FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
The following is a summary list of improvements that have been made on POA that improve service
delivery across several areas and enhance the ways of working with POL. The items are grouped into
categories and are not, at this stage, fully described.
HU) PROGRAMME
* March 2021 — Fujitsu assigned a named point of contact to help coordinate POL's HU
improvement initiatives
*@ March 2021 — Whilst this was being formulated by POL, Fujitsu delivered and led a POL focussed
Postmaster First improvements initiative to jointly address several issues. This involved
proposing initiatives, driving progress, reporting on status, and briefing POL and KPMG weekly:
o SME knowledge sessions on POL selected subjects to enhance POL understanding
©. Aligned CBIF with HDR in August 2021 to consolidate views of defects (See HDR
below)
o Offered guidance and teaching sessions on POL reconciliation actions (POL never
responded)
Supported POL high-level discussions on UAT
Reviewed and contributed to POL planning around its test strategy, test policy and
regression testing approach (see TESTING)
© Supported POL in its thinking of its new governance model (POL never concluded
this)
e August 2021 — POL revised their HU plans and took ownership of tracking progress issuing a
weekly progress call — which in the main was just POL chasing progress on RTQs and CWOs and
not the initiatives proposed that would deliver small and steady improvements. At no point was
this a joined-up programme of work
e January 2022 — the weekly POL led HU calls were proving to be of increasingly low value and POL
cancelled them
HORIZON DEFECTS REVIEW (HDR
© —§Q4 2018 — Fujitsu introduced the Horizon Known Error Review Forum (HKERF) in late 2018 to
provide POL with early visibility of branch impacting defects
© POLconsidered ending this in 2019 (Martin Godbold)
o POLrequested transfer of chairmanship to POL in Q1 2021 with a new name HDR —
started February 2021. Fujitsu agreed
© The HDR meeting scope includes Fujitsu defects and defects from other parties, so
Fujitsu does not attend the whole meeting and the minutes POL issue did not until
February 2022 differentiate between the Fujitsu defects and others and Fujitsu had
declined to accept the minutes from POL until February 2022
May/June 2021 the ToR for HDR was updated and the interaction formalised
POL did not seek to ‘sign off’ the ToR instead assuming its acceptance — which was
reasonable but not formal
©. In November 2021 Fujitsu proposed a new format for the HDR minutes that would
allow Fujitsu to sign off on them. This included a recommendation that the weekly
©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL — INTERNAL USE Ref: See Title
Version: 0.9
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED PageNo: 1 0f 6
FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
meeting started with an agreement of the minutes — POL agreed although POL
action awaited
© In January 2022 Fujitsu amended the ToR to reflect all recent changes to ways of
working (v2.3) and proposed to POL that this version is formally signed off — POL
agreed v2.4 and said it would be issued as v3.0 — this is still awaited
e In 2018, Fujitsu introduced an internal weekly review of any new Knowledge Base Articles that
could potentially refer to defects to ensure a Peak/Incident was in place if needed and POL
notification of the Peak was provided where branch impacting. This fed into the HKERF.
©. This evolved to be more system driven in May/June 2021
= Now it is driven by Peak/Incident tagging
= Al support specialists are aware of the tagging and key fields to update
"This is a cultural shift in how POA considers postmaster implications
¢ November 2021 — Fujitsu proposed and introduced a target dataset for defect notification to POL
and implemented it receiving POL acceptance
©. This saw many new attributes captured and shared: release dates; release numbers;
screenshots; description of workarounds; and many fields describing the defect to
help POL understand and prepare postmaster comms
©. In February 2022 this was implemented in Peak to ensure all HDR updates are
system driven
e HDR reporting has included all Deferred Defects (approved at a release closure meeting with
POL) and major project defects (specifically PBS) which are also discussed in project steering
groups. This was to ensure POL’s defect team had a complete view of all HDR defects regardless
of source
LIVE DEFECT MANAGEMENT
Continuous improvement focus — not a new activity
@ May 2021 - Agreed definition of Live Defect and branch impacting defect with POL
e June 2021 - Fujitsu provides an enhanced Fujitsu created report on all branch impacting defects
to POL weekly as well as attending the POL weekly HDR meeting to review progress
@ May-September 2021 —Shored up the internal Live Defect Management processes to enable
process analysis and reporting — making several changes within teams to improve efficiency
o Added features to the TfSNow and Peak toolsets to enable better management of
Live Defects & HDR Defects to enable greater visibility for POL
o Ran workshops with all support, development, test and release management teams
to embed improved processes
© Changed model for Live Defect delivery to include option for a rapid deployment
option. Although highly manual we now convene sessions to consider rapid
deployment and have offered at least 2 to POL in September 2021 (not taken up)
© October 2021 - Introduced checklists for support staff and stack owners to drive
rigour into the Live Defect management of tickets in the systems
© October 2021 — introduced monthly management overview of progress of Live
Defects to increase leadership awareness and involvement
©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL — INTERNAL USE Ref: See Title
LY Version: 09
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED PageNo: 20f6
FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
o November 2021 - Resurrected the standard assignment and use of maintenance
releases to ensure all defects have a route to live as quickly as possible
o November 2021 - Introduced weekly formal checks and reports from the MAC team
(was previously more manual and ad hoc) to prompt people to keep the systems
updated — many fields are manual with automated anomaly checks not being
available so regular checks were introduced to improve quality
o January 2022 — extended the use of Demand Planning to show ALL releases to which
defects had been assigned
© February 2022 — changed BIF/PTF from weekly to daily to speed up process of
assigning Peaks to releases
December 2021 — Fujitsu provided POL with a complete view of all Live Defects and their stage in
the process and invited POL to decide how they would use the report if it was made regular.
January 2022 POL responded with a format for the report but not what they intended to do with
it. A proposed report format was then shared with POL to capture their wishes and a series of
other helpful fields. POL feedback and a discussion on the use of the report is still awaiting POL
feedback
February 2022 — Live Defect reporting added to the POA executive business review pack
Q4 2021 - Defined a role for a Defect/Quality Manager and appointed a Defect/Quality Manager
from 1° January 2022
PRIVILEGED ACCOUNT IMPROVEMENTS
H2 2020 - Introduced additional monthly reporting of numerous types of physical and user
account privileged usage in the monthly SecOps report to give POL greater visibility — Fujitsu
initiated
Q2 2021 - Reviewed assignments of user accounts with elevated privileges and rationalised it
from 56 to 34
May 2021 - Introduced additional weekly reporting for POL on PAM account status. This is also
now part of the monthly SecOps report to POL
Q2 2021 —- Enhanced the monthly PAM verification processes to record more evidence of actions
taken — updates applied to SVM/SDM/PRO/0012
November 2021 - enhanced the monthly SecOps report included activity related to the releases
of “breakglass” Last Resort accounts by POA SecOps — mentioned in RTQSRO003429 and offered
by Fujitsu
November 2021— monthly SecOps report was enhanced to include activity related to failed
remote connections to the Horizon SSNs — mentioned in RTQSRO003429 and offered by Fujitsu
Q4 2021 — Fujitsu commissioned its ECS team to do a review of PAM accounts and activity. This
concluded in December 2021 and a remediation plan was proposed
January 2022 - Fujitsu SecOps starts reporting on “breakglass” Last Resort accounts weekly to
POL
January 2022 — POA commissioned the ECS remediation project to run February 2022-May 2022
inclusive
April 2022 (WIP under CP2831) — Fujitsu changed all non-BRDB default privileges for SSC support
staff to be read only with validating logging when rights escalated to WRITE to perform approved
‘©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL - INTERNAL USE __ Ref. See Title
Version: 0.9
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED PageNo: 3 0f 6
FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
h as reconciliation and OBC, or other POL pre-approved
ENQUIRY SUPPORT
September 2020 - Introduced communication channels to help POL seek Fujitsu support
July 2021 - Introduced a simple enquiry mailbox for POL and its legal representatives and
assigned a multi-skilled team to be available to review and actions (PO.Enquiries@)
March 2021 - Offered to work with POL to check it is using all the Horizon content it has access to
to best support an inquiry from a postmaster. Interactions were very slow with POL actions
frequently being the cause of the delays/lack of pace
July 2021 — January 2022 — Supported POL’s Investigations team to identify a series of new
requirements to improve their processes (CW00474)
January 2022 - POL commissioned this work and a response was sent back in February 2022
under CWO0562 suggesting a design study and stating many dependencies that POL need to
investigate
APPSUP
October 2016 - Removed the default privilege APPSUP on BRDB under MSC 043J0451867 on
18.10.2016 at 18:00 and made it an on-demand controlled allocation of temporary rights
Note - APPSUP is not used to correct branch balance discrepancies or to amend financial
transactions. Corrections relating to branch balance discrepancies are performed by POL using
the POL Transaction Correction Process. APPSUP is used for non-balance impacting actions (such
as stock unit associations, emergency branch opening, or monthly tidying of despatch reports).
Some APPSUP actions can indirectly lead to a balance impact (such as deleting a corrupt
recovery message that is causing a logon loop). Where an action being taken by Fujitsu using
APPSUP could lead to a balance impact, it is POL that decide if any balance discrepancy
correction is required with the branch and it is POL that take any corrective action required.
© Note: APPSUP can be used to correct branch balance discrepancies and to amend financial
transactions but a decision was made, but not documented or dated, that Fujitsu would NOT use the
privilege to do this. A note is being added to any current work instructions and KBAs to ensure it is
clearly stated that we do not use APPSUP for that purpose and that that has been the case for many
years
May 2021 - Implemented a new jointly defined and agreed process for APPSUP usage (Horizon
Data Change process) that ensures a new POL approval process can be integrated and evidence
of action taken provided
COUNTER ACCESS RIGHT
October 2021 — Fujitsu sent a recommendation to POL to work with CC to ensure that Fujitsu
privileges using the CSASSH account used when connecting to counters for support purposes has
READ ONLY level capabilities and CANNOT affect counter operations. Proper access controls at
the end point and that is all we need. Calls held with CC and POL and even in March 2022 there is
no know plan of action
FUJITSU SYSTEMS — TC TOOL and FJ KEYLOGGER
‘©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL - INTERNAL USE __ Ref. See Title
Version: 0.9
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED PageNo: 4 of 6
FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
@ = 13 May 2021 (CW00425) — Fujitsu fully decommissioned the Transaction Correction Tool with
POL involvement throughout. Done under Release 21.51
RISK MANAGEMENT
® Q4 2019 and ongoing - Continued process improvements to the POA risk management processes.
to ensure greater alignment and clearer action tracking across all areas
@ =~ May 2021 - Introduced enhanced risk management with POL - expanding it to cover all domains.
Fujitsu led with monthly report issued from POA risk portal
e February 2022 — POL look to have taken more ownership of the monthly risk management
meetings and are aligning better internally
@ May 2021 - provided proposal to POL to digitise the delivery of ARQ responses. Work was
commissioned and started
@ =~ March 2022 - This is still underway under CWO0426 but has been extremely delayed by POL
procuring, installing, and configuring the required desktop PGP software
DSAR
e February 2022 — defined process to search multiple historical repositories to service 2 DSAR
requests. Process documented and posted to Dimensions as SVM/SDM/PRO/4404 in March 2022
HEADCOUNT & CAPACITY
* October 202 - Added 35 heads to better support POL in its change aspirations predominantly to
build capacity to deliver the PBS and BEX critical strategic projects as well as recruited specialists
to aid the transition to a hybrid delivery model
* 2018 - ASM was introduced to enable POL to prioritise the utilisation of 4" line resource on
project work over lower priority BAU work.
© 61 potential projects were then identified for consideration by POL (extract
thumbnail shown below)
‘> ‘neha tment pain) nrc ioumnts s/n ie /tpnap teragpen Swern)
©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL -INTERNAL USE Ref: See Title
Version: 0.9
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED PageNo: 5of6
.
FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
April 2020 onwards - Increased the scope of funded resource provided by Fujitsu to cover £1.2m
pa (£90k per month of testing, PM and Architecture resource from circa April 2020)
o Identified potential options to improve the service such as a mechanism for the
counter to check in to see if it is the latest version, thereby enabling shorter lead
time for releases
HORIZON AUDIT
January 2021 - March2021 - Delivered 6 detailed reports on Fujitsu ways of working to assure
POL of the current Fujitsu working practices on:
o =SDLC
o Testing & QA
o BED Management
o Remote Access
© Robustness
© Detailed update on the 29 BEDs
March 2021 — April 2021 - Follow up questions were sent by POL and Fujitsu responded to all of
those formally too
Each report contained several recommendations which POL have not sought to discuss or overtly
action
Fujitsu was assured it would receive formal feedback on these reports, but this has never been
shared by POL
PROJECTS & CHANGE
Identified the need for a POL Demand Planning forum and setup the governance with POL and
inputs to enable this to progress and mature
Fujitsu had to take on a more active leadership of Demand Planning to apply more rigour and
help POL better manage workload and change
© Fujitsu project workload tracking improved to enable better feed into Demand
Planning
°. This includes validating if work by Fujitsu is in fact the right option, challenging the
purpose and whether IT is the right route or whether business process amendment
may be more suitable
© Fujitsu initiated review of all open work items to identify any that would affect the
BEX delivery dates that POL are keen to achieve
© Fujitsu provides a POAP to help POL understand the overall demand landscape
More focussed project weekly reporting set up, highlighting risks and dependencies for POL to
manage and monthly finance forecasting provided to POL PMs
PCI Change Request meeting set up to track key changes / additions / new requirements to
support PCI initiative
Fujitsu offered considerable additional support to POL to help it manage its 3 parties — to try
and reduce the frequency of plan changes needed due to POL 3” party issues
Projects to support Postmasters:
© Rename Settle centrally (CW00415)
©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL — INTERNAL USE Ref: See Title
Version: 0.9
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED PageNo: 6 of 6
FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
e Trained & accredited POL and project teams in SAFE agile methodology to help ensure DDS ways
of working are optimised to enable delivery. Funded external coaches full time to assist the
entire delivery mechanism from POL product managers/owners to scrum team engineers
GOVERNANCE/COMPLIANCE
e April 2019 - A Weekly Priority Meeting was requested by Fujitsu and introduced to enable POL to
clearly its priorities — face to face — so Fujitsu could be clear on the context and ask questions to
avoid any confusion from emails, meetings, and other ad-hoc discussions
© Additionally this helps POL stakeholders to be aware of the breadth of activities that
Fujitsu are undertaking.
TESTING
@ May 2021 —June 2021 - Fujitsu assisted POL to confirm that all 62 issues comprising the 29 BEDs
cited in the Horizon Issues were closed. This was successful
« With the appointment of a new POL Head of Test we introduced a more collaborative approach
to testing. Each release now has a joint test team POL/Fujitsu/Any appropriate 3rd party to
discuss/agree scope of activities for the changes under test.
© Good examples of this were the 29 BED testing, PRE-PAID MI and Computacenter
Data Centre migration where we worked closely with POL Test / Accenture / KPMG /
CC to complete these activities
e We have contributed to the Post Office Test Strategy, Test Policy and Regression testing
approach to help shape testing process at all levels
« We made many recommendations in the TESTING & QA REPORT as part of the Horizon Audit
MONITORING
e The following HORIce graphs were introduce (following Incident reviews). They are used to
assess impact/observe symptoms of ongoing live issues and are used by Service Management
«These are visible to POL on its HORIce dashboard
©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL -INTERNAL USE Ref: See Title
Y Version: 09
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED Page No: 7of6
FUJ00232842
FUJ00232842
FUJITSU CONFIDENTIAL — INTERNAL USE ONLY
TITLE: POA IMPROVEMENTS LOG (WIP)
Figure 1: This is looking at the BMX metrics for Java heap memory _‘Figure 2: This is looking at the PODG transfer logs (via. a HTTP
in the HBS (kiosk) servers. ifthe Java cannot free used memory interface) to detail the number of completed file transfers
quickly enough it leads to issues
Figure 3: This is looking at Tivoli events harvested from the
BlueCoat-ProxySG, it is looking for a specific error text ‘Scheme
was not delimited’ that can affect kiosks
REPORTING
¢ Horizon Defect weekly reporting
* See MONITORING section as the additional events monitored are presented as HORIce reports
¢ Fujitsu provides a POAP to help POL understand the overall demand landscape — this is used at
the Demand Planning forum
POTENTIAL — Ideas yet to be formalised and delivered
BC (still an idea) — “What is in the Audit Archive?” Provided POL with a full list of data available
‘0 them in the Audit Archive - to support POL's postmaster investigation processes. May be
Superseded by the Tactical and Strategic SAN workstreams
BC (still an idea) - Enhanced the ARQ query process to align it to the contents of the
Audit Archive by using a menu system on the request form to make it much easier
March 2022 (WIP) - Monthly Horizon ALL Defects reporting — once POL confirm the process they
ill adopt once the report is made available}
©Copyright Fujitsu Services Ltd 2022 FUJITSU CONFIDENTIAL — INTERNAL USE Ref: See Title
Version: 0.9
Date: 01-MAR-2022
UNCONTROLLED IF PRINTED PageNo: 8 of 6