POL00021457
Post Office Limited
ARC Committee Meeting
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE (THE
“COMMITTEE”) OF POST OFFICE LIMITED (THE “COMPANY”) HELD ON TUESDAY, 31 JULY
2018 AT 20 FINSBURY STREET, LONDON EC2Y 9AQ AT 09.30AM
Present: Carla Stent (CS) (by phone) Committee Chairman
Tom Cooper (TC) UKGI, Non-Executive Director
Tim Franklin (TF) Independent Non-Executive Director
Ken McCall (KM) Senior Independent Director
In Attendance: Tim Parker (TP) Group Chairman
Paula Vennells (PV) Group Chief Executive (CEO)
Alisdair Cameron (AC) Chief Finance and Operations Officer (CFOO)
Jane MacLeod (JM) Director, Legal Risk and Governance
Lisa Toye (LT) Assistant Company Secretary
Johann Appel (JA) Senior Manager Internal Audit
Micheal Passmore (MP) Financial Controller
Jonathan Hill (JH) Compliance Director
Mick Mitchell (MM) IT Security & Service Director (Item 9.1)
Jason Black (JB) IT Programme Director (Item 9.1)
Apologies: Jenny Ellwood (JE) Risk Director
Rob Houghton (RH) CIO
1. WELCOME AND CONFLICTS OF INTEREST
A quorum being present, TF opened the meeting on behalf of the Chair (due to the
difficulties of chairing a meeting remotely). TF declared a potential conflict as a
member of the POI Board and all other Directors declared that they had no conflicts
of interest in the matters to be considered at the meeting in accordance with the
requirements of section 177 of the Companies Act 2006 and the Company's Articles
of Association.
All papers were taken as read in advance of the meeting.
2. MINUTES, MATTERS ARISING AND ACTIONS LIST
The minutes of the meeting held on 17th May 2018 were approved and authorised
for signature by the Chairman.
The actions status report was noted as accurate. There were no actions due which
had not been addressed in advance of the meeting or through the meeting papers,
other than the IT Security policy action which JM recommended should be closed
as it had been approved at RCC and TF concurred.
Strictly Confidential
POL-0018087
3. UPDATES FROM SUBSIDIARIES
3.1 POMS ARC Committee Report
TF provided a verbal update and noted that the main item in the update, branch
selling of Easy Life product reviewed by mystery shoppers, was covered in agenda
item 7. The Committee noted that the EY audit was substantially complete and
that no material items had been brought to the attention of POMS ARC.
4. APPOINTMENT OF THE EXTERNAL AUDITOR
4.1 Audit Tender and Appointment
CS confirmed that a detailed and full process had been completed and she was
comfortable with the outcome and happy with the recommendation. ARC had
seen the scoring and were all comfortable. KM noted that PwC are also
remuneration advisors to REMCO and this was not seen as a conflict. It was also
noted that Andrew Paynter, the PwC audit partner, is the audit partner at
Morrisons where PV is a NED. Given the potential for there to be a perception of a
conflict of interest, it was agreed that an additional partner from PwC will be
assigned to support Andrew, ensuring dual attendance at ARC. The Committee
also considered the role of PwC in relation to Bol and FRES and concluded this did
not cause a conflict.
Agreed to approve recommendation to the Board.
5. INTERNAL AUDIT
5.1 Internal Audit Co-Source Appointment
A detailed tender process had been undertaken and 8 firms had submitted written
bids which were scored for price and quality. The 3 highest scoring eligible bids
were taken to presentation stage. PwC were initially invited but had been
excluded following the decision on the External Auditor appointment. A
recommendation was made to appoint Deloitte who were the highest scoring
bidder, awarding a 2 year contract with the option to extend by a maximum of a
further 2 years. This had been approved via email by all ARC members on 18th
July and the meeting ratified this decision.
5.2 Internal Audit Report
The report was taken as read and Committee members were asked for comments
or questions to JA.
5.2 (i) IT Governance & Risk Management
CS noted the reference in the report to the implementation of the IT controls
framework and the statement that as a result it is not possible to determine the
overall impact on IT governance within the organisation. CS queried whether this
was related to the ongoing concerns around timelines, and whether we have the
right people generally on Change and effective succession planning in place. CS
also noted that there are a few overdue audit observations and asked whether
action needs to be taken. JA responded that a full test of the IT Controls
framework is planned for Q4 and key improvements have been identified. CS
expressed concern over whether we can wait until Q4, since with big programmes
running we need the right governance. JA agreed that we would prefer not to wait
until Q4 but until the controls are embedded it is impossible to test them.
test them. PV added that in Rob Houghton’s absence she had had a response
from Catherine Hamilton relating to management of these risks - particularly with
the move to Cloud hosting. PV informed the Committee that she and RH have a
weekly call with the CEO of Fujitsu to address issues relating to programme
implementation. In addition, GE review the IT incidents weekly. PV commented
that JA was right to call out the forward risk. JM suggested that the matter be
included in the October ARC agenda with internal governance having happened
prior to that. TF asked whether project management and controls was a theme
of concern, and whether there was a link back to the programme office. JA
responded that there has been a review by Deloitte to improve areas within the
Change Governance process and Project Trafalgar is underway to enhance One
Best Way. JM added that she is satisfied that plans are in place for improvements
and an update will be presented to the Committee.
5.2 (ii) EUM
JA noted that of 17 actions, 14 are now complete. There was a bottleneck on
testing and more test environments are being implemented. PV noted that with
regard to Smart ID, 1900 of 11,500 branches are not complete and that the call
centre capacity has been increased in order to get these complete. CS asked
whether we will get to a point where there are sanctions against branches for
non-completion and PV confirmed that this would happen and that branches
and/or individuals would have access withdrawn pending completion of training.
5.2 (iii) BCM
There are plans in place to address the weaknesses and an update will be brought
to the October ARC.
5.2 (iv) Overdue Actions
There were 2 remaining outstanding actions highlighted in the report: Data
classification and lack of data owners, and lack of data leakage prevention
solution.
Data ownership is being addressed through the GDPR project and Project Arrow
- owners have been identified, however work is ongoing to clarify the
responsibilities of data owners. Tools have been identified for data loss prevention
and are being tested. The action will be extended to the end of October.
JA noted that 2 reports were being finalised - Telecoms and Pensions. On
Telecoms, the final report had been issued on 30th July, with a focus on the
customer journey and improvement to Fujitsu continuity management. ACTION
- JA to circulate the report to ARC. On Pensions there was one outstanding issue.
PwC subject matter experts had been engaged to review and currently the
findings were being cleared with management. Agreement will be needed on
concerns around compliance with pension regulations, certificates of auto
enrolment and what actually constitutes pensionable pay. AC confirmed that he
would follow up and update ARC ahead of the October meeting.
5.2 (v) Back Office Transformation
TC asked whether there were any other issues on Back Office Transformation that
needed to be addressed. AC responded that a substantial review was required
which IA had helped with, seeking to learn lessons from other programmes. The
programme had been re-planned and there had been changes to the testing
regime. The IA report had not missed anything but was describing a moving
target. AC confirmed that there were no surprises in the report. JA relayed that
the IA work was done from May to July and that IA were working closely with the
programme. Most actions were now complete and good progress had been made.
IA confirmed that the planned September go-live date was not feasible. TC noted
that the risks highlighted did not include ‘unknown unknowns’ and JA confirmed
that some had now been identified and were being resourced accordingly, for
example clearing the POLSAP suspense accounts. AC stated that should any other
issues be identified during User Acceptance Testing or Integration Testing,
implementation will be delayed. AC assured the Committee that significant work
was underway to ensure we understood and had addressed issues such as
overnight batch processing times, inventory etc. This work will continue until the
go-live decision immediately before the last weekend in October. KM reiterated
that we will know by the end of October whether we intend to go-live this year or
next year. The Committee agreed that November would be too risky. AC will
update ARC in October whether we are on track, although the go / no-go decision
would not be made until the day. We are getting reassurance from Accenture
and the new provider on the switch over.
6. RISK UPDATE
6.1 Risk Report
JM updated the Committee on the new consolidated report format and advised that
the aim is to build on it to include external risks and risks to our North Star plans.
The October report will include ‘risks of the moment’ for the organisation and how
we are managing them, as well as a full roll-out of the Placemat across the whole
business.
TF enquired whether there was any update on GDPR beyond “effective compliance”.
7. COMPLIANCE UPDATE
7.1 Compliance Report
The report had been taken as read. Pertaining to the actions list, TF asked JH for
an update on the Easylife product. JH assured the Committee that the issue was
being taken very seriously and was a conformance matter. The issue relates to the
questions that CRMs are required to ask and the extent to which the tablet journey
facilitated these questions. Some branch staff have not been asking the follow up
questions which therefore could have a customer impact. JH advised that all
customers are being contacted to follow up on this matter; the product was
launched in February this year so the number is manageable. There are remedial
actions and a ‘route to green’ plan. The issue is that the sales are app-based with
the CRMs, and the app is controlled by Royal London. There is an update due in
September which will address the issue and we are trying to bring this forward.
TF noted that the app should make the CRM ask all the questions and all agreed
with this. JH assured the Committee that there will be more mystery shopping on
the EasyLife product, although not at the risk of reducing other areas. TF asked JH
to circulate the report as this matter has been escalated by PO Insurance. TC asked
whether this is an issue with online applications or only in branch and JH confirmed
that there is a better audit trail of questions and responses online and at the call
centre. The difficulty is in branch and particularly where we have CRMs who are
not full time FS specialists but are also performing other branch duties.
JH noted that there were some updates to other matters subsequent to the issue
of the paper. HMG have issued a future telecoms review and the impact of this is
being considered by Meredith Sharples. JH also provided an update on FCA and
PRA and banking resilience. CS asked whether there was an update on the
requirement for POL to retain copies of ID for Bureau de Change transactions for
more than £2,000. JH confirmed that he and JM had met with HMRC and discussed
the requirements. HMRC had now agreed that copies did not need to be retained.
All agreed that this was a positive outcome. Nevertheless HMRC still required Fit
& Proper data to be submitted on a monthly basis, and this is proving challenging
for POL given the size of the network and the various types of agents and
individuals who are subject to the requirements. Somita Yogi is looking to support
on this from a data perspective. JH confirmed that we are currently compliant.
KM raised a query on the external threats on Travel Moneycard. The May attack
was deemed to be a ‘brute force’ attack rather than targeted at POL; no data was
obtained.
ACTION - Provide an update to the forward looking regulatory agenda in section 20
of the Compliance report (JH).
7.2 Vulnerable Customers Risk Assessment and Gap Analysis
The papers were taken as read. CS asked whether the Committee were happy with
the policy as presented and whether we have plans in place where there are gaps.
JH confirmed that we have identified gaps and actions to close these gaps, and are
currently looking at budget issues. JH advised the Committee that the CMA are
carrying out a vulnerable customers review particularly in relation to digital
markets, low income and mental health. One of the findings is that people in these
groups need time to understand transactions, which POL are in a strong position to
be able to support. KM asked why the CMA were reviewing this area and JH
responded that all regulators are looking into it. TC asked whether we train post
masters. JH replied that NFSP are working with the Alzheimer’s Society and
‘Dementia Friends’ training will be offered. Vulnerable customers is part of our
training and it is critical we engage with external agencies and so this will be part
of our focus. ACTION - update Comms material at next ARC (JH).
7.3 Whistleblowing Annual Report
TF was pleased to note that the report indicated no systemic issues. JM added that
we have a process for all reports received and all are investigated and none appear
to be systemic failures. TC asked whether we have analysis of closed cases to
understand the nature of the issue and what the outcome was, and JM confirmed
that we do. JM noted that through the Whistleblowing line we also get bullying
complaints which are passed to HR for resolution. If there is a complaint against
an agent, it is referred to the Network team. JM noted that allegations of fraud are
addressed through our BAU process. These are mostly low level with no particular
themes and no individual cases that are likely to result in reputational damage. PV
noted that all incidents of bullying and harassment or sexual harassment are
reported to her and dealt with appropriately. PV encourages staff to speak up and
be objective and noted that there has been a single serious issue.
7.4 Gifts and Hospitality Annual Review
KM noted that LRG team were the biggest recipient of hospitality. JM noted that
this tends to be where the entire Legal team are invited to attend an event, rather
than one or two individuals attending many events.
8. POLICIES
8.1 Review of Anti-Bribery and Corruption Policy Report
The report was taken as read. It was noted that with the Newcall acquisition of
business, no changes were required but with the Panther acquisition all policies will
need to be rolled out.
8.2 Anti-Bribery and Corruption Policy
The policy was approved.
8.3 Review of Whistleblowing Policy Report
The report was taken as read.
8.4 Whistleblowing Policy
The policy was approved.
9. UPDATES FOR NOTING
9.1 Compliance with Payment Card Industry Data Security Standards
MM and JB joined the meeting. The paper had been submitted late so it was not
assumed that it had been read.
JB advised the Committee that in parallel with addressing outstanding issues with
each of Fujitsu and Computacenter, we are also exploring other options which
would address the wider PCI concerns. In particular, these relate to the
replacement of the Ingenico supplied pinpads. There is a strategic solution
however it will take some time to ensure this is properly scoped. TF asked when
the Committee will be updated on the timing and the plan both for regulatory and
security issues. JB responded that the overlay of activities and timeline was in the
report. TF requested that for the next ARC meeting the Committee should have a
clear view of key activities with timeline and view of when we will achieve
compliance. ACTION - update at October ARC. TF and TC reiterated that we are
currently non-compliant as the date has passed; this has been the case since
December 2017 and we currently have no date for when we expect to achieve
compliance. Q1 2020 for the cessation of the Belfast Data Centre was agreed to
be too far away to achieve compliance.
10. ANY OTHER BUSINESS
CS requested that digital data culture be added to the risk report for future agendas.
There being no further business the Chairman declared the meeting closed at
10:50am.