POL00336006
Internal Audit & Risk Management (IA&RM)
Royal Mail Holdings
Audit & Risk Committee
Quarterly Report
September to October 2006
Draft
November 2006
Royal Mail - CONFIDENTIAL
Contents & Distribution
1. Executive Summary
2. Key IA&RM Activity In Period
2.1 Review of Downstream Access (DSA) Contract Compliance
2.2 People Partnering
2.3 Review of Performance Management - Royal Mail Letters
3. Overall Perspectives on Risk and Control Environment
3.1 Risk and Control Self Assessment — Half Year Summary
3.2 Assessments from Specialists in Key Risk Areas
3.3 Assessing Business Response to Agreed Actions
3.4 Royal Mail Letters — Revenue Streams and IA&RM Activity
3.5 Whistleblowing Statistics
Other Matters
4. Other IA&RM Activity to Support Business Improvement
5. IA&RM Current and Planned Activity
Appendices
Appendix A — Reports issued in Period
Appendix B — Trend in IA&RM Report Ratings
Appendix C — Explanation of Report Ratings Used
Appendix D — Evidence from Assessments in Specialist Risk Areas
Bob Wigley, Non Executive Director, Chair
John Neill, Non Executive Director
Baroness Prosser, Non Executive Director
Helen Weir, Non Executive Director
Royal Mail Group Executive Team
IA&RM Quarterly Report — November 2006
Page 2 of 21
1. Executive Summary
Introduction
This report assists the Audit & Risk Committee (ARC) and Royal Mail Management in discharging their responsibility to assess risks and monitor the effectiveness of
Royal Mail's risk management and control environment. It summarises Internal Audit and Risk Management (IA&RM) activity and findings from September to
October 2006 and presents the results of a variety of risk and control measures, including the results from the half year Risk and Control Self Assessment exercise.
IA&RM Activity for the Period
IA&RM issued 8 reports in the period, listed at Appendix A. Of these, assurance/risk ratings were applied in 5 cases as follows: 1 was rated as “satisfactory” and 4
were rated as “some improvement required” or “low risk”. Appendix C provides an explanation of what the ratings mean. The key report findings are presented in
Section 2. Summarised below are findings on key assignments:
1. The review of Downstream Access (DSA) Contract Compliance was rated as ‘Some Improvement Required’ with a Medium risk at Group level. The review
was undertaken at 8 Mail Centres. Key processes have been established to enable the RM Letters Operations and Wholesale teams to prevent, monitor and report
instances of customers failing to comply with contractual terms and conditions. Some important aspects of these processes however are not being deployed by the
business: a key revenue protection check (J Tools) was not completed in 6 out of the 8 Mail Centres; inconsistent gatehouse checks allowed unauthorised drivers to
enter RM sites and at unauthorised times in all 8 of the Mail Centres; unit prices used, when adjustments to customer mail volumes were necessary, were based on
averages rather than agreed actual prices; and instances of customer non-compliance were not being escalated by the sites to central control to enable onward
reporting to customers. This results in a loss of revenue and increased operational costs. Since the report was issued, 4 of the 30 agreed actions have been
completed, and none are overdue.
2. The review of the People Partnering project — Royal Mail Group (RMG) has issued an Official Journal of the European Union (OJEU) notice indicating their
intention to enter into a contract for the provision of Human Resources (HR) processing capability. This includes HR services and an integrated HR system which
currently costs approximately £80m per annum, representing over 200,000 payees and 500,000 pension scheme members. IA&RM were asked to support the
business and have helped identify potential risks for each of the four stages of the project, in addition to providing advice and techniques to assist in the recording and
treatment of these risks. The most significant risks currently facing the project in the first stage (the selection of an appropriate partner) are: Royal Mail Group
(RMG) does not have a clear understanding of its specific requirements; no solution is able to meet the business requirements in full; there are inadequate supporting
processes to effectively manage the project; and there is a lack of clarity around the respective scopes of the People Partnering project and the Time & Resource
Management System project. Each of the above has agreed planned mitigating actions which, if fully executed, will reduce the level of risk for the first stage to Low.
6 of the 17 agreed actions have currently been completed, considerable work is in progress to address the remaining actions, and none are overdue.
3. The review of Performance Management — Although the review indicated that some improvement was required, we assess that there is a Low impact at Group
level. There was evidence of performance management at all operational levels. Areas were monitoring actual results, determining root causes of failure against
target and implementing action plans. However, only 3 of the 8 areas reviewed utilised the nationally developed unit scorecards. These formats, although broadly
reflecting agreed national measures, were found to have certain omissions or changes to agreed target definitions, and resulted largely from a lack of clarity as to
whether the use of the national scorecards is mandatory and a view from area teams that local scorecards better suited requirements. Full deployment and
consistent use of national scorecards may be useful in driving further improvements — this is a decision for the business. Network are not covered in the existing
performance management process; however, work to integrate Network is underway. All actions are currently being completed to agreed timescale.
Overall Perspectives on Risk and Control Environment
An analysis of our findings and available business data regarding the risk and control environment gives these perspectives:
Half Yearly Risk and Control Self-Assessment (RCSA). Section 3.1 provides a summary of the half year RCSA process. The RCSA exercise is designed to identify
‘bottom-up’ risks and provide assurance for the business on key controls using a rolling programme of testing. No new risks were reported for consideration to date
that exceed the threshold for group reporting of £20m impact and 30% likelihood over a three year period.
Of the vital few controls (VFC) tested this quarter, two were reported as ‘Major Control Weaknesses’ as follows:
• the self audit process for Operations Service Standards in RML. Both IA&RM and the Compliance & Audit Specification (CAS) team (who perform independent
audits in operational units) found that the self assessments could not be wholly relied upon.
• front line Customer Service in Parcelforce Worldwide. Recent customer surveys have reported low scores. In response, new training and information systems are
being rolled out for completion by March 2007.
Assessments from specialists in key areas. Section 3.2 presents a summary of some indicators used by the business to assess controls. Areas that have
broadly shown improvement include protection of information and mail. Operational compliance is broadly unchanged, with protection of staff, physical security and
revenue showing some deterioration.
The implications for the business are customer satisfaction, addressing quality of service failures, capturing all revenues and internal reporting. The business works
with affected units to develop action plans to address identified weaknesses and is also reviewing the standards set to ensure that they are appropriate.
Assessing the business response to agreed actions. Section 3.3 provides a summary of the number of outstanding and overdue actions resulting from IA&RM
reviews. While the number of actions agreed has increased recently, the number overdue is decreasing. Furthermore, of those overdue, the majority (83%) are
medium risk, with only 17% being high risk. This implies that the business has an improved focus on addressing identified control weaknesses.
Revenue Controls. Section 3.4 focuses on the topic of Revenue, and gives an overview of aspects of revenue reviewed by IA&RM over the last 6 months, covering
approximately 62% of RM Letters revenue. In the reviews for Revenue Protection (RP) and Mails Verification (MV), issues identified included adherence to
processes, integrity of the risk model, and effectiveness of performance against standards. The measurement of the Stamp & Meter revenue gap continues to show
a worsening position, with the gap now standing at 10.2% (equivalent to £239m revenue), the highest for 2 years.
As has previously been reported, the implications for the business are that account revenues are not being thoroughly and comprehensively monitored, and therefore
the business is not being paid in full for the services provided. The Stamp & Meter revenue gap is a symptom of the quality and integrity of source stamp and meter
data, namely operational traffic volumes, Mails Characteristic Survey (MCS) results, average unit revenue prices, and the recording of revenue.
Release 1 of the Online Business Account (OBA) Programme has deployed a new system for RP and MV to use, namely SAP QM. This model has improved the
weaknesses identified in the IA&RM reviews and actual revenue recovered is increasing. Traffic Performance Managers are working with the National Traffic
Compliance team to review the measurement of traffic and MCS across operational sites.
2. Key IA&RM Activity in Period
2.1. Review of Downstream Access (DSA) Contract Compliance
BACKGROUND: Under Condition 9 of the Licence granted by the Postal Services Commission (PostComm) to Royal Mail (RM), other postal operators and
customers can access RM's postal facilities. Under these arrangements, Downstream Access (DSA) customers deliver mail to the inward Mail Centre (MC) for
onward processing by RM Letters. It is a condition of RM's licence that mail received under an access contract is treated in the same way as that from RM's own
customers (Condition 11). As a result, operating procedures have been developed to ensure consistent treatment. In 2005/06, RM delivered 1.1bn items of mail
under access arrangements, with volumes forecast to grow to 3bn in 2006/07.
OBJECTIVE: The overall objective of the review was to assess whether RM is providing services to DSA customers in accordance with their contract and that such
services are being provided in a non-discriminatory way. Specifically, to ensure that: for all DSA customers, an agreed contract was in place; the pre-advice (volume
forecast) was received in accordance with contract terms; access to RM premises and handover of mail was in accordance with the contract terms and RM
procedures; mail received was checked in accordance with RM procedures; mail was processed in accordance with contract terms and RM procedures; returns,
missorts and redirections of DSA mail were processed in accordance with the contract terms and RM procedures; the actual volume of mail processed was billed and
charges were made in accordance with contract terms; non-compliant practices at every level were escalated centrally and necessary action was taken, including
communication to the customer; and customer feedback was handled in accordance with contract terms and RM procedures.
AREA CONTROL ENVIRONMENT: Some Improvement Required. The access and revenue protection (RP) processes are inconsistently deployed. Key
management information to assess levels of compliance to contract terms by RM and customers is not complete.
GROUP IMPACT: Medium. The Group is exposed to a medium level of risk if the actions identified in this report are not implemented. Loss of revenue and increased
operational costs are incurred due to non-compliance with RM stated procedures.
CONCLUSION: The review was undertaken at 8 Mail Centres. Key processes have been established to enable the RM Letters Operations and Wholesale teams to
prevent, monitor and report instances of customers failing to comply with contractual terms and conditions. Some important aspects of these processes however are
not being deployed by the business: a key revenue protection check (J Tools) was not completed in 6 out of the 8 Mail Centres; inconsistent gatehouse checks allowed
unauthorised drivers to enter RM sites and at unauthorised times in all 8 of the Mail Centres; unit prices used, when adjustments to customer mail volumes were
necessary, were based on averages rather than agreed actual prices; and instances of customer non-compliance were not being escalated by the sites to central
control to enable onward reporting to customers. This potentially results in a loss of revenue and increased operational costs.
UPDATE: Four of the scheduled actions are fully complete. The remaining actions are very heavily focused on providing additional training on existing processes, and
new recording and monitoring processes to identify non-compliance.
[Table: number of agreed actions by importance (High, Medium) and target completion date (Completed, By Dec 06, By Mar 07, By Jun 07, By Sep 07, By Dec 07, By Mar 08); cell values not recoverable from the extraction.]
2.2. People Partnering
BACKGROUND: In June 2006 Royal Mail Group (RMG) issued an Official Journal of the European Union (OJEU) notice indicating the intention to enter into a
contract for the provision of Human Resources (HR) processing capability, including HR services and an integrated HR system. The objective of the People Partnering
project is to identify and enter into contractual terms with a partner that provides for: enhanced capability to run end-to-end HR processes; the financing, building,
implementation and operation of an HR system to replace 18 legacy systems; employee and manager “self-serve” functionality; and provision of knowledge and skills
that will enable managers and team leaders to obtain the maximum benefit from the system. All business units except GLS and RoMEC are impacted, representing
over 200,000 payees and 500,000 pension scheme members. There are four stages to the Partnering Project, namely (1) selection of appropriate partnering
arrangements (i.e. partner, technical solution and the partner's commercial proposition), (2) effective contract negotiation, (3) successful implementation and (4)
sustaining benefits. These are supported by effective project management. The current plan anticipates that a partnering contract will be in place by December 2007.
OBJECTIVE: The three objectives are to: (1) provide an assessment of the risks relating to the current stage of the project, namely selection of appropriate partnering
arrangements, and effective project management to the extent that it supports this outcome, together with agreed mitigating actions; (2) identify potential risks to the
three future stages; and (3) provide advice and techniques, drawing where appropriate on external sources, to assist in the recording and treatment of risks to current
and future stages, such as additional selection criteria and a mechanism to assess the quality of the partnership arrangement.
CONCLUSION: It is recognised that because of the size and complexity of the project, it is inherently high risk. The most significant risks currently facing the project in
the first stage (the selection of an appropriate partner) are: Royal Mail Group (RMG) does not have a clear understanding of its specific requirements: if there is a lack
of clarity in RMG, potential partners cannot be clear; no solution is able to meet the business requirements in full (this was also noted in an earlier IA&RM report);
supporting processes are not adequate to effectively manage the project; and there is a lack of clarity around the respective scopes of the People Partnering project and
the Time & Resource Management System project. Each of the above has agreed planned mitigating actions which, if fully executed, will reduce the level of risk for
the first stage to Low.
Risks to future project phases may emerge at or in advance of the contract negotiation phase, implementation phase or in sustaining business benefits beyond
implementation. External evidence provided by Deloitte shows that cost creep, service deterioration and reduction in innovation are commonplace once contracts are
in place. Many of the potential risks at future stages will be mitigated if RMG engages in a genuine partnership, characterised by a collaborative rather than
adversarial way of working. However, the outcome of the arrangement is most likely to be a traditional one of customer-supplier. If so, mitigation of future risks is
more likely to rely upon effective supplier management underpinned by strong contractual relationship management.
UPDATE: Six of the agreed actions have been completed with considerable work in progress to address the remaining actions.
[Table: number of agreed actions by importance (High, Medium) and target completion date (Completed, By Dec 06, By Mar 07, By Jun 07, By Sep 07, By Dec 07, By Mar 08); cell values not recoverable from the extraction.]
2.3. Review of Performance Management — Royal Mail Letters
BACKGROUND: Royal Mail (RM) Letters Operations undertakes a performance management process that utilises a series of “scorecards” at area and unit level. The
scorecards record performance across a range of shareholder, customer and employee key performance indicators, chosen to support the overall RM Letters
business plan. Although comprehensive use of the nationally developed scorecards at unit level was not communicated as mandatory, there is an expectation that
any local practices are consistent with the national approach. This includes a full assessment of unit performance against targets at least quarterly, with root cause
reasons for failure to achieve targets identified, and remedial activity implemented.
OBJECTIVE: Provide assurance over the robustness of operational performance management procedures. Specifically, to ensure that: performance management
procedural guides / tools were readily available, and were understood by operational managers; performance management scorecards were aligned to key business
objectives; operational managers complied with performance management monitoring and forecasting requirements; corrective actions were undertaken where
performance fell short of target, and performance forecasts were supported by operational activity; and effective escalation procedures existed to identify and remedy
continued performance shortfalls. The review included both operational areas and Network units, focusing on performance management activity at area and unit level.
AREA CONTROL ENVIRONMENT: Some Improvement Required. Some area level scorecards had omissions or changes when compared to national targets.
GROUP IMPACT: Low. Although locally developed scorecards were often used in preference to the national versions, there was clear managerial commitment to
effective performance management. However, full deployment and consistent use of national scorecards may be useful in driving further improvement, and a
business decision is required as to whether use of the scorecards should be mandatory. IA&RM consider the risk of not achieving business objectives through
inadequate performance management within operational areas as Low.
CONCLUSION: There was evidence of performance management at all operational levels. Areas were monitoring actual results, determining root causes of failure
against target and implementing action plans. The requirement for effective performance management was fully understood by managers and reviews of area and unit
performance were being undertaken on a monthly basis, with remedial activity planned or in progress where performance failed target. The use of standard
performance measures is seen as a powerful tool to improve business performance at unit, area, and national level.
However, only 3 of the 8 areas reviewed utilised the nationally developed unit scorecards. The remaining areas had developed their own scorecard formats. These
formats, although broadly reflecting agreed national measures, were found to have certain omissions or changes to agreed target definitions and were dependent upon
the direction given by the area senior management team. Use of these locally developed scorecards has resulted largely from a lack of clarity as to whether the use of
the national scorecards is mandatory and a view from area teams that local scorecards better suited requirements. Network are not covered in the existing
performance management process.
UPDATE: Work to integrate Network within the formal performance management process is underway, and the incorporation of automation related measure(s) in
scorecards will improve the alignment to RM Letters business objectives. Performance management guidelines will be updated and will clearly indicate which aspects
are mandatory.
[Table: number of agreed actions by importance (High, Medium) and target completion date (Completed, By Dec 06, By Mar 07, By Jun 07, By Sep 07, By Dec 07, By Mar 08); cell values not recoverable from the extraction.]
3. Overall Perspectives on Risk and Control Environment
3.1. Risk & Control Self Assessment
The business operates a bi-annual Risk & Control Self Assessment (RCSA) exercise to provide reasonable but not absolute assurance that it is effectively managing
its key risks. It includes the results of the business' Vital Few Controls (VFCs) programme as reported by Business Units & Functions (BU/Fs). VFCs cover actions
by management to mitigate key inherent business risks as well as controls over core ‘business as usual’ processes. Separately, the business is also required to
bi-annually report any new potential risks of Group significance. The corporate threshold for upward reporting is risks of greater than £20m impact and 30% likelihood
over a three year period (after taking existing actions and controls into account).
The VFC position as at half year is set out in the table below:
[Table: Half Year Vital Few Control Status Report, by business unit, with a column listing areas of major control weakness. Column headings are not recoverable from the extraction; legible row values are Royal Mail Letters: 16, 4, 7, 6, 1 and Property Holdings: 14, 2, 11, 3, 0. Areas of major control weakness: RML self audit of Operations Service Standards (an electronic solution is being developed by CSC); PFW ‘Front Line Customer Service’ (recent customer surveys have reported low scores; in response, new training and information systems are being rolled out).]
* Letters have identified three new VFCs in 06/07. The control status of two of these is pending subject to initial testing work.
New/emerging risks of Group significance
At the half year there are currently no new/emerging risks being reported by the business units as meeting the corporate risk threshold. In some cases formal MD
sign off is pending and, since this is a dynamic process, there remains the possibility that new/emerging risks could still be escalated to the CRMC and the Group
Executive Team in November 2006 for possible inclusion on the Corporate Risk Scorecard.
3.2 Assessments from Specialists in Key Risk Areas
A summary of the assessments provided by specialists in key risk areas is presented below (see Appendix D for further detail).
[Figure: table of illustrative indicators grouped by key risk area, each with an arrow showing the movement in assessment results compared to the equivalent period last year; an arrow is shaded yellow where the movement is relative to the prior quarter for this year. The items to highlight are compliance to operational standards, particularly in Letters with 49% of Delivery Offices failing, physical security and protection of revenue. Indicator names legible in the extraction:
Protection of Mail: the number of reported mail items lost; percentage of Delivery Offices passing Compliance & Audit Specification Team audits.
Operational Compliance: percentage of compliance — Regulatory Requirements; percentage of compliance — Financial Controls; percentage of compliance — Information Security; percentage of compliance — Procedural Security Top 10 Controls.
Protection of Property / Staff: value of Post Office Network losses resulting from burglary; value of Post Office Cash in Transit attack losses; percentage of compliance from the physical and procedural audits; percentage of compliance from ‘Unattended Mail initiatives’ reviews; percentage of compliance from ‘Trojan Horse’ visits.
Protection of Revenue: Revenue Protection — percentage of risk model samples performed; Mails Verification — percentage of mandatory and risk model samples performed; revenue recovered by Revenue Protection and Mails Verification; the stamp and meter revenue gap.
The arrow directions and key are not recoverable from the extraction.]
3.3 Assessing Business Response to Agreed Actions
The ARC and the Group Executive Team (GET) have placed emphasis on the Group taking effective action in respect of issues identified in audits and other reviews.
A summary of the status of agreed actions is outlined in Figure 1 below. It shows that as at October, 5% (September: 5%) of the agreed actions due for implementation in the year
were overdue at the date of this report. Figure 2 details the revised timetable for completion of the 24 outstanding actions, of which 83% are Priority 2 (Medium risk).
Figure 1 - Agreed Actions Status [chart; values not recoverable from the extraction]
Figure 2 — Revised completion dates [table of outstanding actions by revised completion month; values not recoverable from the extraction]
Priority 1 — High risk issues
Priority 2 — Medium risk issues
3.4 Royal Mail Letters - Revenue Streams and IA&RM Activity
Figure 1 - Analysis of 2005/06 Revenue [chart; values not recoverable from the extraction]
Figure 2 - Analysis of Revenue Leakage [chart; values not recoverable from the extraction]
Figure 3 - Reviews across processes and projects impacting RML revenue [table; content not recoverable from the extraction]
Rating Key: SIR - Some Improvement Required; SAT - Satisfactory; NS - Not Satisfactory; ACC - Acceptable; Med - Medium
The purpose of this section is to give the Committee a
“deep dive” into Revenue and revenue losses, including
analysis of IA&RM activity in the area over the last 6 months.
Figure 1 details the RML 2005/06 revenue. The Corporate Risk
Analysis published in June 2006 for Revenue Leakage identified
sources of revenue leakage totalling £120m (Figure 2). Between
February 2006 and August 2006, reviews across processes and
projects impacting RML revenue have been completed (Figure
3). These reviews have covered the equivalent of 62% of
2005/06 revenues with a key focus being revenue protection.
Note 1 Stamp & Meter Revenue Management: The 12-month
rolling Stamp & Meter revenue gap trend at 30 September 2006
has risen to 10.2% (£239m), the fourth consecutive increase and
the highest for 2 years. Work is underway with the Areas to
ensure they are providing the same standard of sampling and
traffic checks as in prior periods. Investigations into the
differences between accounted for revenue and operational
traffic volumes are continuing.
Note 2 Protection of Revenue: Revenue recovered by Revenue
Protection (RP) was £3.9m for the 5 months ended 31 August
2006 (2005/06: £4.7m). For RP, in period 5, only 22% (target:
75%) of the customers identified by the SAP QM risk model as
requiring sampling were sampled, with none of the 68 Mail
Centres achieving the target.
Revenue recovered from Mails Verification (MV) was £14.2m for
the 6 months ended 30 September 2006 (2005/06: £11.4m). For
MV, 92% (target 100%) of all mail received was sampled. Only
76% (target 90%) of the mandatory checks were completed.
The Online Business Account (OBA) Programme has deployed a
new system for RP and MV (SAP QM) which has much
improved the control weaknesses identified in these areas. This
new system supports increased targeting of RP and MV
resources to the high risk postings. Adherence to the new
standards is currently below agreed targets as detailed above.
Release 2 of OBA will migrate customers to electronic sales
orders which will eliminate approximately 5.5m paper dockets
and therefore help reduce revenue leakage.
3.5 Whistleblowing Statistics
The employee disclosure (often called ‘Whistleblowing’) policy enables employees to raise concerns about inappropriate behaviour (e.g. behaviour linked to criminal
activity, fraud, conflicts of interest or health and safety breaches). The Employee Disclosure Policy concerns those occasional situations where a person feels that
they are unable to use the standard routes for reporting their concerns without compromising their position, or the matter is so serious that it needs escalating to a
senior level of management.
Table 1 — Number of Whistleblowing reports raised [table by incident category and month; cell values not recoverable from the extraction; cumulative total 118]
Table 1 details the cumulative number of Whistleblowing reports raised to 19 September 2006.
The cumulative number of incidents reported (118) is broadly comparable to the corresponding period last year (123). However, the
number of incidents reporting mail offences has increased by 16% compared to last year.
All statistics for offenders relate to individuals who have been removed from the Business whether prosecuted or not. The percentage of
offenders to reported incidents in 2006/07 is 23% compared to 26% for the financial year 2005/06.
4. Other IA&RM Activity to Support Business Improvement
In the current quarter IA&RM have continued to work proactively to support the business in improving the risk and control environment. Examples include:
Review of Atos Origin (Atos) contract performance data: The current term of the Atos contract expires in July 2007; however, a clause entitles Atos to either enter
into an obligatory 2 year extension, if agreed performance criteria are achieved, an optional extension of up to 3 years, or a 3 month notice period in the event of
termination. The review provided assurance that the source(s) of monitoring data were accurate and that reliance could be placed upon the reported performance
standards.
End User Computing — Review of the Control Framework of a sample of User Developed Applications: The functionality contained within desktop software
enables Royal Mail users to develop fairly sophisticated IT systems (e.g. intranet applications, database products and complex inter-related spreadsheet systems).
The output of the review provides the business with a better understanding of the typical levels of controls within these systems, an awareness of the more common
areas of weakness and an understanding of the level of risk the business faces in this area. We assess that the risk at Group level is Low.
ACL duplicate payments: Each year RMG makes payments to vendors worth approximately £2.4bn through its accounts payable function. Last year's audit used Computer Aided Audit Techniques (CAATs) to electronically scan data downloaded from SAP ESFS for 2003/4 and 2004/5, which identified duplicate payments amounting to £635k, of which £580k has been recovered by Accounts Payable staff. This year a joint piece of work is being undertaken between IA&RM and Accounts Payable to perform the same tests on data for 2004/6 and 2005/6.
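As an added illustration of the kind of CAAT test described above (this is example code written for this page, not the IA&RM team's ACL script): a duplicate-payment scan over a constructed accounts-payable extract. The record layout, vendor codes, document numbers and amounts are all assumed, and the two matching rules used (same vendor and normalised invoice reference; same vendor and amount paid within a short window under different references) are a common audit approach rather than anything the report specifies.

```python
"""Added example: CAAT-style duplicate-payment scan over a constructed
accounts-payable extract. Not the report's own script; layout is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Payment:
    doc_no: str        # payment document number (unique per posting)
    vendor: str        # vendor account number
    invoice_ref: str   # invoice reference as keyed by the AP clerk
    amount: float      # amount paid, GBP
    paid_on: date


# Constructed sample data (not real Royal Mail postings): three duplicate
# situations are hidden among otherwise normal payments.
SAMPLE = [
    Payment("5000001", "V100", "INV-00123", 1250.00, date(2005, 4, 3)),
    Payment("5000002", "V100", "INV 123",   1250.00, date(2005, 4, 20)),  # same invoice, re-keyed
    Payment("5000003", "V200", "A-778",     980.50,  date(2005, 5, 1)),
    Payment("5000004", "V200", "A-779",     980.50,  date(2005, 5, 3)),   # same vendor/amount, 2 days apart
    Payment("5000005", "V300", "Z1",        15.00,   date(2005, 6, 1)),
    Payment("5000006", "V300", "Z2",        15.00,   date(2005, 9, 1)),   # same amount, months apart: not flagged
    Payment("5000007", "V400", "7781",      4200.00, date(2005, 7, 7)),
    Payment("5000008", "V400", "007781",    4200.00, date(2005, 7, 7)),   # only leading zeros differ
]


def normalise_ref(ref: str) -> str:
    """Collapse the common ways one invoice gets re-keyed: case, punctuation,
    whitespace, and leading zeros on the numeric part of the reference."""
    token = re.sub(r"[^A-Z0-9]", "", ref.upper())
    return re.sub(r"^([A-Z]*)0+(?=\d)", r"\1", token)


def exact_duplicates(payments):
    """Rule 1: same vendor and same normalised invoice reference.
    Returns groups of two or more payments that share that key."""
    groups = defaultdict(list)
    for p in payments:
        groups[(p.vendor, normalise_ref(p.invoice_ref))].append(p)
    return [g for g in groups.values() if len(g) > 1]


def near_duplicates(payments, window_days=14):
    """Rule 2: same vendor and amount, paid within `window_days` of each other
    under references that Rule 1 does NOT treat as identical. These need a
    human look: genuine repeat orders and re-keyed invoices both land here."""
    by_vendor_amount = defaultdict(list)
    for p in payments:
        by_vendor_amount[(p.vendor, round(p.amount, 2))].append(p)
    hits = []
    for group in by_vendor_amount.values():
        group.sort(key=lambda p: p.paid_on)
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if b.paid_on - a.paid_on > timedelta(days=window_days):
                    break  # sorted by date, so nothing later is closer
                if normalise_ref(a.invoice_ref) != normalise_ref(b.invoice_ref):
                    hits.append((a, b))
    return hits


def exposure(groups):
    """Value at risk from Rule 1: every posting beyond the first in each group."""
    return round(sum(p.amount for g in groups for p in g[1:]), 2)


if __name__ == "__main__":
    sure = exact_duplicates(SAMPLE)
    for g in sure:
        print("DUPLICATE", [p.doc_no for p in g], g[0].vendor, g[0].amount)
    print("exposure GBP", exposure(sure))
    for a, b in near_duplicates(SAMPLE):
        print("REVIEW", a.doc_no, b.doc_no, a.vendor, a.amount)
```

Rule 1 output is what an Accounts Payable team can chase for recovery; Rule 2 output is a review list, since the same vendor can legitimately be paid the same amount twice in a fortnight. On a real SAP extract the same approach runs over the vendor, reference, amount and posting-date fields, with the normalisation tuned to how references are actually keyed.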
HR Infinium data integrity: Following the review of People & Organisational Development (P&OD) Enterprise IT in January 2006, IA&RM were requested to regularly re-perform data integrity tests on the approximately 180,000 employee records held on the HR Infinium system. CAATs were used to scan data downloaded from HR Infinium, which identified a small number of records that appear to be invalid or require further review. These findings are currently under investigation by Group Technology.
Review of the level of risk embeddedness: In order to improve risk management within the organisation, a review was undertaken to obtain views from senior management and the risk professionals.
5. IA&RM Current and Planned Activity
The table below shows key areas of current and planned IA&RM activity for the remainder of this financial year, to provide ARC with a view of likely topics over the year and the opportunity to assess the extent to which the planned activity remains relevant to current key priorities. The table also highlights those assignments, underway or planned, which are of highest potential significance to the Group.
Assignment | Major Review
Road Transport Directive |
End to end regulation review |
Restrictive Practices |
Health & Safety - Business Unit implementation |
Mails integrity: Security | Yes
Mails integrity: Recruitment Vetting |
Time Recording Management System (TRMS) |
Strategic projects - Automation | Yes
Project Breakthrough |
Instant Saver Product Review | Yes
Leavers process |
Strategic projects - Walk sequencing | Yes
Strategic projects - Delivery best practice | Yes
Group Compliance Framework | Yes
Commercial Servicing of Customers |
HWDG Operational |
Traffic Measurement (follow-up) |
PFWW Customer payments |
Sales Tender Process |
Horizon New Generation |
Environmental sustainability |

(The Planning / Fieldwork / Draft stage markers and the Target Issue column are not legible in the scanned copy.)
Appendices
Appendix A: Reports Issued in Period
See Appendix C for a definition of the ratings used.
Date | Report No. | Report Title | Audit/Risk Rating and Group Impact (RM Letters only; Other, incl. Group wide)
Sep-06 | 06.063 | Review of ATOS Contract Performance Data | Low
Sep-06 | 06.080 | BBC Licence Stamp Withdrawal | N/A
Sep-06 | 06.068 | Network reinvention |
Sep-06 | 06.032 | Review of Performance Management |
Oct-06 | 06.031 | Downstream Access (DSA) |
Oct-06 | 06.038 | End User Computing |
Oct-06 | 06.108 | HR Infinium Data Integrity |
Oct-06 | 06.057 | People Partnering: Managing Risks (rating relates only to the first stage of the project) |

(Ratings were colour-coded in the original table; other than the two entries shown, they are not legible in the scanned copy.)
Appendix B: Trend in IA&RM Report Ratings
The chart below provides a long term comparison of the proportion of ratings issued in each year. Although the proportion of assignments rated satisfactory has decreased since 2004/05, this does not necessarily indicate a worsening in the overall control environment. It reflects the continuing and increased focus of IA&RM on the areas of the Business where risks are considered to be high.

[Chart: proportion of report ratings issued in 2004/05, 2005/06 and 2006/07, by category: Critical / High Risk; Not Satisfactory / Medium Risk; Some Improvement Needed / Low Risk; Satisfactory / Acceptable.]
Appendix C: Explanation of Report Ratings Used

The ratings table is only partly legible in the scanned copy. Its four dimensions, and the definitions that can be recovered, are:

AUDIT RATINGS / RISK ASSESSMENTS: Satisfactory / Acceptable (general or only a few weaknesses identified; risks reduced to an acceptable level), Some Improvement Needed / Low, Not Satisfactory / Medium, and Critical / High (the Group is exposed to a high level of risk, for example a major system breakdown or threat to the business).

FOLLOW-UP ASSIGNMENTS: rated on the proportion of agreed actions completed, from 90%-100% completed (completed and planned actions have reduced risks to an acceptable level), through completed and planned actions that should reduce risks to an acceptable level, down to less than 20% completed (completed and planned actions will not effectively manage significant risk).

GROUP IMPACT: from matters arising of Business Unit significance with no effect on the Group position, up to matters of a strategic nature, or of sufficient significance to require action on policy or non-conformance, at Group level.
Appendix D: Evidence from Assessments in Specialist Risk Areas
Information provided by other assurance providers within Royal Mail (RM) can be very useful in helping to assess the overall level of control in the business. RM is inherently vulnerable to loss of assets, misuse of information and damage to brand and reputation, because of the scale and profile of the business and the nature of the core business processes. This summary provides key assurance providers' information and findings on the key activities, cumulative to period 6 (September 2006) unless otherwise indicated. At the Audit & Risk Committee's request, we also give some information on prosecutions arising from discoveries of wrongdoing.
Group Wide
Protection of Information: Incidents of portable computer loss/theft in the 6 months ended 30 September 2006 totalled 25, compared with 26 in the same period last year. Mobile phone losses/thefts in the 6 months ended 30 September 2006 numbered 97 (2005/06: 107). In the 6 months ended 30 September 2006 the number of virus incidents recorded against systems was substantially down on the same period last year, on all three measures reported: 703 (2005/06: 4,839) end user virus calls made to the helpdesk; 28,727 (2005/06: 382,713) viruses detected by the server virus guard; and 16,731 (2005/06: 120,222) viruses blocked by anti-spam measures.
Taking Action, Prosecutions: In the 6 months ended 30 September 2006 there have been 267 prosecutions (2005/06 full year: 723) of internal and external offenders, of which 220 have been successful. Of the successful prosecutions, 73 (33%) resulted in a custodial sentence, compared with 32% for the full year 2005/06.
Letters
Operational Audits: No central records are held of mandatory operational self-audits. A computerised system is being introduced to record this information, but the go-live date has been delayed until January 2007. The Compliance & Audit Specification (CAS) Team performs independent audits in operational units to ascertain performance. The CAS Team's assessments for the 6 months cumulative to 30 September 2006 were as follows.

The top three impacting Delivery Office questions cumulative to September 2006 were:
1. Are the office's staffing and control mechanisms robust? 52% failed (370/712)
2. Are all special delivery items processed, delivered and recorded on RMGTT on the day of receipt? 47% failed (333/712)
3. Was the Delivery Office Daily Report (DODR) made to time and accurately recorded? 46% failed (117/712)

The top three impacting Mail Centre questions cumulative to September 2006 were:
1. Were all collections covered, and did they arrive in the Mail Centre to time? 43% failed (12/28)
2. Were all checks on presentation and quality undertaken? 43% failed (12/28)
3. Were all due presentation and segregation standards maintained? 39% failed (11/28)
Letters (continued)
Protection of Mail: Mail loss incidents for Letters and Parcelforce Worldwide total 707 for the 6 months ended 30 September 2006, down 50% compared with the same period last year. The number of items involved was substantially reduced at 118,637 for the 6 months ended 30 September 2006, down 69% on the corresponding period last year. The four main types of external theft are theft from trolleys (20%), theft from drop-off points (16%), theft from vehicles (15%) and theft from cycles (14%). In the 6 months ended 30 September 2006 there have been 195 (2005/06: 217) cases of criminal damage.
Protection of Staff: In the 6 months ended 30 September 2006, 61 people have been injured (3 seriously) in a total of 166 attacks on Royal Mail staff. There were 249 attacks in total for 2005/06, and if this year's trend continues the total number of attacks will exceed last year's.
Security: 92% (2005/06 full year: 92%) of the offices visited during announced physical and procedural security reviews were compliant in the 5 months ended 31 August 2006. However, only 69% of offices visited in the 6 months ended 30 September 2006 (2005/06 full year: 83%) as part of the "Trojan Horse" exercise were compliant, so the announced-visit figure should be read alongside the lower unannounced result. "Unattended Mails Initiative" patrols, which measure compliance with delivery and vehicle security procedures, have shown an improvement in cumulative results, with 45% (2005/06 full year: 52%) of offices compliant for the 6 months ended 30 September 2006. These results have implications for Mails Integrity.
Post Office Limited
Protection of Cash: Network cash losses from burglary/robbery are slightly higher than in previous years, with losses to 30 September 2006 totalling £0.74m (2005/06: £0.72m), and the number of incidents in the same period has risen to 259 (2005/06: 236). The percentage of successful attacks (from the perpetrator's viewpoint) was 16% for burglaries and 47% for robberies. Firearms were carried on 45 (2005/06: 50) occasions, with one firearm discharged in September. Cash in Transit (CIT) attack losses are down in 2006/07 at £0.24m (2005/06: £0.40m), and the number of attacks has reduced by 4% to 44 (2005/06: 46). Only 64% of the robbery and theft attacks were successful. To date, 14 attacks have caused minor injuries, but there have been no instances of major injuries requiring hospital attention.
Financial Reviews: There have been 21 (2005/06: 17) losses greater than £25k, including 3 (2005/06: 2) over £100k. The percentage of branches with acts of dishonesty is 8% (2005/06: 4%), with the value of dishonest acts accounting for 31% (2005/06: 13%) of the total value of losses. Moreover, the percentage of branches with unexplained losses has increased significantly to 72% (2005/06: 40%), accounting for 52% (2005/06: 58%) of the total value of losses.
Compliance Reviews: The top 3 failing questions for regulatory compliance checks, together with the percentage of non-compliant branches, were:
1. Copy of the Post Office Home Phone Code of Practice not to hand, 52%
2. Staff unaware of new process for recording customer ID, 20%
3. Insufficient supplies of P4677 to hand, 16%

The top 3 failing questions for Financial Controls were:
1. Daily payment advice not to hand, 62%
2. Remittances awaiting collection not included in previous night's cash declaration, 21%
3. ONCH not listed accurately and/or cash denominations incorrectly listed, 15%

The top 3 failing questions for Procedural Security were:
1. Hostage policy not known, 32%
2. Cash held on counter exceeded 1 to 1.5 hours' usage, 32%
3. CCTV and/or 35mm camera signage not prominently displayed, 32%

The top 3 failing questions for Information Security were:
1. PIN and PMMC not held separately, 26%
2. Obsolete users not deleted from the Horizon system, 32%
3. Horizon system user names not in the correct format, 32%