POL00026954 - Group Executive Agenda for Meeting on 12th November 2018

Group Executive Agenda
Date: Monday 12 November 2018 | Time: 09.00 - 14.00 | 1.19 Wakefield
Attendees | Other Attendees | Apologies
* Paula Vennells (Chair) * Rob Houghton * Sarah Koniarski * Chrysanthy Pispinis * Veronica Branton
* Alisdair Cameron * Mo Kang * Micheal Passmore * Mick Mitchell
* Debbie Smith * Mark Davies * Tom Moran * Martin Hopcroft
* Owen Woodley * Jane MacLeod * Martin Kearsley * Martin Edwards
* Emma Springham

Item | Action | Lead | Timing
1. Finance Performance — Financial Results & Review of Business Scorecard | Discussion | Al Cameron / Micheal Passmore | 09.00 - 09.20
2. Retail Strategy (including Agent Remuneration) | | Debbie Smith / Tom Moran | 09.20 - 10.00
3. Future of Cash - Banking Framework 2 | Approval for Board | Debbie Smith / Martin Kearsley | 10.00 - 10.30
4. Marketing Effectiveness, Efficiency and Relevancy | | Owen Woodley / Emma Springham | 10.30 - 11.00
BREAK | 11.00 - 11.10
5. BoI Negotiations (Verbal) | Discussion | Owen Woodley / Chrysanthy Pispinis | 11.10 - 11.25
6. IT Security Strategy | | Rob Houghton / Mick Mitchell | 11.25 - 11.45
7. Health and Safety Report (including violence and robberies) | Approval for Board | Al Cameron / Martin Hopcroft | 11.45 - 12.00
8. Postmaster Litigation (verbal) | Discussion | Jane MacLeod | 12.00 - 12.15
LUNCH | 12.15 - 12.30
9. Contract for Approval: Digital Identity | Approval for Board | Martin Edwards | 12.30 - 13.15
10. Compliance with PCI-DSS: Approval for an Interim Solution | Approval for Board | Debbie Smith / Rob Houghton | 13.15 - 13.30
11. Verbal Updates from Committees and Steering Groups | | GE Lead |
12. Review of GE Minutes, Action Points and Updates | Discussion | Sarah Koniarski |
13.30 - 13.40
13. Investment Committee Terms of Reference | Approval | Rob Houghton |
14. Items for Noting
14.1 Forward Agendas | Noting | Sarah Koniarski | 13.40 - 13.50
15. Any other Business | | All |
13.50 - 14.00
The GE meeting will be followed by the Annual Crisis Workshop facilitated by Tim Armit, Business Continuity Manager.
(14.00-15.30)

STRICTLY CONFIDENTIAL

DISCUSSION PAPER

POST OFFICE LIMITED
GROUP EXECUTIVE

October 2018 (P7) - Financial Performance

Author: Micheal Passmore Sponsor: Alisdair Cameron Meeting date: 12 November 2018

Executive Summary

Context
The purpose of this paper is to outline our financial performance in P7. A detailed
slide-deck is attached.

How did we do in P7?

£m Period 7
Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Retail 5220 18 o4 522 3220 22
FS&T (incl. Insurance) 297 = 3047) 299 1967 64}
Telco overstatement 00 0S @8) eo 30 30)
Identity 54 44 07 44 303 44
Supply Chain/Other 14 00 12 84 (06)
Total Revenue 84 (0.4) 5605 (3.4)
Cost Of Sales (18) 03 (754 Pe)
Net Income 768 02 485.4 (2.5)
Agents Pay era) et 34
Staff Cost G67) (08) 25)
Non staff Cost 214) 29 84
FRES 34 (02) os
Other Income 14 a4 at
Trading Profit 408 27 73
Network Subsidy Payment 58 00 00
EBITDA 166 27 73
Depreciation @2) 64 (465) 71.8)
Interest (7) 02) (49) 3}
Change Spend (64) (14) 80) (59.1) 9.1)
Investment Funding 192 oo 182 409.2 cr)
Profit On Asset Sale 17 17 00 30 30.0%
Profit Before Tax 26 223 (07) tA 60.4 (14.2) 104%

P7 revenue was £88.4m, £0.9m favourable to forecast in the month. This was driven
by greater than expected Home Office volumes as well as a delay in the Verify price
decrease being agreed with GDS. Overall, underlying revenue is £3.2m adverse to
budget YTD, when you also exclude the Telco budget overstatement and one-offs.

P7 trading resulted in a profit of £10.9m, £1.2m better than forecast resulting from the
Identity upside. YTD trading profit of £31.7m is £7.9m ahead of plan, despite the £3.0m
telco budget error.

In Verify, LoA2 (Level of Assurance) volumes are on forecast, with the upside of
£0.4m due to the new GDS pricing tiers going live on the 3rd week of October (rather
than the 1st). Two identity providers (Royal Mail/GBG) dropped out of the Verify
federation after the new call off which has led to an increase of market share,
particularly for LoA1.

Resident permits (BRP) and paper passports are driving the strong performance in
Home Office. BRP was driven by the tail end of the student surge period (Sept-Oct)
and the early effects of Brexit leading to strong trading results (+£0.2m). YoY volumes
are up by 18%. The contract is expiring this financial year and volumes will start to
divert to the new supplier from P8. Volumes for Paper passports and Digital check and
send are 20% higher than forecast.


Telco customer numbers at end of the period were 500,531, down 313 on forecast, but
increased by 2,307 customers since P6. Underlying ARPU is also down contributing to
£0.5m adverse variance in period. We are working with Fujitsu to understand what has
driven this.

MoneyGram underperformed by £0.2m in period as total volumes of 280k were 40k
below forecast. Send volumes to Eastern Europe have specifically reduced as a potential
impact of Brexit. Blended rate of £6.13 is in line with forecast.

Travel money is favourable £0.1m to forecast predominantly due to increased branch
currency sales. Though Travel hub income remains below £0.1m, it was up on
forecast in the period.

PO Insurance revenue is £0.1m favourable to forecast in the period resulting from
stronger General insurance renewal performance on both volumes and income per
policy.

Home Shopping Returns volumes are -0.3m to forecast, but remain up on budget and
are expected to pick up again in P8. YoY growth remains strong at +25%. ATM
volumes are slightly behind (-0.1m) and availability levels 1.4% less than forecast.

Staff costs are -£0.9m adverse to forecast due to an incorrectly forecasted recharge in
FS&T (£0.2m), POI costs that did not meet capex criteria (£0.1m) and Identity project
costs that will be transferred to change in P8 (£0.2m). The underlying staff cost
projection for the remainder of the year is being assessed.

Depreciation charge for October includes YTD catch up of c. £4m which had been
phased across the rest of the year in the forecast.

Profit on asset sale relates to the sale of four properties which had been forecasted
as Change spend reduction, but recognised in profit on disposal whilst the correct
accounting treatment is agreed.

Network numbers (September) were 11,557, being 57 above the commitment and an
increase of 10 compared to year end. Reduction of 9 from August driven by 50
temporary closures, 31 re-openings and 10 new network locations. New network
locations are 27 behind budget YTD as at September.

Net funding position has decreased by £36m from prior period, helped by the receipt of
Q2 investment funding from UKGI and significant work performed by supply chain team.
P7 Change spend (Capex and Exceptional) was £20.6m, £2.2m behind forecast.
Underspend in period predominantly relates to timing of spend on Project Everest and
Property programmes. Benefits are largely on track YTD against forecast.

Conclusion

Overall, we remain ahead of forecast in period and budget YTD, but expect a
proportion of non-staff cost savings to reverse in future periods. There are also
possible trading challenges from Telco to address, along with IT cost challenges.

Confidential


Period 7 FY18/19 Financial Performance
Group Executive

12 November 2018


P7 Scorecard

Post Office Business Scorecard - FY18/19

Period 7 Year to Date Full Year

Actual Budget Variance Forecast Variance Actual Budget Variance RAG Budget Forecast
Deliver Profit

Total Gross Income (exci NSP) £m 884 885 (0.1) 874 o9 & LA 557.2 5605 (3.4) 3 965.1 9567
Trading Profit £m 109 82 27 9o7 12 @ WAN 316 238 78 eS 50.0 51.0
Headroom £m (vs Board minimum limit) 380 200 180 200 180 & >£200m I >£200m
Change benefit deliverym og 36 (27) 17 (og) @ / 402 36.4
Mails - Total Labels Volume m 158 155 02 15.7 O41 e 935 93.0 06 e 163.4 1676
Mails - Home Shopping Returns Volume m 42 44 o4 45 40.3) @ a 279 246 33 e 450 507
Banking Volume (m) 128 424 o7 124 04 ® 175 756 19 130.2 133.4
closing Telecoms Customer Base (#) 500531 508,777 500,844 ods 494,823 I 494,823
Grow our Network - Customer

Number of Branches (mth in arrears) 11,557 ~ 11,500 11,500
INew Network Branch 20

Become the Partner of Choice - TT
Customer

Ease of Doing Business with (Effort) 1 a 83.0% 82.0% 0%
No. of Horizon Customer Sessions per week 10.2 100 02 10.0 02 e 100 10.0 0.0 e

I# of Sev1/Sev2 incidents 13 8 (5) 8 5) e f 81 56 e <96 <96
Number of failed SLA's (mth in arrears) 3 3 0 3 0 o A a7 18 cy <36 <36
[Actual Incident Volumes 7,669 10,000 2.331 10,000 2,331 @ . 69065 70,000 935 e <120,000 I <120,000

# of Sev1/Sev2 incidents - 5 Computacenter incidents relating to user access to software, 4 Accenture back office
issues relating to systems (e.g. MDM), also items with Genesys, Verizon, RMG and Centrica.

Actual incident volumes — reduction largely due to impact of Project Nelson.


Post Office® Post Office Limited — Commercial in Confidence


P7 Scorecard

Post Office Business Scorecard - FY18/19

Period 7 Year to Date Full Year

Actual © Budget Variance Forecast Variance Trend I Actual Budget Variance RAG Budget Forecast
Digital Innovation - Customer

Trading income from customer Hub (Em) of 00 o4 F f 02 06 ) 12

# of Registered customers on app 31,290 27726 © 3,564 . 122,615 158,484 (35,869)

319,410
# of All Product pages website visits 1,810,038 1495072 314,966 1,495,072 314,966 @ SS, [14,053,917 12,558,818 1,497,099

Website Conversion ratio 114% 12.8% = (14%) 12.8% =——(1.4%) " 100% 108% (0.8%) 14.1%
Care for our People

Line Manager index" 4% 62%

Female Representation in Senior Roles (3a & above) 11% 41.6%

BAME Representation in Senior Roles (3a & above) 9 %) 9.8%

Senior Vacancies filled by internal Talent (71%) 80.0% . 44.9%

Absence 0.1% 3.3% a 3.2%

Safety LTIFR 0.200 0.200 ay 0.143,

1. Line manager index calculation is based on the weighted average results

2. Our ambition is to achieve 50% by 2020. Full year target of 43% is based on a linear increase over 3 years; this equates to replacing 16 Males with Females in Year 1 based on 460 population. Discussion to be held over changing Senior Roles to Level 4 and above (population would decrease 250 and female ratio would be 30%)

3. 14% is the percentage of people in the UK who describe themselves as BAME (Source: Most recent ONS Census, 2011). Our ambition is to achieve 14% by 2020. Full year target of 11.1% is based on a linear increase over 3 years; this equates to replacing 11 white to BAME in Year 1 based on 460 population. Discussion to be held over changing Senior Roles to Level 4 and above

Absence - Monthly absence decreased in P7 to 3.19% from 3.38% in P6. Long Term sick absence is being reported
lower than P7 in 2017/18. This year there are currently 109 absences open incurring 6746 hours reported by Success
Factors. Additional focus and case management support is being provided by OH Assist to review and progress our
longer term absences.

Safety LTIFR - There were 4 employee related accidents in Post Office during P7 compared to 2 during P7 in prior
year. There were zero lost time accidents in P7 and there have been a total of 7 YTD against 12 YTD in FY17/18.

P7 Trading Profit +£1.2m v forecast; YTD +£7.9m v budget

£m
Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Retail 52.2 518 04 52.2 0.0 1% 324.2 322.0 22 0%
FS&T (incl. Insurance) 29.7 30.4 (0.7) 29.9 (0.3) 4% 1903 1967 (6.4) 4%
Telco overstatement 0.0 05 (0.5) 0.0 0.0 n/a 0.0 3.0 (3.0) n/a
Identity 54 44 07 44 10 6% 34.8 30.3 44 11%
Supply Chain/Other 14 14 0.0 12 0.2 % 78 84 (0.6) 6%
Total Revenue 88.4 88.5 (0.1) 87.4 09 2% 557.2 560.5 (3.4) 2%
Cost Of Sales (41.6) (41.9) 03 (14.8) 02 3% (74.3) (75.4) 09 5%
Net Income 76.8 76.6 0.2 75.7 44 2% 482.9 485.4 (2.5) 2%
Agents Pay 27) (326) (01) 3.2) 04. -3% (208.1) (241.1) 3A %
Staff Cost (16.7) (46.1) (06) (15.8) (0.9) 4% (109.7) (107.3) (25) 3%
Non staff Cost (214) (24.0) 29 © (21.6) O05  -21% (167.1) (175.2) 84 A%
FRES 34 33 (0.2) 3.2 (0.0)  -9% 254 248 08 27%
Other Income 14 1.0 O4 14 0.0 439% 83 72 LA 327%
Trading Profit 10.9 82 27 97 41.2 309% 37 23.8 79 n/a
Highlights:

* FS&T - underperformance in Telco and MoneyGram; Travel Money ahead of forecast
* Identity - delay in GDS price decrease hence additional unplanned Verify benefit
* Staff costs - increased costs across all areas, refer to slide 19


Retail Scorecard
Home shopping returns volume down; banking volumes up but revenue under forecast


Year to Date Full Year ig Full Year

RAG

Actual Budget Variance Forecast Variance FOST Actual Budget Variance RAG FOT Budget
Gross income £m 622 518 04 522 oo @ 3242 3220 22 @ 5697 5686
Trading Proftem 26 W7 08 422 os @ 753 682 72 @ 1343 128.2
Hails - Priority Volume m 10 14 (04) os o1 @ 58 65 08) @ 104 116
Mails - Total Labeis Volume m 158 15.5 2 157 o1 @ 935 93.0 0 @ 1676 163.4
Mails - Click & Collect Volume m 04 04 o4 oa co) Oo 23 22 02 @ 47 a4
Mails - Home Shopping Retums Volume m 42 44 ot 45 ©3) & 279° (a 33° 8 507 450 ES
Banking Volume (m) 28 124 or 124 04 _ @ 175 786 19 _ 1334 1302
No. of Horizon Customer Sessions. per week 10.2 100 02 10.0 02 @ 10 410.0 oo @ 00 os)
No.of Rea Transactions per session coe TITTI « oo 00
Ease of Doing Business with (Effort) 84% © 820% «18% =~ g2% 2%» © 83.0% 620% 10% @ 820% 820%
No. Complaints* 2,378 3,126 748 3.126 m4 @ 16.134 16.882 748 @ 15,530 15,530
Number of Branches (nt in arrears) 11957 145005? 11.600 oe WI « 11500 14.600
New Network Branch 20 20 © 20 es 143 4170 @7) @ 338 338
Branch standards - Losses identified in Audit" i o(05) oo 5) @ 40 oo 49) oo oo

*month in arrears.


Retail: P7 Trading Profit +£0.3m to forecast; YTD +£7.1m to budget

Income trends continued at same trajectory

£m Period 7
‘Actual Budget Variance Forecast Variance YoY ‘Actual Budget Vatiance YoY (1)

Mails Trading 28 = 265 co 26.3 1506 1602 (08) 4%

Maitwork 08 oo o8 0) 0%

Mails Otner 00 oo oo 15

RMAnnual Fee 43 o4 48 09

GitCards 04 00) oa 0.2)

Lottery 26 4 29 20

Poca 25 o4 26 (03)

Payment Services 24 (02) 23 (05)

ATMs 28 = 4} 28 173 a4)

Banking Services 90 02 93 878 12 S

Other Retail 04 02) 03 19 7) 61%

Total Revenue He oa 622 Baz Bow

Cost Of Saies O70) 8) (z6) 00-21%

Net income 50.4 04 50.4 3116 22 1%

‘Agents Pay (28463) 1)—«28G) 758) 23 19%

Staff Costs 71) 4) (75) (467) 15) 6%

Staff & Agent Related Costs (02) 0) (3) (3) 01 25%

Consultancy & Advisory Services: (0.1) (0.1) (01) (0.4) (0.1) 83% O)

IT infrastructure & IT Services 2) (04) 02} 25) (13) 84%

Managed Sermoes - Penalties (0.4) co I @4) (28) (0) 100%

Postage (05) oo © 3) @7) 00-55%

Finance & Losses (13) 02 (13) an 14 10%

Change Opex (0.5) os oo 00 29 0%

Otner Opex (1.9) 64 8) 89) 01 9%

Other income 10 04 14 8.26 44 nia ®

Trading Profit 7 os 122 75.3 7a na

Remains a shift from 1c to 2c labels. Home shopping returns volumes down due to consumers waiting for Black Friday deals; therefore increased volumes expected in P8.

ATM volumes slightly down on forecast (-0.1m) and availability levels 1.4% below forecast.

Banking services adverse to forecast in period but expected to over perform against full year budget.

Reduced agents pay predominantly relating to ATMs.

Timing of IT spend on mails. Expected to catch up in P8.

FS&T Scorecard

Actual Budget Variance RAG Actual Budget Variance RAG Budget
Value of Mortgage Applications (£m) 297 313 (16) @ 1298 «1678 = (381) @ 3,050
Value of Mortgage Completions (£m) 148 219 1) @ 612. 1,175 = (63) @ 2,135
Total value of Savings balances (£m) 13,702 14,200 (498) © 13,702 14,200 «= (498) @ TBC
Number of new Credit Card applications 3412 8804 (5,392) @ 37,005 54,588 (17,583) @ 91,568
Credit Card application accept rate 74% 58% 16% @ 73% 58% 16% @ 58%
Number of new Loan applications 7618 6,755 363 46,996 41,884 5,112 @ 71,608
Loan application accept rate 53% 58% (4%) @ 57% 58% (1%) @ 58%
Number of MoneyGram Send transactions 249,537 285,567 (36,030) @ 1,607,382 1,670,435 (63,053) © 2,895,484
Closing Telecoms Customer Base (#) 500,531 508,777 (8,246) © 500,531 508,777 (8,246) © 494,823
Telecoms ARPU 24.5 26.3 8) @ 24.5 26.3 as) @ 26.2
Telecoms Customer Churn (18%) (1.6%) (0.2%) @ (12.0%) (10.3%) (1.7%) @ (17.8%)
Net Telecoms customer additions 2,307 (1,938) 4245 @ (6,044) 9,364 (15,408) @ (4590)
Number of Postal Orders sold 282,700 286,165 (3.465) —@ 1,713,825 1,741,929 (28,104) © 2,800,000

Forecast KPIs not yet available so actuals measured to budget


FS&T: P7 Trading Profit (0.1m) adverse to forecast; YTD (£2.0m) v budget

Telephony continues to underperform

£m Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Po ine Pot a4 40 40 (Os 9% 268 26.4 17
Travel Money 28 ar 6 7 189 208 (19) 10%
MoneyGram 24 23 155 180 05 2%
Telephony 144 184 B85 928 (4.2) 4%
Postal Orders 13 12 7B 7208 AY
Telco Overstatement 60 05 0.0 33 (3.3) n/a
Total Revenue 247 264 487A. 1844 e7)] ah
Cost Of Sales (84) (8.9) (52.0) (64.2) 22 2%
ekPa ons pes) __o
Staff Cost (10) (@a) (0.8) 5%
Staff & Agent Related Costs (0.1) (0.0) (0.2) 19%
Brand & Marketing (09) 05} nO) .
Consultancy & Advisory Services 1) (03) 12 1%
IT Infrastructure & IT Services o) @.) A « *
Managed Services 5 2.8} . 0
Postage on oo on om
Finance & Losses (00) 3) 60-28%
fag oe os
Trading Profit 7054914} 2.0) ah

* Travel hub revenue of £70k against forecast of £40k which relates to weekend true up. Remainder predominantly relates to increased branch currency sales.
* Actual volumes 280k v forecast volumes of 320k. Rate in line with forecast with blended rate of £6.13.
* ARPU remains below forecast due to retention discounts offered in period and lower ARPU across all categories for part of the month. These rose back up in the first week of P8. We are working with Fujitsu to understand what has driven this. Customer numbers at end of P7 of 500,531 v forecast of 500,844.
* Forecast for project opex spend in consultancy, of which £100k relating to database management has been spent in marketing. £100k forecasted for Eagle provision uplift but not required in P7 has spend on target for minimum commitment.
* Forecast included £0.2m credit for POI recharges which have been recharged below trading profit. Also action taken on contractors who rolled off programs in period.
* £200k forex gain in period

Telephony Analysis v forecast
Reduced customer gap from P6; similar ARPU gap

P1 P2 P3 P4 P5 P6 P7
End of period customer 502,996 501,222 499,367 498,429 497,707 498,224 500,531
Avg. customer 504,785 502,109 500,295 498,898 498,068 497,966 499,378
ARPU 25.7 23.7 25.0 24.5 25.2 24.4 25.1
Revenue 14,939,259 10,976,713 11,518,232 14,079,313 11,535,746 11,180,403 14,417,370
IP impact (adjusted in P2, P4) (754,000) 600,000 0 17,889 0 0 0
Accrued Income adjustment 300,000 0
Underlying Revenue 14,185,259 11,576,713 11,518,232 14,257,202 11,535,746 11,480,403 14,417,370
Underlying ARPU 24.4 25.0 25.0 24.8 25.2 25.0 1

End of period customer 500,844
Revenue 14,950,706
prac in budget
Restated Revenue 14,950,706
Restated ARPU 360
Underlying customer Gap (313)
Underlying ARPU Gap (0.9)
Underlying Revenue gap (533,335)
o/w volume (9,358)
o/w rate (523,977)

P7 customer gap to forecast only 313 - c. £10k. This is a decrease from 12.5k customer gap to budget at P6.

Underlying ARPU gap of £0.9 slightly down from £1.1 gap v budget in P6.

We are working with Fujitsu to understand what has driven this.

There are a number of emerging risks and opportunities which broadly balance, but which we are working through to confirm.


PO Insurance Scorecard

Actual Budget Variance RAG Actual Budget Variance RAG Budget
Policies Sold: Post cooling off period (k) 7 74 3 8 709 727 (18) 997
Policies Renewed (k) 26 26 o ® 170 172 @ 275
Policies in-Force "live" (k) 688 708 (20% © 684
Net Promotor Score (Post Office insurance) 33 36 3) @ 36

* Policies in-Force variance shows lower figure than total variances of policies sold and renewed as the policies
cancelled mid-term is doing better than expected.


POI: P7 Trading Profit +£0.4m to forecast; YTD (£1.2m) v budget

Travel insurance in line with forecast; general insurance favourable; YoY net income +37% in P7, +13% YTD

£m Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Travel insurance 14 18 (04) 14 00 8T% we 384) 2%
Car insurance 10 09 ot 09 o4 6% 65 64 o4
Van insurance 02 02 oo 02 oo @ 7% 15 14 ot
Home insurance 410 10 (0.0) 09 on 3% 87 59 02)
Life - Over 50s 10 08 oa 10 00 147% 45 43 02
Life- St 03 03 oo 04 (0.1) @ror 14 15 4)
Other insurance ot 28 oe oe oo We oa ot 28
Total Revenue 50 48 02 49 Of 29% 329 356 (27)
Cost Of Sales (0.8) (0.8) oo (0.9) o4 © A% (59) 5.3) (0.6)
Net Income 42400240 OR 8% za_%04 G3)
Staff Cost 7 8) (0.0) 5) (04) aim 69) 4) 05
Brand & Marketing 09) 4) (08) (10) 02 G) 55% BD 44 07
Consultancy & Advisory Services oor) o aot ist =H) HOY
IT Infrastructure & IT Services @ay 02) 01 @1) oo” 11% (ty (12) on
Managed Services 07) (0.8) 00 (0.7) oo (85) (5.9) 04
Other Oa) (02) 04 @4) 00 7) 12) 05 22%
Trading Profit 17 18 (0.4) 13 04 146 128 (4.2) 2%

* General Insurance (Car, Home & Van) £0.2m ahead due to stronger renewal performance on both volumes and income per policy.
* Term Life £0.1m adverse due to lower sales volumes and delayed aggregator launch (have now launched).
* £0.1m favourable due to true-up of Remark (Direct Mail) costs for Life Over 50s.
* Adverse due to project staff costs not meeting capitalisation criteria.
* £0.2m favourable primarily due to timing of activity and spend.
* £0.1m favourable as no Disrupter or Nike spend in month.

Identity Scorecard

Actual Budget Variance Forecast Variance RAG Actual Budget Variance RAG FO7 Budget
cross inoome £m 54 44 07 aq 106 @ 303 @ 502 473
Trading Profit m 6 477 9 oo oo
Paper Passport Volumes 849,194 @ 1,652,960 4,325,118
Paper Passport Market Share 28% e 26% 28%
Digitai Check & Send Volumes 1,287 18,571 (17,264) 400 1187S 128.523 @ 0
lUKVi Volumes 72202 61419 10,783 61419 «= 10783 @ 301,490 ® 402,998
[Secure Collect Volumes: 51375 45,610 5765 47,958 3AI7 EJ 213,665, & 301,080,
Frax Renewal volumes 09.418 519,234 160,164 506414 193.000 «@ 4 238.852 @ 6940514 6.057.814
Oy Renewal Volumes 33,208 24420 «8879 20101 «= 13,198 @ 198,042 213817 ° 289,504
Service Penalties £ 84,189 41.000 4to00 43.189 @ 329,726 287,000 ® 500,000
LoA2 Volumes 79409 38,263 78,959 ar 404,942 254,471 6 390,408
oA? Market Share iH 50% % 30% @ 50%
LOA 2 Conversion rate 56% 55% 1% e 54% 55% * e 55%
LOA Volumes 10193 18.593 7,102 301 4e8t0 92449 (43640) @ 180,211
LOA 1 Market Share 37% 40% 40% (3%) re) 33% 40% (7%) e 40%
1.oA 4 Conversion rate 75% 74% 74% % @ 78% 74% 0% 74%
Re-Registation Volumes 0 1,500 14,650 (14,650) & 23,244 10,057, 13,187 e 71,541 30,790
Services Live 18 20 20 2 @ 18 20 eQ @ 20 20

Identity - Over performance mainly driven from Home Office +£0.3m and Verify +£0.4m (Net
Income).

Home Office - Paper passport and Digital Check and Send Volumes are up against P7 forecast by
+20%. YoY volumes are down by (27%). PO market share has dropped YoY by (10%).

DVLA - Tax Vehicle volumes are up against forecast in P7 by +38% and 10yr Tax Renewals are up
+66% (this is expected to reduce back down in P8).

Verify - LoA2 volumes are in line with forecast in P7. PO remains Market Leader with 55% market
share and 56% conversion rate.


Identity: P7 Trading Profit +£0.7m to forecast; YTD +£3.2m v budget

Delay in Verify price decrease provided unexpected benefit


£m
Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Home Office 24 22 02 03Q@)-10% 166 153 13-15%
DFT/DVLA 06 05 o4 O14 13% 42 40 02 6%
Identity Services 06 04 02 33 28 05 33%
Verify 15 13 02 10.0 77 23 145%
Environment Agency 00 00 (0.0) 07 06 02 -9%
Total Revenue S41 44 07 348 303 44 41%
Cost Of Sales (0.7) (05) 0.2) G9) 4) (0.8) 64%
Net Income 44 39 0.5 30.9 27.3 3.6 Th
Agents Pay (07) 6) 04) 67)‘ 64) @3) n/a
Staff Costs (0.4) (02) @2) (14) 4.2) (02) n/a
Managed Services - Penalties (0.1) (01) 0.0) @4) 4) 01 0%
Postage (0.3) (0.3) 0.0 (21) 1.8) 03) 16%
Other 04 (@.1) 02 0.0 123%. (05) 8) 03-11%
Trading Profit 34 27 04 07 2% 20.8 477 32 8%

* BRP enrolments and Paper Passports are driving the Home Office strong performance (£0.3m).
In P7 we see the tail end of the BRP surge period.

Digital Check and Send has launched successfully with 2k+ completed transactions to date.

* Verify upside (£0.4m) is due to the new GDS pricing coming into effect from mid October rather
than the beginning of the month.

* Staff costs that are exceptional in nature will be re-classified in P8.


Identity: Home office & Verify


Home Office:

UKVI BRP was driven by the tail end of the student surge period (Sept- Oct) and the early effects of Brexit
leading to strong trading results (£0.2m). YoY volumes are up by 18%. The contract is expiring this
financial year and volumes will start to divert to the new supplier from P8

Volumes for Paper and Digital are 20% higher than forecast. YoY volumes have dropped by (27%). The
price differentiation that Home Office implemented earlier this year to its Digital Channel has lifted its
market share by 20% (YoY, YTD figure) whilst Post Office Paper channel has dropped by 10%.

[Chart: Verify income]

Verify:
Although LoA 2 volumes were on forecast, the upside of £0.4m was due to the new GDS pricing tiers
going live on the 3rd week of October (rather than the 1st). Two identity providers (Royal Mail/GBG)
dropped out of the Verify federation after the new call off which has led to an increase of market share.


Finance & Operations: P7 Trading Profit in line with forecast; YTD (£0.9m) v budget

£m Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Revenue 14 14 58 63 5)
“a ~ _ SB Heme nia
Income 4. 4 x 6. (0.4) 1%
Staff Costs a2) 3) @s) Ws) «00 ~=H
Staff & Agent Related Costs 3) 2) (6) 45) 02) 11%
Property & Facilities Management 3.4) (3.2) (209) (22.2) 13 14%
Postage 8) 8) 41) 4) 0.4) 5%
Stationery 7) 03 64 2 3) 27%
Finance & Losses (04) (08) (0) 64) 04 7%
Vehicles (0.3) (0.3) (1.8) (2.0) 02 2%
Other O41 __(05) (28) __@0) __(08)_4%*
Trading Profit (8.3) (9.0) (63.8) (62.9) (0.9) 2%

* Accrual for CWU pay award not included in forecast. Working through the full year implication on this but it's expected to be c £0.5m. This is partially offset by credits relating to prior year project spend showing in period.

* Rate refunds received and rent lease expiries not included in forecast. One off items not anticipated and we continue to work with BNP to better forecast these.

* £0.2m robbery losses from 3 unusually high value robberies offset by reduced cost in former agent and other losses. The increase in successful robberies is starting to be a concern and we may be seeing a risk to forecast. A further £0.1m loss related to ATM attack in P8. Rolling out fogging kits etc. during H2 as a counter measure.

* Credits from release of Croydon and other personal injury claims as Post Office deemed not liable. These high value cases have outlined that we don’t have an adequate provision policy in place and we are currently working on developing this to avoid any potential future costs and credits impacting trading.

* Overall in period costs are in line with forecast, but we are seeing some early risks & opportunities crystallising and netting out and do not see an overall risk to the forecast.


Operating expenses: IT

Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY

Staff Costs 0.5 0.5 (0.0) 0.5 (0.0) (23%) 3.4 3.5 0.1 (30%)
Staff & Agent Related Costs 0.4 0.0 (0.1) 0.4 (0.0) (94%) 0.3 0.3 0.0 (85%)
IT Infrastructure & IT Services 5.5 7.0 1.4 5.6 0.1 39% 48.0 53.0 5.0 15%
Managed Services 0.2 0.2 (0.0) 0.3 0.0 50% 2.2 2.0 (0.2) 22%
Consultancy & Advisory Services 0.0 0.1 0.1 0.1 0.1 2147% 0.8 0.7 (0.1) (65%)
Other (0.8) (4.2) (0.4) (0.9) (0.1) (104%) (0.8) (3.0) (2.2) (114%)
Total Operating Expenses 5.6 6.6 1.0 5.6 0.0) 53% 54.0 56.6 2.60) 13%

* P7 upside from £0.5m accrual releases from Computacenter incidents volumes as a
result of agreed settlement. Also lower ATOS volumetrics compared to re-forecast.
Incidents being driven down by service team to below 9000 for last couple of months
therefore release of £0.07m over accrual. Offset by security taking the full SOC cost
catch up of £0.4m YTD.

* Full year out turn in forecast expected to be (£2.5m) adverse to budget. Expectation
to minimise adverse variance to circa £2m.


Operating Expenses: HR, LRG, Communications, Group Change, Central

Timing of group change project recharges


HR Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Staff Costs 16 1.5 0.1) 15 (0.1) (6%) 108 103 (6.6) (1%)
Staff & Agent Related Costs 06 06 0.0 05 (04) (101%) 17 20 0.3 (27%)
Finance & Losses @2) 03 05 0.2) 0.0 (420%) 14 18 0S 20%
Other o4 oO 00) 04 (me 05 05 0.0) 21%
Total Operating Expenses 24 25 0.4 19 4) 15% 44.3 14.5 02 0%

* Timing of change spend being off charged to capex and exceptional projects. Therefore adjusted for in period in Central.

Period 7 YID.
LRG. ‘Actual Budget Variance Forecast Variance YoY ‘Actual Budget Variance YoY
Staff Costs 06 06 (0.0) 06 (0.0) (22%) 44 4.0 (0.1) (16%)
Staff & Agent Related Costs 0.0 0.0 0.0 0.0 0.0 (28%) O41 04 0.3 46%
Consultancy & Advisory Services 0) 04 0.4 0.0 0.1 (396%) 04 05 0.1 39%
Legal Costs 0.2 01 (0.0) 0.0 (0.1) (24%) O7 1.0 0.2 177%
Other (0.0) (0.0) 0.0 0.0 0.1 (213%) 0.3 0.4 0.1 0%
Total Operating Expenses. 07 08 04 0.7 (0.0) 2% 5.6 6.2 0.6 18%
1D
Actual Budget Variance Forecast Variance YoY ‘Actual Budget Variance YoY
Staff Costs on 0.2 0.0 02 0.0 ™% 12 14 1) (23%)
Staff & Agent Related Costs 0.0 00 ©.) 0.00.0) 87%) 01 0.0 1} 23%
Brand & Marketing 2) 04 03 0. 0.3 (389%) 14 24 07 37%
Other @.0) 00) 2)_—0.0 0.0 (506%) 0.1 4) (0.5) _ (65%)
Total Operating Expenses 0.2 0.3 04 0.3 0.4 294% 29 2.8 {0.0) Th
Actual Budget Variance Forecast Variance YoY ‘Actual Budget Variance YoY
Staff Costs 03 0) 3) 2) 4) G)40%) 05 0.2) (0.6) (62%)
Other 0.0 0.0 0.0 (0.0) _(0.0)_* (68%) 01 02 0.0 __ (52%)
Total Operating Expenses 0.3 0.0 3) (0.2) (0.5) (42%) 06 0.0 (0.6) (60%)
Actual Budget Variance Forecast Variance ~YoY ‘Actual Budget Variance YoY
Staff Costs (0.3) 03 06 02 05 Wrox) 1.6 22 06 (19%)
Finance & Losses. (0.1) 0.0 0.1 (0.4) (0.2) 282% (1.0) (4.0) (0.1) 12%
Growth Fund 08 08 0.0 08 00 © 35% 56 55 (0.0) (61%)
Brand & Marketing (0.1) 0.0 0.4 0.1) 0.0 09 05 {0.5} (43%)
Other (0.2) 0.0 0.2 (0.2) 0.0 191% 4.2 0.4 (4.1) 243%
Total Operating Expenses 04 44 4.0 0.3 0.2 (149%) 84 73 (4.4) (27%,

Operating Expenses: Summary

Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Retail uo) 113 02 109 = @.1) 6% 689 70.4 18 “5%
FS&T 52 47 (08) 52 on 2% 327 B68 -4%
PO Insurance 25 22 (0.3) 27 02 N% 15.5 17.6 24 -22%
Identity 07 0.6 (0.0) Os (0.2) Qs 43 42 (0.1) 40%
F&O 94 10.0 06 94 0.0) 17% 69.7 69.2 5) 2%
IT 5.6 6.6 1.0 5.6 0.0 35% 54.0 56.6 26 93%
HR 24 25 04 19 @1) 13% 430 145 02 70%
LRG 07 08 o1 0.7 (0.0) 2% 5.6 6.2 06 3%
Communications 0.2 03 on 03 on 75% 29 28 (0.0) 42%
Central O41 414 10 03 0.2 303% 84 73 (1.1) 29%
SPO 03 0.0 (0.3) (0.2) (0.5) © 11% 06 0.0 (0.6) -1748%
TOTAL 37.7 40.4 23 37.4 (0.3) 12% 276.8 282.5 87 1%

Actual Budget Variance Forecast Variance YoY Actual Budget Variance YoY
Staff Costs 16.7 16.1 (0.6) 15.8 (0.9) (0) 3% 109.9 107.3 (2.7) -3%
Staff & Agent Related Costs 14 12 (0.2) 1.2 (0.2) -168% 58 63 0s 3%
IT Infrastructure & IT Services 63 75 12 60 (0.3) 23% 531 57.0 39 10%
Property & Facilities Management 3.0 3.2 02 3.2 02 16% 21.2 22.5 1.3 12%
Managed Services 38 3.9 1 38 0.0 5% WA 273 0.0) -9%
Postage 1.6 16 (0.0) 15 (0.2) 17% 18 11.3 (0.5) -12%
Brand & Marketing 29 3.0 o1 34 05 27% Bil 147 17-85%
Consultancy & Advisory Services 04 08 03 0.9 05 15% 45 5.0 05 -56%
Legal Costs 0.2 0.2 0.0 0.1 (0.1) 27% 13 17 04 49%
Finance & Losses 11 27 1.6 14 0.2 66% 15.5 17.9 24 8%
Other Operating Costs 02 (0.2) @4) O11) 68% Ba 115 (1.9) 17%
TOTAL 377404 23 37.4 (0.3) 12% 276.8 282.5 57 A%

Notes:
• Timing of marketing spend and activity.
• Staff costs that will be charged to change project in P8.
• Group change spend which will be off charged to projects in future periods.
• See slide 19 for detailed analysis of P7 staff costs.


Operating Expenses: P7 Staff Costs v forecast

Actual Forecast Variance Actual Budget Variance
Retail 75 75 0.0 46700 45.1 (15)
FS&T 1.0 0.8 (0.3)@ 64 5.6 (0.8)
PO Insurance 07 0s (0 @ 3.9 44 05
Identity 04 0.2 (0.2) @) 14 120 (0.2)
F&O 42 41 wonG@ 29 299 0.0
IT 0.5 05 (0.0) 3.4 35 0.1
HR 16 1s (0.1) 108 103 (0.6)
LRG 0.6 06 (0.0) 41 40 (0.1)
Communications 01 0.2 0.0 10 1. ot
reus Change e oni ag oe on) on
TOTAL 16.7 15.8 (0.9) 109.7 107.3 (2.5)

Notes:
• Forecast included £0.2m credit for POI recharges which have been recharged below trading profit.
• Relates to contractor resource working on various POI projects which were expected to be capitalised (hence not in forecast). No material future risk deemed for remainder of year.
• Digital Identity project exceptional costs which will be offcharged to project in P8 hence no risk to trading profit.
• Accrual for CWU pay award which has not been included in forecast.
• Timing of change spend being off charged to capex and exceptional projects. Therefore adjusted for in period in Central.

YTD spend is overall on track with latest forecast, but with key variances in individual projects in Retail,
F&O & IT.
616 Forecast 6+6 Forecast Actual Forecast Forecast FY1819 1819
Retail 5538 1 494 oi 57 57040328
Mails Programmes O41 06 (0.5) 05 (05) - . : - :
Cash & Banking Services . - - - .
Bill Payments os Os (0.1) 25 2 (oa) - - - 1
Automation 03 03 (0.0) Ww 17 (0.9) oa on
OMB 1a 1 03 wi ns 03G) 47 47 a3 97
Network Development 19 18 o1 90 89 oa 10 10 . 20 20
Network Transformation 1842 03 ae 888 : . . . .
er Retal 03 od (000) 3837 (00) - - - os . " -
Financial Services & Telecoms 49 2305) _ 335 33.95) 00) 325
Fag! 03 Oa (0.1) 08 08 (0.1) a - 3)
Telecoms 03 os (0.2) 54 55 (0.1) as 8s (00) 13.7 116
Other 13 15 (0.2) 73 75 (0.2) (0.1) (0.1) 0.0 (0.3) 09
wen O32 ot S335 __04 _06 cnet 48
TS Digital 88 oF (0.9) 554 563 (0.9) 1624 (0.8) 6D 73. (gga
EUC Branch Deployment 05 16 (2) wis ile OS mr 08
IT Back Office 212s 137 - 0a os -
IT Networks (0.2) - 0.5) (0.2) . . - -
Other IT 24 13 02 fo) 1.3
prclest Everest ae 13 08) 7 “0
Relecamart of Counter Recap ip rrr 13 0a 04 07 os
Fnsnca h Ops 09 ot
Finance 02 O38
Operations 02 oa -
Property 02 18 6
Supply Chain 03 00
Human Resources oa 09 2a a5 35 4 aa
Legal Risk & Governance 1g 48 (0.0) 309
Central 0205 (03) 03 :
Grand Total 206 228 @2 ao 186 3) 364 a2.
Anticipated savings or slippages to FY29/20 : - ~
Total Change FY 2018/19 20.6 22.8 (2.2) 143.0 445.2 (2.2) AB 18.6 {0.8} 36.4 40,2
o/w
Capex wea 14.7 @39 84.2 (0.3)
Exceptional 61-80 591 610 {19)

Notes:
• Variance combines two attributes: £1.3m adverse in Onerous contract provision due to successful sublet of branch, as well as a change of accounting treatment for three vacant leases. Offset by £1.6m of property sales as forecasted but not yet recognised as correct accounting treatment is being agreed.
• Project has been completed. Final cost will be recognised upon cost reconciliation with suppliers in November.
• Overspend due to AEI payment for earlier than forecast completion of Central Infrastructure upgrade.
• Cloud dual run costs being pushed lower than forecast by combining build and maintenance 3rd party costs.
• Underspend caused due to delay in business case approvals related to security systems upgrade projects.
• Delay in recognition of Everest restructuring credit whilst accounting treatment is finalised (timing).
• YTD Benefits are £1.5m adverse to budget, mainly attributable to PO Insurance delay in benefit realisation.

Cash Holding Position

Columns: Prior Year Period 7, Year End, Prior Period, Reporting Period 7, Variances (v Prior Year, v Year End, v Prior Period)

Network Cash Inventory (before Demonet.)
Branch
£ Cash Holdings 4035 I 471 (53.7) (74.8) (42.1)
FX Cash Holdings 82.0 (123)
Total in Branch 5. (.
Cash Centres
Inward Rems 724 212 53.4 49.9 (22.2) 287 (3.2)
Outward Rems in Transit 36.2 552 28.9 408 46 (144) 11.9
Machine Room Awaiting Processing 25.4 35.4 144 48 (206) (306) (9.6)
Old £1 Coins 46 1 04 04 (4.2) (0.7) -
Total in Cash Centres 138301129 96.8 96.9 (42.4) (17.0) (0.9)
Total - Buffer (Cash Centres) 108.2 134.5 65.5 52.3 (55.9) (82.2) (13.2)
Total - Other 285 34.2 27.4 29.5 1.0 (17) 24
Network Cash (before Demonet.) 883.3 © 881.8 755.2 718.8 I (164.5) (163.0) (36.4)
Funding Position
Cash Available to Treasury o7 04 06 07 1.0 08
Government Loan (588.0) (623.0) (692.0) 18.0 530 1220
NRF Usage (2347) (2376) (156.6) 70.4 73.0 (8.0)
WC Funding Network Cash Inventory (613) (216) 92.8 757 360 (78.4)
Net Funding Position (e833) (881.8) (755.2) “4645 1630384

Notes:
• Branch cash holdings remain under im.
• Government loan reduction of £122m from prior period as received Q2 investment funding in P7.
• Net funding position has reduced by £164.5m from P7 in prior year.

Balance Sheet & Headroom

Balance Sheet
£m Period 7 Period 6 v P6 P12 FY17 v P12 Period 7 FY17 v PY
Fixed Assets 524 531 @) 478 46 451 73
Debtors 354 365 (19) 336 18 315 40
Cash 573 618 (45) 655 2) 661 (87)
Creditors (561) 20] anh tse) 28 sea] 22
Pension Surplus 3 3 : 3 0 1
Provisions (60) 62) 3 (66) 6 (65)
Other 1 10 A 9 1 8
Loan (570) (692) 122 (623) 53 (588) 18
Net Assets / (Liabilities) 274 253 2 204 n 200 75

Balance Sheet Headroom
£m Period 7 Period 6 v P6 P12 FY17 v P12 Period 7 FY17 v PY
Government Loan - Available Amount 950 950 : 950 : 950
Government Loan - Drawn Amount (570) (692) 122 (623) 53 (588) as]
Headroom 380 258 122 327 53 362 ae]
Target Minimum Headroom 200 200 : 200 : 200
Headroom Above/(Below) Target 180 58 12 127 53 162 18

Note: Balance sheet headroom of £180m, £53m increase from P12 and £18m up from P7 prior year.

Security Headroom
£m Period 7 Period 6 v P6 P12 FY17 v P12 Period 7 FY17 v PY
Network Cash 554 599 (44) 644 (90) 649 (24)
Cash at Bank - POL 1 1 ° o 1 0 1
Client Debtors 146 133 6 132 “4 141 5
Trade & Other Debtors - Business Debtors 205 229 (23) 188 7 170 35,
Total Security 907 961 (54) 964 ) 960 (53)
Government Loan (570) (692) 122 (623) 53 (588) 18
Santander (95) (4) (I__ 09) 5 (104) 8
Total Obligations (665) (786) qa (723) 58 (692) 26
Headroom 242 176 66 244 i 269 27)


POST OFFICE LIMITED PAGE 1 OF 10

GROUP EXECUTIVE NOTING PAPER

Retail Strategy Progress Update

Author: Ed Tucker & Tom Moran Sponsor: Debbie Smith Meeting date: 27 November 2018

Executive Summary

Context

The Board approved our customer-focused Retail Strategy in June 2018. It used
customer, agent and market analysis to demonstrate why we need to focus on three
key areas: new, segmented formats; better franchise relationships; and being best in
class in our core markets through automation and digitisation. This paper updates on
progress in implementing our strategy. It also provides context for the Retail Strategy
funding request of £12.8m.

This paper does not cover topics which are critical to delivering our Retail Strategy but
have been covered elsewhere, notably the acquisition of Payzone, negotiations with
RMG, the new Banking Framework, and our ongoing franchising of the DMB network
including the recent deal with WH Smiths.

Questions addressed in this report

1. What is the challenge and opportunity?

2. What progress have we made since June?

3. What difference will the Retail Strategy make to our customer, postmasters and
business performance?

4. What approach are we taking to implementation and what funding do we need?

Conclusions

1. Our Retail Strategy called out a significant risk to our sustainability due to our
proposition not being attractive to retailers. It also set out a unique opportunity to
be even more relevant to customers, and commercially sustainable for Post Office
and agents.

2. We have been developing our new formats, trialling elements of them and
reviewing and developing our franchise support model as well as investing in
automation and digitisation to become best in class in our core markets.

3. We believe our planned initiatives will improve our Retail Value Proposition, better
meet the needs of our customers whilst making us more attractive to agents, and
create a more sustainable business for the future, delivering an incremental £5m
EBITDAS from the Retail Business Unit by 2021.

4. The implementation is split into two tranches: Strengthening the current retail
proposition to be more relevant to customers and better for agents now ensuring
we deliver our 11,500 branch commitment to government to 2021; and Building
our new retail proposition that will significantly improve our proposition for agents,
customers and Post Office. We are rolling out these initiatives as they become
ready and will be trialling new formats over the next year. This will cost £12.8m.

Input Sought: To note the progress and approve the funding request in the linked Business Case.

Input Received: The Retail Lead team as well as colleagues from FS&T, Finance, Operations.

What is the challenge and opportunity?

1. Changing customer behaviour and rising wage costs, which directly affect Post
Office viability for agents, are increasing churn and reducing conversion rates for new
postmasters. It is increasingly difficult to maintain our network of 11,500
branches. On our current trajectory, by 2021 we will have 840 more
Outreaches and 440 more temporary managed branches than today. This will cost an
additional ~£21m p/a by 2020/21 from higher agent pay and lower sales, plus the
cost of churn. This EBITDAS gap is a symptom of this challenge.

2. However, we have a number of key strengths that will help us - a profitable
business and strong brand recognition. We are confident we can seize the
opportunity to be more relevant to customers if we are willing to be sufficiently
radical, embracing new formats, transforming to a ‘more traditional’ franchise
business and investing in the digitisation and automation which customers and
agents now expect from any retailer, increasing our Retail EBITDAS from £127m
today to £132m in 2020/21.

What progress have we made since June?

New, segmented customer-led formats:

3. We have simplified our proposed formats to four: Post Office Plus; Post Office
(New) Local; Post Office Express; and Payzone. We have discounted a stand-alone
‘SSK’ as a format following further modelling which showed that it would be
economically unviable:

1. Plus: Complete Post Office product range. Highly automated customer journeys
with open-plan counters and removal of combi-till;

2. New Local: Focus on core offering mails, bill pay, banking & travel. Introduction
of ‘catalogue’ products based on local customer need and automation for larger
Locals.


3. Express: Delivering convenient, low-cost access to collections/returns and an
option to add a bill pay proposition. We are targeting a delivery cost of under
£500, as Deutsche Post have already achieved this in Germany. We see Express
as being core to building a future sustainable network and have therefore
prioritised Express and digitisation of Mails with the aim of launching Q2 2019.

4. Payzone: bill payments and limited non-RMG mails collections & returns.

4. We have trialled key aspects of our new approach to formats, notably:

• New branches in urban locations: 14 new Locals in London have now been
running for 6 months, showing high (1000+ per week) customer sessions
without any discernible impact on nearby existing branches (typically just 2-3%),
generating an additional £63k profit to POL (£4.5k per branch p.a.). This
increased volume is, in part, coming from our competitors and demonstrates that
we should continue to prioritise urban expansion without fear of cannibalising our
existing branches (in urban areas).

• ‘Catalogue’ products and Field Team support: 11 London branches now
have on-demand travel money with dedicated field team support - these
branches have seen a 26% increase in demand and a 50% increase in
transaction value, compared to a similar size control group that didn’t receive
field team support. 5 of the branches also have Parcelforce International 2kg+ (a
‘catalogue’ product that is usually not sold in Locals). This has delivered an
additional 2% remuneration for the agents and a new service for customers. It
has demonstrated to us the value of how a customer / demographic approach,
supported by field teams, will increase value for agent and Post Office.

• Developing the BluePrint: The BluePrint provides a plan for every branch
(close/relocate/change format/leave as-is). It will enable us to pro-actively
manage our network to better meet customer needs as banking and mails
volumes change. This comprehensive view will allow us to reshape our network
post-2021 to be more convenient for customers and more efficient for us.

• Mains to Locals (initial roll-out): We are targeting transitioning ~1,800 Mains
to Locals. This will provide POL with up to £18m cost saving, as we save ~£10k
per branch p/a by moving Mains to Locals with reduced pay rates. We are in
discussions with various Multiple retailer partners around transitioning some of
their Mains to Locals. We have found the Mains run by independents are more
difficult to transition to Locals. However, we believe we now have a more
compelling proposition for agents, by using automation and giving back retail
space we can reduce their operating costs and increase convenience sales.

5. We have concluded a joint FS&T-Retail review of FS&T sales through the Retail
channel and will be recommending the following:
• In the current network we will continue selling MoneyGram, Travel Money, Travel
Insurance, Postal Orders and Phonecards.


• Restrict selling of Insurance (excluding Travel) and Homephone & Broadband to
Mains only. This will benefit 2/3s of the network by removing compliance and
training requirements and has a minimal P&L impact (£51K DPC over 3 years).

• As we develop our new network (Plus/New Locals/Express) we will focus on
Mails, Cash, Bill Payment and Travel, not FS&T products. MoneyGram, Travel
Money and Travel Insurance would be offered in all Plus branches and in
appropriate Locals, based on location and customer demand. Express will not
have any FS&T products. These changes will not materially impact P&L during
3-year funding period.

• All the above to be underpinned by significant improvement in our ability to
generate leads effectively in branch.

6. Digitisation & Automation: Automation, Digitisation and HIH are key enablers of
these formats:

• Automation: There are currently 30 self-service machines deployed in our
agency network. We will start to move them onto commercial terms, where the
agent will realise ~£4k - £7k staff cost savings (net of the £5k p.a. SSK rental
fee). We are also procuring the next generation of significantly lower cost
SSKs and have already secured proof of concept machines to inform
our procurement, which will complete in November 2019 following an OJEU
process, with plans to deploy 20 SSKs per month from January 2020.

• Digitisation: Digitisation, particularly in Mails, will increase customer
convenience and drive significant mails volume growth through the Express
format. We have already completed the advisory function of a customer app and
are working towards a full launch in March 2019, which will include the ability to
buy postage online. This is subject to technical and commercial agreement with
RMG.

• Horizon Integration Hub (HIH): This is the platform that allows us to be
agnostic, enabling us to make changes to our network quicker and at lower cost.
We have re-prioritised the stack to do the Mails products first, thus enabling
us to deliver Post Office Express earlier.

Strengthening & Transforming our franchise relationships

7. Agent Remuneration: Over the medium-term we will reduce the agents pay cost
by transitioning Mains, Community and Legacy branches to our lower/variable cost
formats such as New Locals and Express. However, we need to make a targeted
investment in agent pay now, in order to ensure stability in our network, retain
agents and motivate postmasters to sell and offer products & services, notably
banking.

8. An across-the-board agent pay increase would have minimal impact, as the
benefits would be spread too thinly. Instead, we need to target increases in
remuneration which, when combined with other measures, will reduce churn,
retain Multiples, and increase conversions to Locals.

9. From external benchmarking there are three potential areas of focus in order to
best target the agent pay increases; more work is needed to agree these:

• Rewarding retailers that host more post offices; following analysis we propose to
pay retailers an additional fixed payment of ~£10k per 25 post offices they run.
This incentivises multiples and symbols who tend to be more sustainable.

• Reward achievement of customer and operational standards, such as: Branch
Standards; Customer Service; Conformance; Online Tests completed in advance
of deadlines; Mails Segmentation; and Attendance at training events. If
branches hit the requisite standards they would receive a 5% bonus.

• Reward sales growth, above expected levels, through increased share of profits,
rewarding our most entrepreneurial agents of all sizes. So for instance, this
might increase commissions for bill payments above a certain level. This could
drive agents to switch from utilising their Post Office AND PayPoint terminals to
just using the Post Office.

• Complementing these changes, we are also increasing the remuneration to
agents from banking.

We have made the following progress on the other 5 aspects of our franchise
relationship:

10. Recruitment: We will simplify and digitise the application process for agents from
April, to reduce the 46% drop-out rate.

11. On-boarding & Training: We will digitise the induction training, adding video
content to make this more accessible to new agents and their assistants. An agile
project will run from November to June to implement these changes.

12. Field team structure: We will re-structure and strengthen our field sales team to
support all postmasters as currently only a third receive support. We will create a
localised structure and the number of front line field team will flex within each
area dependent on the mix of formats within a geography e.g. higher density of
low support PO Express formats will require less support. We will implement the
new structure in April 2019.

13. Engagement & Comms: Our Agent Portal will be introduced in November,
initially to log and follow-up on IT issues, but with plans to add essential support
such as cash, coin and stock tracking and order management, chat bots for
common questions and essential information and support for branches. This is
expected to replace the need to contact the NBSC, significantly driving down the
current c.30k calls per period and giving branches instant access to help in a
visual way.


14. Branch Performance: We have created a Branch Insight Tool which provides
field teams with Case Management data, so that local support teams can address
issues and offer support in a targeted way. In addition, we are creating a
scorecard measuring the key elements of a stable branch network, such as
resignations, audit closures, branch dissatisfaction, etc.

15. As we trial Post Office Express and others we will adopt the above franchise model
new ways of working.

What difference will the Retail Strategy make to our customer, postmasters
and business performance?

16. For the agent: The changes we are making to pay, formats and digitisation &
automation will undoubtedly make our proposition more attractive to retailers by
increasing their income and reducing their costs. Much of this has yet to be proved
on the ground and we are moving fast to test and learn this over the next six
months so that we can rapidly move to full deployment.

17. The table below shows the improvement in agent profitability as a result of the
Retail Strategy (excluding retail cross-sell benefit). To take an example of a large
Local with £30k of retail sales per year (the red box in table below): The agent
goes from a ~£6k loss to break-even. This is achieved by a combination of
increased agents pay and use of automation to reduce their staff costs. Retailers
of this size tend to be vibrant and sustainable Multiples and Symbols and are an
appealing segment for Post Office.

Figure 1: Agent Profitability for running a Local, pre and post Retail Strategy

[Figure 1 is a table of agent profitability by retail sales and branch size; its values did not survive extraction.]

18. You will notice that we have not increased agent profitability across the board:

• For example, running a post office for very large retailers (£50k+ retail sales)
will improve by £1k p.a. but will remain unprofitable, as it’s too costly to make
them profitable.


• Smaller turn-over retailers that host a post office will receive minimal
improvements in agent profitability, as we have relative strength with this
segment already.

• Plus and (existing Mains) operators will benefit from Automation and Digitisation.
As such, we won't be providing additional pay increases or ‘Standards’ payments
for them.

19. For Post Office: The Retail Strategy initiatives will drive £5m incremental
EBITDAS benefits by 20/21, with significantly more benefits post-2021.

Figure 2: Modelled impact on Post Office EBITDAS of Retail Strategy Update

[Figure 2 is a chart whose bars and values did not survive extraction.]

20. The Retail Strategy initiatives will deliver:

• £2m EBITDAS improvement from ‘Revised Network forecast’. The outturn looks
more favourable than June forecast with 70 more NNLs vs June Forecast and a
more favourable churn trajectory. Each NNL saves POL £15k per annum versus
an Outreach.

• £4m improvement in EBITDAS from ‘Mains to Locals’. The shift from small Mains
to Locals, enables us to receive £5k income on Automation per branch and
reduce pay by £6k from the lower Locals rates. Agents will also be £9k better off
due to reduced staffing costs.

• £3m improvement in EBITDAS from ‘Churn and Policy changes’, as the improved
franchise Model, On-boarding and Field support will lead to reduction in churn
(~90 in temps and outreach), in addition to more post offices in urban locations.

• There is a £4m EBITDAS drag from the targeted increase in Agents Pay.


• Once we’re in full roll-out mode (post-2020/21), we are confident that the
initiatives we’re implementing will deliver a further £16m EBITDAS improvement.

21. For Customers: The Retail Strategy proposals will respond specifically to
customer feedback.

• More locations providing increased convenience for customers and greater
choice.

• Express and automation enabling customers to more easily and quickly complete
their transactions

• Digitisation enabling customers (particularly younger customers) to more
conveniently complete their transactions

• Better franchise relationships will result in better customer experience

22. By having more locations providing increased convenience for customers and the
proposition, particularly for Mails Collections and Returns will be quicker, simpler
and easier. where deliver a Post Office that is more accessible to our customers
with an additional ~15k locations than today. Many of these locations will be in
urban and sub-urban locations, where our customers live and work. In addition,
the majority of our locations will be open extended hours, offering even greater
access than today. The increased access for Home Shopping Returns and
Collections, combined with digitisation and automation, will specifically appeal to
younger customers.

What approach are we taking to implementation and what funding do we need?

23. We have developed a twin-track approach to transitioning: The first tranche is
focused on improving and strengthening our current network in order to maintain
our 11,500 branches over the 3YP, without excessive reliance on Outreaches and
temporary managed branches. We identified and evaluated 14 potential activities
to deliver the £7m EBITDAS improvement. This produced four key activities: Small
Mains to Locals; SSKs into Mains; SSKs into existing busy Locals; More Locals in
city centres. We plan on progressing with these as quickly as possible, but without
causing disproportionate ‘noise’ amongst our stakeholders.

24. The second focuses on transforming the business for the future, developing the new
models, new technology and new franchise relationships that will allow us to
increase our network size through new formats post-2021. The latter requires us
to develop and secure government endorsement for new, customer-focused
definitions of a ‘Post Office’; we will start that discussion with government shortly.
We also need to set out our proposal for a post-Network Subsidy Payment —
maintaining our Community network will cost Post Office c£50m p.a. (or roughly
halve our projected profit) by 2020/21.


25. We are prioritising the following three areas: Mains to Locals (which will generate
financial headroom); Express (to build a larger, more accessible network) and
maintaining the existing network (creating a more sustainable network and
reducing the cost of churn). To ensure agent support during this key test and learn
phase we are proposing some incentivisation to encourage agents to work with us.

26. Subject to funding approval, we are mobilising cross-functional teams covering
technology, network, brand, operations and products.

27. Consistent with transformation methodology we are deploying test and learn
focused trials. In particular we have targeted an area from Milton Keynes to
Nottingham consisting of 160 branches. This area is representative of the UK as a
whole.

28. Our work over the past 6 months has helped crystallise a clear way forward for the
implementation phase of the Retail Strategy (see roadmap below). There are some
areas where we are ready to roll-out improved solutions to our customers and
agents, for example around sales & service support and Agent’s Pay. However, the
pace of roll-out in some areas is constrained by the c18 months it will take to
procure and test the next generation SSKs, as the new SSKs are a key enabler of
areas such as New Locals and Small Mains to Locals.

Figure 3: Retail Strategy Activity Plan

[Figure 3 is a year-by-year activity plan (columns include 2020-21 and 2021-22) whose layout did not survive extraction.]


Funding request
29. We are requesting £12.8m until the end of March 2020 to: develop and roll out new
formats, continue Sales Support, Onboarding and Franchise improvements, and
procure the next generation of SSKs.

Appendix

Figure 4: Retail Strategy Implementation Plan

[Figure 4 is a timeline chart whose layout did not survive extraction. Legible labels: 2020-21; 2021-22; Recruit and induct project team; ENABLERS; Agent portal; Banking transaction - Increased agents' pay; Regional support teams; SSKs in existing busy branches; IMPROVING THE EXISTING NETWORK; Mails digitisation; Retailer EPOS availability; New Plus format - trial [year illegible] and rollout; New Local format (STRAIGHT TO DEPLOYMENT)*; Adopt blueprint. The accompanying footnote on the development phase is illegible.]

COVER SHEET ONLY

Marketing Effectiveness,
Efficiency and Relevancy

Author: Emma Springham Sponsor: Owen Woodley Meeting date: 12th November 2018

Executive Summary

Context

The new CMO Emma Springham joined the Post Office on the 4th September. The
purpose of this paper is to present to the GE and POL Board fresh-eyed thinking on
our marketing effectiveness, efficiency and relevancy.

Challenges today:

* Product driven structure leading to low cross sales - 4.3 million active
customers with only one product holding (85% of the active marketing
database).

* Slow to market, duplication of tasks and lack of ownership across the team.

* We urgently need a brand strategy and guidelines for Apps, web and the
network.

* Our website (shop window) is broken, under-invested and under-resourced
leading to reduced conversion.

* 'Campaign-driven' rather than 'always-on' marketing strategy.

* Currently we only report on digital marketing performance and have limited
end-to-end management information/tagging/tools in place to fully report on
performance.

* Brand, Insight and Social is managed outside of the Group Marketing function
which is leading to competing priorities.

What we are trying to achieve:

* Massively increase our marketing maturity, capability and pace of delivery.

* Remove duplication of activity and drive much greater consistency for
customers.

* Raise the bar significantly around the quality of the customer/user experience.

* Ensure a joined up approach to management information, customer data and
the development of customer journeys.

* Improve the efficiency of our marketing spend.

* Start moving the focus away from product stovepipes and towards customer-
led propositions and interactions.

* Move to disruptive and relevance marketing strategies to make impact in a
crowded market.

* Channel budget ownership to increase response to market conditions.

* Greater spend on SEO and content marketing to reduce dependency on
affiliate, aggregator and paid search.

Questions this paper addresses

1. Are we delivering best in class marketing effectiveness?

2. How efficient are our marketing activities?

3. Is the Post Office brand relevant today?

4. How do we differentiate our brand in a crowded market coupled with competitor
spend far outreaching the Post Office?

5. Can Insurance meet their growth targets through marketing?

Conclusion
1. Marketing Effectiveness

The central marketing data ecosystem is complex,
manual and time consuming. Marketing and sales
management information is misaligned. We only
measure paid digital data.

Highest spend is in affiliates, aggregators and paid
search (53% of total YTD media spend) which often
attracts short term customers. Post Office has a
small investment in natural search (SEO) and
121/on-boarding customer communications.

2. Marketing Efficiency

[Chart: Media Spend 18/19 (YTD) by channel. Legible labels: Aggregators, Paid Search, Out-of-Home £2.1m.]

Our current segmentation model does not go far enough and we push solo product
messages to customers. We need to build on our current segmentation to expand our
relevancy and grow our audience:

* Propensity
* Lookalike
* 121 Marketing

Changes in circumstances are the biggest trigger to purchase. Using insurance as an
example, what are the life moments that increase propensity to purchase?

* Child aged 0-4
* Bought a home
* Bought a car
* Divorced
* Lost a loved one
* Starting a business
* Entered retirement


3. Post Office Relevancy

Post Office is one of the most trusted brands in the UK and there is public outcry when
a branch is closed, but only 51% of consumers agree Post Office products and
services are relevant to them. The Post Office is struggling with salience:

* 8% Mortgages
* 14% Broadband
* 23% Financial Services
* 31% Travel Insurance

Between 2014 and 2017, only one in ten brands grew.

* 37% think Post Office is modern and up to date
* 57% think Post Office is a brand I feel no duty to support
* 33% of millennials consider Post Office is a brand for me
* 43% think Post Office is a brand for me
* 33% think the Post Office is easy to do business with

“If we don’t change the way we think, we will lose a whole generation of customers.”
— Nicholas Cooper, VP IKEA.

4. Create disruption in the market
Marketing blends into the market often using price and incentives to drive demand.

With competitor marketing and media budgets much higher than ours (BT £93 million
v £12 million Post Office annual media spend), the Post Office needs to be disruptive
and look at new channels to make an impact.


5. Can Post Office meet insurance growth targets?

POI are currently behind target (ambitious growth targets yoy):

Insurance Performance

[Table; the column headings are largely illegible in the source. Legible heading fragments: "18/19 Actuals", "18/19".]
Travel Insurance £5.7m -14% +38%
Term Life Insurance £0.4m -22% +464% +73%
050s Life Insurance £0.3m -35% +233% -4%
Motor Insurance £0.7m -22% -24% +31%
Home Insurance £0.8m -21% 12% +14%

Rationale for under-performance vs target:

Travel insurance contributes to 70% of the POI Digital Income therefore its
underperformance impacts POI business unit as a whole.

Travel Insurance down vs target due to lower market demand (-10%) and pulling
back on investment due to lack of confidence in media agency strategy.

Term Life marketing investment was re-phased due to lack of confidence in media
agency strategy and prioritisation of Travel CVM activity over Life.

Over 50s Life down due to response from DRTV being below previous expectations
due to competitor brand bidding in paid search, decline in competitiveness of incentive
and offline taking a higher proportion of responses than planned.

Motor and Home insurance investment scaled back to drive in-year efficiencies.

Travel Insurance annual policy renewals are at 17% highlighting the opportunity to
focus on renewals.


[Chart: POI Marketing Digital Sales - (POI) Share of Paid Digital Sales. Legible text: "Affs & Aggs", "21%", "Paid Search", "61%"; the remaining labels are not legible.]

Marketing spend is currently focused on:

* Short term lead generation activities to drive volume - Affiliates, Aggregators
and Paid Search. Only 21% of sales are driven organically.
* Support by DRTV for the over 50's life insurance.
* Press and outdoor to support travel insurance.

Marketing Support

* Insurance marketing FTE is limited and based on short term contractors.

* There is CVM/CRM functionality but it is only used for the quote stage of the
buying process.

* New entrants into the market are using disruptive marketing to create stand out,
for example Dead Happy - www.deadhappy.com

* The insurance website needs investment to support lead conversion. This should
not be done in isolation from the central marketing team. Mortgages used an external
agency and performance has been affected.

EXIT RATE 49.9% +19.8%
BOUNCE RATE 17.2% +152%

Short term: Created an a/b test strategy to deliver a number of quick wins.
Long term: relook at the end to end journey and optimise.

Opportunities and considerations

* Increasing investments in SEO and content to grow awareness of products and
reduce reliance on paid channels.

* Focus on CVM to drive retention, cross-sell and upsell of products (current Travel
Insurance annual policy renewals are at 17%).

* Ongoing conversion funnel optimisations (to address 60%-70% drop out at quote
stages).

* Product considerations: considerations around product competitiveness especially
with regards to Travel Insurance.


Appendix

1. Data Eco System is complex and manual

The central marketing data eco system is complex, manual and time consuming.
Marketing and sales management information is misaligned. We only measure paid
digital data:

[Diagram of the marketing data ecosystem; only the label "Salesforce" is legible.]

2. Presentation for GE - Available in the Reading Room


POST OFFICE LIMITED DECISION PAPER
GROUP EXECUTIVE

Security Strategy

Author: Bryan Littlefair (external) Sponsor: Rob Houghton/Mick Mitchell Meeting date: 12 November 2018
Executive Summary
Context

Since 2016 we have invested a total of £3.5m in our IT security capability to move us further
towards risk appetite and respond to internal and external security assessments. We have closed
33 issues from the original 37 that were identified in the 2016 Deloitte Risk Audit. The outstanding
actions are all due to be completed by Q1 2019. The business is investing heavily into digital
transformation which requires increased security capabilities. We have held detailed security
workshops with our strategic partners and this paper outlines the required people, process and
technology investments that make up the next phase of security maturity.

Questions addressed in this report

1. What capability has the £3.5m level of investment delivered - are we now within risk appetite
and fulfilled Deloitte’s risk audit?

2. What's our target capability and why?

3. What are the activities, options and investment required to get to target capability?

4. Do we have the capabilities to close the gap?

Conclusion

1. We have significantly improved the risk posture of Post Office (PO). We have created our
internal security operations centre to collate all of the technical security information from PO
and our partners, and closed our greatest risk areas. We have closed 33 out of 37 audit issues
but more still needs to be done given the accelerating demands.

2. Our target capability is to achieve a pragmatic but effective security posture across PO, which
aligns with our North Star to introduce new technology and digitise the PO. Pragmatism,
investment and risk appetite need to be carefully balanced.

3. We have investigated the various options from "remaining as is" to achieving the benchmark
state of others in our sector. We have held detailed workshops with our strategic partners,
who have ratified our approach. We have also conducted ethical hacking exercises on PO
which have further highlighted the requirements to increase focus and capability on security.

4. The recommended approach is to harmonise the existing security teams currently spread
across five different functions within the business and create a single security function under
one CISO (Chief Information Security Officer) and to achieve the minimum security baseline
in regards to people, process and technology requirements in Post Office which is in line with
the benchmark state of similar companies to ourselves. This approach will be prudently
managed but will require further incremental investment to attain this parity.

Input Sought

The GE is asked to note and endorse the direction set out in this document to present to the
board. A paper will be presented to CAG requesting seed funding to provide the full details for
the provision of the costs for both process security changes and technology changes from our
suppliers. However, there are key initiatives that PO needs to own and drive such as embedding
a security culture into the organisation. Progress will be reported to the GE and board in six
months’ time.

The Report

What capability has the £3.5m level of investment delivered - are we now
within risk appetite and fulfilled Deloitte’s risk audit?

1. External assessments of our security posture were previously conducted by Deloitte. The
findings of these assessments have been embedded into our current security transformation
project and good progress has been made on the remediation. Figure 1.0 demonstrates the
areas of the Deloitte audit where progress has been made. Progress has been slower than
planned or anticipated. This is largely due to the complexity of the supplier mix within our
domain and the hugely outsourced nature of the organisation coupled with PCR restrictions.

[Chart: Deloitte Audit Recommendations Progress; the chart contents are not legible.]

Figure 1.0 Deloitte Audit Recommendations Progress

2. A risk based approach was taken to identify which audit findings would be a priority for
remediation.

3. We have made strategic investments in our Advanced Security Operations Centre (ASOC)
which is intended to be the internal brain in relation to security. The system collates the
information flowing from the technology systems within our network and systems, including
those managed by our third parties in order to effectively detect and manage security incidents
in line with the PO security policies. We have locked down access to our O365 environment
from mobile devices and work is in progress to extend this to locking down access from all
non-corporate laptops.

4. Our initial approach was to close the basic security concerns identified by Deloitte. We have
now matured this by benchmarking ourselves against The National Institute of Standards and
Technology (NIST) security and standards framework. This is internationally recognised and
provides a useful context to benchmark our current capabilities across the NIST 5 security
domains and core risk areas which are - Identify, Protect, Detect, Respond and Recover.

5. We have used the framework and the publicly available material on the average CMMI Maturity
scores across the financial services sector and the public sector and mapped on the current
capabilities within PO.

[Radar chart across the five NIST domains (Identify, Protect, Detect, Respond, Recover). Series: Post Office, Financial Services, Public Sector.]

Figure 2.0 NIST Benchmarking

6. With the investment to date we have effectively lifted ourselves to the point that we are
covering the basic hygiene factors of information security. The challenge is that this is not
sufficient for our ambitious plans on identity and digital transformation.

What's our target capability and why?

7. The new security strategy outlines a low maturity environment that needs further
improvement. It's important to understand security in the context of the Post Office and how
it operates as a business:

a. The document refers to our Administration estate - the branch network is separated
from the administration network and is secure - we have no information to suggest it
isn’t; the risk of a branch terminal or Horizon being compromised remains very low.

b. Our data assets are distributed and outsourced - we do not retain many critical data
assets within “our infrastructure” (infrastructure being used here to describe all our
applications, servers and processes) - therefore our main role is the third party
contract management and assurance (which are equally important). For instance:

i. Our digital identity service is outsourced to Digidentity which has to comply with
the highest level of protection.
ii. Our banking data is managed by BOI which is highly regulated to ensure
compliance.
iii. BRANDS which holds customer data is also outsourced.

c. Thus the main objective of the strategy is to IDENTIFY and PROTECT the critical data
assets that a compromise of our administration estate within our immediate control
would affect WHILST strengthening significantly our third party management to ensure
they are able to DETECT an incident and RESPOND to it in an appropriate timeframe
before it has a negative impact on Post Office.

8. The strategy is based on industry best practice and aligned with the NIST standard and the
best practice released by the National Cyber Security Centre (NCSC). The NIST standard
complements the existing COBIT 5 IT Controls framework. PO are prioritising our approach for
maximum risk reduction using the internationally recognised CIS controls framework which is
a risk-prioritised version of the NIST 20 key controls that an organisation should follow in
sequence to improve its Cyber Security posture in a risk aware manner.

9. Our recommended approach focuses around 5 core risk areas - Identify, Protect, Detect,
Respond and Recover - aligned to the NIST standard.

10. Figure 3.0 shows the PO Target Security Capability against the NIST framework/CMMI Maturity
Scale.

[Chart: Post Office Target Security Capability, NIST Framework / CMMI Maturity Scale. Scale: 0 - Absent, 1 - Initial, 2 - Managed, 3 - Defined, 4 - Quantitatively Managed, 5 - Optimised.]

Figure 3.0 - CMMI Maturity Scale against the NIST Framework

11. As can be seen in figure 3.0 PO is targeting achieving maturity levels on the CMMI scale
between 2 (Managed) and 3 (Defined). This would give us the required level of structure,
governance and operational control across the environment required whilst effectively
managing investment. Figure 2.0 shows this is in line with the maturity typically achieved
within financial services and the public services sector and further highlighted below in figure
3.1 showing the maturity of all audited companies adopting the CMMI Scale. Achieving a
maturity of 4 or 5 is restricted to certain processes and technologies required in highly
sensitive environments, such as the nuclear industry.

[Chart: Process Maturity Profile by All Reporting Organizations; the chart contents are not legible.]

Figure 3.1 - CMMI Maturity Achieved by companies audited in 2018

12. We will proactively stress test and benchmark our capabilities across these 5 domains to
identify current status using ethical hacking and red-teaming. Using effective threat
intelligence and the same capabilities and tools available to external hackers, we will
proactively try to compromise PO. This will enable us to evaluate our performance across each
of the 5 domains, ensuring we learn from the forensic detail on any successful exercise to
embed new processes and ways of working.


What are the activities, options and investment required to get to target
capability?

13. We have investigated and analysed the various different options available to PO:
a. Remain in current situation and perform risk acceptance on the widening security gap
b. Define the minimum security baseline that all PO functions and suppliers will adhere to
c. Effectively resource cyber security to achieve the target security capability

Each option has its own set of challenges. Option A is unsustainable from a security
perspective as the risk gap and inability to effectively secure PO is already a challenge. The
minimum security baseline will give us the bare minimum components in terms of process
and technology across the business and partners, but it will not enable PO to meet changing
demands. Option C will enable achieving risk tolerance and effectively manage PO from a
cyber security perspective.

14. To ensure the new security strategy is set up for success, we recommend the creation of a
Chief Information Security Officer (CISO) function. Based on the fact that the organisation is
going through a significant digitisation and technology transformation drive, the proposal is
that the function reports into the Chief Information Officer. This new function will combine
the current security teams (IT Security and Information Security) to ensure accountability for
the end to end security within PO. This would align us with industry best practice and deliver
the synergies, removing the overlaps and complex processes in the current model, as well as
presenting a simple interface point to the business for security.

15. We need to achieve compliance across the board including in our third-party suppliers. We
also have a mixed capability in terms of technology and compliance across our supplier
environment. This needs to be standardised to ensure the core capabilities in terms of
technology, policy and process are present in all of our environments to provide holistic
protection. We have held detailed security workshops with our strategic suppliers. We have
sense checked PO security policy and strategy with our suppliers and performed a gap
analysis. There are significant areas of non-compliance to our current policy with our strategic
partners and this position is likely to be present with our other suppliers due to lack of effective
3rd party security governance.

16. The minimum security baseline has been created to effectively underpin and support the North
Star business strategy. With extra focus on digitisation and technology, we need to invest in
new security technology capability to ensure our new services are secure by design and remain
under effective security management. In the table below you can see today that the majority
of our capability has Partial (P) coverage. This means that we do not have Holistic (H)
coverage of the process or technology across PO and our suppliers and therefore a security gap
exists. The minimum security standard takes the essential security components and ensures
they are deployed holistically across our infrastructure.

[Table: coverage of each capability, Partial (P) or Holistic (H), under three columns: Today, Minimum Security Baseline, Recommended Target. Most cell values are not legible in the source; where a single value survives it is shown after the row name, without its column.]

Technology

Security Operations Centre
Security Proxy
DOS Protection
Intrusion Prevention System
Firewalls
Intrusion Detection System
Network Data Loss Prevention
Anti-spam / Phishing
Cloud Security - P
Server Anti Virus
Control and Compliance Suite
Database Activity Monitoring
Server Firewalls - P
Secure Coding Suite - H
Web Application Firewalls
Encryption - P
Information Classification - H
Information Asset Register
Data Loss Prevention - P
Anti Virus Protection
Host Based Firewall - P
Forensics Suite

Process

3rd Party Supplier Management
Security Governance
Security Reporting
Information Risk Mitigation and Reporting
Security Culture Change - P
Information Protection in Change
Physical Security - P
Incident Management Process
Crisis Management
Business Continuity - P

17. The most critical activity by the business will be to ensure the appropriate tiered access to our
data has been implemented. Given that any device can be compromised with enough time
and effort, we need to be certain that any data that could be accessed is secure. We also need
to ensure that our existing Information Security classifications of SENSITIVE, CONFIDENTIAL,
PUBLIC are actually applied throughout our environment and different controls are enforced
before access is granted to the data. For example - anyone with access to SENSITIVE data
would need to undergo increased user education training, may operate within a physically
contained environment and would require advanced protection software on their laptop. The
IDENTIFICATION of users with access to SENSITIVE data within our estate and then the
DIFFERENTIATED controls for those users is an immediate action.

Do we have the capabilities to close the gap?

18. We have made progress on closing the gaps identified in the latest external assessment on
our security capability, conducted by Deloitte in 2016. These include assigning security
consultants to each business area to ensure the necessary controls are being implemented,
ASOC for visibility of security incidents, improved governance, centralised tracking of firewall
changes and improved penetration testing. This has closed the risk tolerance gap for the
previous business model. However, with the new business model North Star, the risk exposure
to the business has increased with extra digitisation and reliance on technology; even after
closing all of the findings we will remain in an adverse risk position.

19. Recent pro-active security testing engaged by PO has shown that an external internet based
attacker can compromise our estate via social engineering and phishing, maintain a persistent
connection to our environment for over a week whilst scanning and navigating around our
network. This activity generated zero security alerts into the central security function from PO
teams or our strategic suppliers.

20. We need to work with our partners in a risk based manner, investing in people, process and
technology to provide a holistic security capability that can effectively underpin the business
strategy. Further investigation is required with the business partners to fully understand the
level of investments required in each area, and the seed funding request to CAG will enable
this to happen.

21. The recommended approach is to conduct a target operating model exercise that clearly
defines the target structure for the new security function, combining all of the existing security
teams into a single function. We would clearly map out the organisational structure, roles
and responsibilities of each area ensuring broad areas of accountabilities as well as the process
and service ownership for each of the teams.

22. We will also focus on embedding the resource available to us as part of the tower partners
framework agreement to operate as a combined virtual team with everyone working towards
a common goal, regardless of the supplier.

Appendix A: NIST Maturity levels definitions

Absent: Absent or partially present.

Initial: Inconsistent approach; Ad-hoc; Undocumented procedures.

Managed: Formally resourced; Objectives are defined; Procedures are defined but are applied
inconsistently.

Defined: Formally resourced; Objectives are defined; Procedures are defined but are applied
inconsistently.

Quantitatively Managed: Consistent and robust application; Activities are increasingly automated;
Processes and tools are integrated.

Optimised: Processes are well managed and governed; Improvements are actively sought;
Monitoring captures metric to measure performance.


Appendix B: Definition of the 5 core risk areas aligned to NIST

Identify — The identify stream ensures an organisation wide understanding and
management of cyber security risks in relation to people, assets, data and

a. Identifying all sources and repositories of sensitive or critical data and ensuring
appropriate protection is in place against loss or misuse.

b. Ensuring we can correctly identify and authorise all infrastructure and software
assets on our estate.

c. Ensuring all asset vulnerabilities are identified and remediated in line with policies
and standards.

d. Identifying and managing all risks posed to PO by our existing and new third party
relationships.

e. Effectively using threat intelligence feeds to deliver actionable security intelligence
into our operations and security programmes.

f. Ensuring appropriate governance and reporting over information security activities.

Protect - Ensures appropriate safeguards to ensure the delivery of critical services to
our customers.

a. Ensuring effective Identity Management and access control with an effective joiners,
movers and leavers process as well as enhanced governance over the IT administrator
community - a community which stretches across all our suppliers of IT systems.

b. Empowering our employees to self-manage their cyber security posture with effective
security awareness and training ensuring a security aware culture across PO, our
third party suppliers, and our partners.

c. Establishing and embedding appropriate data security protection, consistent with our
risk strategy.

d. Ensuring that there are appropriate security processes and procedures, both within
the security teams, and across the business as a whole.

e. Deploy document classification to ensure that we can effectively structure our data in
terms of confidentiality and sensitivity and enable effective data loss protection.

f. Ensure that effective protective technology is in place and have plans for the evolving
nature of such protective technology.

Detect - Defines the appropriate activities to identify a cyber security incident.
a. Ensuring anomalous events are detected effectively on our infrastructure, channelled
appropriately to the Advanced Security Operations Centre (ASOC), triaged effectively
and presented to an analyst for appropriate action.

b. Implementing 24x7 protection holistically across the estate in a risk-based manner.

c. Deploying defence in depth security technology across the estate focusing on
protecting sensitive data.

d. Ensuring the threat intelligence from our external providers is analysed for root cause
and embedded into our cultural training.

e. Working closely with our outsourced partners to ensure security is a critical success
factor and key performance indicator.

Respond — supports the ability to effectively respond to detected security incidents in
a timely manner.

a. Ensuring appropriate incident management and response processes are embedded
and tested within the organisation at all levels.

b. Ensuring appropriate communications about incidents and threats across the
business and high risk third party suppliers.

c. Mitigation and control to prevent expansion of a security event and to effectively
resolve the incident end to end.

d. Ensuring a lessons learned exercise is conducted on each detection / response activity,
constantly improving the security processes.

Recover - maintains the resilience of PO security and works with the IT operations
teams to recover and restore normal business operations that were impaired as part
of a security incident.

a. Ensuring effective and appropriate business continuity plans across all critical
business systems and processes.

b. Ensuring holistic configuration management databases are maintained across the
estate to facilitate the system and application recovery process.

c. Maintaining a ‘green book’ of pre-prepared internal and external communications for
different types of security incidents that may affect PO, negating the need for them
to be created from scratch during an incident.


Performance Review — Health & Safety

Authors: Martin Hopcroft Sponsor: Al Cameron Meeting date: 12th Nov 2018

Executive Summary

Context

Keeping our employees healthy and safe is our legal responsibility and is fundamental
to our success.

Our Health & Safety performance has improved significantly over the past 6 years. We
have a rolling 3-year plan to drive compliance, targeting a reduction in safety metrics
including accidents; lost time accidents (LTIFR); days lost; and personal injury claims.

Our H&S reporting and safety management system is measured against the externally
recognised standard, OHSAS 18001 and performance is reported monthly to the Group
Executive and at each Board meeting.

Questions addressed in this report

1. What patterns are emerging in violent activity, is it getting better or worse, what
are we doing about it?
2. How are we performing in 2018/19 and what are the current activities and priorities?

Conclusion

The prevention of accidents has improved materially year on year. Whilst we have seen
a reduction in robbery and CViT incidents during September and October, a spike in
August and a recent increase in violent robberies and ATM rip-outs raised our concerns.

Post Office robberies are currently showing an overall 35% decrease from last year (50
vs 77). Retail robberies show a 24% reduction (37 vs 49). Injuries, however, show a
33% increase on the same point last year, (8 vs 6), all relatively minor with punches,
kicks and cuts. There has also been a 35% decrease in weapons carried during robberies
on the same point last year (41 vs 63). Included within this figure, the number of blades
being carried has seen a 55% reduction (17 vs 38). Security equipment that has been
installed to tackle branch robberies in higher risk branches is clearly having a positive
impact with a number of foiled incidents to date (see Report for additional information).

Post Office CViT robberies are showing an overall 15% decrease, (11 vs 13), and £111k
losses (18/19) vs £221k losses (17/18). Chester CViT has experienced 6 (55%) of 11
crimes, however, we are beginning to see positive results as mitigation is stepped up.

ATM attacks are currently showing an overall 88% increase year on year, (15 vs 8).
We have developed an ATM risk model, based on similar underlying trends and analysis
as the Burglary and Robbery Risk model, showing 707 of 2545 as high risk. Various
discussions are taking place to consider options such as glue, dye, foam and
pyrotechnics along with new anchoring plate technology to tackle the recent brute force
attacks. Decisions on installing temporary IP cameras with automatic aggression detection
in response to abuse and aggressive behaviour will be made on a case by case basis going forward.
Engagement with the wider community is already progressing with the BRC, and we will
widen this to BSIA. To mitigate risk further, we have approved £3m spend on rolling
fogging and IP cameras out to 1200 high risk branches.

Whilst formal feedback received from the HSL audit was good, a number of areas can
still be strengthened. An action plan has been developed covering 6 main areas i.e. H&S
competence across the business, online training tools, recognition and visibility through
121s, a hearts and minds safety culture and greater awareness of the harassment by
customer policy and support. 20 sub actions have been agreed and will be tracked to
conclusion by Safety Board with 33% completed to date and all completed by year end.

There has been a decrease in accidents reported in October P7 (4), 1 incident in DMBs
and 3 in Supply Chain, with no new lost time incidents reported. There has been a 28%
reduction in accidents reported YTD to P7 (Oct) compared to 2017/18 (50 v 69) mainly
due to a 43% decrease in Supply Chain (23 v 40 YTD). Accidents per 1000 employees
have reduced by 25% with Supply Chain reducing to 28 from 49 (-43%). Lost time
accidents have also reduced and the P7 YTD LTIFR is 0.143 v 0.260 in 2017/18. Total
lost days are 110 compared to 331 in 17/18, a reduction of 67%.

The Supply Chain safety plan is progressing well with the introduction of safety
champions, safety forums, a review of local risk assessments and safe systems of work.
External IOSH training courses have been completed. Health & Safety training
workshops are being provided to Network Operations teams in November and
progressed across the business.

We are beginning to see further improvement and reduction of road risk through the
introduction of telemetry in Supply Chain. The Road Risk Policy has been approved by
Safety Board and we will work to strengthen a number of areas including driver safety
training, guidance on how to alleviate fatigue whilst driving and the introduction of
Alcolock (breathalyser integration with key management).

The overall risk for property statutory compliance remains low at 96.28%. The external
Fire Risk Assessment inspections have been completed for 2018 with over 90% actions
closed out and therefore the risk profile has reduced significantly. We have confirmed
our signage inspection policy meets the national signage consortium best practices. We
have also confirmed POL are liable to inspect c.3800 local agency signs, mainly low risk
lozenges. This will commence 18/19 starting with signs over 3 years old and those
located in harsh weather areas. 98.67% waste was diverted from landfill in September.

Input Sought

The Group Executive are requested to note the current health and safety performance and
content of this report and input to discussion at the meeting.

Report

Our current risk modelling identifies 1200 branches at high risk from Burglary and
Robbery and 707 ATMs at high risk from Gas Attack or Ram Raid. So far this year 22%
of Robberies have occurred in these identified branches and 67% of ATM crime has
occurred in the identified branches. Given the difficulty in identifying future criminal
attacks, we can be confident that our statistical modelling is as accurate as we can
make it at this time. There are c.1200 high risk branches in the network (accounting
for around 10%) and around 200 branches move between medium and high risk in any
given year. It was a concern that the level of violence increased in August P5 and the
presence of firearms (not discharged) has also increased, however, incidents returned
to normal levels in September P6.

Mitigation included drafting an article on Security Ops Manual, 36 Torch visits conducted
in numerous areas, many at branches in close proximity to robbery targets. There were
16 DMB visits undertaken and full security reviews incorporated, meetings held with
Staffordshire and Hampshire Police to discuss closer links and future strategies. Security
presentations were delivered at regional NFSP meetings and to franchise partners.

Post Office CViT robberies are currently showing an overall 15% decrease, 11 incidents
(2018/19) vs 13 (2017/18) last year, and £111k losses (2018/19) vs £221k losses
(2017/18). 6 Chester (£71k), 4 Birmingham (£30k), 1 Manchester (£10k). 1 reported
injury (bruising), no injuries caused by weapons. There were zero CViT incidents
reported in Sep and no incidents in October. There were no incidents of violence nor
injuries reported.

Current mitigating activity:
- Work well underway to deliver Crimestoppers campaign in October in West Midlands
  following a number of CViT (and branch) robberies during the calendar year.

- Police meeting with Police Scotland at Glasgow Depot included walk through for
  greater clarity and understanding of operation.

- 204 Cross Pavement Observations (CPOs) undertaken by Security Managers during
  period, including 34 on Merseyside by local Security Manager.

- Security Manager also working closely with Merseyside Police to cover off as many
  deliveries in high risk areas as possible between them at present.

- Working to ensure most up to date equipment is deployed as quickly and
  comprehensively as possible on high risk Liverpool routes.

ATM attacks at period 6, Sept 18/19, are currently showing an overall 88% increase,
15 (2018/19) vs 8 (2017/18). We have developed an ATM Risk model, based on similar
underlying trends and analysis as the Burglary and Robbery Risk model, showing 707
of 2545 as high risk. Currently 67% of all ATM crime this year has occurred in the high
risk bracket. The chance of a crime occurring in this bracket is 2.8% compared to 0.7%
in the medium risk bracket. There was also an attempted ATM gas attack where the
suppression system prevented any build-up of gas. The 3G and Pinhole cameras have
also resulted in 3 arrests to date.

The Next Six Months

Further planning for upgrades has been undertaken, branches have been profiled and
a roll out plan prepared. There have been a number of successes following installation
of mitigating upgrade equipment. For example, of the 90 fogging kits installed in
2017/18, only one branch suffered a robbery which was prevented when the fog was
activated by the post master. To mitigate risk further, we have approved £3m spend
on rolling fogging and IP cameras out to 1200 high risk branches.
- The fogging and IP camera upgrade programme will improve the outlook against
violence and robbery against Post Office. The programme will start Nov 18 with
an install rate of between 30 and 40 per week reaching 1200 when completed.

- Additional budget has also been requested to respond to risk profile changes. BAU
installs will also continue as part of post-robbery events.

- The security team continue to engage the British Retail Consortium, and have
attended a recent retailer crime event. Input has been provided to help shape
the 2018 BRC Annual Security Survey by the Physical Security team.

ATM
ATM incidents are becoming the next major problem, with almost double the level of
attacks over the previous year. A newly developed ATM Risk model has enabled a more
accurate measure of those deemed to be higher risk, 707 from 2545 ATMs.

Various discussions are currently taking place to consider options such as glue, dye,
foam and pyrotechnics, along with new anchoring plate technology to tackle the recent
brute force attacks. The Police and Safercash both report a national increase in ram
raids against retail and ATMs because they believe criminals will receive a far lesser
sentence than for gas attacks and, being non-person facing, it is tantamount to theft. There
is anecdotal suggestion that CViT criminals are testing the ATM arena for this very reason.

CVIT

Whilst CViT crime at periods 6 and 7 appears to be on a positive turn, work will continue
mitigating against existing threats. The security team will engage further with BSIA
over the forthcoming months. There is currently a programme to obtain 100 more
bodycams, and as with ATMs, there is work ongoing to investigate new technologies to
destroy the cash beyond the existing ink technologies. A number of initiatives have
been agreed for Chester CViT, following the recent increase in violence, including CViT
vehicles ‘wrapped’ to identify live streaming, Ibox construction review including means
of destruction, hot spot area route changes and the Serious Crime Group NW Police to
attend Chester to address crew and management. We are scoping a man guarding
initiative in the Liverpool area. 4 escorts will be used across two routes at cost of £28k.

ABUSE & AGGRESSIVE BEHAVIOUR

A process is now in place to tackle abuse and aggressive behaviour. Volumes remain
static, and analysis of the past year shows no repeat branches. Rather than install a
temporary IP Camera with aggression detection based on 2 or more incidents in a 6
week period (which would have meant zero installs to date), Grapevine will make a
judgement on each and every incident.

Crime Profiling and Intervention

POL utilises risk models and crime mapping already provided under KIS (Kings
Intelligence Services). There is a minimum security equipment standard for every
branch format. Ordinarily, these will include safes, safe time locks, monitored alarms
and cash funding units (if open plan), as a minimum. The table below highlights a
number of the security equipment upgrades either as preventative, or upgrades
following an incident to prevent a repeat attack.

Fogging I IP Pinhole I 3G Gas Tracker I DNA I DNA
Camera I Camera I Camera I Suppress Packs I Spray

Robbery 98 39 370
H Risk 98 13 169
M Risk 0 26 199
L Risk 0 0 2
Burglary 193
H Risk 134
M Risk 59
L Risk 0
ATM 30 46 13 10 103 17
H Risk 24 23 11 5 76 9
M Risk 6 23 2 5 27 8
L Risk 0 0 0 0 0 0
(Note: H Risk = High Risk, M Risk = Medium Risk, L Risk = Low Risk)

Body cam | Vehicle CCTV streaming | TBox Trackers
Robbery
Chester 5 12
Birmingham 5 11 8
Manchester 7
Hemel 5

Further planning for upgrades has been undertaken, branches have been profiled and
a roll out plan prepared. There have been a number of successes following installation
of mitigating upgrade equipment. For example, of the 90 fogging kits installed in
2017/18, only one branch suffered a robbery which was prevented when the fog was
activated by the post master.

Whilst CViT crime at periods 6 and 7 appears to be on a positive turn, work will
continue mitigating against existing threats. The security team will engage further
with BSIA over the forthcoming months.

POST OFFICE LIMITED
GROUP EXECUTIVE DECISION PAPER
Digidentity contract extension
Sponsor: Martin Edwards Authors: Martin Edwards, Chris Hoyle Meeting date: 12th November 2018
Executive Summary
Context

Our current contract with Digidentity is due to expire at the end of November, but
we have the option of up to two further 12-month extensions to maintain continuity of
our Verify service and enable a rapid route to market for delivering our broader digital
identity MVP.

Questions addressed in this report

1. What do we propose to do with Digidentity in the short term?

2. How will we review our medium-term supplier options for digital identity?

3. What are the key broader developments in Identity Services since the GE update
last month?

Conclusions

1. Digidentity has been a strong partner for the Post Office to date, delivering the
market leading technical solution under Verify with the best conversion rates. We
successfully re-negotiated our payments to them last month to maintain
favourable margins for the Post Office in response to the reduced pricing from
Government. They also have the technical capabilities required to deliver the MVP
for our proposed new digital identity product. For these reasons we recommend
extending the Digidentity contract for a further 12 months. In practice there are no
other credible options in the short term.

2. However, we also propose to undertake a wider market engagement exercise early
in 2019 to ensure that we have the right technology supply chain in place to
support our long-term ambitions in identity, procured through a PCR compliant
mechanism.

3. A brief update on our wider product development and client engagement activities
is set out at the end of this paper.
Input requested

The GE is asked to approve a further 12-month extension with Digidentity, which will
be subject to Board sign-off as the contract value is above £5m.

The Report

Digidentity contract extension

1. Digidentity have been delivering our Verify service since March 2016. The initial
contract term expired in November 2017, but we have the discretion to extend
for three 12-month periods up to 30 November 2020. We are now approaching
the end of the first of these 12-month extensions.

2. The Contract Change Note (CCN) we signed with Cabinet Office last month
extends our Verify service to 23 March 2020. While as explained below we
propose to engage the market next year to assess alternative supplier options,
to maintain continuity of our service in the short term we recommend that we
invoke the next 12-month extension with Digidentity to 30 November 2019. They
have been a strong partner to us over the last 3 years, consistently helping us to
deliver the best conversion rates of all the 7 Verify providers (beating identity
specialists like Experian and GBG). Moreover, we successfully negotiated new
pricing with them last month which enables us to maintain a 29% average gross
margin against the significantly reduced pricing from Government. Informal
testing with potential alternative suppliers confirmed that they would be unable
to improve on these terms. There is therefore no obvious reason to seek to
migrate to another supplier at this stage.

3. This extension will be on largely the same terms as the existing contract, with
the exception that we are also seeking to flow down some new liabilities to
Digidentity. The new contract with Cabinet Office signed last month provides the
flexibility for us to use Verify identities with private sector clients. However,
alongside this new flexibility the Cabinet Office has introduced an unlimited
indemnity to cover any losses to Government arising from a breach of our
obligations under these new terms.

4. We are therefore seeking to flow down these indemnities and other associated
restrictions as part of the contract extension with Digidentity. At the time of
writing discussions are still ongoing but are progressing constructively and we
are therefore anticipating a satisfactory outcome.

5. Pinsent Masons will prepare a risk note on the extension once these discussions
are finalised, which we will share with Jane. It should be noted that the original
contract with Digidentity was awarded following a competitive but non-compliant
tendering process, although the risk of a challenge under PCR was assessed to
be low when we extended the contract a year ago. Furthermore, we will seek to
mitigate this risk in the way we approach the market engagement exercise
proposed for next year (explained below).

6. As the anticipated contract value over the next 12 months is £5.9m (based on
current Verify forecasts), the extension will require Board approval.

7. As discussed with Investment Committee and GE last month, we will also be using
Digidentity to deliver the MVP for our broader digital identity product beyond
Verify, which is targeted for launch in Q1 of 2019/20. The anticipated build costs
for this are around £1.5m, including the development of APIs which will enable
other Customer Hub apps and other Post Office channels to consume identity
services from Digidentity’s backend. We will negotiate a separate change notice
to the main Digidentity contract to cover this work, once the first stage of joint
planning work has been completed during November.

Reviewing our medium-term supplier options

8. While Digidentity remain a strong partner to support our near term priorities in
digital identity, over the medium term (2020 and beyond) there are a range of
credible alternative suppliers we could use, particularly if we are prepared to
disaggregate the fully managed service they provide (which integrates all of the
required capabilities such as authentication, identity proofing, secure data
storage and customer support). This would require us to establish a new SI
capability, most likely through a partner, capable of bringing together multiple
providers for each sub-component. The advantage of such an approach is that it
would provide us with greater flexibility to access best-in-class technologies,
together with reduced dependence on a sole supplier. The potential downside is
that it may come with increased cost (both set-up and run) and integration risks.

9. Given the technology landscape for identity has evolved significantly since
Digidentity was selected in 2015, and our ambitions are also expanding beyond
Verify, we believe the time is right to conduct a review of these alternative options
and suppliers. This process will be jointly sponsored by Martin, Rob and Jeff, to
ensure appropriate alignment to the wider Group IT strategy and to ensure that
any new platform can also meet the identity requirements for Post Office’s own
products and services.

10. Given other priorities before Christmas we propose to conduct the majority of
this review early in the new year, reaching recommendations on the way forwards
by March following engagement with the market. At this stage we are assuming
that we will then need to commence a full OJEU process, although we are
assessing the suitability of existing frameworks such as Digital Outcomes and
Specialists (DOS). We will also maintain a dialogue with the Project LEO team on
the procurement implications of the proposed corporate restructuring.

11. We will require some additional technical support to conduct this review, the
funding request for which will be taken through CAG.

Update on other developments

12. Since the last GE update 3 weeks ago we have continued to progress our product
development plans and engage with prospective new clients and partners for
digital identity. Key highlights are set out below.

13. Our new Digital Check & Send (DC&S) service for adult passport renewals was
rolled out to all 725 AEI branches on 29th October. To date we have processed
over 3,500 applications with a 98.3% success rate (the failed applications are
mostly due to HMPO caseworkers rejecting some photos). This compares very
favourably with the c.92% success rate that HMPO achieve with their own online
channel, underlining the value of our service to customers. We have a workshop
with senior HMPO stakeholders on 13 November to discuss both the extension
of DC&S to other application types (such as first-time applicants and child
renewals) and our proposed digital identity supported journey.

14. Preparations for the February launch of our International Driving Permits service
remain on track. The contract with DVLA was signed last week, which was an
important milestone politically for DfT given the NAO’s recent criticisms of the
Government's Brexit preparations. The service will be launched initially in 2,500
branches, although we would consider extending this to 4,000 branches in the
event of a high volume ‘no deal’ scenario.

15. Following IC funding approval last month work is now underway to develop our
new digital identity product to open up the use cases beyond Government. The
first phase of UX prototype development will be complete by the third week of
November. In parallel we are progressing more detailed joint planning with
Digidentity for the build phase, with the aim of being ready to launch the first
iteration of the new product by the start of the new financial year followed by
further releases over the subsequent months.

16. The first two revenue-generating use cases targeted for the new product are
passport applications and employment vetting. The latter will be supported
through a channel partnership with GBG (who already have a significant presence
in this market), with detailed technical and commercial discussions planned
during the second half of November. We are also engaging directly with
prospective clients such as Uber and the NHS to inform the development of the
vetting product, and are working with Sean Leahy and David Gemmell to agree
how this will be integrated into the Post Office’s own vetting processes from early
2019/20.

17. We are meeting with the Treasury and FCA this week to discuss how our digital
identity product can be used to meet banks’ AML requirements. We will be
pressing the case to ensure that Verify grade identities are explicitly recognised
in the UK implementation of the 5th Money Laundering Directive (due by the end
of 2019) and will also be asking for their support to progress some pilot projects
with engaged banks (such as HSBC) prior to that regulatory change.

18. Discussions are also continuing with MasterCard about the potential for us to be
the first UK partner for their planned launch of a global digital identity scheme.
Our next working session with them is scheduled for the afternoon of 12th
November and so we will provide an update to the GE after that.

POST OFFICE LIMITED

PCI Compliance

Author: Ian Robertson Sponsor: Rob Houghton / Debbie Smith Meeting date: 12 November 2018

Executive Summary

Context

1. Post Office has been unable to obtain Payment Card Industry (PCI) compliance.

2. Without a Record of Compliance (RoC) Post Office is in breach of contractual
arrangements with banking and payment partners.

3. In the event of a data breach Post Office would be subject to regulatory
investigation and significant financial penalties.

4. There is a risk of severe reputational damage to our brand if a breach occurred.

5. There is therefore a clear imperative for Post Office to be PCI compliant as the
ability to process card payment is at the core of our retail business.

Questions addressed in this report

6. What is the need or opportunity and why now?
7. What do we propose to do and why?
8. What do we need to do next to progress?

Conclusion

9. The PO PCI-DSS estate is increasing in complexity over time (the Post Office Data
Gateway (PODG) is now in scope, Customer Hub and Panther), although some of
these will be covered by separate certifications, not linked with our current PCI-DSS
audit. This adds to the complexity of achieving RoC status, with Fujitsu, in particular,
struggling to keep up with this increasingly complex scope.

10. PO have been working through a methodical approach of considering a number of
tactical and strategic options to understand how best to achieve RoC status in the
most expedient manner (See Appendix 2).

11. The current status of working through the above options indicates:

a. Option 1 (pursue gaining compliance via legal/commercial mechanisms
swiftly) is highly unlikely to succeed.

b. Option 2 (look to gain a moderated RoC by asking FJ and CC to confirm
Attestation of Compliance statements) would cost in the region of £9.5-16.5M
and take between 12-18 months to achieve. This is unlikely to succeed in
gaining a swift resolution.

c. Option 3 (go to a more strategic encrypted message state either aligned to
new devices or using payzone devices) is unlikely to succeed as no new device
solutions have entered the market yet and the payzone solution is unproven.

d. Option 4 (move to an encrypted design and updating the existing pinpad
estate) would cost in the region of £8-10M and could be completed in 9-15
months. This currently looks the most likely option to guarantee achieving
RoC status in the medium term but has the disadvantage of having to replace
the pinpad estate within 4 years due to obsolescence.

12. Based on current analysis, it is recommended that Option 4 is progressed starting
with the smaller counters. We will continue to monitor the progress made on the
strategic approach and regularly review the possibility of moving to the new solution.
The advantage with options 3 and 4 is that they reduce our reliance on
our suppliers to maintain our PCI-DSS certification.

13. We will continue to ensure all new solutions are RoC compliant and aligned with the
strategic direction of not holding card data on devices (e.g. Customer Hub has
achieved RoC status).

14. The next steps are to:

e. Obtain funding approval for £2.175 Million to initiate the project.

f. Submit Change Requests to FJ and CC to obtain detailed costs for refreshing
the current PIN Pads, enabling P2PE, and updating the Horizon
infrastructure.

g. Return circa 2,000 PIN Pads from the existing spares pool to Ingenico to
kick off the refurbishment process.

h. Test and then deploy PIN Pads to smaller branches and kick off the
productionised refresh process.

i. Build and test the revisions to the Horizon Infrastructure.

15. Whilst Point-to-Point encryption is delivered, we will continue to discuss the future,
strategic options with our vendors, including Ingenico. With Ingenico, the aim will
be to explore if they would be willing to offset the cost of the Point-to-Point rollout
against a future strategic device purchase.

Input Sought

16. The Group Executive is asked to:

(i) Approve the approach to compliance with PCI-DSS and the business case
pertaining to Option 4: move to an encrypted design and update the
existing pin pad estate;

(ii) Recommend the funding request of £10.821m over three years as set
out in the business case for onward submission to the Board subject to
prior CAG and Investment Committee approval; and

(iii) Request the Board to delegate authority to the CE, Retail to oversee
operational deployment and approve drawdowns.

Input Received

17. The options have been reviewed by:

(i) The IT Leadership Team

(ii) Post Office’s in-house legal team endorsed by our external legal team.

(iii) The third party compliance resource

(iv) Our external Qualified Security Assessor (QSA)

(v) Options were reviewed at ARC and proposed recommended option endorsed.

(vi) CAG review was on the 6th of November and conditional approval given.

(vii) This business case is being circulated for formal approval prior
to GE on the 12th.

(viii) GE submission will be for 12th November.

(ix) IC submission is scheduled for 15th November

The Report

What is the need or opportunity and why now?

18. The latest version of the PCI Standard includes updated and much more detailed
guidance that mandates how an audit is carried out. As a result the QSAs that
audit businesses are becoming more forensic in their approach. The company that
carried out the audit in 2017 discovered that the Post Office PCI scope was
significantly larger than had been declared.

19. Our QSA identified that CC’s Data centres were now in scope as HNGA is supplied
and managed by CC. Although there is a contractual obligation for CC to be PCI
compliant on our behalf the requirement has not been met.

20. Closer scrutiny of FJ’s estate identified multiple systems that are in-scope which
had not previously been audited.

21. The most effective way to obtain a RoC is to move as much of the estate as possible
out of the scope of PCI. This can be achieved by having Point to Point Encryption and
Network Segmentation, as this removes all of CC’s data centres and much of the
Horizon network from the scope, allowing us to securely manage a smaller estate
with very robust controls.

22. As well as the Acquiring Bank being directly informed of our current status, we are
now receiving enquiries from other payment services customers and banks about
the current status of Post Office’s RoC. We are currently informing those concerned
that we have a secure private network but are not currently compliant.

23. Post Office must progress obtaining a RoC in as short a time as is reasonably
possible in order to meet our contractual commitments and protect our business.

What do we propose to do and why?
24. The proposal is to update the existing PIN Pads to a version which supports P2PE
and roll these out to the branch estate. The existing Branch Deployment Centre
will be retained, although as a smaller unit, to manage the appointments, and
ByBox will be engaged through CC to deliver the refreshed PIN Pads under Chain
of Custody to the estate.

25. Fujitsu will update the Horizon infrastructure so that the P2PE tunnel terminates
with Ingenico, and they will forward all requests for payments to Global Pay,
returning a token and authorisation to the branch terminal, allowing us to track the
payments.

26. Ingenico will pass Banking Framework Services, POCA transactions, and third party
payment services transactions back to Fujitsu through a secure tunnel. FJ will
segment the Horizon network and contain the servers that remain in scope for PCI
in a secure hosting environment.

27. Client Contract Review

a. Our external counsel, CMS, has completed a legal review of all the major
POL client contracts to identify specific statements that make express or
implied obligations to be PCI compliant.

b. A cross-functional Working Group, which includes CMS, has been
formed. The remit of the Working Group is to liaise with our internal client
relationship owners and to manage the communications with our clients,
ensuring that all communications regarding our PCI compliance status are
handled in a consistent, appropriate and timely manner.

28. Whilst Point-to-Point encryption is delivered, we will continue to discuss the future,
strategic options with our vendors, including Ingenico. With Ingenico, the aim will
be to explore if they would be willing to offset the cost of the Point-to-Point rollout
against a future strategic device purchase.

29. Post Office is required to ensure it is routinely operating in a compliant state in
order to maintain revenue.

30. We need to work with customers and we need to be part of a PCI compliant chain
with our business partners.

FUNDING OVERVIEW

£m | Existing Approval: Prior Years | Existing Approval: FY18/19 | Existing Approval: Approved | New Request: FY18/19 | New Request: FY19/20 | New Request: FY20/21 | Total New Request | Total Project
Opex | 0.000 | 0.000 | 0.000 | 0.054 | 0.334 | 0.334 | 0.722 | 0.722
Exceptional | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000 | 0.000
Capex | 0.000 | 0.000 | 0.000 | 2.120 | 7.978 | 0.000 | 10.099 | 10.099
Total Funding | 0.000 | 0.000 | 0.000 | 2.175 | 8.312 | 0.334 | 10.821 | 10.821

BUSINESS CASE FINANCIALS

sunk Cost /F¥18/19IFY19/20IF¥20/21 F

£m 1/22 I EY 22/23 I F¥23/24 TOTAL
Gross Income 0.000 6.000 0.000 0.000: 6.000 0.000 0.000 0.000)
Cost of Sales 0.000 0.000 0.000 0.000 9.000 9.000} 0.000}
Total Direct Contribution 0.000: 0.000 0.000 0.000 0.000 0.000 0.000) 9.000
Operating Expenses (OpEx) 9,000. 0.054 0,334 0.334 0.334 0.334 0.334! 1,724]
Trading Profit 0.000: 8.054 0.334 0.334 0.334 0.334 0.334 1.724
Trading Prafit [%j 2.000 0.008 0.000 0.000 0.000 08.000 8,000) 0.088!
Capital Expenditure (Capex) 0.000 0.000 0.000 0.000 0.000 9.000 9,000} 0.000}
Exceptional 0.000 0.000 0.000. 0.000 0.000 9.000 9.000} 0.000}
Net Cash Flow 0.000: 0.054 0.334 0.334 0.334 0.334 9.334] 1.724I
ith Wi
Intangible tangible
benefits benefits
Discount Rate (te) iz0%] 12.0%]
NPV / Net Present Value (S years) 1.4] 1.3]
IRR / Intemal Rate of Return [%] N/A NfAl
PBP / Payback Period [years] 1.0I 7.2I
31. The primary risks are:

a. Our clients reject our mitigation plan, seek greater indemnity protection, or
worst case, terminate/sue for breach of contract. The risk is low and an
extensive Comms program is in place to keep clients informed of our progress.

b. Post Office is subject to a data breach. The mitigation is that we are
actively reviewing our network security and carrying out BAU activity to
ensure we meet Industry Best Practice security standards.

c. Ingenico are unable to refurbish the PIN Pads at a rate commensurate with
our rollout schedule. The mitigation is that we will send as many of our
spares pool as are available to start building a buffer stock and liaise with
Ingenico to ramp up production.

What do we need to do next to progress?

32. The following steps are required:

Engage with FJ to review detailed plan and approach and re-validate
proposals.

Establish Ingenico’s capacity to refurbish PIN Pads and engage ByBox to
prepare a distribution plan


e. Raise a change request to CC to deploy the PIN Pads (via ByBox at cost plus
agreed margin)

f. Engage with FJ to start segmentation of the network and updating the
systems to provide tokenised transaction data.

Hany fur

iC@S are requis

33. Please see appendix 3.

+

o the

Whe Q
34. Post Office would be at risk of increased transaction charges or lose the ability to
transact card payments to the detriment of our business.


Appendix

Appendix item 1 - Plan on a Page
Appendix item 2 - Options Considered
Appendix item 3 - Resource requirements
Appendix item 4 - Org Chart

1. Plan on a Page

[Figure: POAP - Strategic IT Projects (PCI compliance); chart content not recoverable]

2. Options Considered

Activity

Owner: Mick Mitchell

Risks

3. Resource requirements

Title

PM
Junior PM
PMO

BDC

Project Architect
Project Accountant
Contracts Manager (1)
Contracts Manager (2)
ATOS Resource
Programme Director
Project Planner

Name

Ian Robertson
TBC

Shauna Francis
Wayne Fitzgerald

3x call centre
resources

Bob Booth

Qamar Asghar
Isabel Christophers
Gareth Coles
James Brett (Atos)
Catherine Hamilton
Sean Robinson

FTE

FT
FT
FT
FT

FT
PT
PT
0.2
0.2

0.2
0.2

per 201812

man

Jason Black

4. Org Chart

[Figure: Org Chart; content not recoverable]

Group Executive — Strictly Confidential
POST OFFICE LIMITED GROUP EXECUTIVE
Minutes of a meeting held at
Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ
On 17 October 2018 at 9.30 am

Present: Paula Vennells (Chair) (PV) Chief Executive

Alisdair Cameron (AC) Chief Financial and Operating Officer

Mark Davies (MD) Group Director of Communications, Brand and Corporate Affairs

Mo Kang (MK) Group HR Director

Rob Houghton (RH) Chief Information Officer

Jane Macleod (JM) Group Director Legal, Risk and Governance

Debbie Smith (DS) CEO - Retail

Owen Woodley (OW) CEO - Financial Services & Telecoms
In Attendance: Veronica Branton (VB) Head of Secretariat

Cem Oztoprak (CO) Head of Business Performance (item 1 to 3)

Cathy Mayor (CM) Finance Director — Retail (item 4)

David Gemmell (DG) Programme Director — LRG and HR Change Portfolio (item 5)

Tom Moran (TM) Network Development Director (item 6)

Tracy Marshall (TrM) Programme Manager — DMB (item 6)

Martin Edwards (ME) MD — Digital Identity (item 8)

Elinor Hull (EH) Chief Operation Officer - Digital Identity (item 8)

Brian Kelly (BK) Finance Director — Digital Identity (item 8)

Emma Springham (ES) Chief Marketing Officer (item 9)

Chrysanthy Pispinis (CP) Director — PO Money (item 10)
Apologies: None
1. Performance — Financial Results & Review of Business Scorecard Action
a) Al Cameron and Cem Oztoprak introduced the report and highlighted a number of issues:

* the P6 results had been strong overall with a £0.4 m trading profit upside, driven predominantly by
Mails. POCA and lottery figures were also ahead of plan. PO Insurance was running behind plan. Verify
was significantly ahead of plan but the fee cut would feed through from next month. Non staff costs
were significantly under in the month, partly driven by closing down a number of old purchase orders.
Branch numbers were better than expected. The position with cash had been challenging during the
period

* The 6 + 6 plan figures were estimating a trading profit of around £51 m (including a reserve of £1 m
against the PO Insurance plan). The growth plan and Christmas trading could affect these figures by a
few million pounds.

b) A number of points were raised, including:
* Network numbers. Should 66 above target be amber rather than green?
* PO Insurance - we were through the peak travel period and there was less risk of our underperforming
against plan for the next period. PV requested a realistic assessment of the insurance opportunities for
the rest of the financial year (Action: OW)
* TelCo - customer numbers had been below target for some time
* Whether we should focus on the 6 + 6 figures at Board rather than retail performance?

2. UKGI Quarterly Report (6+6 Change Forecast Review)
a) AC reported that CO had circulated the latest version of the 6 + 6 change forecast the previous evening.

More had been spent on projects but the benefits from these had reduced. We had spent money on fixing
the infrastructure (DMB franchising, Back office transformation). It was noted that the Mails commercial
project had only ever been a place holder as we knew that we would have to look to market circumstances,
including our deal with RM, and there had been no trigger for us to proceed.

RH and Al had a meeting with UKGI on 18 October 2018 to go through change spend, explaining each of the
projects.

b) A number of points were raised, including:

* that while we were unlikely to get significant benefits coming through from the Travel app for some time
we had to develop a digital offering to remain relevant. We were re-cutting the Customer Hub business
case but some of the other verticals would be a lot more difficult to deliver. It was noted that this fed
into the McKinsey work on the future shape of the organisation. We were in an unusual position
because some of our customer initiatives should be coming from our core partners

* that there was no placeholder for what we wanted to do with the mails strategy during the next period

* we needed to work on our translation from Strategy into deliverable benefits

* we were making a huge investment in the network and would need to look at the long-term shape of the
network after banks have closed and cash requirements were diminishing.

c) GE approved the submission of the paper to the Board subject to any changes which needed to be made
following the meeting with UKGI.

3. 2019/20 Financial Planning

a) AC introduced the 2019/20 Financial Planning discussion and the slide deck to accompany this:

* Slide 5 - we had received Government funding to invest in our infrastructure. This had been a once in a
generation shift and that investment funding was nearing an end. The Network subsidy funding ought to
continue at a rate of around £50m a year. The business had to deliver trading profits that would turn
into cash flow

* Slide 6 - set out how we said we would achieve our ambition to deliver increased trading profits. There
had been areas with significantly higher returns (e.g. the banking framework) and others significantly
lower (e.g. insurance). We had said we would take £30 m out of staff costs. We were broadly on-track to
deliver our plan but the pattern and picture were different. This illustrated that we were in a very fast
moving environment and our plans would adapt and change

* Slide 7 - sets out our £66m trading profit target for 2019/2020

* We were re-thinking our approach to the simplification of pay for agents because some cannot reduce
their cost base. Pay would be reduced if there was a strategic change that led to a significant reduction
in the time required from an agent but not reductions on a piecemeal basis. Agents had to be able to
realise the benefits of simplification

* Mails income would reduce at some point. Our projections were based on what we were seeing in the
market

* Slide 11 showed that the budget had been different to the 3 year plan

* Slide 12 illustrated that change spend was a mechanism to deliver trading benefits and that we had
invested in areas that were delivering profit. £40m of this year’s profit has been delivered by change
budgets

* Slide 13 showed a list of benefits from next year’s programmes but was not compelling and needed to be
reviewed. Some of the items were incremental BAU rather than change. We needed real focus on where
we wanted to spend our change money given our limited investment funds. It was AGREED that this
slide for Board needed to show the top five things we were going to do.

* we had been borrowing out of the working capital facility but would not be able to continue doing so
because we risked running out of headroom. We needed to prioritise more as we would have less to
spend. Our surplus will then go into the working cash facility

* there was a gap of broadly £20m at the moment. We needed to look again at the cost base and the
Finance Directors were working on ways of taking cost out of the business. A project on failure demand
had been initiated

* Slide 20 set out the timetable. There would be a GE discussion in December 2018 and an initial
discussion at the January 2019 Board meeting. The process was drawn out and there was a risk that the
situation would have changed significantly in that time period. There would be hard choices to make
and there was no point playing games with budgets; however, £66 m EBITDA was still viewed as
achievable for 2019/20

To do: AC/CO

* we would consider investment prioritisation in January 2019

* CO would issue the targets as early as possible and then get GE feedback on what the exceptions
would be.

b) A number of points were raised, including:

* whether the PO Insurance Board was monitoring the delivery of the Insurance Plan. OW reported that
there had been a discussion about whether the plan was deliverable. PV requested a piece of work to
provide a balanced view of where we were against the plan and what realistic figures were for the end of
the financial year as there appeared to be a disconnect between the original plan and our current
position (Action: OW)

* that BAU costs should be included in BAU, not in change

* the review MK was leading on capability and structure was discussed. There were a large number of
people in our support functions and over 600 people in London (n.b. many of these were change
contractors). There was a longer term issue about numbers and locations. We needed to consider
where there was scope to automate work and where it could be moved online. We also needed to
consider whether we were doing too much staff training at one time. There was a mixture of short and
long term issues. We were not setting a cost reduction target but did need to monitor head count issues
to reduce our costs in the short term. MK and AC would be producing a strawman including the controls
for next year’s budget. We also needed to avoid being overly reliant on consultants. More attention
would also need to be paid to non-staff costs. A single structure for communications with branches was
going to be introduced next year. MK reported that he was getting a group together to look at our
current structure and identify some “quick wins”. The longer term piece of work also needed to start
and GE would be considering the first outputs from McKinsey on 5 November 2018. GE would need to
discuss this work at some point in November.

* what could we do differently to drive performance? It was agreed that keeping costs under control
would be a clear focus but we could also drive performance through the marketing plan. It was agreed
that Emma Springham should be invited to attend a slot at GE once a quarter and as part of that, DS and
OW would feed in the initiatives taking place in their areas (e.g. pricing, benefits coming through from
change activity). GE would not expect a paper to be produced for these sessions but would ask the key
people to come in and talk us through the plans. (To do: OW/DS/VB) CO could also pull together a slide
for the financial performance report summarising sales increases in product areas and the drivers for
these. (To do: AC/CO) These initiatives would also be good topics for the Leadership huddles.

4. Performance Report - Retail

a) Cathy Mayor joined the meeting, introduced the paper and invited questions. Agents’ pay and trading
figures had increased.

b) A number of points were raised, including:

* Payzone’s performance to date. It was reported that performance was broadly on track. Work on the
day 1 plan had intensified over the past few weeks and confirmation of the CMA approval was expected
on 19 October 2018. The first day for NewCo was likely to be 25 October 2018 but a SteerCo was taking
place next week to look at operational due diligence

* it would be helpful to see the split between retail products as network sessions were reported to be
falling year-on-year. It was reported that we also wanted to get better data for different geographical
areas

* we would need to revisit the wider high street / retail environment in the November Retail Strategy
session

* the report looked at retail as a distribution channel but did not cover insurance as a distribution channel.
It was agreed that joint quarterly reviews for Retail and FS&T would be produced from January 2019 and
for Board meetings in-between we would update on areas of current concern and focus (To do: DS/OW)

* the customer satisfaction figures remained very high and we had included incentives for customer
service in our agreement with WHSmith. An explanation of how the voice of the customer figures were
compiled was requested. (Action: CM/DS)

c) GE approved the submission of the paper to the Board.

5. Legal Enterprise Optimisation (LEO)

a) David Gemmell joined the meeting and JM introduced the paper. A number of issues were highlighted:

* the proposal to create a HoldCo was to support the financial services strategy. We would need to set up
Peregrine entities and PO Insurance entities as sister companies to HoldCo

* a significant amount of work had taken place to look at the implications of changing the corporate
structure and whether there were any “red lines”

* a timetable was included and sectioned into phases

* the establishment of a financial services subsidiary and ServCo were linked to execution of the Peregrine
strategy which envisaged PO selling financial services products from a range of providers and not just BoI

* the next phase of the project was likely to run for 4 to 5 months.

b) A number of points were raised, including:

* that we needed to make sure we did not replicate the POI governance structure and the costs associated
with this. We needed to avoid complexity. It was noted that the Reading room included a pro-forma
governance structure. Our premise had been that we should only make a change to the current
structure where there was an imperative to do so and to make the governance structure as lean and
simple as possible. It was requested that we include simplification of POI governance within the LEO
project. It was noted that the Articles for subsidiaries would stipulate direction from the group, except
where there is a regulatory requirement for the subsidiary to direct

* is this an imperative and do we need to do it now? It was reported that as we began to do more work
with other financial service companies the current model would cease to be feasible as agreement
would be required from all of the principals. The alternative to setting up subsidiaries would be that PO
Limited became regulated by the FCA and/ or that the FCA would not be prepared to regulate PO Limited
and would require us to set up subsidiaries. The FCA would not approve an unregulated parent directing
a regulated subsidiary. Setting up a HoldCo and subsidiaries was to future proof Post Office and to
recognise the timelines for FCA approval of regulated entities. The PO Insurance acquisition and seeking
an alternative provider for credit cards were immediate drivers. Our negotiations with potential
providers on credit cards could be conducted on the basis of this function sitting in a regulated entity in
due course. It was agreed that there was a need to tie the paper back to the events which are occurring

* why could we not have one subsidiary for financial services and insurance? It was reported that it would
be more complex to have one subsidiary than two because of the different regulations that applied to
insurance and financial services

* the VAT regime needed to be undisturbed and tax losses need to be protected. It was noted that any
separate entity we created would not be able to benefit from historic tax losses so we needed to be
clear that our financial services strategy took account of this. DG and AC would put time in the diary to
discuss the tax and VAT issues fully.

6. DMB Implementation Strategy (Verbal)

a) Tom Moran and Tracy Marshall joined the meeting and provided an overview of the DMB Implementation
Strategy:

* the Edgware project would have concluded by Q1. 77 DMBs were going to be exited in 2019/20.
Activity was taking place to keep the momentum going, including extending the interim operator
approach where a permanent operator could not be identified. An interim operator was running the St
Leonards branch so we had been able to test and learn from this experience. Ten interim operators
were going to be placed in Q4 and we had had expressions of interest from a number of interim
operators.

b) A number of points were raised, including:

* whether we had thought about making larger deals with a few interim operators? It was reported that
there had been discussions but we had not sought to do a deal. One issue for us with interim operators
was that we carried the property overheads. We did not view interim operators as a long-term solution
and the larger interim providers were unlikely to want to go down the franchise route. Interim
operators were appointed for up to 18 months but we did have the ability to extend if we had not found
a franchisee

DG/JM

To do: DG/AC

* whether we could give the interim operator an incentive to find a permanent franchisee?

* what was needed to accelerate the programme? It was reported that we needed more field team time
ring-fenced for DMBs. It was noted that the approach would need to be consistent across all the field
teams and we would need to consider how this impacted on the teams’ other responsibilities

* that it would be helpful to see the costs and benefits associated with different approaches

* was there an additional option to open our own branches where we needed to? It could be a franchise
branch but with our person running it.

It was AGREED that a proposal on DMB implementation strategy should be included on the November
Board agenda. We wanted to avoid a long-term interim solution. (To do: DS/TM)
NB

7. Communications

a) Mark Davies introduced the Communications paper and highlighted a number of issues:
* agents and network as well as employees fell within the internal communications remit
* recruitment for a director of internal communications was underway
* we were looking at how to engage with agents in a retail environment with our colleagues in retail
* we needed to be better at news gathering and sharing good news
* our communications for agents and employees need to be distinguished better
* the organisation was not always clear about what it wanted from communications and feedback on this
would be helpful.

b) A number of points were raised, including:

* our approach to communicating with agents needed to be radical. We needed to be clear why we were
communicating. Too much content which was insufficiently focussed on purpose was unhelpful and
sometimes we only needed to land one sentence. The relationship would take years to build and needed
to be joined up with the supply chain

* there was general agreement with the messages in the paper, including that there were too many
communications. Sometimes the format was old fashioned, sometimes the messages were not read and
sometimes our advice was not trusted. We needed more agent to agent advice, more peer to peer
learning and development as well as different formats

* that we needed to get “under the skin” of how our colleagues wanted to share/ receive information. It
was reported that colleague feedback was being analysed at the moment

* that we were overwhelmed with information at the moment. Agent Portal would be the best way to
share information with agents. RH would be happy to come up with some ideas on how we deliver
content for colleagues (To do: RH)

* that there were too many channels and it was difficult to keep track of where the information had been
seen. We needed to be clear what we were using the different channels for

* face-to-face communications remained critical and “huddles” were generally working well.

8. Digital Identity

a) Martin Edwards, Elinor Hull and Brian Kelly joined the meeting and provided an overview of performance
and developments in Digital Identity:

* the performance on Verify had been strong but the price reduction would start to impact the figures.
Nevertheless, we expected to be around £1m ahead of plan by year end. RM and GBG had dropped out
as Verify providers. Customers needed to positively consent to moving across to the PO platform on
Verify so we were thinking about how we could maximise this potential

* Passport office had been pleased with progress on developing a digital passport processing service. We
were looking at pricing this service at £9 with a 50/50 revenue share. HMPO was keen to launch this
with their own digital platform

* the investment case for the creation of a digital platform and APIs, labelled as an NVP, was approved at
the Investment Committee on 16 October 2018

GE Minutes Page 5 of 9

POL00026954
POL00026954

Group Executive ~ Strictly Confidential

the original 3 year plan for digital identity had not factored in the price drop for Verify as we had been
advised that this would not apply until later
* Uber had expressed interest in the scope for us to provide them with a digital identity service
* a handout with the top ten partner and client conversations was circulated. It was noted that it often
made sense for us to talk to the top tier channel providers. One of these was MasterCard/ Samsung —
who wanted to own the back end of the structure and wanted us to provide the service to them
exclusively within this market. Further discussion would be needed, especially on the exclusivity point. A
quid pro quo could be a requirement for them to get rapid traction in the UK market. However, we were
not close to making a recommendation and issues such as the potential alternative alliances to
MasterCard/ Samsung would need to be considered
* the next steps were digital passport work with HMPO; building APIs with Digidentity; and, work on
International driving permits
* formal approval of a 12 month contract extension with Digidentity would need to come back to GE and
Board next month as the value would be over £5m. (To do: ME/VB)

b) A number of points were raised, including:

* that offering digital for vetting was not viable if we could not provide the service for ourselves. We
needed to work out our contractual position with our current provider

* whether the Digital Identity team had the right people resource within the wider infrastructure? It was
reported that the team was working with Ben Foat and Zoe Brauer from the legal team as well as Pinsent
Masons. The team had also been working with Emma Springham about the connectivity of our brand
with potential clients and with Joanne Leahy on a brand risk assessment. It was noted that this was a
strategic question and that Emma Springham would lead on considerations of who we should partner
with from a brand perspective. Brand assessment, the commercials, the opportunity and the cost of
choosing not to work with a particular partner, were all part of that equation.

9. Customer Value Management

a) Emma Springham joined the meeting and provided an overview of the Customer Value Management
approach and how we would seek to implement this. The purpose of the paper was to make sure that GE
Members were comfortable with the approach.

We could start testing the approach and it was proposed to do so with four key financial products.
Currently, the customer experience was fragmented and product led. We wanted to understand our
customers, how we cross sell to them, how we could communicate through the right channels and create a
story about the range of services we provided. The product phase was scheduled for February 2019 but we
would accelerate this if possible.

The initial test for the approach was with some FS products because the work was already part progressed.
However, we wanted to drive loyalty in the branch network and build a group wide capability in marketing.

10. Bank of Ireland Negotiations

a) Chrysanthy Pispinis joined the meeting and provided an update on where we had reached in the
negotiations with BoI, the key positions of each party and the next steps. There had been a number of
useful share sessions during September 2018 and these aligned with BoI’s market announcements in June
2018. However, BoI had claimed that:

- the FSJVA was loss making

- if we couldn’t agree a new FSJVA package they would seek to exit mortgages as they were seeking
to shrink their balance sheet aggressively

- they wanted to exit the credit card market in the UK.

Some of the information provided had been contradictory.

They needed deposits for some of their other lending (e.g. for their Bristol & West back book which it would
not be easy to exit), though it was possible that they would seek to sell their B&W back book if we agreed to
an “amicable divorce”; however, that would not align with their June 2018 statement to the market.

We had updated some of the scenarios and included them for comparative purposes. A new deal looked
slightly less attractive than it had done a few months ago. An “amicable divorce” scenario had been added
in case our direction in FS and that of BoI could not be aligned. The terms of our contract meant that we
could not “sound out” the market at the moment and would not know if there were credible players in the
market until we asked the question.
The Group CEO conversations were critical at this point. PV had sent a note to Francesca McDonagh to
position the discussions about whether our strategies were aligned.
We were still hoping to be able to conclude negotiations by the end of November 2018. The contract ended
in 2023 but we had options to extend. Termination of the contract was required two years in advance and
were this to be decided we would be able to go to market in March 2021.
It was agreed that a separate item would not be included on the October Board agenda but a paragraph
would be included in the CEO report and a verbal update provided at the meeting. (To do: OW/VB)

11. Contracts for Approval

a) Media Buying Contract

It was reported that we were moving provider because we secured our media buying services through the
government framework which had switched provider. We were not committed to £71 m of spend and
there were potential cost savings.

Approval would be sought from the Board by written resolution.
12. Christmas branding

The new brand creative for Christmas would be in branches by 22nd/23rd of November 2018. It was noted
that Black Friday was a great opportunity for digital. We were stripping back to basics on posters so the text
could be read from a distance. The Marketing Team was updating the top five pages and would then
refresh the underlying pages. We would also look at creating videos and whether any of the material was
good enough to go to the press. Repetition was critical. We needed to be sure that we had brand
recognition where we needed it.

13. Postmaster Litigation - confidential and subject to legal privilege

a) JM provided a verbal update on the Postmaster Litigation.

14. Items for Noting

a) Health and Safety Report

The report was NOTED.

b) Belfast Exit Plan Business Case

The Business Case was NOTED.

c) Forward Agendas

The draft forward agendas for the Board meetings on 30 October 2018 and 27 November 2018 as well as
the GE meeting on 12 September 2018 were NOTED.

RH would review whether the IT Strategy paper was needed. (To do: RH)
Retail Strategy had been included on the November GE agenda but needed to be added to the November
Board agenda. (To do: VB)

d) Conflicts of Interest Policy
The report was NOTED.
e) Armed Forces Deed of Covenant

The paper was NOTED. We would be signing the Armed Forces Deed of Covenant in early November and
were confident that we could honour the commitments.

15. Review of GE Minutes, Action Points and Updates

The GE minutes of the meeting held on 12 September were APPROVED. The actions as shown on the action
log were NOTED.

Performance Management (action 18/07/18)

MK reported that Lisa Cherry was going to speak to each GE member to make sure objectives had been set
and that we had a process people understood. The current rating system and two reviews a year would be
maintained for now. Aspiration for a better developed performance management system made sense but
that would be a journey over the next 2-3 years and Lisa would be setting this out. We were not far from
being able to demonstrate a solution for Success Factors.

It was agreed that we needed to be able to advise colleagues early about bonus payment dates moving to
August. We should also consider the number of 4s and 5s awarded last year as we needed to move the bell
curve to the left and be rigorous about how ratings were awarded. We needed to do more on talent
management and would be having a GE conversation about this and development and training in
November. MK would circulate the MBA list. We needed to focus the right resources on the right
individuals and recognise that there may only be a small number of people who could progress to GE level.

Any other Business

PCI compliance

RH described the bills payment transaction process and what we needed to do to comply with PCI
requirements. At the moment around 100 people had access to our PCI data.

A South African firm provided the remote control computer service, which was a technical breach of our
GDPR requirements because the provider was outside the EEA. It was noted that Azure was managed partly
from India and we would be using this for Agent Portal. A remote computer operator would be able to
access PCI data if the client had not shut down that data before allowing their system to be accessed
remotely. A mitigation of this risk would be to require the remote computer operator to get confirmation
from the client that they had shut down any PCI data prior to remotely accessing the computer. However, our
key concerns were about contractual breach risk rather than data breach risk.

If we were completely risk averse we would have to introduce locked rooms. We needed to understand our
contractual obligations properly before signing contracts. We also needed to consider our risk appetite.

Return certification on PCI compliance was required to deliver our contractual obligations so we needed to
obtain this. This was a continued trading benefit rather than an upside benefit.

We needed to encrypt data coming through the pin pads and would have to replace the pin pads and in
doing so start to reduce our risks incrementally. RH had commissioned three data audits into Accenture,
Fujitsu and Computacenter. We needed to have consistent approaches for how we treated this data. RH
was working through the compensating controls with Nettitude and would be pulling together our
recommended approach for the ARC meeting on 30 October 2018.

A number of points were raised, including:

* that there was an increasing amount of sensitivity about card data and we should focus on this

* the timeline for introducing new pin pads. It was reported that we needed to have sufficient
compensating controls in place even while we acquired the new pin pads. It was noted that
compensating controls would never be enough from a compliance perspective even though it might be
from a security risk perspective

* the key risks? Third party objections were a primary concern. QSA could usually work with a company if
it had a remediation plan and could show how it was going to execute the plan. Reputational risk was
also a concern

Todo:
MK

* who was accountable for PCI? It was split out because of the different relationships with those we were
providing different services to e.g. bills payment; banking framework.

Post Office Limited Group Executive Action Log,
Updated: 05.11.18

1. ATOS Proposal

Action: Produce an integration plan for moving calls to NBSC and a communication plan to explain the changes.
Action Owner (GE Member): Rob Houghton / Catherine Hamilton
Status: The next phase of the IT supplier strategy is included on the 12 December 2018 GE agenda.
Closed: Open

Performance Management and Bonus

Action: Bonus proposals should be produced for each cohort of colleagues, working with the managers in each cohort to determine what would work best in each instance; recommendations should be brought back to GE and could be sent via GE Meeting Team Site.
Action Owner (GE Member): Natasha Wilson / Mo Kang
Due Date: September 2018
Status:
NW Update: To meet the challenge of implementing a tactical change in this financial year, a number of options have been produced. Financing is being agreed and will be brought back to the GE in September. A table showing the current cohort of colleagues is included on the GE site.
MK Update: GE on 08.10.18: Lisa Cherry would lead on Performance Management project.
MK Update: GE on 17.10.18: Lisa Cherry would liaise with each GE member to ensure objectives had been set and the process was understood. The current rating system and two reviews a year would be maintained for now. Lisa would progress the wider ambition for a better developed performance management system but this would be a journey over the next 2-3 years.
Closed: To close

b) Action: The second piece of work should look at the mechanism of the bonus scheme. It should be as simple as possible, underpinned by company performance but linked to PDR ratings. We would need a lot of rigour around objective setting at a more local level if we were to give junior managers discretion over part of the pot.
Action Owner (GE Member): Natasha Wilson / Mo Kang
Due Date: October 2018
Status:
NW Update: With the arrival of the GHRD, we are looking at long term viable solutions around rewarding our people for their performance measured against the contribution and impact they make as well as how they behaved (the what and how).
MK Update: GE on 08.10.18: Consideration should be given to the number of 4s and 5s awarded last year, as we need to move the bell curve to the left and be rigorous about how ratings are awarded. We need to do more on talent management and will have a GE conversation about this and development and training in November.
Closed: To close

1. Performance - Financial Results and Review of Business Scorecard

Action: Paper template to be reviewed to include a prompt to consider how the paper linked to North Star and to include relevant financial information.
Action Owner (GE Member): Veronica Branton
Due Date: Nov-18
Status: CoSec has developed new paper templates which include the relevant prompts. The drafts are being tested with key users.
Closed: Open

2. Telecommunications

Action: Provide a short analysis for GE of the potential adverse impacts of the initiatives proposed in the telecoms service, particularly those that would affect customers. For example, the potential impact on complaint levels, potential loss of customers, whether we could demonstrate our ability to expedite faults notified to us by vulnerable customers quickly enough if customer service levels changed and the cumulative impact of the changes proposed.
Action Owner (GE Member): Meredith Sharples / Owen Woodley
Due Date: Nov-18; Jan-19
Status: Update received 24.08.18: Detailed analysis into the customer impact of changing fault repair service level (from business to consumer levels) underway, made complicated as majority of current faults are resolved within SLA (which would continue with new longer SLAs).
Closed: Open

7. Any other Business

a) Action: An item on SMEs to be included on the January 2019 GE agenda.
Action Owner (GE Member): Veronica Branton
Due Date: January 2019
Status: Added to the January agenda.
Closed: To close

1. Performance - Financial Results and Review of Business Scorecard

Action: PV requested a realistic assessment of the insurance opportunities for the rest of the financial year, which would provide a balanced view of where we were against the plan.
Action Owner (GE Member): Owen Woodley
Due Date: October 2018
Status: OW confirmed that PV has briefed as requested.
Closed: To close

4. Performance Management - Retail

Action: The customer satisfaction figures remained very high and we had included incentives for customer service in our agreement with WH Smith. An explanation of how the voice of the customer figures were compiled was requested.
Action Owner (GE Member): Debbie Smith / Cathy Mayor
Due Date: November 2018
Status: Update received from Cathy Mayor which is to be circulated.
Closed: Open

5. Legal Enterprise Optimisation (LEO)

Action: It was requested that we include simplification of POI governance within the LEO project.
Action Owner (GE Member): David Gemmell / Jane MacLeod
Due Date: October 2018
Status: Simplification of PO Insurance governance was included as part of the paper that went to Board and was approved on 30 October 2018.
Closed: To close

INVESTMENT COMMITTEE TERMS OF REFERENCE

1. Purpose

The purpose of the Investment Committee is to ensure that the investment provided by UKGI is
used to deliver the agreed strategic objectives, as detailed within the North Star. As part of its
scope, the Investment Committee will review demand and approve funding for new initiatives,
approve changes to in-flight initiatives and also provide intervention / support for resolution of
any escalated issues.

Its responsibilities and delegated authorities are as set out in its terms of reference, changes to
which must be approved by the Group Executive.

Responsibilities

(a) The IC has the following responsibilities:
* Setting the portfolio of change initiatives across the business
  o Prioritising the discretionary portfolio based on strategic alignment, complexity and financial return
  o Reviewing a rolling 12-18 month view of the portfolio including relevance to strategic goals, setting of portfolio goals and ensuring a balanced and deliverable portfolio

* Review major proposed projects in the demand pipeline:
  o Ensuring alignment with agreed strategic objectives
  o Assessing proposed activity within overall portfolio prioritisation
  o Ensure projects:
    - meet financial hurdles or
    - are a legal, regulatory or contractual requirement or
    - are mitigating a material risk
  o Consider the opportunity cost of the initiative
  o Approve new projects to become part of the agreed portfolio of change, approve business cases and sanction funding for projects and programmes with total spend of between £2m to £5m

* Major in-flight project escalations (“major” based on cost, benefit, strategic relevance and complexity risk) for:
  o Actions to be taken to reduce risks - review escalations and commission corrective actions and consider risks arising through inter project dependencies
  o Sanction additional requests for funds from projects and programmes that are outside of the existing business case tolerances (business cases over £2m)
  o Stop projects that are failing, not delivering value or that no longer meet strategic goals

* Review and approve the quarterly management report that is sent to UKGI and the Board, to
detail Post Office’s progress against government targets. These reports will be sent to GE for
information prior to submission to Board.

(b) IC members will be expected to:

* Attend all IC meetings or arrange appropriate representation if absence is unavoidable
* Review all material circulated to IC members and clarify as necessary their own understanding of key issues
* Work collaboratively to achieve the agreed key objectives
* Raise matters of concern or difficulty with fellow IC members and seek their input with the aim of resolving difficulties at an early stage
* Provide constructive challenge to other members of the IC on matters on the agenda
* Complete actions within the timescales set by the IC Chair.

Authority

The Investment Committee will focus on the most material projects and programmes (currently
classified as Gold and Platinum projects).

In-flight project reviews should focus on Red projects.

The Investment Committee is not responsible for assurance for all projects; projects of lower
materiality will be delegated to the appropriate forums. These will include Bronze and Silver
projects and funding for strategic thinking and commercial negotiations. Although the
Investment Committee does not have responsibility for these activities it will approve funding at a
consolidated level and be kept up to date on progress.

The Chair of the Investment Committee has delegated authority to authorise change spend up to
£5m.

Funding requests for change activity totalling over £5m should be reviewed by the IC and
recommendations passed to the Board for ratification. This applies to both new projects and also
additional requests for funding of existing projects that would take total project spending above
the £5m limit. Funding requests over the IC delegated authority will be sent to GE, prior to Board
submission, for information not authorisation.

4. Composition

A quorum is four members, one of whom is the Chair (or their deputy) and one other GE member.

5. Meetings

The IC will be held at least once per month.

Notice of each meeting shall be given to all those entitled to attend and notice of the matters for
discussion shall usually be given at least 24 hours before each meeting but notice need not be
given in writing. Papers are expected to be issued to IC members 48 hours in advance of the
meeting.

The Secretary will keep a log of decisions and actions which will be reviewed at each meeting.
The IC will meet in person, with attendance by telephone by exception.

Inputs are as follows:

1. Change Requests | Business Owners
2. Business Cases | Business Owners
3. Cost & Benefit reports | Finance
4. Programme Performance reports | Strategic Portfolio Office
5. Capacity planning reports | Strategic Portfolio Office
6. Actions from last meeting | Strategic Portfolio Office
7. Progress of projects through Gates | Strategic Portfolio Office

6. Reporting

* The IC will ensure timely and appropriate reporting to the Board and UKGI
* The Strategic Portfolio Office will lead on reporting in to the IC.
* Outputs from the meeting are as follows:

1. Decisions made on business case approvals and change requests over £2m and below £5m
2. Recommendations made to Board for funding requests for new projects over £5m in size or in-flight projects where additional spend takes them over £5m.
3. Updated list of agreed projects that form the change portfolio
4. Actions and minutes
5. Monthly update report to Group Executive for information (not authorisation)

7. Risk Management

* The IC will ensure that all issues discussed will highlight the risks to the business and mitigating
actions.

8. Members

* Attendees are as follows:

Rob Houghton | Change Director & Group Chief Information Officer (Chair)
Alisdair Cameron | Chief Finance and Operations Officer (Deputy Chair)
Martin Edwards | Managing Director of Identity Services
Tim White | Director Strategic Portfolio Office
Owen Woodley | CEO - FS&T
Cathy Mayor | Finance Director - Retail
Alistair Roman | Finance Director, IT, IT Finance
Cem Oztoprak | Finance Lead (Change)
Tom Moran | Head of Strategy

* Empowered deputies are expected to attend if the CEO for FS&T or Managing Director of Identity cannot attend
* Other GE members will attend as required
* Portfolio Leads and project/programme managers may attend on an ad hoc basis as requested.
* Secretariat will be provided by the Strategic Portfolio Office

Post Office Board Agenda

Date: 27 November 2018
Start time / finish time: 11.45 hrs [16.50 hrs]
Location: 1.19 Wakefield

Present: Tim Parker (Chairman); Paula Vennells; Ken McCall; Alisdair Cameron; Tom Cooper; Tim Franklin; Shirine Khoury-Haq; Carla Stent

In Attendance: Jane MacLeod (Company Secretary); Veronica Branton (Head of Secretariat); Debbie Smith (CEO - Retail); Owen Woodley (CEO - FS&T); Emma Springham (Chief Marketing Officer); Chrysanthy Pispinis (Director PO Money); Martin Kearsley (Banking Director); Tom Moran (Network Development Director)

Agenda Item | Action Needed | Purpose | Lead | Timings
1. Welcome and conflicts of interest | Noting | To note any new declarations of conflicts of interest. | Chairman |
2. Minutes of previous Board and Committee meetings including Status Report | Approval | Minutes formally agreed. | Jane MacLeod | 11.45 - 11.50
3. CEO Report | Noting and Input | CEO to update the Board on the report. | CEO | 11.50 - 12.10
4. Financial Performance Report | Noting and Input | CFOO to update the Board on the report. | CFOO | 12.10 - 12.30
5. IT Security Strategy | Noting and Input | To update the Board on the organisation’s approach to Cyber Security. | Rob Houghton | 12.30 - 13.00
Lunch | | | | 13.00 - 13.15
6. Future of Cash - Banking Framework 2 | Approval | To approve the plan for Banking Framework 2. | Debbie Smith / Martin Kearsley | 13.15 - 13.45
7. ATM Partner | Noting and Input | To update the Board on progress in moving away from our current ATM Partner. | Debbie Smith / Martin Kearsley | 13.45 - 14.00
8. Retail Strategy | Approval | To present the Retail Strategy to the Board for approval. | Debbie Smith / Tom Moran | 14.00 - 14.45
9. DMB Implementation Strategy | Noting and Input | To update the Board on the proposal on DMB Strategy | Debbie Smith / Tom Moran | 14.45 - 15.00
10. Postmaster Litigation | Noting and Input | To update the Board on the Postmaster Litigation, including contingency planning. | Jane MacLeod | 15.00 - 15.15
11. BoI Negotiations | Noting and Input | To update the Board on the negotiations with BoI. | Owen Woodley / Chrysanthy Pispinis | 15.15 - 15.45
12. Marketing Effectiveness & Customer Insight | Noting and Input | To update the Board on marketing effectiveness and customer insight, including the PO Insurance growth strategy. | Owen Woodley / Emma Springham | 15.45 - 16.15
13. Health & Safety report (including violence and robberies) | Noting and Input | To update the Board on health and safety performance, including a review of robbery risk and violence in PO’s and PO's approach to mitigating these risks. | Al Cameron | 16.15 - 16.30
14. Compliance with PCI-DSS | Approval | | Rob Houghton | 16.30 - 16.35
15. Contracts: 14.1 - Digidentity | Approval | To seek the Board's approval on the contract extension for Digidentity. | Martin Edwards |
16. Items for Noting
16.1. Sealings | Noting | For the Board to be aware of the affixing of the Seal | Jane MacLeod | 16.35 - 16.50
16.2. Future Meeting Dates | Noting | For the Board to note the future meeting dates for 2018. | Jane MacLeod |
16.3. Forward Agendas | Noting | For Board to note. | Jane MacLeod |
17. Any Other Business

Group Executive Agenda

Date: Monday 12 December 2018 | Time: 09.00 - 11.00 | Location: 1.19 Wakefield

Paula Vennells (Chair) | Rob Houghton | Veronica Branton
Alisdair Cameron | Mo Kang | Micheal Passmore
Debbie Smith | Mark Davies | Catherine Hamilton
Owen Woodley | Jane MacLeod | Meredith Sharples

1. Finance: Performance - Financial Results & Review of Business Scorecard | Discussion | Al Cameron / Micheal Passmore | 09.00 - 09.20
2. Telco Strategy | Approval | Owen Woodley / Meredith Sharples | 09.20 - 10.00
3. IT Service Supplier Strategy | | Rob Houghton / Catherine Hamilton | 10.00 - 10.30
4. Postmaster Litigation (verbal) | Discussion | Jane MacLeod | 10.30 - 10.45
5. Verbal Updates from Committees and Steering Groups
Discussion
6. Review of GE Minutes, Action Points and Updates | Veronica Branton
7. Contracts for Approval | Approval for Board
10.45 - 11.00

8. Items for Noting

15.1 Health and Safety Report

Forward Agenda
9. Any other Business | Noting | All
10. Review the agenda items and the effectiveness of the sessions