POL00027479 - Post Office Ltd Risk and Compliance Committee meeting 20th January 2014 Agenda
POL00027479
Post Office Ltd — Strictly Confidential
Risk and Compliance Committee (R&CC) - Reference: R&CC/MIN/JAN14
Date: 20th January 2014 | Venue: POL Boardroom, 148 Old Street, London | Time: 13.30 - 15.30
Attending:
Chris Aujard | General Counsel | Chair
Chris Day | Chief Financial Officer | Member
Alwen Lyons | Company Secretary | Member
Martin Edwards | Chief of Staff | Report (for Paula Vennells)
Dave Mason | Head of Risk & Compliance | Report
Jonathan Hill | Head of Financial Services Risk | Report (for Nick Kennett)
Julie George | Head of Information Security | Report
Rob Bolton | Assurance Adviser | Secretariat
Apologies:
Paula Vennells | Chief Executive Officer | Member
Neil Hayward | Group People Director | Member
The committee was asked to endorse the risk management approach and methodology and to provide feedback on the content and structure of future risk reporting.
Discussion
The overview of ExCo risks paper was discussed and the committee reviewed each risk, considering whether:
- the ExCo view was an accurate reflection of the risk
- the governance structure was appropriate for the risks
- had there been enough progress in managing the risk
An overview of the risk management approach and progress to date was provided and the committee requested
an interim update on progress every 4 weeks outside of the normal committee meeting schedule. The committee
provided feedback on the structure and content of risk reporting and it was agreed that the name of the business
partner and the risk owner be identified in future updates. The committee also requested that consideration be
given to the use of a RAG status to more clearly identify the quantum of risk.
As a general point the committee asked that consideration be given to more clearly describing the top risks in
the interests of clarity — this will be reflected in subsequent reports to the committee.
The top risks were discussed by exception and the following comments were made; however, no significant concerns were raised:
Integrity of Horizon System
It was agreed that, whilst this is more of an issue than a risk, the progress on managing Sparrow would continue
to be reported to the committee. It was noted that assurance work was being planned on Sparrow, especially
with regard to its dependency on the Business Improvement Programme.
Inadequate People Capability
The committee was concerned that the risk was too focused on the capability of those currently employed rather
than the mix of people and skills we need to deliver the strategic plan and a sustainable business. It was agreed
that this will be followed up with the risk owner.
Data Security / Cyber Security
It was confirmed that merging the two risks had been agreed with Lesley Sewell (Chief Information Officer) and
Julie George (Head of Information Security). The committee expressed concern regarding the IT capability in the
R&C team and it was confirmed that a new IT Business Partner with experience in this field was due to start in
Failure to Deliver Top Line Growth
The committee requested that, for future meetings, more information be provided about how the risk was being managed and controlled.
The committee endorsed the risk management approach and methodology
The committee provided feedback on the structure and content of future risk reporting
Ref | Action | Lead
1557 | Interim update on risk management progress to be provided to the committee every 4 weeks | Dave Mason
To conduct a “deep dive” session on the management of the FS mis-selling risk
The committee received a presentation on the FS Mis-selling risk. The committee suggested that the appropriate
Risk & Compliance business partner should attend future deep dive sessions to support the risk owner.
The committee asked for more detail regarding the training and development controls and the risk owner
explained that 100 mortgage specialists would be in place by April 2014 together with training & development
logs retained in a central admin team in London.
The committee requested details of the ‘go-live’ decision for Mortgage Market Review. The risk owner explained
this was performed through the Mortgage Market Review Governance Board which would be confirmed. The risk
owner also confirmed that the Financial Services Sub Committee was under review and that terms of reference
would be provided in due course.
The Key Risk Indicator (KRI) measures were reviewed and the committee asked for more detail on how the
tolerances had been calculated. The risk owner provided an explanation of how the tolerances had been
identified and agreed.
Ref | Action | Lead
1558 | Confirm that the MMR Governance Board provides final sign off for mortgage product | Jonathan Hill
1559 | Provide the terms of reference for the Financial Services Sub Committee once review of this forum completed | Jonathan Hill
The committee was asked to approve a number of business policies as part of the agreed governance
process
Four policies had been submitted to the meeting for approval by the committee:
- Anti-Bribery
- External Data Protection
- Data Sharing
- Acceptable Use
With the exception of Acceptable Use, the policies were agreed and approved for further submission to ExCo for final endorsement.
It was the view of the committee that the Acceptable Use policy could not be approved until further work had been performed, and it was agreed that once this had been completed an updated policy would be re-submitted to a future Risk & Compliance Committee for approval.
The committee approved the Anti-Bribery, External Data Protection and Data Sharing policies to be submitted to
ExCo for final endorsement
Ref | Action | Lead
1560 | Approved policies to be submitted to next available ExCo for final endorsement | Rob Bolton
1561 | Re-submit updated Acceptable Use policy to a future Risk & Compliance Committee for approval | Julie George
The committee was asked to note the implications of risk events and near misses and agree any recommendations for future events.
The risk events paper was reviewed and it was agreed by the committee that future reporting should include an impact assessment for each reported event.
The committee focused on the reported business continuity related events and the committee requested a full
report on the status of business continuity to be provided to the next meeting
The committee did not reach a view on the recommendations in the risk events paper, and the paper relating to assurance activity was not reviewed.
The committee agreed future risk event reporting to continue and that it include an impact assessment for each
of the reported events
The committee requested a full BCM status report to be provided to the next meeting
The committee did not reach a view on the recommendations in the risk events paper or review the assurance
activity paper
Ref | Action | Lead
1562 | A full BCM status report to be provided to the next meeting | Dave Mason
The committee was asked to review and agree the update on the outstanding actions from the last meeting.
A full update had been provided in advance and it was explained that there was a risk that the Information
Security team does not have enough resource to manage the required activity. The committee agreed that the
risk needed to be quantified and requested a paper to be provided to this effect, including options for Post Office
and identification of the residual risk under each option.
The committee asked that the Information Security resource risk to be quantified
Ref | Action | Lead
1563 | Paper to be submitted to the next meeting that quantifies the Information Security resource risk, including options for Post Office and the identification of residual risk under each option | Julie George
The committee was asked to endorse the progress against risk plans and suggest any further
recommendations
The risk management update that had been provided was discussed. The committee queried the pace of
progress against risk plans and it was explained that whilst there had been some good progress, this could have
been quicker although now the Christmas period was over it was likely that this would improve. The committee
agreed that the Risk & Compliance business partners should be more challenging in their discussions with risk
owners and in any reporting to the committee.
The committee also considered the profile of risk management and associated risk discussions and it was
confirmed that a piece of assurance work was currently being performed, in the area of governance and terms of
reference, that would focus on the profile of risk management. The results of this would be reported to the next
committee meeting.
The committee agreed and endorsed progress against risk plans
The committee agreed a governance and terms of reference assurance report to be provided to the next meeting
Ref | Action | Lead
1564 | Results of assurance work on governance and terms of reference to be reported to the next meeting | Dave Mason
are completed
The committee agreed the minutes from the last meeting in October 2013 and all actions were confirmed as
completed
The committee agreed the minutes from the previous meeting as an accurate record
The committee agreed that all outstanding actions were confirmed as closed.
None
The committee was asked to consider any other business not captured in the agenda and agree any
necessary actions
Three AOB items had been identified:
National Measurement Office
McColls Multiple Partner
Terms of Reference
National Measurement Office (NMO):
It had been identified that the scales in use at self-service kiosks need to be certified together with the linked
component of the Horizon system. This was being progressed via the Crown Transformation Programme. A
review of the corresponding licence for counter scales has revealed that current certification expires in 2014 and
this is being progressed with the NMO. The committee requested that confirmation be provided when this certification had been achieved.
McColls Multiple Partner:
The Network Transformation Programme is currently engaging with this multiple partner to convert 192 branches
to new models however it was suggested that this could lead to a concentration risk of too many branches
operated by this partner. The committee queried what risk assessments are conducted when working with multiple partners in the NT Programme and requested that a representative from the NT Programme attend the next meeting to explain.
Terms of Reference:
The terms of reference had been re-drafted to reflect the recent changes in the committee focus and
membership. The updated terms of reference to be circulated by email for agreement by the membership
The committee requested confirmation of the certification of scales required by the NMO
The committee requested confirmation of what risk assessments are performed when working with multiple
partners in the NT programme
The committee agreed that the updated terms of reference be circulated to members for agreement
Ref | Action | Lead
1565 | Report to be provided for the next meeting to explain what risk assessments are conducted when working with multiple partners in the NT Programme | Dave Mason
1566 | Updated terms of reference to be circulated to members for agreement | Rob Bolton
Rob Bolton, Risk & Assurance Adviser
Ref | Action | Lead | Update
1557 | Interim update on risk management progress to be provided to the committee every 4 weeks | Dave Mason |
1558 | Confirm that the MMR Governance Board provides final sign off for mortgage product | Jonathan Hill |
1559 | Provide the terms of reference for the Financial Services Sub Committee once review of this forum completed | Jonathan Hill |
1560 | Approved policies to be submitted to next available ExCo for final endorsement | Rob Bolton |
1561 | Re-submit updated Acceptable Use policy to a future Risk & Compliance Committee for approval | Julie George |
1562 | A full BCM status report to be provided to the next meeting | Dave Mason |
1563 | Paper to be submitted to the next meeting that quantifies the Information Security resource risk, including options for Post Office and the identification of residual risk under each option | Julie George |
1564 | Results of assurance work on governance and terms of reference to be reported to the next meeting | Dave Mason |
1565 | Report to be provided for the next meeting to explain what risk assessments are conducted when working with multiple partners in the NT Programme | Dave Mason |
1566 | Updated terms of reference to be circulated to members for agreement | Rob Bolton |