POL00104316 - Post Office Ltd ARC Report on Annual Legal Risk Review: 2017


POL00104316


AUDIT, RISK AND COMPLIANCE COMMITTEE

Annual Legal Risk Review: 2017

Author: Ben Foat Sponsor: Jane Macleod Meeting date: 29 January 2018

Executive Summary

Context


The ARC Terms of Reference require it to undertake an annual review of risks. This paper
provides the Committee with a review of the key legal risks during 2017, their management and
what this means for our control environment.

Questions this paper addresses

* What are the key Legal risks?

* What controls are in place to manage these risks?

* What is the overall position and further actions required?

Conclusion

1. The Post Office takes its legal and regulatory responsibilities seriously and consequently
has an averse risk appetite for non-compliance with law and regulations or deviation from
its business conduct standards. In respect of contractual risk, it has averse appetite for
risk taking which would alienate or lose significant groups of profitable customers but a
tolerant risk appetite for legal and regulatory risk in those limited circumstances where
there are significant conflicting imperatives between conformance and commercial
practicality.

2. Within the last 12 months, the legal department (“Legal”) has managed approximately
1,800 matters, mostly from Retail, Operations, and Financial Services & Telecoms areas of
the business. Further development of MI will be undertaken in 18/19 to better understand
areas of risk within each area of the business.

3. Legal seeks to enhance the legal maturity of the business strategically (aligned to the
Board’s risk appetite and Post Office’s strategic imperatives) and efficiently (in accordance
with its budget). Operational managers, as a first line of defence, need to understand
legal risk and, with second line support from Legal, incorporate appropriate controls. Such
controls need to be complied with and enforced by the business.

4. The main areas of concern are:

* Contract management continues to present a legal risk to the business although
enhancements have been made to the control environment. Contract management must
be seen as a core competency of Post Office given that Post Office’s business model is
focused on the distribution of third parties’ goods and services (all of which are
underpinned by a contract) and its highly outsourced model for infrastructure support.
Further enhancements and enforcement of controls within the business should prevent
services being provided without appropriate written contracts in place or contracts being
breached because the obligations imposed are not either understood or monitored. Legal
are working closely with Procurement to embed a stronger contract compliance
culture. Supplier managers are made aware of their accountability to evidence their
compliance with meeting their respective contractual obligations. In addition, significant
improvements have been introduced over the last 12 months such as the further
development of a central repository of contracts through the existing Bravo procurement
system as well as the provision of contract and PCR training, greater enforcement of the
CAF process, and further development of the Contractual Obligations Spreadsheet.

* The business continues to improve its understanding of the complex legal and regulatory
framework within which it operates. Post Office is in the process of finalising
accountabilities and responsibilities for compliance with material laws and regulations
which apply across the organisation. The refinement of corporate policies (AML, ABC, and
Information Security) and operational processes (e.g. accessibility assessment in the
Network Transformation Decision Manual to ensure better compliance with Equality Act)
together with training and bespoke legal advice, has allowed the business to better
control regulatory risk. The new Law and Trends Forum with representatives from across
the different business areas enables Post Office to proactively identify emerging legal and
regulatory developments and embed appropriate processes to support compliance.

* Many of Post Office’s activities need to be considered in light of competition rules, and
there needs to be better understanding of the potential implications of commercial
activities such as acquisitions or joint ventures and even information sharing
arrangements. In the last 12 months, Legal developed a Compliance Guidance and FAQs,
together with bespoke training, to help operational managers understand this risk.
Further competition law training will be rolled out over the next financial year.

* The strategic direction of a number of areas of the business involves potential acquisitions
or joint ventures which give rise to a complex matrix of legal and operational risks.
Corporate M&A knowledge is dependent on a few core individuals. Legal is developing a
Corporate Acquisition Checklist and challenge process aimed at enhancing risk
management of these projects.

* The Postmaster Litigation has been reported separately to the GE and as such is not
within the scope of this report. However, as a result of the litigation, the recovery of
agent losses and prosecutions have become significantly more challenging. The risk is
that the deterrent effect of such recovery actions or prosecutions has diminished, and
opportunistic behaviours by agents may be increasing.

* Post Office takes a reactive approach to brand protection and enforcement of its
intellectual property rights. Basic controls have been employed, such as cease and desist
letters, but further enhancement could be achieved through a formal trade mark
infringement process for material infringement incidents.

5. Legal has established a draft Legal Policy which will shortly go through governance. This
Policy sets out how Post Office manages legal risk and the controls which are in place.
Legal supports the approval and execution of legal documents in accordance with the Board
approved delegations of authority; a legal Risk Report is provided in respect of all new
material contracts; legal risks are included in the Risk logs for projects by project
managers; legal and regulatory risks are monitored by the General Counsel through the
Post Office risk universe and risk registers; and potential risks arising from emerging legal
and regulatory developments are identified through the Law & Trends Forum and flagged
to the RCC and the ARC through the regular Horizon Scanning report.

6. Legal is planning to deliver further training during 2018 which will assist managers to better
understand core areas of legal risk and develop necessary processes.

Input Sought

The Committee is asked to note this report.

The Report

What are the key legal risks?
Contract Management Risk

7. As the Committee is aware, previous internal audit reports and the 2016 Legal Risk report
identified risks associated with the contract management and procurement processes.
While improvements have been made through the introduction and enhancement of a
number of controls, there remains more work to enforce a compliant culture in the
business. Current controls include:

* a contract authorisation process designed to ensure that all legal instruments go
through a consistent process with key stakeholders including Finance and Legal;

* contractual obligations spreadsheet which sets out the key deliverables or actions that
each party needs to undertake to comply with the contract. Completion and use of
these remains incomplete and inconsistent;

* Legal has developed house positions with playbooks which set out a range of
acceptable negotiated positions for the following contract types: supplier contracts,
bill payment contracts, agency network contracts, and employment contracts; and

* standardised legal risk reports.

8. Within the last 12 months, a central repository of contracts was enhanced and further
populated utilising the existing Bravo procurement system which ensures that commercial
contracts, property documents and other legal instruments are readily available. There are,
however, limitations on this repository as it does not always include Change Controls Notes
or Change Management Notes.

9. A number of historic arrangements in which services have been provided without a written
contract in place were identified:

a. There were c.50 bill payment arrangements where contracts could not be located.
This was of particular concern given POL’s obligations under its funding agreement
with the BEIS to provide SGEI Products of which bill payments is a part. However,
the business managers have been utilising the house positions developed by Legal
to remediate this issue and provide certainty around those contractual
arrangements.

b. Further, approximately 5% of all branch agency contracts cannot be located which
potentially creates issues for the Postmaster Litigation as well as operational
issues. A remediation plan is in place to ascertain those contracts. These contracts
involve individual postmasters rather than multiples and therefore do not
represent a significant risk individually.

c. Finally, the HR Weekly/Monthly dispute, which arose when POL sought to
transition weekly pay to monthly, was hindered by a lack of visibility of the various
historical versions of employee contracts. The absence of complete written
contracts results in uncertainty around the contractual position of the parties
which could also give rise to regulatory issues. A project is in place to identify
those historical arrangements which is expected to be finalised within the month.

10. It should be noted that the above arrangements are generally historical in nature and
represent a small proportion of the total number of contracts.

11. Business managers need to manage their contracts in accordance with the obligations that
are set out in the contract. The contract obligations spreadsheet is a document that helps
the business map out those obligations. Consistent use of this spreadsheet will mitigate
against the risk that Post Office breaches the specific obligations set out in the contract
and/or fails to enforce the obligations owed to it by the third party. This control should be
enforced for all material contracts.

Further actions
12. Further enhancement of controls could be achieved with:

* a new procurement and contract management system (replacement of Bravo) to
provide greater functionality and automation in relation to contracting processes. It
will be important that, in any such system, business managers who manage the
contracts have access to such system.

* Legal is planning further training to the business in 18/19 to improve their
understanding of the contractual obligations and of the impact of contracts on other
areas within the business.

Non compliance with legal and regulatory requirements

13. Post Office is a multiline business with a number of complex legislative and regulatory
obligations. The RCC and ARC received a report on Post Office’s legal and regulatory
framework in September last year which set out the material pieces of legislation and
regulations that apply to the different business areas across the organisation as well as its
key regulators. GE accountabilities and responsibilities of these laws and regulations are
in the process of being finalised. This clarification of ownership will provide a further
opportunity to enforce existing controls and develop additional controls where appropriate.

14. The key regulators relevant to Post Office include:

* HMRC: AML in relation to regulated products and services;

* ICO: Data Protection (issues involving the use of personal data) and
Freedom of Information;

* CMA: Competition (anti-trust);

* OFCOM: Telecommunications and mails;

* FCA: Financial Services (directly relevant to POMS), but also regulates
competition in financial services, consumer credit and payments
services (in its dual capacity as Payment Services Regulator).

15. Generally, controls supporting regulatory compliance across the business have been
clarified or enhanced over the last year. Examples include:

* The accessibility assessment in the Network Transformation Decision Manual was
refreshed and re-emphasised when the Retail team had not completed the
assessment in a number of instances (Chobham and Ayleston). Failure to undertake
this assessment could expose Post Office and the postmaster to a risk of challenge
under the Equality Act;

* There continue to be instances of non-compliance with Public Contracts Regulation
(PCR) which will be addressed separately in the Procurement Director’s Report.
However, Legal has drafted a Procurement manual aimed at improving the
business's understanding of PCR obligations on Post Office;

* Training was provided to relevant stakeholders on GDPR and SMCR.

16. A new Law and Trends Forum with representatives from across the different business areas
was established last year to enable Post Office to proactively identify emerging legal and
regulatory developments and to design and embed appropriate processes to support
compliance. Any such developments will be flagged through the Horizon Scanning Report.

Further actions

17. The General Counsel is in the process of recruiting a Risk & Compliance Director who will
refine the new Compliance function, which once established will help to enhance: controls
within the regulatory framework within which Post Office operates; understanding of the
cross-dependencies and implications of Post Office’s various activities, and ascertain and
interrogate MI regarding regulatory risks. As Post Office continues to operate in highly
regulated sectors that are integral to Post Office’s future growth, the development and
embedding of a compliant culture is critical.

18. As part of the legal strategy, we proposed to launch a Legal Academy during 18/19 to
enhance the business’s understanding of core legal risk areas (e.g. DPA/GDPR, Regulatory
Framework, Competition Law) and help it enhance necessary first line of defence
processes to support compliance with these regulations.

Competition Law
19. Competition law issues arise in a number of contexts:

* When contracting, Post Office needs to be careful not to include restrictions/benefits
which could be deemed to be anti-competitive (certain exclusivities, pricing
structures, terms which limit supply/production in a particular market etc.).

* Restrictions clauses in agency contracts need to be kept under review to ensure
that they are still appropriate and not anti-competitive. Legal is presently reviewing
network restrictions together with the Restrictions Manager, Paul F Williams.

* When holding exploratory talks with potential partners (JVs, acquisitions etc.);

* When participating in industry wide associations; and

* During procurement exercises - both where Post Office is bidding/involved in a
bidding vehicle (e.g. in response to government and utility contracts) and where
Post Office is itself procuring goods/services.

20. There are a number of controls of this risk which were enhanced last year including
additional personnel in Legal with competition law skills; a competition law guidance
manual; competition law FAQs; and training.

21. Legal has seen instances where the language used by business managers in business
documents and meetings has not been appropriate and could be construed as being anti-
competitive. Given that Post Office is engaging in a number of exploratory discussions with
potential partners about acquisitions and/or JVs which will, in some cases, require approval
from the Competition Markets Authority, business managers need to ensure that they
understand competition law issues (as provided through training), follow bespoke advice
from Legal, and utilise the Competition Law Do’s and Don’ts FAQs.

22. Restrictions clauses in contracts with agents are monitored and discussed with the Post
Office Restrictions Manager, Paul F Williams, to understand the level of compliance with
this clause across the agency network and how these restrictions may be compliantly
enforced. Paypoint have challenged Post Office’s approach previously and Post Office has
previously argued successfully that the restrictions policy is needed to maintain the
network (as we did, successfully, before the European Commission in relation to Post Office
2015-2018 state aid). Legal is presently reviewing these restrictions to ensure that they
remain within risk appetite.

Further actions

23. Given the increased activity which gives rise to competition law risks, Legal will continue
to provide competition law training to different areas of the business and project teams to
ensure that competition law issues are highlighted early and dealt with appropriately.

Corporate Acquisitions and JVs

24. As noted above, there are a number of business areas within Post Office that are
considering acquisitions or joint ventures as part of their strategy. Acquiring third party
assets or companies or entering into joint ventures (including contractual joint ventures)
involves a complex matrix of issues which gives rise to legal risk. There are only a few key
stakeholders in Post Office with significant corporate acquisition experience. Industry
analysis reveals that a majority of such projects fail because businesses fail to understand
the operational consequences.

Further actions

25. Further enhancements of controls are in progress: a POL Legal Corporate Acquisition Checklist
and challenge process reviews which, together with the existing gating requirements and
SME expertise from the external legal panel and consultants, should reduce the risks
associated with these projects.

Dispute Resolution Management

26. As Post Office seeks to become more commercially independent, there will be a greater
emphasis on the need to manage disputes carefully. Over the last financial year, there
have been 22 formal disputes of which the following were material:

* 1 Criminal Litigation

* 1 ICO (ROPSI)

* 3 Property Litigation Claims (total value of £495,407)

* 1 Employment Litigation Claims (est. value £366,750)

* 2 Public Liability Claims (handled by insurers) total value of £43,372.00

27. As set out in paragraphs 7-11 above, effective contract management will diminish the risk
of disputes arising against Post Office. There have been instances where poor contract
management has resulted in informal disputes between Post Office and suppliers. An
example was a recent omission to execute a formal change note and the contract’s change
control procedure was not followed which allowed the supplier to argue that the change
note was not binding and that it did not have to provide the (verbally) agreed future
service credits (value being £510K). By complying with the controls already in place and
adopting the further enhancement, these risks can be mitigated.

Enforcement of Agent Losses and Prosecutions

28. Over the last few years Post Office has undertaken very few prosecutions by contrast to
its previous practices. This lack of appetite has been observed by the agency network. It
remains to be seen whether the reduction in prosecutions will directly result in higher
incidences of opportunistic behaviours, however agent losses are increasing.

29. The Postmaster Litigation matter currently complicates Post Office’s ability to recover
agent losses or prosecute for fraudulent losses. The issue arises where an agent who
cannot account for a loss makes an allegation that is a subject of the Postmaster Litigation
(i.e. the loss is due to an error with the Horizon system). As this issue is currently before
the Court but has not been determined, any formal action against that agent would likely
result in a stay of those proceedings (in effect preventing the recovery of the loss until the
stay is lifted). This has the effect of frustrating the Former Agent Debt teams’ ability to
recover losses in 318 cases with a combined value of c.£1.14 million. Further, the

has frustrated the investigation
or civil legal activity) by joining
the Postmaster Litigation as a claimant.

30. later this year will determine whether certain

additional duties should be implied into the standard postmaster contract, including rights
and responsibilities for branch losses. Depending on the outcome of that hearing it may be
possible for Post Office to take a more proactive position on recovery of branch losses.

Service of Proceedings

31. There have been a number of instances of the business failing to identify and respond to
service of court proceedings resulting in default judgment or enforcement against Post
Office.

32. Post Office is, from time to time, named as a defendant to court proceedings. A Claim form
can be served at any place of business which has a real connection with the claim including
customer centres and directly managed branches or at the registered office (Finsbury
Dials). Post Office personnel may not always forward the Claim or court related documents
to Legal which has resulted in default judgement and, in turn, diverted resource and further
cost to set aside such judgements.

33. Legal has drafted a “Receipt of Court Documents” process which will be circulated to the
Post Office network and placed on the Legal Intranet; this, together with periodic
communications, will reduce the risk going forward.

Brand and Intellectual Property (IP) Infringement

34. The Post Office brand is one of its more important assets. However, a reactive approach
is taken to enforcement of its IP rights. There are examples where Post Office’s trade
mark or brand has been used in search engines and comparison websites to divert traffic
to competitors. Although these are generally not material, the infringement of its rights
may cause reputational damage and customer confusion.

35. Present controls involve Legal providing a “cease and desist” letter.

Further actions

36. Legal will draft a Trade Mark Infringement Process with the Group Brand,
Communications and Corporate Affairs Director, which will set out a proportionate and
risk based approach, to ensure continued brand protection particularly for those incidents
involving a material or significant infringement.