POL00265865
POL00265865
PREPARED FOR POST OFFICE LIMITED
Confidential and privileged legal advice WOMBLE
Do not disclose, forward, scan or copy
18 February 2019 DICKINSON
Horizon Issues Trial
DRAFT Risk Assessment Table
INTRODUCTION
This document summarises our views on the strength of the evidence for the Horizon Issues so that Post Office may make decisions about how to mitigate
any related risks. By its very nature it is a simplistic assessment of over 1,200 pages of expert reports and witness statements.
The subject matter of the Horizon Issues Trial is the complex technical architecture and functionality of the Horizon system over its 18 year life. As a law
firm we can only offer a view on the relative weight and persuasiveness of the evidence presented by the witnesses called by the Claimants and Post Office
and the experts who have inspected Horizon. We are not in a position to determine whether that evidence is correct or not because we are not IT experts.
This risk assessment is on the assumption that the evidence of both parties withstands cross-examination and the evidence, as currently written, is accurate.
It should however be noted that this trial turns heavily on the performance of witnesses in giving evidence. Given that witnesses are being asked to comment
on intricate points within a complex topic, sometimes going back more than a decade and sometimes being asked to speculate on unusual scenarios, there is
a real risk that any one of either party's witnesses may not come up to proof. This risk assessment will therefore need to be kept under review as the trial
progresses.
The Horizon Issues Trial is a stepping-stone to other decisions. The reliability and functionality of Horizon is not, in the context of the litigation, an end-result
in itself. It will however set a foundation on which decisions in relation to specific Subpostmasters, both historically by Post Office and in the future by the
Court, will be adjudged. It may tip the scales for or against Post Office but it will not be determinative of any individual claim. The full extent of the outcome
of the Horizon Issues Trial will not been known until at least the end of the Further Issues Trial scheduled for November 2019 where it is expected that the
findings on the Horizon Issues will be applied to particular cases. We have however flagged below where we can foresee an immediate impact.
On 1 February 2019, the Claimants served their Supplemental Expert Report. This report radically changed the Claimants' case, raising many new points
that are adverse to Post Office. WBD and Fujitsu are rapidly investigating these new issues. Early indications are that Post Office will have counter-points
to many of these new issues but investigations are not yet complete. This assessment assumes that (i) Post Office (via Fujitsu) is able to present adequate
responses to the Claimants' Supplemental Expert Report before the trial begins and (ii) that Fujitsu can provide any required further evidence and the Court
will allow that evidence at trial.
POL00265865
POL00265865
Confidential and privileged legal advice PREPARED FOR POST OFFICE LIMITED
Do not disclose, forward, scan or copy 18 February 2019
RISK ASSESSMENT
There are 15 "Horizon Issues" to be decided at trial. These can be grouped together under four categories:
A. Reliability of Horizon. This question also encompasses the extent to which Horizon was the root cause of shortfalls in Subpostmaster branches.
B. Remote access. This question seeks to determine the capability of Post Office and / or Fujitsu to access, edit or delete transaction data recorded in
branches.
C. Reconciliation and transaction corrections. These questions seek to determine how Horizon compares its own transaction data against other
data sources.
D. Information available to Post Office and Subpostmasters. These questions will help inform later trials when looking at the responsibilities and
actions of Post Office and Subpostmasters when dealing with shortfalls.
The above represents convenient groupings for this risk assessment. The experts have grouped the issues slightly differently and the Court may adopt a
different structure. There is also some interplay and overlap between Categories A, B and C. The tables below are our best effort to identify the risks in a
useful structure. There are however innumerable permutations of outcome from the Horizon Issues trial.
A significant adverse impact on the business that could threaten
Post Office is very likely to lose
its existence.
A major adverse impact on the business that will have
Post Office is more likely to lose than win
considerable long-term commercial harm.
A material impact on the business that will cause some
commercial detriment / increased costs.
50/50
Some impact on the business but the additional burdens / costs
Post Office is more likely to win than lose
will be manageable.
Post Office is very likely to win Negligible impact on the business
2 18 February 2019
Confidential and privileged legal advice
Do not disclose, forward, scan or copy
RISK ASSESSMENT TABLE
PREPARED FOR POST OFFICE LIMITED
18 February 2019
A._ Reliability of Horizon
Issue 1: To what extent was it possible or likely for bugs, errors or
defects of the nature alleged at §23 and 24 of the Generic Particulars
of Claim (GPOC) and referred to in §49 to 56 of the Generic Defence
to
have the potential to (a) cause apparent or alleged discrepancies or
shortfalls relating to Subpostmasters' branch accounts or transactions
or (b) undermine the reliability of Horizon accurately to process and to
record transactions as alleged at §24.1 GPOC?
Issue 3: To what extent and in what respects is the Horizon System
"robust" and extremely unlikely to be the cause of shortfalls in
branches?
Issue 4: To what extent has there been potential for errors in data
recorded within Horizon to arise in (a) data entry, (b) transfer or (c)
processing of data in Horizon?
Issue 6: To what extent did measures and/or controls that existed in
Horizon prevent, detect, identify, report or reduce to an extremely low
level the risk of the following:
a) data entry errors;
b) data packet or system level errors (including data
processing, effecting, and recording the same);
¢) a failure to detect, correct and remedy software coding
errors or bugs;
d) errors in the transmission, replication and storage of
transaction record data; and
e) the data stored in the central data centre not being an
Dr Worden, Post Office's expert witness, has reached the conclusion that
"Horizon has been a very robust system, compared to other major
systems I have worked on in sectors such as banking, retail, telecoms,
government and healthcare" and that "the robustness of Horizon made it
extremely unlikely to be the cause of shortfalls in branches".
The Claimants' expert witness, Mr Coyne, concluded in his original report
that "whilst the present-day version of Horizon, supported by manual
human support may now be considered as relatively robust in the
spectrum of computer systems used in businesses today it has
undergone major modifications in its history. It is likely that in 1999 when
it was first commissioned, and in 2010 when it was significantly upgraded
(to Horizon Online), it was less robust."
In his Supplemental Report, Mr Coyne says that "/ have reached the
conclusion that Horizon is less robust that I initially considered...". He
does not go on to say how robust he now considers the system to be.
Like all experts’ reports, both Dr Worden and Mr Coyne are prone to
attack in cross-examination because they are expressing opinions. The
Claimants are likely to attack Dr Worden's reliance of statistical modelling
to show that any problems in Horizon are very small to the point of
irrelevance. They will also likely criticise Dr Worden for his reliance on the
background evidence from Fujitsu that is yet to be tested in Court (in
respect of which see Category B below). Mr Coyne's report can be
attacked for its lack of detailed analysis, methodology and clear opinions.
In our view, the report of Dr Worden adopts a better methodology and is
more cogently evidenced but it remains open challenge in Court.
This view is subject to our introductory comments about Post Office
providing adequate responses to Mr Coyne's new arguments in his
Supplemental Report. Mr Coyne's new points have been reviewed by Dr
Worden who is unmoved in his opinion.
18 February 2019
POL00265865
POL00265865
Confidential and privileged legal advice
Do not disclose, forward, scan or copy
POL00265865
POLO00265865
PREPARED FOR POST OFFICE LIMITED
18 February 2019
accurate record of transactions entered on branch terminals?
If Horizon is found to be unreliable and a material cause of shortfalls in
branches, this will have profound effects on Post Office's ability to recover
shortfalls from Subpostmasters without an investigation into Horizon in
each case. It will also likely give rise to concerns and challenges from
clients who are reliant on Horizon's data to process transactions. In the
context of the litigation, it would materially heighten the risk of successful
claims by Subpostmasters.
It should be noted that there may also be intermediate outcomes that sit
on the spectrum from Horizon being unreliable to Horizon being very
robust. It could be that the Judge finds that Horizon is generally very good
but has weaknesses in particular areas of operation.
B. Remote access
Issue 7: Were Post Office and/or Fujitsu able to access transaction
data recorded by Horizon remotely (i.e. not from within a branch?
Issue 10: Whether the Defendant and/or Fujitsu have had the
ability/facility to: (i) insert, inject, edit or delete transaction data or
data in branch accounts; (ii) implement fixes in Horizon that had the
potential to affect transaction data or data in branch accounts; or (iii)
rebuild branch transaction data:
a) atall;
b) without the knowledge of the Subpostmaster in question; and I
c) without the consent of the Subpostmaster in question.
Issue 11: If they did, did the Horizon system have any permission
controls upon the use of the above facility, and did the system
maintain a log of such actions and such permission controls?
Issue 12: If the Defendant and/or Fujitsu did have such ability, how
often was that used, if at all?
Issue 13: To what extent did use of any such facility have the
potential to affect the reliability of Branches' accounting positions?
On face value, the answer to many of these questions is "Yes". Post
Office (via Fujitsu) has always had "remote access" capabilities and this
has been admitted in earlier Court documents.
There is a material dispute as to the extent that "remote access" was used
to alter branch data and whether such access was properly controlled.
Post Office's case is that "remote access" is a rare event and only used
following strict protocols. The Claimants look to paint a picture of frequent
unregulated use of "remote access" to change branch information in a
_I clandestine manner.
Both experts agree that Post Office had no ability to remotely delete or
edit data within Horizon. The tools for deleting and editing branch data
were held exclusively by Fujitsu. Post Office is therefore reliant on Fujitsu
I for evidence of its use and control of these tools.
Fujitsu's evidence on this subject has been less than satisfactory. During
the mediation scheme, Fujitsu told Post Office that it could not edit branch
data (only that it could inject new transactions). Further investigations
revealed this not to be the case — Fujitsu do have the ability to edit
transaction data by accessing and amending the underlying database
tables within Horizon.
I This shifting position has continued during the litigation and has resulted in
Post Office having to file a second witness statement to correct some
errors in the primary evidence of one Fujitsu witness. In light of this, there
are material concerns about whether the Fujitsu witnesses will come up to
18 February 2019
Confidential and privileged legal advice
Do not disclose, forward, scan or copy
POL00265865
POL00265865
PREPARED FOR POST OFFICE LIMITED
18 February 2019
proof under cross-examination.
Further, Fujitsu's record keeping around use of its remote access tools is
incomplete. Some of this is a product of time and document retention
policies, particularly in relation to the old version of Horizon (pre-2010),
but some is due to a lack of structured documentation around the use of
these tools (including a lack of automatic access logging software within
Horizon).
Mr Coyne has placed considerable emphasis on "remote access" in his
Supplemental Report and Fujitsu's answers to these points will be vital to
the outcome of this issue. Investigations in this regard are continuing.
This is an area where further evidence from Fujitsu, if reliable and allowed
by the Court, would be useful and could affect the overall merits on this
topic.
Even if remote access is possible, it is very unlikely that Fujitsu are acting
maliciously or carelessly causing shortfalls in branches through remote
access. They would have no motivation to do so and the reputational
damage to it of doing so through poor practices would be severe. The
challenge at trial will be persuading the Judge of this and avoiding him
getting drawn into the Claimants’ conspiracy theories.
In terms of impact, the Claimants are seeking a finding that there is
frequent uncontrolled remote access and that that undermines Horizon
being reliable. They are looking for a crossover effect to Category A
above. This link is not however obvious and the Claimants’ expert has not
explained how one issue affects the other. Given the scale of Horizon, we
will argue that the level of uncontrolled access (if any) would need to be
significant for one to lose confidence in the system.
The above factors could lead to a number of different outcomes. For
example, Post Office (or Fujitsu) could be found to have poor access
controls but it be accepted that Fujitsu did not misuse those controls. Or,
that the remote access tools were misused but on such small scale that
there is no overall impact on Horizon or the litigation.
In our view, it is likely that the Judge will make some form of adverse
finding against Post Office on this topic, but it is much more difficult to
assess the impact of that finding on the reliability of Horizon or the
litigation.
Regardless of the outcome, we anticipate that this issue will attract media
18 February 2019
Confidential and privileged legal advice
Do not disclose, forward, scan or copy
POL00265865
POLO00265865
PREPARED FOR POST OFFICE LIMITED
18 February 2019
attention and poses the greatest risk of reputational harm.
C._ Reconciliation and Transaction Corrections
Issue 5: How, if at all, does the Horizon system itself compare
transaction data recorded by Horizon against transaction data from
sources outside of Horizon?
Issue 15: How did Horizon process and/or record Transaction
Corrections?
The comparison of Horizon data against third party data is called
"reconciliation". The identification of discrepancies in branch accounts
through reconciliation is a key control in the operation of Post Office's
accounting systems. Where a discrepancy is identified it can give rise to
a transaction correction being sent to a branch. The transaction
correction should neutralise a previous accounting error but can, in
theory, cause a loss in a branch.
These issues were designed to be uncontroversial factual questions
about how Horizon conducts reconciliations and processes transaction
corrections. Their aim was to lay down a foundation on which to
determine more specific issues in particular cases.
The scope of these issues has however shifted. Mr Coyne mounts an
attack on the quality of the reconciliation processes. We say that this
opinion is outside the scope of his work given the wording of the issues to
be addressed are purely factual and do not invite comment on adequacy
or sufficiency. Indeed, we specifically negotiated the wording of these
issues for this exact purpose.
If the Judge stays within the scope of the questions posed, then these
points are uncontroversial and may well be agreed between the experts
before trial. We would class this as a successful result.
As a contingency plan, Dr Worden has analysed and concluded that the
likelihood of there being an incorrect transaction correction is small. He
has done this also to reinforce his view that reconciliation is an effective
control against bugs in Horizon and so this issue also feeds back into
Category A above. If the Judge strays into assessing the quality of the
reconciliation processes and finds vulnerabilities in them, this will weaken
one line of argument on which Dr Worden has found support for his view
that Horizon is reliable. It would not however be a fatal blow.
In terms of business impact, any adverse views from the Court on Post
Office's reconciliation processes, whether central to the Horizon Issues or
just passing comments, could undermine branch confidence in the
transaction corrections being issued to branch. This in turn might lead to
an uptick in transaction corrections being challenged.
48-Feb:
19
Confidential and privileged legal advice
Do not disclose, forward, scan or copy
POL00265865
POL00265865
PREPARED FOR POST OFFICE LIMITED
18 February 2019
D. Information available to Post Office and Subpostmasters?
Issue 2: Did the Horizon IT system itself alert Subpostmasters of
such bugs, errors or defects as described in (1) above and if so how.
Issue 8: What transaction data and reporting functions were
available through Horizon to Post Office for identifying the occurrence
of alleged shortfalls and the causes of alleged shortfalls in branches,
including whether they were caused by bugs, errors and/or
defects in the Horizon system?
Issue 9: At all material times, what transaction data and reporting
functions (if any) were available through Horizon to Subpostmasters
for:
a) identifying apparent or alleged discrepancies and shortfalls
and/or the causes of the same; and
b) accessing and identifying transactions recorded on Horizon?
Issue 14: How (if at all) does the Horizon system and its functionality:
a) enable Subpostmasters to compare the stock and cash in a
branch against the stock and cash indicated on Horizon?
b) enable or require Subpostmasters to decide how to deal
with, dispute, accept or make good an alleged discrepancy
by (i) providing his or her own personal funds or (ii) settling
centrally?
c) record and reflect the consequence of raising a dispute on
an alleged discrepancy, on Horizon Branch account data
and, in particular:
i. does raising a dispute with the Helpline cause a
block to be placed on the value of an alleged
shortfall; and
ji. is that recorded on the Horizon system as a debt due
to Post Office?
d) enable Subpostmasters to produce (i) Cash Account before
2005 and (ii) Branch Trading Statement after 2005?
e) enable or require Subpostmasters to continue to trade if
they did not complete a Branch Trading Statement; and, if
0, on what basis and with what consequences on the
Horizon system?
These questions were posed so to inform decisions to be made at later
trials when looking at the responsibilities and actions of Post Office and
Subpostmasters in particular cases.
The experts broadly agree on most of the answers to these questions.
There are some minor points of dispute.
There will be only minimal impact on the litigation or the operational
practices of Post Office arising from these issues.
There is however the possibility of some negative media coverage. The
Claimants will attempt to position these issues as showing an asymmetry
of information between Post Office and Subpostmasters, which there is
because Post Office, as the owner of Horizon, naturally has access to
more information about it than Subpostmasters. The Claimants will try to
play this into their wider narrative about Post Office acting unfairly towards
Subpostmasters. We have attempted mitigate this attack through Dr
Worden's report where he explains that there is no need for
Subpostmasters, as users of an IT system, to have detailed technical
information about Horizon.
18 February 2019
POL00265865
POL00265865
Confidential and privileged legal advice PREPARED FOR POST OFFICE LIMITED
Do not disclose, forward, scan or copy 18 February 2019
8 18 February 2019