POL00197997 - Post Office Limited Board - Risk Management Update authored by David Mason


POL00197997

Strictly confidential

POST OFFICE LTD BOARD

Risk Management Update November 2013

1. Purpose
The purpose of this paper is to:

1.1 update the Board on the ExCo assessment of risks facing Post Office in the
achievement of its strategic objectives;

1.2 update the Board on the progress made with implementing a risk management
framework and developing a risk management culture in Post Office.

2. Key risks

2.1 ExCo has continued to refine its assessment of the key risks in achieving its
strategic objectives through an iterative process of workshops, facilitated by the
Risk Management function. As a result, ExCo has identified six critical risks
which require top management attention. These are:

2.2 Reputational damage following allegations relating to the integrity of the
Horizon system

ExCo Owner: Chris Aujard

There is a risk that the allegations relating to the integrity of the Horizon system,
if not contained, could raise wider questions over the robustness of our core
systems and our ability to operate, damaging current partnerships, new areas of
expansion & public and government confidence.

Key Impacts: Reputational - Consumer Confidence | Long term brand damage |
reduced brand strength with potential partnerships/joint ventures | political
impact.

Key Controls & assurance: Containment Project | Sparrow lessons learned work
| Risk Function to carry out review.

2.3 Failure to deliver top line growth in line with strategic plans
ExCo Owner: Martin George & Nick Kennett

Failure to meet our strategic imperative to protect channel income whilst
growing our retail business will ultimately prevent our ability to reach commercial
sustainability. In particular lack of growth in FS will have a detrimental impact on
delivery of the strategic plan. Non delivery of growth targets will reduce the
appeal of the franchise model impacting Network Transformation. There is an
immediate threat that long term growth targets could become unachievable if we
do not respond quickly to competitors.

Key Impacts: Inability to reach commercial sustainability | Reduces appeal of
Franchise model

Risk management update Nov 2013 David Mason Page 1 of 5 20th November 2013

Key Causes: Failure to respond to shifting consumer behaviour | Failure to
respond to the competitive market with pace | Capability of people | Operational
failures — process and systems | Brand damage/image, particularly significant to
FS business (with a growth target of 70% by 2020) | Overly optimistic planning
assumptions | poor industrial relations

Key controls & assurance: Quarterly performance reviews | weekly Trading
Board | Commercial plan in place

2.4 Operating Model fails to deliver requisite cost savings
ExCo Owner: Chris Day

Reduction of costs and sustained cost management are imperative to generate
the level of profitability required to make Post Office commercially sustainable. A
multi-faceted programme of transformation coupled with challenging growth
targets can conflict with a cost reduction programme.

Key Impacts: Inability to reach commercial sustainability

Key Causes: Failure/Pace of Network Transformation | Culture — not cost
conscious | Conflict with other priority programme e.g. NT | Fixed cost creep as
growth targets met | Union opposition

Key controls & assurance: Benefits realisation project | NAO value for money
standard | external benchmarking

2.5 Inadequate people capability or capacity to deliver transformational change
and the strategic plan

Exec Owner: Fay Healey

The capability of our people is critical to successful delivery of all facets of the
strategy. There is a risk that we cannot retain, recruit and effectively
performance manage our people to the level of capability required within the
necessary timeframe. Additionally, as we continue to grow our capability there is
a risk that the pool of existing talent is oversubscribed increasing pressure and
reducing their effectiveness.

Key Impacts: Transformation unachievable

Key Causes: Inability to retain talent - through poor change management
(overworked), Lack of engagement, lack of development | Inability to attract
talent — brand, pay etc | Ineffective training and development

Key controls & assurance: tactical skills development | talent development
programme | FS Academy | performance management | carry out gap analysis
against 2020 plan.


2.6 Non-delivery of Network Transformation Programme
Exec Owner: Kevin Gilliland

Short term issue regarding the successful engagement of the NFSP in
supporting NTP.

In the longer term, failure to deliver network transformation in a timely fashion
would result in a non-viable business model requiring additional subsidy from
the Government or closure of branches, neither of which are sustainable
options. There is an immediate risk that if we do not move quickly, we may find
that we cannot secure the retail partners we need to secure the future of our
network.

Key Impacts: Increased Costs | Reduced Income growth | Unable to meet
Customer needs | credibility of leadership.

Key Causes: Unattractive proposition | Poor project execution | Poor
communication/engagement with agents | Non-delivery of growth.

Key controls & assurance: McKinsey & BIS reviews | stakeholder engagement
plan | RM project audit | 2nd line risk review.

2.7 Strike action within supply chain could damage ability to distribute cash to
network (IR/CWU)

Exec Owner: Kevin Gilliland

Whilst there are multiple controls in place to mitigate the risk of a breakdown in
cash distribution there is a risk that these contingencies cannot be sustained
with continued strike action. The impact of branches not receiving the cash they
need to serve our most vulnerable customers would be detrimental to the Post
Office reputation.

Key Impacts: Reputational Damage

Key Causes: Poor communication/engagement with unions | Union demands at
odds with strategic direction of becoming a commercially sustainable business

Key controls & assurance: internal & external communications plans | 3rd party
contingency planning | working group examining alternative carriers/ways of
working.

2.8 In addition to the above risks, ExCo identified three further risks which require
continuous monitoring, specifically:

• the risk of regulatory action or reputational damage from FS mis-selling;

• the continued security and integrity of Post Office data; and

• the successful delivery and operation following IT transformation


2.9 It is important to note that all nine of these risks are interdependent and should
be viewed collectively to determine the overall impact on the strategic plan.

In addition to the controls outlined above, the management of these risks is
reviewed by ExCo on a weekly basis to provide assurance that plans are
delivering the required outcomes.

3. Progress on implementation of a risk management framework

3.1 The following activities are complete in respect of the delivery of the risk
management plan:

• Recruitment of all current template roles is now finalised with two recruits
already in post and the remaining two starting over the next few weeks,
bringing the Risk Management function up to full strength for the first
time in 12 months;

• As referred to above, ExCo has carried out a risk identification and
assessment session, together with two subsequent reviews to refine this
assessment;

• Each directorate lead team (with the exception of Communications —
scheduled for 28th Nov and Corporate Services) has conducted a similar
risk workshop to identify risks at the next level down from the enterprise
view;

• Risk & Compliance Committee has been restructured to focus on
management of risks in Post Office and to oversee progress against the
plan;

• The Risk Function have started professional training in risk management
to enhance their current experience and knowledge;

• Established ongoing benchmarking with other organisations; and

• A review of the risk management software has been completed.

3.2 By the end of the financial year it is expected that risk management will be fully
active at tier 1 (ExCo) and tier 2 (directorate lead team) with continuous support
from the Risk Function’s business partners who will act as full-time risk
champions to facilitate and monitor the approach. In this context, fully active
means:

• Risks are regularly reviewed;

• Risks are owned by an accountable individual;

• Risk appetite and target levels of risk have been agreed;

• Controls and assurance measures for significant risks have been
established; and

• Action plans are in place to manage risks and are regularly monitored for
effectiveness.

3.3 In addition to the above, a road map for developing risk management in the
Post Office will be submitted to the ARC for approval in February 2014, setting
out the key milestones across 1, 3 and 5 year horizons.


4. Recommendations
4.1 The Board is asked to:

• Note the update and actions set out above; and

• Provide direction as required.

David Mason
Head of Risk Governance
20th November 2013
