POL00027483 - Post Office Board Risk Management Update November 2013

POL00027483

Strictly confidential

POST OFFICE LTD BOARD

Risk Management Update November 2013

1. Purpose
The purpose of this paper is to:

1.1 update the Board on the ExCo assessment of risks facing Post Office in the
achievement of its strategic objectives; and

1.2 update the Board on the progress made with implementing a risk management
framework and developing a risk management culture in Post Office.

2. Key risks

2.1 ExCo has continued to refine its assessment of the key risks in achieving its
strategic objectives through an iterative process of workshops, facilitated by the
Risk Management function. As a result, ExCo has identified six critical risks
which require top management attention. These are:

2.2 Allegations relating to the integrity of the Horizon system
ExCo Owner: Chris Aujard

There is a risk that the allegations relating to the integrity of the Horizon system,
if not contained, could raise wider questions over the robustness of our core
systems and our ability to operate, damaging (amongst other matters) current
partnerships, new areas of expansion and public and government confidence.

Key Impacts: Reputational - Consumer Confidence | Long term brand damage |
reduced brand strength with potential partnerships/joint ventures | political
impact.

Key Controls & assurance: Project Sparrow and the related Business
Improvement Programme | Sparrow lessons learned work | Risk Function to carry
out review.

2.3 Failure to deliver top line growth in line with strategic plans
ExCo Owner: Martin George & Nick Kennett

Failure to meet our strategic imperative to protect channel income whilst growing
our retail business will ultimately prevent our ability to reach commercial
sustainability. In particular lack of growth in FS will have a detrimental impact on
delivery of the strategic plan. Non delivery of growth targets will reduce the
appeal of the franchise model impacting Network Transformation. There is an
immediate threat that long term growth targets could become unachievable if we
do not respond quickly to competitors.

Key Impacts: Inability to reach commercial sustainability | Reduces appeal of
Franchise model

Risk management update Nov 2013 Chris Aujard Page 1 of 5
21 November 2013

Key Causes: Failure to respond to shifting consumer behaviour | Failure to
respond to the competitive market with pace | Capability of people | Operational
failures — process and systems | Brand damage/image, particularly significant to
FS business (with a growth target of 70% by 2020) | Overly optimistic planning
assumptions | poor industrial relations

Key controls & assurance: Quarterly performance reviews | Weekly Trading
Board | Commercial plan in place

2.4 Operating Model fails to deliver requisite cost savings
ExCo Owner: Chris Day

Reduction of costs and sustained cost management are imperative if we are to
generate the level of profitability required to make Post Office commercially
sustainable. A multi-faceted programme of transformation coupled with
challenging growth targets can conflict with a cost reduction programme.

Key Impacts: Inability to reach commercial sustainability

Key Causes: Failure/Pace of Network Transformation | Culture — not cost
conscious | Conflict with other priority programme e.g. NT | Fixed cost creep as
growth targets met | Union opposition

Key controls & assurance: Benefits realisation project | NAO value for money
standard | external benchmarking

2.5 Inadequate people capability or capacity to deliver transformational change
and the strategic plan

Exec Owner: Fay Healey

The capability of our people is critical to successful delivery of all facets of the
strategy. There is a risk that we cannot retain, recruit and effectively performance
manage our people to the level of capability required within the necessary
timeframe. Additionally, as we continue to grow our capability there is a risk that
the pool of existing talent is oversubscribed increasing pressure and reducing
their effectiveness.

Key Impacts: Transformation unachievable

Key Causes: Inability to retain talent — through poorly conceived or poorly
executed change management (overworked), Lack of engagement, lack of
development | Inability to attract talent — brand, pay etc | Ineffective training and
development

Key controls & assurance: tactical skills development | Talent development
programme | FS Academy | performance management | Carry out gap analysis
against the skills required to deliver the 2020 plan.

2.6 Non-delivery of Network Transformation Programme
Exec Owner: Kevin Gilliland

Short term issue regarding the successful engagement of the NFSP in supporting
NTP.

In the longer term, failure to deliver network transformation in a timely fashion
would result in a non-viable business model requiring additional subsidy from the
Government or closure of branches, neither of which are sustainable options.
There is an immediate risk that if we do not move quickly, we may find that we
cannot secure the retail partners we need to secure the future of our network.

Key Impacts: Increased Costs | Reduced Income growth | Unable to meet
Customer needs | Credibility of leadership.

Key Causes: Unattractive proposition | Poor project execution | Poor
communication/engagement with agents | Non-delivery of growth.

Key controls & assurance: McKinsey & BIS reviews | stakeholder engagement
plan | RM project audit | 2nd line risk review.

2.7 Strike action within supply chain could damage ability to distribute cash to
network (IR/CWU)
Exec Owner: Kevin Gilliland

Whilst there are multiple controls, and back up plans, in place to mitigate the risk
of a breakdown in cash distribution there is a risk that these will be insufficient to
deal with continued strike action. The impact of branches not receiving the
cash they need to serve our most vulnerable customers would be detrimental to
the Post Office reputation.

Key Impacts: Reputational Damage

Key Causes: Poor communication/engagement with unions | Union demands at
odds with strategic direction of becoming a commercially sustainable business

Key controls & assurance: internal & external communications plans | 3rd party
contingency planning | Working group examining alternative carriers/ways of
working.

2.8 In addition to the above risks, ExCo identified three further risks which require
continuous monitoring, specifically:

• the risk of regulatory action or reputational damage from FS mis-selling;

• maintaining the security and integrity of Post Office data; and

• the successful delivery and operation following IT transformation

2.9 It is important to note that all nine of these risks are interdependent and should
be viewed collectively to determine the overall impact on the strategic plan.

In addition to the controls outlined above, the management of these risks is
reviewed by ExCo on a weekly basis to provide assurance that plans are
delivering the required outcomes.

3. Progress on implementation of a risk management framework

3.1 The following activities are complete in respect of the delivery of the risk
management plan:

• Recruitment of all current template roles is now finalised with two recruits
already in post and the remaining two starting over the next few weeks,
bringing the Risk Management function up to full strength;

• As referred to above, ExCo has carried out a risk identification and
assessment session, together with two subsequent reviews to refine this
assessment;

• Each directorate lead team (with the exception of Communications —
scheduled for 28th Nov and Corporate Services) has conducted a similar
risk workshop to identify risks at the next level down from the enterprise
view;

• The Risk & Compliance Committee has been restructured to focus on
management of risks in Post Office and to oversee progress against the
plan;

• The Risk Function has started professional training in risk management to
enhance their current experience and knowledge;

• On-going benchmarking with other organisations has been established;
and

• A review of the risk management software has been completed.

3.2 By the end of the financial year it is expected that risk management will be active
at tier 1 (ExCo) and tier 2 (directorate lead team) with continuous support from
the Risk Function’s business partners who will act as full-time risk champions to
facilitate and monitor the approach. In this context, active means:

• Risks are regularly reviewed;

• Risks are owned by an accountable individual;

• Risk appetite and target levels of risk have been agreed;

• Controls and assurance measures for significant risks have been
established; and

• Action plans are in place to manage risks and are regularly monitored for
effectiveness.

3.3 In addition to the above, a road map for developing risk management in the Post
Office will be submitted to the ARC for approval in February 2014, setting out the
key milestones across 1, 3 and 5 year horizons.

4. Recommendations

4.1 The Board is asked to:

• Note the update and actions set out above; and

• Provide feedback on the actions outlined above.

Chris Aujard

General Counsel
21 November 2013