POL00038603
POL00038603
INTERNAL
Post Office Fraud and Loss Prevention Policy
The purpose of this Policy is to outline the framework for the
Post Office fraud and loss prevention measures which are
employed in order to support the delivery of the Post Office
security vision.
Version 0.4
Page 1 of 10
POL00038603
POL00038603
INTERNAL
1 Introduction
The vision of Post Office security is to minimise crime and business
loss against Post Office Limited, thereby protecting our people,
customers, assets, products, brand and reputation through a risk
based, commercially focused approach that positively embraces
innovation and change.
Post Office is committed to preventing, detecting and reporting fraud
and loss, and in co-operating with the police and other appropriate
authorities in the investigation and prosecution of those responsible.
1.1 Policy Objective
The objective of this Policy is to ensure that all Post Office
employees, agents/SPMR and contractors are aware of the fraud and loss
prevention measures employed by Post Office.
The Policy covers:
* Framework principles
¢ Roles and responsibilities
e Measurement & monitoring
e Control
* Risk appetite
¢ Subordinate policies
© Governance
1.2 Risk Definition
This Policy addresses the management of fraud and loss risks faced by
Post Office. In general these risks can be summarised as;
e Risks to our property
¢ Risks to our information
e Risks to our brand and reputation
1.3 Scope of Application
This Policy applies to all areas of Post Office, including all
employees, agents/SPMR and contractors, all property and all
information.
In the case of any Post Office joint venture, outsourcing or other
‘arms-length’ arrangements, Post Office must satisfy itself through
contractual assurance arrangements that appropriate systems and
controls are in place with 3" parties to monitor and mitigate security
risk.
This Policy does not apply directly to outsourced service providers or
to suppliers.
Version 0.4 Page 2 of 10
POL00038603
POL00038603
INTERNAL
1.4 Compliance with this Policy
Compliance with the Policy is mandatory for all Post Office employees,
agents/SPMR and contractors and will be assessed as part of the
regular review processes conducted by the various Governance Framework
Forums and will be reported upon to the Security Leadership Forum.
1.5 Policy Owner
The Policy owner is the Head of Security, who has:
* Overall accountability and responsibility for setting and
maintaining the Policy and for monitoring compliance with the
Policy
e Responsibility for ensuring that the Policy remains up to date
and relevant for the Post Office
e Responsibility for ensuring that compliance issues are
identified, addressed and escalated as appropriate
1.6 Policy Revision
This Policy must be reviewed and approved by the Post Office ExCo via
the Risk & Compliance Committee on an annual basis. All revisions must
be fully documented in the ‘version history’ section of this document.
Relevant procedures must be updated to conform to the Policy and
updated within three months from the date of approval of this Policy
by the Post Office Board.
Changes to the Policy must be communicated to all relevant staff noted
on the Policy cover sheet who must in turn ensure that the changes are
cascaded to staff, contractors and/or 3*7 parties as appropriate.
2 Fraud and Loss Prevention Policy
2.1 Framework Principles
anation of what the policy ent
Version 0.4 Page 3 of 10
POL00038603
POL00038603
INTERNAL
2.2 Roles and Responsibilities
Security Governance Framework exists to manage the day-to-day
security activity within the company, provide a dedicated
security over watch and to offer advice and assistance to the
wider company on management of its security risks.
an
Security
Leadership
Forum )
i 1
p) Grapevine
Security Investigations Strategic
Governance Governance Governance
Forum Forum Forum
r 1
( >)
eseing & Crown Losses & ATM Security Grapevine Info
Coordination Gains Board Forum Sec Governance
Group u y) Forum
The Security Leadership Forum is responsible for the review and
implementation of Post Office strategic security direction and the
overall management of the Post Office security function.
Chair
Head of
Security
Member Member Member Member
Senior Security Senior Senior SecurityI ISenior Security
Manager Security Manager Manager
Physical Manager Operations svi
The Security Governance Forum is responsible for the strategic and
tactical governance of security risks and incidents against Post
Office, ensuring risk management and mitigation activity is deployed
as appropriate.
Version 0.4 Page 4 of 10
POL00038603
POL00038603
INTERNAL
Chair
Head of
Security
I T T T T 1
Member Member Member Member Member Member
Senior Senior Senior Senior GVO Senior
Security Security Security Security Security
Manager Manager Manager Manager Programme
Physical Commercial Operations GVI Manager
The Investigations Governance Forum is responsible for the strategic
and tactical governance of all live case work/criminal investigations
involving Post Office.
I T T
Menber Member Member Member Member
Senior Team Leader Team leader nh inance al
Security Operations Geese lous Security Investigator
Programme Manager Operations
The Grapevine Strategic Governance Forum is responsible for providing
a detailed review of performance information, service improvement
initiatives and end to end service improvement plans.
Manager
Member Member Member Member Member
Senior Senior Contract GVO Account Gye
Becurity omen’ Manager Management
Manager Specialist Team
The Tasking and Co-ordination Group (TCG) is responsible for providing
a framework to identify key operational priorities and deploy
Version 0.4
Page 5 of 10
POL00038603
POL00038603
INTERNAL
resources to mitigate gaps in the priorities. It acts as an
intelligence platform drawing together information sources in order to
identify current and emerging trends, deploying resources as required
in order to support the security strategy.
Chair
Senior Security
Programme Manager _
Member : Member i Member
Operations Physica. GVI
Team Leader Tean Leader Analyst
The Crown Losses and Gains Board is responsible for driving down
losses and gains within the Crown Network by deploying appropriate
strategic and tactical methods of awareness, prevention and
enforcement.
I
Member Member Member Member Member Member
CON Cash
Commercial Physical Gyr Financial I Itranstormati! I Management
Services on
Member
N
Area Manager
The ATM Security Forum is responsible for the strategic and tactical
governance of ATM risk and incidents that impact Post Office,
deploying risk management and mitigating activities as appropriate.
Version 0.4 Page 6 of 10
POL00038603
POL00038603
INTERNAL
Member I Member “Member Membex
Crown Supply
“Office ‘Chain
Network ce
OperationsI
Security I
2.3 Measurement and Monitoring
The Policy will be measured and monitored as part of the regular
review processes conducted by the various Governance Framework Forums
and will be reported upon to the Security Leadership Forum.
2.4 Control
The Security Leadership Forum is tasked with ensuring that all Post
Office employees, agents/SPMR and contractors comply with this Policy.
2.5 Risk Appetite
Security risk appetite is the maximum level of residual risk that Post
Office is prepared to accept in order to deliver its business
objectives. Security has developed a robust framework that is used to
articulate security risk appetite throughout the Post Office.
In line with the Security Vision and in support of Post Office
strategic goals, Security reviews its risk appetite on a quarterly
basis and sets target values for specific risks in light of; crime
analysis; law enforcement, industry and business intelligence, and
environmental scanning.
2.6 Supporting Policies and Procedures
This Policy supports the overarching Post Office Security Policy.
Security Procedures subordinate to this Policy are listed below with
their hyperlinks to the Post Office intranet.
2.7 Governance
The governance of security sits within the overall framework of
governance for the Post Office Operating Board as part of the Loss
Reduction Programme. The diagram at Appendix A illustrates this more
fully.
Version 0.4 Page 7 of 10
POL00038603
POL00038603
INTERNAL
3 Accessibility
This policy and any subordinate policies are available on the Post
Office intranet.
4 References
In this section, all the references to other documents should be
mentioned, including:
Ref Document Name Description Location
1
5 Glossary
The following table contains definitions for acronyms and terms used
in (and specifically in the context of) this document:
Acronym Definition Term
ACPO Association of Chief Police Officers
AT™ Automated Teller Machine
BSIA British Security Industry
Association
CON Crown Office Network
CPS (NI) Crown Prosecution Service (Northern
Ireland)
DSO Departmental Security Officer
ExCo Executive Committee
GVI Grapevine Insource
GVO Grapevine Outsource
H&S Health & Safety
NPIA National Policing Improvement Agency
PFO Procurator Fiscal Office
R&CC Risk & Compliance Committee
SLP Senior Leadership Programme
SLT Senior Leadership Team
SPMR Sub Postmaster
TCG Tasking Coordination Group
Version 0.1
Page 8 of 10
POL00038603
POL00038603
INTERNAL
Appendix A - Governance Framework
Post Office Governance Framework
H Secury related
I external governance
g ‘ ‘sakeholders
8
C Femanerton & Apo eris i ps0
: 10
i & 2 i Bank of Engtand
<€ + i PIA
E
% C “ang Bord D) C persing Boers ) ¢ “arstomaton Boars
= I I
ze San Eiterval Legal
aE ( cme) Creretarce era
a: TD a)
£ I cartwright Kings
[pro (setanc)
“crs (Nt)
Security Governance Framework
( Operating Board ) ¢ pace )
Post Office
Z { Loss Reduction Programme )
— ‘Senior Leadership Forum: >
im I 7
& Say Cavers investigations ¢ apele BETS )
4 4 Crown fama fP'Grapevine “Grapevine
\ ; 4 Gains Board Forum vernan nerman
Version 0.1
Page 9 of 10
POL00038603
POL00038603
INTERNAL
Version History
Date Version Updated by Change summary
01 Oct 13 o.1 Terry Folkman Initial draft for
Commercial
0.2 Sally Smith
Document Location
Unissued.
Distribution
For Sign-off - This document has been reviewed by the following
people:
Name Title - Department Date of Sign
off
John Scott Head of Security
David Mason
Risk & Compliance Committee
Executive Committee
Version 0.4
Page 10 of 10