Business Loss Programme Board
ONCH - Cash Loss deficiencies
Post Office Limited
Analysis Report
1. Document Control
1.1. Version Control
POL00085769
Reference: ONCH Cash Loss
Owner: Andy Hayward
Version: 0.2
Author(s): Peter Prior-Mills
Business Contact No.:
Status: Review
Date: 28th October 2011
Classification: Confidential
Contributors: Andy Hayward, Lester Chine, Cathy MacDonald, Rajendra Kondra, Joy Lennon, Sue Richardson, Dave M King, John Breeden, John Jenkinson, Doug Brown, Joanne Hancock, Helen Rose, Chris Taylor, Julia Mann, Shaun Turner, Paul Inwood, Alan Stuart
1.2. Reviewers
Role | Name | Job Title
Sign off | Lester Chine | Security Programme Manager
Peer Review | Neill Boulton | Senior Business Analyst
Peer Review | Martin Box | Principal Analyst
Confidential Page 1
Version 0.1
1.3. Stakeholders
Area Represented | Stakeholder
Security | Andy Hayward
Security | Lester Chine
P&BA | Cathy MacDonald
P&BA Branch Conformance | Alison Bolsover
Audit | Sue Richardson
Information Security | Dave M King
MI | Guy Linacre
Network | Julia Marwood
Network | John Breeden
Supply Chain | Doug Brown
Crime Risk | Joanne Hancock
2. Terms and Abbreviations
Term Meaning
ATM Automated Teller Machine (cash withdrawal machine)
BPP Branch Performance Profile (combination of Financial and Conformance)
BTS Branch Trading Statement
CBPP Conformance Branch Performance Profile
Clients Product supplier companies, contracts mostly through POFS
Customer Person requesting the Face to Face Services in Post Office Branches
FBPP Financial Branch Performance Profile
FONCH Foreign overnight cash holdings
Horizon Post Office Branch Network Counter point of sale system
MI Management Information (accessed via Credence query system)
NFSP National Federation of Sub-Postmasters
ONCH Overnight cash holdings
P&BA Product and branch accounting
POL Post Office Ltd
SPMR Sub-postmaster
3. Document Control
3.1. Version History
Version | Date | Change Details | Author
0.1 | 20/10/11 | Initial Draft | Peter Prior-Mills
0.2 | 28/10/11 | Peer review revision #1 | Peter Prior-Mills
0.3 | 01/11/11 | Peer review revision #2 | Peter Prior-Mills
0.4 | 28/11/11 | Revision of recommendations following meeting with A Hayward & S Smith | Peter Prior-Mills
3.2. Referenced Documents
Nr. | Title | Version | Date | Document Ref. | Location
Table of Contents
1. Document Control
1.1. Version Control
1.2. Reviewers
1.3. Stakeholders
2. Terms and Abbreviations
3. Document Control
3.1. Version History
3.2. Referenced Documents
4. Introduction
4.1. Background
4.2. Objectives
4.3. Scope
5. Process Mapping
5.1. Initial workshop
5.1.1. Workshop attendees (Table 1)
5.1.2. Influencing factor groups (Table 2)
5.1.3. Processes identified for mapping (Table 3)
5.2. Interconnections between process maps
5.2.1. Agent Recruitment
5.2.2. Agent Training
5.2.3. Fraud Monitoring (P&BA)
5.2.4. Audit
5.2.5. Investigations
5.2.6. Fraud Loss Monitoring (Fraud Team)
5.2.7. Cash Reporting / Cash Management
5.3. Network Transformation (Table 4)
5.4. Branch Performance Profile (Table 5)
6. Recommendations
Appendix A - Branch Performance Profile Report
Appendix B - Individual Process Maps
Appendix C - Stakeholder Feedback
4. Introduction
4.1. Background
A number of key stakeholders currently undertake BAU activities and interventions in order
to mitigate Cash Losses sustained in the Agency Network.
Although the majority are proactive and at times collaborative, it is clear that any such
activities are not clearly mapped. In order for the business to fully understand the impacts
and inter-dependencies resulting from these process interactions the processes need to be
mapped.
Once the processes are clarified it will then be possible to set out the key priorities required
for future cash loss risk mitigation.
4.2. Objectives
1. To review the current as-is processes behind the identification of Cash losses resulting
from ONCH/Audit activities for Agents
2. To provide clarity on the end-to-end Cash Loss pipeline
3. Make recommendations to improve identification of fraud, and suggest preventative
initiatives to mitigate future losses
4.3. Scope
In Scope:
• Current Agents Cash Loss processes within Post Office Ltd (POL)
  o Stakeholder activity:
    o Review of the current Cash Inventory ONCH & ATM Data streams and suitability / capability for fraud risk identification
    o Review current Network/Audit activities in relation to Agents to include Training, Intervention, Audit, Non-compliance/consequences
    o Review current aims, use, and effectiveness of the Branch Profile Report
    o Monitoring and intervention activities undertaken by P&BA
• System applications (MI) currently deployed to assist the process
Out of Scope:
• Assessment of the Fraud Management System software
  o Crown estate
  o Burglary / Robbery
  o CviT attacks
5. Process Mapping
5.1. Initial workshop
The initial workshop was held to understand the various influences and factors affecting the
risk of cash loss within the agency network.
5.1.1. Workshop attendees (Table 1)
Table 1: Names and responsibilities of those taking part in the initial workshop
Name | Area of responsibility
Andy Hayward | Operations - Security
Lester Chine | Operations - Security
Shaun Turner | Network - Branch Standards
Cathy MacDonald | Finance - Fraud & Conformance
Julia Mann | Network - Audit
Doug Brown | Supply Chain - Cash Management
Peter Prior-Mills | Operations - IT & Change
5.1.2. Influencing factor groups (Table 2)
The workshop participants listed all possible factors which could affect the risk of cash loss;
some 40+ separate factors were identified. These factors were then cluster grouped logically.
The dependencies between the factor groups were then determined and a hierarchy of
dependencies worked out where those factors which most influenced the others were ranked
above those which were the most influenced by the other factors.
Table 2: Factor groups affecting cash loss risk with examples
Factor group | Ranking | Example factors
Branch format | =1 |
Influences on Agent | =1 | Economic conditions, location, demographics, agent's lifestyle, external frauds, opportunity / temptation
Agent Recruitment | =3 | Capability, appointment / vetting, business plan, credit history, contract, pay & conditions
Management Information | =3 | Reporting accuracy, MI, data systems, data analysis
Support | 5 | Training, cash management, intervention
Non-conformance | 6 | Audit, investigations, non-conformance, transaction errors, SPMR debt
5.1.3. Processes identified for mapping (Table 3)
Following the determination of influences the workshop identified 9 processes involved in the
Cash Loss Pipeline which it was felt addressed the influencing factors and should be process
mapped in their current state.
In each case a starting and ending point for the mapping was identified to provide clarity.
Table 3: Processes to be mapped in the as-is state
Process | Start point | End point
Agent Recruitment | Vacancy arising | Opening / transfer of business
Agent Training | Agent appointment | Completion of 6-9 month audit
*Agent Transformation | Selection of Agent | Contract change
Cash Reporting | Data in branch | Net cash supply
Cash Management | SAP data output | Net cash supply
**Data Analysis | SAP data output | Decision to act
Interventions | Request / need for intervention | Correction / termination of agent
Investigation | Request / need for investigation | Correction / termination of agent (and recovery of funds)
Audit | Selection of branch | Filing of P32 audit reports
**Fraud Monitoring (P&BA) | Exception identified | Audit requested
**Fraud Loss Monitoring (Fraud Team) | Branch MI | Correction / termination of agent (and recovery of funds)
*Agent Transformation was not mapped as a change of contract type is rare; instead it was
decided to look at the Network Transformation programme and its potential impact on Cash
Loss risk levels.
**During the course of the mapping it was decided to add the Fraud Monitoring processes
conducted by P&BA and the Fraud Team; these processes cover the Data Analysis process.
It was also decided that the study should look at the resilience of the data systems
providing input to the processes (especially to Cash Management), and the nature and
effectiveness of the Branch Profile Report which guides the planned audit programme.
5.2. Interconnections between process maps
The embedded diagram shows the direct interconnections between the mapped processes
discussed below.
[Embedded diagram: Cash Loss Interconnections.PPT]
The individual process maps are attached in Appendix B.
5.2.1. Agent Recruitment
Mapped with John Breeden, and John Jenkinson
• One output trigger to the Agent Training process
• Input data from the Branch Profile Report where an existing agent is taking over
  the vacant business/branch
The Influences group of factors (General economic conditions, branch location, customer
demographics, agent’s lifestyle, external frauds, opportunity / temptation) were shown by the
workshop to have the highest impact on the risk of Agent losses or fraud, yet the Agent
Recruitment process does not take these factors fully into account.
Prospective agents are checked for County Court Judgement history, they are required to
provide references, they are interviewed directly, and a Criminal Record check is made on
those successful at interview. These measures are largely backward looking; the real risk is
in the future.
It would be helpful to understand the relative financial stresses on the applicant and even
more useful to track that factor going forward. Credit scoring is a well established method for
understanding financial stress on individuals and may act as an early indicator of possible
motivation to fraud.
5.2.2. Agent Training
Mapped with Sue Richardson
• No output triggers
• Input triggers from Agent Recruitment, and Fraud Monitoring (P&BA process)
This process is relatively self contained and is reactive in nature to demand from other
processes. The content of training materials was not examined as part of this exercise.
5.2.3. Fraud Monitoring (P&BA)
Mapped with Cathy MacDonald, Rajendra Kondra, and Joy Lennon
• Output triggers to Agent Training, and Audit processes
• One input trigger from Fraud Loss Monitoring (Fraud Team process)
This process is largely concerned with combing the MI data available through POL SAP and
Credence to identify patterns indicative of increased risk or actual losses. This process would
benefit from software tools to automate the search for trends wherever possible leaving the
P&BA staff to concentrate on the interpretation of trends or anomalies rather than raw data
sifting.
There may be scope here to look at available analytics software which might assist the
process. I understand that there is a piece of software held by P&BA called Audit Command
Language which may help, but that there are no staff trained to use this software; as a result,
at this stage I cannot comment on its capabilities.
5.2.4. Audit
Mapped with Sue Richardson
• One output trigger to the Investigations process
• Input triggers from Fraud Loss Monitoring (Fraud Team process) and Fraud
  Monitoring (P&BA process)
• Branch selection for Audit Plan based on scores in the Branch Profile Report
Although often spoken of as if it were a fraud prevention device, audit is in reality simply a
means of checking whether the assets within a branch correspond to our record of assets.
Where there is a discrepancy it is not necessarily possible to say how that difference arose.
As with all auditing systems, the more places you look, the more discrepancy you are likely to
find. Audit resources are not however infinite, so targeting the audit resource is valuable; this
is the reason for the Branch Performance Profile report, which is discussed in section 5.4
below.
5.2.5. Investigations
Mapped with Lester Chine
• Input trigger from Audit
The Investigations process is necessarily internally complex, essentially reactive in nature,
and is entered into only when there are strong indications that something is amiss.
5.2.6. Fraud Loss Monitoring (Fraud Team)
Mapped with Jo Hancock, Helen Rose, and Chris Taylor
• Output triggers to Fraud Monitoring (P&BA process), and Audit
• Data inputs from branch MI (Credence) and Excel format cash holding reports from
  the Cash Management process
The Fraud Loss Monitoring process is concerned with identifying and understanding the wider
scale threat pattern and any emerging trends of data which might act as indicators of
increased risk of cash loss or fraud.
5.2.7. Cash Reporting / Cash Management (combined map)
Mapped with Doug Brown
• One output trigger to Managing Surplus Cash Branches, a sub-process for excess
  cash recovery.
Data / information connections:
• Outputs Excel reports on cash holdings and targets (daily & monthly) to Fraud Team
  for the Fraud Loss Monitoring process
• Outputs data to the Branch Profile Report which in turn influences the targeting of
  the Audit process
• Input data feeds from SAP ADS (cash movements), and Wincor (ATMs)
• Direct feedback from branches, via telephone, on planned order value
When a branch requests a larger cash supply than the suggested order level, provided the
increase is less than £9k it is generally allowed without challenge as the Cash Management
team has limited resource available.
The Network Team resource level currently committed to chasing the return of excess cash
from agents means that only 150 agents can be contacted each month out of c4900 which
are likely to be in surplus at any given point.
The Network Team chasing excess cash holdings does not have access to live data on branch
cash levels; this means if an agent tells them the cash has already been returned they
cannot immediately verify this.
Daily cash declaration data from agents is passed from Horizon by Fujitsu into the POL MI
stream and is then accessed by the Cash management Team who output the information as
Excel reports which concentrate on the cash holding level and the presence or absence of a
declaration by each branch.
It would be helpful to automatically analyse the cash declaration data for trends in the timing
of declarations and the levels declared by individual branches. Unusual patterns of cash
holdings or late/absent declarations may well indicate underlying issues at a branch. This sort
of analysis is currently undertaken retrospectively by P&BA where they have cause to look at
a particular branch, but it is not routinely done due to the manual intervention currently
necessary.
5.3. Network Transformation (Table 4)
Since Network Transformation is a programme, it was not mapped as a process; instead it was
examined for the impact that its changes to agent contracts will have on overall cash loss risk
levels. Input came from Paul Inwood in the Network Transformation team.
Table 4: Differences between old and new Agent contract types
Current contracts: Franchise, SPMR
New contracts: Main PO, PO Local

Liability type
  Franchise: Structural - liable for all cash losses in branch.
  SPMR: Qualified - liable for losses from staff error, fraud, etc. POL partially covers losses from burglary / robbery depending on level of SPMR negligence.
  Main PO: Liable for all POL cash in the branch. Cash on hand may include agent's seed capital.
  PO Local: Liable for all POL cash in the branch. Cash on hand may include agent's seed capital.

Liability reduction
  Franchise: Agent can buy commercial insurance cover, or reduce liability to SPMR level by buying an insurance waiver from POL.
  SPMR: Cap limits the SPMR liability to 25% of their remuneration. Hardship scheme can allow repayment to be spread over 2 years at 25% of income per month.
  Main PO: Can reduce liability to level of SPMR by paying POL an annual fee of £500 + VAT. *Proposed that there would be no cap on liability. In Multiple agencies it will be possible to offset balances between contracts.
  PO Local: Can reduce liability to level of SPMR by paying POL an annual fee of £250 + VAT. *Proposed that there would be no cap on liability. In Multiple agencies it will be possible to offset balances between contracts.

Agreement types
  Franchise: Company to Company only (small No. of historical exceptions only)
  SPMR: Company (POL) to individual. Company to Company.
  Main PO: Company to Company only (with personal guarantees from Directors)
  PO Local: Company (POL) to individual. Company to Company.

*The current proposal is that the non-contractual cap at 25% of counter income would be
replaced by full liability but with hardship arrangements which spread repayment against a
proportion of the overall business income, not just Post Office counter income.
The new contract types have been piloted with a volunteer group of agents; in addition to this
group, the new contracts have been put in place in those cases where an agent contract has
been terminated.
From April 2012 the new contract types will be introduced whenever there is an agent
resignation. With an annual churn rate of 6-7% of agents this will over time gradually reduce
the cash loss risk levels for POL.
5.4. Branch Performance Profile (Table 5)
The aim of the Branch Performance Profile report is to try to identify those branches which
are at higher risk of cash loss or fraud and to target the audit programme more closely on
them. The idea behind the report is to look at data on branch performance which might
indicate patterns of enhanced risk.
The current Branch Performance Profile (see Appendix A) is produced using 28 data streams:
11 are financial and 17 relate to conformance measures. Each data stream score is converted to
a measure on a scale of 0-10 where 0 indicates either the best performance or, in the case of
conformance, the data type is not applicable to the branch.
For the financial data streams a weighting multiplier is applied (from 0.5 to 2.0) to arrive at
the final branch score. No weighting is applied to Conformance scores though this is currently
under review and a weighting factor based on agency branch size may in the future be
applied against appropriate data streams.
The highest overall scores represent the poorest performing / highest risk branches and it is
from this group that the Audit Plan is derived.
Table 5: Data streams making up the Branch Profile Report
Financial factors
Data stream | Description | Weighting factor
ONCH Declared v Predicted | Predicted cash holdings based on historical transaction data | 0.75
ONCH Declared v Generated | Compares declared holdings to a generated figure using actual transactions | 1.5
Cash Rises at Branch Trading | ONCH peaks at branch trading | 1.25
Cash Tracker | Compares cash holdings from one year to the next | 2.0
FONCH Holdings v Sales | Excess of FONCH over authorised holdings | 0.5
Cheque Anomalies | Bounced personal cheques; Cheque transaction corrections; Cheque to Cash adjustments - val/vol; Cheque Reversals - val/vol; Cheques at site | 1.5
Postage Holdings | Excess of postage over authorised holdings | 1.0
Camelot Scratchcards | Excess of scratchcards based on number of displays | 2.0
Branch Debt | Level of centrally settled debt | 1.25
Length of Service | *Based on SPMR’s with less than 5 years service being more prone to commit fraud | 1.5
Non Return of Cash | Not following planned orders and returning less cash than requested | 1.0

Conformance factors
Conformance group | Individual conformance measure
 | Regulatory compliance training
Selling Products Compliantly | Bureau Transactions >£5K
 | HomePhone Mis-sell
 | Compliance Mystery Shopper
 | Mails Integrity
 | Mails Pricing in Proportion
 | Oversized Parcels
 | Redirection
 | Mail Segmentation
 | Missing MVLs
Working Efficiently | Cheque Irregularities
 | Missed or Late BTS
 | Transaction Corrections
 | Camelot Scratchcards
 | Excess Postage
 | ONCH Declarations
Managing Cash | ATM Declarations
 | ATM Cash Outs
 | FONCH
 | Customer Complaints
Providing a Great Service | Branch Closures (branch not open when planned)
 | Effect Mystery Shopper
 | Branch Appearance
 | DVLA Mystery Shopper
 | Procedural Security
Audit Activity | Bank of Ireland Audits
 | Regulatory Requirements
*It is possible that the apparent increased likelihood for fraud in the SPMR group with less
than 5 years service is a result of this group receiving more frequent audits.
5.4.1. Branch Risk Profile Project
A recent study into the Financial Branch Performance Profile has raised questions about the
effectiveness of the existing FBPP in identifying risk within the branch network.
A graduate mathematician undertook a study of the FBPP and suggested possible changes to
the data streams involved in order to improve the hit rate of fraud/loss detection. These
changes are currently under consideration by the Fraud Forum.
• As the study points out, the current hit rate for type 100 audits is 4.72%, well below
  that of the type 150 (random selection) audits at 5.35%. There are c250 type 150
  audits per year.
• The study states that type 100 audits (those driven from the high scoring branches
  on the FBPP) were not selected in a statistically effective way as the selection of
  branches is skewed by the locations and availability of the auditors. There are c1500
  type 100 audits per year.
  The FBPP top 500 scoring (worst risk factors) branches are used as the base; the list is
  worked through from the highest scoring branch down until the quota for that month
  has been selected.
  The branches with an audit in the last 6 months or a scheduled audit in the next 6
  months are skipped over. Where no auditor is available within the region this month
  the branch is booked for an audit in a later month where resource is available.
  There is a possible cost to removing this skew in the selection as a truly random
  selection could produce a clustering of audits in areas remote from our auditors’
  bases. This would increase T&S costs and potentially reduce available audit time due
  to travelling.
• The classification of a branch as “bad” in the FBPP required that it had been audited
  and the SPMR suspended; one of the changes suggested to the report is that the
  definition of “bad” should be changed to add branches where losses of £3000+ had
  been found during an audit but no suspension of the SPMR took place.
• The report states that Crown branches represented “only 4%” of the 283 “bad”
  branches. With a current agent base of 12320 and 370 Crown offices it should be
  expected that 3% of the bad branches would be Crowns; at 4% they are
  overrepresented by a third.
• 83% of data on branch debts was identified as missing. This may be the proportion of
  the branch network which does not have debt managed centrally, hence no data.
  31% of data on “non-return of cash” was reported as missing. Given that c40% of the
  network is in cash surplus at any time this may be either the portion of that group
  where the collection of the excess cash is not viable on cost/benefit grounds, or it may
  be a confusion of the cumulative demands for return vs. the excess amount actually
  held (e.g. if return of £100k surplus is requested 3 times in a week = £300k demand).
• When discussing how the model should be used, the report states “Need to audit the
  branches which the profile identifies as Bad”, but the earlier definition of “bad” within
  the report is branches which have been audited and the SPMR suspended (with the
  suggested addition of those with losses over £3k but no suspension of the SPMR), i.e.
  post audit.
  Is this meant to imply that all 500 high risk scoring branches should be audited? If
  this is the intention it would imply a large resource increase as the existing workload
  is c130 branches per month April to October with lower levels in other months due to
  business peaks (the current annual total of type 100 audits is c1500).
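The financial scoring in section 5.4 and the type 100 selection steps in section 5.4.1, worked through as an added example (not code from the report or from POL). It assumes the branch score is the sum of weight times measure, that a stream with no data contributes 0, and that a deferred branch does not count towards the month's quota; the branch codes, regions, dates and measures are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Weighting factors for the 11 financial data streams, copied from Table 5.
FBPP_WEIGHTS = {
    "ONCH Declared v Predicted": 0.75,
    "ONCH Declared v Generated": 1.5,
    "Cash Rises at Branch Trading": 1.25,
    "Cash Tracker": 2.0,
    "FONCH Holdings v Sales": 0.5,
    "Cheque Anomalies": 1.5,
    "Postage Holdings": 1.0,
    "Camelot Scratchcards": 2.0,
    "Branch Debt": 1.25,
    "Length of Service": 1.5,
    "Non Return of Cash": 1.0,
}
BASE_LIST_SIZE = 500               # the "top 500 scoring" base list
SIX_MONTHS = timedelta(days=183)   # "6 months", approximated in days


@dataclass
class Branch:
    code: str                      # constructed identifier
    region: str
    streams: dict                  # stream name -> measure on the 0-10 scale
    last_audit: Optional[date] = None
    next_audit: Optional[date] = None


def fbpp_score(streams):
    """Return (weighted score, streams with no data).

    Assumption: score = sum(weight * measure). A missing stream adds 0, which
    looks the same as "best performance", so the gaps are reported separately.
    """
    missing = sorted(set(FBPP_WEIGHTS) - set(streams))
    total = 0.0
    for name, measure in streams.items():
        if name not in FBPP_WEIGHTS:
            raise KeyError(f"unknown data stream: {name}")
        if not 0 <= measure <= 10:
            raise ValueError(f"{name}: measure {measure} is outside 0-10")
        total += FBPP_WEIGHTS[name] * measure
    return total, missing


def plan_month(branches, today, quota, auditors_by_region):
    """Work down the ranked base list; return (selected, skipped, deferred)."""
    ranked = sorted(branches, key=lambda b: fbpp_score(b.streams)[0], reverse=True)
    capacity = dict(auditors_by_region)   # audits each region can take this month
    selected, skipped, deferred = [], [], []
    for branch in ranked[:BASE_LIST_SIZE]:
        if len(selected) >= quota:
            break
        recent = (branch.last_audit is not None
                  and timedelta(0) <= today - branch.last_audit <= SIX_MONTHS)
        booked = (branch.next_audit is not None
                  and timedelta(0) <= branch.next_audit - today <= SIX_MONTHS)
        if recent or booked:
            skipped.append(branch.code)       # audited recently or already scheduled
        elif capacity.get(branch.region, 0) <= 0:
            deferred.append(branch.code)      # no auditor in region: later month
        else:
            capacity[branch.region] -= 1
            selected.append(branch.code)
    return selected, skipped, deferred


# Constructed sample data, for illustration only.
TODAY = date(2011, 11, 1)
SAMPLE = [
    Branch("BR-A", "North", {name: 10 for name in FBPP_WEIGHTS}),
    Branch("BR-B", "South", {"Cash Tracker": 10, "Camelot Scratchcards": 10},
           last_audit=date(2011, 8, 15)),
    Branch("BR-C", "Remote", {"Cash Tracker": 9, "ONCH Declared v Generated": 8}),
    Branch("BR-D", "North", {"Cheque Anomalies": 6, "Length of Service": 10}),
    Branch("BR-E", "North", {"Postage Holdings": 4}),
]

if __name__ == "__main__":
    for b in SAMPLE:
        score, missing = fbpp_score(b.streams)
        print(f"{b.code} {b.region:6} score={score:6.2f} streams without data={len(missing)}")
    print(plan_month(SAMPLE, TODAY, quota=2, auditors_by_region={"North": 2, "South": 1}))
```

In the sample plan BR-C outranks BR-D but is deferred because its region has no auditor, so the lower-scoring branch is audited first; this is the selection skew the study describes.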
5.5. Data Resilience
The data model for POL reflects the complexity of the business:
• Broad product offering with 170+ products on sale
• Counter transactions in branch
• 12320 Agency outlets and 370 Crown offices
• Web transactions
• Call centre based transactions
• 3rd party suppliers of service products (clients)
• Joint venture intermediary company (POFS)
For illustration the following diagram represents the main data connections within the model
for counter transactions only:
[Diagram not reproduced; surviving labels: MI, Credence]
The PING system takes transaction data from 3rd party Clients and suppliers (including Post
& Go, ATMs, Pay Station, and Lottery) and sends it to Horizon so that branches can reconcile
their transactions correctly.
The potential to link Pay Station directly into Horizon is being examined at present.
In terms of risk to data integrity and resilience the main area of concern is the limited
co-ordination and compatibility in the data systems and security of our 3rd party clients.
Reducing these risks is complicated by our relationship with them being via our joint venture
(POFS) with Bank of Ireland; this means we have no direct contractual relationship in most
cases.
An illustration of how this data systems complexity makes POL vulnerable is provided by a
case where individuals with knowledge of the security systems around Bank of Ireland credit
cards exploited our marketing initiative which allows POL credit card users to buy foreign
currency at Post Offices without incurring a cash transaction fee.
The fraud was perpetrated by drawing a quantity of foreign currency (First Rate data
systems) via a POL credit card (Bank of Ireland data systems) and then hacking into the
credit card data system to delete the transaction from the individual card account.
Cross supplier linked product propositions should be routinely examined by IT Security for
potential risk of fraud before the proposition is launched.
6. Recommendations
The processes surrounding cash losses and the cash pipeline are complex and have
developed over time in response to changing risks.
This report is the result of a requirement to understand the as-is processes and how they
interact with each other; nonetheless there are some issues which have become clear and to
which I have suggested the fixes listed below.
Columns: Issue | Recommendation / Mitigation | Next Steps | Owner | Timescale

Agent Recruitment:

Issue: Recruitment checks: The Influences group of factors have the highest impact on the risk of agent losses/fraud yet the agent recruitment process does not take these factors fully into account
Recommendation / Mitigation: As part of the recruitment process a credit scoring check should be run to determine if an applicant is under financial duress. The agent contract should have a clause added to allow POL to continue monitoring an agent's credit score. Trends of worsening credit scores would warn of increasing financial stress and therefore increasing risk.
Next Steps: ‘Enhanced Vetting’ business case is currently ongoing. PID being drafted, with stakeholder liaison and input. Awaiting reply from Risk & Compliance team on legal liability and data sharing issues.
Owner: Security, Andy Hayward
Timescale: April 12

Issue: New Applicant process: What criteria is applied in deciding suitability within the business case, including scoring mechanism (H,M,L), CRC check and business loan/risk ratio.
Recommendation / Mitigation:
- Review current new applicant process
- What criteria is in place if applicant fails CRC check?
- I.D. Verification of applicant within process?
- Where does the Debarment process fit?
- POL currently pays for CRC checks. Scope appetite to transfer cost to applicant
Next Steps: Contracts team are currently undertaking a review of the new applicant process (lead: Kathleen Griffin). Ensure recommendations (1&2) are included within discussions.
Owner: Network Contracts, John Breeden

Issue: New Applicant training: If the Cash management elements within the training plan are not robustly delivered and/or understood by the new sub postmaster, could lead to further risks post appointment.
Recommendation / Mitigation:
- Review current cash management training delivered
- Ensure any review processes/visits include cash management capability.
- Network are currently piloting a revised post appointment visit plan (inc. training?)
Next Steps: Clarify with Network teams on current training plans in place. Review findings from revised 6-9 month visits
Owner: Network training team (Sue Richardson?)

Cash Reporting & Management:

Issue: Cash Management process: Where a branch is not happy with the advised cash supply figure they can call the Cash Management Team and request a larger cash order. Provided the increase is less than £9k it is generally allowed without challenge as the team has limited resource.
Recommendation / Mitigation: Consider the cost / benefit of increasing resource within the cash management team to engage with more agents challenging cash supply figures. Consider changing the initial method for agents to challenge cash supply orders to electronic means, e.g. via Horizon. This would allow the cash management team to better manage their available resource and focus on looking for trends in cash challenges.
Owner: Cash Inventory / Security (Doug Brown / Lester Chine)

Issue: Managing Cash Surplus Branches: The Network team resource level currently committed to chasing the return of excess cash from agents means that only 150 agents can be contacted each month out of c4900 which are in surplus at any point.
Recommendation / Mitigation: Examine the cost / benefit impact of increasing the available Network team resource engaged in chasing agents for the return of excess cash holdings. This may have impacts elsewhere if resource is transferred from other tasks.
Owner: Cash Inventory / Security (Doug Brown / Lester Chine)

Issue: Managing Cash Surplus Branches: The Network team chasing excess cash holdings does not have access to live data on branch cash levels; this means if an agent tells them the cash has been sent they cannot verify.
Recommendation / Mitigation: Investigate the practicality and cost of giving access to the live cash level / movements data to the Network team.
Owner: Cash Inventory / Security (Doug Brown / Lester Chine)

Issue: Conformance: Although there is a ‘consequences’ process that can be instigated by Network (i.e. charging for visits), there does not appear to be any consequences/penalties for non-compliance to cash management.
Recommendation / Mitigation: Review the use of the consequence process and if and how it could be developed for use in conjunction with ONCH/cash management
Owner: Cash Inventory (Doug Brown)

Issue: Cash declarations: made by agents each day on Horizon cannot be readily analysed for patterns which might indicate risk as the data is passed from Horizon by Fujitsu into the POL MI stream and is then accessed by the cash management team and output as excel reports which concentrate on the cash holding level and the presence or absence of a declaration by each branch.
Recommendation / Mitigation: Consider the practicality of a software solution to analyse the MI data stream for trends in both the timeliness of cash declarations and overall cash holdings. This functionality may be possible within Credence but would require a feasibility study to cost.
Owner: Cash Inventory (Doug Brown)

Issue: Analysis of cash returns: Failure to spot branch trends for excess cash returns by branches could lead to increase risk in ability to identify losses at source
Recommendation / Mitigation: Gradient Model: Currently being piloted (Nov - Feb), Results will dictate RoI and whether to include in Financial Branch Profile Performance (FBPP).
Owner: P&BA / Security

Fraud Loss Monitoring:
10 | Financial Loss: The current FBPP is used to identify branches for inclusion in the monthly audit plan, with loss identification at 5% (the same as random audits). Better use of risk based methodology may increase both loss identification and reduction by earlier identification. | Review undertaken of the current FBPP | Pilot the FBPP Jan-Feb and review findings March 12. Report back to R&CC. Ensure skills capability in place for monthly update of new profile. | Security (Chris Thorpe) | March 2012
11 | Lessons Learnt/Autopsy: Failure to identify trends following termination of contract (investigation, audit and/or contractual), could increase risk in identifying and mitigating losses and potential new data streams. | Autopsy process required to include lessons learnt for those dismissed (contractual, audit and fraud investigation) | | Security | March 2012
12 | Financial Investigation: Currently undertaken after a loss has been discovered, which is reactive and could impact on loss recovery. | Better application of the Proceeds Of Crime Act (POCA). Branches under suspicion via fraud monitoring could be subject to a F.I. check to establish risk. | Assess branches currently ‘under suspicion’ and test through use of POCA findings. | Security | March 2012
13 | Branch Risk Assessment: Currently undertaken by use of data streams (Excel) and a manual risk assessment by individual(s), which could limit the ability to efficiently identify risk. | Better use of software to assist in risk identification. | Pilot currently ongoing for fraud software systems | Security | Dec 2011
14 | Branch Profiling: The casework and audit databases are primarily used as data gathering tools, with minimal use for proactive risk pattern analysis. This could impact on the ability to spot trends in risk profiling (offender, branch type/location, loss MO). | Better use of data to identify risk profiling, which could lead to more proactive targeting of resource for both fraud programme and audit intervention. | Scope current databases and information contained within. Agree future requirements and capability to deliver. | Security / Audit | March 2012
Additional:
15 | Data Resilience: There is an increased risk caused by the diverse 3rd party supply base and the varying levels of data security in place at the service providers. This can create opportunities which can be exploited by fraudsters. | Make security co-operation and compatibility core to any future supplier contracts. Ensure that all cross-supplier marketing initiatives are thoroughly examined by IT Security for potential exposure to increased risk of fraud before they are implemented. | To be clarified before progression. This may be cost prohibitive given the contractual implications for data suppliers (i.e. Horizon, Credence etc.).
16 | Risk of staged robberies is currently increased by the non-contractual policy of capping SPMR liability for cash loss to 25% of their income. | Implement the proposed change to new contracts which removes the cap but replaces it with enhanced hardship procedures to spread repayment of losses over time. | Check contractual changes with N.T. contracts as this may be subject to change
Appendix A - Branch Performance Profile Report
The documents embedded below are examples of the combined Branch Performance Profile
report and the separate Financial and Conformance reports which contribute to it.
Combined Branch Performance Profile
Financial Branch Performance Profile
Conformance Branch Performance Profile
Appendix B - Individual Process Maps
Agent Recruitment 0.2.PPT
Agent Training 0.2.PPT
Fraud Monitoring 0.2.PPT
Audit Process 0.2.PPT
Investigations 0.2.PPT
Fraud Loss Monitoring 0.2.PPT
Cash Reporting & Management 0.2.PPT
Managing Surplus Cash Branches 0.2.PI
Appendix C — Stakeholder Feedback