POL00021463
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 24TH NOVEMBER 2020 AT 20 FINSBURY
STREET, LONDON EC2Y 9AQ AT 08.50AM (VIA CONFERENCE CALL)¹
Present:
Carla Stent (Chair)
Ken McCall (SID) (KM)
Tom Cooper (NED, UKGI) (TC)
Invited Attendees:
Tom Lee (Head of Finance Financial Accounting and
Controls) (TL)
Meredith Sharples (Director of Telecoms): Item
3.2 (MS)
Mark Underwood (LCG Operations Director): Item 4
(MU)
Zarin Patel (NED) (ZP)
Regular Attendees:
Christine Kirby (Financial Controls Manager): Item
6 (CK)
Amanda Bowe (Post Office Insurance ARC Chair):
Item 7 (AB)
Tim Parker (Chairman, POL) (TP)
Nick Read (Group Chief Executive Officer) (NR)
Ed Dutton (Product Portfolio Director - FS, ID &
Insurance & Managing Director - Post Office
Insurance): Item 8 (ED)
Declan Salter (GLO Director): Item 9 (DS)
Alisdair Cameron (Group CFO) (AC)
Graham Hemingway (Historical Matters Portfolio
Lead): Item 9 (GH)
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Audit Partner, PwC) (AP)
Sarah Allen (Senior Manager, PwC) (SA)
Rachel Owens (Senior Manager - Digital Audit,
PwC) (RO)
Johann Appel (Head of Internal Audit) (JA)
Andrew Goddard (Managing Director - Payzone):
Item 10 (AG)
Amanda Jones (Retail & Franchise Network
Director): Item 11 (AJ)
Katie Secretan (Strategic Partnerships Director):
Item 11 (KS)
Dan Zinner (Group Chief Operating Officer): Items
11 & 12 (DZ)
Saira Burwood (Head of SPO): Item 12 (SB)
Mark Baldock (Head of Risk) (MB)
Jonathan Hill (Compliance Director) (JH)
Rebecca Whibley (Senior Assistant Company
Secretary) (RW)
Apologies:
N/A
Action
1. Welcome and Conflicts of Interest
1.1 A quorum being present, the Chair opened the meeting and noted that
participation was solely by conference call given the current Government
guidance on home working. However, given the requirements of the
Company’s Articles of Association, the location of the meeting was agreed
to be the Company’s Registered Office.
¹ Participation in the meeting was entirely via Microsoft Teams from participants’ personal addresses. In such
circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be
deemed as the chair’s location. However, it was not deemed appropriate to record personal addresses on the
Company record. As such, the Registered Office is recorded as the meeting location.
STRICTLY CONFIDENTIAL
POL-0018093
The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
requirements of section 177 of the Companies Act 2006 and the
Company’s Articles of Association.
Previous Meetings
The minutes of the meeting of the Audit and Risk Committee held on 22
September 2020 were APPROVED and AUTHORISED for electronic
signature by the Chair.
Progress against the completion of actions as shown on the action log was
NOTED, namely:
Action 1 from 22 September 2020 (para 4.1) Risk Appetite Statements:
Mark Baldock advised that Legal & Compliance, Technology & Operations
will be brought in January 2021, with further specific appetites thereafter.
Actions 2 & 3 from 22/09/2020 (para 4.8) GLO/Freedom of Information
Requests/GDPR and data protection: Ben Foat updated the GE on the
matter in early October 2020 and a paper was included for noting ahead
of the November Committee meeting (see para 14 below). The actions
Action 7 from 22 September 2020 (para 7.1) Suspense Accounts: A paper
was provided to the Committee (see para 4 below). The action was
therefore closed.
Action 8 from 22 September 2020 (para 7.3) Suspense Accounts: This
action was to be addressed at the January Committee meeting and
therefore the action remained open.
Action 9 from 22 September 2020 (para 7.4) Suspense Accounts: The
Chair, Nick Read and Declan Salter met on 5 October 2020 and discussed
the governance issue. The action was therefore closed.
Action 12 from 27 July 2020 (para 5) Suspense Accounts: A paper was
provided to the Committee (see para 4 below). The action was therefore
closed.
Irrelevant
2.3 The draft minutes of the Risk and Compliance Committee held on 12
November 2020 were NOTED.
Risk, Compliance and Internal Audit Updates
3.1 Risk Update
Mark Baldock introduced the paper which had been circulated previously
and was taken as read. The key points were summarised as:
Irrelevant
The Committee questioned what the risk trends were, the direction of
travel and whether Post Office was actually moving forwards with its risk
management. Al Cameron noted that the current risk profile was the
highest he had seen in his time at Post Office. The business was making
progress on funding, but the Group Litigation Order (GLO) was raising
uncertainty. There were extensive commercial uncertainties and 3rd
parties were also under economic pressure. Whilst there was a great deal
of movement, ultimately, the risk profile was rising.
Mark Baldock was asked to review the dashboard and make key (bigger
picture) risks and trends clearer, pulling this out from the detail already
in the dashboard and including the “so what” factors. The revised
dashboard approach should be presented to the January 2021 Committee
meeting.
Action:
MB
The Committee NOTED the Risk Dashboard.
Irrelevant
Jonathan Hill introduced the paper, which was taken as read and had been
circulated previously. The key points were summarised as follows:
Telecoms: Meredith Sharples joined the meeting. There was an incident
between February and September 2020 whereby, because of an issue with
the Fujitsu system, inbound (7,000) and outbound (over 100,000)
customer communications were not seen/sent. Some outbound
communications were regulatory but were otherwise largely bill reminders
or welcome letters. The team has worked hard to identify the issues and
make sure the customer harm was mitigated via customer credits. All
outbound communications have been reviewed and around 100 inbound
communications were still being reviewed. The issue had resulted in 51
customer complaints. As soon as the issue was discovered the Regulatory
Breach Protocol was instigated and the team was now working with Fujitsu
to ensure that this did not happen again. Ofcom have been informed and
the team would provide them with a further update later this week. There
has been no response yet from Ofcom as to any action to be taken against
Post Office.
The Committee raised concerns about why the business did not find out
about this issue quicker and whether work could be done to close down
weaknesses in other areas of Fujitsu. In response, it was explained that
the issue was a sporadic one, not a complete failure, so this was why it
was not picked up sooner. It had demonstrated that Fujitsu did not have
adequate controls in place for logging inbound communications. This
control has now been implemented. Meredith Sharples explained that he
could not comment on the broader Fujitsu relationship but that he was
confident that, for the telecoms contract, the same weaknesses did not
exist elsewhere.
The consequences for Fujitsu were also questioned and whether there
could be some liability for them. Meredith Sharples explained that he was
expecting a compensation offer from Fujitsu covering all customer credits
and Post Office resource costs. It was noted that the contract was not
strong on commercial consequences. Ken McCall particularly highlighted
that it was incredulous that the fault had occurred due to a file size issue
and better performance must be demanded from Fujitsu. Meredith
Sharples confirmed he already made this point very clearly to Fujitsu.
The Committee also questioned what the regulator thought of Fujitsu
given this and previous issues. It was explained that ultimately, Post Office
was the regulated party and was accountable for its outsourced provi
it was dependent upon (like most others in the telecoms market).
Tom Cooper also questioned the speed of Post Office’s response to the
issue and it was explained the team began working on the missed
communications as soon as the issue came to light. There was then
dedicated resource placed on the inbound and outbound communications
backlog. 100 pieces of inbound communications were still to work through.
Suspense Accounts
4.1
Mark Underwood introduced the paper, which had been circulated
previously and was taken as read. The paper was summarised as follows:
i. KPMG have completed their review of the historical operation of
suspense accounts and their conclusions were:
a. The Agent Creditor Suspense Account: From their review,
they have found there was no evidence to suggest that
amounts posted to this account relate to discrepancies which
should have been repaid to Postmasters.
b. The Customer Creditor Suspense Account: A robust
resolution process appeared to have been in place for each
product type that was posted into this account, which was a
holding account for customer’s money. KPMG did however
identify the following two issues which had the potential to
impact Postmasters relating to the incorrect recording of
payment (cash vs cheque), and the then two part
cancellation process for MoneyGram transactions.
ii. No further work in relation to suspense accounts was
recommended, as KPMG have advised that further investigation
into the two potential issues is unlikely to add any further
information to that already included in their report.
iii. It was noted that the Historical Shortfalls Scheme provided
the natural mechanism for any potentially affected Postmasters.
iv. The Committee were asked to consider whether or not to disclose
the full findings of the KPMG reports to the Government Inquiry.
Suspense Accounts was not within the Inquiry’s terms of reference,
but some questions on their operation had been included in the
latest batch of questions received from the Inquiry. Further, the
issue has also been raised in the House of Lords.
4.2
Tom Cooper questioned the conclusions of the report. The Committee
concurred that Post Office should not assume that this review meant that
there were no discrepancies in the suspense accounts, but no evidence of
harm to Postmasters had been evidenced in the review.
The Committee also felt that the disclosure of the report to the Inquiry
should be a Board decision given the potential broader implications of the
decision to disclose the report.
4.3
Accordingly, the Committee:
i. NOTED the findings from KPMG’s review of Post Office’s
historical operation of suspense accounts; and
ii. AGREED to recommend the full disclosure of the KPMG
Suspense Accounts reports to the Inquiry and the
to the Board for approval, but
that prior to disclosure:
Action:
Chair
a. KPMG should review the wording in their report and the
conclusions;
Action:
MU
b. KPMG should ensure any conclusions made were caveated
appropriately by reference to the review they have
undertaken; and
c. it be made clear that the conclusions outlined in the report
were that of KPMG and not Post Office.
Irrelevant
Historical Matters Unit (HMU) Governance Review
Graham Hemmingway and Declan Salter introduced the paper, which had
been circulated previously and was taken as read. The key points were
outlined as:
- The HMU governance structure has been based on the core
elements of the existing Strategic Portfolio Office (SPO) framework
with changes to the approval processes.
- Procurement have provided training to the team.
- Risk was being managed from a portfolio perspective through
SNOW, but formal links (both ways) with the Risk and Compliance
Committee and the ARC were still being developed.
- Further work would be undertaken to respond to the actions
outlined in the upcoming Internal Audit Report.
- Responsibilities, accountabilities and decision-making authorities
were still being clarified with RACI matrixes. The Chair noted that
the delegation of authority to the HMU needed to be clearer. It was
agreed that this would be presented to the January 2021 ARC
meeting.
Action:
GH
9.2
Zarin Patel highlighted discussions that have been had at the Criminal
Cases Review Commission (CCRC) Board meetings relating to fraudulent
claims and eligibility criteria controls, and it was agreed that Graham
Hemmingway would bring a further noting paper on this issue to the
Committee in January 2021. Following discussion, it was also agreed that
live fraudulent claims and eligibility data would be appended to the CCRC
Board pack on a weekly basis. Declan Salter explained that he believed
that currently reasonable controls were in place, but these would be tested
by Internal Audit and, subsequently, PwC.
With respect to the Internal Audit review of the HMU, Johann Appel noted
that it had been recognised that this was an entirely new business unit
and that thus far, it had not operated without governance and controls.
However, Internal Audit was now working with the team to ensure that
the governance in place was appropriate and the team has been very
responsive to the initial audit recommendations. The key
recommendations from the interim report related to formalising the new
relationships i.e. responsibilities, delegated authorities, which policies
were being adopted and which policies were being revised for HMU. The
final report was in progress and would be presented to the Committee in
due course.
Action:
GH
Action:
GH
Mark Baldock also confirmed that the Risk team had discussed the second
line support and the need to overlay the business risks to the programme
risks. This work was on-going. Declan Salter explained that the new
Operations Director was due to start on 2 January and this would allow
work to be done more constructively and methodically. Declan further
confirmed that he was seeking to ensure that the unit was adhering to
policies and procedures whilst still allowing it to challenge the historic Post
Office processes.
Irrelevant
Irrelevant
12.1
Dan Zinner and Saira Burwood introduced the paper, which had been
circulated previously and was taken as read. It was explained that the
last update had been presented to the Committee in September last year
and since then much had improved and support for further improvements
was requested from the Committee.
Saira Burwood highlighted the key points from the paper:
- A lot of work has been done with a focus on people, process and
perception. This has been largely directed at the change
community.
- With support from Internal Audit, a new Change Control Framework
has been developed with 53 controls including the checks,
challenges and reports to enable projects to deliver on time, on
budget and to quality, enabling benefits to be realised. To date, 27
controls were effective, 14 were partially effective and the rest have
remediation plans in place.
- The Framework has been used to decide the team’s focus for the
coming months:
i. Wider business education: spreading the message of processes
and controls to the wider business to ensure responsibilities are
understood.
ii. Benefits: looking at how benefits were forecast, how they were
tracked and whether assumptions that underline them were
valid.
iii. Supply capability and IT interlock: addressing the issue of when
suppliers were not able to provide the service required and
ensuring the Change team links in with the IT team (initial
discussions have been had and the plan was to ensure there was
IT representation on the Project Review Board (PRB)).
iv. Control framework: continuing to embed the Framework and
support the business to do inflight assurance as well as post
implementation reviews.
12.2
Zarin Patel noted that the controls and strategies implemented were
comprehensive but questioned whether it was really a question of internal
and supplier capability. Particular mention was given to what was required
for the SPM. Dan Zinner acknowledged that controls could only go so far,
and it was important to take the time up front to align across the entire
organisation as to what needed to be achieved. The SPM programme has
taken a different approach to most projects as it is cross functional. There
are external resources leading the project to ensure it is separate from
BAU. This could not be done for all projects but was key for SPM. Time
had been taken to check what the goal of the SPM programme should be,
ensuring alignment across the Group Executive and all business units. The
Chair highlighted that it was key that the business was engaged,
understood the goal and what good looked like.
Tom Cooper noted that huge progress had been made and questioned how
improvements would be measured or tracked. Saira Burwood explained
that the number of projects was down by 25% but that the amount of
control and governance had increased significantly. However, much of the
measurement was subjective and as such the metrics needed more
thought. There are controls that can be measured such as overspend but
it was more difficult to measure quality. It was agreed that Dan Zinner,
Saira Burwood and Tom Cooper would have an offline conversation on the
metrics that could be used to measure/track improvements in this area. An
update on this action would be provided at the January 2021 Committee
meeting, noting that having the correct mix of business and technical
resources was critical.
Action:
DZ &
SB
The Committee NOTED the update on improvements implemented to
better manage Change and ensure its effective delivery, and supported
the further work on the continuous improvement programme.
13. AOB
13.1 It was noted that due to agenda pressures, it was likely that the
Committee would need additional meetings next year, although this linked
into the on-going, wider conversation between the Chair and the Executive
around what matters should be directed to the Committee. Discussions
would continue and members would be updated on any requirements for
additional meetings.
There being no further business, the meeting was closed at 11:31.
14. Items for Noting
The following papers were circulated to the Committee prior to the
meeting, but were not discussed at the meeting, and were NOTED by the
Committee:
- PCI-DSS
- Cyber Security
- Joiners, Movers, Leavers (JML)
- Belfast Datacentre (Horizon) DR Post Test Briefing
- Data Retention Policy & Digital Data Governance
- Law & Trends
- Agreed Upon Procedures
- Procurement Governance & Compliance Report
Chair Date
Meeting Actions:
Para No. / Action Detail / Action
Irrelevant
4.3 Suspense Accounts: Accordingly, the Committee:
i. NOTED the findings from KPMG’s review of Post Office’s
historical operation of suspense accounts; and
ii. AGREED to recommend the full disclosure of the KPMG
Suspense Accounts report to the Inquiry and the
to the Board for approval, but that prior to disclosure:
Chair
a. KPMG should review the wording in their report and the
conclusions;
MU
b. KPMG should ensure any conclusions made were caveated
appropriately by reference to the review they have
undertaken; and
c. it be made clear that the conclusions outlined in the report
were that of KPMG and not Post Office.
9.1 Historical Matters Unit: Responsibilities, accountabilities and decision-
making authorities were still being clarified with RACI matrixes. The Chair
noted that the delegation of authority to the HMU needed to be clearer. It
was agreed that this would be presented to the January 2021 ARC
meeting.
9.2 Historical Matters Unit: Zarin Patel highlighted discussions that have
been had at the Criminal Cases Review Commission (CCRC) Board
meetings relating to fraudulent claims and eligibility criteria controls, and
it was agreed that Graham Hemmingway would bring a further noting
paper on this issue to the Committee in January 2021.
GH
9.2 Historical Matters Unit: Following discussion, it was also agreed that
live fraudulent claims and eligibility data would be appended to the CCRC
Board pack on a weekly basis. Declan Salter explained that he believed
that currently reasonable controls were in place, but these would be tested
by Internal Audit and, subsequently, PwC.
GH
12.2
Deep dive: Transformation Office Change Update 2020: Tom Cooper
noted that huge progress had been made and questioned how
improvements would be measured or tracked. Saira Burwood explained
that the number of projects was down by 25% but that the amount of
control and governance had increased significantly. However, much of the
measurement was subjective and as such the metrics needed more
thought. There are controls that can be measured such as overspend but
it was more difficult to measure quality. It was agreed that Dan Zinner,
Saira Burwood and Tom Cooper would have an offline conversation on the
metrics that could be used to measure/track improvements in this area. An
update on this action would be provided at the January 2021 Committee
meeting, noting that having the correct mix of business and technical
resources was critical.
DZ &
SB