FUJ00080737 - Report: Fujitsu assessment report

Assessment Control Page

Assessment Type: Internal Assessment
Reference: GHQ/UKCB/POA/FEL01/300805
Area: UKCB-POA
Processes Assessed: Various (See Scope of Assessment)
Contact(s): Jan Holmes
Process Owner(s): Various (See Scope of Assessment)
Planned Date: 30/08/05
Lead Assessor: Alan Clapson
Start Date: 30/08/05
Full Report Title:

Assessment Summary

1. Objectives of Assessment

This Fujitsu Services Internal Assessment focused on key business functions performed in the Post
Office Account and considered, through the assessment of local processes and working practice:

• The compliance of those functions with the Fujitsu Services Business Management System
(BMS).
• The compliance of those functions with relevant aspects of the ISO 9001:2000 standard.
• Any areas suitable for promotion as good business practice across Fujitsu Services.

In addition, every opportunity was taken to give advice and guidance on ISO 9001 and corporate
process deployment.

2. Scope of Assessment

This Fujitsu Services Internal Assessment was conducted over 3 days, within the FEL01 offices, and
involved the following members of staff:

Function / Role                              Interviewee
Top Management                               Clive Morgan
Change Management                            Ken Westfield
Quality Management                           Jan Holmes
HR                                           Claire Findell, Terri McCartney, Sandra Houghton
Security                                     Bill Mitchell
Release Management                           John Budworth
Testing                                      Peter Dreweatt
Service Introduction                         Graham Welsh
Business Continuity & Disaster Recovery      Tony Wicks
Problem Management                           Carl Marx & Mike Stewart
Customer Service Management                  Dave Baldwin
Account Management / Business Development    Liam Foley & Kevin Spence

Note: The assessment was based on random samples and therefore nonconformities may exist which
have not been identified.

3. Management Summary
During this Assessment a total of: 3 Non-conformances and 3 Observations were raised.
In summary, the main findings, and recommendations where appropriate, were as follows:

• There is good evidence of top management strategic planning, the cascade of direction through
the organisation and effective internal communications. The management team are also very
customer focused, as shown by the customer’s continued willingness to act as a reference for
Fujitsu Services.
Please see section 4.1 for further details.

• Some concerns were raised regarding the level of management review of, and involvement in,
the POA’s business management system. There has been little progress in some areas
highlighted in previous assessment reports and some maintenance aspects of the local BMS are
slipping. While these issues are being flagged in management reports, there is little evidence of
management action to address them.
ISO 9001 puts an emphasis on the need for management commitment to the establishment,
review and continual improvement of the management system.
Please see sections 4.1 and 4.3 for further details.

• In common with other accounts, the approach to integrating Business Unit and Core Services
staff objectives is still not clear. The assessor took an action to ask Group HR to issue better
guidance on the subject, but in the short term it was recommended that the POA Solution Centre
HR rep. join a workshop on the subject being held between HR managers associated with the
NHS Account.
That said, the POA was seen as being in a good position generally in the lead up to the next IiP
assessment.
Please see section 4.4 for further details.

• The Service Introduction Team demonstrated a good level of control over their operation,
together with excellent internal and customer communications. This was highlighted by the 5/5
scorecard result received for their work on the S80 release rollout.
Please see section 4.8 for further details.

• While account plans were produced at the beginning of the company year for the key business
areas within POL, they have yet to be reviewed and have not been approved at a POA or BU
level, as required by the corporate Manage Account Plan Process.
Please see section 4.12 for further details.

• Records associated with business evaluation and approval (CSLC 1-6) are still difficult to audit
trail and some are missing. While some progress has been made since issues in this area were
flagged in previous assessment reports in terms of structured, shared, repositories having been
created, there is still a need to ensure record sets are complete and checked as part of the approval
process.
Please see section 4.12 for further details.

4. Assessment Commentary

4.1 Top Management

Assessment Criteria : ISO 9001 (4.2, 5, 6, 7, 8)

Strategic Planning (MTP), Cascade of Objectives, Management Review (assessment C/As, BMS
effectiveness, etc), Corrective / Preventive Action Process, Improvement Initiatives, Internal
Communication (Grad Team ?), IiP / Performance Plus, KPIs, Measurement & Analysis, Involvement
in BEP / BAP, Resourcing

• Good evidence was seen of strategic planning and cascade of direction through the POA
organisation. Meetings have been held at the UK Commercial Business and POA levels to
develop the programme’s contribution to the Mid Term Plan (MTP) and appropriate themes
can be traced from QMM briefings through to MTP input. Account level documents
describing the strategy have also been produced to brief staff as part of the preparation for the
IiP assessment at the end of Sept.

• Quarterly staff briefings by the management team were also seen to be held. These are
generally timed to coincide with the top level QMM briefings so that information can be
cascaded (example slide sets seen).

• In addition to the briefings, a monthly “Fact File” is sent to all staff. This was seen to
include items keeping staff up-to-date with the current contract re-negotiations.

• While the position with the new contract was discussed, it was noted that delivery to the
current contract is regarded as being of a high standard by the customer, who is happy to act
as a reference for Fujitsu Services. The maintenance, and continued improvement, of service
delivery was seen to be included in the MTP input.

• The progress of Performance Plus activities is monitored at the POA Management Team
Meeting (later confirmed by HR) and the account appears to be in a good position with only
very new joiners not having been appraised and had personal objectives set (examples
from DRs seen to be on Perf + system). There is, however, still a recognised issue over the
interaction between Core Services generic practice objectives and account specific
assignment objectives (see HR section for further details). NB this is a common issue across
the major accounts.

• The primary mechanism for top management review of the local business management
system (BMS) is a quarterly report issued to the management team by the Quality Manager.
This was seen to be a comprehensive report and included coverage of the key elements of the
system, progress of key initiatives and the status of corrective actions resulting from internal,
external and local assessments (see Quality Management section for further details). In
addition to the report, the Quality Manager has access to the monthly Management Team
Meeting on request to present / discuss any specific quality related items.

• On reviewing some aspects of the BMS, e.g. progress on assessment corrective actions,
document authorisation and process review, during subsequent interviews (see Quality
Management section below and non-conformance 1) it was recommended that the
management team take a more active role in the system’s management.

• It was stated that, while corrective actions were being initiated to address any issues raised
(eg. via recovery plans) they tended to be carried out in isolation and top management rarely
had a consolidated view of all that were underway at any one time. In support of continual
improvement (ref. FS Quality Master Policy and ISO 9001 section 8.5), it was suggested that
a process be put in place to filter key corrective actions up for management team review and
consideration of preventive action that should take place in other areas of the account, as a
result of this corrective action in one area. This could apply to any corrective actions, not
just those associated with assessment findings.

4.2 Change Management

Assessment Criteria : ISO 9001 (4.2, 6, 7.1/2/5, 8)

Interaction with Customer, Internal Evaluation / Approval, Measures of Success, Adherence to
“Manage Service Change”, Objectives, Impact of CMMi.

• The Change Management area appeared under good control and well organised. All records
requested were readily available, easily accessible and up-to-date.


• As the focal point for all requests for change from the customer, and response to them, the
team have established good working relationships with their PO counterparts and internal
contributors.

• It was encouraging to see that the Commercial Forum, run jointly with the customer, has
progressed to the position where they are considering lessons learnt and implementing
improvements to working practice on both sides.

• The weekly Change Status Report (“Kens Bible”) was seen to be the primary tracking
mechanism within the unit but reports were also seen to be produced for the Demand
Planning Forum, the Commercial Forum, the Programme Control Change Board (PCCB)
and the Change Control Board (CCB). CCB packs containing full details of all changes up
for review were seen and audit trails between these, approved paper forms, PVCS material
and email notifications / authority to proceed, were successfully followed (CP4037 was
sampled).

• The POA Programme Office, of which the Change Management Unit is part, maintains a
process and procedure set which, although it makes reference to, is separate from the POA
BMS. The processes are managed via a Programme Office “QMS Index” and held on a
shared drive. The index is detailed and includes reference to process maturity and uses a
“Quality Records Register” to define key records associated with the area and their controls
(in-line with ISO 9001 requirements). Process measures are defined in document
PM/PLA/081 (Programme Office Process Measurement Plan (V5)). In essence the process
set therefore meets the main requirements of ISO 9001, but not in-line with POA local
process management processes (PA/PRO/038) or the corporate requirements documented in
the corporate PMM and associated Process Template. (See non-conformance 2 for further
details)

• It is recommended that processes in this area be brought in-line with higher level
requirements as part of their next formal review (see Quality Management section for further
details).

• The Change Manager is part of the Project Management professional community but role
definitions defined in it do not match the role he performs. A local JD has been produced to
supplement this shortfall but this is currently out of date and in need of review. Given that
staff in the area are leaving and soon to be replaced, it is recommended that role descriptions,
required competencies and training plans are documented as soon as possible. It was stated
that, while processes exist for all key activities, a considerable handover / bedding in period
is required for new joiners. Unit specific induction packs might therefore also be considered.

4.3 Quality Management

Assessment Criteria : ISO 9001 (4, 5.5.2, 5.6, 8)

Structure of local BMS, Linkage to other parts of BMS, Corp.BMS Awareness, Business Awareness,
Doc. / Record Management strategy, Corrective / preventive action process, Approach to
Cont.Improvement, Adherence to PMM, Management Interface / Reporting, BMS Review, Change
Control, Local Assessment, Interaction of assessments, Quality Master Policy, PMM.

• While the POA level of the BMS is not held as a CafeVik community like most other local
levels across the company, it does still contain links to material at other levels (eg. corporate
policies & processes) where appropriate.

• While being added to as required by new initiatives (eg. ITIL, CMMi) the established system
requires continual maintenance in terms of review and revision of existing processes. The
PVCS system generates prompts when processes are due for review and they are routed to the
appropriate process owner (the Period Process Review Record (PPRR)). On a quarterly basis
the Quality Manager produces a management report, which includes the review status of
BMS processes. However, there was evidence that reported slippages were not being acted
upon by management. For example, the year-end summary for 2004 showed 40 processes in
the CS area alone had not been reviewed and the Quality Manager was not aware of any
action taken to address the situation. As the PVCS prompts are not accumulative, i.e. they
only show those for review in that period, not those also outstanding, it is recommended that
the management team review the status of all processes to obtain a full picture of the current
situation.

NB. This was the subject of a non-conformance raised during the last internal assessment,
(GHQ/POA/FEL01 — BRA01/Aug04 — N/C 1) which had been closed but will now be
re-opened. (See non-conformance 1 for further detail)

• In addition, a weekly report is generated on outstanding document approvals. In general,
documents on this list have already been reviewed (including by the authoriser) and are just
waiting final sign-off by the appropriate manager. The report sampled showed that some
documents had been waiting over 120 days for signature.

• During previous internal assessments (eg. August 2004), non-conformances were raised
regarding POA processes not following the corporate Process Management Method (PMM)
and the associated Process Template, in particular with regard to the identification of key
records and their control, and process measures. Corrective actions associated with those
non-conformances were closed on the basis that the local Process Management & Control
process (PA/PRO/038) had been updated to specify the need to define records and measures,
and that processes would be updated as they were reviewed as part of the PPRR. Sampling
during this assessment showed that, while PA/PRO/038 had been updated, processes were
not being updated as a result of annual review. (See non-conformance 2 for further detail).

• Given the extent of the local process set, conversion of all processes to the full corporate
template would be a very large task. It was therefore agreed that the Quality Manager should
compare the current format commonly used across POA with the corporate template and
identify the gaps. He will then produce a local POA process template, agree its content with
the PMM owner in Business Assurance, and, with POA management support, update all
POA processes to the template structure as part of the next review. Progress could then be
tracked via the Quality Manager’s Quarterly Report.

• Apart from those relating to records and measures, the introduction of sections relating to
“Applicable Policies & Standards” and “Related Processes” should prompt local process
owners to consider embedding links to other parts of the FS BMS. PA/TEM/087 specifies
the requirements of the PPRR. It was recommended that this be updated to include a
standard requirement to convert processes to the new template.

• Given issues raised during the last internal assessment regarding corrective action closure,
observations from the last assessment (GHQ/POA/FEL01-BRA01/Aug04) were reviewed
with a view to verification of closure.
- Seq 1: Not verified — Was closed as being addressed by the on-going PPRR process and
routine management review — observed during this assessment as still not happening.
- Seq 2: Not verified — Was closed as being addressed during annual process review —
observed during this assessment as still not happening.
- Seq 3: Verified as closed.
- Seq 4: Verified as closed.
- Seq 5: Verified as closed.
- Seq 6: Verified as closed (Supplier Management to be re-assessed at next assessment)
- Seq 7: Verified as closed (Nb. cross references to Seq 1&2 above)
- Seq 8: Verified as closed.
- Seq 9: Verified as closed.
- Seq 10: Verified as closed.

• It was recommended that, in-line with the guidance issued with the Assessment Database,
the “Reviewing Manager” for corrective actions be the line manager responsible for the part
of the business impacted by the non-conformance or observation, rather than the Quality
Manager.

• Given the turn around of staff in POA, it was recommended that the Quality Manager review
the Quality / BMS section of the Induction Packs. It was also suggested that, in-line with the
corporate BMS Awareness campaign, a local awareness campaign be conducted to ensure all
staff are aware of the BMS structure and their part in it.

• The local assessment plan maintained by the Quality Manager was seen to be well
maintained and containing details of external and internal assessments, as well as local.
Local assessments were seen to be being conducted on the basis of status and importance.

• It was noted that a POA EPG is being established. The level of “peer” review and approval
that should be achieved by such a group should assist in process improvement.

4.4 HR

Assessment Criteria : ISO 9001 (4.2, 6.2, 8)

Involvement in Strategic Planning, Programme wide initiatives, Management of Performance Plus
(quantitative & qualitative measures), Management of Account / Dept.Training (incl. evaluation),
Management of Competency Records, IiP Activities / monitoring, Induction Process, Interaction
between BU & Core (assignment objectives?).


• HR responsibilities within the POA are spread between Business Unit and Capability Unit
HR reps, with approximately 110 staff directly employed by the programme and 200 staff on
long term assignment from Core Services.

• Further to the assessment of the Account Director, the BU HR reps confirmed that
Performance Plus activities were complete for all but very recent joiners. While the numbers
of objectives set were being monitored (via the on-line Perf + system), it was recognised that
improvements could be made in sampling the quality of objectives being set (eg. are they
SMART, do they reflect the account strategic direction, etc). While personal development
plans are not subject to direct sampling either, an invitation has been issued to all account staff
to discuss training and development with HR or the Account Director.

• The approach being taken to integrating Practice and Account objectives for staff by the POA
Solution Centre (SC) is for the SC manager to feed account specific objectives to AS Practice
Managers, for them to include in the personal objectives of staff assigned to POA. It was
stated that non-AS Core Services staff (eg. those assigned from P&PM) would have generic
Practice objectives set, and would then agree and document assignment Terms of Reference
with the POA assignment manager.

• The need to establish a more standard approach to integrating objectives was also recognised
during a recent assessment within the NHS programme and a workshop is planned between
BU and Core HR reps. It was recommended that the POA SC HR rep. attend this workshop
so as to add another programme’s viewpoint to the debate.

• While confident that the majority of Performance Plus activities were complete, and
documented in the on-line system, the HR representatives did not have figures to-hand of
actual compliance. Regular stats are available on CafeVik at a BU / CU level but these do
not go down to the programme / account level.

• The “Post Office Account — 2005/06 Plan” and the “Development Plan — Customer Services
POA” were seen as example documents being used by managers to prepare staff for the
imminent IiP assessment. They were seen to include: business strategy, organisation, key
activities, training and evaluation.

• Induction is, in general, handled by the POA HR team and includes any new assignees from
Core Services. An “A to Z Guide” and the “POA Induction Handbook” were seen to include
comprehensive details of the POA programme and a good level of detail regarding the
corporate BMS. Additional material relating to management induction is also available
along with checklists for line managers to use during staff induction. An induction event is
held approximately every 3 months and includes presentations and Q&A sessions with senior
POA managers. New joiners to the account are obviously known to HR and new assignees
from Core Services are identified from time recording system reports.

• It was stated that all Core Services and Account staff use the corporate Skills Database to
maintain their competency records. Subsequent sampling later in this assessment showed
that most staff were using the DB, but most admitted that records were rarely reviewed and
updated (despite auto email prompting from the system). It is recommended that manager /
individual review of Skills DB records be incorporated into the annual appraisal to ensure
records are updated / reviewed at least once a year. (See observation 3 for further details).
It was noted in subsequent interviews that the POA Account Management team were not
maintaining Skills DB records and were not keeping any other form of competency records.

4.5 Security
Assessment Criteria : BS 7799
Local process interaction with corporate Security Policies

• The POA contract requires that the programme comply with BS 7799, but does not demand
registration to the standard. In response the Security Manager has used BS 7799 as the basis
for the security aspects of the POA BMS, in particular the governing “Horizon Security
Policy (V 10.1)” which follows its clause titles and their requirements.

• The Horizon Security Policy acts as the Fujitsu Services working interpretation of the
customer’s “Post Office Community Information Security Policy for Horizon” and is
reviewed and approved by the PO Security Manager. The Security Manager is a member of
the FS Information Security Steering Group (ISSG) and has ensured that corporate policies
are reflected in POA working practice wherever possible.

• While there are a considerable number of supporting documents, two other key security
documents are the “Horizon Access Control Policy” and the “Security Functional
Specification”. The basis behind access control is that all users are associated with system
roles so, while some maintenance is required regarding leavers, access is controlled at the
front end.

• It was stated that all deliverables to the customer should be subject to security testing.
Subsequent sampling in the Testing Unit confirmed that there were staff that specialised in
testing the security aspects of any solution.

• The initial risk assessment, associated with the establishment of any Information Security
Management System (ISMS), was carried out in POA before the Security Manager joined the
programme. However, the system (embedded as part of the POA BMS) was developed to
address the findings of that initial assessment. Any security risks identified now are
managed through the programme’s central Risk Register and subject to management review
and action.

• Security incidents are managed through the programme’s normal problem management
processes (see Problem Management section below). More serious incidents (eg. thefts,
break-ins, viruses, etc) are reported to the customer and feed into FS Group Security. A full
audit trail of all transactions through all Horizon systems is kept on audit servers, housed
and managed from high security rooms in FEL01.

• Security was seen to be part of the POA Induction packs and the Security Manager
contributes to the 3 monthly induction briefings. All staff working on the POA have to be
security cleared and the security unit receive a regular HRA listing from HR detailing all
movers and joiners to confirm clearance.

• These records, along with others associated with security processes, are spread across a
number of repositories, including the Security Manager’s laptop. It was recommended that
the security process set be reviewed with a view to them being brought in line with the
requirements of the corporate Process Management Method (PMM). This would include the
definition of all key records and their controls, and consideration of process measures. (see
Quality Management section and non-conformance 2 for more details).

• As this was the first internal assessment visit to the Security Unit, and given that the Security
Manager was leaving the company on the day of the assessment, it was agreed that security
should be visited during the next internal assessment to look at the success of handover and
to look at specific security areas in more detail (eg. access control, interface to development,
incident reporting & closure, risk management).

4.6 Release Management

Assessment Criteria : ISO 9001 (4.2, 7.3, 7.5, 8)

Release Cycle, Problem Identification, Corrective Action, Review & Approval, Testing, Record
Control, Use of PVCS.

• The release of any changes associated with problem / bug correction, between major releases
of the system, are subject to release management control and testing. Problems reported on
the PEAK system are impacted by the support / development teams before being reviewed at
the weekly Release Management Forum. This is attended by representatives of Release
Management (RM), the SSC, Development, the Live System Testing (LST) and the QFP
(Quality Filter Process). All PEAKs on the agenda are pre-viewed by attendees prior to
discussion at the forum. Any appropriate action and the timing of release of the fix is
captured in the meeting minutes (examples from 14th July and 24th Aug. seen).

• The standard cycle for any agreed change is : new code produced by Development and put
into PVCS, the PIT package the change and add installation instructions, RM register
change on RM database, LST perform validation tests, RM release change to Live
implementation. During the cycle an audit trail is maintained through the PEAK system and
through the document set lodged in PVCS.

• The full cycle of PEAK 123065 was successfully followed through PEAK, PVCS and the RM
DB.

• Guidance relating to Release Management was seen to be documented in the “Release
Management & Release Testing Scheduling” work instruction (CSRM/WK/011) and the
“Release Authorisation & Distribution Process for Software Fixes” (CS/PRD.012). It was
noted that neither of these documents complied with the corporate Process Management
Method or the associated Process Template. As a result, neither defined the key records
associated with them, or their controls, and there was no clear definition of process
performance or effectiveness measures (see Quality Management section and
non-conformance 2 for further detail).

4.7 Testing

Assessment Criteria : Requirement, Test Criteria, Records, Re-test, Internal Communications,
Configuration Management, Authorisation to proceed, Customer Communications & Acceptance,
Process Management Method, Interaction of Processes, Record Management, Performance Plus
Guidelines, ISO 9001 sections: 4.2.4, 5.5, 6.3, 7.1, 7.2.3, 7.3.6, 7.5.3, 8.2.4, 8.3, 8.4.

• The manager for POA test is responsible for independent testing of developments to determine
that they are fit for purpose. This is done by test analysis and checking test cases against the
customer requirements.

• Unit testing is verified by the DELT Manager who is the approval authority for unit testing
reports. RS/TRP/009 unit test report V0.1 dated 25/08/05, logged within PVCS, was seen as
currently out for review to the DELT Manager. Unit testing appears to be covered and satisfies
the observation raised during the last BSI assessment in November 2004. Comments from the
GHQ/POA/FEL01-BRA01/Aug04 assessment report regarding link testing were discussed and
evidence provided to show that the test report quoted in the earlier report was compliant with the
DELT process.

• Post Office Account System Integration Life Cycle Process — DE/PRP/003 V6.0 dated 09/0/05 is
an approved document that contains links to BMS policies but does not link to the Test Planning
and Preparation Process logged within the BMS. The Post Office Account System Integration Life
Cycle Process was seen to be non-compliant with the Process Management Method contained
within the BMS. (See non-conformance 2 for further details)

• A Test Strategy is produced by a test designer within the POA Test Team and filed within PVCS
where all POA Test Team members can access relevant testing documents. The test strategy for
release S90 was sampled and found to be under adequate document control. The test strategy
indicates appropriate test streams and cycles and leads to the production of High Level Test Plans
(HLTP). HLTP S90 Release — VI/TSC/486 V0.1 dated 08/08/05 was seen to be WIP and referred
to both the test strategy and the Post Office Account System Integration Life Cycle Process. On
approval of HLTP low level plans and test scripts are input into Test Director which is used to
track the progress of the test scripts.

• Errors in testing are logged in the PEAK Incident Management System and are routed back to the
appropriate developer. When reported errors are rectified the appropriate unit testing takes place
and the result reported via the DELT report and passed back to the testing team for retest.

• The POA Test Team contains specialised security testers who test against the security
requirements set by the security development team, such as platform access codes.

• The POA Test Manager had only received top level objectives from senior management the day
before the assessment interview and therefore did not have personal objectives for 2005 logged on
Performance Plus. This was also the case for the 20 + members of the POA Test Team as the
Testing objectives have not yet been cascaded to the team. An objective report created by a peer of
the POA Test Manager stated that “100% of employees to have agreed objectives for 2005/6 by
30/09/05". (See observation 4 for further details)
However the POA Test Manager was unaware of the QMM cascades.

• The POA Test Manager has his CV and skills logged on the skills database although they have not
been updated within the last 12 months. However, the POA Test Manager believes that his CV
and skill set is accurately reflected within the skills database. (See observation 3 for further
details)

4.8 Service Introduction

Assessment Criteria: ISO 9001 sections 5.5, 2 7.1, 7.2, 7.5, 8

SDM Community Guidelines, Performance Plus Guidelines, Handover Process, Customer Comms.,
Reviews, KPIs, Acceptance, CSLC 7-9, Process Management Method, Interaction of Processes,
Record Management.

• The Service Introduction Manager within the Post Office Account Customer Services area is
responsible for the delivery of new services and infrastructure to Post Office counters and the two
data Centres located at Wigan and Bootle.

• Objectives for the Service Introduction Manager and his team for 2005/6 were seen to be available
on Performance Plus. In addition the Service Introduction Manager and his team have CVs and
skill sets logged within the skills database and the Service Introduction Manager has recently
received a reminder to update his records within the skills database.


= Service Introduction teams reporting to the Service Introduction Manager are all aware of the
three monthly internal management briefings and the latest management briefing shared the
details of the July QMM and included notice of the forthcoming IiP assessment in September. In
addition the 10 point iP questionnaire had been completed by the Service Introduction Manager
and his team.

= The Service Transformation Team — Implementing ITIL Best Practice is producing a number of
processes which are identified within the POA Service Management Process Blueprint. The
Manage Release Process V0.2 (draft) dated 25/08/2005 was WIP and detailed process steps but
was seen to be non-compliant with the Process Management Method contained within the BMS.
(See non-conformance 2 for further details)

= A Change Control Board exists to approve changes and new releases. Release authorisation with
the customer — review per release 1 for Data Centres and 1 for the Post Office Counters. The S80
release authorisation from the customer for the Data Centres dated 25/08/05 was sampled and seen
to be in order.

= The Operational Readiness Review (ORR) for S80, a PowerPoint presentation, was presented to the
customer. The ORR is a RAG document and highlighted risks that led to the recommendation not
to proceed with the S80 release. However, the customer decided to go ahead with the release due
to operational constraints and agreed to authorise a CCN, relevant to the SAP environment only
(S80), which waived the SLTs and OLAs for POL FS file transfers. The POL FS element is
supplied by the Prism Alliance who are delivering the POL FS element directly to the customer. A
recovery action plan has been agreed between Prism and the customer and includes input from the
POA Service Delivery team. The POA Service Delivery Team is also involved in the regular
review of this recovery action plan.

= Service Introduction is involved in the bid process and provides input relevant to the
implementation of changes and releases to the POA.

= The status of the observation raised during the BSI 4534027 assessment report from November
2004, regarding moving towards an account approach to ProjectWEB, was reviewed. The S90
release is utilising ProjectWEB for project and development records and PVCS is used for
controlled documents, but prior to release S90 documents were stored on shared drives and PVCS.

= Transition is described within the sampled Service Support and Definition Introduction document
V0.2 dated 16/06/05. Facilitated workshops and meetings take place prior to a release and the
frequency of review meetings increases as the release date approaches. Plans for service
introduction within the data centres and the Post Office counters are approved by the Service
Introduction manager.

= During the S80 release rollout the Service Introduction team received a 5/5 scorecard from the
customer which has led to a crate of champagne being provided to the Service Introduction team.

= Team strategy for the achievement of team objectives involves team building via ITIL training. A
number of Service Introduction Team members have completed a combination of ITIL foundation,
Green Badge and Red Badge training and similar training is planned for other members of the
Service Introduction Team. All planned training is included in Personal Development Plans.

= Overall good control together with good internal and external communications was demonstrated
within the Service Introduction Team area.

4.9 Business Continuity & Disaster Recovery

Assessment Criteria: ISO 9001 sections 4.2, 7.2, 8
Performance Plus Guidelines, CPM31 Business Continuity, FS Process Management Method,
Interaction of Processes, Record Management.

= The Business Continuity Manager for the POA is part of Customer Services and is responsible for
business continuity contractual requirements which include: - creating business continuity plans,
testing business continuity plans to an acceptable standard, creation of test scripts, development of
validation logs during business continuity testing, creating test reports and disaster recovery of the
POA infrastructure.

= The Business Continuity Manager did not have objectives set for 2005/6 logged on Performance
Plus. (See observation 4 for further details).
The Business Continuity Manager was not aware of QMM briefings but was aware of local
management briefings but not within the last three months.
The Business Continuity Manager has logged his CV and skills on the skills database but has not
updated them for over two years. Recent ITIL training is not reflected within his skill set. (See
observation 3 for further details)

= POA Business Continuity plans are stored on PVCS and distributed to POA Duty Managers, POA
Service Delivery Managers and Capability Units. The Horizon Services Business Continuity Plan
V3.0 dated 07/12/04 (current issue) was sampled and is currently being reviewed in light of the
S80 release and other document changes that are required.
= A yearly business continuity testing schedule is in place which is stored on a shared drive
(Project WEB is not used) and is subject to local control with the date of each version included
within the title of the file. On completion of scheduled tests the yearly business continuity
schedule is updated. It is recommended that the POA Programme Assurance Manager advise the
Business Continuity Manager on the merits of PVCS control.
= During the assessment the status of GHQ/POA/BRA01/090304 Sequence No. 2 was reviewed.
The earlier observation sampled Business Continuity 2003 Operational Test Plan — CS/PLA/078
— draft 0.2 — 19/12/03 and Business Continuity 2003 Operational Test Report — CS/REP/151 —
Draft 0.2 — 19/12/03 and was raised because of the draft status of these documents. During this
assessment it was found that the cited documents are still in draft. However, it was noted that
subsequent business continuity test plans and reports were approved:
- The Business Continuity 2004 Operational Test Plan was registered within PVCS as awaiting
approval by the Service Support Manager since 22/02/05,
- The Business Continuity 2004 Operational Test Report was registered within PVCS as
approved 07/03/2005.
- The Business Continuity 2005 Operational Test Plan — CS/PA/096 was registered within
PVCS as approved 07/03/2005.
= The POA Service Management Process Blueprint identifies a number of processes that follow ITIL
disciplines. The Service Continuity Management Process — CS/PRD/0031 V3.0, last updated
11/04/2003, was seen to be non-compliant with the Process Management Method contained within
the BMS. (See non-conformance 2 for further details)
= Disaster Recovery plans for BRA01 and FEL01 are in place and approved by the Customer Services
Director.

4.10 Problem Management

Assessment Criteria: Manage Problems Process, Performance Plus Guidelines, Manage Call &
Incidents Process, Customer Communications, Measurement and Continual Improvement, Record
Management, Process Management Method, Interaction of Processes, ISO 9001 sections 4.2, 5.5, 7.2,
7.5.1, 8.

= The Service Delivery Manager for On Line Services (on line cash services offered by the Post
Office) is responsible for problem management relevant to the Post office on line services.

= The Service Problem Management Process — CS/PRD/021 — Approved — 02/08/05 was seen to be
non-compliant with the Process Management Method (PMM) contained within the BMS. This process
has been rewritten at Version 4.1 and has missed an opportunity to comply with the PMM as
mentioned in the last internal assessment report, GHQ/POA/FEL01-BRA01/Aug04. (See
non-conformance 2 for further details)

= The BSI4534027 assessment report from November 2004 noted that there was recognition of the
need to understand the business criticality of problems from a customer perception. Since the BSI
assessment the Service Delivery Manager for On Line Services has attended workshops with the
customer with the objective of achieving a better understanding of the customer’s critical business
requirements. One example of this was a workshop with the customer regarding timeout of
transaction approval and rejection due to congestion which resulted in the Post Office being held
financially responsible for mobile telephone credit transfers.

= The Power Help system is used to log calls and incidents and, where appropriate, problems are
raised and allocated to the relevant Service Delivery Manager. Software problems reported by
Post Masters are stored within the PEAK Incident Management System via an OTI link between
Power Help and PEAK. The Problem Management Database is used to register and track
problems that originate within the Post Office and have a POL reference number. A front end
system called Phoenix, referred to within the Service Problem Management Process, is being put
into place to grab multiple incidents recorded within Power Help and problems recorded within
PEAK and place them all in the Problem Management Database.

= Records relevant to problem management are stored within the Problem Management Database
and the PEAK Incident Management System as appropriate. In addition, Major Incident Reports
are created, as appropriate, and logged on PVCS. Major Incident Report CS/RFP V0.3 dated
16/02/2005 was sampled and section 8 was seen to contain a corrective action plan. The problem
logged on the Problem Management Database will not be closed until all the actions in section 8
of the Major Incident Report are completed. This action partly addresses the comments made at
the last internal assessment as reported in GHQ/POA/FEL01-BRA01/Aug04 section 4.8. The
Service Problem Management Process — CS/PRD/021 section 5 further addresses the comments in
section 4.8 of GHQ/POA/FEL01-BRA01/Aug04 by applying process measurement and reporting
back to the process owner.

= Customer Service Improvement Plans (CSIPs) are held by Service Delivery Managers and lessons
learned from problem management are reflected within the CSIPs and reviewed with the customer.

4.11 Customer Services Management

Assessment Criteria : ISO 9001 (4.2, 5, 6, 7, 8)

Involvement in Strategic Planning, Cascade of Objectives, Practice & Assignment Objectives,
Performance Plus, Training & Development, KPIs, Measurement, Management Review, Involvement
in BEP / BAP, Resourcing

= The Customer Services Director interviewed demonstrated a good level of control over his
area of responsibility and an obvious customer focus. His hands-on approach was seen to be
balanced by a comprehensive set of reports, trend analysis and improvement activities.

= Observing him dealing with an urgent issue that had arisen during the course of the
interview, he was seen to be making good use of the pro-active monitoring tools available to
him (eg. Tivoli Management Monitor), internal comms routes in terms of obtaining updates
on the problem, and customer communications in terms of keeping his counterpart in the PO
up to date with progress.

= The Weekly Reports and Monthly Service Reports were seen to be RAG’ed for ease of
management review and to contain reference to corrective actions taken as a result of any
failures. It was encouraging to see some graphs including “process” as root cause of failure,
indicating a need to introduce or revise processes or address staffs’ awareness of them.
Network issues highlighted in the Monthly report were successfully tracked through
correspondence with Energis and onto subsequent BT corrective action statements.

= At a top level, the unit’s strategic approach is documented in the “Business & Organisation
Challenges, Actions Planned & Support Requirements — Post Office Account — CS”
document. Development requirements specified at this top level were successfully followed
through to DRs’ Personal Development Plans. All Performance Plus activities have been
completed for CS staff, as evidenced by stats produced by HR.

= Recognising the need to develop more pro-active Problem Managers, the CS Dir. has held a
recent OMR to review the competencies of the unit. Output from this included development
plans for appropriate staff.

= The local process set has been revised to ensure ITIL compliance and the interaction of
processes is defined in the CS “Process Blueprint”. The sampled Incident Management
Processes did not identify process records and their controls, or processes measures, as
required by the corporate Process Management Method.

= The CS Dir. is extremely dis-satisfied with the service being provided by Core Services to the
account, especially IS Networks, and has raised an internal Amber alert to escalate the issue.

4.12 Account Management & Business Development

Assessment Criteria : ISO 9001 sections 4.1, 4.2, 5, 7.1, 7.2, 8

Account Planning, Link to Strategic Direction, Account Review, Analysis of Key Measures &
Improvement Actions, Manage Account Plan / Account Plan Review & Manage Customer
relationships Processes, Involvement in business development (CSLC 1-6), Record Repository (use of
Siebel), Account Management Community Guidelines

= Senior Account Management attention has been focused on the HNG submission for some
months now. New staff have been brought into the area over the past year and have been
focusing on account management within Post Office Limited business areas and the
development of new opportunities within the Royal Mail Group.

= Filestore structures have been created on a shared drive relating to the key account areas (eg.
Banking, Financial Services, Home & Personal, Travel & Leisure, Direct Sales) and each
contains an account plan in the recommended corporate format.

Although it was stated that account plan reviews are planned for November, there is
currently no evidence that the plans have been reviewed, or approved, at either a POA or
UKCB level (as required by the corporate Manage Account Plan Process (section 4.3)). It
was recommended that they be reviewed and approved at a POA level as soon as possible and
the decision taken as to whether they warrant review at a UKCB level.

At a top level, the draft Mid Term Plan input from POA (V 0.2) was seen to contain
reference to targeting new opportunities at the Royal Mail Group level. There is also a “Post
Office Account Relationship Plan” which includes details of POL and FS counterparts at all
levels within the organisation.

While there are a number of customer forums in place, the key, formal, interface for account
management is the Contract Management Meeting. Due to both sides’ focus on HNG, this
has not been held since May. There are no minutes or actions documented as a result of this
meeting. It is recommended that at least internal filenotes be captured from such meetings
and filed in the appropriate section of the account management shared filestore. This was
seen to be the practice with customer meetings held at the lower level (example seen from a
Financial Services meeting).

Since the last visit to the POA account management unit, an “Information Sharing
Guidelines — Sept 2005” document has been introduced to identify what type of
documentation should go into the different POA repositories. Some work has also been done
to establish a shared filestore structure to hold documents associated with the CSLC.

Only 2 opportunities are currently using Project Web as their record repository. The account
managers stated that they found Project Web difficult to use and would therefore use the
shared filestore repositories for all future opportunities. It was recommended that, as Project
Web is the recommended corporate tool, the team feed all their issues into the Project Web
support team to ensure they are registered.

Currently, the majority of opportunities come from change requests which are managed
through the POA Change Management Process (see section 4.2 for further details).
However, new business opportunities over £1m are logged on Siebel and follow the CSLC
business approval route. It was highlighted that the CSLC requirement is that all new
business opportunities are logged on Siebel, with the option to “bundle” together smaller
value work orders on a regular basis. It is recommended that the “Siebel Operational Best
Practice Guide” on CafeVik be reviewed to ensure that all appropriate opportunities are put
onto Siebel.

Locally, a sales funnel spreadsheet is used to register opportunities, linking them to account
specific information (eg. associated CT / CP numbers, etc). An Opportunities Matrix is also
maintained and used with delivery units to identify resources required for any opportunity.
The audit trail in Project Web associated with the HNG opportunity (Siebel ref
POAKSO001) was sampled. There was no record of an initial Opportunity Review but there
were records of Bid no Bid reviews (Sept 04) being held at a UKCB and Group level (packs
and subsequent actions seen, also updates to actions). Subsequent BAR packs and actions
from March and June 05 were seen and the last BAR pack from Sept 05.

Although recently submitted to the customer, there was no record of the approval of the last
proposal from the Sept. BAR. It was recommended that a copy of the minutes be requested
from BA to ensure the bid record set is complete.

It was noted that all action updates were recorded on POA produced forms, those from Group
reviews having been transcribed from the original output from BA. It was recommended that
the originals be retained to ensure a complete record set. The original BA output from June
BAR was available and stated that re-review was required before submission to customer.
There was no record of any re-review and approval in the document library.

The top ten risks were included in the later BAR packs and associated P&Ls, however there
was no risk register or risk plan held in, or referenced from, the Project Web document
library.

It was recommended that the HNG document library on Project Web be reviewed against the
expected record set associated with the CSLC and any gaps identified. Appreciating that
POA uses a number of document repositories, it was further recommended that, where the
master record resides elsewhere (eg in PVCS), an entry containing a link to it be put into the
bid document library so that completion of all appropriate CSLC activities can easily be
verified, and for ease of management review.

Also, particularly given the unit’s strategic aim of growing the business within the Royal
Mail Group and that more large opportunities could be forthcoming, it was recommended that the
filestore structure in shared filestore be reviewed to ensure it has sufficient guidance
embedded in it to ensure all bid records are produced (eg. by having pre-defined entries for
all documents expected at each stage of the CSLC). It was suggested that this should start
with those records mandated by the CSLC and be expanded to include any POA / UKCB
specifics.

= Although some progress has been made with the establishment of the filestore structures,
observations relating to the management of business development records have been recorded
in internal assessment reports from as far back as 2003.

5. Observations & Non-conformances
The following Observations and Non-conformances were raised during the course of this assessment :-

Reference / Sequence 1 Date of Observation 30/08/05
Category Non-conformance Standard / Section ISO 9001 / 5.6
Corporate Process Assess & Review BMS Local Process
Unit POA Country UK
Location FEL01 Di UK CB
Interviewee Clive Morgan Interviewee's Role Account Director
Area Contact Jan Holmes Assessor's Name Alan Clapson

Observation

While mechanisms are in place within POA for reporting the status of the local business management
system to the management team, there is little evidence that issues and non-conformances are being
addressed in a timely manner.

Examples highlighted during this assessment include the slippage of process reviews (the PPRR
process), timescales associated with document sign off and the appropriate review of corrective action
completion before closure.

Please see sections 4.1 and 4.2 of the Assessment Commentary for further details.

Notes

The issues around document / process review are of concern because some of the processes /
documents concerned may be contractual.

Insufficient review of corrective action completion resulted in 5 observations from previous
assessments being re-opened during the 2004 Internal Assessment and 2 non-conformances raised
during that assessment not able to be verified during this visit (GHQ/POA/FEL01-BRA01/Aug04 :
sequence 1 & 2). Both were closed on intent to carry out actions which were not completed (please
see section 4.3 for further detail).

It was recommended that the POA management team take a more active role in reviewing the
effectiveness of corrective actions and that a process be put in place to filter key corrective actions up
to the management team. C/A review could also involve consideration of preventive action that
should take place in other areas of the account, as a result of corrective action in one area. This could
apply to any corrective actions, not just those associated with assessment findings.

It was also recommended that, in-line with the guidance issued with the Assessment Database, the
“Reviewing Manager” for corrective actions be the line manager responsible for the part of the
business impacted by the non-conformance or observation, rather than the Quality Manager, and that
the Quality Manager attend the Management Meeting more regularly so as to highlight key aspects of
his quarterly report where appropriate.

Corrective Action Details

Corrective Action To Be Taken

Actionee Reviewing Manager

Forecast Completion Date Actual Completion Date

Verified By Date Verified

Observation Details
Reference / Sequence 2 Date of Observation 01/09/05
Category Non-conformance Standard / Section ISO 9001 / 4.2
Corporate Process PMM Local Process PA/PRO/038
Unit POA UK
Location FEL01 UK CB
Interviewee Various Interviewee's Role Various
Area Contact Jan Holmes Assessor's Name Alan Clapson

Observation

Local processes sampled in all units visited do not comply with the corporate Process Management
Method or the associated corporate Process Template. As a result most do not sufficiently define the
key records associated with the process, their controls or process measures (as required by ISO 9001,
section 4.2).

See sections 4.2, 4.3, 4.5, 4.6, 4.7, 4.8, 4.9 and 4.10 for examples relating to units visited.
This has been raised during previous assessments and is still an issue because, despite being closed,
the stated corrective action on GHQ/POA/FEL01-BRA01/Aug04 — non-conformance 2, has not been
actioned.

Notes

Given the extent of the local process set, conversion of all processes to the full corporate template
would be a very large task. It was therefore agreed that the Quality Manager should compare the
current format commonly used across POA with the corporate template and identify the gaps. He will
then produce a local POA process template, agree its content with the PMM owner in Business
Assurance, and, with POA management support, update all POA processes to the template structure
as part of the next review. Progress could then be tracked via the Quality Manager’s Quarterly Report
and the management team meeting.

Corrective Action Details

Corrective Action To Be Taken

Actionee Reviewing Manager

Forecast Completion Date Actual Completion Date

Verified By Date Verified

Observation Details
Reference / Sequence 3 Date of Observation 01/09/05
Category Observation Standard / Section ISO 9001 / 6.2
Corporate Process Manage People Process Local Process
Unit POA UK
Location FEL01 UK CB
Interviewee Various Interviewee's Role Various
Area Contact Jan Holmes Assessor's Name Alan Clapson

Observation

While there was evidence of most staff using the corporate Skills Database to record competency
records (training, education, experience, skills), all those sampled were in need of update and there is
no mechanism for management review of the records.

The POA Account Management team were not using the Skills DB, or any other mechanism, for
recording staff competency records.

Please see sections 4.7, 4.8 and 4.12 for further details.

Notes

It was suggested that review of staff’s Skills DB entries might be incorporated into the annual
appraisal and/or mid-year / quarterly objectives reviews.

Corrective Action Details

Corrective Action To Be Taken

Actionee Reviewing Manager

Forecast Completion Date Actual Completion Date

Verified By Date Verified

Observation Details
Reference / Sequence 4 Date of Observation 01/09/05
Category Observation Standard / Section ISO 9001 / 6.2
Corporate Process Performance Plus Local Process
Unit POA UK
Location FEL01 UK CB
Interviewee Various Interviewee's Role Various
Area Contact Jan Holmes Assessor's Name Alan Clapson

Observation

Some members of staff do not have personal objectives recorded on the corporate on-line Performance
Plus system, as mandated by Group HR.

These include the POA Testing Team and the Business Continuity Manager. (see sections 4.7 & 4.9)

Notes

During the assessment of HR, it was also highlighted that a standard approach to integrating Core
Services Practice and account specific objectives has not been established across FS. A workshop
between Core and BU HR reps is being organised in the NHS account and it was recommended that
the POA Solution Centre HR rep try to attend to give another account’s input to the debate.

Corrective Action Details

Corrective Action To Be Taken

Actionee Reviewing Manager

Forecast Completion Date Actual Completion Date

Verified By Date Verified

Observation Details
Reference / Sequence 5 Date of Observation 27/09/05
Category Observation Standard / Section ISO 9001 / 4.2.3
Corporate Process Manage Account Plan Local Process
Unit POA UK
Location FEL01 UK CB
Interviewee Liam Foley Interviewee's Role Account Manager
Area Contact Jan Holmes Assessor's Name Alan Clapson

Observation

POA Account Plans, most having been established at the beginning of the company year, have not
been reviewed or approved at a POA or UKCB level.

Notes

It was stated that the plans were planned to be reviewed in November but there is evidence that they
had been approved at BU level (as per step 4.3 of the Manage Account Plan Process).

Please see section 4.12 for further details.

Corrective Action Details

Corrective Action To Be Taken

Actionee Reviewing Manager

Forecast Completion Date Actual Completion Date

Verified By Date Verified

Observation Details
Reference / Sequence 6 Date of Observation 27/09/05
Category Non-conformance Standard / Section ISO 9001 / 4.2.4
Corporate Process CSLC 1-6 Local Process
Unit POA UK
Location FEL01 UK CB
Interviewee Kevin Spence Interviewee's Role Senior Account Manager
Area Contact Jan Holmes Assessor's Name Alan Clapson

Observation

Records associated with bidding for new business (CSLC 1-6) are not complete and readily available
in the document libraries used.
In particular, some approval records were not available, nor was evidence of closure of actions
raised during approval reviews.

Please see section 4.12 for further details.

Notes

Observations regarding record management in this area have been raised in previous internal
assessment reports (eg. June 2003) and while some progress has been made in establishing shared
filestore structures to contain CSLC records, it is still difficult to audit trail an opportunity and some
records are still missing.

Please see recommendations in section 4.12.

Corrective Action Details

Corrective Action To Be Taken

Actionee Reviewing Manager

Forecast Completion Date Actual Completion Date

Verified By Date Verified