POL00030969
POL00030969
GROUP POLICIES
Whistleblowing Policy
Version -— V1.5
Chief Executive’s Endorsement
The Post Office Group is committed to doing things correctly. Our Values
and Behaviours represent the conduct we expect. This Policy supports these
to help us ensure that colleagues know how to report concerns regarding
wrongdoing or dangerous practices and that they can do so without fear of
recrimination.
Internal Page 1 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
1. Overview............. ceeeeeeeeeees
1.1. Introduction by the Policy Owner
1.2. Purpose
1.3. Core Principles .....
1.4. Application ..
1.5. Legislation
1.6. What is Whistleblowing
1.7. Protecting the whistleblower
1.8. Whistleblowing Officer and ‘Speak Up’
1.9. External Disclosures..
2. Risk Appetite and Mi
2.1. Risk Appetite .
2.2. Policy Framework
2.3. Who Must Comply?..............
2.4. Minimum Control Standards ..............
3. Definitions .............
3.1. Definitions
4. . Where to go for help
4.1. Additional Policies...
4.2. How to raise a concern...
um Control Standards
4.3. Who to contact for more information 13
5. Governanceé........... 14
5.1. Governance Responsibilities .............. 14
6. Control...
6.1. Policy Version .
6.2. Policy Approval...
Company Details
Internal Page 2 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
1 « Overview
1.1. Introduction by the Policy Owner
The General Counsel has overall accountability to the Board of Directors for the
implementation of controls ensuring Post Office meets it Whistleblowing obligations.
Whistleblowing is an agenda item for the Audit and Risk Committee and the Post Office
board is updated as required.
1.2. Purpose
This Policy has been established to set the minimum operating standards relating to the
management of Whistleblowing throughout the Group!. It is one of a set of policies which
provide a clear risk and governance framework and an effective system of internal control
for the management of risk across the Group. Compliance with these policies supports the
Group in meeting its business objectives and to balance the needs of shareholders,
employees? and other stakeholders.
1.3. Core Principles
Whistleblowing is the reporting of suspected wrongdoing and/or dangerous practices
within Post Office. This would include serious accidents, fraud, regulatory breaches,
financial impropriety and/or reputational damage.
In order to encourage Whistleblowing and provide appropriate protections to
whistleblowers, the governance arrangements described in this Policy are based upon the
following core principles:
« To encourage the reporting of any concerns as soon as possible in the knowledge that
all concerns will be taken seriously and investigated, and that confidentiality will be
respected;
* To provide guidance as to how to raise those concerns;
e To provide whistleblowers reassurance that all concerns are raised without fear of
reprisals, even if they turn out to be mistaken;
e Post Office is committed to and oversees the implementation of a Policy in line with
the Group’s risk appetite. The Policy and associated procedures (set out or referred to
in this document) are proportionate to the risks and complexity of the Group;
e Post Office undertakes a training and awareness program to ensure employees are
aware of the Whistleblowing policy and procedure.
1.4. Application
This Policy is applicable to all employees within the Group and outlines the protections
provided for whistleblowers by law. In order to encourage reporting of wrongdoing, Post
Office will, where appropriate, extend equivalent protection to Postmasters, Agent
Assistants, and members of the public.
‘In this Policy “Post Office” and “Group” mean Post Office Limited and Post Office Management Services Limited.
2 In this Policy “employee” means permanent staff, temporary including agency staff, contractors, consultants and anyone else
working for or on behalf of Post Office.
Internal Page 3 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
1.5. Legislation
The Group seeks to comply with all relevant UK legal and regulatory requirements
including (but not limited to) the following legislation as amended or supplemented from
time to time:
« Employment Rights Act 1996
« Public Interest Disclosure Act 1998
1.6. What is Whistleblowing
“Whistleblowing” refers to the act of exposing potential or actual wrongdoing and/or
dangerous practices by reporting it either internally within an organisation, or to an
external party. A whistleblower is a person who raises a genuine concern in relation to any
wrongdoing, this includes criminal activity, miscarriages of justice, dangers to health and
safety and the deliberate attempt to conceal it.
Individuals? should raise a concern if they are aware of, or suspect, wrongdoing which
affects others (e.g. customers, members of the public, colleagues or the Post Office). The
following lists some examples (this is a non-exhaustive list) of situations where an
individual may raise a concern:
« Financial Crime including Fraud, Money Laundering and financing of terrorism,
Giving, offering or taking of bribes,
Financial mismanagement,
Misreporting,
Practices that could put individuals or the environment at risk,
Breach of Post Office internal policies and procedures (including the Code of
Business Standards),
« Concerns about slavery or human trafficking, and
« Any conduct likely to damage Post Office’s reputation
Grievances and matters such as bullying and harassment are addressed under Post Office’s
HR policies and concerns in relation to such matters should be raised in accordance with
the procedures set out in the appropriate HR policy.
If an individual is uncertain about whether something is within the scope of this Policy they
should seek advice from the Whistleblowing Officer, whose contact details are set out in
this Policy.
1.7. Protecting the whistleblower
Post Office has a statutory obligation to protect whistleblowers and will support any
individual who raises genuine concerns under this Policy, even if they turn out to be
mistaken. Post Office are committed to respecting the confidentiality of all
whistleblowers, and including those who wish to remain anonymous.
Post Office will make every effort to protect the whistleblower’s identity, however, it may
be necessary in the course of an investigation to share this information with a relevant
stakeholder (e.g. an investigator). There is no requirement for a whistleblower to provide
personal contact information. However, not providing this information may reduce Post
Office’s ability to undertake a thorough investigation into the concerns raised.
2 In this Policy “individuals” means Postmasters, Agent Assistants, members of the public and employees (permanent staff,
temporary including agency staff, contractors, consultants and anyone else working for or on behalf of Post Office). The
statutory protections offered under the Public Interest Disclosure Act 1998 only apply to employees, however Post Office
Limited will consider extending these protections to other individuals where they have acted in good faith in raising concerns.
Internal Page 4 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
Post Office will take all reasonable steps to ensure that whistleblowers do not suffer any
detrimental treatment as a result of raising a concern. Detrimental treatment includes
disciplinary action, dismissal, threats or other unfavourable treatment connected with
raising a concern. Serious action will be taken against any individual who threatens or
retaliates against whistleblowers in any way.
If an individual believes that they have suffered any such treatment, they should inform
the Whistleblowing Officer immediately. The Whistleblowing Officer should take steps to
address any victimisation, which may include working with the HR team to put
appropriate measures in place. If the matter is not addressed the whistleblower should
raise it formally using Post Office’s Grievance procedure.
In all cases the individual’s concerns will be treated sensitively and in confidence.
1.8. Whistleblowing Officer and ‘Speak Up’
Post Office has a appointed th
be contacted on whistleblowin
as the Whistleblowing Officer who can
The Whistleblowing Officer will review concerns raised and determine the best course of
action, if any. They may ask for further information in order to make this decision.
It is recognised that sometimes raising a concern directly with the business may not be
possible. In such instances individuals should contact the “Speak Up” line, a confidential
reporting service which is run by an independent company InTouch MCS Ltd.
Contact.details.for.the,Speak Up line are:
GRO:
fitouchfeedback.com/postoffice which is a secure on-line web portal:
All reports to the Speak Up line will be acknowledged within five working days and will
be passed to the Whistleblowing Officer.
It is also possible that individuals may whistleblow via a complaint to a front line team,
e.g. Customer complaints, NBSC and Grapevine. These may be verbal or written
communications.
In all instances any whistleblowing reports, regardless of reporting method, will be
passed onto the Whistleblowing Officer. The whistleblower may be kept informed of any
action taken, however, this information may be limited if it is required to keep the
confidence of other people.
1.9. External Disclosures
The aim of this Policy is to provide an internal mechanism for reporting, investigating
and remedying any wrongdoing in the workplace. In most cases individuals should not
find it necessary to alert anyone externally.
However, the law recognises that in some circumstances it may be appropriate for
individuals to report their concerns to an external body such as a regulator. The
independent Whistleblowing charity, Public Concern at Work have a list of prescribed
regulators for reporting certain types of concerns. Their contact details are as follows:
Helpline:
Internal Page 5 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
E-mail: whistlet_
Website: www.pci
Public Concern at Work operates free, confidential advice to people concerned about
crime, danger or wrongdoing in the workplace. Post Office strongly encourages advice is
sought out from Public Concern at Work before reporting any concern to an external
party.
Post Office Money Services (POMS) is directly regulated by the Financial Conduct
Authority (FCA). Individuals may decide to whistleblow directly to the FCA, and can do so
by using one of the following channels.
E-mail:
Website: www.fca.org.uk/site-info/contact/whistleblowing
Address: Intelligence Department (Ref IDA), Financial Conduct Authority, 25 the North
Colonnade, London E14 SHS
Internal Page 6 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
2. Risk Appetite and Minimum Control
Standards
2.1. Risk Appetite
Risk Appetite is the extent to which the Group will accept that a risk might happen in
pursuit of day to day businesses transactions. It therefore defines the boundaries of
activity and levels of exposure that the Group are willing and able to tolerate.
The Group takes its legal and regulatory responsibilities seriously and consequently has‘:
e Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances
where there are significant conflicting imperatives between conformance and
commercial practicality
e Averse risk appetite for litigation in relation to high profile cases/issues
¢ verse risk appetite for ligation in relation to Financial Services matters
e Averse risk appetite for not complying with law and regulations or deviation from
business’ conduct standards for financial crime to occur within any part of the
organisation
« Averse Risk Appetite in relation to unethical behaviour by our staff.
The Group acknowledges however that in certain scenarios even after extensive controls
have been implemented an action may still sit outside the agreed Risk Appetite.
2.2. Policy Framework
Post Office has established a suite of policies and procedures, on a risk sensitive approach
which are subject to an annual review. The policy suite is designed to comply with
applicable legislation and regulation. The Whistleblowing Policy should be considered and
read in conjunction with other policies where relevant. These may include the Financial
Crime Policy, the Anti-Bribery & Corruption Policy, Health & Safety Policies and HR Policies
where relevant.
2.3. Who Must Comply?
All third parties who. do business with the Group, including consultants, suppliers and
business and franchise partners, will be required to agree contractually to this policy or
have their own equivalent policy.
Any investigations will be carried out in accordance with the Investigations Policy which is
available on the Post Office Intranet
“The Risk appetite was agreed by the Groups Board January 2015
Internal Page 7 of 15 Whistleblowing Policy v.1.5
2.4. Minimum Control Standards
POLO0030969
POL00030969
A minimum control standard is an activity which must be in place in order to manage the risks so they remain within the defined Risk
Appetite statements. There must be mechanisms in place within each business unit to demonstrate compliance. The minimum control
standards can cover a range of control types, i.e. directive, detective, corrective and preventive which are required to ensure risks are
managed to an acceptable level and within the defined Risk Appetite.
The table below sets out the relationships between identified risk and the required minimum control standards in consideration of the stated
risk appetite. The subsequent pages define the terms used in greater detail:
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible When
Receipt and
investigation of
whistleblowing reports
Failure to meet legal and
regulatory requirements
Directive Control:
Post Office must nominate a
Whistleblowing Officer to receive
reports, ensure that all reports
are fully investigated and that.
any appropriate corrective
action is undertaken.
The whistleblowing officer must
provide a whistleblowing report
to the R&CC and ARC at least
annually.
Any serious whistleblowing
concerns must be promptly
escalated to the Chairman of the
Post Office Audit and Risk
Committee.
Preventative Control:
All employees are trained and
the policy is available to them
Post Office CEO and Board I Ongoing
Whistleblowing Officer Annually
Whistleblowing Officer Ongoing
Whistleblowing Officer Training must
be provided at
least annually
Internal
Page 8 of 15
Whistleblowing Policy v.1.5
POLO0030969
POL00030969
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
The Whistleblowing Officer must
ensure that appropriate
arrangements are in place to
ensure that whistleblowing
reports are addressed promptly
including during absences
Whistleblowing Officer
Ongoing
Breach of
confidentiality
Failure to ensure
confidentiality for the
whistleblower
Preventative Control:
Whistleblowing Policy
Confidential Speak Up line
reports are shared only with the
Whistleblowing Officer
Whistleblowing email inbox with
restricted access
Whistleblowing Officer must put
arrangement in place to protect
the confidentiality of the
whistleblower during
investigations
Corrective Control:
All incidents of breaches are
escalated to the Whistleblowing
Officer to review and take
necessary actions.
Whistleblowing Officer
Whistleblowing Officer
Whistleblowing Officer
Whistleblowing Officer
Whistleblowing Officer
Ongoing
Ongoing
Ongoing
Ongoing
Ongoing
Incorrect handling of
whistleblowing report
An individual may raise a
whistleblowing report with
other individuals in the
Group. Details may then be
shared with various
stakeholders before being
Preventative Control:
Training provided to contact
teams to identify potential
whistleblowing reports and
ensure these are correctly
handled, e.g.:
e Grapevine,
Whistleblowing Officer
Annually
Internal
Page 9 of 15
Whistleblowing Policy v.1.5
POL00030969
POL00030969
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
passed onto the
Whistleblowing Officer
e NBSC,
¢ Customer Support, and
e Executive Complaints.
Communications and awareness
provided to all employees and
Policy document published on
the Intranet.
Corrective Control:
All incidents of breaches are be
escalated to the Whistleblowing
Officer to investigate and take
appropriate actions.
Head of Financial Crime
Whistleblowing Officer
Annually
Ongoing
Insufficient
Information
Failure to capture/report
sufficient information about
the issue may mean that
the underlying issue cannot
be properly investigated and
resolved
Directive Control:
Employees are encouraged to
report issues and provide full
information and their contact
details, where they feel able to
do so
Corrective Control:
All reports, including those
where insufficient information
has been provided and no
further action was taken are
recorded on the Whistleblowing
database, which is reviewed for
trends and issues.
Whistleblowing Officer
Whistleblowing Officer
Ongoing
Ongoing
The ‘Speak Up’ Service
Failure to effectively record
whistleblowing reports and
pass onto the
Whistleblowing Officer, due
Preventative Control:
The Whistleblowing Officer must
review the effectiveness of the
service provided by InTouch Ltd
at least annually
Whistleblowing Officer
Annually
Internal
Page 10 of 15
Whistleblowing Policy v.1.5
POLO0030969
POL00030969
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
to factors such as resource
or IT failure.
The Whistleblowing Officer must
review the effectiveness of the
processes operated by each of
Grapevine, NBSC, Customer
Support, and The Executive
Complaints Team at least
annually to ensure that
whistleblowing reports are
identified and communicated
promptly.
Whistleblowing Officer
Annually
Treatment of
Whistleblowers
Breach of whistleblowing
guidelines such that a
whistleblower suffers
prejudice as a result of
making a report
Preventative Control
Training must be provided to all
people managers as part of their
induction process as a manager
and on appointment to Post
Office
Annual training must be
provided to all Post Office staff
to remind them of the
protections available to
whistleblowers and the
importance of identifying and
reporting wrongdoing
The Code of Business Standards
must refer to the whistleblowing
policy and must be provided to
all new joiners as part of their
induction programme.
Whistleblowing Officer and
HR Training Manager
Whistleblowing Officer and
HR Training Manager
Whistleblowing Officer and
HR Training Manager
Ongoing
Ongoing
Ongoing
Internal
Page 11 of 15
Whistleblowing Policy v.1.5
POL00030969
POL00030969
3 a Definitions
3.1. Definitions
Grapevine
24/7 Security Support Centre provided by Kings Ltd. Grapevine provide security advice
and record all security incidents across the business, this includes burglaries, robberies
and the reporting of suspicious activity.
Telephone Number: ve-r.
E-mail: grapevine.admin
NBSC
Network Business Support Centre (NBSC) is a helpline and the first port of call for Post
Office branches if they have any operational query or require assistance.
Telephone Number: i
E-mail: nbscenquirie:
Customer Support Team
Complaints handling team based in Chesterfield. The team address complaints reported
into Post Office via vari including post and telephone.
E-mail: customercare¢
Executive Complaints Team
This team handles all complaints addressed directly to the Group Executives. The team
liaise with various stakeholders within the business in order to resolve complaints.
E-mail: flagcaseadviso:
Internal Page 12 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
4. Where to go for help
4.1. Additional Policies
This Policy is one of a set of policies. The full set of policies can be found at:
https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx
4.2. How to raise a concern
Any Post Office employee who suspects that there is a breach in this Policy should report
this without any undue delay. Whistleblowing can be reported via the following channels:
e Their line manager,
e Asenior member of the HR Team, or
«If either or both are not available, staff can contact the Post Office’s Whistleblowing
Officer, who can_bi tacted by email at: whistleblowini or by
telephone on:
* Alternatively staff can use the Speak Up service availableon} GRO iorvia
the secure on-line web portal: http://www. intouchfeedback. cOm/POSstOttice
In some instances it may be appropriate for the individual to report in the form of a
complaint to Grapevine, the Customer Support Team or the Executive Complaints Team.
4.3. Who to contact for more information
If you need further information about this Policy or wish to report an issue in relation to
this Policy, please contact the Policy sponsor or Policy owner.
Internal Page 13 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
5 a Governance
5.1. Governance Responsibilities
As at the date of approval of this Policy, the General Counsel is both the Policy Sponsor
and Policy Owner, responsible for oversight of the Policy.
The Audit and Risk Committee are responsible for approving the Policy and overseeing
compliance.
The Board is responsible for setting the Group’s risk appetite.
Internal Page 14 of 15 Whistleblowing Policy v.1.5
POL00030969
POL00030969
6 « Control
6.1. Policy Version
Date Version I Updated by Change Details
27 April 2016 1.4 Jane MacLeod Sponsors review and sing-off
21% August 2017 1.5 Vitor Camara Annual Review and update.
6.2. Policy Approval
Group Oversight Committee: — Risk and Compliance Committee and Audit and Risk Committee
Committee Date Approved
POL RCC
POMS RCC
POL ARC
POMS ARC
Policy Sponsor: — Group Director of Legal, Risk & Governance
Policy Owner: Whistleblowing Officer
Policy Author: Head of Financial Crime
Next review: August 2018
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers
2154540 and 08459718 respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its
Information Commissioners Office registration number is ZA090585.
Post Office Limited is authorised and regulated by Her Majesty’s Revenue and Customs (HMRC), REF 12137104. Its Information
Commissioners Office registration number is 24866081.
Internal Page 15 of 15 Whistleblowing Policy v.1.5