POL00363167
Post Office Ltd — Strictly Confidential
RISK AND COMPLIANCE COMMITTEE
20 JULY 2004 - Meeting Ref 01
Members:
Sir Mike Hodgkinson (Chair)
Peter Corbett
Apologies:
Iain Anderson
In Attendance
Rod Ismay
SUMMARY ACTION POINTS
ITEM ACTION LEAD
0101 Letter to FSA regarding independent expert for Compliance Cttee RI
0102 Update the compliance risk map for the next meeting RI
0103 Prepare end to end description of the "life of an MVL" RI
0104 Overview and risk analysis of the planned DWP 'exceptions process' RI
0105 Confirm defence position on major cases with Group Legal PC
1. MINUTES FROM LAST MEETING
Not applicable. This was the first meeting.
2. STATUS OF ACTIONS FROM THE PREVIOUS MEETING
Not applicable. This was the first meeting.
3. MATTERS DISCUSSED AT THE MEETING AND NEW ACTIONS REQUESTED
The issues discussed included the following items (which are expanded on as shown):
3.1 Purpose of the committee
3.2 Members of the committee
3.3 What is compliance
3.4 Risk & Control Team — Audit & Inspections activity
3.5 Risk & Control Team — Anti Money Laundering and Vital Few Controls
3.6 Security activity
3.7 Legal Services activity
3.8 Group Audit activity
3.1. Purpose of the Committee
It was agreed that this body should be a Compliance Committee, to support and
complement the business and the group Audit & Risk Committee. It is not
intended to be an Audit Committee in its own right.
RI suggested the following responsibilities for the committee. These were
provisionally agreed. However, following 3.2 below, MH proposed we take
advice from the intended “independent expert” member in defining the
responsibilities:
Approve POL audit and compliance plans
Monitor POL's internal control and risk management systems
Initiate quality review of control & compliance functions
Monitor the setting and deployment of policy in POL
Monitor the integrity of POL’s external reporting (including financial)
The committee noted the disclosures about Audit and Risk committees in the
Royal Mail Holdings accounts and that there may be future benefit in disclosure
about this committee in Post Office Ltd's accounts.
3.2. Members of the Committee
MH suggested that the committee should include an independent expert, who
could advise (without being held legally responsible).
PC explained that the draft membership of MH, PC and IA had been proposed so
as to be able to bring as independent an executive challenge as possible to the
compliance of Banking & Financial Services and of Operations. It was agreed
that Graham Halliday and Dave Miller therefore be default invitees to all meetings
of the committee but not to be members of the committee.
Action 0101
RI to draft a letter, and clear with Keith Woollard, for MH to send to the FSA. The
letter to explain that Post Office Ltd is setting up a compliance committee and
would appreciate the FSA's recommendations, as an independent party, on
appointing an independent expert adviser (non legal responsibility).
3.3. What is Compliance?
The Committee noted the diversity of potential legal, regulatory and contractual
obligations for compliance and that the draft risk map of these was helpful.
Action 0102
RI to update the compliance risk map for the next meeting.
3.4. Risk & Control Team — Audit & Inspections Activity
The Committee noted the development plans for risk models for targeting branch
audit visits.
3.4.1. Branch control and Audit committee feedback
Updates received from old cases: Turners Hill, Blackwood and Sevenoaks.
New cases discussed Finsbury Park, Putney Bridge and Edgware.
Development of the Branch Control forum was discussed.
Post Office Saving Stamps frauds were discussed.
Discussion regarding counterfeit notes and benefits of ultraviolet scanner was had.
Action 0401
What is the indicative cost of a suspension in terms of cover pay and overheads?
Action 0402
Sevenoaks to be revisited now new BM and SAM are in place.
Action 0403
Increase scope of Branch Control forum reports to target top 20 worst performing
branches in the future.
Action 0404
Turners Hill — ensure property assets are investigated for recovery
3.4.2. Branch Audit team
Martin Ferlinc presented review of Branch Audit findings 04/05 — assets verification
and compliance audits.
Proposed Branch Audit plan for 05/06 was discussed.
3.4.3. Banking and Financial Services compliance
Improving trend in compliance, though mystery shopper less encouraging than audits.
New tools to increase awareness were discussed i.e. competition, video as well as
refresher training.
Royal Mail Internal Audit review focused on a number of steps to be completed to
embed business as usual processes.
3.4.4 Investigation team
Current fraud risks were discussed around cash cheques, Bureau de Change, PO
Saving Stamps, fictitious deposit and deposit suppression.
Action 0405
Confirm what security features are incorporated within PO saving stamps, and
whether high value postage stamps could be used
Action 0406
Install ultraviolet scanners at 3 DMBs to ascertain the benefits for installing at all
DMBs.
Action 0407
Confirm that we have written to DWP to highlight cash cheques concerns.
Action 0408
Bureau — why are high value bills ($100 etc) being returned to Hemel when we have
note scanners in the branches?
Action 0409
Destructions and returns — could some DMBs be used to recycle stock from closed
offices instead of returning for destruction
3.4.5 Corporate risk register
Reviewed current risk register and discussed any movement of risks and causes.
Action 0410
How did we get some of the monetary value - revisit using inherent risk/residual risk.
3.4.6 Information Systems security
Access to Horizon and other IT platforms was discussed.
POL web site recently received a number of attacks.
Action 0411
ID theft risk — provide further detail on risks including comparison of branch versus
call centre channel risks
Action 0412
Bank account "theft & flight" — what sort of accounts are involved and how is the
money being stolen?
4. DATE OF NEXT MEETING
7th July 2005
Sir Mike's office
Future agenda Item
Key Controls
DVLA actions from recent review
ID theft and security of personal information
Attendees to include
Sue Lowther — Head of Information Security