Post Office Ltd - Confidential
Risk and Compliance Committee (R&CC)
POL00206990
Reference: R&CC JUL 14
Date: 245 July 2014
Venue: Room 501, 148 Old Street, London
Time: 14:00 - 16:00

Attending:
Chris Aujard, General Counsel (Chair)
Paula Vennells, Chief Executive Officer (Member)
Fay Healey, Head of HR, for Neil Hayward (Member)
Colin Stuart, Head of Commercial Finance, for Chris Day (Member)
Martin Edwards, Chief of Staff (Report)
David Mason, Head of Risk (Report)
Ian Kennedy, General Manager Network Transformation (Report)
Martin George, Chief Marketing and Commercial Officer (Report)
Jonathan Hill, Head of Risk, Banking Regulation and Strategy
Lesley Sewell, Chief Information Officer
Paul Beaumont, Risk Business Partner, Financial Services
Malcolm Zack, Head of Internal Audit
Simon Evans, PricewaterhouseCoopers (Observer)
Mark Bayliss, Manager, Business Risk and Assurance

Apologies:
Chris Day, Chief Finance Officer
Alwen Lyons, Company Secretary
Introduction
Purpose
Introduce Simon Evans from PwC as an observer.

Head of Risk Report
Purpose
The committee to review the Head of Risk report.
Discussion
The progress made and the current state of the risk management framework were reported to the committee. The committee asked that the current state and planned completion date of each element of the framework be included. (Action 1606)
The committee discussed the risk communications plan. The Head of Risk confirmed that the plan included training as well as awareness, and that the inclusion of risk as a component of the SLT training programme was being agreed. The committee agreed that priority should be given to areas where the level of experience was low. The risk team was asked to perform a risk assessment of the plan and revise it to take account of areas of known good practice and areas of low skill and knowledge in the organisation. (Action 1607)
The committee noted the current staff shortfall in the risk team and agreed that HR would ensure that the contract replacements would be able to start work as soon as possible. (Action 1608)
Page 1 of 7
The committee reviewed the risk events section of the report and focused on the recent Travel Insurance event. The impact, root cause and actions taken so far were discussed and the committee requested that the actions be given a high priority, particularly the Horizon changes which would prevent a recurrence. The committee requested that the Director of Financial Services produce an update on the corrective actions, taking into consideration the impact on project Titan, and circulate it to the committee members. (Action 1609)
The committee also requested that a policy be defined requiring the escalation of any events having a potentially significant reputational impact. (Action 1610)
The committee reviewed and discussed the emerging risks section of the report.
The committee agreed that the restrictions policy element of the state aid emerging risk could have a significant impact on Post Office and should be separately reported. The committee requested that the Communications and Corporate Affairs Director and the Chief Financial Officer provide a proposal covering the communications activity and other management of the risk. (Action 1611) The emerging risk should also be escalated to the Audit, Risk and Compliance Committee at the first opportunity.
The committee requested that the emerging risk report be re-organised to emphasise entries with the highest potential impact and those likely to occur in the near future. (Action 1612)
The committee reviewed the assurance section of the report, focusing on Titan project support and the review of the Xanadu programme.
The General Counsel reported that it had been agreed with the Director of Financial Services that, as a pre-requisite for implementation of Project Titan, Grant Thornton would be independently confirming that risks and other matters arising were appropriately addressed. The committee requested that Grant Thornton present their conclusions to the committee in person. (Action 1613)
The committee agreed that the Xanadu report should be reviewed with the Chief Information Officer and the Commercial Director and revised where needed. (Action 1614)
The lessons learned from the review should then be reported to the committee. (Action 1615)
The committee discussed the risk
contracts to be terminated early.
The committee received th
Deep Dive session - Growth
Purpose
The committee to review the management in place over the risk of failing to achieve top line growth in line with the strategy.
Discussion
The discussion highlighted the controls in place, areas for improvement and actions to be taken. Areas for improvement identified by the Chief Marketing and Commercial Officer and the Head of Risk, Banking Regulation and Strategy, presenting the risk, were:
• "horizon scanning" for future trends,
• risk management of programmes, including initial risk assessments and re-assessments throughout the life of the programme,
• future trends and assumptions to be better analysed and documented in the business planning cycle,
• business plans need to include market reviews,
• identification and review of interdependencies between programmes, and
• alignment of assumptions with business partners.
The committee requested that the Chief Marketing and Commercial Officer, the General Counsel and the Financial Services Director follow up on this discussion and further define actions for improvement, including:
• further integrating the various growth programmes, taking into account the review of the Financial Services strategy, and
• documenting the interdependencies between the programmes.
(Action 1617)
The committee agreed that the Head of Commercial Finance should review the annual planning cycle, ensuring that all supporting assumptions are documented, including robust "horizon scans" and reviews of market conditions. (Action 1618)
Outcomes
The committee reviewed and discussed the current state and future plans for the management of the strategic growth risk and requested follow up actions.
Network Transformation Risk Mapping
Purpose
The General Manager, Network Transformation to present a mapping of the risks to the programme, their impact and source.
Discussion
The committee reviewed the risk mapping, which highlighted the following:
• finance, legal and information technology are the areas most exposed to risks from the programme,
• there are more risks arising from interdependencies between programmes than from within the programme, and
• programme risks commonly affect multiple areas of the business.
The programme is undertaking a '100 day' project to further analyse the risks, improve their management and devise mitigation approaches. The committee requested that the programme report back to the committee on the outcomes of the project. (Action 1619) The committee also asked that the Head of Risk identify where risk knowledge and best practice can be shared between business units and programmes. (Action 1620)
The committee discussed the need to allocate contingency budget or reserves for the management of programme risk at Post Office and whether it should be held by programmes or centrally. The committee requested the Head of Commercial Finance to review the financial planning process to ensure that sufficient contingency / reserve is in place for programme and portfolio risk management and report back to the committee. (Action 1621)
Outcomes
The committee reviewed the risk mapping from the Network Transformation programme and requested follow up actions.
Agenda Item 4
Purpose
To present a summary of the Deloitte report on internal controls over the Horizon System (Project Zebra).
The Head of Risk to bring back the Business Continuity Management enduring model proposal for approval.
Discussion
The Project Zebra report was reviewed and the committee agreed the response from the business to the recommendations. The Chief Information Officer confirmed that the report's conclusions would influence future systems procurement processes, including the need to perform risk and control assessments at an early stage.
The committee requested that:
• the last paragraph of the report be re-written to clearly identify issues and actions arising (Action 1622), and
• actions from the report be tracked as audit actions (Action 1623).
The Business Continuity Management proposal was not further discussed in detail but was accepted, and it was agreed that the Head of Risk document the costs and submit the proposal for business review and approval.
Outcomes
The committee accepted the report on Project Zebra, requesting further actions, and approved the Business Continuity Management enduring model proposal.
Agenda Item 5
Purpose
The committee to agree the previous minutes and receive the updates on actions to confirm completion.
Discussion
The committee did not cover this agenda item.
Outcomes
The members to be asked to approve the previous minutes and action updates by email.
Agenda Item 6
Purpose
The committee to consider any other business not captured on the agenda and any necessary actions.
Discussion
The committee did not cover this item but approved the proposal to move to a monthly timetable.
Outcomes
The committee agreed to meet monthly.
Action Summary and Updates

Ref | Action | Lead | By | Update
1623 | Track the actions from the Project Zebra report as audit actions | Malcolm Zack | 29th August |
1622 | Ensure the last paragraph of the R&CC paper on Project Zebra is re-written to clearly identify issues and actions arising. | Malcolm Zack | 15th August |
1621 | Review the financial planning process to ensure that sufficient contingency / reserve is in place for programme and portfolio risk management. | Colin Stuart | 29th August |
1620 | Identify where risk knowledge and best practice can be shared between business units and programmes | David Mason | 29th August |
1619 | The NT programme to report back to the committee on the outcomes of its '100 day' project to improve and embed risk management. | Ian Kennedy | 6th November |
1618 | Review the annual planning cycle, ensuring that all supporting assumptions are documented, including a robust "horizon ... | Colin Stuart | 29th August |
... | ... assurance report be reported to the R&CC | David Mason | September |
1614 | The Xanadu assurance report be reviewed by the Chief Information Officer and the Commercial Director and be revised where needed | David Mason | 29th August |
1612 | Re-organise the emerging risk section of the Head of Risk Report to highlight entries with a high potential impact and likely to occur in the near future | David Mason | 29th September |
1611 | Provide the committee with a proposal covering the communications activity and other management of the emerging risk related to the restrictions policy | Mark Davies, Chris Day | 29th September |
... | Define a policy requiring the escalation of any events having a potentially significant reputational impact. | David Mason | 15th August |
... | Ensure that the contract replacements for risk business partners will be able to start work as soon as possible | David Mason and Fay Healey | |
1607 | Perform an assessment of the risk communications and training plan and revise it to take account of areas of known good practice and areas of low skill and knowledge in the organisation. | David Mason | 29th September |
1606 | The current state and planned completion date of each element of the framework to be included in the Head of Risk report on the framework development progress | David Mason | 29th September |
1601 | Benchmarks or examples of how other businesses manage the exception to the acceptable use policy to be collated and provided to the committee | Julie George | 3rd July 2014 | Carried forward
1600 | Produce and circulate the job specification for the MLRO | David Mason | Next meeting | Carried forward
1589 | Assess the options for further FCA approved persons within Post Office and identify training requirements. | David Mason | Next meeting | Carried forward
1586 | Failure of external bank IT systems to be investigated to determine exact nature of failures and if connected to Bank of Ireland systems. To be reported within risk events paper if appropriate | David Mason | Next meeting | Carried forward
1584 | Discuss and agree with Group People Director how any gaps in compulsory training are resolved | David Mason | Next meeting | Carried forward
1583 | Risk & Compliance team perform a survey to identify the compulsory/obligatory corporate training that is required to be completed and identify any gaps in actual training that has been completed | David Mason | Next meeting | Carried forward