POL00021464
POL00021464
@
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 26'* JANUARY 2021 AT 20 FINSBURY
STREET, LONDON EC2Y 9AQ AT 08.30AM (VIA CONFERENCE CALL)*
Present:
Carla Stent (Chair)
Ken McCall (SID) (KM)
Invited Attendees:
Sam Banks (Analyst Independent Audit): Observer
Richard Sheath (Partner, Independent Audit):
Observer
Tom Cooper (NED, UKGI) (TC)
Sally Smith (Money Laundering Reporting Officer &
Head of Financial Crime): Item 5 (SS)
Zarin Patel (NED) (ZP) (to 10:00am only)
Regular Attendees:
Ian Holloway (Director of Risk & Compliance, Post
Office Insurance): Item 6 (IH)
Tom Lee (Head of Finance Financial Accounting and
Controls): Item 7 (TL)
Tim Parker (Chairman, POL) (TP)
Christine Kirby (Financial Controls Manager): Item
7 (CK)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group CFO) (AC)
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Audit Partner, PwC) (AP)
Andy Jamieson (Head of Tax): Item 8
Amanda Jones (Retail & Franchise Network
Director): Items 9 & 10 (AJ)
Tim Perkins (Service and Support Optimisation
Director): Item 9 & 10 (TP)
Declan Salter (GLO Director): Item 11 (DS)
Sarah Allen (Senior Manager, PwC) (SA)
Rosie Clifton (Senior Manager, PwC) (RC)
Johann Appel (Head of Internal Audit) (JA)
Mark Baldock (Head of Risk) (MB)
Jonathan Hill (Compliance Director) (JH)
Rebecca Whibley (Senior Assistant Company
Secretary) (RW)
Hugo Sharp (Deloitte Partner) (HS)
Graham Hemingway (Historical Matters Portfolio
Lead): Item 11 (GH)
Tony Jowett (Chief Information Security Officer):
Item 12 (TJ)
Apologies:
Zarin Patel (from 10:00 onwards)
Action
1. Welcome and Conflicts of Interest
1.1
A quorum being present, the Chair opened the meeting and noted that
participation was solely by conference call
Government guidance on home working.
requirements of the Company’s Articles of Association, the location of
the meeting was agreed to be the Company’s Registered Office.
given the current
However, given the
1.2
The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
1 Participation in the meeting was entirely via Microsoft Teams from participants’ personal addresses. In such
circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be
deemed as the chair’s location. However, it was not deemed appropriate to record personal addresses on the
Company record. As such, the Registered Office is recorded as the meeting location.
STRICTLY CONFIDENTIAL
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
requirements of section 177 of the Companies Act 2006 and the
Company’s Articles of Association.
Policies: Investigations Policy
21 Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. The following points were discussed:
- The existing policy had not been used for some time and as such,
the policy has been completely overhauled, following an industry
approach.
- The policy sets out minimum standards for how Post Office will
conduct investigations wherever they might take place in the
business to ensure a consistent approach, building on comments
in Fraser J‘s judgment.
- The Chair noted that an issue that was made clear from the
Group Litigation Order (GLO) was the attitude of the investigator.
Whilst issues like the duty of good faith would only apply in the
Post Office/Postmaster _ relationship (not commercial
relationships), it was agreed that the attitude of the investigator
should be addressed in the policy.
- It was also noted that matters such as the independence of the
investigator and the level of expertise needed should also be
clear in the policy. It was explained that the policy was simply a
framework and other policies were still relevant such as Conflicts
of Interest. Nonetheless, it was agreed that these matters should
be made clear in the policy, including references to other policies
as appropriate.
- Ken McCall questioned whether the policy considers service level
agreements (SLAs) with Postmasters and Board/Committee
review of the relevant metrics in this regard. Ben Foat explained
that such matters were for specific Postmaster polices and this
policy was very much a minimum standards framework.
- Ken McCall was also concerned about the accessibility of the
policy, particularly for Postmasters, and how the policy would be
rolled out. It was explained that this was an internal policy, rather
than Postmaster facing. Nonetheless Compliance was developing
a one to two page summary to make the policy more accessible
as well as engaging with relevant Policy Owners to ensure they
understand the requirements and can evidence compliance.
- Tom Cooper requested that the policy also be externally
reviewed.
Accordingly, the Committee APPROVED the Investigations Policy,
subject to:
i. The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent
and have the appropriate expertise and appropriate
references to other relevant policies; and
ACTION:
BF
STRICTLY CONFIDENTIAL 2
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
ii. The policy being externally reviewed, and the results of this
review being considered and included as appropriate.
Previous Meetings
3.1 The minutes of the meeting of the Audit and Risk Committee held on
24 November 2020 were APPROVED and AUTHORISED for signature
by the Chair.
3.2 Progress against the completion of actions as shown on the action log
NOTED
Irrelevant.
update paper was provided to the Committee (see para 9). The action
was closed.
Note: Action 7 in the papers was a duplicate of Action 2 above (due to
copy and paste error).
STRICTLY CONFIDENTIAL
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
Irrelevant
Specerons TROT 2 “WU VENTOEY LVEO (para "De 7 “Ws Ney” ayeyare}
Compliance Risk Appetite): The Legal & Compliance Risk Appetite paper
has been developed and has been shared with the Chair. However, this
is still a work in progress and as such, the Committee was not asked to
approve the Risk Appetite statement at its January meeting.
Accordingly, the Committee may discuss and feedback as required in
the meeting. The further iteration was to be shared with the Committee
prior to its next meeting if so required. (See para 4.2 below). The action
remained open.
elements have been completed and the report was approved by the
Board for publication. The action was closed.
Irrelevant
STRICTLY CONFIDENTIAL
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
Action 17 from 24 November 2020 (para 9.1) Historical Matters Unit
(RACI Matrix): Discussions concerning UK Government Investments
(UKGI)/Department of Business, Energy & Industrial Strategy (BEIS)
involvement in Historical Shortfall Scheme (HSS) approvals, which
directly affects the operation of the schemes, have continued during
December and were expected to be finalised during January. A verbal
update was provided to the ARC (see para 11 below). Further update
will be provided in March 2021. The action remained open.
Action 18 from 24 November,
rols):
and the Project team
- see Appendix 1 in the paper as per para 11 below.
3Closed.
Action 19 from 24 November 2020 (para 9.2) Historical Matters Unit
(Eligibility extract attached in Appendix 1 of the paper as per para
11 below). Information relating to identification of fraudulent claims has
been shared as part of the Criminal Cases Review Commission (CCRC)
Board packs from 14th January 2021. The action was closed
Irrelevant
Action 21 from 24 November 2020 (para 12.1) Deep dive:
Transformation Office Change Update 2020: Dan Zinner and Saira
Burwood met with Tom Cooper on 15 January 2021 to discuss the action
regarding metrics on Change controls. Mark Baldock also joined the
meeting as he was transitioning all the controls into a new tool
(ServiceNow) which would then be able to provide a suite of reports on
the controls. These reports and dashboards would be provided to ARC
on a regular basis once ServiceNow transition was complete and Mark
agreed to give Tom early sight of these when available. The action was
closed.
3.3
The draft minutes of the Risk and Compliance Committee held on 12
January 2021 were NOTED.
Risk, Compliance and Internal Audit Updates
STRICTLY CONFIDENTIAL
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
41 Risk Update
Mark Baldock introduced the paper, which had been circulated
previously and was taken as read. The key points were summarised as
o Operational: Postmaster risks were already articulated,
but further work was to be carried out, as well as
considering whether other risks had an impact on
Postmasters. The Chair noted a discussion in the Internal
Audit meeting that morning about how to implement
controls around Postmaster risks and how to validate GLO
initiatives. Mark Baldock was asked to pick this up with I ACTION:
Jonathan Hill with an update to be provided at the March I MB
meeting. Multiple partner fragility was also noted as a key
operational risk due to the economic threats to the high
street.
STRICTLY CONFIDENTIAL 6
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
4.2
Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around
“insufficient” funding reflect the risk of uncertainty about
funding;
- Paragraph 25 relating to the risk of prolonged industrial action as
this should refer to pace of response rather than the risk of
material long term industrial action; and
- Paragraph 27 relating to adverse external economic factors,
noting that much of this was outside Post Office’s control and
that, some elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with
Ken McCall and provide an update for the next Committee meeting.
The Committee NOTED the current status of key risks and GRC
implementation and APPROVED the proposals on the role of the Board
and ARC with respect to oversight of Post Office risk management as
set out in paragraph 31 of the paper.
Risk Appetite Statement: Legal & Compliance
STRICTLY CONFIDENTIAL
ACTION:
MB
POL-0018094
POL00021464
POL00021464
POST OFFICE LIMITED
ACTION:
BF
ACTION:
BF
ACTION:
BF
The Chair noted the extensive work that had gone into the paper and
questioned whether, given the resourcing pressures, it was better to
work on KRIs to trigger a red/amber/green rating. The Committee
agreed but noted that Legal and Compliance and Postmaster related
activity were important areas in which to have risk appetite statements.
There was also a suggestion that areas that were less under pressure
in the short term could also be considered (such as finance). As such,
Mark Baldock was asked to look at identifying the KRIs for Postmasters I ACTION:
with the Network team and consider working on statements for one or I MB
two other areas for update at the March Committee meeting (in the
usual Risk Paper).
Otherwise, the Committee NOTED the draft corporate Legal &
Compliance Risk Appetite Statements which will be shared with the
Senior Leadership Team so that these can be further refined and
assessed within the business in commercial decision making.
STRICTLY CONFIDENTIAL 8
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
4.3
Compliance Update
Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. It was summarised as follows:
- Controls Framework: Work was being undertaken with the
Historical Matters Unit (HMU) to ensure the correct controls were
embedded into the relevant areas, so as to meet obligations
arising from the Common Issue Judgment (CIJ), Horizon Issue
Judgment (HIJ) and the stamps review. There was an existing
controls framework in Finance and IT (although the latter was
being overhauled), but there was no consistent approach across
the rest of the business. This was what the Framework was to
provide, such that the business could self-assess controls with
assurance provided by Compliance. Ken McCall noted that the
report outlined that there had been changes to the Postmaster
Onboarding process and questioned whether this meant the
onboarding process was quicker. Jonathan Hill was asked to
confirm this point for update at the next meeting. This area was
ultimately owned by Dan Zinner, Group Chief Operating Officer,
but supported by Amanda Jones (Retail and Franchise Network
Director), Finance and Legal. Nick Read highlighted that
recruitment of the Postmaster Director and the Customer
Experience Director was critical but would require careful
recruitment criteria.
In response to questions from Ken McCall raising concerns about
the wording of this section in the report (paragraph 11), it was
confirmed that it was the mapping of processes for activities
addressing the CIJ that had no consistent approach, rather than
the controls themselves. Key was evidence of controls and a
consistency of approach. The HMU team was working with the
relevant business areas to address this. However, the Chair
asked Jonathan Hill to further consider before the next meeting
any underlying issues (not just related to mapping), what
controls were in place and whether or not they were appropriate.
Zarin Patel also requested that the Committee have sight of the
KMPG review of the HIJ when this was ready, noting that there
were a lot of papers regarding Postmasters before the Committee
and the Board and therefore questioned whether the issue was
under control. Al Cameron explained that much work had been
done to ensure legal compliance with the judgment, but work
was on-going and KMPG and Deloitte were likely to raise issues
that had not yet been considered. As such the controls
framework was very important and must be sustainable.
- Data: The site review was now coming to an end and the main
focus was now on disclosures required for 5 February 2021. So
ACTION:
JH
ACTION:
JH
ACTION:
JH
STRICTLY CONFIDENTIAL
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
far, nothing had been found in the reviews that had not already
been disclosed. However, work was on-going.
- Cookies: Previous direction was that Post Office should look to
be in the “middle of the pack” when it comes to cookies. The
recent decision in France against Google and Amazon Europe was
noted and it was explained that typically (pre-Brexit), the
Information Commissioner's Office (ICO) aligned with Europe. As
such, the Digital and Compliance teams were looking at the
commercial impact of tightening the approach to cookies, with a
view to still remaining in the “middle of the pack.” The Chair
requested that the team carefully consider appropriate
benchmarking in a post Brexit world.
- Fire Risk Assessments: The Committee requested to be kept up
to date regarding the outstanding actions in respect of fire risk
assessments undertaken in June and July which are currently I ACTION:
being investigated by the Head of Health & Safety. This was to I JH
be included in the Compliance report for the March meeting.
The Committee NOTED the Compliance update, in particular:
- The Controls Framework update;
- The Data Management activities; and
- Post Office’s approach to cookies.
STRICTLY CONFIDENTIAL 10
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
Irrelevant I
- Interim Report on Historic Matters - CIJ Operations Improvement
Programme: It was noted that the chart in the report was
outdated and there were now 23 green actions, 10 amber and 1
red. The key finding was that there was no formal handover
process between the HMU and Operations. Nick Read highlighted
that in this area, the business was legally compliant, but not
necessarily fit for purpose. This was a key focus for the next six
months to ensure Operations, IT and culture were all fit for
purpose. A GLO Dashboard would be presented to the Board on I ACTION:
Scheme - Claims and Payments and Strategic Platform
Modernisation were due to be deferred from March 2021 to the
next audit year as evidence was not yet available.
Otherwise, the Committee NOTED the Internal Audit update,
specifically progress being made with delivery of the Internal Audit
programme and completion of audit actions.
Zarin Patel left the meeting.
Irrelevant
STRICTLY CONFIDENTIAL 11
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
Irrelevant
STRICTLY CONFIDENTIAL 12
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
Irrelevant
6. Update from Subsi
ries: verbal update
Post Office Management Services (ARC)
6.1 The Committee NOTED the update from the Post Office Insurance (POI)
ARC.
Annual Report & Accounts Update
7A Al Cameron introduced the paper, which had been circulated previously
and was taken as read. The following points were highlighted:
- Work was actively progressing to complete the Annual Report
and Accounts (ARA) for the financial year end 29 March 2020.
The ARA was largely drafted but needed some considerable
updates given the events over the last six to eight months.
Outstanding issues included:
1. A provision for Post Group Litigation Order and the
calculation of the accounting estimate in respect of the HSS,
as well as disclosure updates in respect of this scheme, the
contingent liability for Starling litigation and subsequent
events disclosure for the historical criminal cases.
2. Impairment on insurance business investment which was
likely to be around £15-20m
3. A provision for hard to place branches, which might be up to
£30m, although there was a question as to whether this was
a past event or a new decision for inclusion in accounts to the
financial year end 29 March 2020. (Tom Cooper noted that
this was a joint reputational issue for Post Office and the
Government and needed to be discussed at the Board). Note:
This was subsequently discussed at the Board meeting later
on the same day.
4. The wording regarding contingent liabilities needed to be
discussed.
5. The Committee would need to agree that the CCRC issue was
included as a subsequent event (as it was in the future as at
29 March 2020).
STRICTLY CONFIDENTIAL 13
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
- Adetailed going concern assessment then needs to be completed
for a period of 18 months (rather than 12 months) from accounts
submission. Therefore, forecasts were being examined. PWC
have made it clear that unless a viability statement covers a
period of 18 months, they would likely include an emphasis of
matter paragraph in their opinion. Tom Cooper remarked that his
team were discussing this disclosure with BEIS Finance.
- The intention was for the Committee to review the accounts for
approval (for onward submission to the Board) on 26 February
2021.
- The sections relating to Risk and Remuneration would largely be
unchanged but the CEO and Chairman's report were being
completely redrafted.
The Committee NOTED:
i. the status of the Post Office Limited Group Annual Report and
Accounts for the year ended 29 March 2020
ii. the key items required for completion and signing of the ARA;
and
iii. the plan for completion and signing.
9.1 Tim Perkins introduced the paper, which had been circulated previously
and was taken as read. The following points were highlighted:
- Performance has continued to be positive. Average loss per
branch has fallen from just under £135 per trading period per
branch to £63.44 per trading period per branch. This has been
STRICTLY CONFIDENTIAL 14
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
driven by proactive intervention, less cash in network, timeliness
of corrections and improved training.
- Next steps were to continue with these interventions and see
what can be done to improve the speed of corrections and
improvement in stock. Work was being done with HMU to remove
the “settled centrally” terminology from Horizon and add a
dispute button at the point of settling.
- Tom Cooper queried when the minimum value that can be settled
centrally would be changed from £150 to £0, noting he thought
this had been removed previously. Tim Perkins explained that
Accenture had just quoted to do this, and it was requested that I ACTION:
Tim Perkins provide the date as to when this would happen to I TP
the Committee once he is advised of it.
- In response to further questions about branches being able to be
‘rolled’ into the next trading period and how disputed items were
dealt with, Tim Perkins explained that balances are moved to a
Postmaster account to allow an investigation to take place to
establish the cause of the loss. A button would also be added to
Horizon to allow immediate dispute.
- Age of the transaction error was the crucial, rather than the
number of errors. At present, measurements were based on
transactions over two months old. A measurement of 45 to 60
days (depending on the type of transaction) was being
considered to take into account how long client reconciliation
takes.
- At the request of Ken McCall more detail was provided on the
process where a cash declaration had not been done for 10 days
or for trading period roll overs (where not done for 60 days).
First, the Postmaster would be called by the team (bearing in
mind any branch closure) and the issue would be escalated to
the Area Manager. Where repeated contact has to be made, the
branch will also be visited to ensure they understand the
requirement and to understand the barrier(s) to completion.
There would also be a conversation with the contract advisor
team about contract performance.
- It was confirmed that branches with high cash holdings or highest
levels of cash deposits have excellent compliance with the branch
accounting requirements. However, for branches with high levels
of cash deposits, more transaction errors were seen, and this was
an area of focus, particularly as to whether better equipment
could be provided. Additional support from Area Managers and
Security Managers was being provided with a visit every month.
The Committee commented that key was to tackle this issue at
source. Al Cameron explained that any proposed changes had
been postponed given ongoing process reviews in this area.
- The Chair noted that it was good to see the figures decreasing
but that it would be useful to see a dashboard of branch balances
and transaction corrections, possibly as an addition to the
STRICTLY CONFIDENTIAL 15
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
reporting on post GLO remediation. (Tim Perkins and Amanda I ACTION:
Jones to action for the next Committee meeting). TP/AJ
- Via email outside the meeting, Zarin Patel also suggested that I ACTION:
route cause analysis should be undertaken into the gross I TP/AJ
losses/gains and net balances as these seemed very high
(paragraph 8 of the paper). (Tim Perkins and Amanda Jones to
consider for update at the next Committee meeting).
The Committee NOTED the update on balances posted to Postmaster
customer accounts following a request at the Committee in September
2020.
10. Postmaster Policies
10.1 Amanda Jones introduced the paper, which had been circulated
previously and was taken as read. It was explained that these three
policies were being proposed to formalise the improvements made to a
number of processes in response to the CIJ. Each policy was taken in
turn:
The Chair questioned
why the Risk Appetite section was missing. It was confirmed that
the risk appetite was averse, but that this linked back to the
earlier discussion regarding the risk appetite statement for
Postmasters and the need for clear KRIs, which were particularly
required to judge if the policy was being embedded and enforced.
This section should be added into the policy in line with the work
to be completed on KRIs for Postmasters (see action above in
paragraph 4.2).
ACTION:
TP/AI/
MB
ACTION:
There was also an action to carefully consider references to TP/AJ
“employee” throughout the document.
It was also confirmed that this was an internal policy (not
Postmaster facing), but a similar version would be created as
part of the Postmaster manual. It was explained there would be
an overarching document demonstrating how the policies fit I ACTION:
together and it was agreed this would be presented to the I TP/AJ
Committee in March 2021 with the Chair requesting that it be
clear in this document who was the audience of which policy.
- Postmaster Account Support Policy: ay
A different approach was being taken by the
former loss recovery team, which was to be supportive and
understanding of discrepancies.
It was explained that the three policies interfaced to provide
support to Postmasters. The Network Monitoring policy related to
STRICTLY CONFIDENTIAL 16
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
investigation, Account Support was for proactive support and
Dispute Resolution sets out the tiers of support provided in the
event of a discrepancy (section 4 of the policy).
The Chair questioned the wording of the risk appetite section and
it was requested that this was reviewed before the policy was
published/implemented.
With respect to the writing off of discrepancies, it was explained
that the team were working hard to reduce the number and size
of discrepancies. There were no caps on amounts that could be
written off over a period of time as the controls to approve the
write offs ultimately formed part of the finance processes.
Tom Cooper questioned whether after the Tier 3 support level
(section 4 of the policy) litigation was the only option,
considering that the amount could be small. Tim Perkins
explained that the account support processes were used to
consider how the discrepancy should be dealt with and whether
it should be written off, with a lot of engagement with the
Postmaster. Where there were persistent losses or carelessness,
then this would be dealt with from a contractual performance
perspective i.e. termination on notice.
The Committee requested that the following elements were
included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3
(indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through
the dispute resolution process (i.e. accounting records,
Horizon data etc.);
4. Reference to classroom training that would be provided to
Postmasters on investigating balance discrepancies; and
5. A checklist for each tier.
Zarin Patel (by email outside of the meeting) also raised the following
points:
i.
Both the Postmaster Account Support Policy (para 2.5 and
4.1) and the Network Monitoring and Audit Support Policy
(para 2.5) referred to “reasonable and fair investigations”
without adequately defining this; and
The Network Monitoring and Audit Support Policy should
address skill set and attitude of lead auditors and how the
ACTION:
TP/AI/
MB
ACTION:
TP/AJ
ACTION:
TP/AJ
STRICTLY CONFIDENTIAL
17
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
new culture would be embedded so they did not approach the
audit with preconceived biases.
Accordingly, the following policies were APPROVED by the Committee:
e Postmaster Account Support Policy (subject to a review of the
wording of the risk appetite section and addition of a definition
of a “reasonable and fair investigation”); and
e Network Monitoring and Audit Support Policy (subject to the
addition of a risk appetite section and a definition of a
“reasonable and fair investigation” as well as the skill set and
attitude of the lead auditors and how the new culture would be
embedded).
The Postmaster Accounting Dispute Resolution Policy was to be revised
in line with the Committee's discussions (including a review of all risk
appetite references) and approved by written resolution after the
meeting.
11. Historical Matters Unit: Fraudulent Claims Controls & Delegation
of Authority
11.1 Declan Salter and Graham Hemingway introduced the paper which had
been circulated previously and taken as read. The key points were
highlighted as:
- Responsibilities, accountabilities and decision-making
authorities: Work was being done to produce an operating
charter and a RACI, including delegated authorities and
accountabilities. This has taken longer due to engagement with
BEIS and UK Government Investments (UKGI). A ways of
working document has been agreed, but a decision-making flow
chart was still being updated. Once complete, it was to be I ACTION:
circulated to the Board at its CCRC meeting. Further discussions I GH/DS
were being held on reporting to BEIS/UKGI.
Mitigations against risk of fraudulent claims:
Project team as set out in
appendix 1 of the report. By way of email outside the meeting,
Zarin Patel suggested that the team consider best practice for
fraudulent claim controls, such as those used for Payment
Protection Insurance (PPI) claims. Graham Hemmingway
provided the following response: the mitigations have been
compiled and reviewed by his team, which included programme
and project managers as well as business analysts with
experience of managing PPI-type claim schemes at Lloyds
Banking Group, Barclays, Nationwide, RBS and Co-op Bank.
Further Declan Salter’s experience has also fed into the ongoing
risk management activities, particularly around risk of
interception of emails. Internal Audit or an external team could
review the mitigations as part of their planned reviews.
STRICTLY CONFIDENTIAL 18
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
Data relating to fraudulent
Information relating to identification of fraudulent
claims has been shared as part of the CCRC Board packs since
14 January 2021. In response to questions from the Committee,
Graham Hemingway further explained that eligibility checks were
a standard under the Terms of Reference of the HSS. Work was
still being done to work through the data and evidence available
on each claim, which was difficult due to the age of some claims.
It was also
counsel_to
Otherwise, the Committee NOTED how risks relating to fraudulent
claims are being managed in the Historical Shortfall Scheme (and the
Stamps Scheme) and that controls were in place to confirm the
eligibility of claims.
12. IT Controls Assessment
12.1 Tony Jowett introduced the paper, which had been circulated previously
and was taken as read. The main focus of work in the IT Controls was
the Internal Audit Report actions and focus of the improvement effort
was on the controls of greatest risk, namely those areas connected with
the management of the third-party estate through the lens of Post
Office’s crown jewel systems. The Committee requested that there be
a detailed review of this, and this review would be reported to the I ACTION:
Committee, targeting the next meeting. Tj
On resource constraints flagged by the Internal Audit report, Tony
Jowett further explained that the size of the team had been doubled
and someone had been appointed to the business continuity role but
was not yet in post.
The Committee NOTED the status and plans regarding the reduction of
risk associated with IT Controls.
13. AOB
13.1 There being no further business, the meeting was closed at 11:27.
14. Items for Noting
14.1 The following papers were circulated to the Committee prior to the
meeting, but were not discussed at its meeting and NOTED by the
Committee:
- Pensions Controls
- Success Factors
- Cyber Security
-__ Joiners, Movers, Leavers (JML)
STRICTLY CONFIDENTIAL 19
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
- Law & Trends
- Accountable Person*
- Mails Fraud Update**
*Outside of the meeting, Tom Cooper requested that paragraph 18
needed to be amended to remove the following line: “There is a UKGI
representative on the POL Board, who have oversight of the Group
Executive ("GE”) and are able to challenge and review relevant
decisions made by the AP and the GE team" as his role on the Board
was not linked to the role of the Accountable Person.
** Subsequent to the meeting, Tom Cooper questioned whether power
outages (affecting label printing) had implications for the integrity of
branch accounting and accuracy of postmaster balances. Declan Salter
has confirmed that, absent fraudulent activity, there would be no
financial loss. Furthermore, that, in this regard, there are no system
related integrity issues.
leeting Actions:
Para
No.
Action Detail
Action
2.1
Investigations Policy: Accordingly, the Committee APPROVED the
Investigations Policy, subject to:
i. The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent and
have the appropriate expertise and appropriate references to
other relevant policies; and
The policy being externally reviewed, and the results of this review being
considered and included as appropriate.
Ben
Foat
4.1
Risk Update: The Chair noted a discussion in the Internal Audit meeting
that morning about how to implement controls around Postmaster risks
and how to validate GLO initiatives. Mark Baldock was asked to pick this
up with Jonathan Hill with an update to be provided at the March meeting.
Multiple partner fragility was also noted as a key operational risk due to
the economic threats to the high street.
Mark
Baldock
4.1
Risk Update: Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around
“insufficient” funding reflect the risk of uncertainty about funding;
Mark
Baldock
STRICTLY CONFIDENTIAL
20
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
- Paragraph 25 relating to the risk of prolonged industrial action as
this should refer to pace of response rather than the risk of material
long term industrial action; and
- Paragraph 27 relating to adverse external economic factors, noting
that much of this was outside Post Office’s control and that, some
elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with Ken
McCall and provide an update for the next Committee meeting
4.2
4.2
k Appetite Statemen
k Appetite Statement: Legal
4.2
4.2
Risk Appetite Statement: Legal & Compliance:
Risk Appetite Statement: Legal & Compliance: As such, Mark Baldock
was asked to look at identifying the KRIs for Postmasters with the Network
team and consider working on statements for one or two other areas for
update at the March Committee meeting (in the usual Risk Paper).
Ben
Foat
Ben
Foat
Ben
Foat
Mark
Baldock
4.3
4.3
Compliance Update: Ken McCall noted that the report outlined that there
had been changes to the Postmaster Onboarding process and questioned
whether this meant the onboarding process was quicker. Jonathan Hill was
asked to confirm this point for update at the next meeting.
Compliance Update: In response to questions from Ken McCall raising
concerns about the wording of this section in the report (paragraph 11),
it was confirmed that it was the mapping of processes for activities
addressing the CIJ that had no consistent approach, rather than the
controls themselves. Key was evidence of controls and a consistency of
approach. The HMU team was working with the relevant business areas to
address this. However, the Chair asked Jonathan Hill to further consider
before the next meeting any underlying issues (not just related to
mapping), what controls were in place and whether or not they were
appropriate.
Jonatha
n Hill
Jonatha
n Hill
4.3
Compliance Update: Zarin Patel also requested that the Committee have
sight of the KMPG review of the HIJ when this was ready, noting that there
were a lot of papers regarding Postmasters before the Committee and the
STRICTLY CONFIDENTIAL
Jonatha
n Hill
21
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
Irrelevant
hat int
business was legally compliant, but not necessarily fit for purpose. This Read
was a key focus for the next six months to ensure Operations, IT and
culture were all fit for purpose. A GLO Dashboard would be presented to
the Board ona a monthly b basis to give a an overview of progress.
9.1 Update on branch losses and balances on Postmaster accounts: I Tim
Tom Cooper queried when the minimum value that can be settled centrally I Perkins
would be changed from £150 to £0, noting he thought this had been
removed previously. Tim Perkins explained that Accenture had just quoted
to do this, and it was requested that Tim Perkins provide the date as to
when this would happen to the Committee once he is advised of it.
9.1 Update on branch losses and balances on Postmaster accounts: I Tim
The Chair noted that it was good to see the figures decreasing but that it I Perkins
would be useful to see a dashboard of branch balances and transaction I /
corrections, possibly as an addition to the reporting on post GLO I Amanda
remediation. (Tim Perkins and Amanda Jones to action for the next I 2°"eS
Committee meeting).
9.1 Update on branch losses and balances on Postmaster accounts: Via I Tim
email outside the meeting, Zarin Patel also suggested that route cause I Perkins
analysis should be undertaken into the gross losses/gains and net I /
balances as these seemed very high (paragraph 8 of the paper). (Tim I Amanda
Perkins and Amanda Jones to consider for update at the next Committee Jones
meeting)
10.1 Postmaster Policies: It was confirmed that the risk appetite was averse, I Tim
but that this linked back to the earlier discussion regarding the risk I Perkins
appetite statement for Postmasters and the need for clear KRIs, which /
were particularly required to judge if the policy was being embedded and I Amanda
enforced. This section should be added into the policy in line with the work I 20€S /
STRICTLY CONFIDENTIAL 22
POL-0018094
@
POST OFFICE LIMITED
POL00021464
POL00021464
to be completed on KRIs for Postmasters (see action above in paragraph
4.2).
Mark
Baldock
10.1
Postmaster Policies: There was also an action to carefully consider
references to “employee” throughout the document.
Tim
Perkins
/
Amanda
Jones
10.1
Postmaster Policies: It was explained there would be an overarching
document demonstrating how the policies fit together and it was agreed
this would be presented to the Committee in March 2021 with the Chair
requesting that it be clear in this document who was the audience of which
policy.
Tim
Perkins
/
Amanda
Jones
10.1
Postmaster Policies: The Chair questioned the wording of the risk
appetite section and it was requested that this was reviewed before the
policy was published/implemented.
Tim
Perkins
Amanda
Jones /
Mark
Baldock
10.1
Postmaster Policies: The Committee requested that the following
elements were included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3
(indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through
the dispute resolution process (i.e. accounting records, Horizon
data etc.);
4. Reference to classroom training that would be provided to
Postmasters on investigating balance discrepancies; and
5. A checklist for each tier.
Tim
Perkins
/
Amanda
Jones
10.1
Postmaster Policies: Zarin Patel (by email outside of the meeting) also
raised the following points:
i. Both the Postmaster Account Support Policy (para 2.5 and 4.1)
and the Network Monitoring and Audit Support Policy (para 2.5)
referred to “reasonable and fair investigations” without
adequately defining this; and
ii. The Network Monitoring and Audit Support Policy should address
skill set and attitude of lead auditors and how the new culture
would be embedded so they did not approach the audit with
preconceived biases.
Tim
Perkins
/
Amanda
Jones
Historical Matters Unit: Fraudulent Claims Controls & Delegation
of Authority: A ways of working document has been agreed, but a
decision-making flow chart was still being updated. Once complete, it was
Graham
Heming
way /
STRICTLY CONFIDENTIAL
23
POL-0018094
POL00021464
POL00021464
@
POST OFFICE LIMITED
to be circulated to the Board at its CCRC meeting. Further discussions I Declan
were being held on reporting to BEIS/UKGI. Salter
12.1 IT Controls: The main focus of work in the IT Controls was the Internal I Tony
Audit Report actions and focus of the improvement effort was on the I Jowett
controls of greatest risk, namely those areas connected with the
management of the third-party estate through the lens of Post Office’s
crown jewel systems. The Committee requested that there be a detailed
review of this, and this review would be reported to the Committee,
targeting the next meeting.
STRICTLY CONFIDENTIAL 24
POL-0018094
POL00021464
POL00021464
Voting Results for January Minutes
The signature vote has been passed. 1 votes are required to pass the vote, of which 0 must be independent.
Vote Response Count (%)
For 1 (100%)
Against 0 (0%)
Abstained 0 (0%)
Not Cast 0 (0%)
Voter Status
Name Vote Voted On
Stent, Carla For 01/04/2021 21:01
POL-0018094