POL00021462
POL00021462
@
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 22"° SEPTEMBER 2020 AT 20 FINSBURY
STREET, LONDON EC2Y 9AQ AT 09.00AM (VIA CONFERENCE CALL)!
Present: Invited Attendees:
Carla Stent (Chair) Barbara Brannon (Procurement Director): Item 2
(BB)
Ken McCall (SID) (KM) Lisa Cherry (Group Chief People Officer): Items 5
&5 (LC)
Tom Cooper (NED, UKGI) (TC) Daisie Jope (Head of HR Organisation Effectiveness
Project Lead): Item 5 (DJ)
Zarin Patel (NED) (ZP) Helen Rhodes (Head of HR _ Organisation
Effectiveness Project Lead): Item 5 (HR)
Regular Attendees: Maxine Cross (Head of Reward and Pensions): Item
6 (MC)
Tim Parker (Chairman, POL) (TP) Giannis Waymouth (Solicitor, Norton Rose
Fulbright): Item 6 (GW)
Nick Read (Group Chief Executive Officer) (NR) Tim Perkins (Head of Security, Safety & Loss
Prevention): Item 7 (TPE)
Alisdair Cameron (Group CFO) (AC) Ian Holloway (POI Director, Risk & Compliance):
Item 8 (IH)
Ben Foat (Group General Counsel) (BF) Mark Dixon (Treasurer): Item 9 (MD)
Andrew Paynter (Audit Partner, PwC) (AP) Andy Bear (Account Manager, Locktons): Item 9
(AB)
Sarah Allen (Senior Audit Manager, PwC) (SA) I Jeff Smyth (Interim Group Chief Information
Officer): Item 11 (JS)
Johann Appel (Head of Internal Audit) (JA) Tony Jowett (Chief Information Security Officer):
Item 11 (TJ)
Mark Baldock (Head of Risk) (MB) Rob Wilkins (Cloud Services Director): Item 11
Jonathan Hill (Compliance Director) (JH) Hugo Sharp (Deloitte Partner) (HS)
David Parry (Senior Assistant Company Rebecca Whibley (Assistant Company Secretary)
Secretary) (DP) (RW)
Apologies:
Action
1. Welcome and Conflicts of Interest
Ll A quorum being present, the Chair opened the meeting and noted that
participation was solely by conference call given the current Government
guidance on home working. However, given the requirements of the
Company's Articles of Association, the location of the meeting was agreed
to be the Company's Registered Office.
1.2 The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
1 Participation in the meeting was entirely via Microsoft Teams from participants’ personal addresses. In such
circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be
deemed as the chair’s location. However, it was not deemed appropriate to record personal addresses on the
Company record. As such, the Registered Office is recorded as the meeting location.
STRICTLY CONFIDENTIAL 1
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
requirements of section 177 of the Companies Act 2006 and the
Company's Articles of Association.
Irrelevant
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
Irrelevant
STRICTLY CONFIDENTIAL 3
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
igs
3.1 The minutes of the meeting of the Audit and Risk Committee held on 27
July 2020 was APPROVED and AUTHORISED for signature by the Chair.
3.2 Progress against the completion of actions as shown on the action log was
NOTED.
3.3 The draft minutes of the Risk and Compliance Committee held on 10
September 2020 were NOTED.
Risk, Compliance and Internal Audit Updates
4.1 Risk Update
MB presented the Risk Update.
He explained the dashboard (taken from Archer) presented the key risks
to POL and that going forwards, risk trends would be presented to the
Committee, driven by data taken from the monthly meetings with GE
members. Updated risk appetite statements for Legal, Compliance &I Action:
Governance and technology would be presented to the Committee inI MB
November and further statements would be brought before the Committee
in January and March 2021.
4.2 He noted engagement levels with business units have increased as the
business units have become more aware of their role as the first line of
STRICTLY CONFIDENTIAL 4
POL-0018092
@
POST OFFICE LIMITED
POL00021462
POL00021462
defence. However, risk articulation (being clear on the cause, event and
impact of risk), alignment (ensuring risks are managed through Archer as
a single source) and RAG ratings (to ensure they reflect Group standards)
are areas requiring address.
protection: The team is extremely busy dealing with requests related to
Historic Shortfall Scheme and related/linked FOI requests. He advised of
39 FOI enquiries considered vexatious which would be reviewed
accordingly.
4.3 The following risks were noted by the Committee:
e There are 473 central risks as at 31/8/20.
e There are 15 enterprise (strategic) risks. Key enterprise risks
include Commercial risk (lack of attractive proposition for potential
post masters); Covid19; GLO (legal risks associated with this); and
. Financial (cash flow and funding). .
4.5] Compliance Update mm
JH presented the Compliance Update with the following points noted:
4.8 IGLO/Freedom of Information (FOI) Requests/GDPR and data,
STRICTLY CONFIDENTIAL
POL-0018092
POL00021462
POL00021462
POST OFFICE LIMITED
Of serious concern and Committee discussion, was the discovery of 31,000
boxes previously unknown he wider organisation, which ar in
reviewed
The Committee questioned whether management had a handle on data
management controls such as archiving, and remarked on the lack of
accountability within POL.
Action:
NR remarked that this was an unacceptable incident and that he did not I NR/BF
expect this to brought to the Committee's attention by compliance. AI /DZ
paper on data controls is expected at GE for discussion.
The Committee recommended _a data amnesty be organised for all Post I Action
Offices be considered. BF
4.12 Internal Audit (IA)
JA presented the IA update.
4.13 He advised of the positive progress against the 2020/2021 IA programme
with seven reviews (five in POL, two in POI) completed since the last ARC
meeting in July and no contentious issues to report. The plan would be
reviewed against POL’s new purpose recently published.
4.14 The Committee noted the following audits have been reviewed since the
last ARC meeting (27/7/20):
¢ GLO Historical Shortfall Scheme ~Data Validation
STRICTLY CONFIDENTIAL
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
Irrelevant
STRICTLY CONFIDENTIAL 7
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
Irrelevant
Suspense Accounts
7A Tim Perkins joined the meeting.
TP presented the suspense accounts report and advised that findings from
the historical suspense accounts review would be presented to ARC in
November.
Following a request from ARC in July, he explained the report would look
at:
STRICTLY CONFIDENTIAL 8
POL-0018092
@
POST OFFICE LIMITED
POL00021462
POL00021462
1) The information presented to Postmasters regarding their customer
accounts.
2) The trends prevalent or emerging in Postmaster customer accounts.
3) Any other processes/products that can be reviewed which would give
rise to similar issues to those identified with stamps.
7.2
Regarding Postmasters accounts, TP advised these are settled centrally at
the end of a trading period and that branches are expected to complete
trading period accounting 12 times a year on a 5-week, 4-week, 4-week
schedule at the end of each trading period.
Site visits, increased monitoring and support has reduced the need for
chaser letters to be sent out, and all revised processes and letters have
been independently reviewed
A thorough review of POL’s Loss Recovery policies and processes is now
underway, and consideration is being given to other opportunities, such
as the use of Branch Hub, to allow Postmasters to monitor the balances
on their customer account(s). This review will conclude in Q3 2020-21.
7.3
With regards to trends, the year on year balances settled centrally by
branches has fallen in each trading period over the last 20 months. The
reduction in balances settled centrally is driven by a reduction in both the
volume of branches settling balances centrally and the average value
being settled centrally.
TC believed the balances settled per branch was high and could be
reduced. The Chair requested that ways to reduce balances should be
investigated and it was agreed that an update would be provided to the
Committee in January 2021.
Action:
TPE
7.4
In terms of reviewing similar products that could be considered at risk
similar to stamps, no further products/processes had been identified.
However, TP remarked that a high-level review of the product portfolio
would be conducted instead, reviewing current and historical processes
where known.
The Chair recognised that governance had improved since last year, but
recommended that she, NR and Declan Salter (GLO Director) have
conversations to establish clear governance structures prior to the next
Committee meeting. Additionally, a process is required where a chaser
letter is sent to a Postmaster regarding their balances, which is then
disputed.
Tim Perkins left the meeting.
Action:
NR &
Declan
Salter
STRICTLY CONFIDENTIAL
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
Irrelevant
STRICTLY CONFIDENTIAL 10
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
Irrelevant
STRICTLY CONFIDENTIAL 11
POL-0018092
POL00021462
POL00021462
@
POST OFFICE LIMITED
11. Law & Trends
The Committee noted the paper.
Any member comments questions are to be passed to BF.
12. Bi-Annual Legal Risk Review (Non GLO/Starling)
The Committee noted the paper.
Any member comments questions are to be passed to BF.
Irrelevant
STRICTLY CONFIDENTIAL 12
POL-0018092
@
POST OFFICE LIMITED
POL00021462
POL00021462
The Committee agreed that an additional meeting would be required to
review going concern and the risks associated with GLO. Once funding
talks are concluded, a meeting will be arranged.
14.2
The Chair thanked DP for his contribution to ARC and wished him well in
his future endeavours. RW (who would act as ARC Secretary going
forwards) was welcomed to the meeting.
14.3
There being no further business, the meeting was closed at 11.32am.
i
24/11/2020
Date
Action Detail
Governance and technology would be presented to the Committee in
November and further statements would be brought before the Committee
in January and March 2021.
“MB
4.8
GLO/Freedom of Information Requests/GDPR and data
protection: A paper on data controls (following the identification of
31,000 boxes of data) is expected at GE for discussion.
Zin
/Dan
/ BF
ner
STRICTLY CONFIDENTIAL
13
POL-0018092
@
POST OFFICE LIMITED
POL00021462
POL00021462
4.8
GLO/Freedom of Information Requests/GDPR and data
protection: The Committee recommended a data amnesty be organised
for all Post Offices be considered.
BF
Irrelevant
71
Suspense Accounts: TP presented the suspense accounts report and
advised that findings from the historical suspense accounts review would
be presented to ARC in November.
TPE
7.3
Suspense Accounts: The Chair requested that ways to reduce balances
should be investigated and it was agreed that an update would be provided
to the Committee in January 2021.
TPE
7.4
Suspense Accounts: The Chair recognised that governance had
improved since last year, but recommended that she, NR and Declan
Salter (GLO Director) have conversations to establish clear governance
structures prior to the next Committee meeting. Additionally, a process
is required where a chaser letter is sent to a Postmaster regarding their
balances, which is then disputed.
NR /
Declan
Salter
STRICTLY CONFIDENTIAL
14
POL-0018092
POL00021462
POL00021462
Voting Results for September Minutes
The signature vote has been passed. 1 votes are required to pass the vote, of which 0 must be independent.
Vote Response Count (%)
For 1 (100%)
Against 0 (0%)
Abstained 0 (0%)
Not Cast 0 (0%)
Voter Status
Name Vote Voted On
Stent, Carla For 30/11/2020 11:10
POL-0018092