POL00021427
Strictly Confidential
POLARC13 (6")
13/36 - 13/45
POST OFFICE LIMITED
(Company no. 2154540)
(the Company)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE held
on Tuesday 19 November 2013 by conference call
Present:
Alasdair Marnoch Chairman of Committee
Neil McCausland Senior Independent Director
Tim Franklin Non-Executive Director
In attendance:
Paula Vennells CEO
Chris Day CFO
Chris Aujard General Counsel (GC)
Alwen Lyons Company Secretary
Sarah Hall Head of Financial Control and Compliance
David Mason Head of Risk Governance
Malcolm Zack Head of Internal Audit
Lesley Sewell Chief Information Officer (Minute 13/40 only)
Jeremy Midkiff Senior Manager, Ernst & Young (Minute 13/42 only)
POLARC INTRODUCTION
13/36
A quorum being present, the Chairman of the Committee opened the
meeting and welcomed all those present.
POLARC MINUTES OF THE LAST MEETINGS AND MATTERS ARISING
13/37
(a) The Committee approved the minutes of the meetings held on 12
September 2013 for signature by the Chairman of the Committee.
(b) The Committee noted the actions list dated 12 November 2013.
POLARC RISK MANAGEMENT - TOP COMPANY RISKS
13/38
(a) The Committee had received an ExCo report on key risks from David
Mason, Head of Risk Governance, in the papers for the meeting. The
CFO explained that further work had been undertaken since publishing
the papers and asked that this be the focus of the Committee's
discussions.
(b) The Committee discussed the top six risks as identified by the Business:
• Allegations relating to the integrity of the Horizon system;
• Failure to deliver top line growth in line with strategic plans;
• Operating Model fails to deliver requisite cost savings;
POL-0018057
• Inadequate people capability or capacity to deliver transformational
change and the strategic plan;
• Non-delivery of Network Transformation Programme; and
• Strike action within Supply Chain could damage ability to distribute
cash to network (Industrial Relations/the CWU)
(c) In addition to the above risks, the Business identified three further risks
which would be monitored:
• the risk of regulatory action or reputational damage from FS mis-selling;
• the risk of not maintaining the security and integrity of Post Office
data; and
• the risk of unsuccessful delivery and operation following IT
transformation
(d) The CEO explained that the Business had owners for all the risks and was
reviewing the actions and assurance processes which were in place to
reduce the risks. The Business would also be reviewing the top risks at
the ExCo on a quarterly basis.
(e) The Committee thanked the CEO, noted that a lot of progress had been
made on risk identification and review and applauded the proposed
approach. The Committee acknowledged that good progress had been made
to date but stressed the need for further progress to be delivered at a
rapid pace.
ACTION: Alasdair Marnoch
(f) It was agreed that the Chairman of the Committee would update the
Board at the next meeting. The detail of the risks presented was captured
in an update for the Board which is shown as an addendum to these
minutes and would be discussed at the next Board meeting.
ACTION: Dave Mason
(g) The Chairman asked that the Business go back 18 months and review the
6 top risks and the 3 further risks to see how many would have been
identified at that stage.
(h) The Committee noted and supported the developing approach to risk
management in the Company.
POLARC CORPORATE AND NETWORK AUDIT
13/39
(a) The Committee received a paper from Malcolm Zack, Head of Internal
Audit, outlining the principles of internal auditing and options for the
future, including assurance that a plan was in place to deal with the
issues raised.
(b) The CFO explained that the Business had recognised the need for
additional resource in the Internal Audit (IA) function but also the need to
commission a short piece of external work to look at IT risk and audit. The
Committee supported that approach as the IT transformation was
complex and an external audit would give the Business assurance.
ACTION: Chris Aujard
(c)
ACTION: Nick Kennett
(d) The Committee asked that the Director of Financial Services also be
invited to the next ARC for this discussion.
(e) The Committee agreed that the Risk Management and IA teams should
be focussed on the top 6 risks and 3 further risks and that enough
resource should be provided to fulfil this requirement. The CFO explained
that the structure for internal network audit would also be reviewed but
that this would be done at a later date and did not stop the Business
moving on strengthening the corporate IA function.
(f) The Committee noted the plan outlined in the Committee paper.
POLARC IT AUDIT FINDINGS - SOFTWARE LICENSING AND IDENTITY ACCESS MANAGEMENT
13/40
(a) The Committee welcomed Lesley Sewell, Chief Information Officer, to the
meeting.
(b) The Committee received a paper from Malcolm Zack summarising the
most recent internal audit reports on Identity and Access Management
and Software Licensing and assurance that an action plan was in place to
deal with the issues raised.
ACTION: Malcolm Zack
(c) The Chairman thanked the Head of Internal Audit for the frank reports
which clearly identified the areas of concern. The Committee asked that
future reports included deadlines for all actions identified.
(d) Lesley Sewell explained that both audits were important as a baseline for
the Business as it separated from Royal Mail Group suppliers and would
enable her to ensure the new suppliers fulfilled the audit
recommendations as they took over the service.
(e) The Committee noted the outcomes of the reports.
(f) Lesley Sewell left the meeting.
POLARC PROJECT SPARROW AND PROSECUTING AUTHORITY
13/41
(a) Chris Aujard, General Counsel, updated the Committee on the approach
to prosecutions brought by the Post Office. He explained that, currently,
the Post Office brings criminal prosecutions under s.6(1) of the
Prosecution of Offences Act 1985, which empowers any individual or
company to bring a private criminal prosecution. He sought the
Committee’s views on potential changes to the prosecutions policy and
further work proposed before any formal recommendation could be made
for any changes to the prosecutions policy.
(b) The Committee discussed the alternative approaches to prosecution but
were concerned that if any changes were agreed the timing might
influence the mediation process by raising questions on previous
prosecutions.
(c) Chris Aujard explained that one of the issues was the perception that
subpostmasters had of the Post Office bringing prosecutions for false
accounting rather than theft, which was easier to establish. The
Committee asked whether the business would still be able to recover
branch losses through the Civil Courts. Chris Aujard explained that this
would still be open to the Business but it may be slower and not recover
as much. He explained that the Business was working to put in controls to
support subpostmasters and stop any debts escalating. The Committee
supported this but was nervous about changing the approach to
prosecutions as in their view this acted as a deterrent.
(d) The CEO thanked the Committee for the helpful challenge. She stressed
that the Business was not saying that it would never bring prosecutions,
but that it would be more circumspect in the cases it chose to take. She
agreed that the current approach was a deterrent but explained that there
were other deterrents such as suspension or termination of contract.
(e) The Committee noted that it expected that the number of prosecutions
would reduce over time regardless, as a result of the Business’
improvements in the overall control framework around the branch network
and the provision of support to sub-postmasters, in line with Project
Sparrow and Network Transformation.
ACTION: Chris Aujard
(f) It was suggested that the decision on the Company's prosecuting policy
should be taken to the January Board.
(g) The CEO updated the Committee on Project Sparrow. She explained that
the lesson learned review was complete and the report would be available
late November/early December. The CEO drew the Committee's attention
to two risks to the delivery of the Project.
(h) The first risk highlighted was that the Business had envisaged that the
final number of cases would have been under 100, but as the scheme
neared the deadline for application the number of applications was nearer
150, with nearly 50 received in the last couple of days before applications
closed. As a result, the timetable will have to be extended as each case
will need individual investigation and Second Sight will need to be with us
for longer. There will also be a resource cost to the Business which the
CFO is aware of.
(i) The second risk that had arisen concerned the compensation that
subpostmasters believed they were entitled to. It had become clear from
the applications for mediation that there was an expectation gap which the
Business needed to mitigate where possible.
The Committee emphasised the need to reach conclusion as quickly as
possible and to constrain the costs. It was noted that the Board would
receive an update at the November Board meeting.
POLARC PAPERS FOR NOTING
13/44
ACTION: CEO
(a) The Committee noted the Information Security and Assurance Group
Specific Update on Brands Database. The CEO said that she would
check again that we had the right controls in place for the Brands
Database.
ACTION: Chris Aujard
The Committee asked the Business to test whether information
security for international payments was covered by the FCA.
(b) The Committee noted the Internal Audit activity update, status of agreed
actions.
(c) The Committee noted the report on the Committee’s first self-assessment.
(d) Finally, the Committee noted the report on the annual review of the
Committee's terms of reference and the Internal Audit Charter and
agreed that:
• the terms of reference be ratified; and
• the Charter be approved with the changes detailed in the report.
POLARC CLOSE
13/45
There being no further business, the meeting was declared closed.
I Alastair Marnoch