FUJ00080950
Quality Management Report
FUJITSU FUJITSU CONFIDENTIAL (FUJITSU EYES ONLY)
Document Title: Quality Management Report (December 2016)
Document Reference: PGM/PAS/REP/0798
Release: Not Applicable
Abstract: Monthly Report on Quality Management across the Post Office
Account.
Document Status: APPROVED
Author & Dept.: Bill Membery/Abi Loveday
External Distribution: None
Security Risk Assessment Confirmed: YES, security risks have been assessed, see section 0.9 for details.
Approval Authorities:
Steve Bansal, Senior Service Delivery Manager
© Copyright Fujitsu Services Limited 2017. FUJITSU CONFIDENTIAL (FUJITSU EYES ONLY). UNCONTROLLED IF PRINTED OR LOCALLY STORED.
Ref: PGM/PAS/REP/0798. Version: 2016-12. Date: 02-FEB-2017.
0 Document Control
0.1 Table of Contents
0 DOCUMENT CONTROL
0.1 Table of Contents
0.2 Document History
0.3 Review Details
0.4 Distribution List following Approval
0.5 Associated Documents (Internal & External)
0.6 Abbreviations
0.7 Glossary
0.8 Changes Expected
0.9 Accuracy
0.10 Security Risk Assessment
1 PURPOSE
2 MANAGEMENT SUMMARY
3 INTRODUCTION
4 WAIVERS & LETS
5 ASSESSMENTS
5.1 Assessments Conducted
5.2 Assessments/Health Checks Planned
6 QUALITY AND COMPLIANCE FRAMEWORK
6.1 Document Management
7 CORRECTIVE ACTION STATUS
7.1 POA INDUCTIONS
8 MEASURES
8.1 QRT/POA Scorecard Process
8.2 Voice of the Customer (in depth reviews)
9 ACTIVE UPDATE
10 COMMUNICATION
0.2 Document History
Only integer versions are authorised for development.
For full history, see previous revisions in Dimensions.
Version No.  Date         Summary of Changes and Reason for Issue                                  Associated Change - CP/PEAK/PPRR Reference
2015-11.1    20-Jan-2016  Draft version of January 2016 report (reviewed template and amended).
2016-01      17-Feb-2016  Approved version of January 2016 report.
2016-01.1    10-Mar-2016  Draft version of February 2016 report.
2016-02      10-Mar-2016  Approved version of February 2016 report.
2016-02.1    23-Mar-2016  Draft version of March 2016 report. Removed Keith Smith from distribution list.
2016-03      23-Mar-2016  Approved version of March 2016 report.
2016-04.1    25-May-2016  Draft version of May 2016 report.
2016-05      07-Jun-2016  Approved version of May 2016 report.
2016-05.1    08-Jul-2016  Draft version of July 2016 report.
2016-07      31-Aug-2016  Approved version of July 2016 report.
2016-07.1    07-Sep-2016  Draft version of August 2016 report.
2016-08      22-Sep-2016  Approved version of August 2016 report.
2016-08.1    10-Sep-2016  Draft version of September 2016 report.
2016-09      14-Oct-2016  Approved version of September 2016 report.
2016-09.1    11-Nov-2016  Draft version of October 2016 report.
2016-10      11-Nov-2016  Approved version of October 2016 report.
2016-11      13-Jan-2017  Draft of December 2016 report.
2016-11.1    13-Jan-2017  Draft version of December 2016 report.
2016-12      02-Feb-2017  Approved version of December 2016
0.3 Review Details
Review Comments by:
UVa uCch oem Bill Membery + Post Office Account Document Management
Mandatory Review
Role                             Name
Senior Service Delivery Manager  Steve Bansal
Quality and Compliance Manager   Bill Membery
Optional Review
Role                             Name
Document Manager                 Matthew Lenton
(*) = Reviewers that returned comments
0.4 Distribution List following Approval
Issued for Information following approval
Name
Alan Flack
Alex Kemp
Brian McCann
Carol Dunford; Post Office Account Commercial Mailbox
Chris Harrison
Ewan Hill
Gavin Bell
Geraldine Houlihan
Ken Westfield
Mark Ascott
Martin Cornell
Nick Lawman
Pete Newsome
Pete Thompson
Ray Wodhams
Stephen Godfrey
Steve Bansal
Tony Wicks
0.5 Associated Documents (Internal & External)
References should normally refer to the latest approved version in Dimensions; only refer to a
specific version if necessary.
Reference                         Version         Date            Title                                         Source
PGM/DCM/TEM/0001 (DO NOT REMOVE)  See note above  See note above  POA Generic Document Template                 Dimensions
PGM/DCM/ION/0001 (DO NOT REMOVE)                                  POA Document Reviewers/Approvers Role Matrix  Dimensions
0.6 Abbreviations
Abbreviation  Definition
              Business Assurance
              Fujitsu Business Management System
BV            Bureau Veritas - Fujitsu's external compliance auditors
CAS           Client Assistant Schedule
CSS           Customer Satisfaction Scorecard
E&Y           Ernst and Young
FJ            Fujitsu
ISO           International Organisation for Standards
LASISS        LINK ATM Scheme Information Security Standard
NC            Non Conformance
PCI           Payment Card Industry
PCI DSS       Payment Card Industry Data Security Standard
POA           Post Office Account (Fujitsu)
POL           Post Office Ltd
QMR           Quality Management Review
SOW           Statement of Works
SP            SharePoint
SoCR          Statement of Compliance Report
CAP           Corrective Action Plan
NC            Non Conformance
0.7 Glossary
Term            Definition
ISO 9001        Quality Management Systems - Requirements (International Standard)
BS OHSAS 18001  Occupational Health and Safety Management Systems - Requirements (British Standard)
ISO 14001       Environmental Management Systems - Requirements for use (International Standard)
ISO 27001       Information Technology - Security Techniques - Information Security Management Systems - Requirements (International Standard)
ISAE 3402       International Standards for Assurance Engagements - Assurance Reports on Controls at a Service Organization
Health Check    A quick, focussed, short duration review of critical processes to confirm their capability and identify improvement opportunities to the efficiency and effectiveness of the process in meeting business goals.
PCI             The Payment Card Industry for data security standard (DSS).
ISO 22301       The business continuity standard.
ISO 20000       The service management standard.
BMS             Fujitsu's business management system.
0.8 Changes Expected
0.9 Accuracy
Fujitsu Services endeavours to ensure that the information contained in this document is correct but,
whilst every effort is made to ensure the accuracy of such information, it accepts no liability for any loss
(however caused) sustained as a result of any error or omission in the same.
0.10 Security Risk Assessment
Security risks have been assessed and it is considered that there are no security risks relating
specifically to this document.
Purpose
This document is the monthly report on the suitability, adequacy and effectiveness of the Quality
Management system across the Post Office Account (POA).
This management system includes:
1. Fujitsu Business Management System (EBMS)
2. POA local processes and procedures
3. POA Second and Third Parties
This document is the main input to the regular management review of the POA’s Management System
which is undertaken in compliance with ISO 9001 clause 5.6 Management review and ISO 27001 clause
5.1.
1 Management Summary
Item 1
A document detailing both external and internal audits has been published. This is stored on POA Audit High Level Plan 2015_16.

Item 2
Details: POA IAS
BV - There are currently 0 outstanding observations and non-conformities.
PCI - POL - Notified on 3rd January by Adam Moss that Post Office had received their attestation of compliance and that remedial work and changes to prepare for the 2017 audit were to be planned in January/February 2017.
ISAE 3402 - This was placed on hold by Mark Nash at Post Office on 22nd December 2016 and is currently under discussion commercially.
BA ISO 22301 - The next audit for this will be on 23rd February 2017.
ISO 27001 - The next audit for this will be undertaken in 2017.
ISO 9000 - The next audit for this will be on 23rd February 2017.
EBMS - A full history of the EBMS Updates can be found at BMS Change History and recent changes have been provided to all teams with required actions.
Local Health Checks - No progress on these to date, and EBMS policy and processes now require the Account to call in assessment services if these are required.
Quality & CI - Focus is on delivering contractual obligations, reducing costs and providing employees with transferable skills and knowledge, but this may change dependent on Project Trinity and the strategy currently being developed.
Transition - The scope and responsibilities for any future Audits have not been clarified despite repeated requests at the ISMF to Post Office Limited and ATOS. This may change dependent on Project Trinity.
2 Introduction
This section of the report covers the Fujitsu EBMS which defines how we work. The key components of
the BMS can be found on Café VIK at EBMS Processes.
Updates to the EBMS are received from Group Quality each month. These updates are being cascaded
to the Leadership Team via the Monthly Quality Report. The Quality and Compliance Team is ensuring
that future updates have been cascaded to Process Owners/Leads.
A full history of EBMS Updates can be found at EBMS Change History.
For this, the Account is required to produce a lessons learned quality review and a quality management
highlights and lowlights report.
3 Waivers & Lets
The EBMS Waiver List shows the current Waivers and Lets from Fujitsu's BMS process. These are subject
to review by the Account Process owner three months prior to the expiry of the Waiver or Let. Due to
recent changes in the BMS, the Account may need to consider waivers against these changes because of the
timescales required to deliver them.
4 Assessments
The Account is subject to assessments (audits) from various sources:
1. External to Fujitsu
   • Fujitsu's certification body (currently BV), who conduct assessments where initial
     registration to standards is being sought and surveillance assessments for standards to
     which Fujitsu is already registered. This currently includes the standards listed here.
   • POL, who may conduct audits as they are allowed to do under the terms of The
     Agreement with Fujitsu.
2. External to the Account
   • Assessment Services and Security Governance conduct assessments as part of
     Fujitsu's agreement with Fujitsu's certification body (currently BV) to reduce the amount
     of assessment carried out directly by the certification body. Assessment Services and
     Security Governance sometimes carry out additional assessments at the request of the
     Account to help prepare for external assessments.
3. Internal to the Account
   • POA Quality Management conduct local health checks on the Account to ensure that the
     Account is complying with local processes and procedures, with the EBMS and with the
     standards that the Account is required to comply with under the terms of the
     Agreement.
Assessments Conducted
The following assessments have been conducted on the Account during 2016:
Date                           Type                 Assessor             Scope                                                Non-Conformances  Observations  Link to Reports
November 2015 - February 2016  ISAE 3402            Ernst and Young      ISAE 3402 2015-2016                                                                  ISAE 3402 Completed report
November - December 2016       PCI Additional Audit Razorthorne          Additional found by PEN test                                                         Report owned by POL.
April 2016                     ISO 27001            Bureau Veritas       Audit of Helpdesk functions and staff at Stevenage                                   Security Audit April 2016
June 2016                      ISO 27001 / PCI DSS  Security Governance  Audit - POA Preparation for external PCI audit                                       PCI PRE Audit 2016
ISO 27001 Security Governance Report
4.1 Assessments/Health Checks Planned
Health Checks are a quick, focused, short duration review of critical processes to confirm their capability
and identify improvement opportunities to the efficiency and effectiveness of the process in meeting
business goals.
The POA Compliance Framework has identified areas which, based on previous external and internal
non-conformities, observations and ISO 27001 Health Checks, require further investigation and these
have been included in the integrated assessment plan.
The following assessment and Health Check has taken place and has not yet been finalised:
November 2016 - February 2017  ISAE 3402  External  E&Y (Provisional)  On hold at Post Office request.
February 2017                  BV 9000    External  Bureau Veritas
5 Quality and Compliance Framework
POA has contractual, legislative and compliance requirements placed upon it by its stakeholders and
evidence that these are met is required as part of its assurance to the Stakeholders. This is achieved via
its internal and external compliance and accreditation audits and Health checks.
The controls required to meet its accreditation and compliance are documented in Fujitsu’s EBMS and
this document.
POA has undertaken a review of these controls to provide Post Office Limited (POL) with an ISAE 3402
Statement of Compliance Report in March 2016. This work was undertaken in conjunction with Ernst and
Young (E&Y) and POL and is repeated annually.
This ISAE 3402 SoCR, coupled with the Account's ISO 27001 and the assistance given to POL's own accreditation to
the PCI DSS standards, has provided the framework and assurance needed by both Fujitsu and POL.
5.1 Document Management
These reports are compiled and managed by the Document Manager, but we are responsible for the
Quality elements of them.
Links to Document Management Reports are here:
Dimensions Document Index
Issued for Review in last 10 days
Corrective Action Status
Full details of these are on SharePoint — POA Corrective Action Log and on the Group Quality
Assessment Database.
POA Corrective Action Status 17-Jan-2017
Health Checks
Type of Finding: Major Non-Conformance, Non-Conformance, Observation, Good Practice, Total
Status key:
  Some Corrective Actions are Overdue
  Some Corrective Actions are Open but none are Overdue
  All Corrective Actions are Closed
  Completed by POA, but awaiting Verification
  Total number of outstanding non-conformances and observations
5.2 POA INDUCTIONS
All new joiners to the Post Office Account are required to complete an induction within 90 days of joining
the Account.
This summary is reported monthly after each POA Induction. The next report is due at the end of
January 2017.
Number of security induction incidents (people who haven't received an induction within 90 days of joining the Account)
We currently have no security induction incidents. We received 100% conformance from January 2018 - September 2016. We are still waiting
on the 90 day period to complete the report for October, November and December.
6 Measures
6.1 QRT/POA Scorecard Process
                                             Oct-Dec 15  Jan-Mar 16  Apr-Jun 16  Jul-Sep 16
Operations - Quarterly Scorecard
Operations - Quarterly Relationship Tracker
Programme - Quarterly Scorecard              8.8         8.8         TBA         TBA
Customer Led STAR Awards                     7           TBA         TBA         TBA
6.2 Voice of the Customer (in depth reviews)
The annual VoC In-depth Review was conducted with Steve Beddoe (Post Office) during December 2015
and the results are highlighted below. The feedback provided by Steve Beddoe has been evaluated and
used to create the 2016 VoC Service Improvement Plan which is now underway and can be located on
the POA Portal alongside the Chime VoC Report.
[Figure: KPI Results. Chart of responses on a scale of 1 to 5 (strongly disagree to agree) for statements including "I would be happy to provide a reference for Fujitsu", "Feedback provided to Fujitsu is acted on" and "Fujitsu makes it easy for me to work with them".]
7 Communication
Communication of all Quality details is provided through the EBMS updates which are on SharePoint, via
this monthly report, and the Quality Management Reviews. External communications with the customer
are through the Joint Audit Group Steering meetings.