POL00021418 - Risk and Compliance Committee Minutes of 29/09/2005

Post Office Ltd — Strictly Confidential
RISK AND COMPLIANCE COMMITTEE

29 September 2005 — Meeting Ref: 05

Members:
Sir Mike Hodgkinson (Chair)
Peter Corbett

In Attendance
Rod Ismay
Alwen Lyons

Secretary
Michael Dadra

Apologies
Ian Anderson
Alan Cook
Keith Woollard

SUMMARY ACTION POINTS
ITEM | ACTION | LEAD

Irrelevant

0502 | Submit the Terms of Reference and the note on ‘Audit Recommendations and Oversight’ to the Post Office Ltd Board for approval | RI
0503 | Branch segmentation to identify underlying high risk branches and a plan of how they could all be audited in a 3 year period | MD
0504 | Update Compliance Matrix for Branch Audit compliance coverage | KW
0505 | Update Compliance Matrix with lead owners for each row and column, aligned to the Post Office Ltd organisation chart | KW
0506 | Update Compliance Matrix to make “Training” more explicit, and with core lead role through the Sales line in the Chief Operating Officer's Directorate | KW
0507 | Update the Vital Few Controls matrix to ensure Sales have ultimate responsibility for product training, and to overlay ownership by Business Function | RI
0508 | Perform product reviews in addition to key control reviews | RL

1. MINUTES FROM LAST MEETING
Meeting Ref 04 - minutes approved.

2. STATUS OF ACTIONS FROM THE PREVIOUS MEETING
ITEM | ACTION AND UPDATE | LEAD

0401 | Suspensions — what is the indicative cost of a suspension in terms of cover pay and overheads? | RI
Closed to business as usual.
The cost of maintaining a branch varies dependent on the type of branch, the number of staff employed, the ‘rent’ charged by the suspended Subpostmaster and how important it is that we maintain the service. The scenarios vary from:
- Cost largely unchanged — new agent paid in same way or on past trends
- Agent paid at a premium to secure services, to
- Worst case of no long term solution, and POL underwriting the redundancy costs of the sub postmaster's staff
The economic cost is that all options may be cheaper than gaps in the network.
The Service Team currently considers that there is a satisfactory response for suspensions, but is exploring opportunities with firms who may be able to provide pools of trained resource.

0402 | Revisit Sevenoaks following new Branch Manager and Sales Account Manager. | MD
Closed
Audited in June. The new BM has implemented the supervisory controls required.

0403 | Increase scope of Branch Control forum reports to top 20 instead of top 10. | RI
Closed
Done, and similar ranked approach being extended to other areas.

0404 | Turners Hill — ensure property assets are investigated for recovery | RI
Closed
Subpostmaster lives in rented accommodation and appears to have little in assets. Property is investigated as a matter of course in all cases.

Irrelevant

Irrelevant


0409 | Destruction and returns — could some DMBs be used to recycle stock from closed offices instead of returning for destruction centrally? | RI
Closed
Our past experience of inter-office transfers led to cessation of such practices. For cost/benefit reasons it is still not considered an option. More accounting irregularities arose on inter office transfers than on central returns.

0410 | Corporate Risk Chart - How did we get some of the monetary value — revisit using inherent risk/residual risk? | RI
Closed to business as usual.
Values are best estimates from product and process owners. Inherent and residual risk is reported by the owner. For simplicity, the chart circulated at the last Committee reflected residual risk only. Values will be reviewed by the Head of Risk and the Finance Director, and submitted to EC colleagues for approval.

involved and how is the money being stolen?
Closed to business as usual.
This applies to accounts where we take on-line cash deposits, e.g., a fraudulent branch could make a fictitious deposit of £10k at 11.00am, initiate a CHAPS payment to another bank account at 11.01am and continue to divert the funds to their personal account. To put the risk in context,
(a) We have had no such cases since on-line deposits started;
(b) Partner banks have controls to question funds transfer, although there is no proof that they would spot these incidents
(c) Maximum personal banking deposit is £20k and client agreement is being reached to revise the remaining areas of business deposit limits
(d) The Banking Fraud Team analyse large deposits at 0800hrs, 1200hrs and 1600hrs each working day and would instigate immediate enquiries if suspicious large deposits arise.

3. MATTERS DISCUSSED AT THE MEETING AND NEW ACTIONS REQUESTED
The issues discussed included the following items (which are expanded on as shown):

3.1 Actions from previous meetings
3.2 Committee terms of reference and communication
3.3 Branch Audit 2005/2006 revised plan
3.4 Compliance functions
3.5 Banking and Financial Services compliance
3.6 Vital few controls — assurance plan
3.7 Update on major incidents
3.8 AOB

Actions from previous meetings

All actions brought forward were agreed as closed. Regarding action 0401 (agent suspensions) there are now higher rates of actual suspension following irregularities identified at audit and the Service Team considers that there are adequate contingency arrangements to provide branch continuity.

Action 0501
Further correspondence required with DWP regarding dissatisfaction at product anti-fraud features and liability.

3.5.2 Committee terms of reference and communication
Proposed terms of reference were circulated and agreed.

Action 0502
Submit the Terms of Reference and the note on ‘Audit Recommendations and Oversight’ to the Post Office Ltd Board for approval.

3.5.3 Branch Audit 2005/2006 revised plan

Revised audit plan was discussed. The reduction in the number of risk audits planned for 2005/06 compared to the paper reviewed in April is due to headcount reductions in the Branch Audit team. Revised plan endorsed by committee. But further information requested for consideration at future meetings — possibility of segmenting the network into low, medium and high risk was discussed and the scope to ensure all high-risk areas are covered within 3 years. It was noted that this may conflict with a pure risk based approach to auditing, but the committee agreed it would be helpful to review such an analysis.

Action 0503
Branch segmentation to identify underlying high-risk branches and a plan of how
they could all be audited in a 3 year period.

3.5.4 Compliance functions

A draft compliance matrix, part of a Banking & Financial Services paper, was
presented to the committee.

Action 0504
Update Compliance Matrix for Branch Audit compliance coverage.

Action 0505
Update Compliance Matrix with lead owners for each row and column, aligned to the
Post Office Ltd organisation chart.

Action 0506
Update Compliance Matrix to make “Training” more explicit, and with core lead role
through the Sales line in the Chief Operating Officer's Directorate.

3.5.5 Banking and Financial Services compliance

Quarterly performance was discussed and the favourable trend in compliance noted, but also the worst performance being the lack of evidence of branch training records. It was noted that Sales are adopting a tactical approach to anyone visiting a branch to ensure all Sales Account Managers are aware of training records and ask to see evidence of them. The next lowest indicator relates to knowledge of complaint handling.

3.5.6 Vital few controls — assurance plan

The paper proposing key control areas for Post Office Ltd was noted. It was agreed that an alternative assurance approach may be based on end-to-end product review and this is to be considered in addition to VFCS.

Action 0507
Update the Vital Few Controls matrix to ensure Sales have ultimate responsibility for product training, and to overlay ownership by Business Function.

Action 0508
Perform product reviews in addition to key control reviews.

3.5.7 Update on major incidents
Post Office Ltd has a principle of undertaking criminal prosecutions for all cases where it is in the public interest, but noting that likelihood of recovery and circumstances of the defendants and the victims may be relevant to that decision.

The historic inconsistency between Police support in providing Financial
Investigators can be due to differences in approach between local Police forces. Post
Office Ltd now has its own Financial Investigator.

4. ANY OTHER BUSINESS
The committee considered relevant topics for future meetings:

1 Internal Audit and Risk Management (IARM) reviews within POL
2 Examine level of losses and where they come from
3 Risk and control around Cash In Transit trunking routes
4 Major risks reported to ARM
5 Hostage risk

An update on the IMPACT program was given. IMPACT is moving ahead to timetable
and targets are being met. As expected some issues have arisen, but remedial action
is being taken. Branch Trading is being rolled out in 4 tranches. DMBs are in the first
tranche. The 3 key issues to date were noted as:

1 Data migration — it was known that there were issues with the data in the old system and these are being cleaned up
2 There are issues in the detailed flow of management information including sales data. There are workarounds, which will give short interruptions to Service teams but not to customers. The main issues relate to the loading of sales targets and the definition of data in the warehouses
3 Increased calls are expected from agents to NBSC, but so far the calls have been more about why they have not received the system yet as opposed to technical issues.

5. DATE OF NEXT MEETING
8th November 9:30-11:30 in 80 Old Street.

Future Agenda Items
CIT trunking routes and Audit coverage at Cash Centre/CIT audits

Attendees to include
Keith Rann