POLARC 17(15")
POL ARC 17/01 — 17/16
POL00247182
Strictly Confidential
POST OFFICE LIMITED
(Company no. 2154540)
(the ‘Company’)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE COMMITTEE
held at 2.00 pm on 30th January 2017 at 20 Finsbury Street, London EC2Y 9AQ
Present:
Carla Stent, Chair
Richard Callard, Non-Executive Director (RC)
Tim Franklin, Non-Executive Director (TF)
Ken McCall, Non-Executive Director (KM)
In Attendance:
Paula Vennells, Chief Executive Officer (CEO)
Alisdair Cameron, Chief Financial & Operations Officer (CFOO)
Jane MacLeod, General Counsel (GC)
Alwen Lyons, Company Secretary (CoSec)
Amanda Radford, Group Financial Controller (AR)
Nick Kennett, Chief Executive Financial Services & Telecommunications and CEO of POMS (NK)
Mike Morley-Fletcher, Head of Risk and Assurance (MMF)
Johann Appel, Senior Manager Internal Audit (JA)
Richard Williams, Senior Manager Risk (RW)
Kevin Gilliland, Chief Executive Retail (KG) (Minute POLARC 17/04)
Owen Woodley, Sales Director (OW) (Minute POLARC 17/04)
Jonathan Hill, Head of FS Risk & Regulation (JH) (Minute POLARC 17/04)
Jenny Ellwood, Head of Transformation Risk and Assurance (JE) (Minute POLARC 17/06)
Rob Houghton, Chief Information Officer (RH) (Minute POLARC 17/07)
Geoff Smyth, Head of Telecommunications (GS) (Minute POLARC 17/07)
Tim Armit, Business Continuity Planning (TA) (Minute POLARC 17/13)
Peter McIver, Audit Partner, Ernst & Young (PMI)
Claire Johnson, Senior Quality Leader, Ernst & Young (CJ)
POLARC 17/01 WELCOME AND CONFLICTS OF INTEREST
(a) A quorum being present, the Chair opened the meeting. The Directors declared that they had no conflicts of interest in the matters to be considered at the meeting in accordance with the requirements of section 177 of the Companies Act 2006 and the Company's Articles of Association.
POLARC 17/02 MINUTES OF THE MEETING HELD ON 17 NOVEMBER 2016, MATTERS ARISING AND ACTIONS LIST
(a) The minutes of the meeting held on 17th November 2016 were approved as presented and the Chair of the Committee was authorised to sign them as a true record.
(b) The Committee challenged the closed status of actions:
• POLARC 16/27(i), BCP testing. GC explained that a testing programme was being put in place by the new BCP Manager who had an agenda item to update the Committee on progress. BCP would return to the Committee as a matter of course and the specific action was therefore closed.
• POLARC 16/44(d), POMS risk dashboard. NK explained that the dashboard would be developed through the year, with risks picked up in his summary management paper.
(c) The Committee acknowledged the work to date and the actions status report was noted as accurate.
POL ARC, 30 January 2017 DRAFT
MANAGEMENT OF KEY OPERATIONAL RISKS
POLARC 17/03 FINANCIAL CONTROL UPDATE
(a) The CFOO reported the continued progress to implement the Financial Controls Framework which would be in place by the end of the Financial Year.
(b) The Committee discussed the self-assessment controls. The CFOO confirmed that self-assessment required internal audit assurance to test its veracity.
(c) The CFOO reported that the work to reconcile branch cash balances between Horizon and POLSAP was now complete for sterling but that the accuracy of branch cash declarations remained an issue. An initial workshop had been set up to look at the processes in place and to understand the root cause.
(d) The Committee noted the report and thanked the CFOO for the good progress.
(e) The Committee noted that the IT Controls Update report would be included in the IT Strategy paper being discussed at the Board meeting on 31 January 2017, but would appear on future Committee agendas.
POLARC 17/04 NETWORK CONDUCT RISK ACTION PLAN
(a) NK updated the Committee on the review of End User Management (EUM) at the POMS Board, the progress made and the decision of the POMS Board to allow trading of Travel Insurance products until September 2017 subject to continued progress being made in accordance with plans.
(b) The next milestone would be the implementation of the planned technical solution which was due in June/July. The Committee asked for an update from the Chair of the POMS ARC at their next meeting and NK to report to the Committee if the plan goes off track.
(c) The Chair welcomed Kevin Gilliland, Chief Executive Retail, Owen Woodley, Sales Director, and Jonathan Hill, Head of FS Risk & Regulation, to the meeting.
(d) The Committee discussed the report and noted the apparent increase in upheld customer complaints. JH explained that the complaints were mostly around saving products and driven by branches not providing all the correct leaflets to customers, but the volumes were relatively small.
(e) JH to circulate the complaints upheld information to the Committee. ACTION: JH
(f) The Committee also noted the inherent risk of local incentive schemes but were given assurance that with the introduction of the CRM sales model, postmasters had been informed of the risks. OW recognised the risk of non-compliance in such a large network, but the ultimate sanction for non-compliant postmasters was termination of their contract. KG believed that in the past postmasters had set up schemes through ignorance of the conduct issue, but this should not now be the case.
(g) JH gave assurance that the Bank of Ireland (BoI) regulation team had signed off the Sales Managers incentive scheme.
(h) JH stated he was pleased with the progress made against the conduct risk action plan.
(i) The Committee asked to see, quarterly, a network conduct risk scorecard, and action plans against the areas highlighted as concerns, with a highlight on any regulatory changes which will affect the network risk. ACTION: JH
(j) The Committee noted the report.
(k) KG, OW and JH left the meeting.
POLARC 17/05 SAFETY
(a) The Committee asked if there was a reason that robberies were increasing year on year. The CFOO explained that robberies had increased significantly after a decrease in 2015/16. The GE had reviewed losses, which included robberies, at a recent meeting and more work would be done in February.
(b) The Committee asked if compliance to OHSAS 18001 H&S British Standard, in supply chain, was still relevant for an internal supply function. The CFOO did not know the specific answer but believed, on context, that the level of accidents in supply chain was still higher than it could be.
(c) The CEO noted the report appeared to suggest that there was an emerging risk of suicide. She explained that this risk arose very occasionally in the postmaster population but that the number of instances had not increased. The process to handle these situations when they arose was sympathetic and supportive for all involved, and it was not considered an emerging risk.
(d) The Committee noted the report.
POLARC 17/06 TRANSFORMATION RISK UPDATE
(a) The Chair welcomed Jenny Ellwood, Head of Transformation Risk and Assurance, to the meeting.
(b) JE explained the resourcing risk inherent in the new IR35 (Off Payroll) legislation which comes into force in April 2017. There are 120 contractors caught by the changes, of which 30 are considered to be critical to the business and specific solutions are being sought for these individuals. The impact for these contractors is an average reduction in remuneration of 12-19%. The Committee was reassured by the actions taken to date and recognised the need to retain the resource which was critical to the transformation.
(c) IT delivery capability was highlighted as the second highest risk in the report and this would be discussed as part of the IT strategy paper at the Board meeting on the 31st January.
(d) The Committee reviewed the risk portfolio heat maps and thanked JE for the progress made.
(e) JE left the meeting.
POLARC 17/07 CYBER-ATTACK ON POST OFFICE TELECOMMUNICATIONS BUSINESS
(a) The Chair welcomed Rob Houghton, Group CIO, and Geoff Smyth, Head of Telecommunications, to the meeting.
(b) GS explained the background to the cyber-attack on Post Office which took place on the 28 November, details of which were set out in the report. GS believed that the Business and particularly Fujitsu (FJ) had responded quickly and effectively.
(c) RH explained that the only way to anticipate a similar future attack would be through the use of predictive monitoring of the dark web, but such protection was expensive. The Committee recognised that this may be an area which would need future investment.
(d) The Committee asked if there were any other parts of the infrastructure which were vulnerable. GS explained that the most vulnerable area for any business was when customer data is in transit. The risk to Post Office from this type of threat was considered low.
(e) The Chair asked the CEO if she was comfortable with the way the incident and the PR had been handled. The CEO supported the reactive PR and thanked GS for his handling of the incident.
(f) The Committee recognised that the incident had been well contained.
(g) GS and RH left the meeting.
POLARC 17/08 ANNUAL RISK REVIEW
(a) GC explained the three papers covered by the annual review.
(b) The Committee noted the Annual Review on Money Laundering, the MLRO Annual Report and the Financial Crime Report.
(c) The Committee noted the work underway on the Product Risk Review. The initial focus had been on Bureau de Change as the area with the highest risk of money laundering activity. Three areas had been identified as important:
1. Documentation
2. Policies and processes
3. Training
(d) GC explained that it was likely that identity verification would be required for lower value transactions, and that this would require operational changes.
(e) The Committee asked when the HMRC audit report would be published and any penalty known. GC expected to hear the outcome of the audit in the next 2-3 weeks.
(f) The Committee asked how many branches were failing to comply with the AML regulations, and whether these were the same branches which failed other compliance. GC acknowledged that investment had not been made in a data-mining tool which would highlight trends in compliance, and that the team were working with data across several spreadsheets. The team in Chesterfield monitored compliance across the range of activities.
(g) The Committee asked for a detailed review at the next meeting, with a report to include a consolidated list of observations and an action plan to mitigate / resolve the issues across all the reports that have been or are to be issued on this subject. ACTION: GC
(h) The MLRO report highlighted a growing risk in MoneyGram compliance. NK explained that the increase was related to the increase in the number of transactions. He promised to check and come back to the Committee if the percentage was increasing. ACTION: NK
(i) NK updated the Committee on the takeover of MoneyGram.
(j) The Committee noted the report.
POLARC 17/09 LEGAL
(a) GC presented the annual review of legal risk and highlighted the five areas of greatest concern:
1. Lack of Contract Management experience and expertise
2. Lack of compliance to contract obligations
3. Lack of understanding of relevant regulation
4. Lack of understanding of competition rules
5. Lack of deterrent due to reduced prosecutions.
(b) The Committee discussed the control of cash, and its effect on fraud and cash utilisation. The CFOO explained that an end to end review was underway to improve cash management which should also enable more effective monitoring and intervention to reduce fraud. GC stressed that although the Business had not initiated any recent prosecutions, the police prosecuted cases where they believed it appropriate.
(c) GC gave an update on Sparrow. The Group Litigation Order had been heard by the Court. The initial hearing went as well as could be expected, with the court requiring a high level of information from the claimants. The next procedural hearing would be in October but it was not expected that any substantive matters would be heard before next year.
(d) The Committee noted the Annual Legal Risk Review.
POLARC 17/10 INTERNAL AUDIT REPORT
(a) Johann Appel, Senior Manager Internal Audit, presented the report and explained that although the programme was currently behind plan it would be delivered by the end of the year. JA gave the Committee his assurance that the resourcing problems had now been resolved.
(b) The Committee stressed the importance of aligning the audit plan with the strategic plan and focusing on the areas of greatest risk. JA assured the Committee that since his arrival he had been working on the new plan for 2017/18 which would include the areas of greatest risk. The Business Continuity Audit would be postponed and included in the 2017/18 plan which would be presented to the Committee in March.
(c) The Committee noted that two IT audits had been deferred until May 2017 and stressed the need to ensure these were included in the plan.
(d) The Committee challenged the correlation of the findings in the audit reports and the overall ratings given to audits. JA explained that the ratings were based on four areas: Value, Risk, Urgency and Impact on the business. The Committee were particularly concerned by the lack of rating for the ‘Winning with Retailers PIR’ and the average rating for the Data Protection audit. The Committee asked for assurance that ratings had not been negotiated away during management feedback sessions. JA assured the Committee of his independence and promised to apply a robust rating process in the future.
(e) The Committee noted the internal audit activity.
POLARC 17/11 EXTERNAL AUDIT REPORT
(a) The Chair asked Peter McIver, Ernst and Young (EY), to give an update on the External Audit Plan.
(b) PMI assured the Committee that all the planning work was complete for POL and POMS audits. PMI explained that there had been some delay in receiving the Service Organisational Control (SOC) reports from Fujitsu, Accenture and CSC.
(c) The Financial Controller would chase the SOC reports from Fujitsu, Accenture and CSC. ACTION: AR
(d) The CFOO would bring the IRIS and Pensions accounting treatment to the March ARC. ACTION: CFOO
(e) EY would consider the longer-term accounting policies outside of the annual external audit.
(f) The Chair asked PMI to confirm that their action to inform PwC of the POL materiality levels had been discharged. ACTION: PMI
POLARC 17/12 RISK UPDATE
(a) MMF updated the Committee on the changes to the Group Risk Profile and explained that management had identified key actions for the top 15 risks, as well as the Risks of the Moment.
(b) The CFOO reported that access to systems such as payroll would be checked as part of the EY audit to ensure there were no balance sheet implications. ACTION: AR/PMI
(c) The CFOO explained that Credence reliability was captured in ‘IT availability and ability to trade risk’ and it was currently slightly more stable but would not be without risk until it was replaced.
(d) The Committee discussed the need to ensure a commercial approach to risk and risk appetite, and recognised that the risk report was inevitably a pessimistic view of the Business. GC acknowledged that the report would highlight risks; however, an effective risk framework should also identify areas where appropriate for taking more risk.
(e) The Committee noted the Risk report.
POLARC 17/13 BUSINESS CONTINUITY (BC) UPDATE
(a) The Chair welcomed Tim Armit, Senior Manager, Business Continuity Planning, to the meeting.
(b) TA reported that since joining the Company he had found that there was a good BC system in place and that the approach was thorough. However there were some operational gaps which were being tested. The operational knowledge was good but the documentation was not ideal.
(c) Chesterfield had been identified as the most critical operational site, and a BC test had been run to prove that this site could be recovered by using a Sunguard site in Leicester. A full test would be undertaken shortly.
(d) Finsbury Dials was less important; however, plans were being designed. An initial exercise to test disaster recovery would take place with GE on the 3rd March.
(e) JA believed that the BC plans would be in a good position by June/July. Escalation of material incidents and events would follow the Gold/Silver/Bronze categorisation. Any ‘Gold’ incidents would be reported to the Board once the emergency services had been informed.
(f) TA left the meeting.
POLARC 17/14 HORIZON SCANNING
(a) The GC updated the Committee on the following issues:
1. The Corporate Governance Green Paper, which was mainly relevant to listed companies. Richard Callard believed that any proposal in the final bill would take at least 12 months to implement.
2. Criminal Finance Bill — in which changes to anti money laundering would affect Post Office.
3. E-privacy regulation — the GE have already started a project to look at GDPR (General Data Protection Regulation) and its effect on marketing.
(b) The GC reported that Mark Davies, Communications and Corporate Affairs Director, was setting up an External Affairs Steering Group to ensure the Business were aware of future issues.
(c) The Committee noted the Horizon Scanning report.
POLARC 17/15 ANY OTHER BUSINESS
(a) No other business was raised.
POLARC 17/16 ARC SESSION WITH THE RISK TEAM
(a) All attendees left the meeting apart from the Committee members and the Risk team. The Committee debated areas of concern for the Committee and the risk team.
(b) There being no further business the Chair closed the meeting.