EXPG0000006_R - Report 1 of Dame Sandra Dawson and Dr Katy Steward for the Post Office Horizon IT Inquiry (Updated 11 November 2024)

EXPG0000006_R

REPORT 1
REPORT 1
FOR THE POST OFFICE HORIZON IT INQUIRY

EXPECTED AND BEST PRACTICE IN RESPECT OF THE STANDARDS OF GOVERNANCE,
MANAGEMENT AND LEADERSHIP IN COMPANIES SUCH AS THE POST OFFICE COMPANIES

DAME SANDRA DAWSON
DR KATY STEWARD

26 MARCH 2024
(UPDATED 11 NOVEMBER 2024)

Page 1 of 133

CONTENTS

Introduction

1. Governance Principles and Codes
1.1. Historical Context: Corporate Governance Foundations in Rights of Owners
1.2. Corporate Governance in the UK: the Development of Codes of Practice
1.3. The Applicability of Corporate Governance Codes Developed for Listed Companies to Other Forms of Ownership and Organisation
1.4. The Governance of Businesses which are Largely or Wholly Owned by Government
1.5. Role of NEDs and Boards in Government Departments
1.6. Governance and Management Arrangements in, and of, the Post Office Business, 1999-2019
1.7. Questions Arising from Section 1 Relevant to POHI

2. Accountability
2.1. Principles of Accountability
2.2. Board Role Accountabilities
    The Board as a whole
    Board Committees
    Chair of the Board
    Non-Executive Director
    Senior Independent Director
    Chief Executive Officer (or equivalent most senior Executive)
    Other Executive Board Members
    Company Secretary
2.3. The Role of the Shareholder
2.4. The Role of the Executive
2.5. Strategy at the Heart of Board Accountability
2.6. Questions Arising from Section 2 Relevant to POHI

3. Monitoring and Audit
3.1. Introduction
3.2. Guidance on Monitoring and Audit in Public and Private Bodies
3.3. Board Audit Committee
3.4. Internal Audit
3.5. External Audit
3.6. Questions Arising from Section 3 Relevant to POHI

4. Risk
4.1. Introduction
4.2. Executive Role in Risk
4.3. Board Role in Risk
4.4. Board Risk Committee
4.5. The Role of the Shareholder
4.6. Questions Arising from Section 4 Relevant to POHI

5. Governance and Management of Technically Complex Major Projects
5.1. Introduction
5.2. Characteristics of Major Projects
5.3. The Role of the Executive
5.4. The Role of the Board or other Governing Body in Major Projects
5.5. Questions Arising from Section 5 Relevant to POHI

6. Governance and Management of Whistleblowing
6.1. Introduction
6.2. The Role of the Executive: The Management of Whistleblowing
6.3. Guidance and Regulation
6.4. The Role of the Board: The Governance of Whistleblowing
6.5. Questions Arising from Section 6 Relevant to POHI

7. Stakeholder Management
7.1. Introduction
7.2. Identifying Important Stakeholders
7.3. Considerations in Stakeholder Relations
7.4. Managing Stakeholders: The Role of the Executive
7.5. Stakeholder Relationships: The Role of the Board
7.6. Key Stakeholder Relationships
7.7. Questions Arising from Section 7 Relevant to POHI about Relationships with:
    Government
    Fujitsu
    Sub Post Masters

8. Experiencing Governance and Management
8.1. Introduction
8.2. Authority, Power, Interest, Influence and Conflict
    Questions Arising from Section 8.1 Relevant to POHI
8.3. Leadership
    Questions Arising from Section 8.2 Relevant to POHI
8.4. Culture
    Questions Arising from Section 8.3 Relevant to POHI
8.5. Communication
    Questions Arising from Section 8.4 Relevant to POHI

Annex A Chronology of Laws, Governance Codes and Guidance 1998-2019

Annex B Chronology of Ownership and Governance of the Post Office Business 1999-2020

Annex C Glossary

Annex D Acronyms and Abbreviations

Annex E Sources

Annex F Qualifications and Expertise of Dame Sandra Dawson and Dr Katy Steward

Annex G Statement of Truth


Introduction

We are instructed to provide a report which sets out what might typically be expected/best
practice in respect of the standards of governance, management and leadership in companies
such as the Post Office Companies. Annex F provides a summary of our expertise and
qualifications relevant to undertaking this work.

This report makes few observations on the specifics of the issues under investigation by the
POHI. It deals with generally expected standards. In concluding each section, we have posed
a series of questions which might assist the Chair, Counsel and Core Participants as they
consider the evidence they will be seeing in the coming phases of the Inquiry.

Annex A provides a chronology of the laws and guidance on governance of companies which
applied during the relevant period 1999-2019. The material is presented chronologically, split
into columns. On the left-hand side are the requirements and guidance which apply to
companies, with special attention to publicly listed companies. On the right-hand side are the
requirements which apply to companies and other entities which are wholly owned or
controlled by the government.

Whilst there are differences between publicly listed and publicly owned companies, it is
notable that in matters of governance during the relevant period, the requirements and
expectations for all organisations in the UK have tended to follow, and have been encouraged
by governments and regulators to follow, the approach adopted in law and guidance for publicly
listed companies. It is these laws and guidance which have set generally accepted standards,
which are then adapted in detail, but not in principle, for the situation of companies wholly
owned by the government. There are additional, and occasionally alternative, laws and
regulations which apply to government ownership and oversight (right-hand columns of
Annex A). These add complexity and layers to governance, but do not undermine the
principles set out in the left-hand columns.

Furthermore, there were considerable interlocking directorships within and between publicly
owned and publicly listed companies in this period. This reflects a trend to introduce senior
people with experience of governing and running businesses in publicly listed companies into
the governance and management of publicly owned companies. For example, some of the
Executives and Board members in the Post Office Organisations during the relevant period
either had held, or were currently holding, positions in listed companies.

Beyond identifying specific requirements and guidance for governance as summarised in
Annex A, we have commented on what might be normally regarded as known reasonable
practice in governance, management, and leadership. Our commentary on ‘known reasonable
practice’ is based on our expertise and experience, and on widespread discussion and some
consensus in the public domain on what constitutes good management and leadership. Such
commentary is found in popular business literature, media commentary, and discussion
documents issued to their mailing lists of senior executives and directors by professional
service companies, e.g. search consultants, strategy and management consultants, lawyers,
and accounting firms. Except on the occasions where we have cited research or reports listed
in Annex E, we have not provided specific references to support our expert view.


Our observations on what might be expected in respect of the standards of governance,
management, and leadership in companies such as the Post Office Companies are set out in
general terms under the following sections.

1. Corporate Governance, Principles and Codes
2. Accountability
3. Monitoring and Audit
4. Risk
5. Governance and Management of Technically Complex Projects
6. Governance and Management of Whistleblowing
7. Stakeholder Management
8. Experiencing Governance and Management


1 Governance Principles and Codes

1.1 Historical Context: Corporate Governance Foundations in Rights of Owners

1.1.1 UK corporate governance regulations, standards and codes have developed over time.
Originally constructed for commercial companies, they have formed the foundations for
codes and accepted practice in other forms of organisation, including those of the Post
Office businesses, which are wholly owned by the government. We start therefore with a
summary of developments for commercial companies.

1.1.2 Historically, the roots of contemporary governance lie in the development of ‘limited liability’
companies, and the creation of equity to increase investment through selling ownership
shares of a company to investors not directly involved in its running. With owners no
longer ‘sitting on the premises’, concerns were raised that executive management might
pursue their own interests, rather than those of the company. This separation of
‘ownership and control’ prompted governments and owners to find ways to retain some
owner oversight of current operations and future strategic direction, in order to safeguard
investments.

1.1.3 The underlying question guiding corporate governance developments is: who is most
likely to hold Executives to account and, if necessary, replace them, if they are found to
be ineffective, incompetent, negligent, or single-mindedly self-interested, and thereby
jeopardising the company’s assets and the owners’ investment?

1.1.4 The response in the UK to this underlying question has predominantly been to focus on
the owners (in practice, the holders of relatively large numbers of shares), to require (or
enable) them to appoint, reappoint, or retire their representative directors as Chairs and
Non-Executive Directors to the Company Boards.

1.2 Corporate Governance in the UK: the Development of Codes of Practice

1.2.1 UK practice is to have a unitary Board of Executive and Non-Executive Directors, in
which at least the CEO and often one or two other Executives sit as full members of the
Board, alongside a majority of Non-Executive Directors.

1.2.2 The rights, duties and responsibilities of the Board and its members, as Chair, NEDs and
Executives, of companies, have an outline foundation in statute¹, supplemented by codes
and guidance.² This provides a framework of company ‘self-regulation’ within constraints
set by statute, principles and guidance developed within a market environment.

1.2.3 Contemporary modes of corporate governance are founded in the recommendations of the
Cadbury Committee (1992)³, which together with the Greenbury (1995) and Hampel
(1998) Committees, became enshrined in the Combined Code (FRC 1998, 2003, 2008).⁴

1 See Annex A, Section 1.1 (Companies’ Act, 2006)

2 See Annex A, Sections 1.2 – 1.20.

3 See Annex A, Section 1.2.

4 See Annex A, Section 1.4b, 1.7a, 1.10, 1.12, 1.13, 1.14.

1.2.4 The Combined Code (FRC 2003, 2008), through its principles and provisions, gives a
well-established base set of regulations and guidance on:⁵

a) The structure and operation of Boards of Directors, including roles and
responsibilities of Chairs and Chief Executives; and

b) Roles and responsibilities of Shareholders (particularly institutional shareholders with
relatively large shareholdings).

1.2.5 Boards in their public annual reports have to either ‘comply or explain’ why, in their
‘special/individual circumstances’, the Code’s requirements and recommendations are not
in their view appropriate or advisable in their circumstances.⁶

1.2.6 Important underlying assumptions of the Combined Code:

a) Good governance at Board level is the foundation of good executive management
which in turn is the foundation of strong corporate performance;

b) Those who ‘own’ the capital of the company are the natural guardians of good
governance and thereby good management;

c) The owners will elect NEDs to safeguard the owners’ (financial) interests;

d) If the financial assets are secure then other things on which the business depends (eg
strategy, talent, technology, skills and workforce, operations, supply chain) will also
receive strong oversight, because financial success depends on management paying
due regard to these things;

e) The shareholders and their elected NEDs will have sufficient access to relevant
information to enable them to discharge their duties;

f) Transparency in public reporting of key aspects of the business will ensure full
disclosure and scrutiny of relevant specified information which will reveal if there is
“good governance’ and if this ‘good governance’ has delivered ‘good management’
and met expectations of performance; and

g) If there is a failure of performance, shareholders will use market mechanisms and sell
stock and/or change Board membership.⁷

1.2.7 None of these assumptions necessarily always hold. For example, they may not hold if:

a) Shareholders (and their elected NEDs) are not assiduous or diligent in discharging
their responsibilities;

5 See Annex A, Sections 1.7a and 1.10.
6 See Annex A, Section 1.2.
7 See Annex A, Sections 1.2, 1.4a, 1.4b, 1.6, 1.7a, 1.9a and 1.18.

b) Short term financial gain, or the outcome of present operational decisions, may be at
the expense of longer-term sustainable performance; and

c) Emphasis on financial targets may encourage poor management of other assets
(people, subcontractors, investments in technology, safeguarding the planet).

1.2.8 As imperfections and misalignments became clear (often through corporate failures),
additional regulations and codes were introduced. In the last 25 years, for example, there
has been greater emphasis on reporting on Executive remuneration and the evaluation of
Board and Board member performance (Greenbury, R 1995), disclosure on progress in
policies on diversity (FRC, 2012) and whistleblowing (Financial Conduct Authority,
2016), reporting, and risk oversight (Walker, D, 2009; FRC 2009, FRC 2014a, FRC
2016b).⁸

1.3 The Applicability of Corporate Governance Codes Developed for Listed Companies
to other Forms of Ownership and Organisation

1.3.1 It has become increasingly accepted that Corporate Governance codes for commercial
companies offer guidance to other forms of ownership, notably:

a) Privately and family-owned companies, where shares are not listed or offered on an
open market. In this context the owners decide the extent to which they wish to
follow the codes. The governance of these types of organisation is not relevant to
our instructions.

b) Charities, where the Board are ‘trustees’ of the charity’s assets and the charity
commissioners, as regulators, have a key role (acting in a sense for ‘the public’
owners/donors) in setting out corporate governance requirements. These are not
relevant to our instructions.

c) Publicly owned assets, where the owner is the national government (or local
authority) and a major element of funding comes from the taxpayer, sometimes in
combination with additional revenue from commercial activity. The governance of
such publicly owned companies is central to our instructions.⁹

1.4 The Governance of Businesses which are Largely or Wholly Owned by Government

1.4.1 The government has drawn on corporate governance for publicly listed companies to
provide a framework for how an array of public bodies should be governed. To quote,
‘good corporate governance is fundamental to any effective and well-managed
organisation and is the hallmark of an entity that is run accountably and with the
long-term interest clearly in mind’ (HM Treasury, 2005).¹⁰

8 See Annex A, Sections 1.3, 1.12, 1.13, 1.16 and 1.18.
9 See Annex A, Sections 2.3, 2.4, 2.5, 2.10a and 2.13.
10 See Annex A, Section 2.3.

1.4.2 Although there are a variety of accountability relationships (and an NAO (2015) report
hinted at the array and inconsistency in structures), the government may offer specific
guidance on their governance to companies in government. In doing this it borrows from
corporate governance:

a) HM Treasury (2016) guidance on Audit and Risk Assurance in Central Governance,
2016 has this opening sentence: ‘Under the Corporate Governance Code in Central
Government’.

b) Guidance from 2020 between BEIS, POL and UKGI (Department for Business,
Energy and Industrial Strategy, March 2020), specifically provides for Board
Composition governed by the Corporate Code for Government: ‘In line with the
Government Code of Good Practice for Corporate Governance, it is agreed between
the Shareholder and POL that the Board will include a Non-Executive Chair, a Group
Chief Executive, a Chief Finance Officer and a number of Non-Executive Directors
(“NED”), one of whom should be a Senior Independent Director (“SID”).’¹¹

1.4.3 Where the government is the majority or sole shareholder in a company, the government
should establish some way of providing shareholder oversight. This might involve direct
control through appointment of Directors and/or indirectly through a specialist entity.
This was the rationale for the formation of the Shareholder Executive in 2003.

The Shareholder Executive 2003-2016

1.4.4 The Shareholder Executive was created as part of the Civil Service. Originally located in
the Cabinet Office, it subsequently moved into the former Department for Business,
Innovation and Skills. It was given responsibility for managing the government’s
financial interest in a range of state-owned businesses, including Post Office businesses.

1.4.5 It had a combined turnover of £25M in 2007 (National Audit Office, 2007).

1.4.6 Its aim was to improve government’s ability to act as an effective shareholder. An NAO
Report ‘The Shareholder Executive and Public Sector Business’ 2007, noted it was doing
well but could expand to cover all public sector businesses and be given greater
independence from political influence.

1.4.7 The Shareholder Executive ‘Annual Review 2014/15’ described its activities: ‘We
manage the Government’s shareholder relationships with businesses owned or part-
owned by the Government. We offer corporate finance expertise and advice to
Government departments to ensure the taxpayer gets best value from the assets it owns.
We deliver growth and boost the economy in new and innovative ways – via entities like
the Green Investment Bank, investing in green projects, or the British Business Bank,
helping finance markets to work better for smaller businesses’. The corporate finance
aspect of its role appears to be given greater prominence than its corporate governance
role.

UKGI (UK Government Investments) 2016 to Date

1.4.8 In 2016 UKGI was formed from the merger of the Shareholder Executive with UK
Financial Investments (UKFI), under a single holding stand-alone company. UKGI was
placed within the HM Treasury group to offer ‘our unique and invaluable blend of civil
service and corporate finance experience’. It was to be the ‘government centre of
excellence in corporate governance and corporate finance’. (UKGI 2017)

11 See Annex A, Sections 2.3 and 2.10a; Department for Business, Energy and Industrial Strategy, March 2020
in Annex E

1.4.9 The corporate finance function was prominent; it was to have a ‘central part of the
government’s plan to deliver the biggest ever sale of publicly-owned corporate and
financial assets’. It was also ambitiously assertive about its governance role, identifying a
purpose as ‘delivering a shareholder function that seeks to drive continuously improving
and sustainable asset performance’. (UKGI Annual Report 2017).

1.4.10 The UKGI website, as at 11 Jan 2023, reiterates that UKGI ‘act(s) as shareholder for,
and lead establishment of, UK government arm’s length bodies’. It identifies that it will
take the lead in governance by paying attention to the following, which mirror the codes
and practices which are current in commercial companies.

a) Governance structure and documentation: Driving accountability and effective
shareholder relationships by working with assets and departments to put in place best
practice and fit for purpose corporate and government governance frameworks;

b) Objectives, business planning and performance: Supporting and challenging assets
to produce fit for purpose business plans, performance metrics and reporting, and so
drive increased accountability and improved planning between assets and HMG;

c) Corporate capability: Challenging and monitoring our assets’ internal systems and
processes to help identify and mitigate risk and promote best practice internal
governance, culture and organisational health;

d) Effective leadership: Applying senior corporate expertise to influence ALB
recruitment and remuneration processes, Board reviews and succession planning to
help shape strong and fit for purpose capability in our assets’ Boards and Senior
Executive;

e) Effective relationships: Facilitating effective, pragmatic, and transparent
relationships between our assets and government, through formal and informal,
senior-led, regular interactions; and

f) Experienced Shareholder Non-Executive Director: Acting as Shareholder NED,
contributing deep governance and government expertise to our assets’ Boards, and
facilitating the relationship and understanding between asset Boards and their
departments.

Accounting Officers in Government

1.4.11 In parallel with corporate governance requirements, there is the government structure of
Accounting Officers. The Accounting Officer is the person whom Parliament holds to
account for the public spend. It is an individual to whom HM Treasury formally delegates
responsibility for the stewardship of resources used by a government body, including a
specific duty to account to Parliament for how public money has been spent. AOs
personally sign the published financial accounts of their department or organisation and in
doing so, acknowledge that they have a personal responsibility to ensure their
departments and any Arm’s Length Bodies they sponsor operate effectively and to a high
degree of probity.

1.4.12 The Accounting Officer is likely to be the Permanent Secretary in a central government
department. The AO oversees a system of accountability which might include the Chief
Executive of a company wholly owned by the government, whom the AO can designate
to be an Accountable Officer.¹²

Government Companies

1.4.13 Accountability arrangements for government companies are complex.

1.4.14 A government company may be led by an AO and also a Chairman and/or Chief
Executive, who may be one and the same (and may also be a company director). The AO
has personal accountability for the use of public money, but legally, company directors
have a collective responsibility to the company’s owners to manage it on their behalf.

1.4.15 HM Treasury guidance (2012) Managing Public Money recognises the potential conflicts
of interest and provides guidance on managing the ‘sensitivities’ about the role of an AO
in a company.¹³

Values in Public Life

1.4.16 The standards expected of all those who hold public appointments and are employed by
the state are subsumed under the general category of expected ‘standards in public life’.
These ‘Nolan’ principles and standards in public life (Nolan, 1995) form part of the Terms
of Appointment for Senior Executives, Chairs and NEDs of public bodies.¹⁴

1.4.17 On the basis of the sections above, we assume that from 2016 those companies which were
overseen by UKGI were expected to follow the codes as stated. Prior to 2016, the less
codified expectation was that wholly owned government companies with independent
governance would, where possible, follow the corporate code.

1.5 Role of NEDs and Boards in Government Departments

1.5.1 Where the government is the sole or majority shareholder in a company, in addition to
participation at arm’s length, there are also links into the sponsoring government
department. This was arguably more important and direct before the formation of the
Shareholder Executive in 2003; it is however still relevant after 2003 as there were still
formal lines of communication between Arm’s Length Bodies and government owned
companies and their sponsoring department.¹⁵

1.5.2 The governance of sponsoring government departments appears to be influenced by the
corporate governance framework, with the introduction of NEDs and Boards.¹⁶

a) NEDs were introduced to government departments in the 1990s.

12 See Annex A, Sections 2.5 and 2.9.

13 See Annex A, Sections 2.5, 2.9 and 2.11 (NAO 2016).

14 See Annex A, Sections 2.2, 2.11 and 2.12.

15 See Annex A, Sections 2.3, 2.4, 2.5 and 2.13.

16 See Annex A, Sections 2.3, 2.4, 2.11 and 2.13 and HM Government, June 2012 in Annex E

b) Roles were broadly defined in the corporate governance code for central government
departments (and accompanying guidance note).

c) In 2005, the first corporate governance code for government departments
recommended (but did not require) each department to have at least 2 NEDs to sit on
department Boards, which were then chaired by the Permanent Secretary. In 2005
there were 37 NEDs in 14 departments.

d) The 2011 Code significantly revised and relaunched the framework, following a
review of the operation of the civil service.¹⁷

e) In 2011, the Department Boards were now to be chaired by the Secretary of State, not
the permanent secretary. There was to be increasing emphasis on recruiting NEDs
with private sector commercial experience.

f) There was to be an overarching lead NED to convene all NEDs across the
departments.

g) All government department NEDs were to meet from time to time, and ensure
learnings about policy making, governance and management from one department
could be shared with others.

h) NED roles were described in terms of: advice on performance delivery and strategic
leadership and participating in a network to be a conduit for sharing best practice and
innovation.

1.5.3 In 2023, the Public Administration and Constitutional Affairs Committee of the House of
Commons (2023) produced a report on the role of NEDs in government. This is beyond
‘the relevant period’; however, it comments that current trends had their origins in an
earlier time. The report noted the role of NEDs to:

a) ‘Provide advice and challenge to Secretary of State chaired departmental boards on
issues such as strategy, performance and the delivery of policies’;

b) ‘Bring commercial experience into running complex organisations and projects’; and

c) Recommend ways of ‘improving consistency, accountability and effectiveness’.

1.5.4 The report noted that there was little transparency in what the NEDs actually do and
recommended increasing transparency in appointment and operation of NEDs. It
expressed concerns that NEDs were becoming overly politicised, and of questionable
independence, and that there was some function creep to unaccountable areas. The
increasing numbers of NEDs who had been former special advisers to ministers was
noted.

17 See Annex A, Section 2.4.

1.6 Governance and Management Arrangements in, and of, the Post Office Business
1999-2019

1.6.1 This section provides a textual commentary on Annex B, which gives a summary of
governance and management arrangements in the Post Office Business as the authors
currently understand them. It indicates, at a high level, the accountability relationships in
successive stages of ownership. It does not cover specific details, eg in various company
Articles. It is written on the basis of information currently known to the authors and
reflects their current understanding.

Four Levels of Accountability

1.6.2 We are concerned to understand accountabilities at four levels as shown in Annex B.

1.6.3 LEVEL 1: POB (Post Office Business): The Executives and, when present, the
Board, Chair and NEDs who were running POC/L

a) POC/L Executives were directly responsible for running the PO business including
the sub postmasters’ network and the commissioning and roll out of HORIZON.

b) POC/L governance evolved from being an executive team, to having an independent
non-executive chair, to the development of a full board with NEDs.

c) POC/L’s place within oversight and ownership structures, and thus the structures for
accountability, reporting and communication upwards, significantly changed during
the relevant period.

d) POC/L had accountabilities ‘upwards’ to Level 2 (until 2013), to Level 3 (from 2003)
and to Level 4 (the Government) for all the relevant period.

1.6.4 LEVEL 2: OPOB (Intermediate Ownership of POB): The Executives and, when
present, the Boards, Chairs, NEDs of various intermediate oversight (eg POA) and
ownership (eg RMH) entities

OPOB had responsibilities ‘downwards’ to Level 1 (their ‘subsidiary’: POC/L) and
‘upwards’ to Level 3 acting for the government shareholder, to whom they were accountable
for corporate performance and for corporate governance for some of the relevant period,
and to Level 4 (the Government) for the whole of the relevant period.

1.6.5 LEVEL 3: AGS (Active Government Shareholder): The Executives and, when
present, the Boards, Chairs, NEDs of investor organisations (ShEx, UKGI) acting
for the government as shareholder

AGS had responsibilities ‘upwards’ to Level 4, their sponsoring government departments,
‘downwards’ to fulfil the role of shareholders to their investments in Level 1 and/or in
Level 2.


1.6.6 LEVEL 4: Government: The ministers and senior civil servants in the relevant
sponsoring government departments on whose behalf investors were providing
oversight

Government had responsibilities downwards to their statutory authorities (POA until
2001) and their wholly and directly owned companies (variously Consignia, RMH 2001-
12, POL 2012-2020), and within Government, upwards to Parliament.

Three Phases in Accountabilities Between the Four Levels

1.6.7 Simplifying, one can identify three phases during the relevant period. This high-level
summary does not detail specific variations in the transition years between Phases. The
transitions often did not occur at exactly the end of calendar years. We have taken the
dates to ‘the nearest calendar year’ to describe the phases.

1.6.8 PHASE 1: 1999-2001

a) Level 1 and its relationship to Level 2: POC and POL were each a ‘subsidiary’ of
The Post Office Authority, a Statutory Authority, or Consignia plc, a company wholly
owned by the government. POC, and then POL, was one of three principal businesses
within the Post Office Authority and Consignia. POCL’s Articles of Association
provided the POA with powers over POCL, including:

i. Director appointments;
ii. Providing information to the POA;

iii. To do, or refrain from doing, any specific things asked for by the POA Board.

In the absence of any other information to the contrary, one would expect the
Executives of POC to:

i. Agree strategy and goals with POA;

ii. ‘Run their business’ within the strategic and financial parameters agreed with
POA;

iii. Establish the structures, internal controls and culture which will enable POC
operations;

iv. Seek approval from POA for any matters beyond the levels and scope of its
delegated authority; and

v. Report on business performance, key risks and any other matters it
considered the POA should know.

One would expect POC Executive to meet all the formal reporting and consultation
requirements specified in any agreement with the POA, and to maintain sufficient
informal communication, so that POA was alerted to any major concerns which could
jeopardise achievement of goals, predicted financial performance or reputation. One
would not expect POC to have an independent Board.


b) Level 2 and its relationship with Level 4: The Post Office Authority was a statutory
organisation with powers limited to those conferred by statute and overseen by the
Post Office Minister on behalf of the Government. There was no level 3.

1.6.9 PHASE 2: 2001 - 2012

a) Level 1 and its relationship to Level 2: POL Executive was directly accountable to
the Royal Mail Group and during the period, oversight and key decision-making
responsibility sat variously with Consignia Holdings, The Royal Mail Holdings plc
(the Holdings) and the RMG Board (which only met for statutory purposes). Group level
governance is modelled on the corporate governance of commercial companies,
including:

i. A fully functioning Board, a Chair and NEDs;

ii. Group Board committees: including Audit and Risk, Remuneration,
Nomination and Pensions;

iii. Group Executive, headed by the Group CEO with MDs/CEOs of subsidiaries
including POL, and various Group Directors e.g. Finance, IT, and Strategy;

iv. POL adopted new Articles of Association in 2001 which gave Level 2
Consignia (Parent) and Level 3 (the Special Shareholder, the Government)
powers over POL:

- POL upon request to meet the Parent or the Special Shareholder

- POL was precluded from creating a charge or securing government
securities held by it without written consent of the Parent.

b) Levels 1 & 2 and their relationship to Level 4: Appointments to the positions of CEO,
Chair, NED and other Directors would normally be made with the express
approval of the SoS, or a delegated minister. The PAO of the sponsoring government
department could choose if they wished to appoint AOs in government owned
companies within the purview of their department. There would be such other means
of reporting ‘up’ and ‘down’ as were specified from time to time, eg an annual letter,
an annual meeting. The dominant mode of governance was according to the
Corporate Code (LHS of Annex A), whilst acknowledging aspects of the Code for
Government departments and entities (RHS of Annex A).

c) Levels 1&2 and their relationships to Level 3: Various Holding Companies at
Level 2 stood between POC/L (Level 1) and the Government (Level 4). In 2003 the
government created the Shareholding Executive (SHEx) as an AGS at Level 3 to
discharge the government’s shareholder duties. Routes for SHEx to exercise formal
and informal oversight of RMG group, including POL included:

i. Regular meetings;

ii. Regular reports from the Executive on policy matters as well as financial
matters;

iii. Signing off on strategy;


iv. Recruiting Chair, CEO and NEDs; and

v. New articles of Association created in 2000 and in 2002.

The dominant mode of governance was according to the corporate code (LHS of Annex A),
whilst acknowledging aspects of the Code for Government departments and entities (RHS of
Annex A).

d) Level 3 and its relationship to Level 4: ShEx was constituted as a part of
government; its officers were Senior Civil Servants, and the departmental Permanent
Secretary was the PAO who could choose if they wished to appoint AOs in
government owned companies within the purview of their department.

1.6.10 PHASE 3: 2013 - 2019

a) Level 1 and its relationship to Level 2: It was only in the final phase of the relevant
period (2013-onwards) that POL had its own holding company and thus in a sense
Levels 1 and 2 became solely concerned with the POB. Through a change in
corporate structure, POL became a Public Corporation with its own Articles and own
Board of Directors, with an independent Chair, Independent Non-Executives,
including a Senior Independent Director and 2 Executives (CEO and CFO). The POL
Board provided first line of accountability and oversight via:

i. Board committees, including Nominations Committee, Pensions and Senior
Remuneration Committee; Audit, Risk and Compliance Committee;

ii. The CEO established their own ‘Executive or Management committee’,
comprised of CEO and their direct reports, supported by three specific
‘Executive Committees’ as follows:

iii. Risk and Compliance Committee, Transformation and Cost Reduction
Committee, and Pay and Reward Committee.

b) Levels 1/2 and their relationship to Level 3: Relations with Level 3 (AGS) over
2013-2019 are divided into two periods. The POL Board had a shareholder
relationship first with ShEx (until 2016) which had a shareholder NED on the Board
of POL and was located in the government department. In 2016 the government
shareholding responsibilities were transferred to UKGI, itself a government company
wholly owned by HM Treasury and no longer part of the Civil Service. ShEx
continues as in Phase 2 (until 2016) to maintain a relationship with POL including
oversight of, and through:

i. Risk;
ii. Remuneration of senior roles;

iii. Quarterly reviews with CEO and CFO to assess performance against
government objectives, especially around network sustainability;


iv. Shareholder NED on the Board; and

v. POL Articles give Government consent rights over appointment and removal
of Directors, borrowing, approval and implementation of the strategic plan,
disposals and winding up.

In 2016 oversight passed to UKGI, which also had a shareholder NED on the Board of
POL. For 2016-2018, UKGI seems to have acted as the sole shareholder relationship. In
2018, an MOU between BEIS and UKGI made clear that responsibility for Policy
oversight sits with BEIS and Corporate Governance oversight with UKGI. In 2020
(outside the relevant period) this was encapsulated in a formal framework agreement
between UKGI and POL (BEIS, 2020). This is the first time we have seen a formal
framework agreement; however, we have found confirmation that, as the Principal
Accounting Officer, the Permanent Under-Secretary of the Department of Business,
Energy and Industrial Strategy in 2019 designated the POL Chief Executive as
‘Accountable Person for the Post Office Limited’.¹⁸ The First Witness Statement of
Rachel Scarrabelotti, Company Secretary at POL, shows the POL Board Terms of
Reference (POL00362127) for January 2013 as stating ‘the Board remains
accountable for performance to the [ShEx]’ (WITN11120100, paragraph 61). This
suggests that between 2016-2019 the POL CEO was entrusted with the running of the
network. Accountability is also identified in terms of:

i. Shareholder meetings two times a year, to be attended by CEO and CFO of
POL;

ii. POL Board has operational control accountable to the shareholder for the
performance of POL, and is responsible for ensuring public access to 11500
branches;

iii. The Special Share owned by the SoS gives SoS special rights in relation to
meetings, Chair or CEO appointments and removals, the strategic plan,
changes in remuneration, strategies, plan, cashflow;

iv. Group plan to be mutually agreed;
v. Articles; and
vi. Governance guidance (both for Corporate and Accountable Officer).

c) Level 3 and its relationship to Level 4: Whilst ShEx maintained shareholder relations,
the PAO was the DTI Permanent Secretary. From 2016, when UKGI assumed shareholder
relations, UKGI had its own Accountable Officer. In 2019 the BEIS Permanent
Under-Secretary, as the Principal Accounting Officer, designated the POL CEO as
Accountable Person, suggesting that POL AO accountability is to the Department.

Conclusion

¹⁸ Appointment letter, 6 September 2019 to Nick Read from Alex Chisholm, title: ‘Accountable Person:
Instruction from BEIS Permanent Secretary to the CEO of Post Office Ltd on Accountabilities and
Responsibilities’ (POL00288398).


1.6.11 In conclusion, based on the guidance (Annex A) and the information available to the authors,
as summarised in Annex B and in the text above, from 2001 one would expect governance
structures in Level 1 (POB) and Level 2 (OPOD) to be modelled on the corporate
governance of commercial companies, with fully functioning Executive and (where
applicable) Board structures including NEDs, Board committees etc., whilst also paying
regard to aspects derived from their public ownership by the government.

1.7 Questions Arising from Section 1 Relevant to POHI

1.7.11 What codes and principles of governance and management did the principal players
consider they were bound by?

1.7.12 What variation did the principal players see in the governance of a publicly listed
company and governance of a publicly owned company? What impact did this have on
the way they discharged their responsibilities?

1.7.13 How did the principal players perceive the dual accountability of Accounting or
Accountable Officers and membership of Corporate Boards? Were there times and issues
where Conflicts of Interest were manifest and how were they resolved?

And more particularly,

1.7.14 How did the various Holding Company boards in Level 2 and the POL Board navigate,
deal with, and develop the knowledge and understanding to handle the sorts of Conflicts
of Interest which are inherent in the ownership of public bodies by government?


2 Accountability

2.1 Principles of Accountability

2.1.1 Accountability refers to a formal obligation, informal expectation, or voluntary choice to
accept responsibility and to account for one's actions to a third party. The key governance
question to be asked of any organisation is: who is accountable for what, to whom?

2.1.2 Directors of all companies have a wide range of statutory responsibilities under the
Companies Act 2006. Director duties exist in law and apply irrespective of the ownership
of the company. Directors are individually accountable for exercising judgement and
bringing their experience and skills to bear, and collectively accountable for the
performance of their organisation.

2.2 Board Accountabilities Arising from the Corporate Code

The following summarises the key accountabilities in the Combined Code and identifies any
deviations for the post office businesses.

Board as a Whole

2.2.1 UK custom is to have a unitary Board, in which NEDs are in the majority, and the CEO,
and possibly other Executive Directors, sit as full voting members of the Board.

2.2.2 Where the company is a subsidiary of a company with a unitary Board, for example, as
was the case of POL when it was a subsidiary of RMH, the parent company may choose
to establish a subsidiary Board and may choose to appoint NINEDs and/or NEDs of that
board, but is not normally obliged to do so. Should a subsidiary Board be established, the
Parent will determine its composition, powers and relationship with the parent board.

2.2.3 The Board is typically accountable to shareholders through annual reports presented at
AGMs and relevant votes thereon, and any non-routine reports or proposals on which a
shareholder vote, or approval, is required through a shareholder general meeting or vote.¹⁹

2.2.4 The Board, as a whole, is accountable inter alia for:

a) Providing oversight and overarching Governance, Risk and Compliance (GRC)
frameworks;

b) Nominating the Chair, who will subsequently be elected by a shareholder vote in
commercial companies and whose appointment would be approved prior to
appointment by ministers in government companies;

c) Hiring and firing the CEO (Chair and NEDs only);

d) Approving the strategy;

e) Approving the corporate risk register;

¹⁹ See Annex A, Sections 1.1, 1.2, 1.6, 1.7a and 1.11 for a selection of guidance on shareholder communication


f) Announcements and proposals for shareholders;

g) Annual report and annual financial statements;

h) Executive remuneration policy, schemes, awards and clawback;

i) Oversight of operational performance, including through reports of ‘necessary items’
(e.g. financial and risk reports), and suggested or requested reports which the Board
chooses to review (e.g. staff or customer satisfaction surveys, or reports on major
projects);

j) Review, approve and scrutinise certain policies which must be held at Board level,
e.g. whistleblowing, health and safety, modern slavery; and others which the Board
choses to hold at Board level;

k) Approval of ‘matters reserved to the Board’;

l) Note (and enactment) of requirement of any matters which require a shareholder vote,
or in the case of public bodies, approval from relevant government minister or
Accounting Officer;

m) Approval of schemes of delegation for decision making: identifying people or
positions and scale of items, usually in financial terms;

n) Approval of Board Committee structures: number, remit, membership, and terms of
reference;

o) Ensuring that Board members have appropriate knowledge, skills and expertise to
fully participate in Board and Board Committee work, including arranging for
induction of new members and ongoing training of all members;

p) Approval of nominations for Board Committee membership;

q) Receipt, discussion and approval of Board Committee reports;

r) Review and evaluation of the effectiveness of the Board and its members; and

s) Establishing working groups and other ad hoc arrangements for specific purposes and
projects, where the Board considers their oversight responsibilities need special
focus.²⁰

Board Committees

2.2.5 Boards will establish several committees, to which it will delegate certain responsibilities.
The following Board Committees are normally constituted:

a) Audit committee (BAC) (a requirement of the Corporate Code);

²⁰ See Annex A, Sections 1.1-1.19 and 2.3, 2.4, and 2.13.


b) Remuneration committee (BRemC) to determine remuneration of Senior
Executives (a requirement of the code);

c) Nominations committee to nominate people to be Board members and Board
Committee members; and

d) Risk committee (BRC) required by regulation in financial institutions, voluntary
for non-financial institutions. Where there is no BRC, Board risk responsibilities
are usually handled through a combined Audit and Risk Committee.

2.2.6 Other Board Committees may be approved from time to time for example, Environmental
and Social Responsibility, Ethics, Compliance committees.

2.2.7 Whatever the board committee structure, the Board should pay attention to ensure
coverage of key areas for the business and to avoid confusing ‘duplication’ or ‘gaps’
between committees.

2.2.8 The terms of reference (including powers and delegated authority) and membership for
each Board Committee should be published on the company website.

2.2.9 The Chair with support of Company Secretary is responsible for ensuring all committees
have sufficient support to conduct their business effectively, e.g. with timely and
appropriate papers and minutes.

2.2.10 Each committee should, inter alia:

a) Report to the Board on the nature and content of discussion, on
recommendations, and on actions to be taken;

b) Oversee any investigation of activities which are within its terms of reference;

c) Work and liaise as necessary with other Board Committees to maintain links and
manage overlaps between Board Committee responsibilities;

d) Ensure that each committee should have full knowledge of work of other
committees through reports to the Board and, if possible, by appointing at least
one member of a committee to each of the other committees;

e) Committee Chairs should seek engagement with shareholders on significant
matters related to the committee’s areas of responsibility at AGMs and other
times;

f) Ensure a periodic evaluation of the committee’s performance is carried out;

g) At least annually, review its constitution and terms of reference to ensure it is
operating effectively, and recommend any changes it considers necessary to the
Board for approval; and

h) Ensure minutes of all Board Committees, once approved by the committee, are

made available to all members of the Board.


2.2.11 Committees may:

a) Request the attendance of any employee at a meeting of the committee and/or
seek any information it requires from any employee of the company to perform
its duties; and

b) Obtain, at the company’s expense, independent legal or other professional advice
on any matter within its terms of reference if it believes it necessary to do so.

2.2.12 The effectiveness of the Board Committee structure depends inter alia on:

a) Clarity of specific terms of reference and how to handle inter-committee
interests; and

b) Relationships and communications: ensuring open two-way communications
and good relationships between the Board Chair, Board Committee Chairs, NEDs
and the CEO.²¹

2.2.13 Specific responsibilities of the Board Audit Committee are discussed in Section 3, Board
Risk Committee in Section 4 and Remuneration Committee briefly in Section 8.4:
Culture.

Chair of the Board

2.2.14 Chairs are accountable to those who appoint them (shareholders in listed companies or
ministers in government owned organisations).

2.2.15 On appointment Chairs will be declared either: Independent (i.e., having played no
executive part in the company or its owner prior to appointment) or Non-Independent
(i.e., having played an executive part in the company or its owner prior to appointment).

2.2.16 Once the Chair has taken up office their independent status may change. As reflected in
their letter of appointment, they may become:

a) Non-Executive and still Independent, as they have no part in the operations of the
company;

b) Non-Executive (but not Independent); and

c) Executive, where they take explicit Executive responsibility, and the named
Senior Executive (normally CEO or MD) has a subordinate executive
accountability to the Chair.

2.2.17 Chairs are accountable for the running of the Board, i.e. for ensuring that the Board:

a) Through its conduct of business, fulfils its accountabilities in a timely and
effective way;

²¹ See Annex A, Sections 1.7a, 1.13, 1.18, 1.9a, 2.3 and 2.4 for guidance on roles


b) Maintains a balance between its strategic responsibilities and oversight of
operational matters, for which the Executive is responsible;

c) Maintains a balance between oversight and scrutiny, on the one side and support
of the Executive team on the other. This is especially important in determining
how the Board handles ‘bad news’ or crises (see Sections: 6 Whistle Blowing, 8.4
Culture and 8.5 Communications);

d) Reviews its effectiveness, including the effectiveness of individual directors and
takes account of such reviews in proposing changes to the conduct and culture of
Board meetings;

e) Ensures there is active succession planning for the CEO and, with the CEO, their
Executive Board colleagues, and all other Board members, i.e. SID, INEDs and,
where applicable, NINEDs (however, in cases like the Post Office Businesses,
NINEDs will be appointed by the owner/oversight body or sponsoring
government department and the Chair may have little say in their appointment);
and

f) With the Company Secretary, ensuring that movement on and off the Board is
accompanied by appropriate induction (training and familiarisation with duties of
Board membership and company strategy, operations and risks) and exit
(confidentiality, equipment, access controls) procedures.

2.2.18 The Chair plays a vital part in building trusting, productive relationships within the Board
and particularly with the CEO, the CEO’s Executive team and the NEDs.

2.2.19 The Chair/CEO relationship is especially important. It includes formal aspects, e.g:
a) Leading on the hiring and, if so determined by the Board, firing of the CEO;
b) Conducting CEO annual appraisals; and

c) Making recommendations, or providing comment, on CEO remuneration and
reward.

2.2.20 And informal aspects, e.g:
a) Being a ‘sounding board’ for ideas;
b) Responding to requests for advice;
c) Offering advice; and

d) Giving and receiving feedback on any aspect of individual and corporate
performance.

2.2.21 Being supportive, does not mean condoning bad behaviour or major errors. It does mean

listening, not jumping to blame, whilst fully scrutinising reports and events, and ensuring
clear ‘follow up’ reporting and scrutiny.


2.2.22 Similar relationships may characterise the Chair’s relationship with members of the
CEO’s Senior Executive team. If Executives are members of a unitary Board, they have
individual responsibilities as Board members and (technically) an independent
relationship with the Chair and other members. They also have Executive responsibilities
for which they are accountable to the CEO as their operational ‘boss’. If Senior
Executives are not members of the Board, their accountability is singly to the CEO.
Nonetheless the Chair, with the support of the CEO, will probably seek to establish good
informal relationships with other senior executives.

2.2.23 The Chair’s relationship with NEDs as individuals, and as an informal collective, should
be open and productive. Some groups of NEDs like to meet with the Chair without the
Executive Directors present as a matter of course, so that when crises or matters of great
confidentiality arise, and the Chair or a NED decides they cannot or should not be shared
with the whole Board, ‘NED-only’ slots are already a normal part of Board life.

2.2.24 ‘NED-only’ sessions, whether routine or by exception, can be sources of tension and
suspicion between the Executive and the NEDs; the Chair’s role in mediating this
relationship and aiming to keep it open and productive is important.

2.2.25 Depending on remuneration and evaluation policies and procedures and the remit of the
remuneration committee, the Chair and NEDs may meet at least annually to consider and
decide:

a) The evaluation of CEO performance;
b) The setting of CEO objectives for the next year; and
c) Approval of the CEO remuneration proposals from the Remuneration Committee.

2.2.26 At times of CEO succession, the Chair and NEDs are likely to meet to consider the
essential and desirable specifications for the next incumbent, and to be involved as agreed
in the search, selection and appointment process.

2.2.27 The Chair will also:

a) Consult with NEDs on committee membership, ensuring they have the skills,
induction and training which will enable committee members to be effective;

b) Conduct reviews of individual NED performance and provide feedback on areas
for development;

c) Ensure relationships are sustained with representatives of any ‘intermediate’
ownership or oversight entity (e.g. RMH, UKGI, Government department)
including discussing appointments and expectations of NINEDS to serve on the
Board; and

d) Cooperate with the SID in an annual evaluation of the Chair’s performance and,
expect and participate in feedback from that evaluation.

2.2.28 The debate about how much time Chairs should give to the Board and whether they can
Chair more than one Board has swung around over the relevant period. Between 2003 and
2008 the guidance restricted Chairs of FTSE100 companies to chairing no more than one
FTSE100 Board. The Chair, like all Board members, must assure the Board that they have
sufficient time to be actively engaged in their Board roles.²²

Non-Executive Director

2.2.29 NEDs do not have any responsibility in day-to-day operations of the company. They
receive remuneration at agreed levels for their Board membership, but not as employees
of the entity. They fall into 2 groups:

a) INEDs are Independent of any part of the operations including being independent
of any Executive or Board responsibility in any oversight or ownership entity.
They are accountable to the Board and the owners for:

i. Bringing an independent perspective to the Board; and

ii. Bringing specialist relevant experience/expertise to the Board.

b) NINEDs: May be EITHER:

i. Nominated by shareholders, with whom they have some special
relationship, e.g. through employment or as special representatives. The
nominating shareholder expects they will:

- Keep the shareholder regularly informed about matters of
concern;

- Keep the shareholder in touch with what is going on in the
business;

- Consult with the shareholder prior to major decisions;

- Create and sustain 2-way communication channels between the
Board (especially Chair and CEO) and the shareholder; and

- Like their INED colleagues, bring their own specialist relevant
experience/expertise to the Board.

OR

ii. Have previously held executive positions in the entity or its owner in the
recent past. Nonetheless, the Board judges that their special expertise,
experience or networks are of such value that they should be retained in a
Non-Executive capacity. Their appointment would require ‘explanation’
to shareholders as it would not comply with the code, which indicates
that their very involvement in the operations of the company may cloud
their views on what is in the best future interest of the company. For
example, in the recent past, they are likely to have been in part architects
of the strategy and responsible executives in operational matters which
will come under board scrutiny.

²² See Annex A, Section 1.10.


Senior Independent Director

2.2.30 Since Hampel (1998), it has been normal for the Chair to consult with NEDs about
selecting a NED to serve as SID, to be accountable to shareholders and the Board, for:

a) Stepping into Chair role in the Chair’s absence;

b) Convening the nominating process for the ‘next’ Chair;

c) Convening the process for evaluating the Chair’s performance;

d) Ensuring an avenue ‘independent’ of the Chair, for representatives of
shareholders/owner/oversight entities to raise concerns about the Chair or the
company;

e) Working with the Chair to develop/oversee the process of Board evaluation;

f) Acting informally as a ‘convenor’ of the NEDs if they wish to raise issues with
the Chair; and

g) Acting informally for any Board member to raise concerns about the conduct of
business of the Board.²³

Chief Executive Officer
2.2.31 The CEO is accountable to the Board for:
a) Bringing forward strategic proposals;

b) Running the Company and its business, providing operational leadership,
management and oversight of all functions, departments and delegations;

c) Creating an organisation structure, and as appropriate restructure, which is fit for
purpose for the business, reflecting strategy, priorities and risks, so that
appropriate operational oversight and direct management is secured and
maintained;

d) Ensuring an organisation structure in which all employees know to whom they
are accountable, with ultimate Executive accountability resting with the CEO;

e) Sharing plans for Senior Executive succession planning;

f) Consulting or informing the Board on Senior Executive appointments at one level
down from the Board;

g) Ensuring the financial viability of the business and reporting deviations from

plan;

²³ See Annex A, Section 1.4a.


h) Active management and reporting of the corporate risk register, in light of
changing circumstances;

i) Ensuring crisis and risk mitigation and contingency plans are up to date and can
be realistically deployed;

j) Ensuring good communications with the Board about operational matters,
through regular and exceptional reporting and follow up;

k) Meeting expectations about the communication (receipt and supply) of real, or
potential, bad news;

l) Setting and living the culture and values which guide behaviour in the
organisation. In this matter, the CEO’s role is crucial but not solo, it is much
influenced by their experience of relations with the Chair and their observations
of behaviour within the Board (see Section 8.3 Culture);

m) Playing their part in building open trusting relationships within the Board; and

n) Paying close attention to communications within the organisation (see Section
8.5) and with stakeholders (see Section 7).²⁴

Other Executive Board Members (e.g. CFO, COO, CRO)

2.2.32 The number and remit of additional Executive
Directors on the Board is a matter for the CEO to agree with the Chair and Board. If
appointed, they share in generic Board membership duties and powers and (technically)
have an independent relationship with the Chair and other members. They also have
Executive accountabilities directly to the CEO as their operational ‘boss’. If Senior
Executives are not members of the Board, their accountability is singly to the CEO.

Company Secretary

2.2.33 A Company Secretary is an officer who is appointed by the company’s directors to advise
the board on all governance matters and codes.²⁵ They will normally seek to ensure
compliance with the company’s legal obligations. Their accountability is to the Board
and the Chair to ensure that all appropriate governance measures are brought to the
Board’s attention. As regards the functioning of the Board, they are technically
independent of the CEO, and accountable to the Chair. However, as an Executive
colleague (and in a sense subordinate to the CEO) they need a very good working
relationship with the CEO, who is likely to be very influential in their relationship.

2.2.34 A Company Secretary’s accountabilities normally include:

a) Maintaining the company’s statutory books, including registers of directors and
shareholders;

²⁴ See Annex A, Sections 1.2, 1.4b, 1.7a, 1.11 and 1.12 for the role of the CEO in the board
²⁵ See Annex A, Institute of Directors, 2018 (Annex E)


b) Working with Chair to ensure that all Board members are aware of their duties
and powers;

c) Providing secretarial services to the Board and all its committees, including
arranging meetings and minuting meetings;

d) Working with the Chair on the Board agenda; and

e) Arranging participation of non-Board members for specific items in Board
discussions (including handling sight of relevant minutes, timing of Board
appearances, follow up).

2.3 The Role of the Shareholder

2.3.1 Shareholders should be the quiet drivers of governance. Technically they are all powerful
in that it is they who elect (or appoint, in government owned companies) the Board who
will approve the strategy and oversee operations to a plan which will have been approved
by the shareholders at the AGM, or by some other means in Government owned
companies e.g. via an Annual Letter or Review.

2.3.2 In publicly listed companies, the shareholder who is dissatisfied with the company’s
performance, or has no faith in the strategy, or considers the risks to the business are
outside their own risk appetite, can consider four options.

2.3.3 The first is to have informal discussions with the Chair or SID, to express their disquiet
and seek to influence the Board in its proposals about Board membership, strategy,
operational oversight and financial plan. This is available to the government as
shareholder, although there is always sensitivity about undue political influence and is
one reason why the ‘intermediate’ role of an oversight/ownership body is attractive to
governments. Nonetheless where the government is the shareholder, it should understand
and enact such means as it can, in order to ensure its views are known.

2.3.4 The second is to cast their votes against the recommendations of the Board for the
appointment of the Chair or other Board members, thus voting to change the Chair, Non-
Executive or Executive members of the Board.

2.3.5 The third is casting their votes against other recommendations of the Board, e.g. voting
against the annual report, voting against accepting the accounts, voting against the
remuneration report or voting against any other motions put before the AGM, or EGM.

2.3.6 The fourth, one might say ultimate, option is to sell the shares. This is not one which is
likely to be undertaken lightly, as it may impact the company’s share price and business
viability. But it is always an option. This option is not readily available to the government
as the sole shareholder. There are of course instances where a publicly owned company is
sold through a public listing or private sale. This requires the business to be able to
demonstrate it could survive, or even thrive, in the commercial space. Furthermore, where
the company is considered to provide a public service, a possible sale becomes a major
political matter with arguments arising, for example, over the safeguarding of citizens’
access to public services. For these reasons, one could argue that the shares the
government holds are much more ‘sticky’ than those held by shareholders of publicly
listed companies, and that this should incline the government, as shareholder, to be even
stronger in its shareholder role in holding the Board of government companies to account
for their current performance and future strategy.²⁶

2.4 The Role of the Executive (CEO and Senior Leadership Team)

2.4.1 In listed companies, where corporate governance codes unequivocally apply, the CEO
will (and possibly other Executives may) be part of the Unitary Board. In addition to their
Board responsibilities, they crucially have individual Executive responsibilities and
accountabilities to run the business of the company.

2.4.2 These executive responsibilities include proposing strategy to the Board, establishing
structures, internal controls, communication networks and culture within the company to
enable it to meet its strategic goals, including maintaining oversight of all its business
lines and holding all management lines to account for their performance, including their
risk management.

2.4.3 Executives typically make choices about the type of structure they adopt on the basis that
they believe some forms are more appropriate (a better fit) for some types of work,
bearing in mind the history, culture and performance of their business.

2.4.4 By way of illustration, one can identify some basic choices about distinct and yet
interactive organising principles. One example is where to place the organisation on a
scale from centralisation to decentralisation for executive action and decision making,
that is, the extent to which the organisation is hierarchical/pyramidal or ‘flatter’.

2.4.5 The flatter the organisation, the more there is dependence on the knowledgeability and
capability of people in the organisation to act relatively autonomously, in situations for
example where there is a need for timely, innovative solutions to problems.

2.4.6 Another choice would be the relative dominance in executive reporting lines and
decision-making structures given to product lines, functions, or major projects.

2.4.7 There is no one universal right way to organise; restructures occur over time, fashions
change and there is often a blend of different principles. It is the Executive’s job to
determine at any time, the structure, systems and processes which they consider best
enables them to achieve the organisation’s goals and strategy, given history, culture,
performance and stakeholder pressures.

2.4.8 CEOs often establish their own ‘Executive Committee’ (or similarly named grouping)
which constitutes their Senior Executive Leadership team of first line reports. The
Executive Committee would normally sit at the apex of lines of management
accountability throughout the business. Its membership and terms of reference are
normally listed on a company’s website.

2.4.9 Where the company is a subsidiary of a company with an independent Board, as in the
case of POC and POL when it was a subsidiary of RMH, the Executive of the subsidiary
is still expected to ‘run’ the subsidiary company in ways, and within limits, given by the
Board of the parent company and, if it exists, the board of the subsidiary company.

26 See Annex A, Sections 1.2, 1.6, 1.7a and 1.11.

2.4.10 Where there is no Board with NEDs, in situations where there are no external
shareholders, or the shareholders that own unlisted stock in the company do not wish to
have independent representation on a Board, the appointed or self-appointed Executives
are still required to run the company in accordance with relevant laws and regulations.

2.4.11 In summary one may say that Executives have responsibilities and accountabilities to ‘run
their businesses’ whatever the ownership. Variation in ownership impacts reporting and
oversight, but not the basic requirement to ‘run the company’.²⁷

2.5 Strategy: The Heart of Board and Executive Accountability

2.5.1 Strategy provides the framework for determining future direction, evaluating past
performance, and determining the scale and nature of business operations.

2.5.2 The Board’s role is to discuss, approve, review and evaluate the company strategy and the
underlying business model.

2.5.3 The Executive’s role is the operational management of company resources to deliver the
business plan and corporate strategy. It is also accountable for providing data which will
enable the Board to oversee the Executive’s operational management of the business.

2.5.4 The Shareholder’s role is to approve (or not) the Board recommended strategy, as it is put
as part of the narrative reporting in the Annual Report, and as it is reflected in the
financial and risk statements and any other recommendations from the Board.

Approval by the Board

2.5.5 The Board’s process for approving strategy is normally undertaken in the context of sets
of papers provided by the Executive, which will include commentary on past and present
business context and performance, and proposals looking out 3-5 years.

2.5.6 A short-term business plan and annual budget for the next financial year is normally the
most granular part of future plans. It is the delivery of this 1-year business plan and
budget to which the Executive will be specifically held to account within any one year.

2.5.7 The 3-5 year outlook provides a view on the direction of travel and an early look at
operational demands. Within the forward plan, the Executive would normally provide an
account of present and past performance, including:

a) Review of business performance (financial and non-financial), having regard to
agreed strategic plans and goals;

b) Review of business landscape (including competitors, stakeholders, customers,
regulators), to provide foundations of a SWOT (Strengths, Weaknesses,
Opportunities and Threats) analysis, which leads inter alia to a

27 See Annex A, Section 1.1.

c) Review of Risks (in terms of probability and degree and direction of impact) and
Mitigants; and

d) Review of internal capabilities (workforce skills, organisation structure, current
technology).

2.5.8 And a summary of future plans, including:

a) Plans for the business (areas for growth, innovation, retrenchment, exit, entrance)
and associated risks;

b) Resourcing plans (for workforce, skills, technology, business as usual structure,
major project management structure) to deliver the plans for the business, within
the parameters of:

c) Financial plans (income and expenditure); and

d) Capital plans for major investment, including any major projects which are
materially significant for the business.

2.5.9 The Executive also needs to assure the Board that:

a) They can provide sound progress data, giving line of sight to key risks and
operational performance;

b) The company has the financial resources and operational capabilities (e.g.
structures, skills, contracts) required to realise the strategy, including sourcing
any significant technical or other specialist knowledge, systems and equipment
from third party contractors; and

c) Where third party contractors are key to the strategy, the contract is fit for
business purpose, and they have a management approach to contract delivery
which is aligned with the delivery of strategic plans: on time, within budget and
to the required costs.

Reporting and Review

2.5.10 The Board will agree the frequency and nature of reports, through which the Executive
will keep the Board informed of progress with realising the strategy.

2.5.11 This is normally done annually, often facilitated by a ‘Board away day’, in which there
will be free wide-ranging discussion without any of the ‘normal’ operational agenda
items. Should the company hit serious unanticipated problems or opportunities which
require a mid-year reappraisal of the strategy, or a revision of the current plan, additional
sessions for strategy review and business re-planning should be incorporated into the
Board’s meeting schedule.

Reporting Performance

2.5.12 Reporting progress against strategic targets and plan objectives is the Board’s consistent
source of knowledge about in-year business operations, performance, and risks. Where
unexpected/unplanned serious operational matters arise which threaten the delivery of
strategic and operational plans (inter alia because of crystallisation of financial or
reputational risk), key questions are:

a) When and how did the CEO and Senior Executive team become aware of the
issue, how did they handle the emerging problems and, crucially, when and if the
CEO informed the Chair, and when and if the Chair (or CEO) informed the
Board; and

b) What are the reasons and detail of any required replan, and in particular, does the
Board consider the Executive should have foreseen the obstacles which are now
appearing, and are they capable of rectifying them?

Judgement, Culture and Communication

2.5.13 Statements of Board accountability for the development, approval and oversight of
strategy, and of Executive accountability for the operational management of the company to
realise that strategy, are clear in governance codes and in many companies’ annual
reports. However, what actually happens in any organisation is that the statements will be
understood and enacted by the players in various ways, which will be much influenced by
the culture and communication landscape which is both a legacy of the past and the
ongoing creation of current players (see Sections 8.4 Culture and 8.5 Communications).

2.6 Questions Arising from Section 2 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which
ran and oversaw POC/L. The questions below are taken to apply to all relevant organisations in
the chronology.

2.6.1 On matters of Strategy, what were the mechanisms for reporting and feedback in the
chain of oversight and ownership described in Annex B, e.g., the use of Annual Reports,
AGMs, Regular and ad hoc meetings, Regular reports, Annual appraisals? With what
consequences and follow up?

2.6.2 On matters of Operations, what were the mechanisms for reporting and feedback in the
chain of oversight and ownership described in Annex B, e.g., the use of Annual Reports,
AGMs, Regular and ad hoc meetings, Regular reports, Annual appraisals? With what
consequences and follow up?

Particular Aspects of POC/L Structure

2.6.3 Where did oversight of, and accountability for, the investigations and prosecution
functions lie? How was this accountability demonstrated?

2.6.4 Where did oversight of, and accountability for, the contractual and personnel management
of SPMs lie? How was this accountability demonstrated?

2.6.5 Where did oversight of, and accountability for, the response to the growing body of
evidence that there were faults in the Horizon system which made its records unreliable, lie?

3. Monitoring and Audit

3.1 Introduction

3.1.1 Requirements for monitoring and audit are embedded in company law and regulation and
custom and practice. Executives are required and expected to monitor and report on the
financial flows in and out of the company, including verifiable data to show such things
as their tax liabilities and payments, their turnover, allowable expenses and profit - in
simple terms how they have acquired and spent money.

3.1.2 As the complexity of a business grows and ownership structures provide for the
separation of ownership and control, the way Executives need to account for their
finances becomes more complex, and subject to more regulation, which becomes both
more specific and extensive. Additional requirements for reporting non-financial aspects
of the company’s operation also develop over time, for example with regard to money
laundering, equality, and modern slavery.

3.1.3 Monitoring and audit have become part of the normal functions expected in all
companies. The perspective is predominantly one of looking back, accounting, with clear
data, for what has happened in the last financial year and detailing compliance with legal
requirements. An underlying assumption is that by requiring accounting for past
performance, one inculcates behaviours which ensure compliance in the present.

3.1.4 As requirements for Boards and Executives to assess risks to the company, and internal
operational, as well as strategic, imperatives to look forward, became evident, the work of
audit expanded to include requirements to assess risk, for example, confirming the ‘going
concern’ requirement, solvency and liquidity risk and non-financial risk (Financial
Reporting Council, 2009, Financial Reporting Council, 2016a, 2016b) and
recommendations to increase transparency with stakeholders.²⁸

3.1.5 This section concentrates on monitoring and audit. It deals with risk in so far as Audit has
responsibilities for reporting and assurance of risk. Risk management saw significant
developments during the relevant period, and these are the subject of section 4.

3.2 Guidance on Monitoring and Audit in Public and Private Bodies

Guidance on Corporate Monitoring and Audit

3.2.1 Guidance on corporate monitoring and audit has developed over time.

3.2.2 Early codes focused on audit and in 2002, the FRC established a committee headed by Sir
Robert Smith (Smith, R, 2003) which developed the existing guidance for audit
committees. The purpose of the audit committee was to:

a) Monitor the integrity of the accounts.

28 See Annex A, Sections 1.4b, 1.5, 1.7a, 1.7b, 1.11a and 1.17.

b) Review internal financial control and risk management systems.

c) Monitor and review effectiveness of internal audit; where there is no such function
there should be an annual review of the need for this.

d) Recommend to the board the appointment of the external auditor; approve auditors’
remuneration and terms of engagement.

e) Monitor external auditors’ independence, objectivity and effectiveness.

f) Develop and implement policy regarding use of external auditor to supply non-audit
services.

g) Ensure that appropriate plans are in place for the audit.

h) Review the external auditors’ findings.

i) Review significant financial reporting issues and judgements involved in the
preparation of:
o Annual accounts;
o Interim accounts;
o Preliminary announcements;
o Other formal statements.

j) Review clarity and completeness of disclosures in the annual accounts.

k) Where the audit committee has concerns about any issues within its remit it should
refer these to the board.

3.2.3 The Combined Codes (1998, 2003) noted that the Board is entrusted to uphold 3 core
principles. Boards should:

a) Present a balanced and understandable assessment of the company’s position and
prospects;

b) Maintain a sound system of internal control to safeguard shareholders’ investment
and the company’s assets; and

c) Establish formal and transparent arrangements for considering how they should apply
the financial reporting and internal control principles and for maintaining an
appropriate relationship with the company’s auditors.

3.2.4 The Turnbull (1999) Guidance provided the original framework for overseeing internal
control and risk management systems.

3.2.5 In 2005 the Turnbull Guidance was updated as ‘Internal Control: Guidance for Directors
on the Combined Code’ (FRC 2005).

3.2.6 In 2014, the FRC's Risk Guidance²⁹ combined Turnbull³⁰ and ‘Going Concern and Liquidity
Risk: Guidance for Directors of UK Companies’ (FRC 2014a).³¹ It superseded the
Guidance for Directors of Listed Companies that was issued in 1994. The 2014 guidance
reflects a stronger role for the Board on internal controls, driven by its strategic
responsibility for risk.

3.2.7 The Board must ask itself: what risks face the organisation? And then two further
questions follow: which controls are significant? How do we assure ourselves on these
controls? The Board should now provide absolute clarity on where responsibility for
providing and assuring internal controls sits (i.e. with the risk or audit committee).

3.2.8 In some companies, assurance on internal controls will be provided by internal audit.

3.2.9 Some companies develop assurance maps to identify the different sources of information
around the key risks and controls.

3.2.10 In 2016 the FRC³² gave specific guidance in relation to Group Audit (i.e. where there is a
group parent and subsidiary companies), indicating it will usually be necessary for the
audit committee of the parent company to review issues that relate to particular
subsidiaries or activities within the group (FRC 2016a).

3.2.11 The 2019 Brydon review³³ into the quality and effectiveness of audit contributed to the
Government’s commission on restoring trust in governance (Restoring Trust in Audit and
Corporate Governance, Department of Business, Energy and Industrial Strategy, 2022).
These highlighted that a stronger controls framework was required to help directors take
control of their own internal controls, especially key elements of assurance, risk and
fraud.

Government Guidance on Auditing Public Money

3.2.12 The chronology on the right-hand side of Annex A deals with accountability for public
money. However, in 2001 POL became a subsidiary company within Consignia, which
subsequently became RMH, as shown in the more detailed chronology in Annex B. Since
2001 Corporate Governance guidelines have been dominant, and guidance on auditing
Public Money has been secondary.

3.2.13 The auditing of public money and efficient use of ‘taxpayer’ resources is an important
part of the accountable relations in public bodies. Accountability for public money is
maintained at every level all the way up to Parliament thus:

a) All public bodies have a board which is usually chaired by a Non-Executive
director with significant board experience (Accountability to Parliament for
taxpayers’ money, NAO, 2016);

29 See Annex A, Section 1.14.
30 See Annex A, Section 1.5.
31 See Annex A, Section 1.15.
32 See Annex A, Section 1.17.
33 See Annex A, Section 1.19.

b) A public body’s audit and risk assurance committee (ARAC) is responsible for
assuring the Board as to the standard of governance and risk management;

c) Some Executive agencies, that are more closely aligned with their sponsor
department, may have a purely Executive Board, without NEDs, and without
their own ARAC, in which case the ARAC of the sponsor department will
provide the agency with assurance on standard of governance and risk
management;

d) While ministers must account to parliament for the performance and “overall
effectiveness and efficiency” of the public body, the Principal Accounting Officer
(normally the departmental permanent secretary) is accountable for the
management of public money delegated to the department, including spending by
its public bodies;

e) The Accounting Officer (AO) in the Central Department (usually the Permanent
Secretary) will be held to account by Parliament sometimes directly, or
alternatively through an intermediary like the Public Accounts Office;

f) HM Treasury (2012, 2018) outlines the expectations and duties of AOs in its
guidance on Managing Public Money, including the principles underpinning the
role;

g) In Arm’s Length Bodies and other Executing Agencies, it is traditionally the Chief
Executive who is the Accountable Officer
(https://www.instituteforgovernment.org.uk/article/explainer/public-bodies-scrutiny-accountability);
and

h) While the ultimate responsibility lies with those in the sponsor department, public
body leaders can be called to account to parliament, usually through the relevant
select committee, for their decisions and are “personally responsible and
accountable to Parliament for the use of public money” (Institute for
Government, 2022).

3.2.14 In this way, a virtual chain of accountability for public money ideally runs all the way up
to Parliament from executing agencies.

3.2.15 The Permanent Secretary for DTI was the Accountable Officer whilst ShareEx was
performing shareholder functions within DTI.

3.2.16 The ARAC in central government departments supports the Accountable Officer in audit,
risk and internal controls. The scope of the ARAC and its relation to audit are
closely modelled on the corporate requirements on companies for their Annual Report.

3.2.17 The ARAC Chair has a pivotal role in keeping a close eye on how well the system of
internal control, governance and audit is working. Because not all work happens in
committees, the ARAC Chair should meet regularly, bilaterally, with the Accounting
Officer, Director of Finance, the head of Internal Audit and the External Auditor.³⁴

34 See Annex A, Sections 2.2a, 2.3, 2.4, 2.10a and 2.13 for guidance on audit in public bodies.

3.3 Board Audit Committee (BAC)

Functions and Duties of BAC

3.3.1 Establishment: The Code states that Boards should appoint an audit committee with
clear Terms of Reference.

3.3.2 BAC Membership: Members are appointed by the Board to be a minimum of three
independent Non-Executive Directors (two for smaller companies). Since 2018, there
should be at least one member with recent and relevant financial experience. The audit
committee as a whole should have competence relevant to the sector in which the
company operates.

3.3.3 With the emergence of risk as a major governance consideration in 2010 (FRC 2010),³⁵
BACs often specifically included risk in their title and Terms of Reference, unless and
until a separate BRC is established. (Risk management is the subject of section 4,
although there is inevitably some overlap in this section).

3.3.4 Boards should determine and publish the BAC Terms of Reference on the company’s website.
Many BAC duties are prescribed, others may be added by the Board. Some duties required of
the Board, which interact with monitoring and audit, may be carried out by another Board
committee. BAC Duties normally include:

a) Financial Reporting: Monitor and approve all financial statements, review and
report to the Board on significant financial reporting issues and judgements
contained in those statements, having regard to matters communicated to it by the
external or internal auditor, paying attention to:

i. The clarity and completeness of disclosures and the context in which
statements are made;

ii. All material information presented with the financial statements,
including the strategic report and the corporate governance statements
relating to the audit and to risk management.

b) Narrative Reporting: Where requested by the Board, the committee should
review the content of the Annual Report and Accounts and advise the Board on
whether, taken as a whole, it is fair, balanced and understandable, and provides
the information necessary for shareholders to assess the company’s performance,
business model and strategy and, whether it informs the Board’s statement in the
annual report on these matters.

c) Internal controls and risk management systems (unless these are specifically
the remit of a BRC or are matters reserved for the Board).

35 See Annex A, Section 1.12.

i. Review the company’s internal financial controls systems that identify,
assess, manage and monitor financial risks, and other internal control and
risk management systems;

ii. Review and approve the statements to be included in the Annual Report
concerning internal control, risk management, including the assessment
of principal risks and emerging risks, and the viability statement.

d) Compliance: Make arrangements to ensure compliance with regulations,
including speaking-up (whistle blowing), fraud, and the Modern Slavery Act,
where these are not the responsibility of the BRC.

With regard to whistleblowing, new rules were issued by the Prudential
Regulation Authority (PRA) and Financial Conduct Authority (FCA) in 2016.
These require affected firms to assign responsibility to a Non-Executive
Director to be the firm’s whistleblowers’ champion (part of Non-Executives’ supervising
role and the Board’s collective responsibilities). That champion needs to be in
good communication with the Chair of the BAC or BRC, whichever already has a
responsibility on this matter (see section 6).

e) Internal Audit:

i. Monitor and review the internal audit function, and assure itself of the
competence and independence of IA;

ii. Agree an annual work plan for IA;

iii. Receive interim and final reports on IA investigations and monitor
required management actions for remediation/improvement against their
due dates; and

iv. Annually to consider, where there is no internal audit function, whether
there is a need for one.

f) External Audit:

i. Recommend the appointment or replacement of external auditors and
review the effectiveness of their work;

ii. Develop and implement policy on the use of the auditors for non-audit
services; and

iii. Report in the annual report how the BAC has assessed the effectiveness
of the external audit process; the approach taken to the appointment and
reappointment of the external auditor; and the information on the length
of tenure of the current audit firm and when a tender was last conducted.

3.3.5 In performing their duties in respect of EA, BAC should:

a) Set clear expectations with external auditors about the annual scope of work and
the fee;

b) Meet regularly with the auditor, without the management present, ensuring
ongoing dialogue between BAC Chair and auditors to deal with on-going issues,
ask candid questions, inquire about sensitive topics and have confidential
conversations;

c) Receive the EA’s annual management letter which communicates matters arising
from the audit. Management letters are less formulaic than audit opinions, more
tailored to individual company circumstances and provide insights on, and
recommendations to improve, the companies’ governance, accountability, risk
management and control arrangements;

d) Receive the auditor’s report on the annual accounts which will include a
statement as to whether the accounts give a true and fair view of the company’s
financial affairs (unqualified) or whether the opinion is qualified because of issues
concerning the accounting policies or the financial position; and

e) Show clearly how relations with the external auditors are managed and what is
done to ensure their independence. As the volume of audit and risk work grew,
the practice of using external auditors to perform non-audit services also grew,
and with it, concerns about conflicts of interest. Boards (through BAC) must now
scrutinise the volume and type of non-audit work an EA may undertake and
explain how shareholders’ interests for independent verification have been
achieved, the special circumstances which justify their appointment for non-audit
services and the arrangements in place to monitor their effectiveness,
independence and objectivity.

BAC role in Communications

3.3.6 Communications with shareholders: the BAC Chair should engage with shareholders at
the AGM, and at other times they consider it advisable.

3.3.7 Communications with External Auditors: the independence of external auditors is
fundamental to corporate governance. Nonetheless the BAC Chair will maintain open
lines of communication with the External auditor normally through the external audit lead
partner.

3.3.8 Private Sessions: As part of custom and practice, BAC meetings will normally conclude
with a ‘private’ session (all the Executives having left, except for the head of Internal
Audit) with IA and EA. The BAC may also choose to have separate private sessions just
with either Internal Audit or External Audit present. Discussion in these private sessions
normally revolves around ‘is there anything you are worried about to which you wish to
alert us, and which has not come up in the meeting?’ This is an informal way of ensuring
that both IA and EA may comment in confidence on any concerns about individual or
corporate performance, and any looming risks which are not yet on the audit and risk
agenda.

3.3.9 BAC communications within the Board and the Executive: the BAC Chair should aim
to establish strong and open communications with the Chief Executive, the Finance
Director and other Executives, the Board Chair and Non-Executives, and the head of
internal audit. This is in addition to the regular reports of BAC activities and business
which the BAC makes to the Board, and the minutes of BAC which, once approved, are
circulated to the whole Board. Executives should not wait for BAC to ask for
information. The Executives should ensure that the BAC is kept informed of relevant
matters and take the initiative in supplying information to it.³⁶

3.4 Internal Audit

3.4.1 The function of IA has emerged as a specialism in the broad field of accounting, designed
to offer separate, independent assurance. The head of IA is appointed as part of the
Executive team (i.e. they are directly employed by the organisation) and in employment
matters is accountable to the CEO. However, the head of IA should also maintain
independence from the CEO, CFO and all other Senior Executives, and have a direct line
of accountability and communication to the Board Chair and to the Chair of BAC.

3.4.2 The BAC (if no BAC, the Board, and if no Board, the CEO) should agree an annual work
plan for Internal Audit. This plan will be informed by data on past performance and
considerations on future risks. It drives the work of internal audit and should highlight
areas of concern for Board/BAC and Executives. The BAC, or if none, the Board, or if
none, the CEO, will receive interim and final reports on IA investigations and be able to
monitor required management actions for remediation/improvement.

3.4.3 The scope of IA work will depend on the perceived priority given to IA (reflecting Board and
Executives’ understandings of present and future risks) and the resources (human and
financial) made available to IA. The extent to which IA’s scope will be extended, for
example into technical and IT matters, will be an important decision which would
normally be discussed, with a recommendation, by both the CEO and their team and the
BAC/Board.

3.4.4 One customary item for those commissioning IA reports will be ‘to review progress of
completion of remediation/improvement items against their due dates’. In practice a
record of the volume and nature of ‘overdue, incomplete management actions’, arising
from IA reports, may be taken as a rough measure of management effectiveness. This
record can provide great insight into both the strength of the Executives and the culture of
the company.

3.4.5 Providing the plan of work reflects major areas of concern, providing the investigations
have been adequate and proportionate, and the recommendations are clear and relevant,
the management response in terms of timely, full remediation is instructive. These
provisions are often the subject of robust contention between IA and the area of Executive
responsibility under investigation. Any Board or alert Senior Executives will want to
know of any major areas of contention and if there are systems for really rectifying
identified problems with controls and risks.

3.4.6 Internal audit activities should enable:

36 See Annex A, Sections 1.7a, 1.7b, 1.14, 1.17, 2.3, 2.4.

a) Shareholders and directors to have some means of independently verifying that
financial and non-financial statements are accurate and are not subject to fraud or
misappropriation.

b) Executives to have the capacity to undertake internal investigations which
help management keep track of transactions, tax compliance, reporting to
regulators, audit, reviewing processes and compliance in third party suppliers
(e.g. with respect to child labour) or in legislation including those relating to
counter-fraud, such as the Fraud Act 2006, Theft Act 1968 and Bribery Act 2010.

3.4.7 How will Boards and Executives know their Internal Audit function is effective? The
guidance given in the Combined Code 2003 still stands:

In publicly listed companies the BAC should monitor and review the effectiveness of the
internal audit activities. Where there is no internal audit function, the BAC should
consider annually whether there is a need for an internal audit function and make a
recommendation to the Board. The reasons for the absence of such a function should be
explained in the relevant section of the annual report.57

3.5 External Audit

3.5.1 EA is provided at the company's expense to provide the shareholders, through the Board,
with independent, objective analysis and conclusions. In lay summary, EA has the duty to
report on the integrity of financial statements; whether the annual report and accounts,
taken as a whole, are fair, balanced and understandable, and provide the information
necessary for shareholders to assess the company's performance and prospects; and
whether the company's systems and controls are adequate.

3.5.2 BAC duties in respect of EA are summarised above.

3.5.3 An issue of current concern is that, as interest in companies grows and a wider pool of
stakeholders across society (activists, investors, staff groups) shows an interest in annual
reports and governance, there is a widening expectation gap, as audits may fail to reflect
the societal and environmental interest of stakeholders in the sector in which the company
operates.58

3.6 Questions arising from Section 3 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which ran
and oversaw POC/L. The questions below are taken to apply to all relevant organisations in the
chronology.

Boards in the Organisations which Ran and Oversaw POC/L

57 Annex A, Section 1.7a.
58 See Annex A, Section 1.19.

3.6.1 How did the Boards discharge their auditing and monitoring responsibilities, particularly
when audit identified problems with internal controls?

BACs in the Organisations which Ran and Oversaw POC/L

3.6.2. Did BACs evaluate BAC effectiveness? And consider and implement any
recommendations to increase effectiveness?

3.6.3 Did BACs show knowledge of whistleblowing arrangements, and how whistle blowing
was perceived in the organisation? What whistleblowing records were shared with BAC?

Internal Audit in the Organisations which Ran and Oversaw POC/L

3.6.4 When and how (including resources) was an internal audit function established?
3.6.5 Was there an annual IA plan? With follow up on items?

3.6.6 Did IA annual plans of work ever reference HORIZON or SPMs?

Horizon and SPMs Issues in the Organisations which Ran and Oversaw POC/L

3.6.7 Did BACs or Boards commission/receive reports about any matters concerning Horizon
and SPMs issues, including compensation claims (and when?), and did they respond to,
or act on, the findings?

3.6.8 Did BACs or Boards receive unsolicited information about any matters concerning
Horizon and SPMs issues, including compensation claims (and when?)

3.6.9 What, if any, and when, were provisions or notes made in the financial statements in
annual reports or AGMs in respect of any financial aspects of Horizon and SPMs issues?

3.6.10 What, if anything, and when, did the organisations which ran and oversaw POC/L say in
the narrative reporting in their annual report, or at their AGM, about the SPMs set of
issues?

3.6.11 Did IA annual plans of work, or reports, ever reference HORIZON or SPMs? When?
With what results?

3.6.12 Was whistle blowing ever referenced by or with IA?

Investigations and Prosecutions in POL

3.6.13 Did Boards or BACs commission/receive reports about any matters concerning
Investigations or Prosecutions of SPMs? If so, what outcomes followed the reports?

External Auditor in the Organisations which Ran and Oversaw POC/L


3.6.14 Did EA annual programmes of work ever reference HORIZON or SPMs? If so, who
reviewed resulting work and with what results?

3.6.15 Were any matters relating to HORIZON or SPMs ever mentioned in annual management
letters from EA? If so, when? And with what results?

3.6.16 Was whistleblowing ever discussed with External Audit?


4 Risk

4.1 Introduction

4.1.1 Risk is an executive function, a vital area of Board oversight, and of fundamental
importance to shareholders. Whoever is making strategy, whoever is responsible for the
operational realisation of that strategy and, whoever is investing in the delivery of that
strategy, should understand and make judgements about their appetite and tolerance of
risks, which may derail strategic achievement and operational performance.

4.2 Executive Role in Risk

4.2.1 Risk is a fundamental and necessary part of Executive responsibilities. The identification,
analysis and management of risk lies at the very heart of running a company, contributing
directly to effective management and corporate performance. Historically, risk was rarely
designated as something specifically identifiable in Executive responsibilities; it was
simply a key part of running any business. In the last 50 or so years, risk has become an
important named area of management at all levels, as well as a specialist function to
support Executives in identifying, assessing, and managing risk. It is an Executive
responsibility to build an integrated and dynamic understanding of the company’s risk
profile which is effectively communicated to the Board and to shareholders.

4.2.2 Corporate risk management is rooted in the fact that companies will take financial risk so
they can grow. Although most risks, if crystallised, will have a financial impact, their
origins may be outside the corporate financial system and their impact felt in many areas
of corporate life. Risks may originate anywhere in the company, e.g. in technology,
markets, employment or sales practices, the handling of third-party suppliers, or in the
wider environment, e.g. war and conflict, pandemics, or climate change. Risks may
crystallise into financial or reputational damage, with impacts inter alia on business
performance, capacity to recruit and retain staff, customer loyalty, and company
survival.39

4.2.3 As no one can know or predict everything which may happen, those running the company
need to make judgements on the likelihood and impact of risks, on risk mitigation and
risk ownership and come to a view on risk appetite. These executive judgements and
supporting data need to be clearly and fully shared between the Executive and the Board,
and between the Board and the shareholders.

4.2.4 The tools most commonly used in the executive management of risk are those associated
with the creation of risk registers which identify and rank risks to the organisation (or part
thereof) in terms of a multiple of judgements about the ‘likely’ magnitude and nature of
impact on the company (or part thereof), and the likelihood of the risk actually occurring
(crystallising in the lexicon of risk management). Registers also note mitigations to
reduce magnitude or impact and who ‘owns’ the management of the risk.

4.2.5 Depending on the structure of the company, ‘subsidiary’ risk registers may be compiled
and owned in different functions or business lines, and at different tiers in the hierarchy.
Each register will relate to the risks of that part of the company and be owned by those

39 See Annex A, Sections 1.2, 1.4b, 1.5, 1.7a, 1.7b, 1.8, 1.11, 1.11a, 1.12, 1.14, 1.15, 1.17, 1.18 and 1.19.

responsible. A crucial question then becomes how subsidiary risk registers are scrutinised
and adjudicated by higher levels in the hierarchy, to build a comprehensive risk picture
for the company, which is then owned and managed by the CEO and their senior
leadership team.

4.2.6 At any one time, risk registers are a 'snapshot' of judgements made at a particular time
about the future. The register becomes dynamic over time, as Executives track the way
their judgements change about the rank and criticality of items on the register. Paying
attention to the direction of travel for any identified risk is a vital Executive function. This
can be facilitated by identifying entrances, movements, and exits of risk items, and
plotting trajectories of change on a two-dimensional map of impact on one axis, and
probability of occurrence on the other.

4.2.7 With the help of hindsight, Executives can get an indication of the accuracies of their
predictions of the trajectories of identified risks, and a view on the comprehensiveness of
their horizon scanning capacity to place, or move risks on and off, their register. Such
hindsight can be employed to improve Executive capacity for foresight, which is a central
art of risk management.

4.2.8 The effectiveness of risk identification and analysis, in hindsight or foresight, is not simply
a matter of technical excellence in the construction and use of risk registers. It depends in
large part on the Executives' curiosity, openness to learn from signals inside and outside
the company, and willingness to challenge assumptions. Without this openness, looming
problems may not make the register until 'unexpectedly' they hit the organisation; or they
may stay down in the 'low impact' and/or 'low probability of crystallisation' area when
they are becoming increasingly likely to occur and/or to have major impact. Executives'
approach to risk is, in part, both the creature and the creator of the company's culture (see
Section 8.4, and Power et al 2013).
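The mechanics described in 4.2.4 to 4.2.8 (a register that scores impact and likelihood, snapshots compared over time to find entrances, exits and movements, and the failure mode of a risk that sits in the 'low/low' corner while its likelihood keeps rising) can be made concrete in code. The following is an added illustration written for this edition, not part of the report or of any Post Office system; the 1 to 5 scoring scale, the thresholds, the risk identifiers and the three quarterly snapshots are constructed assumptions.

```python
"""Risk register snapshots: entries, exits, movements and direction of travel.

Added illustration; not the report's own material. Scores, thresholds and the
sample registers below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEntry:
    """One line of a risk register. Impact and likelihood are scored 1..5
    (an assumed scale; the report prescribes none)."""
    risk_id: str
    owner: str
    impact: int
    likelihood: int
    mitigation: str

    @property
    def score(self) -> int:
        # A simple impact x likelihood product is the usual ranking basis.
        return self.impact * self.likelihood


def rank(register):
    """Register ordered highest score first; ties broken by identifier."""
    return sorted(register, key=lambda r: (-r.score, r.risk_id))


def diff_registers(before, after):
    """Entrances, exits and movements between two snapshots.

    Movements are reported as (old impact, old likelihood, new impact,
    new likelihood) so the trajectory on the impact/likelihood map is visible.
    """
    b = {r.risk_id: r for r in before}
    a = {r.risk_id: r for r in after}
    entered = sorted(set(a) - set(b))
    exited = sorted(set(b) - set(a))
    moved = {}
    for rid in sorted(set(a) & set(b)):
        old = (b[rid].impact, b[rid].likelihood)
        new = (a[rid].impact, a[rid].likelihood)
        if old != new:
            moved[rid] = old + new
    return entered, exited, moved


def direction_of_travel(snapshots, rid):
    """(impact, likelihood) for one risk across each snapshot it appears in."""
    path = []
    for snap in snapshots:
        for r in snap:
            if r.risk_id == rid:
                path.append((r.impact, r.likelihood))
    return path


def creeping_risks(snapshots, low=3, min_rises=2):
    """Risks still scored at or below `low` on both axes in the latest snapshot
    whose likelihood has risen in at least `min_rises` consecutive snapshots.

    This is the 4.2.8 case: an item that never climbs the ranking because each
    individual move is small, even though the trend is unmistakable.
    """
    latest = {r.risk_id: r for r in snapshots[-1]}
    flagged = []
    for rid, r in latest.items():
        if r.impact > low or r.likelihood > low:
            continue  # already visible near the top of the register
        likelihoods = [lk for _, lk in direction_of_travel(snapshots, rid)]
        rises = 0
        for prev, cur in zip(likelihoods, likelihoods[1:]):
            rises = rises + 1 if cur > prev else 0  # count trailing rises only
        if rises >= min_rises:
            flagged.append(rid)
    return sorted(flagged)


# Constructed sample: three quarterly snapshots of a corporate register.
Q1 = [RiskEntry("R1", "COO", 4, 2, "dual control"),
      RiskEntry("R2", "CIO", 2, 1, "monitoring"),
      RiskEntry("R3", "CFO", 3, 3, "hedging")]
Q2 = [RiskEntry("R1", "COO", 4, 3, "dual control"),
      RiskEntry("R2", "CIO", 2, 2, "monitoring"),
      RiskEntry("R3", "CFO", 3, 2, "hedging"),
      RiskEntry("R4", "CEO", 5, 1, "none yet")]
Q3 = [RiskEntry("R1", "COO", 4, 3, "dual control"),
      RiskEntry("R2", "CIO", 2, 3, "monitoring"),
      RiskEntry("R4", "CEO", 5, 2, "contract review")]

if __name__ == "__main__":
    print("Q1->Q2:", diff_registers(Q1, Q2))
    print("Q2->Q3:", diff_registers(Q2, Q3))
    print("R2 path:", direction_of_travel([Q1, Q2, Q3], "R2"))
    print("creeping:", creeping_risks([Q1, Q2, Q3]))
    print("Q3 ranking:", [r.risk_id for r in rank(Q3)])
```

In the sample, R2 never scores above 6 and would not trouble a ranking that only looks at the latest snapshot, yet `creeping_risks` picks it out because its likelihood has risen in every quarter; that is the kind of signal the report says depends on Executive curiosity rather than on the register itself.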

The Organisation of Risk in Companies

4.2.9 Following an FSA statement in 2003, the organisation of risk is often described in terms
of three lines of defence, to stop risks crystallising and obstructing the achievement of
company strategic objectives. The first line of defence is the line managers who own and
manage the risk in their (part of the) business. The second line of defence is the risk
specialists who remain part of ‘management’ and provide advice, analysis and control,
including securing compliance with internal controls designed to manage risk. The third
line of defence is Internal Audit, which is not part of ‘management’ per se and provides
internal independent assurance, monitoring, and challenge, including specifying and
monitoring management actions to improve risk management processes and internal
controls (see section 3.4). This section focusses on the position and place of the second
line of defence (risk specialists), and their relationship to the first line.

4.2.10 Section 2.4 described how the CEO makes decisions about the organising principles
underlying the operational structure of their company between, for example, business
lines, specialist functions and major projects. Implications of such choices impact the
company’s approach to risk management, since they indicate the primary lens (for
example, business lines, functions, or major projects) through which risk is first viewed.
Whatever that perspective, however, effective CEOs normally want to check on other


perspectives and ensure that there are integrating mechanisms to build an overall
company perspective on risk.

4.2.11 Company-wide integration of risk management is a development from a traditional
approach of more piecemeal assessment of risk in particular areas (e.g. health and safety
on the production line, or software bugs in technology failures), which were seen as the
responsibility of specific divisions supported by specialist risk personnel from other
functions (e.g. compliance, internal audit, finance, corporate services).

4.2.12 The development of the corporate executive risk function arises in part, from experience
of corporate failure and crises, which led professional services consultants and regulators
(e.g. Financial Conduct Authority 2003) to draw attention to the need to see risk as
embedded in core Executive responsibilities and to require an integrated approach across
the company. The study of disasters (e.g. Turner 1978, Dawson 1991), illustrates the
consequences which could arise if there was a failure to connect different sources of
information, and in particular the importance of viewing data about technologies in
interaction with considerations of culture and behaviour.

4.2.13 As the perceived need for corporate risk management grew, two trends emerged. The first
was that risk responsibilities for all Executives became centrally placed in their job
specifications. The second was an enhanced profile for those with specialist risk
responsibilities, including perhaps the decision to appoint a CRO as part of the senior
leadership team. Risk specialists began to be seen variously as 'partners' in any business
unit or major project, independent advisers to line management, and even change
facilitators, rather than simply skilled technicians in a specialist function.

4.2.14 Whatever the structure, tensions are commonplace between ensuring a technically
excellent risk function, and risk as a core Executive responsibility. For example, there is a
danger that core business Executives may feel they can ‘in-source’ their risk
responsibilities, handing them over to specialists, relinquishing accountability for their
own risks, and at the same time complaining that the risk specialists are ‘too cautious’ and
inhibiting corporate growth. It is the CEO’s job constructively to manage these tensions
to secure a system of risk management, where the risks are owned by those who are
making business decisions and are doing so with access to the best, trusted specialist
analysis.

4.2.15 Essentially there is no one right answer for the place or remit of risk. Big questions to be
answered in any company are:

Does the structure and culture around risk enable it to be identified and managed
effectively?

Are people in the business ‘educated’ in how to identify and handle risk?

How do risk specialists manage their ‘independence’ and autonomy, and yet work in
partnership with the business and support business decisions?

Do Executives understand that the management of risk involves behaviour and
culture, as well as ever more sophisticated data acquisition and analysis?


4.3 The Board Role in Risk

4.3.1 Where the company is publicly listed, the Board has specific duties and responsibilities
for Risk.

4.3.2 The Board's role in Risk derives from its core duty to approve strategy, in which risks are
embedded, and oversee operations wherein risks will be manifest, and should be
controlled through internal controls. The Board is responsible for determining the
company's risk appetite, that is, the nature and extent of significant risks which it is
willing to take in achieving its strategic objectives. The Board should seek to anticipate,
and guard against, major losses by risk reduction and mitigation.40

4.3.3 The system of risk management outlined in the corporate codes is fundamentally aimed at
ensuring transparency to shareholders, so that they will be in an informed position to
decide whether (to continue) to invest.41

4.3.4 The Board should present a balanced and understandable assessment of the company's
position and prospects (for 'prospects' one can read 'risk'). This principle was supported
in 2010 by a new provision requiring Directors to state in annual and half-yearly
statements whether they considered it appropriate to adopt the 'going concern' basis of
accounting and to identify any material uncertainties to the company's ability to continue
to do so over a period of at least twelve months from the date of approval of the financial
statements (FRC 2010).42

4.3.5 In the wake of failures in banks in the period from 2007, the Walker Review (2009) of
'Corporate Governance in UK Banks and other Financial Institutions' had ramifications
beyond financial services.43 Greater emphasis was placed on the need for Boards to
engage in realistic discussions about what will happen to the firm in the future, to get
assurance that risk is being managed, and to make clear to shareholders how the Board's
judgements on risk were being made. Ensuring the quality of the data was central to these
developments, with their increasing emphasis on the Executive responsibility to provide a
true and fair picture of the risks (Walker 2009).

4.3.6 Expectations of all parties rose. Executives expected the Board to provide a clear strategic
direction on risk, to be supported in tackling problems, and to appreciate that the Board
must be fully part of building a consensus on what constitutes risk and how it will be
mitigated. Executives were expected to ensure NEDs had access to information which
communicated risk in ways that were understandable, insightful and timely and to ensure
the effectiveness of underlying controls and processes.

4.3.7 The Walker (2009) review also shone a spotlight on the importance of ‘risk culture’ and
the ways in which risk is ‘embedded and socialised’ throughout the company. This
generated a proliferation of new tools to assess and manage risk culture, to be added to
the armoury of risk management expertise. It also widened the Board’s potential scope of
interest in risk and suggested that the Chair and the Board had a key role in setting the
context for open and honest conversations about risk culture between Executives, their

40 See Annex A, Sections 1.2, 1.4a, 1.7a, 1.8, 1.10, 1.12, 1.14, 1.17 and 1.18.
41 See Annex A, Sections 1.4a, 1.7a, 1.8, 1.10, 1.12, 1.14, 1.17 and 1.18.
42 See Annex A, Section 1.12.
43 See Annex A, Sections 1.11, 1.11a and 1.12.

risk specialists, and NEDs. There is much debate on whether risk management ‘leads’
business decisions or ‘follows’, but the essence is that it doesn’t really matter, so long as
it is jointly debated, and risk is integrated into the Board’s decision making.

4.3.8 These developments are reflected in the 2014 Combined Code (FRC2014b).44 Principle
C2, 'Risk Management and Internal Control', has two new provisions to drive a stronger
narrative about the principal risks facing the company and how they have been assessed.
The language on 'going concern' is strengthened. Directors must sign off on the 'going
concern' statement and report in the Annual report on any material uncertainties that they
might have on the company's ability to be a 'going concern' over the next months.

4.3.9 The FRC 2018 Code (re)states that: 'the Board should [...] establish a framework of
prudent and effective controls, which enable risk to be assessed and managed [and] the
Board should carry out a robust assessment of the company's emerging and principal
risks'.45

4.4 Board Risk Committee (BRC)

4.4.1 The codes do not prescribe how the Board is to discharge its duties to provide effective
controls to 'enable risks to be assessed and managed'. Regulations required banks and
financial institutions to establish a BRC, but companies in other sectors were at liberty to
determine how they would meet their risk duties. Increasingly nowadays, organisations
tend to have Board Risk Committees (BRC), whereas in the late 1990s and early 2000s this
was much less common. Faced with explicit duties for the assessment and management of
risk, many Boards initially relied on their BACs to undertake relevant oversight. At that
time there was also considerable uncertainty in Board rooms about what exactly a risk
committee, if constituted, would do, and how it would avoid duplicating, or adding
unnecessary complexity to, the work of the BAC.

4.4.2 As Risk management became more clearly defined through practice, some companies
chose to amend the BAC terms of reference to make explicit reference to risk and some
chose to do that and to rename their BAC, ‘Board Audit and Risk Committee’. Yet others,
and over time, a larger group, chose to establish a Board Risk Committee (BRC). Board
decisions to separate audit and risk committees reflected inter alia, the size of the
company, the levels of risks, stakeholder expectations, regulations, and resources.

4.4.3 In time a distinction between BACs and BRCs became clearer. Audit committees
typically look back ensuring compliance, whilst Risk committees typically look forward,
with a view on risk appetite, where risk will arise, and how best to mitigate it. In the
absence of a BRC, Boards must assess the effectiveness of the BAC to undertake the
Board’s risk duties, taking account of the workload of combined Audit and Risk.

4.4.4 Even where a BRC is established, Audit committees are still required to review the
company’s internal financial controls and other material controls, including risk
management controls as part of their audit role, independent of management.

44 See Annex A, Sections 1.14 and 1.15.
45 See Annex A, Section 1.18.

4.4.5 If Boards decide to have a separate BRC, they must determine its responsibilities and
delegated powers in the committee's terms of reference, which must be publicly available
(normally now through the website). Boards should also determine BRC membership,
which would normally have at least three members, who are all independent NEDs,
including at least one member of the audit committee and/or remuneration committee.46

Duties of Board Risk Committee
4.4.6 In summary, BRCs are normally established to:

a) Advise the Board on the company’s overall risk appetite, tolerance and strategy, the
principal and emerging risks the company is willing to take to achieve its strategic
objectives, and any changes to risk profile and appetite which are consequent upon
proposed changes to strategy. Risks will be specific to the company’s circumstances
but are likely to include: Threats to the business model or future performance;
Operational risk; Capital risk; Insolvency risk; Market risk; Conduct risk;
Reputational risk; Risks from ethical, environmental, social and governance (ESG)
issues; IT operations, including cyber risk; Health and safety and pandemic risk;
Business continuity risks; Regulatory, litigation and legal risks; and Terrorism or
major accident.

b) Advise the Board on the likelihood and the impact of principal risks materialising,
and the management and mitigation of principal risks to reduce the likelihood of their
incidence or their impact;

c) Advise the Board on the accuracy of narrative reporting on risk and internal controls
in the annual report and other public statements.

d) Monitor and review the effectiveness and value of the company’s risk management
and internal control systems, including seeking assurance that corrective action is
taken when necessary;

e) Monitor and review the appropriateness of the company’s values and culture and
reward systems for managing risk and internal controls, and the extent to which the
culture and values are embedded at all levels of the company; and

f) Work and liaise as necessary with other Board committees, ensuring interaction
between committees, and with the Board, is reviewed regularly, taking account of the
impact of risk management and internal controls on the work of other committees.47

4.5 The Role of the Shareholder

4.5.1 The shareholder(s) have a right to expect to receive timely accurate information on risks
which impact the company’s ability to achieve its strategic aims.

4.5.2 The government as shareholder should be active in seeking and receiving relevant
information on risk and, where it is not satisfied, because either the information is not
forthcoming or it is inadequate, should engage with the Board Chair (and with their
appointed NEDs), or in the absence of a Board, the CEO, to seek out the information.48

46 See Annex A, Sections 1.11, 1.15 and 1.18.
47 See Annex A, Sections 1.14 and 1.15.

4.5.3 Central Government Departments49 manage risk through the AO, who is expected to
oversee internal controls and audit. Risk management features in the Code for Central
Government Departments from 2011 (HM Treasury and the Cabinet Office, 2011), which
indicates that AOs in Public Bodies should be supported by an Audit and Risk Assurance
Committee (ARAC) (HM Treasury, 2012).

4.6 Questions Arising from Section 4 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which
ran and oversaw POC/POL. The questions below are taken to apply to all relevant organisations
in the chronology.

Executive Arrangements for Risk Management

4.6.1 What arrangements for risk identification, management and assessment were practiced at
Executive level?

a) Where did risk become integrated into lines of accountability in the business?
b) Where, if at all, were risk specialists located in the organisation? When?

c) Were risk registers created and reviewed? When?

d) How did Executives construct an integrated view of company-wide risks?

e) How did Executives ‘report up’ to relevant Executives and Boards on risk?

Board Arrangements for Risk Management

4.6.2 What arrangements for risk identification, management and assessment were practiced at
Board level?

4.6.3 Were risk registers used as a means of reporting to BAC and/or BRC? If so, when did this
start?

4.6.4 How did Boards develop an integrated view of their Risk Profiles and Risk Appetites?
How frequently were they reviewed and amended, and ‘reported’ to the next level of
oversight? If reported ‘up’, did feedback and discussion follow?

4.6.5 Did Boards consider the risk culture in their risk assessments?

4.6.6 What internal controls were in place to mitigate the risk of fraud, were these
internal controls effective?

48 See Annex A, Sections 2.4, 2.5 and 2.10a.
49 See Annex A, Sections 2.2a, 2.3, 2.4, 2.7 and 2.10a.

Horizon

4.6.7 Did (when?) Boards, BRCs, BACs introduce any special arrangements for risk oversight
of the Horizon project? (with what data and scope?)

4.6.8 When and how did the Horizon project feature on risk registers? What were the identified
risks and mitigations? How did this change over time?

4.6.9 Did Boards, BRCs, BACs introduce special arrangement for risk oversight of the SPM
issues? (When? With what data and scope?)

4.6.10 How (if at all) did SPM issues feature on risk registers? What were the identified risks
and mitigations? How did this change over time?


5 Governance and Management of Technically Complex Major
Projects

5.1 Introduction

5.1.1 From time-to-time Boards initiate, approve, and oversee major projects as part of their
strategy. Executive management and control of major projects requires special structures,
systems, and capabilities. It is for the Executive, in consultation with the Board, and/or in
the case of government owned companies, the government entity to whom they are
accountable, to decide how best to achieve project delivery, so that they maintain
effective management and control of both ‘business-as-usual’ and the major project.

5.1.2 Such projects will be time limited between origination and completion and may relate, for
example, to major infrastructural technology driven change, re-branding, or corporate
activity (e.g. M&A). The introduction and roll-out of the Horizon computer system by the
Post Office was a technically complex major project, originally designed and operated by
ICL Pathway Ltd, which was subsequently integrated into Fujitsu, a third-party supplier.

5.2 Characteristics of Major Projects
5.2.1 Three characteristics of major project management present particular challenges.

Uncertainty, Complexity, and Scale

5.2.2 Complex projects are never straightforward; there is always a degree of uncertainty about
delivery to plan. This partly reflects the optimism of those who propose the project, who
are often inclined to emphasise the imperatives to do the project, the advantages which
will flow from it, and that the risks of not doing it outweigh the risks of doing it. Such
optimism is often sustained by considerable uncertainty about exactly what the project
will involve, in terms of resources, innovation, problem solving capacity and accessible
knowledge.

5.2.3 Uncertainty may increase for internal reasons (e.g. unexpected shortage of skills or
unexpected/apparently intractable technical problems) or externally (e.g. political
upheaval, economic shocks, or changes of government). Things which may derail a
project may be unknown or unknowable at the time of project approval; they may not be
represented in risk registers.

5.2.4 There will also be unanticipated consequences of the very actions that have been taken
for good management practice, e.g. unexpected incentives and disincentives which arise
from contract clauses, or remuneration structures; or regular reporting structures which
can lead to information being ‘siloed’ and not shared between reporting lines.

5.2.5 Complexity and uncertainty are exacerbated by scale. The magnitude of the challenge
posed for the Executive who are also ‘running’ their regular business means they are, as it
were, running two very different organisations which can incur ‘indirect costs’ on routine
business. This is often not fully appreciated, especially as these ‘indirect costs’ are not
always visible, or the subject of curiosity, by those who are proposing the project.


5.2.6 The Board and the Executive, in their different roles, should each be assuring themselves
they have the right level of oversight in place, including their readiness to spot and reveal
unexpected or unplanned problems as they are emerging, their readiness to take remedial
action, and their readiness to secure their own specialist advice where they consider they
are dealing with matters outside their own expertise and experience.50

Inherent Tensions and Trade-Offs

5.2.7 Inherent in most major projects are tensions between (putting it very simply) cost, quality,
and time. At various times in the project life cycle, the Executive, the Board, Government
sponsor and the contractor, each in their different roles, will need to consider such trade-
offs. Major projects may overrun on their original timetable, overrun on their original
budgets, and not deliver the specified scope, or specified quality in the specified, or
revised, time.

5.2.8 For example, delivery to the announced timetable may result in an interruption to other
critical paths in business-as-usual plans; delivery to the announced quality standards may
require delays to allow for problem solving; delays may increase costs and so on. These
trade-offs will be viewed differently at different stages in the project life cycle, depending
on one’s role and position in the organisation and the complex stakeholder landscape.

5.2.9 The degree to which the Executive can determine an optimum approach to trade-offs will
depend inter alia on:

a) The interests of stakeholders and their capacity and inclination to work together to
find common solutions;

b) The openness of discussions about the trade-offs;
c) The nature of contracts;
d) The availability of additional resources;

e) Stakeholder judgements on the balance of risks posed in different trade-off scenarios;
and

f) The relative power, legitimacy and authority of external stakeholders and internal
players.

The characteristics of key stakeholders are discussed further in Section 7.

Contracting with Third Party Specialist Suppliers

5.2.10 The scoping and delivery of major projects normally depend on third-party contractors,
with all the requirements for their management and control. A further consideration will
be how much of the organisation’s own project management and control will be
undertaken ‘in house’ and how much will be contracted to specialists, independent of the
contractor. The higher the degree of specialist knowledge and capability, and the greater the
quantum of additional resource required, the more likely it is that significant elements of
‘internal’ project management will be outsourced.

50 See Annex A, Sections 1.1, 1.2, 1.4a, 1.4b, 1.6, 1.7, 1.12, 1.14, 1.15, 1.19, 2.1, 2.2a, 2.3, 2.4, 2.5, 2.7 and 2.9.

5.2.11 For every major piece of outsourcing, the Executive must decide, and may agree in
contract:

a) Specified deliverables (inter alia cost, quality, time);
b) Risk: which parties bear and share the recognised risks in the project;
c) Reporting: matters and schedule;
d) Evaluation: data and criteria; and
e) Escalation: when and how problems are regarded as sufficiently serious to ‘go up
a level’.

5.3 The Role of the Executive in Major Projects

5.3.1 The Executive who are responsible for a project’s delivery may not necessarily have been
centrally involved in the decision to proceed. It is an additional complexity if the
organisation which is proposing the project (e.g. government) is different to the
organisation which will be building and using the project (e.g. a government company).

5.3.2 The proposing Executive will be responsible for producing a full project appraisal,
including the following as a basis for Board (or other governance) approval:

a) Business Case: the contribution of the project to delivering the company’s
strategy, including problems it will solve, opportunities it will open and why
alternative options are inferior;

b) Risks to the business of a) proceeding and b) not proceeding with the project;

c) Resourcing plan (skills, knowledge, specialist technical capacity, finance,
space); and

d) Opportunity costs (impact on other priorities).

5.3.3 Once approved, the delivery Executive needs to produce, inter alia:

a) A sufficiently granular project plan, detailing milestones and stages and a matrix
of progress chasing, reporting, monitoring, logging and follow up of problems
and plan deviations, to enable the Executive to keep track of progress and risks,
and to be prepared to explain the imperative for reappraisal of risks or replan of
the project;

b) Statements and enactments of the systems, controls and structures of roles,
relationships, and communications to enable effective project management,
including attestations that ‘stages’ have been completed and gateways to the next
stage may be ‘opened’;

c) Risk register system, to identify, track, and evaluate project risks in a dynamic
and integrated way;

d) Risk register system, which will integrate the project risks with the risk profile of
the company, and, if part of a group, the Group as a whole;

e) Contracts with third party suppliers, which are aligned with the business case and
risk analysis for the project, and which provide sufficient powers for managing
the contractors for effective delivery;

f) Escalation: clarity on when and how problems are regarded as sufficiently serious
to ‘go up a level’; and

g) Authority to approve and expectation to be informed: clarity on matters within
Executive delegated authority levels, matters which require Board/higher
approval, matters on which the Board expects to be informed.

Culture, Leadership and the Reality of Project Management

5.3.4 The items above outline the characteristics of an effective project management
organisation which one would expect to see documented. If they are absent, there is no
basis for believing the project will be well managed.

5.3.5 Their presence as documents, however, does not necessarily mean one has effective
project management. The documentation may not result in their enactment because, for
example:

a) Although there are reports, problems are not followed up;

b) Communication of progress and problems ‘upwards’, including to the Board, is
patchy and superficial;

c) There is little effective internal scrutiny through, e.g., internal audit;

d) The culture does not encourage people to speak up if they foresee, or see,
problems or issues arising;

e) There is little transparency of required reporting and communications with
stakeholders; and

f) Bad news (e.g. failures on time, quality, cost expectations, or any unanticipated
problems which may be outside a narrow project remit) is downplayed or hidden
and this becomes a habit.

5.3.6 These considerations bring us to the subjects of culture, leadership, and the experience of
those working on project delivery and oversight. A culture which is very quick to blame,
in which people do not have courage to be accountable, or covers up ‘bad news’, becomes
pervasive and will undermine any formal structures which proclaim they are securing
transparency and accountability.

5.3.7 The Executive role is fundamentally important in building and sustaining a culture which
will support effective project management in conditions of high complexity and
uncertainty. This often means managing tensions between two opposing forces: on the
one hand the need to encourage innovation and problem solving, and on the other the need
to keep a careful eye on progress against the project plan. Matters of leadership and culture are
discussed further in Section 8.

5.4 The Role of the Board, or other Governing Body, in Major Projects

5.4.1 Whereas it is for the Executive to determine how it will manage, organise, and control the
delivery of major projects, it is for Boards or other governing bodies to decide whether a
major project will be approved (assuming it requires Board approval, being above the
limit for Executive decision making), how the Board will maintain effective oversight of
project process and delivery, support the Executive in its work, and intervene if the
project gets into difficulty.⁵¹

5.4.2 In discharging its oversight responsibilities in relation to major projects, the Board would
normally be involved as follows:

Pre ‘go-ahead approval’: Board discussion and decision about:

a) Overview on the project’s place and importance to the strategy (what it promises
to deliver; why this is important, what it will deliver, at what direct, indirect and
opportunity cost, and in what time frame);

b) Evaluation of risks and scrutiny of risk profile and anticipated impact in an open
way, unconstrained by current forecasts. A phrase sometimes used at an early
stage of project risk analysis is to construct a ‘pre-mortem’, (the opposite of a
‘post-mortem’) i.e. looking behind the project plan to ask what might result in,
and result from, project failure;

c) Consideration of whether the Board encourages curiosity which might spot the
emergence of unanticipated consequences;

d) Sufficiency and sources of information provided to the Board about the project
pre-approval; consideration of any additional work, analysis, or specialist advice
required;

e) The capability of the Executive to deliver the project, including project
management structure and capabilities, technical competence in-house, and
access, choice, and management of outsourced technical capabilities; and

f) How the Board will maintain oversight and support of the Executive.

51 See Annex A, Sections 1.7a, 1.12, 2.3 and 2.5.

As part of ‘go-ahead approval’ (or about the time of that approval): Board
discussion and decision about:

a) The level and type of involvement the Board and its committees will institute to
oversee the Executive’s planning and management of the project, including the
Executive’s degree of ‘reach’ into contractors. Essentially, how the Board will
ensure that it has sufficient line of sight into what is going on (especially what
may be going wrong, as they will certainly hear about what is going right) and how
progress in relation to plan is being evaluated and reported, without unduly
interfering in project operations and without skewing the ‘normal business’ of the
Board;

b) How the Board will use its existing committee structure and its existing
independent advice and monitoring (from Internal audit, External audit, and other
independent advisers and consultants already retained), to maintain oversight of
project progress to delivery (is responsibility clear and how will it be reported?);

c) Whether, and how, the Board will seek its own specialist advice, which is
independent of the Executive and the contractors. This will depend on such things
as the degree of specialist knowledge already available to the Board, complexity,
materiality and risks inherent in the project, and the internal capabilities of the
organisation;

d) The nature and timing of reports on fulfilment of project plans, according to
agreed major project milestones for the Board (involving evaluation against plans
and risk register);

e) Any specific review points, or deep dives into project progress, where Board
reaffirmation of the decision to undertake the project will be formally considered;

f) Understanding how crises and serious concerns about deviation from project
plans will be escalated. Will there be candid and timely assessments of what’s
gone wrong? And what are we going to do about it? Will we also request ‘post
hoc’ reports at different stages, e.g. to examine: How did we do? And what
lessons can we learn?

g) How will the Board informally keep in touch, and be available for support, and as
a sounding board, to the Executive?

Once the project is underway

The outcome of the Board discussions and decisions above should mean that, over the
project life cycle, the Board has a clear understanding of, and pays attention
to:

a) Roles and responsibilities for the Chair, CEO, Board and its committees, as well
as independent specialist advice in maintaining oversight of the project;

b) Project Reporting: schedule and subjects of reports from Executive;

52 See Annex A, Section 1.11.

c) Board Committee reporting, and including follow through of issues;

d) Milestone approval: schedule and subjects of any milestone approvals, including:

i. Attestations of phased completion or delays;

ii. Risk revisits: opportunities for intelligent interrogation of the risks posed
by and in the project; and

iii. Supporting the Executive in balance with oversight.

Culture, Leadership, and Experience of the Board⁵³

5.4.3 Just as at Executive level, the existence of a formal structure of systems and controls for
project oversight at Board level is a necessary part of an effective Board, but it is not a
sufficient condition.

5.4.4 Does the culture and leadership at Board level encourage effective enactment of these
systems and controls, and especially, does it encourage the Board to look with curiosity
beyond them?

5.4.5 How, and by whom, is a curiosity-driven enquiry into the unexpected being maintained?

5.4.6 Are members encouraged to take an enquiring look into the unanticipated consequences
of the good faith decisions taken by the Board and the Executive?

5.4.7 How is the hint or the reality of ‘bad news’ greeted between the CEO and the Chair and
within the Board more generally? These considerations bring us once more to the subjects
of culture, leadership, and the experience of those working on project delivery and
oversight which are discussed further in Section 8.

5.5 Questions arising from Section 5 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which
ran and oversaw POC/POL. The questions below are taken to apply to all relevant organisations
in the chronology.

5.5.1 What did each organisation consider to be the risks of Horizon? Was there an integrated
view of the risks between each of the four organisational and governance levels described
in Annex B?

5.5.2 How did each of the four organisational and governance levels described in Annex B,
maintain oversight of Horizon?

5.5.3 What, if any, conflicts of interest arose between the four organisational and governance
levels in Annex B in association with Horizon? And how were they raised and managed?

5.5.4 At what point did SPM issues become ‘part’ of the risk reports on the Horizon project?

53 See Annex A, Sections 1.11 and 1.18.

6 Governance and Management of Whistleblowing

6.1 Introduction

6.1.1 A Whistle blower is a person (usually in their capacity as an employee at work) who
discloses (passes on information) what they perceive as wrongdoing in the workplace.
Their disclosure should be in the public interest, that is, it must affect others, for example
the general public, stakeholders in the company or other employees, and not be a matter
of individual grievance.

6.1.2 Whistleblowing is the term used when the whistle blower passes on information to a third
party, with allegations of matters of public interest caused by misconduct, wrongdoing,
criminal activity or mismanagement in the organisation, and which the whistleblower
believes has caused, or is likely to cause, harm to others, e.g. the health and safety of
workers, miscarriages of justice, damage to the environment, employee rights, covering
up information or failure by Executives or managers at any level of the organisation to
comply with legal obligations.⁵⁴

6.1.3 Whistleblowing can relate to damage to reputation, financial performance, intellectual
property, operational failures and business resilience, e.g. because of loss of engagement
with a staff group, or incompetence or lack of capacity amongst employees or contractors.
Examples of conduct with direct implications for the business, on which the whistle may
be blown, are falsifying information, denying errors in systems and accounting, and
inflating sales.

6.2 The Role of the Executive: The Management of Whistleblowing

6.2.1 The role of the Executive is to run the company, so that it achieves its strategic goals and
to keep the Board (or other governing body) informed of all major risks to the
organisation achieving its business goals, including those which come to light through
whistleblowing claims. Whistle blowing is a source of knowledge which the Executive
must ensure is made easily available to them.⁵⁵

Systems and Environment

6.2.2 An executive responsibility is to create the environment where people can ‘blow the
whistle’, without fear of reprisal, and in a way which allows the company to learn and
take timely remedial action, and which encourages others to speak up in the future.
Enabling whistleblowing has been a requirement on organisations since the 1990s, when
the 1996 Employment Rights Act and 1998 Public Disclosure Act provided statutory
protection to workers speaking up or whistleblowing in the public interest.⁵⁶

6.2.3 Managing whistleblowing involves a proactive approach, which the FSA captured in their
2005 guidance (see FCA Handbook 2024) and the Department for Business, Innovation and
Skills captured in their 2015 guidance (Dept for Business, Innovation and Skills, 2015).⁵⁷
It involves:

54 See Annex A, Sections 1.0 and 2.0.
55 See Annex A, Sections 1.0, 1.7a, 1.9, 2.0, 2.2, 2.4 and 2.10.
56 See Annex A, Sections 1.0 and 2.0.

a) Providing rights to protection for certain categories of workers but not all. For
example, workers who have a contract with an employer are covered, but the self-
employed are not. Self-employed members of the workforce are more likely to be
contracted to provide services over a certain period of time for a fee and be in a
business in their own right. Managing whistleblowing involves considering which
other categories might be covered and where there are employee groups where
whistleblowing protection might also be extended (FCA Handbook 2024 suggests key
contractors).

b) Distinguishing the difference between whistleblowing and reporting a grievance.
Whistleblowing involves allegations about matters of public interest, caused by
wrongdoing or incompetence, and which the whistleblower believes has, or is likely
to, cause harm to others. A grievance is a complaint or allegation by an individual (or
group believing they share the same grievance) about unfair treatment or other causes
of distress, which employees raise with their managers or higher levels in the
company, and which stakeholders (e.g. customers) may raise with a company.

c) Setting up systems and processes so whistleblowing is managed effectively, i.e.
having written policies, codes of conduct, including:

i. Naming a choice of individuals to whom disclosures may be made;

ii. Making and interrogating reports of investigations, including ensuring they
are conducted;

- Proportionately;

- Independently of the people and matters identified by the whistle
blower; and

- Are fully followed up.

iii. Ensuring employees are clear about their rights and processes; and

iv. Dealing with concerns strictly confidentially and ensuring anonymity in any
reports.

d) Collecting, analysing, evaluating, and reporting data. The processes of collating,
recording, evaluating and regularly and openly reporting anonymised data to the
Executive and to the Board is essential if there is to be learning, change and justice
from whistle blowing. Data should show, inter alia:

i. The number of disclosures;

ii. Their reasons;

iii. The outcomes;

iv. Adherence to the process;

v. Justifications for any disciplinary actions / suspensions / exclusions; and

vi. Lessons learnt.

As understanding of human factors and diversity and inclusion evolves, an
appreciation of the importance of assured fair and transparent processes for
monitoring becomes even more important.

57 See Annex A, Sections 1.9 and 2.10.

Culture and Behaviour

6.2.4 There are additional important behavioural and cultural requirements for effective whistle
blowing, which extend beyond formal systems and controls. They include:

a) Communicating with employees and others who may wish to blow the
whistle. Executives should use multiple channels to convey to workers their
protection from victimisation for speaking-up. A written policy was
recommended by FSA in 2005 (FCA Handbook, 2024a); this can be
supplemented by training and induction and informal means.⁵⁸

Those responsible may identify specific channels, emphasising freedom to speak
up or blow the whistle. It is important that organisations train line managers as
well as central functions, e.g. HR on whistleblowing rights, duties, and processes.
If the size of the organisation warrants it, the role of a central whistle blowing
team also needs to be explained, so it becomes widely understood as being part of
the process but not absolving any others of their responsibilities.

b) Learning about the lived experience of whistleblowers. To increase the
likelihood that others will speak out, the organisation must understand how it is
handling whistleblowing and the lived experience of whistleblowers, after they
have blown the whistle. This requires that feedback is sought from the whistle
blower by someone independent of the matter concerned and support offered to
them, regardless of whether their allegations are found to be proven. Cases where
the allegations are not proven and are said to be mischievous or malicious or
inconsequential need careful review by a third party after the initial
consideration. Nothing in the way any cases are handled should discourage others
from coming forward with their concerns.

c) Challenging the assumptions that may be being made at any stage in the process
and which can introduce bias and influence outcomes. For example, assumptions
about:

i. The nature of the concern/ complaint;

ii. The status and veracity of the people against whom the allegations are
made;

iii. The status and veracity of the whistle blower;

iv. Complexity of the complaint and the assumed benefit to investigating it;

v. The need to limit the scope of the complaint;

vi. The time required and evidence available for investigation; and

vii. Competence and experience in handling whistleblowing.

58 See Annex A, Section 1.9.

d) Keeping the Board up to date. Traditionally this has taken place through the
Board Audit Committee for listed companies, in compliance with the Combined
Code (2003). The BAC and Internal Audit may take a closer look at the
effectiveness of the whistleblowing function. The Chair of BAC should also be
told of any whistleblowing disclosures and depending on the risk to the
organisation, these should make their way onto a risk register for monitoring.
Such monitoring is usually done by BAC for the Board, although the Chair of the
Board would usually also be told of Whistleblowing incidents in an anonymised
way.⁵⁹

6.2.5 This section has covered the Executive role in creating the environment, systems, and
culture for enabling and sustaining whistle blowing and must be kept completely distinct
from any Executive role in any specific whistle blowing case. Any actions, or direct
involvement, or conflicts of interest arising from specific cases of investigated or
discovered wrongdoing, including taking disciplinary action, dismissal and the
involvement of law enforcement agencies should always be handled in accordance with
the overall remit of Executive responsibilities, systems and procedures.

6.3 Guidance and Regulations

6.3.1 This short section on the key guidance and legal requirements for organisations on
whistleblowing sets the context for the Board’s role in governance of whistleblowing that
follows.

6.3.2 The Public Interest Disclosure Act (PIDA) 1998, which applies to public, private and
voluntary sectors, states that if a worker who discloses their concerns in the public
interest has any form of reprisal or mistreatment from their employer, after raising a
concern, they have the right to compensation in an employment tribunal. PIDA covers the
rights of workers to disclose, through regulatory and wider channels, including
disclosures to MPs and public disclosure through the media. It signalled a change in
culture towards promoting and protecting public interest whistleblowing. This was part of
a cultural shift towards transparency in public life, which the Committee on Standards in
Public Life (Nolan, 1995) also addressed through the Nolan Principles.

6.3.3 The UK Corporate Governance Code 2003 and all subsequent versions recommend that
listed companies have whistleblowing policies in place, i.e. they must comply, or explain
why not. Although there is no legal requirement for all organisations to have
whistleblowing written policies, guidance is clear that a written policy is good practice,
particularly in larger organisations.

59 See Annex A, Section 1.7a.
60 See Annex A, Sections 1.0, 2.0, 2.2, 1.7a, 1.9 and 2.10.

6.3.4 Guidance by the Department for Business Innovation and Skills (2015) for public entities,
places a premium on having the right culture and especially communication at all levels.
Through communication, people will be encouraged to speak up: written policies, training
and support, effective processes and above all quick responses to issues raised are all
parts of the culture of good practice.

6.3.5 In addition, since 2016 there has been guidance about the appointment of a NED as a
whistle blowing Champion. Rules for affected firms and guidance (2016) by the FCA for
all organisations it serves, required a company to appoint a Non-Executive Director as
their ‘whistleblowers’ champion’.⁶¹ The role is designed to be supportive of NEDs’
supervisory oversight role, and the Board’s collective responsibilities, and not to mean
that a NED will take on operational responsibilities or be expected to be the only person
on the Board who is really concerned with whistle blowing.

6.3.6 Looking forward, it seems that the direction of travel is for more protection of employee
rights and a greater role for NEDs in overseeing whistle blowing.

6.4 The Role of the Board: Governance of Whistleblowing

6.4.1 The Board as a whole has major responsibilities for whistleblowing, with relevant duties
also following for BAC and BRC (see Sections 2,3,4).

6.4.2 To illustrate the individual and collective roles:

a) Executives and managers prepare reports on the effectiveness of whistleblowing
systems and controls for the Board;

b) The NED Whistle blowing Champion (if it exists), is responsible for ensuring
that a report is made to the Board at least annually, and may comment on its
adequacy and quality in preparation;

c) If no NED Whistle blowing Champion exists, the Board must still ensure a report
is made to the Board at least annually; and

d) The whole Board will consider the report and decide as a Board what action, if
any, to take in light of the report.

Collective Board Responsibility

6.4.3 The Board has three overall tasks to perform in enabling it to do its job of holding those
in the company to account for enabling, responding to, and learning from,
whistleblowing. All of these tasks involve the basic Board skill of knowing how their
Executives are likely to think and act, and to be ready supportively to oversee, and
rigorously to challenge, their decisions and actions:

i. Maintaining focus on whistleblowing and being alert to any issues which are
serious enough to be shared with the Board, which do harm to people, finance,
operations and reputation, and have not surfaced through whistleblowing even
though they could have done so. The role of the Board (and BAC) is to provide
excellent challenge and interrogation to whistleblowing data, the quality of
investigations and effectiveness of whistleblowing processes, in ways which
encourage people to speak up.

ii. Ensuring the Board is not complacent, is open to new perspectives, will carefully
consider criticism of current practices and is curious to learn. If the Board can
develop these attributes, then it will be more likely to engender a similar outlook
in the Executive, encouraging them to be more inclined to be open with their
NED colleagues. Whistle blowing by its nature is likely to disclose allegations or
evidence of wrongdoing, which are unpalatable or threatening to some people. A
natural defensiveness from those who feel threatened is to be expected. It is very
important the Board is not pulled into a defensive stance, and keeps an open mind
on the matters raised, whilst still being both supportive and interrogative with the
Executive.

iii. Appreciating how whistleblowers are treated, their lived experience and how
whistleblowing is handled. How people see whistleblowing being handled
affects whether others will speak up. When managers are asked about the
experience of whistleblowing they may answer along the lines of ‘we’re one big
team here, everyone can speak freely’, whereas closer investigation may show
bias in the whistleblowing process, with not all voices treated equally and some
staff groups ‘counting’ more than others. Understanding the reality means being
curious about a wider range of information than the summary of cases brought to
the Board. This will be helped if NEDs make occasional visits to meet people
outside the Board room, dropping into various company activities or asking to see
evidence of anonymised responses to whistleblowers. This will give different
perspectives on what is going on, whilst demonstrating they understand their
governance role in overseeing, but not encroaching on the Executive’s role.

61 See Annex A, Section 1.16.
62 See Annex A, Sections 1.7a, 1.9 and 2.0.

Culture and Behaviour

6.4.4 All the ways in which the Board, its members and its committees, approach and govern
whistle blowing will have a profound effect on how the culture of the company is
experienced and the inclination of everyone to relate and report wrongdoing, as well as
real and potentially bad news, which may not be the result of whistle blowing.

6.4.5 It is an ill-defined responsibility, implicit in their governance function, for Boards to be
alert to cues which indicate how the Executive is likely to approach whistle-blowing
incidents as reported to them, and how they are likely to report to the Board. This is
further discussed in Section 8.4 Culture.

63 See Annex A, Section 1.16.

6.5 Questions Arising from Section 6 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which ran
and oversaw POC/L. The questions below are taken to apply to all relevant organisations in the
chronology.

The Role of the Executive

6.5.1 What policies and arrangements for whistle blowing existed? How, if at all, did they
change over the relevant period?

6.5.2 Did the Executive seek to understand the perception of whistle blowing in their
organisation?

The Role of the Board

6.5.3 Did the Board/BAC ask for, and receive, information on whistleblowing?

6.5.4 Who led for whistleblowing on the Board?

Whistleblowing, with Specific Regard to Horizon and / or SPM Issues

6.5.5 How could SPMs raise any concerns about wrongdoing in POC/L?

6.5.6 Is there a record of whistle blowing cases which referenced Horizon?

a) Who reviewed such reports/record and with what consequences?

6.5.7 Is there a record of whistle blowing cases which referenced SPM issues?

a) Who reviewed such reports/record and with what consequences?


7 Stakeholder Management

7.1 Introduction

7.1.1 All organisations exist in a landscape in which there are external stakeholders who are not
directly employed by the organisation, and internal stakeholders who, although employed
by the organisation, are not directly part of its governance. ‘Stakeholders’ are defined by
their belief, and/or the fact, that they have a stake or an interest in what the organisation
does, i.e. its business, how it does it in the present, and what it may or will do in the
future.

Internal stakeholders typically include:

a) Employees who may see themselves, or be seen as, a single group with common
interests or as members of several groups (e.g. general workforce, specialists, middle
management);

b) The elected or designated internal representatives of employees in trade unions or
other associations.

External stakeholders typically include:

a) Customers/ clients who ‘buy’ goods and services through sales from the
organisation;

b) Suppliers of goods, equipment, and services (including professional services of
audit, legal, management and technical consultancies) to the organisation;

c) Distributors of goods and services provided by the organisation;

d) Funders through grants/ subsidies (e.g. government, charities and other bodies);
e) Funders through equity (stock investors, owners);

f) Funders through debt (banks and other creditors);

g) Trade unions or other associations who represent employees;

h) Regulators and law officers; and

i) Representatives of ‘public opinion’, citizen ‘watchdogs’ and media
commentators.

Stakeholder management, as an identified activity for Boards and Executives, has grown
as a subject for attention in the last 30 years, even though it has always been implicit in
governing and running companies. This trend has come with increasing sophistication in
risk management, and more recently, increasing emphasis on the importance of Boards
taking account of non-financial, workforce related and wider considerations like
sustainability, human rights and equality. For organisations which are wholly owned by
the government, the emphasis on wider public interests is more likely to have an impact.

7.1.5 For example, in POL, securing a universal network of post offices is a public good and a
policy goal of great interest to the government, whereas it may not sit easily with the
corporate strategic objective to run an efficient network.

7.2 Identifying Important Stakeholders

7.2.1 The list of stakeholders which a Board or Executive is required to consult, or report to, is
usually short, and limited by specific laws and regulations. Examples are reporting to
shareholders, consulting with recognised trade unions, or negotiating on the terms of
specific contracts with suppliers, customers or employees.

7.2.2 Nonetheless it is considered good practice for Boards and Executives to pay attention to
key stakeholder relationships, beyond specific requirements, for the simple reason that
their capacity to deliver their company’s strategic goals and to run the company depends
in part on building good stakeholder relationships.

7.2.3 A Board’s or Executive’s attention will focus on stakeholders who:

a) Have rights in law to be consulted and to receive reports;

b) Are powerful, with strength which can significantly impact the organisation’s
financial performance, growth, or reputation. The power of any stakeholder rests
in part in law and contract, and often reflects the ease with which they can be
replaced, and the strength of their voice in the Board room, in media, and in other
contexts, where their views can positively or negatively impact the organisation.

7.3 Considerations in Stakeholder Relations

7.3.1 Once a stakeholder is identified as one who must, or should, not be ignored, the following
considerations come into play, although not usually in a formal explicit way:

a) Strength and Base of Relationship:

i. Power: source and strength (e.g. market scarcity, the law);
ii. Influence: source and strength (e.g. history, connections); and
iii. Legitimacy: the basis of their ‘right’ to be involved.

b) Interests: Aligned, Conflicting, Unrelated:

i. Areas of conflict/ compatibility/ complementarity/ synergy of interests,
goals and priorities;
ii. Inclination to support, delay, obstruct each other’s goals;
iii. Compatibility of perceived risks, and their mitigation;

See Annex A, Section 1.1.
65 See Annex A, Sections 1.1, 1.2, 1.6, 1.7a, 1.18 and 1.19 for illustrative guidance on stakeholder engagement.


iv. Sources of tension in the relationship on either side; and
v. On balance, are they allies, enemies or bystanders?

c) Impact: Positive, Negative, Neutral:

i. Contribution of technical, human, financial, reputational resources/
networks?
ii. How scarce is their resource, are there multiple alternative suppliers?
iii. Relevant knowledge: What? How much? How crucial?
iv. Relationships, networks and coalitions: how do they fit within the wider
network of stakeholder relationships of allies, enemies and bystanders?

d) Mechanisms for Management:

i. Communications: formal and informal means of maintaining two-way
communications? Are the topics constrained by law or regulation?

ii. Raising concerns: opportunities, encouragement, discouragement for
either party to raise concerns, highlight tensions or report major
problems?

iii. Planning: mechanisms for sharing plans and seeking views?

iv. Conflict: mechanisms for identifying and resolving conflict?

e) Culture and History:

i. What assumptions have grown and prevail about each party’s integrity
and honesty, competence, skills, sense of common purpose?

ii. Is the relationship governed by contract? And if so, where does it stand
on a scale from exclusively transactional (governed solely by contract,
with each party believing they should maximise their separate benefit), to
being part of a wider relationship in which specific contractual
obligations are a part?

iii. Whether governed by contract or not, is the relationship seen as one in
which there is scope/ expectation for the parties to work to a common
purpose?

iv. Trust: is either or both parties trusted by the other?

7.3.2 The list above illustrates the complexities and choices involved in stakeholder
management. It is not prescribed in any code, and it is not exhaustive in practice. It
indicates the sorts of considerations which are made, often in piecemeal ways by
Executives and Boards. These considerations over time become part of the culture. (See
section 8.4).

7.4 Managing Stakeholders: The Role of the Executive

7.4.1 Stakeholder management is a key part of the Executive’s responsibility to run the
business to achieve the company’s goals. The Executive makes implicit or explicit
choices about with whom, and how, to build relationships, and who internally will be in
the ‘front’ line of relationship management and maintenance. This is rarely formalised.
Some relationships will fit into functional responsibilities (e.g. HR leading on
relationships with trade unions, PR with media, operations specialists with IT suppliers,
investor relations with shareholders), others will be led by line management (e.g. for
workforce and suppliers), and others will go with specific accountabilities (e.g.
Accounting Officer for Government, contract management for contractors).

7.4.2 It is generally considered good practice that specific functional relationships will not
absolve ‘line’ management from creating and maintaining relationships in the normal
course of their business.

7.4.3 The higher up the organisation one goes, the wider and more diverse the stakeholder
landscape and the greater the inclination to delegate and to make choices about ‘relative
importance’.

7.4.4 When there are multiple points of contact with any one stakeholder, the Executive should
pay attention to the extent to which information is shared and synthesised within the
company and should maintain an eye to omissions in communication to avoid an
assumption that ‘someone’ else is dealing with, or knows, something, which ends up
being ignored by all.

7.5 Stakeholder Relationships: The Role of the Board

7.5.1 As with all areas of Executive responsibility, the Board has a responsibility to oversee
how the Executive is managing key stakeholders and to call the Executive to account for
any problems. For example, if, through BAC or BRC, the Board was to find that internal
controls governing reporting and control of third-party suppliers are not working as they
should, it would expect the Executive to put in place remedial action and to report back
on the matter. Given the organisation’s stakeholder landscape is wide, the Board needs to
maintain a wide interest in the Executive’s performance in stakeholder management and
keep an eye out for unexpected developments.

7.5.2 At the same time, the Board itself will hold some key relationships and there should be
clarity and good communications between those involved. For example, the Group Chair
of a listed company would be expected to have relationships with large shareholders and
with the Chairs of wholly owned subsidiaries. If there is a major supplier contract, the
Chair would probably want to open up direct communications with the Chair of the
supplier. If there is a wholly owned subsidiary company, with a Board, it would be
reasonable to expect the Chairs of parent and subsidiary Boards to have open
communications. Other relationships will be led by other Board members, e.g. the Chair
of BAC with the lead partner of the External Auditor; or the Chair of Remuneration
committee in direct contact with large shareholders or their representatives, in order to
explain remuneration policy and its application in remuneration decisions.

7.5.3 These Board level relationships are often informal and not part of any formal governance
arrangements. Their existence means there are already open channels of communication if
tensions and problems arise. They do not always exist, and they are not always successful
in alleviating tensions and solving problems.⁶⁷

66 See Annex A, Sections 1.1, 1.2, 1.4a, 1.4b, 1.6, 1.7a, 2.1, 2.2 and 2.3.
67 See Annex A, Sections 1.4b, 1.6, 1.7a and 1.11.


7.6 Key Stakeholders in the POC/L

7.6.1 As there is no guide/ code for identifying and managing stakeholders, those involved in
any context make their own decisions about how best to navigate the stakeholder
landscape.

7.6.2 Taking the relevant period 1999-2019, and the matters before the POHI, three external
stakeholders stand out for attention:

a) The government, and its representatives, as owner;
b) Fujitsu as key supplier contractor; and

c) SPMs.

7.6.3 Building on the list of considerations in stakeholder relations (7.3 above), questions
which are relevant to POHI are identified for each of these three stakeholders.

7.7 Questions Arising from Section 7 relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which ran
and oversaw POC/L. The questions below are taken to apply to all relevant organisations in the
chronology.

The Government

7.7.1 The government, albeit at arm’s length, was the only shareholder in POC/L.

7.7.2 The government dealt with POC/L through intermediary oversight and ownership entities,
as shown in Annex B and Section 1.6. At any one time there were relationships with up to
four levels.

7.7.3 The questions below relate to characteristics of the relationships within this quartet of
levels.

a) Strategic Interest and Goals
i. Were the interests and goals of the POC/L and the Government aligned?
If there was divergence, was this discussed? And were suggestions made
for resolution?

ii. Even if they went unvoiced, were tensions between strategies and goals,
and conflicts of interest, identified?

b) Power and Authority


i. Once the strategy and goals were known, did the POC/L at Level 1 feel
and act as if it were relatively independent, or were its operations subject
to detailed scrutiny and instruction from the government or its
representatives?

c) Maintaining Relationships

i. Which roles in the Executives and Boards at each of the 4 levels were
expected to maintain an appropriate relationship with the others?

ii. Was the nature of any of these relationships ever discussed in Boards?

Fujitsu

7.7.4 Fujitsu was a key major contractor.

7.7.5 The Horizon IT system contract was highly material to delivering the strategy and
operations of the PO, and, we assume, highly material to Fujitsu’s financial performance
and reputation. Each had a great deal invested in the relationship. Relative power
depended on the nature of the contract, and symmetry (or not) of knowledge of the
progress and problems.

7.7.6 The questions below relate to characteristics of the relationships between POB
organisations identified in Annex B and Fujitsu:

a) Contract

i. What was the nature of the contract and the legitimacy, rights, and duties
of each side?

ii. To what extent did the contract enable the interests and goals of PO and
Fujitsu to be aligned?

b) Authority and Accountability
i. What were the rights of each party to knowledge of progress and
problems, and to meet the financial and operational consequences of
problems?

ii. What were the sources of power and authority in the relationships with
Fujitsu?

iii. When inevitable tensions arose between the parties, how were they
resolved/ mitigated?

c) Board Oversight

i. How was Board oversight maintained, relations built and any identified
problems interrogated?


Sub Post Masters

7.7.7 POC/L was highly dependent on the network of SPMs for delivery of its operations. The
SPMs were dependent on the POC/L for their capacity to run a PO.

7.7.8 The questions below relate to characteristics of the relationships between POC/L and
SPMs, and in so far as they were involved, the other 3 levels identified in Annex B:

a) Goals and Interests

i. In what ways were the goals and strategies of SPMs aligned with the
goals and strategies of the POC/L?

ii. Was any attention given to addressing tensions in the relationship?

i. Was there a scarcity of people who wanted to be SPMs?
ii. Could SPMs speak with an independent collective voice in negotiations
or raising concerns?

c) Contract Conditions
i. How was risk in the contract divided between SPMs and PO?

ii. Arrangements for Training and Induction of SPMs.

d) Communication

i. POC/L communications: normally ‘two-way’, ‘down’, ‘across’ or ‘up’ to
SPMs?

ii. Reporting about relations with SPMs from POC/L to other levels of
accountability in Annex B? To whom? About what?

iii. Opportunities, encouragement, discouragement for SPMs and any other
party to raise concerns, highlight tensions, report major problems?

iv. Position within the wider POC/L organisation: which levels and functions
typically interacted with SPMs or their representatives?

e) Place in POC/L Culture

i. What attitudes and beliefs prevailed about SPMs’ skills, integrity,
motivation, honesty, competence, and replaceability?

ii. Degree of trust assumed in the SPM/POC/L relationship?


8 Experiencing Governance and Management
8.1 Introduction

8.1.1 Sections 1-7 have been constructed around the scaffolding provided by the laws and
codes which deal with the governance and management of companies in private and
public hands (Annex A), paying particular attention to the accountability relationships
current in POB during the relevant period (Annex B).

8.1.2 Section 8 takes a different perspective. It addresses governance and management from an
experiential perspective. It discusses concepts to highlight the actual experience of
working, managing and governing in POC/L and associated organisations as outlined in
Annex B.

8.1.3 It has 4 sub-sections:

a) Authority, Power, Interest, Influence and Conflict;
b) Leadership;
c) Culture; and
d) Communication.

8.1.4 Each of these concepts is important in illuminating how the accountabilities and expected
practices which are at the heart of governance and management and described in Sections
1-7, become part of the lived reality of companies.

8.2 Authority, Power, Interest, Influence and Conflict
Authority

8.2.1 Authority derives directly from formal structures of roles and relationships, controls, and
systems. It has face value validity in formal titles and positions. For example, Chair,
CEO, NED, or Head of specialist IT function has authority to act and to take decisions as
specified in various documents for someone in their position. Authority bestows a
legitimacy to act within codes of governance and management. It provides the basis of
accountability (Section 2).

Power

8.2.2 Power is related to authority, but it is not an exact replication, as there are sources of
power which are beyond formal authority and their relationship to authority may be
consistent, opposite, or independent. Sources of power, beside or beyond authority, may
be considered in three categories:

a) The first is the provision, control and access to scarce and valued human, social,
financial, and material resources.


b) The second is force, punishment, and negative sanctions. There is some linkage
between these two: withholding the first, e.g. by denying promotion or restricting
access to essential technical problem-solving skills, may provide the base for the
second.

c) The third source of power is in the characteristics of individuals: their personality,
powers of persuasion, reputation and what may be called ‘charisma’ or personal
capacities (irrespective of resources or force) to get others to follow.

8.2.3 These 3 generic sources of power are not necessarily related to legitimate authority
structures, although there are often links, particularly when it comes to the first, namely
the provision, control, and access to scarce and valued resources, which is often aligned
to authority structures.

Power and Authority

8.2.4 Power and authority can be viewed together as providing the capacity in a company to
secure decisions, to take actions and to get others to play a part in enabling these
decisions or actions. Whereas authority is vested in formal structures of legitimacy, power
strays beyond the confines of legitimate authority, and may extend to the capacity to
create situations in which formal accountability may be obscured.

8.2.5 Legitimate authority is predicated on a view that the structures in which it is embedded
are designed to create conditions in which the organisation will be effective, and in which
conflicts of personal interest will be transparently managed.

8.2.6 Power has no such foundation and indeed may create conditions which are aligned with
interests which are not those of the company. Company interests are based in approved
corporate strategies and operational plans. Power can be used to pursue other interests
(including self-interests) which may negate, frustrate or impede the interests of the
company.

Power and Conflict

8.2.7 Power and conflict interact in a fundamental way. Power is a property of social
relationships, in situations where there is some divergence of, and conflict between, those
involved. Conflict in companies may arise over who is going to make a decision or take
an action; and over who is able to forward options to be considered or to set the agenda. If
there is complete unanimity (no conflict) on both points, power is redundant, because
there is agreement on who legitimately has the authority in that given situation to take the
decision or action, and agreement on who legitimately has the authority in that given
situation to put forward options for consideration and set the agenda. This emphasises the
importance of having clear lines of authority and accountability as setting the context in
which decisions and actions are taken.

Interests
8.2.8 Power relationships may be exposed, or hidden when the voices, desires, or interests of
one party are frustrated by the decisions, actions, interests of another party. Power play
may be particularly evident in organisations where there is a lack of clear lines of
authority and an opaqueness or major disagreement about the company’s strategies and
operational plans.

8.2.9 In such situations it is unclear what is really in, and not in, the company’s interests, as
well as being unclear about how such conflicts will be resolved. Advancing ‘other
interests’ may also be thought to relate to individual or group ‘self-interest’, as well as
advancing alternative views of what is in the company’s best interests. Without a clear
strategy, which is well communicated throughout the organisation, and without clear lines
of accountability, there is plenty of scope for power play and conflict to become
embedded and inhibit effective decision making and operational performance.

8.2.10 Codes of governance and conduct stress the vital importance of having clear policies on
declaring and handling conflicts of interest, which are implemented and regularly
reviewed.

Influence

8.2.11 Influence can be viewed as the process by which the views and preferences of dissenting
voices become aligned with those of another party or parties and thus agreement is
reached without any exercise of authority or overt power.

Overt and Covert Power and Influence

8.2.12 The phrase ‘overt power’ is a reminder that conflicts of interest are not always manifest in
open disagreement or contradictory actions.

8.2.13 Dawson describes five scenarios created by different conditions of overt or covert
expressions of conflict, the exercise of power and the extent to which there is shared and
symmetrical knowledge about the issue.⁶⁸ In the first scenario, there are overt expressions
of conflict, shared and symmetrical knowledge about the issue on which there are
conflicting views, and each interested party will/can press its own interest. This, together
with a clear strategy and plan, lays the foundations for an effective process of decision
making and operations.

8.2.14 There are 4 more scenarios (2 to 5) of increasing degrees of covertness of conflict and
power which interact with access to relevant information. In Scenarios 2 and 3, there is
full symmetrical knowledge of the issue, but some parties choose not to speak their views
or press their interests. Two reasons normally prevail here. The second scenario returns to
the concept of legitimate authority in that although parties disagree with the position
taken by others, and may suffer some damage from it, they consider that the other parties
are legitimately in ‘authority’ over them and therefore they have no legitimacy to
challenge and so they keep quiet. In the third scenario the decision is taken not to press an
alternative view because of fear of consequences, for example, they will lose the
argument anyway, they won’t be given a fair hearing, they will jeopardise some other,
more important, aspect of their personal position, or they will suffer reputational damage,
and so they keep quiet.

8.2.15 A greater degree of covertness is found in the fourth scenario where the issue is not
known or fully understood by at least one of the parties. This may reflect the intentions of
others to keep information from them, or it may be that they have simply not been in the
communication flows where the issue is known. Whatever the cause of knowledge
asymmetry, some parties are excluded (sometimes deliberately, sometimes not) from
pressing their interest and raising their voice, because they do not have any or much
knowledge about what is going on and miss the opportunity to press their interests.

68 Figure 7.1, Dawson, Analysing Organisations, 1986.

8.2.16 The most obscure forms of power and conflict (the fifth scenario) are found embedded
within the prevailing culture. In this scenario, the ‘issue’ which would be contested if it
were seen and understood, is simply not raised or discussed; it is part of the taken for
granted assumptions of how an organisation operates. Information is ‘institutionally’
obscured and in so doing, excluded parties are disadvantaged in ways of which they are
ignorant. Following Bachrach and Baratz, whose studies of political institutions can be
directly read into work organisations, this is sometimes known as ‘non decision making’
which is ‘the practice of limiting the scope of actual decision making to safe issues by
manipulating the dominant community values, myths and political institutions and
procedures’.

8.2.17 There is no reason why academic analyses of power and conflict should be known by
Boards and Senior Executives in companies. However, the underlying principles of
coherence of strategy, clarity of accountability, articulation of the company’s purpose, a
culture of openness, transparency, challenging assumptions, curiosity and listening which
we have discussed in the preceding sections draw attention to the role of Boards and
Senior Executives in living these principles. People at all levels in the company know
through their experience whether authority is respected as legitimate, whether people are
held to account for their actions, whether there is much political intrigue and power play,
whether assumptions are challenged, whether contrary voices are heard and even sought,
and whether there is open discussion of major issues including considerations of
anticipated and unanticipated consequences which may seriously damage the company,
its workforce or external stakeholders. Paradoxically against a background of clear
coherent strategies and structures, an open debate in which many voices may be heard,
can lead to everyone coming together and supporting the decisions which are made.

8.2.18 Similarly, it is reasonable to expect the Board and Senior Executives to be alert to
patterns of power and influence within their organisations, which are outside the
legitimate authority structures and lead to the unusual dominance, isolation, or
subjugation of any part, or parts, of the organisation.

Questions arising from Section 8.2 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which ran
and oversaw POC/L. The questions below are taken to apply to all relevant organisations in the
chronology.

8.2.19 Where do we find knowledge, interest or curiosity in understanding the situation of SPMs
who were contesting their convictions or civil claims?

8.2.20 What were the authority and power relations between SPMs (either individually or
collectively) and those in POC/L to whom they were accountable?

69 1963, p632.
70 Quoted in Dawson 1986, p 152.


8.2.21 What were the authority and power relations between SPMs (either individually or
collectively) and those in POC/L with whom they routinely dealt?

8.2.22 Where and over what was there conflict between the 4 levels of accountability
summarised in Annex B?

8.2.23 In what ways were the strategic interests of each of the organisations identified in Annex
B aligned or misaligned?

8.3 Leadership
Introduction

8.3.1 Leadership is a word found in almost every discussion about management and
governance. It is the subject of many definitions, thousands of books, articles and papers,
hundreds of testing tools, and features as a set of skills in nearly all job specifications for
middle and senior level appointments in most organisations.

8.3.2 As a topic in personal training and development, it is often said that leadership is not
necessarily synonymous with formal position; that leadership can be embodied by anyone
who is practicing the art of getting others to come with them (the leader) to achieve
something or make changes they (the ‘others’) may not otherwise choose to do.

8.3.3 For this report however, we are dealing with a much more restricted focus on the
behaviours and attitudes of those who were ‘in charge’, because they held formal
‘leadership’ positions as Board members, Executives, and managers in the relevant
organisations. In Section 2 on accountability, we dealt with the formal expectations
associated with these leadership roles. In this section we deal with how the behaviours
and attitudes of people in formal leadership roles are experienced by those who are junior
to them.

The Leadership Impact of those in Senior Leadership Positions

8.3.4 We are interested in the set of behaviours, attitudes, and beliefs which the senior leaders
in the organisations described in Annex B displayed (whether intentionally or not), and
the impact of their behaviours, attitudes and beliefs on others. For example, leadership
may be experienced:

a) As dictatorial (being told the task, what to do and feeling no opportunity to
question or alter the commands, or broaden or redefine the nature of the task);

b) As consultative (being asked for views on the task in hand and having
suggestions being considered before being told what to do); or

c) As empowering (being given a task, and support and autonomy in deciding how
to undertake it or redefine it).


8.3.5 Leadership may also be seen as ‘effective’, ‘good’, ‘strong’, or ‘ineffective’, ‘poor’,
‘weak’. The prevailing subjective view of what is ‘effective’, ‘good’, and ‘strong’
changes over time and space; it is context specific and is much influenced by prevailing
beliefs in wider society, experience of leadership in organisations which have delivered
and sustained strong performance, external commentary, and the results of research on the
leadership behaviours, attitudes and beliefs which will deliver better performance.

8.3.6 What can be said for all times is that the impact of leadership (in whatever guise) is
always present. People will always be looking at what those ‘above them’ are doing, how
they are doing it and draw their own conclusions about what this means for how they
should and will behave and act. In most organisations there are documents and procedures
which describe what and why the organisation has done, is doing and will do in the
future. People’s experience of leadership reveals to them what they come to believe the
organisation is really doing and seeking to do.

8.3.7 Here are 5 illustrative examples of the real impact of leaders in formal positions of
authority:

a) Whilst there will be statements about an organisation’s purpose, vision, priorities
and direction, people’s experience of their leaders will show them what is really
important;

b) Whilst there will be statements of values and principles, the leader’s behaviour
and attitudes will show which values and principles are really rewarded,
encouraged, discouraged, or sanctioned;

c) Whilst there will be procedures for handling failures and problems, the leaders’
actual response when problems arise, or there are identified failures, or there are
implicit hints of problems/failures, will show if there is likely to be a quick jump
to blame, or to learn lessons, or to close down discussion, or to open up a broad
investigation;

d) Whilst there will be many procedures and policies governing employment, and
there may be a ‘people strategy’, members of the workforce will experience the
reality of these procedures through their interactions with their leaders; and

e) Whilst there will be clear procedures for the identification, reporting,
management and mitigation of risk, people’s experience of their leaders’
engagement with risk, will show them if these risk processes are mainly tick box
exercises, or living management tools which may lead to reassessment of risks.

8.3.8 It is for the CEO and their senior team to decide the leadership style they believe best
serves the organisation in any given time. Their decisions may be explicit or may simply
emerge from the way they behave. In making their choice they should be mindful of their
judgements about many things, including their employee expectations, experience and
skills profiles, the amount of discretion and autonomy people need to do their jobs
effectively, and the risk profile of the company.


Questions arising from Section 8.3 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which ran
and oversaw POC/L. The questions below are taken to apply to all relevant organisations in the
chronology.

8.3.9 What behaviours, attitudes and beliefs were believed to characterise those in leadership
positions in each of the organisations which ran and oversaw POC/L?

8.3.10 What was the impact on the POC/L of the behaviours, attitudes, and beliefs of those in
leadership positions in any of the other organisations in Annex B?

8.3.11 What was the impact of those in leadership positions in organisations which ran and
oversaw POC/L on:

a) The management of HORIZON;
b) The handling of investigations and prosecutions of SPMs; and

c) The SPMs’ claims of miscarriages of justice?

8.4 Culture
Introduction

8.4.1 Culture in an organisation refers to the collection of attitudes, values, behaviour, and
beliefs which characterise the everyday experience of employees and those who regularly
interact with companies as customers and suppliers. There is a strong overlap with the
experience people have of their senior leaders (section 8.3), but culture is broader than
that and embraces the whole organisation, as is illustrated by two examples.

8.4.2 Culture is experienced by employees when they feel encouraged to speak up on matters
of concern about someone’s conduct, knowing their bosses and colleagues will listen and
consider their views or, in a different culture, where they feel inhibited from speaking up
about their concerns, fearing that they themselves may be ignored, humiliated, or even
victimised.

8.4.3 In a second example culture is experienced by contractors when they feel welcomed into
a social environment which encourages collaborative joint problem solving with respect
for everyone’s views or, where they feel barely noticed and discouraged from making
suggestions.

8.4.4 These experiences are not constrained by formal statements or contractual terms. Indeed,
where experience and formal statements or contracts are contradictory, the experience
always triumphs in influencing what people think about the culture of their organisation.
Thus, in the first example (8.4.2), the experience of discouragement in the context of a
statement that the organisation is committed to ‘listening and learning’ contributes to an
experience of cynical alienation.

The Role of the Executive in Culture

8.4.5 The Executive’s role is to run the company in ways which will achieve the company’s
strategic goals. Culture, being the attitudes, values, behaviour and beliefs, which are
experienced in the company, is likely to have an impact on corporate performance. The
Executive has a responsibility to attempt to ensure that the company has a culture which
will support its strategy. However, whilst the Executive role in creating culture is crucial,
its very nature means that culture cannot be created or managed by the Executive alone.
This makes it especially important that the Executive seek ways to establish for itself the
real nature of the culture. This can be challenging, as enquiries instigated voluntarily may
reveal evidence which is unpalatable.

Statements, Experience, and Enquiry

8.4.6 Culture reflects what is said by Executives e.g. in publicised statements about the
company’s values, written codes of workplace conduct, formally reported structures and
control systems or contractual terms, but it is neither limited by these statements, nor
necessarily aligned with them. A statement that ‘we are a learning organisation always
eager to improve’, may actually be experienced as ‘they say they want our ideas, but no-
one ever listens to us’.

8.4.7 Where the experience does not reinforce the statement, especially if the experience is on
the negative side of the statement, the experienced culture may lead to cynical
disengagement from what is seen as hypocritical or disinterested leadership. In cases
where there is no misalignment and the experience matches or even exceeds the rhetoric,
the culture is an asset creating a shared commitment to promulgated values and codes of
conduct.

8.4.8 Executives who want to look beyond their rhetoric to find ways to check the experience
of the people in their company may do this by inviting candid feedback from their
subordinates in situations where there is no indication that negative feedback will elicit a
‘punishing’ response; or by seeking the results of independently conducted anonymised
staff or customer or contractor feedback and satisfaction surveys; or by independently
conducted 360 degree feedback, or simply having their ‘eyes and ears’ open to what is
going on.

8.4.9 Even if there are no statements about values (as was normally the case 40 or so years ago)
culture still exists, but without the added dimension of comparison with what is said or
written.

Status and Stories

8.4.10 A good indicator of culture is the stories of those who are congratulated or ignored when
there are corporate gatherings or other opportunities for collective social activity. These
will reveal what, or who, is highly valued and may influence many people’s future
behaviour.

8.4.11 It is not unusual for stories and stereotypes about particular groups in a company to
become part of the culture, even though there is no basis in anything written or planned.
Examples of shared beliefs include: ‘W group is very aloof’ or ‘X group is very clever but
they are really helpful if you ask them’ or ‘no one ever stays long in Y group’ or ‘be
careful you can’t really trust Z group’. Such beliefs are built over time and reflect, inter
alia, the nature of people’s work and careers as well as reflecting some of the issues of
power and interest discussed in section 8.2. They do not necessarily reflect the reality, but
they are real in their consequences. It is for the Executive to look beyond these
stereotypes, to establish the reality in any area of the company and then, if they can, to
address their root foundations and ensure standards of conduct and openness are upheld.

8.4.12 If left unchallenged, inaccurate and unhelpful stereotypes continue; some groups are
unfairly ignored, others are unfairly championed.

8.4.13 A set of such assumptions may incline authority (at any level) to privilege the views and
positions of certain groups who may be the subject of complaint because they are seen as
more important to the business than others, more trustworthy than others, more invested
in the core business or some other reason. Similarly, a set of assumptions may incline
authority (at any level) to disregard the views, raised concerns and positions of certain
groups who are deemed to be easily replaceable or untrustworthy or more attached to
their own interests which diverge from the interests of the company.

8.4.14 Not all Executives want to open themselves and their cultures to challenge, or to spend
the time and resources on understanding more about culture. They may feel the culture is
fine, or even if there are problems, they are relatively inconsequential or best left
undiscussed.

8.4.15 Good practice recognises that culture does matter and that Executives should seek ways to
investigate its impact and attempt, through their own example, to align it to support
corporate performance.

The Role of the Board in Culture
Board Oversight

8.4.16 As with all aspects of the operations of the company, the Board has a responsibility to
oversee, challenge and support the Executive’s role in securing whatever will achieve the
company’s strategic goals. Formal guidance relating to the Board’s specific role in
overseeing culture in an organisation is limited and generic. The Board has responsibility
for safeguarding the financial success of the company and other decisions are expected to
flow from this.

8.4.17 Many Executive teams will report on the cultural aspects of strategy only when they are
specifically asked about matters which can indicate culture, for example: workforce
perceptions of leadership in key areas, issues of talent acquisition and retention, staff
feedback and, more generically, whether aspects of culture pose any risk to the prospects
of the organisation.

8.4.18 The Board, however, may choose to require the Executive to undertake particular surveys
or use focus groups or other means to access culture. The fact it is not a required reporting
matter means that a NED scrutinising role may be critical. The Board may decide it wants
to ensure some direct NED oversight involvement in these activities.

8.4.19 The separation of roles of operations and oversight in respect of culture can be illustrated
in the context of Whistleblowing (see Section 6). NEDs should ask about the perception
of the whistleblowing processes and challenge whether the organisation is doing enough
to safeguard an open culture. The Executive are responsible for reporting whether and
how the whistleblowing processes are used, and for creating an open culture.

8.4.20 Discussions of other companies’ scandals and crises create an opportunity for Boards
collectively to consider whether they have sufficient oversight of the culture and, in
particular, to assure themselves that the organisation has suitable processes for listening
and detecting problems. The guidance produced by BEIS in 2015 (BEIS, 2015)
emphasises the need for these processes.⁷

Statements of Ethics and Conduct

8.4.21 Modern governance codes dating back to Cadbury (1992) reference the requirement
for Boards and management teams to have a shared expectation of the standards of
conduct expected of them and the Executive. The idea is that the Board should be able to
trust that the Executive have principles or ethical standards which may be written down,
so that a company Executive and its Board can recognise when such principles are being
followed or not.

8.4.22 Ethics statements provide a framework for behaviour within and by the organisation. The
practice of involving staff in developing such statements has grown over time so that
mutual expectations are set and understood, technically thereby making it easier for
anyone to call out behaviour which is misaligned with the company’s values and purpose.
Whether this happens or not, and whether the rhetoric of the statement is matched by
experience, are matters for the Board to consider.

The Culture of the Board Room

8.4.23 The Combined Codes (1998, 2003) guide the Chair to ensure the Board functions
effectively. The Board, and particularly its Chair, has an implied responsibility for
ensuring that the culture of the Board is fit for its purpose of fulfilling its role in
oversight, challenge, and support of the Executive.

8.4.24 This responsibility means enquiring into members’ experiences of the Board itself. For
example, do NEDs feel that the Chair allows sufficient time for discussion and challenge?
Are questions which challenge accepted ways of doing things encouraged? Are there
questions which probe people’s experience of behaviour and values in the company,
including the extent to which they are aligned to formal statements and the pursuit of the
company’s objectives?

8.4.25 The Board’s responsibilities for evaluating its own performance (see section 2) are
relevant at two levels. The effectiveness of the Board will depend to some extent on its
own culture, and its effectiveness as a Board, impacts its effectiveness in enquiring into
the nature of the culture of the company.

8.4.26 There are dangers that the culture of the Boardroom may discourage exactly the
behaviours which are identified as important in effective boards. For example: are
conformity, obedience to hierarchy or the peer process of group-think encouraged? This
can lead to the disregard of available evidence, a failure to look beyond accepted
available evidence, poor quality decision making and a very limited view of the Board’s
agenda. In contrast, if there is open debate, open horizon scanning, interrogation of
reports and challenge to accepted assumptions, within well managed meetings which give
time for discussion and yet ensure clear decisions are made, the quality of decision
making is likely to be enhanced.

⁷ See Annex A, Section 1.16.

8.4.27 A particular aspect of Board culture will be experiences of sharing bad news. It is always
in the company’s interests for the Board to be apprised of real, or potential, bad news.
However, if the Executive is fearful the Board will, as the Executive see it, over-react, and
the Executives will get disproportionately ‘sucked’ into the blame, they may be less
inclined to full disclosure.

8.4.28 Fear of consequences increases when the Executive(s) are actually aware they are
‘culpable’, so there may be an inclination to ‘cover up’. Even Executive teams in genuine
‘learning organisations’ with risk and learning at their core often find reporting bad news
to the Board difficult. The Chair and NEDs have a responsibility to establish that they will be
thoughtful and measured in their response to bad news: neither quick to blame, nor to
condone, but to investigate and support and come to the right decisions for the company.

Remuneration and Culture

8.4.29 The Board’s role, normally delegated to the Board Remuneration Committee (BRemC), is
to develop and implement the remuneration policy, as it applies to Senior Executives.
This becomes directly relevant to culture in so far as incentives and disincentives are built
into every remuneration policy and are likely to result in Executives giving priority to
some aspects of performance and behaviour, and less attention to others. The FRC
guidance (2016c) offers as ‘helpful advice’ that BRemC and the Board should regularly
assess culture and ensure alignment of Executive rewards with corporate culture. Such
advice should be heeded if the Board wishes to ensure that the incentives and
disincentives in remuneration reflect those which will serve the company’s interests. It
must think carefully if there are any unanticipated consequences which could skew
behaviour and culture.

8.4.30 The BRemC may also have a watching brief on the overall approach to remuneration for
the whole company, although this is not a requirement. In any case, the Board’s
operational oversight responsibilities should encompass knowledge of any particular
remuneration practices which are likely to impact the culture of the organisation. For
example, if there are bonus or commission arrangements, what sorts of behaviour do they
encourage?

Questions arising from Section 8.4 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which ran
and oversaw POC/L. The questions below are taken to apply to all relevant organisations in the
chronology.

On the Culture of their Organisations

8.4.31 When, if at all, did the Executives or Boards:

a) Have written statements on values, codes of conduct, and behaviours, which were
available to all employees?
b) Seek to gauge the culture of their organisation?
c) Review & report on policies & procedures for employee consultation or
‘speaking up’?
d) Review the impact of remuneration arrangements on the culture of the company?

8.4.32 What evidence is there of Executives or Boards:

a) Listening to views of those employed in their organisations?
b) Displaying curiosity to learn in ways which might challenge taken for granted
assumptions about the nature of problems?
c) Being open to consider the identification of problems and possible solutions in
non-hierarchical ways?
d) If faced with a problem or crisis, seeking to learn from other organisations or
from those with direct knowledge of the issues?

On the Culture Surrounding the Management of SPMs

8.4.33 What data about SPMs was regularly collected and what of that was regularly reported to
the Board? For example, did reports include:

a) SPM experiences of working with POL?

8.4.34 What evidence is there of institutional assumptions about SPMs:

a) Why (for what?) were SPMs valued?
b) SPM’s presumed motivations? E.g. direct financial benefits, collateral benefits
from sales of other products (e.g. groceries), services (e.g. dry cleaning), and
service to the community?
c) Was anything done to check assumed motivations?

8.4.35 How were SPMs managed and controlled?

a) Were there tight rules or some discretion?
b) What was their experience of management and oversight?
c) In what ways did their remuneration arrangements impact their behaviour?

On the Culture of the Boards

8.4.36 To what extent and how did they evaluate their own Board culture and address any
issues?

8.4.37 To what extent did they consider the impact of the remuneration policy for the culture of
their organisation?

8.4.38 Was there a culture of ‘attention to governance’, including paying attention to quality of
reporting, monitoring, scrutiny and problem solving?

8.5 Communications
Introduction

8.5.1 Communication is at minimum two-way. It requires a sender, or senders, of a message or
messages, and a recipient, or recipients, of a message or messages. Sending and receiving
what is apparently objectively the same message does not mean it will be heard or
understood in the same way by sender(s) and recipient(s). There are many filters which
impact sender or recipient understanding, for example, intentions, interests, assumptions,
anxieties, power differentials, authority differentials, level and nature of education, and
linguistic capabilities. Strong communications are where the recipient hears and
understands the message as intended by the sender. Strong communications in this sense
imply nothing about whether the recipient likes and supports the message, simply that
there has been no misunderstanding of what the message means.

8.5.2 Communications in companies can be formal or informal. Formal communications are
normally those which exist, or have existed, beyond the spoken word, in some form of
print media, and form part of the intentional systems and processes in any company. A
minority of formal communications may exist as recordings of the spoken word, for
example in a recorded announcement by the CEO or Chair, but such spoken forms would
normally be followed up with print versions. Formal communications may be required by
law or code, e.g. the Annual Report and Board minutes for listed companies; or voluntary
(e.g. staff newsletters and notices). There is less room for misunderstanding within formal
communications if they are received, but there are limited ways in which the sender can
give assurance that the communications have actually been received by all for whom they
were intended.

8.5.3 Informal communications are often spoken in direct or electronic conversations or
statements, as well as being written in print or social media. They may refer to formal
communications, whilst also including rumour about what will or has happened;
unsubstantiated and substantiated beliefs about what will or has happened; well-
intentioned, mischievous or malicious observations on matters and people in, and
associated with, the company, and a catch-all of what might be called ‘gossip’. The
evolving world of social media blurs the division of formal and informal
communications. It enables rumour, myth and legend to be more easily shared between
some groups but does not necessarily enable sharing between groups. It also carries with
it limited means of checking the veracity of the sender or the message. Nonetheless
informal communications can be very powerful in their impact. If they are believed,
whether objectively true or not, they are likely to be real in their consequences.

8.5.4 Whilst the Executive and middle management have limited capacity to control informal
communications, they need to ‘keep their eyes and ears open’ to hear them, by listening to
various informal conduits, e.g. those that flow through social circles and social media. They
need to be alert to prevailing attitudes and beliefs which are embedded in the culture of
the company and will act as a filter or magnifier for messages and set patterns for
communications flowing in the company. For example, it quickly becomes known
whether one is in, or dealing with, a company in which alternative views or bad news are
likely to be voiced and disclosed before there is no escape from them.

The Role of the Executive

8.5.5 Key parts of the Executive Role in communications are to:

a) Develop and maintain formal and informal communications internally within the
company, and externally with stakeholders, in ways which will support the
implementation of the strategy and effective operations;
b) Give assurance that internal systems and controls which require or promote good
communications are developed and maintained;
c) Pay particular regard to ensuring appropriate communications are established
with key stakeholders (see Section 7);
d) Attempt to ensure that the messages as sent in formal communications are
understood in the same way by recipients as by the senders;
e) Keep in touch with informal communications, so they may understand various
prevailing concerns, fears and hopes for the company, however ill-founded or
misguided they may regard such concerns, fears and hopes;
f) Realise that the culture of the company (which they have a key but not the
controlling part in creating, see section 8.4) will encourage particular patterns of
communications, including whether curiosity or challenge to taken for granted
assumptions is encouraged or discouraged; and
g) Whether early and accurate disclosure of bad news is expected/encouraged.

8.5.6 Within the Executive, the CEO has particular responsibility to ensure they:

a) Establish strong, open communications within their Executive team;
b) Play their part in establishing strong, open communications with the Chair;
c) Play their part in establishing strong, open communications with the NEDs;
d) Set expectations through their own example and through normal processes of
management that all managers will seek to ensure that:

i. The company’s mission, purpose and priorities are widely communicated
and understood;
ii. The structure of roles and responsibilities is widely communicated and
understood; and
iii. The company’s operational plans and priorities are widely communicated
and understood.

The Role of the Board

8.5.7 As with all areas of running the company, the Board has a role in overseeing whether
communications are effective and support the achievement of the organisation’s
objectives. They should be interested to understand the prevailing culture and how this
will act as a filter, distorter or magnifier of messages.

8.5.8 Communication between the Chair and the CEO is an important key to a well-functioning
Board. The CEO is the Chair’s main gateway to understanding what is going on in the
organisation. The Chair is the lead evaluator of the CEO’s performance. How this
dynamic develops over time will incline the CEO to patterns of response. It becomes
especially important when the CEO is in possession of what may be bad news for the
company, but there is imperfect knowledge about the matter, which is still unfolding, and
the potential crisis can only be glimpsed through a degree of ‘fog’ about the real situation.

8.5.9 Various responses are typical:

‘Let’s keep the bad news to ourselves and hope we can resolve it’.

‘We are in this together and we will share the bad news before it is too late or leaks
by other means’.

‘As we have this under control, there is no reason to alert the Chair outside our
normal interactions’.

‘There is no need to alert the Chair until we know more’.

8.5.10 The tenor of the response will reflect CEO judgements about the issue itself and the
likelihood of later and fuller discovery. But it will also be influenced by the culture of the
company, the personalities of the Chair and CEO, their past experience, the level of trust
established in their relationship, and the approach adopted by the NEDs.

8.5.11 Chairs and NEDs can also be important in picking up informal communications and
divergent views if they make visits ‘out and about’ the organisation, if they make and take
opportunities for informal discussions with other Executives and members of the
workforce and, if they have open informal and free flowing conversations with their
board colleagues.

8.5.12 As discussed in Section 7, the Chair and CEO are also important in establishing lines of
communication with external stakeholders.

Questions arising from Section 8.5 Relevant to POHI

NB Annex B provides the chronology of governance and management for the organisations which ran
and oversaw POC/L. The questions below are taken to apply to all relevant organisations in the
chronology.

Communications between Executives and their Boards

8.5.13 How did the Executive assure the Board that internal communications were fit for
purpose?

8.5.14 What was the experience of sharing ‘bad news’ with the Board?

8.5.15 What was the pattern and tenor of communications between the Board and the Executive
team?

8.5.16 What was the pattern and tenor of communications between the Chair and the CEO?

Communications within Boards

8.5.17 What was done to encourage NEDs to request, challenge and scrutinise data?

Communications concerning SPMs Activities

8.5.18 How would the Boards expect to have known if there were serious problems with, or in,
the SPM network?

ANNEX A

LAWS, GOVERNANCE CODES & GUIDANCE

This Annex summarises governance advice for Boards in private and public regimes from legal
requirements, published codes and guidance. We identify the most important messages in relation to
the actions we believe Boards in all organisations are advised to take to ensure good governance is
achieved.

It provides a chronology of the laws and guidance on governance of companies which applied during
the relevant period 1999-2019. The material is presented chronologically, split into columns. On the
left-hand side are the requirements and guidance which apply to companies, with special attention to
publicly listed companies. On the right-hand side are the requirements which apply to Central
Government (Departments, ALBs, other agencies) and companies which are wholly owned or
controlled by Government. The summary is further divided into the opening section which deals with
legal requirements, and the following section which deals with codes and guidance.

Formal Legal Requirements for Corporate Governance (left column, labelled ‘Corporate Governance column’ below) / Formal Legal Requirements that would apply to Public Corporations / Companies in Government (right column, labelled ‘Government column’ below)

1998

Corporate Governance column:

1.0 Public Interest and Disclosure Act – the law that protects whistle blowers from
negative treatment or unfair dismissal. PIDA is part of the Employment Rights Act (1996).

Government column:

2.0 Public Interest and Disclosure Act – the law that protects whistle blowers from
negative treatment or unfair dismissal. PIDA is part of the Employment Rights Act (1996).

2006

Corporate Governance column:

1.1 Companies Act 1985, 2006 – Legislation that has over 1300 sections and governs
companies in the UK in most aspects of how the company is run, covering public and
private companies.

The expected duties of company directors are laid out in a statutory statement as part of
the Act, detailing seven general aspects. They are:

a) To act within their powers as a company director
b) To promote the success of the company for the benefit of its members as a whole
c) To exercise independent judgement
d) To exercise reasonable care, skill and diligence
e) To avoid conflicts of interest
f) To not accept benefits from third parties
g) To declare interest in proposed arrangements or transactions with the company

For public companies, there are additional requirements in respect of annual accounts and
reports, such as environmental matters, social issues and any future development if the
company is listed on the London Stock Exchange (LSE) and specific requirements to
produce financial reports which are transparent, including disclosing any major
acquisition.

One of the most important sections of the 2006 Act is Section 172, which covers how a
company acts when promoting its success. It is the Directors’ responsibility to act in good
faith to promote the success of the company for the benefit of its shareholder as a whole,
including interests of employees and how the company affects customers, suppliers,
community and the environment.

Government column:

2.1 Companies Act 1985, 2006 – Covers companies in Government, i.e. incorporated
companies in which government is large or sole shareholder.

2006: Section 172, it is the Directors’ responsibility to act in good faith to promote the
success of the company for the benefit of its shareholder as a whole, including interests
of employees and how the company affects customers, suppliers, community and the
environment.

Corporate Codes and Guidance for Corporations (left column, labelled ‘Corporate Governance column’ below) / Codes and Guidance that might apply to Public Corporations and Companies in Government based on guidance to ALBs (right column, labelled ‘Government column’ below)

1992

Corporate Governance column:

Cadbury Code: based on Report of the Committee on The Financial Aspects of Corporate
Governance (Cadbury, 1992)

Set up in response to investors’ concerns at a string of scandals in listed companies. The
resultant Cadbury Code, the first Corporate Governance code in the world, set out the
basic principles of good corporate governance. Although the code wasn’t mandatory, the
‘comply or explain’ principle (the recommendation that companies state in their Annual
Report and Accounts whether they have complied with the Code or explain why not) has
proved enduring.

It focused on the control and reporting functions of Boards, and the role of auditors. It set
out good practice for the functioning of audit committees and the strengthening of internal
controls.

It included three recommendations which strengthen independent oversight of firm
performance on behalf of the shareholder:

a) The positions of CEO and Chair should be separated.
b) Boards should have at least three Non-Executive Directors (NEDs), two of whom should
have no financial personal ties to the Executives.
c) Each Board should have an audit committee, and this should be composed of NEDs.

The Cadbury Report was first to recognise the importance and role of the institutional
shareholders. It was noted that there is a need for greater director dialogue and
engagement with this group. From this dialogue would emerge a greater understanding of
the need to appreciate and respond to the needs of other stakeholders.

Government column: no entry.

1993, 1994: no entries in either column.

1995

Corporate Governance column:

Greenbury Code, derived from Report of the Study Group on Director’s Remuneration
(Greenbury, 1995)

Amended Cadbury to include a requirement for a Board to establish a Remuneration
Committee for Executive pay.

Government column:

2.2 Nolan Principles, derived from Report of Committee on Standards in Public Life
(Nolan, 1995)

1 Selflessness
2 Integrity
3 Objectivity
4 Accountability
5 Openness
6 Honesty
7 Leadership

1996, 1997: no entries in either column.

Page 95 of 133
EXPG0000006_R

1998

1998

14a

The Hampel Report (Hampel, 1998)

Reviewed Cadbury (111992) and
Greenbury(1995) and evaluated their
implementation. It advised against
prescriptive ‘box ticking’ and
recommended a single code incorporating
much of Cadbury and Greenbury.
Recommended the appointment of a
Senior Independent Non-Executive
Director (a SID).

1.4b

Combined Code of Corporate
Governance (FRC, 1998)

Derived from the Hampel(1998),
Cadbury(1992), and Greenbury(1995)
Reports. The Combined Code is
appended to the listing rules of the
London Stock Exchange. As such,
compliance with the code is mandatory
for all listed companies in the UK As
with previous codes it recognises the
separation of management from
shareholders and recommends a unitary
Board comprised of independent NEDs
and Executives. The principles support
strong financial controls. Specific
stipulations require the Board to maintain
a sound system of internal control to
safeguard shareholders’ investments and
the company’s assets. The directors
should at least annually, conduct a review
of the effectiveness of the group’s system
of internal control. Specifically, the main
principles cover:

Section 1: The Board

A.1: The Board: Every listed company
should be headed by an effective Board
which should lead and control the
company

A2: Chairman and CEO: There are two
key tasks at the top of every public
company ~ the running of the Board and
the Executive responsibility for the
running of the company’s business. There
should be a clear division of
responsibilities at the head of the
company which will ensure a balance of
power and authority, such that no one

Page 96 of 133
EXPG0000006_R

individual has unfettered powers of
decision making.

A3: Board balance: The Board should
include a balance of Executive and Non-
Executive Directors, such that no.
individual or small group of individuals
can dominate the Board’s decision
making.

Ad: Supply of information: The Board
should be supplied in a timely manner
with information in a form and of a
quality appropriate to enable it to
discharge its duties.

AS: Appointments to the Board: There
should be a formal and transparent
procedure for the appointment of new
directors to the Board.

AG: Re-election: All directors should be
required to submit themselves for re-
election at regular intervals and at least
every three years,

B: Directors’ Remuneration

B1: Level and make up of
Remuneration: Levels of remuneration
should be sufficient to attract and retain
the directors needed to run the company
successfully, but companies should avoid
paying more than is necessary for this
purpose. A proportion should be
structured so as to link rewards to
corporate and individual performance.

B2: Procedure: Companies should establish a formal and transparent procedure for developing policy on Executive remuneration and for fixing the remuneration packages of individual directors.

B3: Disclosure: The Company’s Annual Report should contain a statement of remuneration policy and details of the remuneration of each director.

C: Relations with Shareholders

C1: Dialogue with shareholders:
Companies should be ready, where
practicable, to enter into a dialogue with
institutional shareholders based on the
mutual understanding of objectives.

C2: Constructive use of AGM: Boards should use the AGM to communicate with private investors and encourage their participation.

D: Accountability and Audit

D1: Financial reporting: The Board
should present a balanced and
understandable assessment of the
company’s position and prospects.

D2: Internal Control: The Board should
maintain a sound system of internal
control to safeguard shareholders’
investment and the company’s assets.

D3: Audit Committee and Auditors:
The Board should establish formal and
transparent arrangements for considering
how they should apply the financial
reporting and internal control principles
and for maintaining an appropriate
relationship with the company’s auditors.

Section 2 — Institutional Shareholders

E1: Shareholder voting: Institutional
shareholders have a responsibility to
make considered use of their votes.

E2: Dialogue with companies:
Institutional shareholders should be
ready, where practicable, to enter into a
dialogue with companies based on the
mutual understanding of objectives.

E3: Evaluation of governance disclosures: When evaluating companies’ governance arrangements, particularly those relating to Board structure and composition, institutional investors should give due weight to all relevant factors drawn to their attention.

1999

Turnbull Guidance

Set out best practice on internal controls and risk management and provided guidelines for directors on how to meet their obligations in the Combined Code (1998). It was updated in 2005 and superseded by the FRC’s risk guidance in 2014.

2000

2001

1.6 Myners Code

Institutional investment and the importance of good shareholder relations and dialogue.

Principle 6 deals with transparency and reporting and outlines specific practical guidelines for stakeholder, particularly shareholder, communication:

a) Maintain a communication policy and strategy;

b) Ensure all required strategies and policies are published in a clear, transparent manner; and

c) Annual reports are a demonstration of accountability to stakeholders and should be comprehensive and readily available.

2.2a Management of Risk — A Strategic Overview, rapidly became known as The Orange Book (HM Treasury 2001)

The Orange Book, which is regularly updated, outlines how risks should be managed in the public sector; it deals with the assessment of the risks to projects and programmes, and considerations in securing the effectiveness of the actions taken to manage these risks. It frames risk and risk management for Accountable Officers in government as a requirement for the delivery of government objectives and sets risk within established frameworks and guidance for risk management and mitigation.

The Orange Book introduction states the need for greater risk management in central government because: ‘In successful organisations risk management enhances strategic planning and prioritisation’. It encourages more managed risk taking and guidance on risk control in government.
2002

2003

1.7a Combined Code on Corporate Governance (FRC 2003), updating the first Combined Code (1998), following the Review of audit committees by Sir Robert Smith (see 1.7b) and the Review of the role of NEDs by Higgs (see 1.7c). Includes main and supporting principles and provisions:

A. Companies:
The Board
Chairman and Chief Executive
Board balance and independence
Appointment to the Board
Information and Professional Development
Performance Evaluation
Re-election

B. Remuneration:
The level and make-up of remuneration
Procedure

C. Accountability and Audit:
Financial Reporting
Internal Control
Audit Committee and Auditors

D. Relations with shareholders:
Dialogue with Institutional Shareholders
Constructive use of the AGM

E. Institutional shareholders:
Dialogue with Companies
Evaluations of Governance Disclosures
Shareholder voting

The 2003 code introduces a new provision that audit committees should keep under review the whistleblowing procedures in the organisation.

1.7b Smith Guidance (Smith FRC 2003)

Addressed auditor independence and clarified the role and responsibilities of audit committees. The committee developed guidance for directors on audit committees, updated in 2016.

1.7c The Independent Review of Non-Executive Directors by Derek Higgs

Reviewed the role and effectiveness of NEDs, highlighting the importance of NED independence. The report influenced the Combined Code (2003), including the provision that at least half of the Board, excluding the Chair, should comprise independent NEDs. The FRC (2006) published good practice suggestions from the report, since adapted into the Guidance on Board Effectiveness (FRC 2018).

2004

2005

Internal Control: Revised Guidance for Directors on the Combined Code (FRC 2005)

Updated the Turnbull Guidance (1999); emphasised:

a) the importance of regular and systematic assessment of the risks facing the business;

b) the value of embedding risk management and internal control systems within business processes; and

c) the Board’s responsibility to make sure this happens.

2.3 Corporate Governance Code in Central Government Departments — Code of Good Practice (HM Treasury and Cabinet Office, 2005)

The government ‘borrows’ the principles of the corporate code, adapting them for the first time in order to codify good practice for Central Government Departments in relation to Governance, Board leadership, Board effectiveness and oversight of ALBs.

Main principles:

1. Parliamentary Accountability — the minister and the head of the department, its Accounting Officer (AO), are both responsible to Parliament.

Supporting Provisions: roles and responsibilities including confirmation of the AO role. The AO should establish a clear allocation of responsibilities. He or she retains personal responsibility and accountability to Parliament for:

a) Propriety and regularity;
b) Prudent and economical administration;
c) Avoidance of waste and extravagance;
d) Efficient and effective use of resources;
e) The organisation, staffing and management of the department; and
f) The deployment of Public Money and consideration of value for money.

The Board — Chaired by or under the direction of the Minister. Reminder of the need to act in keeping with Nolan principles.

Skills — a balance of skills and
experience relevant to directing the
business of the department.

Independent Non-Executives —
should be appointed by the head of
department to whom they are
accountable for their performance,
following ratification of the
selection by the Board as a whole.

On appointment an INED should
be provided with written terms of
reference including the
specification of his or her role, line
of accountability and terms of
appointment, informed of how his
or her performance will be
appraised and given an induction
program.

Internal Controls: an audit committee Chaired by an INED; an internal audit service.

ALBs: there should be robust governance arrangements in place with each ALB Board. Working relationships with ALBs should be based on good transparent relationships, good governance and shared interests in respect of value for money obligations. This reflects the spirit of transparency with shareholder communication in the Combined Code (2003).

Guidance on Whistleblowing (FCA)

Sets out the requirements on UK firms in relation to the adoption, and communication to UK-based employees, of appropriate internal procedures for handling reportable concerns made by whistleblowers as part of an effective risk management system. It sets out the role of whistleblowers’ champions.

2006

1.9b Suggestions for good practice from the Higgs Report (FRC 2006)

Included greater independence of the Board, and that at least half of the Board, excluding the Chair, should comprise independent NEDs.

2007

2008

1.10 Combined Code on Corporate Governance (FRC 2008)

Changes to the 2003 Combined Code included: removal of restrictions on Chairs Chairing more than one FTSE100 company; and, for smaller companies, the Chairman can be a member of the Audit Committee so long as s/he was considered independent on appointment.

2009

1.11a Walker Review (2009) of the banking crisis proposed changes to the Combined Code to strengthen the principles of stewardship and greater challenge in financial services, which were taken on by other sectors. Proposals for all large listed companies included:

Embedding ‘a culture of challenge’ into Boardroom behaviour:

a) Paying attention to Boardroom composition to gain industry expertise and independence;
b) Providing adequate support for NEDs, typically from the CoSec;
c) Highlighting the key role of the Chairman and the time commitment and leadership required; and
d) Professional training of Directors and evaluation of Board effectiveness.

The risk oversight role of the Board through the establishment of a Board Risk Committee.

Shareholders’ engagement with Boards should be strengthened, particularly in Remuneration processes and outcomes.

1.11b

Going Concern and Liquidity Risk:
Guidance for Directors of UK
Companies (FRC 2009)

One of the most important issues in
companies is the concept of ‘going
concern’. This guidance brings together
the requirements of the Companies Act
2006, accounting standards and the
Listing Rules on going concerns and
guidance for their application.

2010

1.12 Revised UK Corporate Governance Code (FRC 2010)

The code was strengthened in two areas:

a) Board diversity to encourage
Boards to be well balanced and
avoid ‘group think’. New
principles on Board composition
and selection were added,
including the need to appoint
directors on merit, against
objective criteria and with due
regard to the benefits of
diversity, including gender.

b) Risk recommendations were made against the backdrop of the Walker Review (2009) and the banking, financial and economic crisis, including that the Board should be responsible for determining the nature and extent of the significant risks it is willing to take and a requirement to present thinking on going concern.

2011

2.4 Corporate Governance Code Central Govt Departments — Code of Good Practice (HM Treasury and Cabinet Office, 2011)

The 2005 version of the Code was revised
by Francis Maude, then Minister for the
Cabinet Office, with the aim to ‘make the
government operate in a more business-like
manner’ by bringing in senior and
experienced leaders from across the private,
public and not-for-profit sectors. It focuses
on the role of Boards for Central
Government Departments which should be
Chaired by the Secretary of State (no longer
the permanent secretary) and be balanced,
with equal numbers of Ministers, civil
servants and Non-Executives from outside
government. Main principles:

Parliamentary Accountability;
The role of the Board;
Board Composition;
Board Effectiveness;
Risk Management.

2012

Update to the Corporate Governance Code (FRC 2012)

Expects Companies to explain and report on progress with their policies on Boardroom diversity. Genuine diversity in the boardroom is considered important for Board effectiveness, reducing ‘group think’. Other changes include:

- Audit Committees are to provide to shareholders information on how they have carried out their responsibilities, including how they have assessed the effectiveness of the external audit process;

- Boards are to confirm that the annual report and accounts taken as a whole are fair, balanced and understandable, to ensure that the narrative sections of the report are consistent with the financial statements and accurately reflect the company’s performance;

- Companies are to explain, and report on progress with, their policies on boardroom diversity. This change was first announced in October 2011, but its implementation was deferred to avoid piecemeal changes to the Code;

- Companies are to provide fuller explanations to shareholders as to why they choose not to follow a provision of the Code.

2.5 Managing Public Money (HM Treasury 2012)

Describes the Essential Duties of the Accounting Officer. Guidance on the proper handling of all public funds. Public servants have a demanding fiduciary duty to use public money responsibly. Accounting Officer functions (Chapter 3 of the publication) sets out the role of the Accounting Officer (AO) (3.1 below), the appointment of accounting officers (3.2 below) and special responsibilities of accounting officers (3.3 below).

3.1 — Each organisation in central government (department, agency, trading fund, NHS body, NDPB or ALB) must have an AO. This person is usually its senior official. The accounting officer in an organisation should be supported by a Board structure in line with the Corporate Governance Code. Formally the AO can be called by Parliament to account for the stewardship of the resources. The AO is expected to assure Parliament and the public of high standards of probity.

3.2 — The Treasury appoints the permanent head of each Central Government department to be AO, or PAO if that AO appoints the permanent heads of its executive agencies or ALBs to be AOs for the particular bodies for which the PAO has responsibility.

3.3 — Each AO takes personal responsibility for ensuring that the organisation he or she manages delivers the standards of probity; in particular they must personally sign:

a) The accounts;
b) The annual report; and
c) The governance statement.

They must approve:

a) Voted budget limits; and
b) The associated Estimates Memorandum.

Section 4, Governance and Management, identifies best practice for Boards as deciding risk appetite, monitoring emerging threats and opportunities, and maintaining the risk register.

2013

2.6 Orange Book: Management of Risk — Principles and Concepts (HM Treasury 2013)

Updated earlier guidance on the main and
supporting principles for risk
management in government. The main
principles are mandatory requirements. They
provide the “what” and the “why”, not the
“how”, for the design, operation, and
maintenance of an effective risk
management framework.

2014

1.14 Revised UK Corporate Governance Code (FRC 2014b)

Code is amended and incorporates revised guidance on risk management, internal control and financial and business risk reporting described in 1.15 (FRC 2014a).

1.15 Guidance on risk management, internal control and financial and business reporting: The Risk Guidance (FRC 2014a)

Brings together elements of best practice
for risk management; prompts Boards to
consider how to discharge their
responsibilities in relation to the existing
and emerging principal risks faced by the
company; reflects sound business
practice, whereby risk management and
internal control are embedded in the
business process by which a company
pursues its objectives; and highlights
related reporting responsibilities.

It is primarily directed at companies subject to the UK Corporate Governance Code.

2015

2.7 Accounting Officer Survival Guide (HM Treasury December 2015)

Based on the 2012 guidance for AOs in 2.5 above, Managing Public Money (HM Treasury 2012), the guide restates essential duties for AOs covering:

a) Governance;
b) Decision making; and
c) Financial management

Specifically, it draws attention to inherent tensions in the role of AOs, especially in Companies in Government, and offers guidance around conflicts of interest in balancing fiduciary duties and government objectives with strategic goals of government owned companies or ALBs. Specific guidance includes:

a) When parliament calls a public sector organisation to account, it is the accounting officer who gives evidence; others in the organisation account for their own performance to the accounting officer in line with delegated powers.

b) The accounting officer of a public sector organisation is usually its permanent secretary or Chief Executive Officer, who manages the business day to day. The post carries personal responsibilities to manage the organisation efficiently and effectively and to report to parliament accurately, meaningfully and without misleading.

c) The accounting officer’s touchstone
in assessing any course of action
should simply be: whether the
activity can be justified adequately
if parliament calls it to account i.e.
it meets parliament’s expectations
of handling public funds.

d) The accounting officer should
assess each initiative through the
accounting officer lens to see
whether it meets the four essential
accounting officer standards set out
in 2.5 Managing Public Money
(HM Treasury 2012): regularity,
propriety, value for money and
feasibility expected by parliament
and the public for use of public
resources.

e) Each public sector organisation is led by a Board ... normally the accounting officer’s duties, priorities and objectives align with the Board’s. On the rare occasions where they do not, the AO should take the distinct and separate view in line with the AO standards. They should never act in a way which is incompatible with legal obligations.

2.8a Whistleblowing Guidance and Code of Practice, from Department for Business and Skills (DBIS 2015)

Recommends good practice for employers
including having the right culture, written
policies, training and support, quick
responses, and effective processes.

Reminds that Whistleblowing law is governed by the 1996 Employment Rights Act (amended by the 1998 Public Interest Disclosure Act). To be covered by whistleblowing law, employees must believe they are acting in the public interest in disclosing past, current or likely future:

Criminal offences (this may include, for example, types of financial impropriety such as fraud);
Failure to comply with an obligation set out in law;
Miscarriages of justice;
Endangering of someone’s health and safety;
Damage to the environment; and
Covering up wrongdoing in the above categories.

2016

1.16 Corporate Culture and the Role of the Board (FRC July 2016c)

Provides guidance on the Board’s role in corporate culture; states that a culture of integrity and diversity are central to the Corporate Governance Code. Principle B requires Boards to establish a corporate purpose, values and business strategy and ensure they are aligned with culture. Boards are also urged to regularly assess and monitor culture and ensure greater alignment of executive incentives and rewards with corporate culture.

New rules on whistleblowing require affected firms to have assigned responsibilities to a NED to be a whistleblower, and offer guidance to non-affected firms the FCA regulates (FCA, 2016).

2.8b The HM Treasury Audit and Risk Assurance Committee Handbook 2016

It reflects developing best practice in governance and supports the provisions of Corporate Governance in Central Government Departments and the associated assurance needs in the governance of government organisations.

1.17 Revised Code on Corporate Governance (FRC April 2016a)

It includes amendments on the functioning of Audit Committees:

The head of internal audit should be (expected to be) invited regularly to attend meetings of the audit committee (joining the finance director and the external audit partner as expected invitees).

a) If risk management and internal control responsibilities are delegated to different committees the Board should consider the impact of splitting those responsibilities.

b) A responsibility to consider the clarity of audit committee reporting and to be prepared to meet investors, as a basis for ensuring that shareholder interests are properly protected in relation to financial reporting and internal control.

c) There are additional reporting requirements for the audit committee to explain in its report how the audit committee composition requirements have been addressed and also how the audit committee has assessed the effectiveness of internal audit.

Revised ethical standards on auditing.

2.9 Ministerial Code (Cabinet Office 2016a)

The Ministerial Code was first published in 2010 and is updated from time to time. It sits against the background of the over-arching duties of Ministers to comply with the law and protect the integrity of public life.

They are expected to observe the 7 Nolan (1995) Principles of Public Life. It sets out the relationship Ministers are expected to have with civil servants and the collective responsibility they have for being as helpful as possible in providing accurate, truthful and full information to Parliament.

Guidance to the effect that Central Government Departments should have Boards, chaired by Secretaries of State. Policy should be decided by Ministers. Boards bring strategic clarity, commercial sense, talented people, results focus, and management information.

2.10 Governance Code for Public
Appointments (Cabinet Office 2016b)

This was published following a review of
public appointments and sets out the process
and principles that should underpin all
public appointments. The principles that
should underpin all appointments are:

a) Ministerial responsibility — the
ultimate responsibility for
appointments rests with Ministers;

b) Selflessness — Ministers when
making appointments should act
solely in terms of the public
interest;

c) Integrity — Ministers when making
appointments must avoid placing
themselves under any obligation to
people or organisations that might
try inappropriately to influence
them in their work;

d) Merit — All public appointments
should be governed by the principle
of appointment on merit;

e) Openness — processes for making
public appointments should be open
and transparent;

f) Diversity — public appointments
should reflect the diversity of the
society in which we live;

g) Assurance — There should be
established assurance processes
with appropriate checks and
balances; and

h) Fairness — selection processes
should be fair and impartial.

2017

2.11 Corporate Governance in Central Government Departments: Code of Good Practice (HM Treasury and Cabinet Office, 2017)

This updated code of good practice builds on the 2011 code. ‘Since 2011, there has been a step change in the governance of central government departments. Secretaries of state now Chair departmental Boards, bringing a high level of focus on issues such as performance, risk management, talent and the challenge and scrutiny of major projects. This departmental Board model is now embedded as a key element of the fabric of corporate governance across central government departments’.

The Board may choose to delegate to its
committees. As a minimum, there should be
committees responsible for audit and risk
assurance (the responsibilities of which will
include reviewing the comprehensiveness of
assurances and integrity of financial
statements), and nominations.

2018

1.18 Revised Code and Guidance on Board effectiveness (FRC 2018)

This was to stimulate Boards’ thinking on how they can carry out their role and encourage them to focus on continually improving their effectiveness with a particular focus on:

a) Board leadership and company purpose;
b) Division of Responsibilities;
c) Composition, Succession and Evaluation;
d) Audit, Risk and Internal Control;
e) Remuneration.

2.12 Managing Public Money (HM Treasury 2018)

Updated 2012 version and aims to provide a comprehensive overview of the key requirements of HM Treasury in the stewardship of public funds.
2019

1.19 The Brydon Review by Sir Donald Brydon

Reviews the quality and effectiveness of audit and makes 65 recommendations, many relating to the part played by others in relation to the audit. Some are applicable only to the FTSE 350, including:

a) The extension of the concept of auditing to areas beyond financial statements;
b) Mechanisms to encourage greater engagement of shareholders with audit and auditors;
c) Suggestions to inform the work of BEIS on internal controls and improve clarity on capital maintenance;
d) A package of measures around fraud detection and prevention;
e) Improved auditor communication and transparency;
f) Obligations to acknowledge external signals of concern.

The FRC’s Ethical Standard (2019)

UK governance relies on the maintenance of high ethical standards in audit firms which are necessary to support trust and confidence in UK corporate reporting and audit. This FRC standard applies in the audit of financial statements and other public interest assurance engagements in both the private and public sectors.

2.13 Code of Conduct for Board Members of Public Bodies (Cabinet Office 2019)

Replaces the 2011 code of conduct. Forms part of the Terms of Appointment for NEDs of public bodies. Includes new provisions including that bullying, harassment, or other discriminatory behaviour will not be tolerated, that conflicts of interest must be declared and managed, that boards have responsibilities towards employees, use of social media, and responsibilities for raising concerns.

2.14 Orange Book — from Government Finance Function and HM Treasury (updated) 2019

Updates 2013 guidance.


ANNEX B

CHRONOLOGY OF OWNERSHIP AND GOVERNANCE OF THE POST OFFICE BUSINESS (POB)
1999-2020.

This Annex has been produced according to our current understanding on the basis of information currently known to the experts or which has been made
available to them. It is not an authoritative or complete schedule.

Level 1 | Level 2 | Level 3 | Level 4
Date | POB Senior Executive | POB Chair | POB Ownership | OPOB Senior Executive | OPOB Chair | OPOB Govt Shareholder | AGS Active | AGS Senior Executive | AGS Chair | Sponsoring Government Department | SoS and, if shown, POB Minister

Phase 1: 1999-2000

1999 | Post Office Counters Ltd (Co. No. 02154540), incorporated as POC Ltd, a subsidiary of the Post Office Authority | Stuart Sweetman (in post since 1996) | None | The Post Office Authority, statutory corporation ‘with powers to issue directions to POCL’ | None | DTI | The Right Honourable Stephen Byers MP

Footnote on Sponsoring Government Department: Provisions in POLs Articles conferring rights and powers on Government.

Footnote on Post Office Counters Ltd: POCL and POL is classified as a Public Non-Financial Corporation (‘Public Corporation’) by the Office for National Statistics. Designed to operate at arm’s length from Ministers and government with accountability placed with their own board and executive team, accountable to the SoS as shareholder. POLs Chief Executive is designated as Accountable Officer [WITN11020100].

2000 | Post Office Counters Ltd (Co. No. 02154540), wholly owned by POA then RMG plc | Stuart Sweetman | None | The Post Office Authority became Expand Reserve Public Limited Company, became Post Office Group plc, became Consignia plc | Dr Neville Bain | None | DTI | The Right Honourable Stephen Byers MP (The Right Honourable Alan Johnson MP, PO Minister)

Phase 2: 2001-2012

2001 | Post Office Ltd (Co. No. 02154540), wholly owned by RMG plc | Stuart Sweetman | None | Consignia plc; became Holding Co. Consignia Holdings plc, known as The Holding Company (Co. No. 04074919); wholly owned Royal Mail Group plc | John Roberts | Dr Neville Bain | None | DTI owned majority shares in The Holding Co. with a small shareholding (1 ordinary share) held by Treasury [76] | The Right Honourable Patricia Hewitt MP (The Right Honourable Alan Johnson MP, PO Minister)

76 Indirect powers over POL (with direct powers over Holdings Company). Indirect powers were in relation to POLs Board, to amend POLs Articles of Association (the Articles) and policy oversight. In 2017 government gained direct powers over POL [WITN11020100].

2002 | Post Office Ltd (Co. No. 02154540), wholly owned by RMG plc | David Mills | Allan Leighton | The Holding Company (now Royal Mail Holdings plc); owned Royal Mail Group plc | John Roberts; Adam Crozier | Allan Leighton | None | DTI owned majority shares in The Holding Co. with a small shareholding (1 ordinary share) held by Treasury | The Right Honourable Patricia Hewitt MP

2003 | Post Office Ltd (Co. No. 02154540), wholly owned by RMG plc | David Mills | Sir Mike Hodgkinson, Non-Executive Chair | The Royal Mail Holdings plc [78]; owned Royal Mail Group Ltd plc | Adam Crozier | Allan Leighton | ShEx | DTI owned majority shares in The Holding Co. with a small shareholding (1 ordinary share) held by Treasury | The Right Honourable Patricia Hewitt MP

2004 | Post Office Ltd (Co. No. 02154540), wholly owned by RMG plc | David Mills | Sir Mike Hodgkinson, joined by first NED | The Royal Mail Holdings plc; owned Royal Mail Group plc | Adam Crozier | Allan Leighton | ShEx | DTI owned majority shares in The Holding Co. with a small shareholding (1 ordinary share) held by Treasury | The Right Honourable Patricia Hewitt MP

78 From February 2003 until March 2012 the board of the Holding Company had oversight and key decision-making responsibility for RMG (The Holding Company was described as the main plc board for RMG), with the RMG board only meeting for statutory purposes during that period [WITN11030100].
2005 | Post Office Ltd (Co. No. 02154540), wholly owned by RMG plc | David Mills; (from March) Alan Cook | Sir Mike Hodgkinson | The Royal Mail Holdings plc; owned Royal Mail Group plc | Adam Crozier | Allan Leighton | ShEx | DTI owned majority shares in The Holding Co. with a small shareholding (1 ordinary share) held by Treasury | The Right Honourable Alan Johnson MP

2006 | Post Office Ltd (Co. No. 02154540), wholly owned by RMG plc | David Mills / Alan Cook | Sir Mike Hodgkinson | The Royal Mail Holdings plc; owned Royal Mail Group plc | Adam Crozier | Allan Leighton | ShEx | DTI owned majority shares in The Holding Co. with a small shareholding (1 ordinary share) held by Treasury | The Right Honourable Alistair Darling MP

2007 | Post Office Ltd (Co. No. 02154540), wholly owned by RMG Ltd | Alan Cook | Sir Mike Hodgkinson | The Royal Mail Holdings plc; owned Royal Mail Group Ltd | Adam Crozier | Allan Leighton | ShEx | DTI / BERR owned majority shares in The Holding Co. with a small shareholding (1 ordinary share) held by Treasury | The Right Honourable John Hutton MP
Date POB POB POB OPOB OPOB OPOB AGS Active AGS AGS Chair I Sponsoring SoS and if
Senior Chair Ownership Senior Chair Govt Senior Government shown
Executiv of POB Executive Shareholder I Executive Department” (POB
e Minister)
2008 Post Office Ltd I Alan The Royal Adam Allan ShEx DTI / BERR The Right
(Co. No. Cook Mail Crozier Leighton owned Honourable
02154540) Holdings plc majority Peter
shares inThe I Mandelson
Wholly owned Owned Holding Co. MP
by RMG Ltd with a small
Royal Mail shareholding
Group Ltd (1 ordinary
share) held by
Treasury
2009 Post Office Ltd I Alan Donald The Adam Allan ShEx BIS owned The Right
(Co. No. Cook Brydon Royal Mail Crozier Leighton majority Honourable
02154540) Holdings plc shares in The Peter
Donald Holding Co. Mandelson
Wholly owned Owned Brydon with a small MP
by RMG Ltd shareholding
Royal Mail (1 ordinary
Group Ltd share) held by
Treasury

® Provisions in POLs Articles conferring rights and powers on Government.

Page 117 of 133
EXPG0000006_R

2010 Post Office Ltd I David Donald The Royal Adam Donald ShEx BIS owned The Right
(Co. No. Smith Brydon Mail Crozier Brydon majority Honourable
02154540) Holdings plc shares in The Vince Cable

Paula Moya Holding Co. MP.
Wholly owned I Vennells Owned Green with a small
by RMG Ltd shareholding
Royal Mail (1 ordinary
Group Ltd share) held by
Treasury
Date POB POB POB OPOB OPOB OPOB AGS Active AGS AGS Chair I Sponsoring SoS and if
Senior Chair Ownership Senior Chair Govt Senior Government shown
Executiv of POB Executive Shareholder I Executive Department™ (POB
e Minister)

2011 Post Office Ltd I Paula Donald The Royal Moya Donald ShEx BIS owned The Right
(POL) (Co. No. I Vennells I Brydon Mail Greene Brydon majority Honourable
02154540) Holdings plc shares inThe I Vince Cable

Alice Perkins Holding Co. MP.
Wholly owned Owned with a small
by RMG Ltd shareholding
Royal Mail (1 ordinary
Group Ltd share) held by
Treasury

2012 Post Office Ltd I Paula Alice Perkins I The Royal Moya Donald ShEx ® BIS owned The Right
POL (co. no. Vennells Mail Greene Brydon majority Honourable
02154540) Holdings plc sharesinThe I Vince Cable
A Public (co.no. Holding Co. MP
Corporation 04074919) with a small
with own BOD shareholding
and Articles of (1 ordinary
Association

5! Provisions in POLs Articles conferring rights and powers on Government.
® Shareholder NED appointed to POL Board, continues to the end of the relevant period

Page 118 of 133
EXPG0000006_R

Change in share) held by
corporate Treasury
structure, POL
now same
level as RMG,
reporting to
The Royal
Mail Holdings
ple
Phase 3: 2013-2019
Date POB POB POB OPOB OPOB OPOB AGS Active AGS AGS Chair I Sponsoring SoS and if
Senior Chair Ownership Senior Chair Govt Senior Government shown
Executiv of POB Executive Shareholder Executive Department® (POB
e Minister)
2013 Post Office Ltd I Paula Alice Perkins I The Royal ShEx BIS sole The Right
POL Vennells Mail shareholder Honourable
Holdings plc on behalf of Vince Cable
A Public Government, MP.
Corporation Became Sept 2013
with own
board and Postal
Articles Services
Holding
Company Itd
(PSHCL)
2014 Post Office Paula Alice Perkins I Postal ShEx BIS Sole The Right
Ltd. POL Vennells Services Shareholder Honourable
Holding on behalf of Vince Cable
Government MP.

3 Provisions in POLs Articles conferring rights and powers on Government.

Page 119 of 133
EXPG0000006_R

A Public Company Ltd
Corporation (PSHCL)
with own
board and
Articles
Date POB POB POB OPOB OPOB OPOB AGS Active AGS AGS Chair I Sponsoring SoS and if
Senior Chair Ownership Senior Chair Govt Senior Government shown
Executiv of POB Executive Shareholder I Executive Department (POB
e Minister)
2015 Post Office Ltd I Paula Alice Perkins I Postal ShEx BIS Sole The Right
POL Vennells I / Services shareholder Honourable
Tim Parker Holding on behalf of Sajid Javid
A Public Company Ltd Government MP
Corporation (PSHCL)
with own
board and
Articles
2016 Post Office Ltd I Paula Tim Parker Postal UKGI Robert BIS Sole The Right
POL Vennells Services (ALB) Swannell I shareholder Honourable
Holding on behalf of Sajid Javid
A Public Company Ltd Govt MP / The
Corporation (PSHCL) Right
with own Honourable
board and Gregg Clark
Articles MP.
2017 Post Office Ltd I Paula Tim Parker Postal UKGI Mark Robert BEIS Sole The Right
POL Vennells Services (ALB) Russell Swannell I shareholder Honourable

* Provisions in POLs Articles conferring rights and powers on Government.

Page 120 of 133
EXPG0000006_R

Holding on behalf of Gregg Clark
A Public Company Ltd Govt with MP
Corporation (PSHC) direct powers
with own over POL
board and Shares
Articles transferred
to
SoS
Date POB POB POB OPOB OPOB OPOB AGS Active AGS AGS Chair I Sponsoring SoS and if
Senior Chair Ownership Senior Chair Govt Senior Government shown
Executiv of POB Executive Shareholder Executive Department®> (POB
e Minister)
2018 Post Office Ltd I Paula Tim Parker UKGI Mark Robert BEIS Sole The Right
POL Vennells (ALB)®* Russell Swannell I shareholder Honourable
on behalf of Greg Clark
A Public Govt MP
Corporation (Andrew
with own Griffith
board and PO
Articles Minister)
2019 Post Office Ltd I Nick Tim Parker UKGI Mark Robert BEIS Sole The Right
POL Read (ALB) Russell Swannell I shareholder Honourable
on behalf of Greg Clark
A Public Govt MP / The
Corporation Right
with own Honourable

85 Provisions in POLs Articles conferring rights and powers on Government.
86 BEIS acts as POLs policy sponsor, UKGI corporate governance / shareholder sponsor, with its own Board of Directors

Page 121 of 133
EXPG0000006_R

board and Andrea

Articles Leadsom
MP

2020 Post Office Ltd I Nick Tim Parker UKGI Charles Robert BEIS The Right

POL Read (ALB) Donald Swannell Honourable
Alok

A Public Sharma MP.

Corporation

with own

board and

Articles

Page 122 of 133
EXPG0000006_R

ANNEX C
GLOSSARY

Board
The highest level of governance of a company.

A Unitary Board of a listed company would normally include a Chair (independent on
appointment), Non-Executive Independent Directors, possibly Non-Executive Non-
Independent Directors, and at least one Executive Director (normally the CEO).

An Executive Board of a non-listed company may have a Chair (an Executive from within the
company, or independent on appointment) and Executive Directors. It may choose to have
Non-Executive Directors.

A board of a subsidiary (wholly owned) company will have the structure determined by the
parent and by regulation (as in UK banks). It may, or may not, include a Chair (independent
on appointment), Non-Executive Independent Directors, Non-Executive Non-Independent
Directors appointed by the parent, and at least one Executive Director (normally the CEO).

A Board of a government owned company may have an Accounting Officer, if the PAO in
the sponsoring department chooses to appoint an AO in the government owned business. In
such cases the AO would normally be the Chief Executive or the person responsible for the
day-to-day running of the company. They may also have independent governance
arrangements for example, a Board made up of a majority of independent Non-Executive
Directors from outside government.

Culture

The prevailing attitudes, values and beliefs as experienced by people within the company and
stakeholders who interact with the company.

Executive

The senior people, often called Directors, Chief Officers or Senior Executives, in any company,
usually referring to the CEO and their most senior leadership team (usually their direct reports),
often including the CFO, CRO, COO and HRD. The CEO may constitute them together as an
Executive Committee.

Governance

The structures and systems by which the company is governed, and the mechanisms by which it and its
Executive are held to account by the owners of the company.

Internal Controls

Systems designed to ensure that information, concerning compliance with applicable laws,
regulations, contracts, policies and procedures, is reliable, accurate and timely.


Leadership
Two meanings, both used in this report:

a) the people who hold senior positions in a company, also referred to as the Executive;

b) the practices of those who lead others, not directly related to seniority of position.
This second meaning is used only occasionally in this report.

Management
Two meanings, both used in this report:

a) the processes and structures through which the company is run;

b) the people in the organisation who hold positions as 'managers' but are not the most
senior, who are referred to as 'Executives'.

Structure

The roles and reporting relationships which are specified within the company.

ANNEX D

ACRONYMS & ABBREVIATIONS
AGM    Annual General Meeting
AGS    Active Government Shareholder
ALB    Arm's Length Body
AO     Accounting Officer or Accountable Officer
ARA    Annual Report and Accounts
ARAC   Audit, Risk and Assurance Committee
BAC    Board Audit Committee
BEIS   Department for Business, Energy and Industrial Strategy
BERR   Department for Business, Enterprise and Regulatory Reform
BIS    Department for Business, Innovation and Skills
BRC    Board Risk Committee
BRemC  Board Remuneration Committee
CEO    Chief Executive Officer
CFO    Chief Finance Officer
COO    Chief Operating Officer
CoSec  Company Secretary
CTO    Chief Technology Officer
DTI    Department of Trade and Industry
EA     External Audit
EGM    Extraordinary General Meeting
ESG    Environmental, Social and Governance
FCA    Financial Conduct Authority
FRC    Financial Reporting Council
FSA    Financial Services Authority
GRC    Governance, Risk and Compliance
HRD    Human Resources Director
IA     Internal Audit
INED   Independent Non-Executive Director
MD     Managing Director
NAO    National Audit Office
NED    Non-Executive Director
NINED  Non-Independent Non-Executive Director
OPOB   Ownership/Oversight of Post Office Business
PAC    Public Accounts Committee
PAO    Principal Accounting Officer
PIDA   Public Interest Disclosure Act
POB    Post Office Business
POC    Post Office Counters Ltd
POCIL  Post Office Counters Ltd and Post Office Ltd
POHI   Post Office Horizon IT Inquiry
POL    Post Office Ltd
RMG    Royal Mail Group
RMH    Royal Mail Holdings
ShEx   Shareholder Executive
SoS    Secretary of State
UKGI   UK Government Investments

ANNEX E

SOURCES

Bachrach, P and Baratz, MS (1963), ‘Decisions and Non-Decisions: An Analytical Framework’,
American Political Science Review, Vol 57, No 3, September 1963.

Brydon, D (2019), ‘Assess, Assure and Inform: Improving Audit Quality and Effectiveness’, “The
Brydon Review”, December 2019.

Cabinet Office (2011), Code of Conduct for Board Members of Public Bodies.
Cabinet Office (2016a), Ministerial Code.

Cabinet Office (2016b), Governance Code for Public Appointments.

Cabinet Office (2019), Code of Conduct for Board Members of Public Bodies.

Cadbury, A (1992), ‘The Committee on the Financial Aspects of Corporate Governance, Report of the
Committee’, “The Cadbury Code”, December 1992.

Companies Act 1985.
Companies Act 2006.

Dawson, S (1991), ‘Managing Safety Offshore’ in Bufion, Evripidou and Williams (eds.) Offshore
Operations post Piper Alpha: IMaRE/RINA Joint Offshore Group International Conference, 6-8
February 1991, London, England, Institute of Marine Engineers.

Dawson, S (1986), Analysing Organisations, Macmillan, Basingstoke, UK.

Department for Business Innovation and Skills (2015), ‘Whistleblowing: Guidance for Employers and
Code of Practice’ March 2015.

Department for Business, Energy and Industrial Strategy (2020), Post Office Limited: Shareholder
Relationship Framework Document, March 2020.
https://assets.publishing.service.gov.uk/media/5e74fe04e90e073e313755cc/post-office-limited-shareholder-relationship-framework-part-1.pdf

Department for Business, Energy and Industrial Strategy (2022), ‘Restoring Trust in Audit and
Corporate Governance’, May 2022.

Durrant, T (2020), ‘Government Departments’ Boards and Non-Executive Directors’, Institute for
Government, May 2020, https://www.instituteforgovernment.org.uk/explainer/government-departments-boards-non-executive-directors (Accessed 10/01/24).

Employment Rights Act 1996.

Financial Conduct Authority (2016), PS15/24: Whistleblowing in deposit-takers, PRA-designated
investment firms and insurers, https://www.fca.org.uk/publications/policy-statements/ps15-24-whistleblowing-deposit-takers-pra-designated-investment-firms

Financial Conduct Authority Handbook (latest version a), SYSC 4.2 Whistleblowing Practical
Measures shows guidance available for firms (02/04/2005),
https://www.handbook.fca.org.uk/handbook/SYSC/4/?date=2005-04-02&view=chapter (accessed
25/03/2024)

Financial Conduct Authority Handbook (latest version b), SYSC 4.2 Whistleblowing Practical
Measures shows guidance available for firms, (30/08/2006)
https://www.handbook.fca.org.uk/handbook/SYSC/4/2.html?date=2006-08-30#D36

Financial Reporting Council (1998), ‘The Combined Code: Principles of Good Governance and Code
of Best Practice’, derived by the Committee on Corporate Governance, June 1998.
https://media.frc.org.uk/documents/Combined_Code_June_1998.pdf

Financial Reporting Council (2003), ‘The Combined Code on Corporate Governance’ July 2003.

Financial Reporting Council (2005), ‘Internal Control: Revised Guidance for Directors on the
Combined Code’ October 2005.

Financial Reporting Council (2006), ‘Good Practice Suggestions from the Higgs Report’ June 2006.
Financial Reporting Council (2008), ‘The Combined Code on Corporate Governance’ June 2008.

Financial Reporting Council (2009), ‘Going Concern and Liquidity Risk: Guidance for Directors of
UK Companies’, October 2009.

Financial Reporting Council (2010), ‘Revised Combined Code of Corporate Governance’, June 2010.
Financial Reporting Council (2012), ‘Revised UK Corporate Governance Code’, September 2012.

Financial Reporting Council (2014), ‘Guidance on Risk Management, Internal Control and Related
Financial and Business Reporting’, September 2014.

Financial Reporting Council (2014b), ‘Revised UK Corporate Governance Code’, September 2014.
Financial Reporting Council (2016a), ‘Revised UK Corporate Governance Code’, April 2016.

Financial Reporting Council (2016b), ‘Guidance on the going concern basis of accounting and
reporting on solvency and liquidity risks’.

Financial Reporting Council (2016c), ‘Corporate Culture and the Role of Boards’, July 2016.

Financial Reporting Council (2018), ‘Revised Code and Guidance on Board Effectiveness’, July
2018.

Financial Reporting Council (2019), ‘Revised Ethical Standard’, December 2019.

Financial Services Authority (2003), ‘Operational Risk Systems and Control’ FSA Consultation Paper
142.

Gill, M and Dalton, G (2022), ‘Public Bodies: Scrutiny and Accountability’, Institute for Government,
December 2022, https://www.instituteforgovernment.org.uk/article/explainer/public-bodies-scrutiny-accountability (Accessed 10/01/24).

Government Finance Function and HM Treasury (2013), ‘The Orange Book’, May 2013.
Government Finance Function and HM Treasury (2019), ‘Updated Orange Book’, 2019.

Greenbury, R (1995), ‘Report of the Study Group on Directors’ Remuneration’, “The Greenbury
Code”, July 1995

Hampel, R (1998), Final Report, ‘The Committee on Corporate Governance’, “The Hampel Report”,
January 1998.

Hazell, R, Cogbill, A, Owen, D, Webber H, and Chebib, L (2018), ‘Critical Friends? The Role of Non-
Executives on Whitehall Boards’, The Constitution Unit, University College London, January 2018.

Higgs, D (2003), ‘Review of the Role and Effectiveness of Non-Executive Directors’, “The Higgs
Report”, January 2003.
https://webarchive.nationalarchives.gov.uk/ukgwa/20121212135622/http:/www.bis.gov.uk/files/file23012.pdf

HM Government (2012), ‘The Civil Service Reform Plan’, June 2012.
https://assets.publishing.service.gov.uk/media/5a7e4e3c40f0b62305b82231/Civil-Service-Reform-Plan-final.pdf

HM Treasury (2001), ‘Management of Risk: A Strategic Overview’.

HM Treasury (2004), ‘Management of Risk: Principles and Concepts’, “The Orange Book”, October
2004.

HM Treasury and Cabinet Office (2005), ‘Corporate Governance Code in Central Government
Departments: Code of Good Practice’, July 2005.

HM Treasury and the Cabinet Office (2011), ‘Corporate Governance in Central Government
Departments: Code of Good Practice’, July 2011.

HM Treasury (2012), ‘Managing Public Money’ May 2012.

HM Treasury (2013), Orange Book — Management of Risk, Principles and Concepts.
HM Treasury (2015), ‘The Accounting Officer’s Survival Guide’, December 2015.
HM Treasury (2016), ‘Audit and Risk Assurance Committee Handbook’, March 2016.

HM Treasury and the Cabinet Office (2017), ‘Corporate Governance in Central Government
Departments: Code of Good Practice’.

HM Treasury (2018), ‘Managing Public Money’ (Revised), September 2018.

Institute of Directors (2018), ‘The Role of the Company Secretary’,
https://www.iod.com/resources/factsheets/company-structure/the-role-of-the-company-secretary/

Institute for Government (2022), ‘Public Bodies Scrutiny and Accountability’.

Myners, P (2001), ‘Institutional Investment in the United Kingdom: A Review’, HM Treasury, “The
Myners Code”, March 2001.

National Audit Office (2007), ‘The Shareholder Executive and Public Sector Business’, Value for
Money Report.

National Audit Office (2015), ‘Companies in Government’, Briefing Paper, December 2015.

National Audit Office (2016), ‘Accountability to Parliament for Taxpayers Money’, Good Practice
Guides February (2016).


Nolan, M (1995), ‘First Report of the Committee on Standards in Public Life’, “The Nolan
Principles”, May 1995.

Post Office Limited: Shareholder Relationship Framework Document, 2022
https://www.gov.uk/government/publications/post-office-limited-shareholder-relationship-framework-
document

Power, M, Ashby, S, and Palermo, T (2013), ‘Risk Culture in Financial Organisations: A Research
Report’, London School of Economics.

Public Administration and Constitutional Affairs Committee (House of Commons Committee) (2023),
‘The Role of Non-Executive Directors in Government’, Seventh Report of Session 2022-2023, June
2023.

Public Interest Disclosure Act 1998.

Shareholder Executive (2015) Annual Review 2014 to 2015

Smith, R (2003), ‘Audit Committees Combined Code Guidance: a Report and Proposed Guidance by
an FRC-Appointed Group’, “The Smith Guidance”, Financial Reporting Council, January 2003.

The Cabinet Office (2016a), ‘Governance Code on Public Appointments’, December 2016.
The Cabinet Office (2016b), ‘The Ministerial Code’ December 2016.
The Cabinet Office (2019), ‘Code of Conduct for Board Members of Public Bodies’, June 2019.

The Chartered Governance Institute UK and Ireland (2022a), ‘Guidance Note: Terms of Reference for
the Audit Committee’, May 2022.

The Chartered Governance Institute UK and Ireland (2022b), ‘Guidance Note: Terms of Reference for
the Risk Committee’, May 2022.

The Committee on Corporate Governance (1998), ‘The Combined Code — Principles of Good
Governance and Code of Best Practice’, June 1998.

The Institute of Internal Auditors (2013), ‘The Three Lines of Defence in Effective Risk Management
and Control’, IIA Position Paper, January 2013.

Turnbull, N (1999), ‘Internal Control: Guidance for Directors of the Combined Code’, “The Turnbull
Guidelines”, The Institute of Chartered Accountants in England and Wales (August 1999).

Turner, B (1976), ‘The Organizational and Interorganizational Development of Disasters’,
Administrative Science Quarterly Vol 21, No 3, September 1976.

Turner, D (2022), ‘Three Lines of Defence: is it the Right Model?’, Journal of Financial
Compliance, Vol 5, No 3.

UKGI (2017), Annual Report and Accounts 2016-17

Walker, D (2009), ‘A Review of Corporate Governance in UK Banks and other Financial Industry
Entities’, “The Walker Review”, November 2009.

ANNEX F

QUALIFICATIONS AND EXPERTISE OF DAME SANDRA
DAWSON AND DR KATY STEWARD

Professor Sandra Dawson BA (Keele Univ.), MA (Univ. of Cambridge), Hon DSc (Keele Univ.),
DBE

Dame Sandra is Professor Emerita at the University of Cambridge. She was formerly Director of
Cambridge Judge Business School (1995-2006), Master of Sidney Sussex College (1999-2009) and
one of the Deputy Vice Chancellors of the University (2008-2012). Prior to moving to Cambridge, she
held academic positions in Imperial College, University of London.

She teaches, writes and consults on organizational behaviour, leadership and governance.

She was invested as a Dame Commander of the British Empire in recognition of her contribution to
higher education and management research.

She has wide practical experience as a Board member in the commercial, public and charitable
sectors. Former Board positions include: Chair, Riverside Mental Health NHS Trust (1992-1995);
Chair, Executive Committee, Social Science Research Council, USA (2009-2019); Trustee and
sometime Vice-Chair, Oxfam GB (2006-2012); Senior Independent Director and Chair of the
Remuneration Committee, TSB Bank (2014-2020); Non-Executive Director and sometime Senior
Independent Director and Chair of the Remuneration Committee, Financial Services Authority (2010-
2013); Non-Executive Director and member of the Audit Committee, Barclays plc (2003-2009); Non-
Executive Director and member of the Audit Committee, JPMorgan Claverhouse Investment Trust
(1996-2003); Chair, Remuneration Committee and member of the Audit and Ethics Committees, DRS
plc (2012-2016); Chair, ESRC Advanced Institute of Management Executive Steering Committee (2007-2012);
Member, Prime Minister’s Council on Science and Technology (2011-2014); Member, Windrush
Lessons Learned Review Advisory Group (2017-2020); Member, Senior Salaries Review Body
(1996-2003); Trustee and sometime Chair of the Academic Affairs and Research Committee,
American University of Sharjah (2014-2023). She currently chairs the Advisory Board of the
Cambridge Museum of Zoology and sits on the Advisory Board of Cambridge Judge Business School.

Dr Katy Steward MA (Univ of Cambridge), MBA (Imperial College, Univ of London), PhD (Imperial
College, Univ of London)

Dr Steward is currently a Visiting Scholar at Sidney Sussex College, Cambridge. In 2022-23 she was
a Visiting Fellow at Cambridge Judge Business School, University of Cambridge.

She has taught, advised, coached and consulted on leadership, organisation culture and governance for
the past 30 years. Her experience includes:

Head of National Culture and Leadership Program, NHS England, (2021-2022), including advising on
governance, leadership, culture change and whistle blowing.

The King’s Fund, Independent Health Think Tank (2004-13), including advising and coaching various
CEOs of health and other organisations, professions’ regulators, an independent care provider and a
large international development organisation, on leadership, governance, culture change and
organisation structure.

Monitor (Regulator of all NHS Foundation Trust Hospitals) (2003-04), including developing
frameworks for the evaluation of governance and culture.

Membership of Boards in the charity and public sectors, including Non-Executive Director and
member of the Audit Committee and Nominations Committee, UK for UNHCR (2021-date); Non-Executive
Director and Chair, Quality Committee and Board Culture Change Committee, Norfolk and Suffolk
NHS Mental Health Trust (2020-23); Trustee and sometime member of the Safeguarding Committee,
Oxfam GB (2013-2020); Trustee, Amref UK (2011-2014); Trustee, The Kaloko Trust (2006-2011).

Membership of various groups, including Member, National Guardians Office Roundtable on
Whistleblowing (2022); Member, NHS England Culture and Leadership Advisory Group (2019-21);
Member, Lord Carter Productivity Review of Ambulance Services and Mental Health (2016-17);
Director, National Foundation Trust Governors’ Association, Advisory Group, Kings Fund (2005);
Chair, NHS Board Chairs Leadership Program Advisory Committee, Kings Fund (2005-13).


ANNEX G

Report to the Post Office Horizon IT Inquiry by Dame Sandra Dawson and Dr Katy
Steward.

Declaration
We, Dame Sandra Dawson and Dr Katy Steward, declare that:

1) We have been appointed jointly by the Post Office Horizon IT Inquiry to act as expert
witnesses on matters of governance, management, and leadership.

2) We understand that our duty is to give an objective, unbiased opinion on matters within our
expertise in order to help the Inquiry achieve its terms of reference. We have complied, and
will continue to comply, with that duty.

3) We know of no conflict of interest in undertaking this work.

4) Annex F sets out our expertise and qualifications.

5) We have endeavoured in our Report to be accurate. Any matters on which we have expressed
an opinion lie within our field of expertise, and represent our true professional opinions on the
matters to which they refer.

6) This report is provided to those instructing us with the sole purpose of assisting the Inquiry. It
may not be used for any other purpose without our express written permission.

Statement of Truth

The contents of this report are true to the best of our knowledge and belief.

Signed: GRO
Date: 11 November 2024
Dame Sandra Dawson

Signed:
Date: 11 November 2024
Dr Katy Steward