the regression path and duration period for regression. The services affected by the change and the timing and extent of any impacts to live service are described as accurately as possible.

We will work with POL by supplying the MSC documentation seven days prior to the change (where
possible) in order that POL can provide sufficient notice to any of their customers and suppliers that may be
impacted. In addition we will provide an initial assessment of the risk and a recommendation where
additional POL testing, for example using Model Office, may be appropriate.

The initial risk assessment may be modified by further assessment by Fujitsu support teams, and in the twice weekly Fujitsu Change Approval Board (CAB). On request, a CAB will be held with POL to allow further discussion of the change and the associated risk and whether it can be mitigated further.

In addition to the established process detailed above, Fujitsu will also review the proposal against the current High Level and Low Level document and other Infrastructure and/or service documentation which may identify previously unidentified risks. When reviewing proposed changes the Fujitsu subject matter experts will also review the latest patches that have been proposed and review their applicability.

Fujitsu succeeds by managing risk throughout its business and the value chain. We proactively anticipate
and manage the major risks to our objectives, and those of our customers, to help us deliver impeccable
service and to achieve the expected business results. To be successful requires everyone to be risk aware.

The Manage Risk Process, by which a Risk Plan is created and maintained, is mandatory for all bids,
projects and services. Risks identified in MSC will be captured in a Risk Plan that is pertinent to the specific
application maintenance. The Risk Plan, for each risk, will state:

* Description of the risk;
* Owner of the risk;
* Causes - reasons why this risk may occur;
* Containment Actions;
* Detailed Progress;
* Impact of the risk to POL;
* Impact of the risk to Fujitsu;
* Impact of the risk to 3rd parties;
* Fallback Actions;
* Probability;
* Closure Statement.

Fujitsu’s Risk Management process is a constituent element of the company’s Business Management System (BMS) - an inter-related set of policies, processes and accompanying assets that are managed to maintain conformance with a number of external standards, models and codes of practice, verified by accredited third party registration bodies. These include ISO9001:2000, ISO/IEC20000, ISO/IEC27001, CMMI Maturity level 3.


Fujitsu’s approach to Risk Management endorses Commitment 7 of the Intellect IT Supplier Code of Best Practice to ‘rigorously identify, analyse and manage risks and seek to agree solutions with the customer that offer the best ownership and risk mitigation strategy’ supporting a professional approach to the joint consideration of risk with customers.

Our approach to risk is illustrated below:

[Figure: cycle diagram of the risk process. Recoverable labels: Assess Customer and Fujitsu objectives; Assess the Business Environment (e.g. Business Situation, Stakeholders, Expectations, Corporate Responsibility); Identify the risks; Prioritise Risks; Assign Fujitsu owner; Plan all impacts; Identify Proactive Responses; Identify Reactive Responses; Determine Cost of Threat; Include cost in budget; Contingency; Implement Actions; Review.]

Fujitsu's Process to Manage Risk

Our processes in identifying the impact of changes when undertaking application maintenance, including detail on the documentation we will provide to POL and how we will work with POL to minimise the risk are based on existing proven methodologies.


13.0 Direct Call Off Services: Programme/Project Management and PMO

Please explain how you will:

13.1 establish a project and programme management office to control the delivery of
projects/programmes on behalf of POL, ensuring that regular progress reports are produced to track:

* expenditure against budget
* progress against milestones
* deliverables and other agreed outputs

Fujitsu proposes the use of the existing programme management office (PMO) within the Fujitsu Post
Office Account team to control delivery of in-scope projects. This will provide POL with experienced, low
risk, and trusted resources to deliver future projects.

As a result, expenditure reports, milestone reports and expected deliverable reports will be produced from within that team and will follow the format, structure and detail of those that are already agreed and produced for existing Post Office-Fujitsu projects.

The reports will be produced by the assigned project manager and will have the input from several sources
such as commercial, technical and project delivery. These reports will be produced weekly, monthly or at
the end of each project stage dependent upon the needs and priority of the project. In all cases the format of
the reports will be agreed with the POL.

Escalation and contact points will be within the PMO team, with resources being pulled in from the wider
Fujitsu capability as and when required to provide POL with the assurance that suitable resource(s) will be
‘on tap’ as required.


13.2 define, agree and embed governance procedures that complement POL processes and align with POL's existing governance boards

Fujitsu will utilise the existing PRINCE2 and ITIL based governance processes and procedures that are already aligned with POL’s governance boards. The Fujitsu approach to project management (Manage Project) is aligned with PRINCE2 and Fujitsu PMs are trained and accredited in PRINCE2. This is to ensure a ‘critical mass’ of project managers are available so as to allow for a cost-effective, rapid start up, re-use of expertise and experience and also to provide project teams that understand POL’s needs and culture.

These procedures will ensure the appropriate level of engagement and involvement at all levels within the
Fujitsu/POL partnership.

Specifically, regular checkpoints and meetings will be followed according to the schedule below.

| Project Meetings | POL and Project Team Meetings |
|---|---|
| Weekly individual project/release checkpoint | Weekly individual project checkpoint meeting with POL PM - using extract from weekly slide pack used in the Internal checkpoint |
| Fortnightly programme level review (Future Releases Board) | Weekly progress update (informal) with POL Senior Management |
| Monthly Internal Programme Board | Monthly Joint Programme Board |
| Monthly Finance Reviews | Monthly Resource Meeting with POL (Demand Planning Forum) |

In addition Fujitsu generates, for each project, reports and processes that feed into the designated joint
programme board.

As with all reports and governance boards these will be agreed/confirmed with POL before any projects are
started.

13.3 plan and deploy project teams to deliver transformational change within POL for:
a) projects with a value of up to £500,000

b) programmes with a value of up to £10,000,000

Fujitsu will use the same processes for both projects up to £500,000 and up to £10,000,000. This will ensure each project is run with the same degree of quality and accountability regardless of cost. In general terms it is not the value of the project, but its complexity that will define how many resources, stages, reports and reviews a project will generate and require. Fujitsu utilises a process to tailor the project approach and processes where necessary to the needs of the client and to reflect the scale and complexity of the projects being undertaken, in line with PRINCE2 principles. Tailoring is a key element within Project StartUp (Initiation) and helps to ensure that the correct and reasonable level of management and governance is applied to the task, recognising that one size does not fit all.

For example, a large rollout of a single product in a single location may cost £9,000,000, but is actually
easier to manage than a smaller multi-tower, multi-region project and so would potentially require fewer
project management resources.

It is during the start-up (SU) phase that the requirements of the project will be defined and which steps, if
any, may need additional focus. Also the start-up phase will define the resources needed to deliver each
stage of the project and these will be requested and supplied as per the existing and proven Fujitsu-POL
resource process.

The management of these teams will reside within the Fujitsu PMO and, dependent upon the requirements of the project/programme, one or a number of qualified project managers will be established to support the project. These teams will follow Fujitsu’s Programme and Project Management PRINCE2 and ITIL methodology through to delivery and final acceptance where the project will be handed over to service delivery.

13.4 manage risks, issues, assumptions and dependencies effectively to minimise any potential impact
on delivery and ensure a comprehensive record of how issues are resolved throughout the lifecycle of the
project.

Risk management is a key component of Fujitsu's project management process. It follows the overview
illustrated (also described in our response to Question 12.2).

Firstly, identification discovers what the potential risks, assumptions, issues and dependencies are. These are usually collated using a risk checklist which includes their categorisation and an estimate of the impact. This is then fed into the subsequent steps and included in the risk register.

The risks, assumptions, issues and dependencies are then evaluated and where appropriate assigned an impact and probability which are entered into the formal Risks, Assumptions, Issues, Dependencies (RAID) log which forms part of the overall risk profile, a measurement of the severity and likelihood of the risk in the project or solution.

Identifying these risks, assumptions, issues and dependencies at this early stage will allow the project team to develop mitigations to the risks, confirm or otherwise the assumptions and dependencies with the project owner, and resolve the issues, the last being confirmed with the project team as being resolved or, if not, moved to the risk register. As well as risk mitigations, risks are allocated a “probability of the risk occurring” and a contingency value associated with that risk.

Fujitsu believes that risks should be allocated to the party best placed to manage the risk so in some instances risks may be transferred, with their agreement, to another party to manage, for example a sub-contractor, third party or customer.

Once these stages have all been completed and the RAID populated, the risks and dependencies need to
be managed and this is performed in the following steps:

* Plan and resourcing - Details what and who is required to mitigate the risk or resolve the dependencies. This is typically tracked from within the overall project plan;

* Verification of the assumptions, or acceptance of them - This will often use, for example, subject matter experts, customer resources and third parties, to ensure the assumptions do not affect the project in adverse ways;

* Monitoring and reporting - The continual process of validating the risk/dependency, checking its progress and then feeding those updates back to the project team via the RAID.

The above process is part of Fujitsu’s best practice in identifying and managing risks, assumptions, issues and dependencies. In this way Fujitsu will ensure that risks, assumptions, issues and dependencies are correctly managed to a timely and structured process.


13.5 establish and maintain project change control to effectively govern changes requested throughout
the project/programme, including but not limited to, changes to scope, timescales, benefits and budget

A key role of the project manager and their team is to manage changes as and when they occur within the scope of the project. This change control and configuration management (CM) process details how each proposed change is to be categorised and managed. The types of change this process will manage are:

Request for change (RFC) - Which comes from the POL or end user and is a request to change one of the project baselines in some way. Since all RFCs are a change to what had been originally agreed, it is normally the project board alone who have the authority to agree such changes.

Off Specifications - These detail some aspect that should be provided by the project, but currently is not,
or is forecast not to be, provided. This might include products or deliverables that are missing, or a product
not meeting its specification or quality criteria.

Once the type of change has been agreed, it will be subject to the below process:

* Whenever a change or issue is raised, it will be categorised and prioritised and then entered in the issue/change register.

* An impact analysis will be carried out, and will normally involve subject matter experts as well as the project manager. Typical topics of impact analysis are:
  * Time
  * Cost
  * Quality
  * Scope
  * Business Case
  * Benefits
  * Risk

* The change or issue should be prioritised, first, by the originator, and secondly, after impact analysis. It is important when carrying out the above impact analysis, that representatives from the project business area, the users of the end products, and those who are supplying resources to the project are fully involved so that a balanced decision can be reached.

* Having understood the full impact of the change or issue, the next step is to consider alternative options and propose the best actions to take in order to resolve the issue or implement the change. A balanced view is needed and consideration should be given to the effect of all these options on the project's duration, cost, quality, scope, benefit, and risk performance targets. The advantages gained should be balanced against the impact of implementing the issue or change.

* A decision is now needed on whether, or not, to implement the change or issue. For a request for change, this would normally need escalating to the project board for their decision, whereas an Off-Specification may be decided by the project manager if they have sufficient authority. Alternatively this can be referred to the project board.

During implementation, the project manager will ensure that its status is reported to the project board up to
the point when the issue or change has been fully implemented.

13.6 manage and work with Third Party suppliers and/or sub-contractors to deliver solutions on behalf of
POL defining and maintaining clear lines of responsibility, clear and regular communication across all
parties and ensuring delivery against agreed timescales.

Fujitsu has decades of experience in managing third parties on behalf of its customers and ensuring that
they deliver what is required, when it is required and to the desired quality. For the POL, management of
third parties will be owned and performed by the existing Fujitsu PMO. During the project phase it uses the
techniques below to ensure success in delivery.

Firstly Fujitsu will ensure a suitable contract is in place between it, the POL and the third party. This ensures
both legal and commercial protection for all parties. This contract typically concentrates on the following
clauses.

* Definitions - This ensures all parties agree on the meaning of the various activities and objectives and have a common point of reference;

* Process and procedures - This focuses on what procedures, reporting and governance processes are to be put in place;

* Documentation - This determines the content, format and standards of detail required from the project or agreement;

* Witnessing - This outlines the management and checking processes of each stage of the project or delivery;

* Milestones and stages - This will detail each milestone or stage, along with when it is expected to be achieved and what the acceptance criteria are for each milestone or stage.

In addition to the contract, Fujitsu expects the third parties to deliver a number of overall reports on a regular
basis so that progress against time and budget can be managed and tracked. These reports can include
reports on testing, overall progress reports using a red, amber, green (RAG) dashboard format, regular
updates to the risk register (RAID plan; see our response to question 13.4 above) and updates to any other
associated documentation.

When these reports are received they will be reviewed by Fujitsu and the third party, with the POL being
involved if required in order to provide a go/no-go decision, provide additional detail as to the contents of the
reports or agree on any mitigation or exception actions.

At the end of each stage, Fujitsu and, if required, the POL will sign off on the third party's deliverable(s) and
any milestone payments etc. due to be paid.

The process of report, review, sign off will continue until final acceptance of the project into steady state.

In order to facilitate a speedy, ‘light touch, low cost’ project delivery method, management
of the third parties will be mostly by exception. By ensuring the regular updates and reviews are performed
and agreed, issues and risks can be identified and mitigated early before they start to have any significant
impact on cost, quality and timescales of delivery.

Fujitsu currently manages several third parties for the POL and the overall process is not expected to
change from this proven one and indeed may not need new contracts, tools or processes to be developed.
Any changes that are required will be agreed with the POL before implementation.


14.0 Delivery: Project Closure

14.1 Please provide what you consider to be the key elements of project closure and provide a case
example of project closure reports and any associated documentation.

There are a number of key elements to project closure. The level of detail and sophistication of each is
dependent upon the size and complexity of the project(s). However in all projects the key actions involved
in project close-out are (also described below):

• Identify lessons learnt;
• Reviewing and documenting the project (including the Project
Closure Report);
• Archive project records;
• Disburse resources.

Identifying Lessons Learnt - These are identified, discussed and recorded in a “Lessons Learnt
Workshop”. This workshop can be an informal gathering of the key project people or a large, formal meeting
including: the project team, stakeholders (internal and external), executive management, supervisors and
operations staff. The output from this workshop will be included in the Post Implementation Review report.
The output will also be shared across our professional communities (anonymised if necessary) as part of our
continuous improvement culture for future projects. Our response to Question 14.3 describes our lessons
learnt process in more detail.

Reviewing and Documenting the Project - There are several elements of project documentation that will
be covered, i.e., Project Closure Report, Post Implementation Review Report and project data archiving.
The success factors (in terms of outcomes) of the project will already have been defined at the early stages
of the planning process and these will be reviewed to determine whether, or not, these have been achieved,
and to what degree. There may also be other factors which need to be reviewed, including (but not limited
to):

• Did stakeholders view the project outcomes in a positive light?
• Was the project completed on time and to budget?
• Was the project well-managed (from both an internal and external
viewpoint)?
• Was there clear direction from the management team on what was
required?
• Did team members work well together?

The Project Closure Report is a document which formalises the closure of the project. It will be prepared by
the Project Manager and presented to POL or the project sponsor for formal sign-off that the project has
indeed been completed to their satisfaction. It will also contain input sought from the entire project team,
POL and/or end-users and other stakeholders.

The Project Closure Report also provides confirmation that the project has met the success criteria and
specifically a Project Closure Report will include:
• A formal list of completion criteria and confirmation that each criterion
has been met;
• A list of outstanding business activities, risks and issues;
• A set of closure actions, for example hand over
deliverables/documentation, terminate suppliers, release
resources;
• A formal project closure request.

When the project activities have been completed, a Post Implementation Review will be undertaken to
measure the success of the project and record lessons learnt for future projects (again described in the
answer to question 14.3).

Collecting and Archiving Project Data

Following delivery of the Post Implementation Review Report, the project database will be archived.
Building a repository of past projects serves as both a reference source and as a training tool for our project
managers. Project archives can also be used when estimating future projects and in developing metrics on
probable productivity of future teams.

Typically, the following project data is archived:
• Post Implementation Review Report
• Project Plan
• Project Management Control Documents, for example correspondence,
relevant meeting notes, status reports, contract files, technical
documents.

Disbursing Resources - There are additional smaller tasks that must be completed to physically close the
project. These might include, for example completing any outstanding paperwork, filing required reports,
briefing anyone who needs to be briefed, clearing project rooms and returning any equipment borrowed or
leased.

Typically a closure report will be 5-15 pages long (and hence inclusion will breach the response page
restriction). However an example of a project closure report completed recently for Santander Bank
contained reports on the following areas:

1. Project Summary
1.1 Baseline Requirement - A brief description of the scope and requirements
2. Management Review
2.1 Achievement of Objectives - What the success criteria were
2.2 Financial Profile - An overview of and measure against the business case
2.3 Schedule, Planning and Estimates - A report on how the project did against milestones and
objectives
2.4 Contractual and Commercial Summary - Any commercial or legal issues encountered
2.5 Customer Relationships - Suggestions and a report on how relations were maintained or improved
2.6 Third Parties - Report on the quality of third party input and deliverables
2.7 Quality - Were the quality objectives achieved
2.8 General Impact of Change - The overall impact of the
2.9 Issues, Changes and Off-Specs - What was changed from the original scope and specification and
why
2.10 Residual Issues and Risks - Any risks or issues that should be carried on after the life of the project
2.11 Agreed Follow-up Actions
2.12 Lessons Learnt - See response 14.3 for an example
3. Technical Review
3.1 Solution - Was the technical solution changed and what was different
3.2 Engineering Model(s) - Any changes to the support model
3.3 Performance - How did the solution perform against specification and design
The full report is available for examination should the POL wish to view it at a later stage.


14.2 Please explain how you would define, agree and undertake a post implementation review.

Fujitsu's best practice in post implementation reviews is to hold a Lessons Learnt Review at the end of each
stage of the project so that any lessons learnt, good and bad, can be integrated into the next stage if
required or incorporated into the plans for the next project.

At the end of each stage the following will be developed and produced by the project manager:

• End Stage report - The project manager will provide the POL and the
PMO with a report summing up the final stage costs, information
pertaining to the quality of the deliverables and any issues to carry
forward into the next stage.
• An updated business case - The project manager will update the
business case with new costs, estimates and a report on the levels
of risk. This is to ensure the business case is still valid and
remains appropriate.
• An updated risk log - The project manager will update the risk log
and check if the level of risk is still acceptable and that the
mitigations in place are still valid and viable.
• A review of the plan for the next stage - This is a ‘go, no-go’ review
which considers if the next stage should be proceeded with as
planned or if an exception plan should be generated. An exception
plan is a replacement for the next stage’s plan that replaces the
out of date one and that corrects the issues outlined in this review.

At the end of each project, the following will be produced by the project manager:

• End of Project report - This report will outline to POL how the project
went, and provides information on final costs and benefits already
realised;
• Post Project review plan - This sets down who will measure the
benefits after the end of the project, how, when and who reports
back to the project sponsors. This plan also defines the agenda,
contents and scope of this report;
• Lessons learned report - This report details what has worked well,
what went wrong and how future projects can benefit from the
experience gained. This report is circulated via the project
manager to the Fujitsu PMO, POL management and to the
appropriate project sponsors;
• Follow on Actions and recommendations - This details what actions
are required following the project and could include: proposals to
change the project management process, rationalisation of
reporting and project templates. These recommendations will then
be discussed and agreed via the Fujitsu PMO and Post Office
management.

At this stage the project will be formally closed.


14.3 There will be an emphasis on capturing lessons learned from panel vendors. Please describe your
lessons learned process and provide a case example of a lessons learned report.

As an integral part of project closure Fujitsu will always host and run a “Lessons Learned Workshop” which
will be facilitated by the existing Fujitsu PMO. The review will include the project sponsor, the project
manager and any other attendees that have played a significant part in the project. The output of these
reviews will be condensed into a lessons learned document that will be shared across our professional
communities.

The lessons learned document will contain information about all the project life-cycle processes but most
importantly the “executing and controlling” processes. Process improvements, communication
failures/ambiguities/misunderstandings, or any other information that may help improve the performance of
the next project will be noted here. Typically the lessons learned document will include (but not be limited to)
the following:

• How the project management processes were used throughout the
project and how successful they were in planning and tracking
progress;
• How well the project plan and project schedule reflected the actual
work of the project;
• How well the change management process worked and what might
have worked better;
• Why corrective actions were taken;
• Causes of performance variances and how they could have been
avoided;
• Outcomes of corrective actions;
• Risk response plans that were implemented and whether, or not,
they adequately addressed the risk events;
• Unplanned risk events that occurred;
• Mistakes that occurred and how they could have been avoided (no
blame should be attached to a person or group, simply the
processes used);
• Team dynamics, including what could have helped the team
perform more efficiently;
• Anything else that would improve the next project undertaken.

The lessons learned document will be stored in a shared knowledge database with all the other project
information. It will also be available to our professional communities for their information as part of our
continuous improvement culture. One of the first items the next project should review is the
lessons learned document.

The lessons learned document will also feed into a Post Implementation Review Report which documents
the history of a project and provides a record of the planned and actual budget and project schedule. It
should also contain recommendations for other projects of similar size and scope. The Post Implementation
Review Report should (but not be limited to) document the following analyses:

• Project organisation including staffing and skills;
• Schedule effectiveness;
• Successful risk assessment and mitigation techniques;
• Processes used for change control, and quality management;
• Techniques used for project communication;
• Techniques for handling customer expectations;
• Success factors and how they were met;
• Financial data - planned and actual;
• Lessons Learnt (from lessons learnt workshop);
• Recommendations to future project managers.

Again the document will be available to our professional communities as part of our continuous
improvement culture.

Typically a Lessons Learnt document can extend to many pages (and hence inclusion will breach the
response page restriction). However an example lessons learned overview is illustrated below. A more
detailed document is available on request.

Ref | Learning Point | Raised by | Changes From Plan | Contributing Factors | Action | Action owner
Requirements/Design
Customers SAP
requirements not as
sea [lockottroceapnty I) I peraton Requirements I 6 coy
difficult to do formal P (SAP) traceability in
acceptance and Blueprint
disputes about faults
vs change
Ensure
adequate
allowance is
made for
Time ‘fo establish Major areas of new work I Requirements
‘a FOOG - which are not driven by I stage anda
LR-2 I longer than expected I J Soap " C Cole
for some of the GWSs a clear business gateway
requirement checkpoint
changes 4 included in the
plan before
progression to
the next stage
Planning
During estimating and Ensure
planning customers SAP I customer
Customer SAP and operat and infrastructure was resources are
start of project management and impacting and
communication was not I planning is done
as good as required jointly
Development/Test
FOOG - Risk accounted for in
Data CP Impacts from the A means of
Persistenc I degree of perceived eeiuncertaint
Development spending J e uncertainty did not ‘as part of
uD-1 wwere significantly under Harriso I FOOG - materialise. Was not on C Cole
impacts n Script from I evident form the Impact shot He
a Script how much was ‘normal’ included in the
FOOG - confidence impacting rocess
Encryption I and how much pr °
represented risk.

15.0 Direct Call Off Services: Business Change

15.1 Please describe your stakeholder management approach across the end to end project lifecycle and
the tools and techniques deployed and provide,

a) a case example of a stakeholder management strategy

b) a case example of a stakeholder management plan

Fujitsu has a long history of providing IT solutions comprising hardware, software, network and applications
to a wide range of customers in such diverse environments as retail, telcos, travel, banking and
government. Our approach combines best-in-breed standards, whether vocational, technical or security-
related, with experienced award-winning project and service management teams, to ensure that solutions
are designed and delivered in close collaboration with our customers, partners and suppliers.

Specifically Fujitsu has over 60 skilled Business Change and Transformation consultants in the UK. A major
area of their expertise is stakeholder management and communications. For POL, Fujitsu will develop a
stakeholder management strategy in support of individual project plan(s). The strategy will include aims,
objectives and KPIs, as well as setting out principles, house styles, and channels for communication.

The strategy will drive a stakeholder management plan and it will set out activities that will be undertaken in
a specific period, with a detailed calendar of activities and interventions. These activities will need to focus
around ensuring that stakeholder groups are identified, engaged and communicated to in a way appropriate
to them and that meets the governance needs of the project(s).

Fujitsu will make use of its own proven Change Management, Engagement and Communication toolkits.
These toolkits have a comprehensive range of collateral. However, we anticipate developing and making
use of tools for POL that, whilst based on our experience with a range of customers, will be specific to POL
and the particular context of the IT Solutions Framework.

Typically, our toolkit would include:
• Stakeholder analysis tools
• Temperature and commitment measures
• Communications Plan templates
• Organisational Readiness Assessment
• Alignment maps
• Event management and facilitation guides
• Awareness surveys.

Engaging effectively with groups of employees throughout a project lifecycle is a continuous process. We
will provide tools and templates for Fujitsu and POL to monitor and measure both the effectiveness of the
communications and the success of the approach to engagement. Typically, this would be measured based
on stakeholder feedback on the relevance, clarity and understanding of communication alongside
demonstrable evidence of change adoption and ownership.

As shown in the diagram below, the stakeholder management process is repeated on a regular or
event-driven basis throughout the project to build stakeholder support and commitment.


This is an iterative process that will continue throughout the project.

[Diagram: process flow across the phases Analyse and Implement, with the steps Identify Key Stakeholders, Understand Key Stakeholder Issues, Plan Key Stakeholder Activities, Define Key Messages and Execute Stakeholder Management Plans]

Fujitsu’s Stakeholder Management Process

We adopt this style of approach with most of our clients, or alternatively we can adopt their preferred
in-house approach, should one be in place. HPC Wales is a good example of where Fujitsu developed a strong
stakeholder management plan. HPC Wales has a very complex stakeholder structure due to the network of
HPC nodes providing a distributed service to all the colleges and universities in Wales, as well as
bureau/outreach services to wider industry throughout Wales. All these potential stakeholders needed to be
taken into account when developing the plan to ensure that the project was a successful one.

Fujitsu’s approach to tailored stakeholder management is further demonstrated by our work with the Ministry
of Defence. We took our toolkit and then implemented stakeholder engagement and communications
frameworks appropriate to the customer's organisation. This included a stakeholder engagement and
communications strategy and plan, and appropriate communication channels and activities such as
workshops, briefings, web portal creation, newsletters, presentations and promotional events. We also
ensured feedback loops and evaluation of engagement effectiveness through surveys, interviews and
questionnaires.

Fujitsu’s commitment to working with each client in order to tailor a plan appropriate to their business, while
continually evaluating and tuning from real-life experiences, ensures that our process is responsive and
effective.


15.2 Please describe your approach to communicating project related messages to a diverse audience
such as exists within POL outlining how you would tailor the style/format to ensure key messages are
disseminated effectively and any feedback mechanisms you would employ

In order to share key messages with our customers, Fujitsu takes an open and honest approach to
communication. Our long-term service and project relationships, including that with Post Office, ensure a
common understanding of the current project status, future objectives, and possible developments for our
client. In order to communicate messages effectively, we define and document requirements jointly, hold
joint programme boards to agree acceptance gateways and share risk and issue plans. Throughout the life
of a project, boards and updates are held with the frequency and audience justified by the scope/size of the
project, with key messages tailored to the respective audiences to ensure the fullest possible understanding
of the project status.

Over the past 16 years, Fujitsu’s relationship with POL has been strengthened by consistent, comprehensive
communication about the status of the various projects and services. We communicate openly with the
various diverse teams, such as the Chesterfield cash teams, the Dearne Service Management teams, and
the London project management community, as well as with other stakeholders such as the National
Federation of SubPostmasters. Communication is tailored to the recipient to ensure the best possible
understanding of the message, such as the level of detail and technical descriptions of issues or successes.

Our proven and tested methods of communication with Post Office should promote confidence in Fujitsu’s
systems.

Fujitsu will specifically seek to identify communications channels for specific stakeholders that will be
required, based upon an assessment of their effectiveness. Typically we would expect to use channels and
media such as newsletters, direct mail (where appropriate), posters, emails, DVDs and team meetings to
cascade information. Whatever the channel or media, this will be agreed with the appropriate stakeholder(s)
before being introduced.

The engagement of POL managers and their staff can be tested for the most appropriate mode of
communications but we recognise that this may change over time as individuals and teams move from
awareness of a project, to an understanding of, and then support for the project, to their involvement and
commitment. Additionally the mode of communication may change as the project progresses, for example
from early stage communication to (say) management to later stage communication to (say) end users.


15.3 Please describe your training approach and associated channels/tools that will ensure that the
training your project requires are effectively deployed to a geographically diverse user base. Please include
the method you would employ to measure both the deployment and effectiveness of the training

Fujitsu has experience of training end users in a wide range of environments, from banking to government
to hospitality, with a variety of training methods such as DVD-based walkthroughs, individual trainer-client
sessions and train-the-trainer. Within the Post Office Account a number of projects and services have been
delivered to end users with appropriate training from various different sources, for example the Epson
Counter Printer rollout (2005) with installation engineers training individual Post Masters; the Horizon Online
(HNGx) application rollout where Post Office's Horizon Online trainers attended individual branches; and
the Self Fix proof of concept project, where engineers spent two hours at each office to train Post Masters.

Throughout these projects the delivery method was tracked to measure its
effectiveness, through sign-off sheets, customer satisfaction surveys and analysis of the incidents logged by
the sites involved. Deployment tracking by scheduling teams is a vital part of any project to
ensure accurate analysis of the benefits gained or issues uncovered by new functionality or equipment, and
especially to ensure that the whole estate is reached; this is particularly important with the POL estate, due to
the size and geographic dispersal of Post Offices and accessibility issues, such as the availability of ferries
or air transport to islands.


16.0 Direct Call Off Services: Quality Assurance
16.1 Please describe your project Quality Assurance approach

Fujitsu's Post Office Account team manages both Fujitsu's and POL’s Quality and Compliance needs
through a Quality and Compliance Framework, which identifies key areas needed to ensure it meets the
obligations of these stakeholders and that they are planned, operated, managed, monitored and reviewed.

To supply services to POL, the Post Office Account uses shared resources from within the whole of Fujitsu;
therefore Post Office Account is mandated to follow the frameworks, process and procedures documented
by Fujitsu Business Assurance, Fujitsu Quality Management, and Fujitsu Development Assurance.

It also follows the ISO methodology of Plan, Do, Check and Act (PDCA model) to ensure Post Office
Account maintains its accreditation for ISO 27001 and assists POL to retain the PCI DSS and the Vocalink
LASSIS 1.6 standards.

Inputs to the Quality and Compliance framework are broken down into the following areas:
• Legislation & Regulations
• Customer Standards
• Fujitsu Standards
• Post Office Account Standards

These are the building blocks of governance as they are the basis for all controls that Post Office Account
must build into its solutions, services, management and reviews.

The framework enables all stakeholders to clearly understand their obligations with regards to meeting any
legislative or compliance requirements and ensure that any new projects, or changes to current systems,
identify, agree and document all the legislative or compliance requirements, and identify, agree and document the
responsibility for the management and updating of legislative and compliance requirements.

These requirements ensure documentation, for all the services provided to POL, of the roles and
responsibilities, finances, standards, review methodologies and management and reporting of Quality and
compliance findings or risks raised.

POL and Post Office Account Senior Management receive regular reports of the status of the Quality and
Compliance framework to enable informed decision making based on the metrics and measurements
made.

16.2 Please provide a specific example of a recent quality plan you have produced and explain the
linkage/flow through to quality assurance reviews.

Fujitsu's Post Office Account already has in place a quality plan which covers the activities of the
Engineering Process Group (EPG) instructions of the Post Office Account Design, Development and
Integration (DDI) Teams.

According to Fujitsu's Corporate Engineering Master Policy: “All groups must use an approved, documented
process to guide the development, maintenance and support of software, system and service solutions for
customers.” The DDI Teams also ensure they are compliant against requirements.

Stakeholders cascade policies, standards, contractual, and legislative requirements to the business unit. The
business unit captures these and manages implementation. The Account and DDI teams measure how
successful the implementation of these controls is, and continuously review them.

DDI teams develop software to the FJS corporate standards laid out in the BMS as ADBM v4.0, tailored by
the Post Office Account Business Unit as HNGx-DBM. This is with the aim of moving, in the medium term,
towards the ‘Apt’ framework and methodology. The document therefore:

• records the approach taken to effect changes potentially required to HNGx-DBM, to accurately reflect
the current process position of the Post Office Account BU, but limited to the activities of the DDI
teams, and not teams which precede or follow those activities in the project lifecycle
• measures compliance within the current working practices of the individual DDI teams to the
HNGx-DBM standards and other relevant standards
• documents current activities and progress being made to ensure compliance
• documents the approach taken to effect general improvement in working practices and processes
• identifies work instructions and local, bespoke procedures which sit outside of the HNGx-DBM based
framework / BMS
• lists resources and repositories for process and evidence of compliance to process (the collateral of
development).

It also follows the ISO methodology of Plan, Do, Check and Act (PDCA model) to ensure Post Office
Account maintains its accreditation to ISO standards.

16.3 Please demonstrate how you would establish and maintain documented procedures for planning,
implementing and undertaking internal and external quality audits to verify whether quality activities and
related results comply with expected results and which determine the effectiveness of the Quality System.

Fujitsu's Post Office Account ensures that audits undertaken by POL agents, and Fujitsu Business
Management Systems, are supplied with adequate information, resources and evidence to complete their
audits. Each audit undertaken by POL has differing requirements dependent on the purpose of the audit and
therefore the outputs will vary dependent upon the scope jointly agreed with the auditor and owner of the
audit.

Prior to each audit the scope is reviewed with the relevant interviewees and an assessment is made of
whether the requirement is for an interview, a documentation review, whether the auditor wants to observe a
process or action or state being undertaken or whether observation of data, system settings or
configurations are required.

In principle each audit will consist of the following details, and evidence that they are in place will be
provided to the auditor:

• Requirements are clearly understood, documented and defined for
the following areas:

o Compliance

o Systems

o Information

o Documentation

o Roles and Responsibilities

• Evidence that a Plan, Do, Check, Act Methodology is followed

• Technical Evidence of compliance to our documentation and
standards requirements

• Projects are managed, costs controlled and risk monitored

• Projects have acceptance processes across all levels of Fujitsu's
Customer Service Life Cycle for issues and risks and a final
acceptance into live processes are in place and are agreed and
approved by POL

• All types of Changes across Fujitsu’s Customer lifecycle are
managed and controlled and an audit trail exists for them

• Issues are managed and controlled with root cause analysis and
lessons learned identified

• Risks are managed and controlled across all areas of the Customer
Lifecycle

• Regular reviews take place with all our third parties including internal
ones where risks, issues and service improvements are discussed
and documented

• Regular reviews and authorization takes place by senior
management and the audit owners or their delegates of change,
risk, resources, issues and finance


16.4 Please explain how you will provide resources to support the external audit processes required by
POL, including, attendance at meetings, provision of information and records to support the audit,
responding to questions and requests for additional information, logging and completing actions and
supporting POL to make changes identified as part of an audit report.

To communicate, Fujitsu and Post Office meet regularly at joint boards to review the effectiveness of the
quality management systems. Clear terms of reference define the roles and responsibilities of these boards.
Minutes are recorded and action lists maintained to ensure that risks, service improvement plans and
escalations, where required, all take place.

These boards ensure quality is maintained across hosting, all the functions and services provided to POL.

In addition to these boards, Fujitsu assigns specialist teams with the relevant expertise to work with Post
Office to plan, check and act upon specific audits requested by them and their auditors. These teams:

• arrange, co-ordinate and facilitate resources and evidence for the
auditors and with the specialist experts provided for interviews

• assist in resolving auditor queries

• present with Post Office the findings of the audit

• action any appropriate remediation through risk plans and service
improvement plans and challenges to the auditor.


17.0 General Requirements: Collaborative Relationships

17.1 Please explain how you would leverage influence, buying power, supplier networks and use your
reputation to achieve the best value for the Post Office in supplier negotiations and sourcing activity.

‘SupplierConnect’ is Fujitsu's professional procurement service for managing a client's supply chain from
establishing initial requirements and tendering, through to delivery and contract compliance. It allows Fujitsu
to manage the supply base at two distinct levels: firstly, at a corporate level, leveraging the buying power it
has across its accounts, and then, at a detailed account level, using its focused approach to meet a
customer's specific needs.

Fujitsu believes that, for a customer's organisation, effective supplier management is an important factor in
enabling a customer to manage its cost base, identifying opportunities to deploy innovative propositions and
ultimately, to remain competitive.

The Fujitsu Procurement Team is highly professional and qualified. It is widely recognised across the
industry that Fujitsu's Procurement Team operates at a level of industry leading good practice, taking care
of corporate governance, risk management and embracing continual improvement to:

• Assess all third party suppliers required for the provision of in-scope
services

• Identify opportunities to rationalise the customer's supplier base

• Fully leverage Fujitsu's existing supplier relationships to reduce cost
and increase value for money

• Work with third party suppliers to create agreements that will mitigate
potential risk or exposure

• Negotiate best value pricing, leveraging previous deals and strength
of relationship for the customer's benefit

• Run competitive tendering, where appropriate, to demonstrate best
value for money

• Provide a comprehensive view on current market pricing using our
extensive network of suppliers.

Fujitsu has established relationships in the UK, often underpinned with formalised supply agreements, with a
wide range of product suppliers. Our size, and the value of business we transact, enables us to leverage this
“buying power” for the advantage of our clients.

As outlined under 5.2 above, Fujitsu has many long-standing, strategic and operational relationships with all
Tier 1 volume hardware, service and software suppliers, and with numerous distributors with whom we hold
established trading relationships. Fujitsu can engage with over 250 suppliers to meet POL requirements to
deliver value for money and reduce TCO. Fujitsu Procurement can review and renegotiate existing
agreements, engage new suppliers, agree technology and service roadmaps and assess cost implications.

Our relationships include:

[Supplier logos: Cisco Systems, BT, EMC, Global Crossing]


[Supplier logos: Lexmark, Microsoft, Oracle, StorageTek]

Each major supplier will have a dedicated Fujitsu Procurement Manager. This ensures that we remain
informed as to the suppliers' roadmaps and have quick and direct escalation routes in place to facilitate
effective working together.

The resource to manage quotes and orders is provided from a multi-skilled and experienced existing team
who understand our fulfilment systems and processes, and those of our major suppliers that deal with
revenues of some £250m per annum, relating to product fulfilment activity.

To add value to the order process we have a dedicated Supply and Operational Management team, which:

• Monitors and reviews supplier operational performance and drives
service improvement plans

• Drives supplier delivery performance improvements

• Updates and manages customer delivery dates

• Minimises and controls inventory risk

• Provides buying function for hardware and software products based
on professional purchasing practice

• Works closely with our sourcing capability to establish a cost
effective supply base.


Please explain how you would provide assistance with the design of the optimal sourcing and
commercial models with respect to software licensing, business-wide roll out and refresh programmes,
future proofing and total cost of ownership.

Fujitsu’s Procurement team uses a structured approach for procurement which through defined process
steps develops the model and approach to be used to provide the best POL outcome. This process is
applicable to any external supply and the strategy is flexible to allow for any project size or complexity.
These process steps consist of the following:

• Research the requirement
    o Sourcing Project Research Summary
    o Market Summary
    o Market Profile by Commodity
    o Summary, comments, risks and recommendations
    o Identify Suppliers to whom an RFI should be issued
• Pre-Tender Investigations
    o Issue suppliers and document responses
• Approve Business Requirement Specification
    o Review as part of the Local Business Approval Review process
    o Review strategy with Business Assurance
    o Create project plan with key steps
• Design the Sourcing Strategy
    o Background
    o Business Requirement
    o Make / Buy decision
    o Competitive Tender
    o Timetable
    o Suppliers
    o Proposed Solution
    o Methodology
    o e-Auction suitability
    o Supplier evaluation criteria
    o Identify risks.

All Fujitsu Procurement professionals attend a formalised training academy to ensure a consistent high level
of skilled procurement resource. The procurement team will be supported by the appropriate Subject Matter
Experts (SMEs) to ensure that the sourcing approach followed takes full account of POL’s overall
requirements, including long-term TCO aspects, not simply initial acquisition and rollout cost.


17.3. Please explain how you will work collaboratively in a multi-supplier environment in order to achieve
a successful outcome using all available skills and capability. Please provide an illustrative example

Working collaboratively in a multi-supplier environment is fundamental to the success of any service
transition, service transformation and ongoing service delivery. Fujitsu already works collaboratively in
many of its contracts both in the private and public sectors and in national and international businesses.

Where Fujitsu accepts responsibility for the management of a service, or services, in a multi-supplier
environment Fujitsu will protect the integrity of the service(s) being provided by ensuring that our business
and contractual relationships with the customer and other suppliers provide clarity on the elements listed
below and are proactively managed in a fair and equitable manner.

• Service scope — clearly define the delivery requirement;

• Service levels — agree volumetrics and appropriate KPIs;

• Service boundaries — ownership and handover points;

• Service processes — how delivery will be achieved and problems
avoided;

• Exception handling — agree escalation points of contact and how
both parties will react to problems;

• Service change — how service variation will be seamless and
professionally managed;

• Commercial impacts — by being transparent; preserving the rights
of the customer and/or other suppliers and Fujitsu while
acknowledging our responsibilities and obligations.

However, Fujitsu strongly believes that effective service delivery in a multi-supplier environment is not just
about contracts. Dependent upon Fujitsu’s role, for example service integrator or specific service(s) supplier,
Fujitsu will seek to either manage, as a service integrator, the whole business relationship with the customer
and other suppliers, or as a specific service(s) delivery agent to be part of a collaborative consortium of
suppliers working as “one team” to deliver the services to the customer in a seamless and transparent
manner.

An example of where Fujitsu works collaboratively with other suppliers is in our HM Revenue & Customs
(HMRC) contract which brings together HMRC, Fujitsu and Capgemini. Fujitsu manages a large scale
desktop and hosting infrastructure for HMRC, supporting 70,000 users across 400 offices. Capgemini
operates as the service management integrator. Capgemini also operates the service desk as first point of
contact for all calls and provides most applications maintenance services. Fujitsu provides resolver groups
to manage and resolve infrastructure service calls. The enterprise management systems for both suppliers
are integrated for technical configuration management and alerting allowing seamless handover of calls
between supplier resolving teams. In this case the customer SLA is measured across the complete service.
Overall Governance with the HMRC was implemented via a Joint Delivery Board and Programme Board.

“The collaboration, innovation and “can-do” attitude of the project team made this a tremendous success”,
Phil Pavitt, HMRC CIO

Fujitsu recognises and welcomes that being able to work in a collaborative multi-supplier environment is
part of business as usual in the ITC industry and we already have many examples of successful
collaborative working in both the private and public sectors and in national and international businesses.


17.4 Please explain how you could leverage your existing customer relationships to bring benefits to the
Post Office

A key strategic aim for POL is to become the “Front Office of Government” (FOoG). POL already provides
many counter services for Government, such as Driver and Vehicle Licensing and passports. The aim for
POL is to grow revenue in this area by £200m.

We are actively supporting this initiative by leveraging our large client base in Government to POL’s
advantage. We are currently working with POL to identify revenue opportunities and engage clients. In
some cases these can be to generate revenue by attracting more transactions to POL through counter
services, electronic identity, and document management. In other cases, these opportunities are for
reducing costs through shared infrastructure, cloud services, and supply chain benefits.

We are supporting POL's bid for DVLA. We operate DVLA’s existing back office systems and infrastructure.
This has enabled us to support POL by offering insight into key issues and drivers, future needs and strategy
and gain informal insight into the bid. We have also identified areas where we have common infrastructure
across a number of government departments involved in the bid, such as scanning services, which may
enable a reduction in transaction costs. Further detail can be provided by Spencer Chapman, Bid Manager
for POL.

In addition, we have created an Independent Software Vendor (ISV) programme to allow small companies to
take advantage of the scale and support of Fujitsu. As clients of our services, we enable ISVs to transform
traditional on-premise software applications to a cloud-based Software as a Service (SaaS) offering. To
support this we also offer, where appropriate, to broker new relationships between our ISV community and
our clients. Clients then get the benefit of access to innovative and agile solutions, with the protection of an
agreement with Fujitsu.

Through an enterprise-class ‘App Store’, known as the Business Solutions Store (BSS) and due to go live in
July 2012, POL can find best-of-breed software to meet their business needs, and subscribe to these as a
utility, on a service model. Fujitsu’s BSS manages the complexity of subscription; provisioning, billing and
reporting whilst providing a highly available, scalable cloud infrastructure. This allows niche software
providers who have either sector specific or horizontal market offerings to leverage Fujitsu's relationships in
the enterprise and government marketplaces, and allows our clients to leverage Fujitsu's relationships in the
software vendor arena at a managed level of risk.

“As a leading Optimisation-as-a-Service vendor, we were looking for a partner we could really trust to help
launch our cloud offering into new markets. We were attracted by Fujitsu's reputation for reliability, uptime
and security, but most important to us is that Fujitsu really understands how to collaborate with early stage
high-tech companies and we admire their experience of getting innovative ISVs exposed to valuable
opportunities. We completely trust Fujitsu with all of the infrastructure and merchanting processes, which
means we can concentrate on our value-add with the end-customer.” Daniel Hulme, CEO, Satalia

Fujitsu’s ISV programme is a disruptive influence on the applications market offering tangible, proven,
benefits to POL including easy adoption, reduced time to value, lower costs of delivery and a pay-as-you-go
operating model aligned to their business — whether it be per user per month, transactional or value-based.
Examples of niche clients and ISVs with whom we work include:

• Northgate — vehicle hire. Fujitsu uses Northgate for flexible vehicle
hire, and, in return, provides Northgate with IT services;

• PerspecSys — a company which mitigates risks around data
residency for Salesforce.com;

• AuraQ — providing a digital pen solution.


18.0 General Requirements: Security Management
Please explain how you will:

18.1 comply with POL's Information Security Minimum Standard as set out in the Framework Agreement,
including Payment Card Industry (PCI) compliant Products and services.

Fujitsu recognises the absolute importance of security for its customers, and the need to comply with
various security standards. As a result, our security team will agree with POL the security policies, standards
and regulations which will need to be complied with as part of the service. Regular technical and procedural
audits will take place to identify any areas of non-conformance and ensure ongoing compliance of the
infrastructure and services being managed on behalf of POL by Fujitsu. These activities will be managed by
the Chief Security Officer and undertaken by the Security Auditor and Security Technicians.

In order to ensure that Fujitsu provides a service in accordance with the agreed POL security policies and
standards, the Fujitsu Operational Security team will either adopt existing operating security standards or
develop new ones as required. These standards will be discussed and agreed with nominated POL security
personnel and utilised by Fujitsu Service Towers Units in the provision of service to POL. These activities
will be managed by the Chief Security Officer and undertaken by the Security Administrator with support
being provided by the Security Technicians.

Fujitsu can implement a control framework that includes technical and operational PCI controls for the
assets identified as within the PCI DSS estate or connected to the estate. This framework would cover the
building and maintenance of secure networks, protecting the Card Holder Data, maintaining a vulnerability
management program, implementing strong access controls, regularly monitoring and testing the network
and maintaining an Information Security Policy.

To achieve this, each service tower and function or third party would follow the framework with agreed
Service Requirements, Defined Project Requirements, Service Delivery Goals and, for each, agreed KPIs
and metrics to measure and jointly review with POL. Changes to the service due to incidents, requirement
changes, project fixes or business as usual changes would be subject to an agreed joint change
management and incident management process.

Resources and assets used in the delivery of the service (physical, technical and people) would be subject to
appropriate vetting for their roles only. Access, authentication and logging of these assets would occur with
jointly defined and identified errors and thresholds to raise incidents against confidentiality, integrity and
availability. Internal audits in conjunction with business as usual reporting would identify areas for
improvements with remediation plans and service improvement plans put in place.


18.2 provide mechanisms that monitor and report compliance with POL Security Requirements including
all relevant legislation, industry regulation, required standards and industry best practice.

As part of the current obligations under our existing contracts with POL, Fujitsu has introduced toolsets to
collect, aggregate and trend the controls implemented to ensure compliance and ensure these have the
correct interfaces to adjust them from technical recording logs and error management toolsets and Help
Desk calls.

To make sure that the regulatory standards and controls are followed, POL and Fujitsu agree risks from
these and prioritise and agree clear ownership across Fujitsu Towers and Functions, suppliers and third
parties and ensure SLAs and OLAs include defined Risk Reduction, Risk Acceptance, Risk Transfer and Risk
Avoidance.

As an illustration, Fujitsu already adheres to POL’s security requirements across the following areas:

• ISO/IEC 27001:2005 — the management system that is intended to bring information security under
explicit management control. POL required Fujitsu to comply with the ISO 27001 security standard as
part of its contractual obligations. Fujitsu’s management team decided to take this one stage further
and to have the account fully accredited to the standard, which it subsequently achieved, and which
underlined our commitment to POL.

To achieve this accreditation Fujitsu had to show that it followed the “plan, do, check, act”
methodology, documenting its ISMS and its scope and how it would review and monitor the assets
that fell within this scope. It had to evidence its Senior Management Team had Security
Management had allocated security responsibilities and that they were committed to support and
review these. Resource management, training competencies, evidence of continual improvement
and corrective actions were also required to be evidenced.

The external Auditor also checked that the following were being met and that evidence was
available to show that the security principles of confidentiality, integrity and availability were applied
appropriately in the following areas:

o Security Policies
o Internal Organisation structures
o External Parties
o Asset Management
o Information Classification
o Human resources Security
o Physical and Environmental Security
o Operational procedures and responsibilities
o Third Party Service Delivery
o System Planning and Acceptance
o Protection against malicious and Mobile Code
o Backup
o Network Security Management
o Media handling
o Exchange of information


• PCI Data Security Standard — created by the Payment Card Industry Security Standards Council to
increase controls around cardholder data to reduce credit card fraud via its exposure. Validation of
compliance is done annually through the Post Office Account by an external Qualified Security
Assessor (QSA). Fujitsu has over the past three years worked with POL to review the technology,
processes, policies and physical environments used to protect the processing, storage and
transmission of Track2 data and PAN Data held within the card holder environment.

The standard required Fujitsu to:

Build and Maintain a Secure Network
    1. Install and maintain a firewall configuration to protect cardholder data
    2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
    3. Protect stored cardholder data
    4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program
    5. Use and regularly update anti-virus software on all systems commonly affected by malware
    6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
    7. Restrict access to cardholder data by business need-to-know
    8. Assign a unique ID to each person with computer access
    9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
    10. Track and monitor all access to network resources and cardholder data
    11. Regularly test security systems and processes

Maintain an Information Security Policy
    12. Maintain a policy that addresses information security

The QSA worked with both Post Office Ltd and Fujitsu in ensuring that each of the high level
controls above were met and that each sub control could be evidenced through either
Documentation, Interviews, observations of a system state, observation of a process action or state,
sampling and traffic monitoring. Fujitsu are now preparing for the second PCI Audit which will
include the regular reports that it provides to the joint Post Office Ltd Service Review Boards and
Information Security Forum.

• LINK — POL required Fujitsu to implement controls to protect the messages and transactions in the
LINK Network which contain both cardholder sensitive data and related financial information, in
particular the protection of transmitted PIN data from the PIN pads. Cryptography is used to protect
PINs and PIN keys to reduce the risk of financial loss by fraud, to maintain the integrity and
confidentiality of the network, and to instil cardholder confidence in the use of the LINK network and
ATMs in general.


18.3 ensure that your staff including any and all sub-contractors will be trained in compliance with all
Security Requirements including all relevant legislation, industry regulation, required standards and industry
best practice; how this will be reviewed and refreshed annually and how this will be monitored and reported.

Fujitsu's Post Office Account and sub-contractors’ training function is mandated and managed using the
following processes, and includes an appointed Security Manager:

Training

Fujitsu is engaged on an ongoing staff training programme to communicate its compliance with all relevant
security industry standards, relevant legislative regulations and Best Practices throughout. There is
mandated training for all account employees that addresses all Security Training needs prior to employment
on the account.

The Security Manager is responsible for implementation of the Training process for:
1. Development and publication of Security related guidelines

2. Development of training programmes to reflect the requirements of all Security legislation
currently in force

3. Regularly reviewing compliance with good management practices involving Stakeholders within
both the account and Fujitsu corporate.

4. At least Annual refresh of the Post Office Account Staff training requirements are performed to
make sure that obligations are met with regard to Knowledge and skill sets

5. All training requirements are monitored by Line Management and senior executive level
together with HR functions where this is recorded to identify skill gaps and resource needs.

6. Representing Fujitsu Services to the Office of the Information Commissioner and appropriate
professional organisations.

Compliance at all levels of the organisation is mandatory.

Audit

A key factor in the implementation of Fujitsu's compliance programme is compliance auditing. We have an
internal audit framework that has a fairly detailed but also layered set of questions depending on the kind of
audit and the specific business unit.


18.4 ensure that staff working in a Post Office environment will be vetted in accordance with POL Policy,
including provision of SC-cleared staff to install and maintain Products that are identified by POL as needing
SC cleared staff, e.g. POL's Biometric Equipment.

All applications for employment shall be screened in order to assess reliability. Applicants’ identities and
references are to be checked as stated in the Fujitsu Policy Security Checking in HR Shared Services
Processes (Ref: HRS1). Equivalent checks will be applied to all subcontractor staff and third party
Engineers, as appropriate, and where applicable follows POL vetting procedures.

Requirements for further pre-employment checks for Post Office Account Staff are outlined below. It is the
responsibility of the hiring manager to ensure that employees have the appropriate level of security for their
role.

• Additional security checks, in accordance with POL vetting
procedures, must be performed for all Post Office Account
engineer staff that requires access to Post Office locations in order
to undertake development, support or maintenance activities.
Satisfactory Credit Reference Bureau checks will be required for
all Post Office Account Staff who have access to financial
information contained within Post Office systems.

• Criminal Record Checks will be carried out on Post Office Account
Staff. This will be done as part of a UK Government specified
Baseline Standard check.

• Higher level UK Security Clearance may be required for individuals
who have access to POL information classified as Strictly
Confidential. Advice should be sought from the Chief Information
Security Officer who will confirm the requirement with POL on a
case by case basis.

• All new vetting cases will be reported to POL via the monthly
Information Security Management Forum (ISMF) to provide
assurances that Vetting procedures have been followed.

When an existing Fujitsu employee transfers to work on the Post Office Account the hiring manager must
ensure the employee has either satisfied the checks above or that the checks are performed if the employee
has not already been fully checked.


19.0 General Requirements: Data Protection
Please confirm:
19.1 you will comply with the Data Protection Act 1998, when you are conducting any activities with the
Post Office. If you have been investigated by the ICO for lack of compliance with the DPA, subject to
Enforcement action or an Undertaking from the Information Commissioner. Please Provide:

i) number of investigations
ii) details of any Enforcement Action
iii) details of the Undertaking
iv) and information on how these issues have been resolved

Fujitsu confirms that it will comply with the Data Protection Act 1998. Fujitsu Services Limited has a current
Notification in the Information Commissioner's Register of Data Controllers. Its registration number is
26251262 and the registration expires on 3 February 2013.

Fujitsu has not been investigated by the ICO for lack of compliance with the DPA, subject to Enforcement
action or an Undertaking from the Information Commissioner.

19.2 whether you have an appointed individual who is responsible for Data Protection and whether this is
formally documented in the individual's role description?

Yes. Fujitsu Services Limited employs a Privacy Manager within its Legal Group, who is responsible for
ensuring that Fujitsu complies with all aspects of the Data Protection Act.

19.3. whether you have a Data Protection Policy in place readily accessible to staff and whether you
provide training to members of staff on handling personal information, which is compulsory for all staff with
access to personal information and refreshed regularly.

Fujitsu has a Data Protection Master Policy which applies throughout Fujitsu. A copy of this Policy is
available on request. Concerning customer information, it states that “information from our customers must
be used only in accordance with the terms and conditions defined and specified in each contract with them,
including those terms and conditions which specify intended use, management and duration of confidentiality
of such information”.

There is also a Fujitsu Data Protection Code, the objective of which is to provide adequate and consistent
safeguards for the handling of personal data by Fujitsu.

A Legal Compliance Master Policy, attached, lists in outline the legal obligations of employees in relation to
a number of areas of law, including data protection.

Fujitsu Services Limited aims to follow internationally accepted good practice in the area of Information
Security, and complies with ISO17799, the international Standard for Information Security Management.

Our policy on Monitoring / Investigation of IT and Communications complies with the following controls in
ISO/IEC27001:

• Monitoring System Use 10.10.2
• Collection of evidence 13.2.3

As detailed under 18.2 above, Fujitsu's Post Office Account is already accredited to ISO/IEC27001:2005, as
well as PCI security standards, and LINK best practice controls for PIN pad data transmission. All Fujitsu
Master Policies are accessible to all staff via the company’s intranet site called Café VIK.


19.4 what checks you have in place to ensure the reliability of staff and Sub-contractors who have access
to personal information.

The Group Securities team of Fujitsu Services Limited is responsible for all Fujitsu UK Pre-Employment
Screening (PES). This screening is done for all new permanent employees, and would include checks on
whether the person has the right to work in the UK.

Fujitsu monitors the financial stability of its supply base on a monthly basis using Dun & Bradstreet’s
Portfolio Manager. This can result in alerts being issued by D&B when it considers that a supplier is likely
to fail financially and go into administration, or when a supplier is highlighted by the statistical analysis
D&B carries out on Fujitsu's supply base to determine ‘likely failures’, often as far as 5 months before the
projected financial failure.

The Fujitsu Supplier Assurance Programme will be used to record basic information from all its suppliers
(new and legacy) involving Social Responsibility. The information obtained will be used to form the basis of
a new supplier review and site visit schedule. The information can also be used to provide an internal trail
for any audits Fujitsu's end customers may carry out on them.

Fujitsu operates a zero tolerance policy where bribery and corruption are concerned and expects its Legacy
Third Party Vendors to follow its Code of Ethics in all of its dealings with Fujitsu. Legacy Third Parties are
directed to a Fujitsu Website where copies of the Global Business Group Business Standards and Master
Policies can be found.

For all New Third Party requests, Fujitsu has implemented a robust process which includes Integrity Due
Diligence, involving Dun & Bradstreet’s databases, for both Financial Risk and Anti-Money Laundering
(AML) checks, as well as requiring the prospective third party to complete and sign a Disclosure Letter for
exposure to ‘Supply Chain’ Risk. Once a prospective Third Party has been successful in meeting the needs
and requirements of the process, a Certificate of Compliance is issued. Depending upon the level of
findings, an on-site audit of the prospective third party may be required to validate their policies concerning
anti-bribery and corruption.

19.5 whether you have a Data Protection incident/Breach Management policy and process and how you
would ensure any breaches are reported to POL immediately.

Fujitsu Services Limited is registered under the Data Protection Act 1998 with the registration number
26251262. Compliance with the DPA is an integral part of corporate responsibility within Fujitsu. Awareness
of the Act is a contractual requirement imposed by many customers and is also regarded by Fujitsu as an
essential part of the way we do business.

Fujitsu has a Data Protection Master Policy which applies throughout Fujitsu. This Master Policy is owned by
the Fujitsu UK & Ireland Director, Commercial, Legal & Compliance and managed on his behalf by the
Privacy Manager. There is also a Fujitsu Data Protection Code, the objective of which is to provide
adequate and consistent safeguards for the handling of personal data by Fujitsu.

A Legal Compliance Master Policy lists in outline the legal obligations of employees in relation to a number
of areas of law, including data protection.

Fujitsu Services aims to follow internationally accepted good practice in the area of Information Security,
and complies with ISO17799, the international Standard for Information Security Management.

Our policy on Monitoring / Investigation of IT and Communications complies with the following controls in
ISO/IEC27001:

• Monitoring System Use 10.10.2
• Collection of evidence 13.2.3

It is a requirement of the Fujitsu Data Protection Code that employees working with personal data must be
aware that breaches of data protection laws can be legally punishable, and can lead to claims for
compensation or damages. Employees who are found responsible for the breach will be dealt with according
to applicable provisions of law and company policy.


Should an incident occur, Fujitsu and Post Office Limited already have the procedures and processes in
place for communication and ongoing incident management.


20.0 General Requirements: Health & Safety

Please describe the following:

20.1 your organisation's health and safety policy, providing an overview of the organisation's
arrangements for health and safety.

Fujitsu’s Health and Safety Master Policy (CPM14) is available via the company’s intranet. It is reviewed
annually and following any significant amendments to legislative or other relevant standards. Fujitsu
engages the services of both health and safety and occupational health consultants. It is Fujitsu policy that
all sites, including customer sites, have at least one Health and Safety Contact. The Fujitsu Health and
Safety Management System follows the principles as defined within BS8800/BS OHSAS 18001
Occupational Health & Safety management standard and HSG65. Fujitsu has achieved registration for its
London HQ and Bracknell sites, and its Warrington and Manchester campuses.

The Company's Board of Directors has ultimate responsibility for Health and Safety at work. The Company
is responsible for providing and maintaining a safe and healthy working environment for all its employees,
and for promoting a positive health and safety culture. Duncan Tait, CEO UK & Ireland, has overall
executive responsibility for Health and Safety, and he requires all directors, managers and employees to
play an active part in the development and implementation of procedures and other measures to protect the
health and safety of everyone who may be affected by the Company's activities.

The Health and Safety Master Policy states that Fujitsu UK and Ireland is committed to:

• Achieving a high standard of health and safety in all its operations
• Taking all reasonable steps to protect the health and safety of employees from risks in their work or
working environment
• Safeguarding the health and safety of others with whom Fujitsu may have contact in its business
activities, and
• Complying with health and safety laws in the countries in which Fujitsu operates.

In order to achieve the goals set out above, the Policy states that Fujitsu will:

• Promote a business culture that gives a high priority to the health, safety and wellbeing of
employees and is committed to the prevention of injury and ill health,
• Manage health and safety risks actively and effectively, and promote positive attitudes to identifying
and reducing risks and to safeguarding health
• Make employees aware of their responsibilities for health and safety, and develop the competences
necessary to carry out their work effectively and safely
• Set and document appropriate objectives that are communicated and implemented throughout the
company.
• Implement an effective health and safety management system that ensures:
    o Risks to the health, safety and welfare of employees and others are identified and
    eliminated, or reduced to acceptable levels where elimination is not possible
    o Safe and healthy working environments are provided and maintained, and that
    workplaces and equipment incorporate appropriate health and safety features
    o Emergency response procedures are in place for foreseeable incidents, and that
    employees and others understand information on procedures relevant to them


    o Work-related hazards, risks, injuries, illnesses, near-misses and opportunities for
    safety improvement are systematically recorded, reported, investigated and acted
    upon, and any necessary remedial or other action is taken promptly
    o Continual improvement in health & safety management and performance
• Inform and consult with employees, their representatives and with working partners on health and
safety matters, and encourage them to participate actively to achieve Fujitsu's goals.
• Report openly and transparently on health and safety performance to employees, working partners,
customers and other stakeholders
• Provide employees with health, safety and welfare support through professionally resourced health,
safety and employee support services.

The Master Policy is supported by subsidiary policies and procedures as required to meet Fujitsu's Global
Business Standards, legislation and guidance, to reduce risks and promote a positive health and safety
culture at Company, Country, Business Division, Function, and contract or site level.

Fujitsu will seek to ensure that its working partners, and any joint ventures or consortia in which it is
engaged, have the required management systems in place to achieve high standards of health and safety
performance.


20.2 how you will identify and assess significant health and safety risks and develop and implement
controls such as safe systems of work and method statements when conducting any activities for the Post
Office.

Fujitsu regularly undertakes site surveys in order to conduct risk assessments in the workplace and
undertakes work in compliance with a pre-defined set of method statements. When an engineer attends a
POL branch, they will always carry out a visual inspection of the item they are due to replace/repair in order
to ensure that they are not putting themselves or anybody else at risk before they begin any work.

Engineers are provided with the correct tools to do the job and a full training manual that describes the
approach that they should follow when working on any piece of equipment in branch.

Some basic principles apply, and are followed by the engineers when on site; these include making sure that
the base unit is powered down and unplugged before they start connecting and disconnecting cables at the
back of the unit.

Engineers are also provided with anti-static straps should they have any requirement to work on open base
units which may give an opportunity for a shock, and they have received instructions on when and how to
use them.

Before a piece of kit is returned to the user, it is tested by the engineer to prove it works.

Cable ties are provided to engineers, and as part of the exchange/repair they are instructed to make sure
that the cables are left in a suitable condition and do not create a trip hazard to the user.

Engineers are also encouraged to report back via the Horizon Service Desk if they see anything on site
which they believe may be an H&S risk, and this is then addressed between the appropriate people within
Post Office Limited and Fujitsu as necessary.

Our engineers are not electricians, and therefore we do not get involved in any work outside our remit as
hardware engineers. In the event that a branch had to be closed due to flooding, for example, we would not
send an engineer to site until the branch has been able to produce an electrical safety certificate to confirm
that the branch is safe to attend. Details of these processes can be found in the ‘Enforced Closure Process’
which details the agreed processes that must be followed in the event of an enforced branch closure.

Only the plug sockets installed for the Horizon equipment, which run on a line isolated from the office's
other electrical sockets, are used for connecting our own Horizon equipment, and Postmasters are advised
not to use the Horizon power sockets for non-Horizon equipment.

Whilst rare, the occasional use of a ladder is required to reach things such as the HUB box within a large
branch (Cambridge, for example); if we are required to attend a call for this fault at a branch that has a
requirement for a ladder, then two engineers are assigned to the call.

In addition, Fujitsu undertakes, as part of the contractual arrangement with Post Office Limited, full Portable
Appliance Testing (PAT) at every branch in the UK (11,000) and on all 30,000 counters on a regular basis;
the last nationwide check was carried out between August 2011 and April 2012.


20.3 what health and safety related documentation will you provide to Post Office, following completion
of your project/ programme.

Upon completion of the work on site, we will test that the equipment is working before handing it back over
to the PM to use to serve customers. Upon request we are able to provide documentation that shows our
processes and procedures for dealing with different issues that arise from time to time, and some of those
will have a Health and Safety link.

Our documentation and service descriptions are reviewed by both parties. We have our own security team
who will pick up any issues that are flagged to them that relate to potential security or health and safety
breaches. These may have been identified by Postmasters or by engineers whilst on site.

All parts exchanged from a branch should have a completed PRF (Product Return Form) and this ensures
that any product returned to repair has a description of the fault contained within it; this is especially
important if the part removed from site failed because of a power surge, for example, or has glass/water
damage from a flood or robbery situation. In addition, the box would also be clearly marked when an item is
being returned as faulty following potential H&S damage/impact.


20.4 the system your organisation employs for monitoring your health and safety procedures, for auditing
them at periodic intervals, and for reviewing them on an ongoing basis.

Fujitsu employs a team of both Health and Safety and Occupational Health professionals. All Health and
Safety personnel are qualified to degree, diploma or certificate level, variously in occupational health,
hygiene and / or safety disciplines. This team is responsible for administering the compilation, consultation
and issue of all corporate health and safety related documentation. Company divisions / departments and
the facilities management department administer divisional / departmental and the site-related health and
safety documentation respectively.

The Fujitsu Health and Safety Master Policy (CPM14) is owned by the Head of Occupational Safety &
Health, on behalf of the Chief Executive Officer of Fujitsu UK and Ireland and the Regional Human
Resources Director. It is subject to change control and reviewed regularly, before its expiry date. The
current expiry date is 13 November 2012.

All Company health and safety policies, procedures and other information are subject to change control and
are available on Fujitsu's Intranet service. They are principally conveyed to employees by electronic means.
Additionally, employees are made aware of such information during training sessions, local briefings or team
meetings.
