POL00391936 - Post Office Risk and Compliance Committee Agenda

POL00391936

Post Office Risk and Compliance Committee Agenda

Date: 18 January 2018
Start Time: 13.00
Finish Time: 16.00
Venue: 1.19 Wakefield, Finsbury Dials

Attendees:
Jane MacLeod (Chair)
Paula Vennells
Al Cameron
Mark Davies
Martin Edwards
Debbie Smith
Rob Houghton
Martin Kirke
Johann Appel
Ashish Singh
Jane Fahey
Owen Woodley
Nick Kennett
Jonathan Hill (Items 3.1 and 9.1)
Jenny Ellwood (Item 3.2)
Sally Smith (Item 3.3)
Michael Passmore (Item 3.5)
Tim Armit (Item 3.6)
Martin Hopcroft (Item 3.7)
Jules Harris (Item 3.8)
Richard Williams (Item 4)
Barbara Brannon (Items 5 and 6)
Ben Foat (Item 8)
Mark Dixon (Item 10)
Julie Thomas (Item 11.2)
Agenda (for each item: Action Needed, For ARC, Purpose, Lead, Time)

1. Welcome, introduction & conflicts of interest. Purpose: Members to declare any conflicts of interest. Lead: Chair. 13.00 - 13.05 (5 minutes).

2. Minutes and action lists. Action: Approval. Purpose: To approve the minutes of the meeting held on 8 November and update on actions. Lead: Chair.

3. Key Operational Risks. Action: Discussion & approval. For ARC. Purpose: To review the management of key operational risks. 13.05 - 14.15 (70 minutes).
   3.1 FS Conduct - Jonathan Hill
   3.2 Change - Jenny Ellwood
   3.3 Financial Crime - Sally Smith
   3.4 IT Controls Framework - Rob Houghton
   3.5 Financial Reporting Controls - Michael Passmore
   3.6 Business Continuity - Tim Armit
   3.7 Health and Safety - Martin Hopcroft
   3.8 Information Protection and Assurance - Jules Harris

POL-BSFF-0218823
4. Risk Update. Action: Questions & Noting. For ARC. Purpose: To note a Risk Update. Lead: Richard Williams. 14.15 - 14.30 (15 minutes).

5. Compliance. Action: Questions & Noting. Purpose: To review the Procurement compliance report and forward view. 14.30 - 14.40 (10 minutes).
   5.1 Procurement - Barbara Brannon

6. Policies. Action: Approval. For ARC. Purpose: To approve new and updated policies. 14.40 - 14.45 (5 minutes).
   6.1 Supplier Relationship Management - Barbara Brannon

7. Audit. Action: Questions & noting. For ARC. Purpose: To note the Internal Audit Report. 14.45 - 15.00 (15 minutes).
   7.1 Internal audit report - Johann Appel

8. Deep Dives. Action: Questions & noting. For ARC. Purpose: To note the Annual Legal Risk Report. 15.00 - 15.20 (20 minutes).
   8.1 Annual Legal Risk Report - Ben Foat

9. Horizon Scanning. Action: Questions & noting. 15.20 - 15.25 (5 minutes).
   9.1 FCA Report - Aging Populations and Financial Services. Purpose: To note the FCA Report - Aging Populations and Financial Services. Lead: Jonathan Hill
   9.2 Legal and Regulatory Horizon Scanning. Purpose: To note any new or proposed material changes to laws and regulations. Lead: Ben Foat

10. Interest Rate Swap under new POCA contract. Action: Approval. For ARC. Purpose: To approve an interest rate swap under the new POCA contract. Lead: Mark Dixon. 15.25 - 15.30 (5 minutes).

11. Papers for noting. Action: Noting. 15.30 - 15.55 (25 minutes).
   11.1 POMS RCC minutes - Owen Woodley
   11.2 EUM Update (for ARC) - Julie Thomas
   11.3 SuccessFactors Update (for ARC) - Martin Kirke
   11.4 Joiners, Movers and Leavers (for ARC) - Jane MacLeod
   11.5 GDPR Update (for ARC) - Jane MacLeod

12. Any Other Business. 15.55 - 16.00.

CLOSE 16.00

Post Office Ltd - Confidential

Risk and Compliance Committee (R&CC)

Reference: R&CC Nov 2017

Date: 8 November 2017

Venue: 1.19 Wakefield, Finsbury Dials

Time: 13:00 - 16:00

Members:
Jane MacLeod (JM), Director, Group Legal, Risk & Governance - Chair
Al Cameron (AC), Chief Finance & Operations Officer - Member
Martin Edwards (ME), Group Strategy Director - Member
Kevin Gilliland (KG), Chief Executive Retail - Member
Mark Davies (MD), Group Communications, Brand & Corporate Affairs Director - Member
Paula Vennells (PV), Group Chief Executive - Member

Attendees:
Joe Arakji, Deputy Group HR Director - On behalf of HR Director
Mick Mitchell, IT Security & Service Director - On behalf of Group Chief Information Officer
Owen Woodley, Managing Director, Post Office Money - On behalf of Chief Executive - Financial Services & Telecoms
Johann Appel (JA), Senior Internal Audit Manager - Report (Paper 6.1)
Marla Balicao, Interim Head of Secretariat
Georgina Blair (GB), Risk Business Partner - Secretariat
Ashish Singh, Interim Head of Risk
Jonathan Hill (JH), Head of Risk, Banking Regulation and Strategy - Report (Paper 3.1)
Jenny Ellwood (JE), Head of Transformation Risk and Assurance - Report (Paper 3.2)
Sally Smith (SS), Head of Financial Crime - Report (Paper 3.3 & 5.2)
Tim Armit (TA), Senior Manager Business Continuity - Report (Paper 3.6)
Deana Herley (DH), Senior Assurance Manager - Report (Paper 4)
Tom Wechsler (TW), Government and Payment Services Director - Report (Paper 4)
Jackie Newton (JN), Head of Learning - Report (Item 5.3)
Mark Dixon (MD), Head of Treasury, Tax and Insurance - Report (Paper 7.1)
Jules Harris (JuH), Head of Information Protection and Assurance - Report (Paper 7.2 & 8.1, 8.2)

Apologies:
Rob Houghton (RH), Group Chief Information Officer - Member
Nick Kennett (NK), Chief Executive - Financial Services - Member
Martin Kirke (MK), HR Director - Member

The Chair declared the committee quorate and opened the meeting. The Chair asked for any
conflicts of interest to be declared. Standing conflicts of interest were acknowledged and no other
conflicts were raised. The Chair introduced Marla Balicao, Interim Head of Secretariat, and Ashish
Singh, Interim Head of Risk, and explained that she had asked them to look at risk governance
within POL. The Chair noted that it would be taken that Committee members had read the papers
and the agenda would be taken up with questions and discussion.

Risk and Compliance Committee minutes, 8 November 2017

The Committee agreed the minutes of the previous meeting and reviewed the open actions. (See
RCC actions log for updates)

3.1 FS Conduct Risk

JH asked the Committee for any questions on the paper. The Committee discussed how mystery
shopping incidents which revealed non-compliance were followed up and were reassured that each
Customer Relationship Manager (CRM) is account managed by an Area Sales Manager who provides
training and support. The Committee noted the difficulty in creating consistency of scripts across
the network, which meant that other controls were necessary, and that the main one was that the
sale could not currently be completed in branch.

JH highlighted to the Committee that the FSA had published a paper in September 2017 on ‘Aging
Population and Financial Services’ which looked at the public policy implications of an ageing
population, the impact on financial services and suggested actions for both the FSA and the
financial services industry to better support older people. The Committee agreed that the findings
of this report were relevant not only to the Financial Services teams, but also POCA & Identity and
requested that JH summarise the high level findings of the report and how they apply to POL for
next RCC (AP1798), and that ME organise a workshop for the key parties. (AP1799)

JH left and JE joined the meeting.

3.2 Change Risk

JE asked for comments on the paper. The Committee discussed action tracking and queried
whether projects were made aware of the impact of missing deadlines on projected benefits. JE
explained that a new reporting format was being developed which will capture the type of benefit
and map out the period when the benefit should start to be realised. It will also clearly call out
variances and the reason for these. The Chair noted that this activity was in response to action
1784, from the July RCC meeting, and hoped that it would be possible to close the action in
January.

JE left and SS joined the meeting.

3.5 Financial Controls

AC provided the Committee with a summary of control status. The Committee discussed whether the
fact that the Financial Controls Framework was operational meant that risk exposure had reduced
and noted that the continued use of POLSAP meant exposure continued to be high, despite the
mitigations in place. The Committee noted that the Financial Controls Framework is to be
extended to FSC, and possibly into HRSC once SuccessFactors is introduced.

3.3 Financial Crime

SS introduced the paper. The Committee noted that there were 13 branches with no known issues
which had not done their Anti-Bribery and Corruption training. The Committee discussed the issue
and potential courses of action, and confirmed that bureau transactions should be switched off in
those branches. SS would liaise with the Bureau team to ensure that happened. In addition the
consequences for Moneygram and the Banking Framework should be considered. (AP1800(a))

The Committee noted that volumes of suspicious activity reports (SARs) have decreased by 25% in
September and October. KG noted that he wanted Roger Gale and the Regional Managers to be
more aware of the issues and asked SS to send Roger Gale monthly updates so he can monitor
trends.

The Committee noted that the HMRC audit action plan is on track, apart from the bureau de
change mitigation activity. The implementation of the data warehouse and data mining tool has
been delayed due to delays to the Credence re-platforming project, and it has been identified that
the proposed bureau de change eKYC solution may not meet HMRC requirements. This may
require additional procurement and HMRC have been advised that due to our procurement
compliance requirements we may be unable to meet the action implementation plan date. SS said
she had spoken to HMRC and they are satisfied that manual mitigations are in place while the eKYC
solution is being procured and implemented.

5.2 Criminal Finances Act

SS asked if there were any questions on this paper. The Committee noted that any suspicions of
Criminal Financing should be reported to the Financial Crime team, via Grapevine or an individual’s
line manager. Communications will be issued to the business to reinforce this. SS confirmed she is
taking over responsibility for compliance with the Criminal Finances Act at end of November.

SS left and TA joined the meeting.

3.4 IT Controls Framework & IT Disaster Recovery

MM explained the current status of the IT Controls Framework. The Committee discussed how
reporting from the controls framework would feed into the placemat, and what role internal audit
should take.

The IT DR paper was handed out. The Committee noted that Business Impact Assessments
had identified that the untested system causing the most concern was Horizon. It had been hoped
to perform a full Fujitsu DR test for the May Bank Holiday 2018 but this may have to be postponed
to August Bank Holiday 2018, due to a dependency with POLSAP migration, now forecast for June
2018. It will be necessary to migrate off POLSAP before performing a DR test, because there is a
concern that if POLSAP is switched off it won’t switch back on again. Instead of a whole DR test
we are providing assurance through governance and unit tests.

The Committee requested that MM provide an update in March 2018. (AP1800(b))

3.6 Business Continuity

TA provided the Committee with an update from the previous day’s meeting with Royal Mail. The
Committee noted that in the instance of a strike RM won’t collect from 3000 of our branches,
based on MI about storage volumes and capacity. 5000 of our branches have less than 50 items a
day. Martin Kearsley has said failure to collect will not cause contractual problems under the
Banking Framework perspective. The Committee discussed the issue and noted that the problem
will be customer perception and that the aim should be to avoid closing Post Offices because
customers are likely to change their habits. If the strike occurs in early January, as seems likely,
there could be an issue about storage space because of high volumes of Mail Order Returns.

The Committee considered the issue of cheque clearance processes and noted the importance of
setting expectations in the case of a strike. Although the ‘clock doesn’t start’ until cheques reach
IPSL, the banks will be sensitive to customer complaints due to money not being in an account
because cheques have not been collected. AC said this may give us a chance to behave well in
banking.

MM left the meeting.

The Committee noted that tested business continuity plans were needed for Banking Framework.
In addition, the business continuity plans for HRSC at Bolton need to have been tested before the
implementation of SuccessFactors. An incident at Bolton could result in the business being unable
to pay people. The Committee requested that a tighter timetable for testing business continuity be
produced, which included testing Bolton before the implementation of SuccessFactors and
Chesterfield by financial year end. (AP1801) The Committee noted that if help with resource was
needed it would be provided.

TA left and DH & TW joined the meeting.

4.1 Risk Placemat

DH gave an update on the Placemat roll out. JM explained the new Legal risk around PCI audit.
The Committee noted that the company doing the audit had taken a very technical approach and found a
number of relatively immaterial things (old equipment, manual controls) and scored them very
highly. Negotiations were ongoing on remediation plans.

TW explained how the placemat approach had worked in his team. As well as increased awareness
of their risks, his team had a better understanding of what each other was doing and a better
appreciation of other team members’ skills and knowledge. He noted that there had been strength
in the iterative approach to identifying his top risks, but that the initial workshops had produced a
very operational set of risks which didn’t include any of the five things that keep him awake at
night. He intended managing his risks to become part and parcel of managing his team. He asked
the Committee to note that the reasons given for being poorly resourced in the paper were his own
application of hindsight. He had never been blocked or unsupported in terms of resource. His
team also included parts of the business which haven’t been looked at for a long time and which
had been revealed to be unexpectedly complex. With reference to his top risks he noted that the
cause of much of the risk around AEI was dispersed accountability, but that there was a
process in place to resolve this. He felt he had scored the Paystation risk too high. This was being
actively managed and there are devices in place to see us through to 2021. We are doing
everything we should do.

The Committee discussed the escalation of issues and risks, and noted the examples given in the
Engagement Champions Session which had preceded the RCC. Cleaning and the IT helpdesk had
both been raised as issues. The Committee noted that there is a culture of people not reporting
issues because they think it will not make a difference. The Committee requested that Rob
Houghton update RCC on his plans to improve IT helpdesk and how to monitor that it is getting
better. (AP1802)

TW and DH left the meeting.

5.1 Procurement

The appendix to the Procurement paper was handed round at the meeting. The Committee
discussed the report and appendix, noting that although risk exposure was relatively low Barbara
Brannon, Head of Procurement, should be encouraged to tell the Committee where procurements
were not handled properly. The Committee requested a forward view of expected procurement
activities over the next two years. (AP1803)

JN joined the meeting.

5.3 Training Matrix

JN explained the Learning team had created a training matrix which matched training requirements
to roles. A slide of the highest level of the matrix was circulated to the Committee. PV
commented that it was very reassuring that training commitments had been logged and recorded.

JN left the meeting.


6.1 Internal Audit Report

JA introduced the report. The Committee noted that JA had discussed the updated 2017/18 audit
plan with all GE members and that the revised plan would be ready for the November ARC
meeting. Three audits had been completed since the last meeting. JA noted that the level of
engagement across the business had improved and that the plan was still on track to complete.
The audit year was currently running May to May and the aim was to change that to the financial
year end in 2019.

MD entered the meeting.

7.1 Tax Update and Strategy

MD explained that there was a new tax manager, Andy Jamieson, a VAT specialist who had been
recruited from KPMG. The Committee noted the tax strategy and discussed the resource
requirements. MD noted that historically the tax team has relied on advisers. The Committee
noted that it was important to consider VAT when making proposition and product changes, as well
as contractual and structural changes, and that VAT should be considered at an early stage of the
change process. The Committee discussed the consequences of the VAT ruling over PayPoint and
noted that there might be an opportunity where we have some contracts that are vatable and
some aren't.

The Committee approved the Tax Strategy for submission to ARC.
MD left and JuH joined the meeting.

7.2 Cyber Security and Information Assurance (CSIA) Update Paper

JuH provided copies of the paper to the committee, explaining that the annual review should be
September but had been postponed to November. The risks haven’t changed materially. There is
still no consolidated view of IT security threats, vulnerabilities and events but the Advanced SOC
project will significantly reduce the impact of this risk. Once complete by Q3 2018 it will also
reduce the likelihood of other cyber risks from materialising. The Committee discussed the paper
and its presentation to ARC. The Committee discussed the recent DDoS attack, noting that there
had been no chatter about it. JuH noted no chatter was more dangerous because then we don’t
know what the attack was for.

8.1 Acceptable Use Policy

JH explained that the policy format had been updated to focus on risks, controls, and who was
required to operate the controls and how frequently. This made the policy clearer but the content
is the same. There will be comms around the policies.

The Committee approved the Acceptable Use Policy.

8.2 Cyber and Information Security Policy

JH explained that the policy format had been updated to focus on risks, controls, and who was
required to operate the controls and how frequently. This made the policy clearer but the content
is the same. There will be comms around the policies.

The Committee approved the Cyber and Information Security Policy.

The Committee noted the following papers:

9.1 POMS RCC minutes


There being no other business, the Chair closed the meeting at 3.48pm.

Next Meeting - Thursday 18 January 2018, Room 1.19 Wakefield, 13.00 - 16.00

POL Risk and Compliance Committee
Action List

Status Report as at: 28/11/2017

Columns: Meeting Date; AP ref; Action; Action Owner; Due Date; Status; Open/Closed

08/11/2017, AP 1803: Two year view of procurement - provide Committee with forward view of expected procurement activity over next two years. Owner: Barbara Brannon. Due: 18/01/2018. Status: See January 2018 agenda item 5.1. Open.

08/11/2017, AP 1802: IT Helpdesk - Update Committee on plans to improve IT helpdesk and how it will be monitored. Owner: Rob Houghton. Due: 18/01/2018. Status: Atos service desk improvement plan in progress; measuring weekly against performance. Open.

08/11/2017, AP 1801: Business continuity testing - Test Bolton before the implementation of SuccessFactors and Chesterfield by the financial year end. Owner: Tim Armit. Due: 31/03/2018. Open.

08/11/2017, AP 1800(b): IT DR plans - Provide an update on IT DR plans. Owner: Mick Mitchell. Due: 13/03/2018. Open.

09/11/2017, AP 1800(a): Financial Crime - Confirm with Bureau team that transactions had been switched off for those branches who had not completed ABC training. Owner: Sally Smith. Due: 18/01/2018. Open.

08/11/2017, AP 1799: Workshop on FS report - Organise a workshop for the key parties (FS, POCA & Identity teams). Owner: Martin Edwards. Due: 18/01/2018. Status: Issues partly considered as part of future of POCA workshop in December; strategy team (Daniel Farber) engaging with relevant teams during January to co-ordinate response to the wider report. Open.

13/09/2017, AP 1796: Camelot lessons learnt - Internal audit to interview staff members to augment the lessons learnt exercise. Owner: Johann Appel. Due: 18/01/2018. Status: Update at November RCC: IA are still waiting to interview an ex-employee. Individual is currently unwilling to be interviewed. Decision to be taken whether to pursue interview. Open.

13/09/2017, AP 1789: Compliance requirements - Discuss impact of likely enhanced AML & fit & proper requirements with the relevant stakeholders in Government. Owner: Jane MacLeod / Patrick Bourke / Mark Davies. Due: 16/01/2018 (next update). Status: Update at November RCC: Sally Smith has started discussions with Patrick Bourke but they have not yet approached stakeholders. Open.

13/09/2017, AP 1788: Financial Crime Risk assessment - one product manager to present their area's risk assessment and mitigation plans at each RCC meeting. KG and JM to agree products to cover. Owner: Kevin Gilliland / Jane MacLeod. Due: 18/01/2018. Status: Update at November RCC: Review outputs of product managers' workshop that Financial Crime team are holding next week [w/c 13/11] to determine which products to cover. Open.

13/09/2017, AP 1787b: Future risks - Change risk register should include forward looking risks which may arise over the next 6 months. These risks should be included in a separate section and the IT Tube Map report format should be used. Owner: Jenny Ellwood. Due: 18/01/2017. Status: Updated reporting format in January ARC paper. Open.

20/07/2017, AP 1781: Insurance Distribution Directive - Provide a briefing on the potential training requirements of the IDD in order to consider the future compliance burden against capacity in the branch network. Owner: Jonathan Hill. Due: 18/01/2017. Status: Update at November RCC: Network and Learning team currently looking at this. Will have a year to implement. Update on progress due at January RCC. Open.

09/03/2017, AP 1773: RCC Terms of Reference - to be reviewed and updated based on changes in PO structure. Owner: Jane MacLeod. Due: 13/03/2017. Open.

POL-BSFF-0218823_0009
POL Risk and Compliance Committee
Action List

Status Report as at:

19/10/2016

POL00391936
POL00391936

MEETING DATE JAP REF IACTION Action Owner IDue Date STATUS Open/Closed
IT Security - There will be an ongoing comms Rob Houghton/ I 18/01/2018 (next [Addressed in IT Risk Updates.
programme across the business on the importance of IT IJane Macleod update)
13/09/2017 1790 Isecurity, role of users in enhancing IT security and Closed
reiterating the processes in place regarding return of
unused IT kit.
Regulatory framework - Legal to update and re- Ben Foat 02/11/2017 _IAccountabilities have been assigned as
distribute to GE members the paper covering regulatory requested. A final meeting with each
13/09/2017 1792 Irequirements for their business area. GE member has been held to confirm Closed
that they are happy with our approach.
FSA report on Aging Population & FS - Summarise the Ponathan Hill 18/01/2018 [See January 2018 agenda item 9.1.
08/11/2017 1798 Ihigh level findings of the FSA paper ‘Aging Population and Closed
Financial Services’ and how they apply to POL
20/07/2017 1784 IChange risk - Develop change risk report to focus on [Jenny Ellwood 08/11/2017 I This is introduced in the report for the Closed
benefits realisation January 2018 meeting and risks to
benefits will continue to be reported.
20/07/2017 1783 IPOMS compliance scorecard - Develop POMS Jonathan Hill 08/11/2017 [See January 2018 agenda item 3.1. Closed
compliance scorecard to make it more similar to Bank of
Ireland's scorecard & include some commentary
09/03/2017 1770 IGE accountabilities map - to be refreshed / updated [Jane Macleod I 13/09/2017 Will be an output of the development ofI Closed
based on the new structure following discussions the regulatory framework (see AP1782)
04/05/2017 1776 ICamelot Audit Lessons Learned - Produce a paper on IKevin Gilliland [13/09/2017 Sept Agenda item 7.2 Closed
the lessons learned (what happened, how we found out
about it, potential consequences) for September RCC
04/05/2017 1774 IFraud Reporting - Hold meeting between JM, AC(& [Jane MacLeod/AlI 13/09/2017 Superceded by placemat reporting Closed
NK?) to agree accountabilities for fraud reporting and ICameron/ Nick
data to be reported Kennett
20/07/2017 1787a ICode of Business Standards - Update report and John Whitefoot 13/09/2017 ISept Agenda item 8.4 Closed
circulate for feedback
[Staff training - Training matrix mapping planned Jackie Newton 02/11/2017 Presented in November 2017 Meeting
13/09/2017 1797 Itraining to staff groups to be presented in the next RCC. (Item 5.3) Closed
Procurement compliance reporting - Distribute up to [Barbara asap Done - 15/09/2017 Updated version
13/09/2017 1794 Idate paper to RCC members. Brannon filed in September 2017 papers folder Closed

POL-BSFF-0218823_0010
POL00391936

POL00391936
(Criminal Finances Act - Paper to be presented in next [Ben Foat 02/11/2017 Paper presented by Sally Smith in
13/09/2017 1793 IRCC covering updated guidance on POLs obligations November 2017 Meeting (Item 5.2). Closed
reaardina CFA,
RMG Industrial Action - A note on potential industrial [Kevin Gillland/ I 19/09/2017 _ Included in September CEO's Board
13/09/2017 1791. [action by RMG unions and business continuity Tim Armit report Closed
arrangements in case of this to be included in CEO's
Board report,
20/07/2017 1786 IInterim Gifts and Hospitality report - Committee to [Sally Smith 08/11/2017 Included in Financial Crime paper
review interim gifts and hospitality report demonstrating presented in November 2017 Meeting Closed
the outputs of the new reporting system (Item 3.3)
20/07/2017 1785 IeKYC - Discuss with Sally Smith whether ekYC Martin Edwards 13/09/2017 ISS and ME have discussed. ME to
requirements could be met through the identity proposals provide verbal update if required. Closed
that ME's team is working on
20/07/2017 1782 [Regulatory framework - Discuss regulatory framework [Jane MacLeod 13/09/2017 ISept Agenda item 6.1 Closed
created in response to ARC action at RCC prior to
discussion at September ARC
04/05/2017 1780 IRM IA Planning - Include somebody with experience of [Tim Armit 31/05/2017
the last RM IA in the planning team
Done Closed
04/05/2017 1779 IET ‘Tube map’ - Bring and explain the IT Tube map of [Rob Houghton I20/07/2017 See paper 3.5, July meeting Closed
operational IT risks to the Committee
04/05/2017 1778 IUpdate on Placemat Pilot - Update the Committee on [Deana Herley/ [20/07/2017 Update given in agenda item 4, July Closed
progress of the roll out across Finance and Operations —_Richard Williams meeting
and consider the roll out plan thereafter.
04/05/2017 1777 ITop Risks - Reflect changes discussed and circulate Richard Williams I10/05/2017 Updated and included in May ARC Closed
revised paper prior to ARC submission pack.
04/05/2017 1775 IExecutives Declaration - Reflect changes discussed in IDeana Herley __I10/05/2017 Updated and included in May ARC Closed
meeting in paper and circulate revised paper prior to ARC pack.
submission
09/03/2017 1772 IConflict of Interest - to be confirmed for RCC meetings IAlwen Lyons [05/05/2017 Included in item 1 Welcome, Closed
by forming part of the agenda. Introductions & Conflict of Interests in
May 2017 RCC meeting
(09/03/2017 1771 [Vulnerable customers - policy to be reviewed and Jonathan Hill/ [20/07/2017 See paper 6.1 Closed
updated based on RCC feedback. Martin Kirke
09/03/2017 1769 ha controls Feview - update paper to be presented tot /Rob Houghton [21/03/2017 Submitted to March ARC. Closed
1e ARC.
10/01/2017 1768 IVetting audit - Audit to be finalised and submitted to Johann Appel 23/01/2017 Audit finalised and submitted to Closed
January ARC January ARC.
09/03/2017 1768 IFraud reporting - report to be updated to include past [Sally Smith 05/05/2017 Superceded by action 1774 on Fraud Closed
incidents. Present report at each RCC meeting Reporting

POL-BSFF-0218823_0011
POL00391936

POL00391936
09/03/2017 1767 ITax governance - to be included in the annual Treasury [Amanda Radford ]18/05/2017 Paper setting out context for tax Closed
report to the RCC/ARC governance to go to May ARC. Will be
circulated to RCC members. Tax
strategy paper to follow later in year.
10/01/2017 1766 IRisk reporting format trial- Trial new reporting format [Jane MacLeod/ [05/05/2017 Included in item 4 Risk Update in May Closed
in Supply Chain and provide update to RCC and ARC Russell Hancock 2017 RCC pack
10/01/2017 1765 ITax governance - Paper on approach to tax policy to be [Al Cameron ? Duplicated by AP 1767 Closed
submitted to Committee and to ARC/Board on an annual
basi
03/11/2016 1764 INetwork Conduct Risk Action plan - Committee to Kevin Gilliland / I10/01/2017 IA standing item now Closed
receive update on proaress Nick Kennett
03/11/2016 1763 [AML Training - Committee members to receive list of _ [Sally Smith asap E-mails sent to individuals who have Closed
employees who have not completed AML training not completed training. Next annual
training is due in two months and will
be linked to bonus pavments.
03/11/2016 1762 [AML update - Committee to receive update on progress [James Dingwall I 10/01/2017 _ ISee paper 6.2 in January RCC pack Closed
(MLRO)
03/11/2016 1761 IIT Controls Plan - Committee to receive update on Rob Houghton 10/01/2017 _ISee paper 6.1 in January RCC pack Closed
proaress against plan
03/11/2016 1760 IRisk champions - List of existing risk champions to be IMike Morley- 10/01/2017 Risk champions list refreshed for Closed
circulated to Committee. Members to consider whether [Fletcher business changes.
their business unit risk champion is the best person to
iwerform the role,
03/11/2016 1759 [POMS Risk Appetite - Compare POMS' risk appetite _IMike Morley- 10/01/2017 _ [Completed as part of review of POL Closed
with POL's risk appetite Fletcher Risk Appetite Statements.
03/11/2016 1758 IRisk appetite workshops- Central Risk team to offer Richard WilliamsI 10/01/2017 IWorkshop held on 13 March, Closed
risk appetite workshops for lead teams moderated by Deloitte.
03/11/2016 1757 [Overview of Risk Framework - develop an overview of [Richard WilliamsI 05/05/2017 _ISuperceded by AP 1766 Closed
the risk framework which defines the standard which Post
Office is aiming to achieve and present this to the
Committee at the next meetina
03/11/2016 1756 IPOL incidents in POMS - Determine how incidents Nick Kennett 10/01/2017 POMS send a copy of the POMS Closed
relating to POL are reported by POMS to POL Incident Log to the Central Risk Team
on a weekly basis. However as POL
have set a minimum limit of £50k for
reporting of incidents into RCC it would
be rare for a POMS incident to reach
RCC through this route.
Incidents and Breaches is a standing
item on the agenda for the monthly
POL/POMS Joint Conduct Committee
which any branch incidents are shared
and discussed.
08/09/2016 1755 IWorkers on Boards proposal - Consider the proposal _IJane MacLeod/ 10/01/2017 [See paper 10.1 in January RCC pack. Closed
for workers on boards in the next Horizon scanning Patrick Bourke [To be covered in more detail in March
paper, meeting,

POL-BSFF-0218823_0012
POL00391936

POL00391936
08/09/2016 | 1754 | Reports from Health & Safety Committee - Reports on Property Compliance to go to Health & Safety Committee and RCC to get updates from the Health & Safety Committee | Martin Hopcroft | 09/03/2017 | H&S report made to May RCC | Closed
08/09/2016 | 1753 | Treasury Policy - Nick Kennett to provide comments to Al Cameron. New treasurer to review and update document as necessary and re-present to the Committee. | Nick Kennett/ Al Cameron | 03/11/2016 | Presented to RCC meeting on 3 Nov 2016 (see agenda item 9). | Closed
08/09/2016 | 1752 | Business Impact Assessments - update the Committee on the progress of the Business Impact Assessment plans compared with the position in October 2015 | Tim Armit | 09/03/2017 | BC & CM Update paper to March and May RCCs. | Closed
08/09/2016 | 1751 | GE risk discussion - hold a GE session to discuss the Group Risk Profile before the November ARC meeting | Mike Morley-Fletcher | 09/03/2017 | Roll forward for consideration post Risk Appetite in March including "Risks of the moment"; see AP 1758 | Closed
08/09/2016 | 1750 | Lessons learned exercises - Collate findings from relevant BTA and audit work to date in order for Committee to consider extent to which the business has taken on board such lessons and recommendations | David Hussey/ Jane MacLeod | 03/11/2016 | Included on agenda (items 8.1 & 2 Internal Audit Report & Lessons Learned) of RCC meeting on 3 Nov 2016 | Closed
08/09/2016 | 1749 | Branch premises registration with HMRC - Review and simplify the process for registering branches with HMRC | Kevin Gilliland/ Jane MacLeod/ Sally Smith | 03/11/2016 | | Closed
08/09/2016 | 1748 | Fraud reporting - present a list of frauds at each RCC meeting (output of new Financial Crime Forum) | Angela Van Den Bogerd/ Paul Hemsley/ Jane MacLeod | 09/03/2017 | First report to be provided to March RCC meeting. Superseded by AP 1774 | Closed
08/09/2016 | 1747 | Branches with restrictions issues - Find a solution for the three remaining branches before 28 Sept. | Nick Kennett/ Jane MacLeod/ Kevin Gilliland | 03/11/2016 | Agreement reached on way forward. Plan developed to resolve legacy branch issues and being tracked by Multiples team. Update on progress to be provided at each RCC meeting | Closed
08/09/2016 | 1746 | Cyber security actions - Articulate the actions needed to bring the cyber security risk back within appetite, prepare a plan covering the necessary improvements in people, process and systems, and include these in the paper to be presented to ARC | Julie George/ Rob Houghton | 03/11/2016 | Included on agenda (item 5.2 IT Controls Plan) of RCC meeting on 3 Nov 2016 | Closed
14/07/2016 | 1745 | Risks around MSB clients - Committee requested clarification on the cost of due diligence requirements of providing cash collection services to Money Service Businesses (MSBs) | Jane MacLeod | 08/09/2016 | No longer required as service is being withdrawn | Closed
14/07/2016 | 1744 | Business Continuity and Key Suppliers - Update to ARC to address how business continuity risk is managed by suppliers outside the 'top 10'. | Mike Morley-Fletcher | 08/09/2016 | See agenda item 8 Business Continuity update | Closed

POL-BSFF-0218823_0013

POST OFFICE PAGE 1 OF 5
RISK & COMPLIANCE COMMITTEE

Financial Services Conduct Risk Update

Author: Jonathan Hill Meeting date: 18 January 2018

Executive Summary

Context

1. This paper updates the Committee on current risks and actions in respect of
conduct risk. One of the key risks on the FS Risk register (also reflected in the
Post Office and POMS risk registers) relates to conduct risk. Conduct risk in the
regulated financial services context refers to risks to customers from poor product
design, distribution and selling processes, as well as those risks relating to poor
product fulfilment.

Questions this paper addresses

2. This paper provides an update on the key conduct risks and how they are being
managed.

Conclusions
3. Conduct risk is within risk appetite. The December BoI risk dashboard is showing
16 green, 3 amber and 3 red ratings on its dashboard. For POMS the data reported
in November was 21 green, 1 amber and 2 red.

4. The common themes for the areas of red ratings are mystery shops identifying
that colleagues are not following the approved introductory process and out of date
literature in branches.

Input Sought

5. The R&CC is asked to note these developments.

Strictly Confidential RCC

POL-BSFF-0218823_0014

POST OFFICE PAGE 2 OF 5

The Report

Key risks, governance and management information

6. Conduct risks are measured and reviewed by FS&T Risk together with our Principals
on an on-going basis and management information is provided on the key risk
areas. These are reviewed at the BoI-Post Office Customer and Conduct Risk
Committee (CCRC) and POMS-Post Office Joint Compliance Committee (JCC), which
meet monthly.

7. POMS has produced a revised scorecard and FS&T Risk is supporting the
development of this.

8. Post Office FS&T Risk is working with BoI and POMS to take on and further develop
the dashboards itself as the first line for Conduct Risk.

Current risks and issues
Customer Relationship Managers (CRMs), VMS results and actions

9. VMS monitoring shows that for both insurance and banking products there remain
issues related to some CRMs who are:

. Not using the tablet (leading to the risk that the CRM strays from the compliant
introductory process);

. Not following the required introductory sales process (e.g. not letting the
customer hear the required recorded compliance information when passed on to
the call centre);

. Providing information to a customer that was misleading or incorrect.

10. There are existing controls in place for CRMs which include:

. A Training and Competence Scheme
. Approved sales aids and compliant tablet journeys
. Specific co-ordination and management resource within Agency to work on CRM

development and support

11. We are supporting the network in building an Agency VMS Action plan with a path to
'green'.

12. A co-ordinated plan and approach to support the Network is being developed by
the POL FS&T Risk team together with the BoI Business Controls teams.

13. Counter Mystery Shops

14. Both BoI and PO Risk have recently undertaken counter mystery shops of FS
products. Further analysis is being carried out on the results, in conjunction with
the Network, product and training teams which will be concluded in Q4.

15. What is encouraging from a culture risk perspective is that close to 100% of our
November shopping results confirmed that the mystery shopper was not
pressurised to take out a product ‘there and then’ without giving the shopper
time to read the product literature.

16. However, product knowledge is inconsistent. It appears that much of this is due
to low activity levels in branch.


POL-BSFF-0218823_0015

POST OFFICE PAGE 3 OF 5

17. The latest Financial Services Workbook and test was launched in January 2018
for completion by all network colleagues that engage in Financial Services. This
workbook gives training on how to engage appropriately with customers,
(including how to give information/help and not advice) and this is required to be
completed by all relevant colleagues by 7th February 2018.

18. Out of date product literature in branch

19. Both Principals have identified that there is an increasing amount of ‘out of date’
product literature out in branch or behind the counter available to give to
customers.

20. FS&T Risk have been working with Network and Supply Chain (including the
branch user forum) on solutions. The key actions taken include updated
communications through a new branch focus article with an updated monthly
checklist to enable branches to understand all the FS literature that is current.
This has received good feedback from the network.

21. We are also piloting a new branch checklist for Branch Managers/Postmasters to
use, working with the Network Gateway team at the end of January.

22. Banking Framework Governance.

23. As part of the Banking Framework, we are establishing a Regulation, Security
and Compliance Committee to include representation from Banking Framework
SLT, FS&T Risk, LRG and the Banking partners. The draft TOR for the Committee
(which will sit under the Partnership Committee and alongside the Operations
Group Governance Committee) is to be shared for comment with our Banking
partners.

New regulatory items of note

24. Insurance Distribution Directive

25. This key piece of legislation was expected to come into force in February 2018
although the FCA recently posted on its website that the implementation of these
requirements have been delayed until 1 October 2018. This covers a number of
key requirements including

. new disclosure wording requirements,

. a customer's best interest rule and

. a requirement to demonstrate that those involved in or overseeing insurance
mediation can demonstrate competence and are trained with 15 hours of CPD.

26. This gives the business more time to implement effective solutions although we
will continue to make planned changes that are in progress (such as Travel
Insurance) for February 2018.

27. Further FCA Consultation Papers on Senior Manager and Certification Regime
(SM&CR).

28. The FCA released three Consultation Papers (CPs) in December covering this topic
with implementation still planned for some time later in 2018. In previous papers
the FCA had acknowledged that SM&CR did not apply to ARs, but said it would
bring out a further CP covering ARs. However, in these CPs the FCA states that
there is no additional impact for ARs and those working for ARs. This is because
the FCA has acknowledged the Financial Services Act 2016 does not give it the
powers to do this.


POL-BSFF-0218823_0016

POST OFFICE PAGE 4 OF 5

29. Therefore the responsibility rests with the Principal firm to ensure the activities of
the AR remain compliant. POMS is driving a project to implement these
requirements, supported by FS&T Risk.

30. FCA Mission: Our Future Approach to Consumers paper (issued November 2017)

31. The FCA outlines in this paper its mission in respect of consumers recognising the
changes in technology and the characteristics and changing demographics of
consumers. In all markets the FCA wants to see consumers being able to access
the products they need, for the market to deliver high quality good value products
and services and for there to be financial inclusion. But the FCA recognises that it
does not have the mandate to ensure access to financial services for all (that would
be a role for government) but it will intervene under its public sector equality duty
if it sees discrimination against vulnerable customers.

32. It aims for partnership working with the industry and others to achieve its
objectives recognising that in some areas (such as vulnerable customers) it has
been able to make good progress with industry engagement rather than rules and
regulation.

Regulatory items previously highlighted.

33. FCA Financial Lives Study 2017-issued October 2017

34. Based on nearly 13,000 face-to-face and online interviews, Financial Lives is the
regulator's tracking survey on consumers and finance. The paper can provide some
useful data on our key markets and the challenges that might be raised by the
FCA in the future. This paper has been shared with the Post Office Money team.

35. FCA published findings from the Ageing Population Project-Occasional Paper no 31
issued September 2017

36. See separate report to RCC

37. FCA focus on culture and performance management guidance.

38. This is an ongoing theme in the FCA’s business plan and regulatory approach to
ensure an appropriate customer centric culture is embedded in firms.

39. General Data Protection Regulation

40. The General Data Protection Regulation (GDPR) ushers in an enhanced legal
regime for the collection, processing and storage of personal data from 25 May
2018. A comprehensive risk review and programme is underway in Post Office,
with appropriate training being provided to personnel. The Post Office and BoI
GDPR teams are working together.

41. FCA Strategic Review of Retail Banking

42. Further to the FCA’s review, it is now seeking to improve its understanding of the
state of competition and conduct in retail banking markets at a pivotal time of
change. We await first publication of the information in mid-August 2018.

43. Vulnerable Customers

44. Whilst Post Office already undertakes a lot of work in this area, we are undertaking
a risk assessment to assess whether there are any gaps and scope for
improvement. As part of this work, in November we joined an industry workshop,
sponsored by the FCA, on how to support customers with mental health challenges
through digital channels. We are looking at ways to build such support into the
Customer Hub.


POL-BSFF-0218823_0017

POST OFFICE PAGE 5 OF 5

Jonathan Hill
Head of FS&T Risk & Regulation


POL-BSFF-0218823_0018

BOI Post Office Money branch distribution - December 2017

Risk ratings: November risk ratings and how they compared to October

[Dashboard: for each KRI the scan showed its risk rating and overall performance rating, the counts of green, amber and red rated KRIs, November v October ratings, and performance measured in November against our FACE commitments (Accessible ...). The individual figures are not recoverable from the scan; the KRIs tracked were:]

. Red rated MS shops
. Red rated CRM shops
. Red rated counter shops
. Black rated MS shops
. MS multiple red/black shops
. A or B rated mortgage cases
. D rated mortgage cases
. MS meeting QAT benchmark
. Distribution complaints
. Mis-selling complaints
. Conduct survey results
. Mystery shopper experience
. NPS survey results
. Branch product knowledge
. Branch regulatory knowledge
. Specialist/CRM knowledge
. Branch advertising reviews
. Advertising compliance issues
. Social media compliance issues
. Savings cancellations
. Competent specialists
. Supervisor spans of control
. BOI supervisor reviews

Based on the weighted cumulative outcome of the KRIs we measured in November, the overall risk rating is Amber. This month we were within tolerance for 19 out of the 22 KRIs we measured. 16 of our KRIs were rated green and 3 of our KRIs were rated amber. 3 of our KRIs were rated red. In comparison, in October we exceeded tolerance in 2 of our KRIs and in September we exceeded one of our tolerances. On average, in each month between June and November, we were within tolerance in 20 of the KRIs we measured and exceeded tolerance in 2.

[Chart: Distribution of KRI risk ratings between June 2017 and November 2017 (Jun, Jul, Aug, Sep, Oct, Nov). Annotation: 2 KRIs remained red and one fell to red.]

Exceptions and key trends

MS mystery shops - The volume of MS shops has been low over the last 3 months which has skewed the data. One shop was graded 'red' in November and related to a 'fact find' over the phone, where insufficient detail was requested in relation to the customer's budget. The MS was subsequently de-accredited from completing fact finds over the phone, pending retraining. No other significant or material trends or deficiencies noted.

CRM mystery shops - Savings shops are still resulting in red ratings, with 10 out of 58 (17%) being red rated in the 3 months to the end of November, which is an increase on the previous 2 months. POL continue to look at ways to simplify the sales process in branch. While CRM shops relate to lower-risk introductory activities, remedial actions are being followed up with Post Office and progress will be kept under close oversight for a period. An update on actions was provided by POL at November's C&CRC.

Counter shops - The Red rated KRI relates to counter-staff savings mystery shops completed across the agency and multiple networks by BOI during the quarter ending November 2017. 37 of the 66 shops completed (56%) were rated red. The shops related to introductory conversations and the red ratings were caused by staff making comments or taking actions which could have been deemed as suggesting the suitability of a particular course of action and/or failing to provide a summary box leaflet. The findings from the review have been fed back to POL and we await confirmation of the actions they will be taking in this regard. A separate paper highlighting compliance with the need to provide customers with a Savings Summary Box leaflet was presented to C&CRC in November with further actions resulting from that meeting.

Branch Advertising Reviews - Whilst only one BOI branch review was rated 'red' in November for displaying out-of-date marketing literature and/or not following display instructions, POL continue to investigate what process and control improvements could be made to ensure out-of-date literature is less likely to remain in the public domain across the network, following a series of 'red' rated branches and material financial promotional approval issues during 2017. There were no material financial promotion issues recorded in November.

Legend: Remained green; Remained amber; Remained red; Improved to green; Improved to amber; Fell to amber; Fell to red.

BOI Group classification: Red (Confidential) - distribute only with sender's permission

POL-BSFF-0218823_0019

POST OFFICE PAGE 1 OF 9
AUDIT, RISK & COMPLIANCE COMMITTEE INFORMATION PAPER

Change Risk Update

Author: Jenny Ellwood Sponsor: Angela Van Den Bogerd Meeting date: 18 January 2018 (RCC)

Executive Summary

Context

Following discussions at November’s Audit and Risk Committee (ARC) this report
provides an overview of the change landscape both past and future, the key
challenges facing the Portfolio and the root cause for delays and overspend and what
we are doing to address these.

Questions addressed in this report

. What is the change landscape both past and future and the key learnings?

. What are the key risks that the change portfolio (and its constituent projects/
programmes) are seeking to mitigate?

. What makes the current changes complex?

. What are we doing to address these?

. What are the next steps?

Conclusion

. Post Office has delivered significant change over the last 3 years, largely on
budget and delivering substantial benefits, albeit with some delays and
overspends in individual programmes.

. Post Office continues to manage a significant amount of change through its
Portfolio over the next 3 years with changes to our critical IT systems (front
office and back office); our ways of working as an organisation; how we interact
with our customers and our branch network size and shape. In essence no part
of Post Office is untouched by this change.

. The stability of the old systems running on out of date equipment continues to be
our greatest risk, the key systems are: POLSAP, HR POLSAP and HGNX.

. The change within our portfolio is complex. There are many 3rd parties we are
dependent upon (not only our IT partners but also service partners such as Royal
Mail and Bank of Ireland), testing is significant and any deviations can impact
other change activities significantly as we are managing many cross-dependencies.

. Our current change capability is not mature enough to achieve our strategic
goals; to enable us to successfully deliver change of this magnitude and
complexity, we need a more mature, agile and integrated Change capability.

. At the November GE, Angela Van Den Bogerd presented a series of proposals on
structure, governance, culture and competency elements of Post Office change
management, the successful implementation of which would result in an effective
and efficient Change capability with a commercial organisation's ethos and
approach. This approach was approved.

Input Sought

The ARC are asked to consider the challenges, the root causes for delays and over
spend and most importantly how we plan to strengthen and support our future change
deliverables.

Strictly Confidential

POL-BSFF-0218823_0020

POST OFFICE PAGE 2 OF 9

The Report

What is the change landscape both past and future and key learnings?

1. The Post Office has delivered significant change over the last three years, largely
on budget and delivering substantial benefits, albeit with some delays. Some of
the key deliveries are shown below:

Programme | Objective | Benefits

Network Transformation
Objective: To create a sustainable branch network through the introduction of new and viable operating models, removing government compensation for mains or locals.
Benefits: To 2017/2018 P7: c£37m. Over 7,500 will have been opened by March 18. The Programme continues to downsize with phase 4 staff reduction taking place in March 18; the remaining branch builds will be completed in H1 18/19.

Directly Managed Branches (including WHSmiths contract)
Objective: To develop a network which will break even and create a commercial rate of return.
Benefits: £8m cumulative benefit will be achieved by end of 17/18.

Separation from Royal Mail, including End User Computing (EUC) Admin
Objective: To separate POL and RMG and to replace all hardware for back office users, e.g. mobile phones and laptops.
Benefits: No financial benefits were created as this was a contractual obligation when the Royal Mail was privatised. Unfortunately, due to the complex nature, this Programme significantly overran and overspent. However, it did successfully enable separation from Royal Mail and avoid further penalty costs and interruption of service, and enabled the PO to continue to trade.

Support Services Transformation
Objective: To consolidate 8 service centres into 2, including relocating Branch & Customer contact centres without any loss of service.
Benefits: Annualised savings of c £5m.

Organisational Restructure to reduce costs
Objective: To reorganise the structure to make it leaner and more cost efficient.
Benefits: £13m

Closure of Defined Benefit Pension Scheme to future accrual
Objective: To explore and then potentially close the Post Office Final Salary pension (the DB plan) and replace it with a DC pension, as we could no longer maintain the scheme at this level.
Benefits: Pension contribution rates would have increased from 17% to 70% of salary had we not closed the scheme on 31 March 18.

Supply Chain Transformation
Objective: To create an optimum Supply Chain network delivering sustainability and withdrawing from the external cash management market.
Benefits: £10.4m (an increase of £0.8m)

Simplification
Objective: To simplify key product journeys, applying timing improvements and development cost to generate benefits. Mails journeys P1 complete.
Benefits: For mails journeys Phase 1 - £2.3m in 17/18 (6 months) annualising to £4.6m FY

Hawk
Objective: To acquire and migrate the business and processes currently managed by the Insurance Joint Venture with the BoI into Post Office Management Services (POMS).
Benefits: EBITA over 5 years of £53.5m, PO gross income of £64m and assets of £43.9m

Agreed and Implemented revised Banking Framework
Objective: To provide a standard offering under the Banking Services Agreement and create a Banking framework to grow partner bank income.
Benefits: £20m per annum in additional fixed fees

2. A number of the major programmes within the portfolio remain on track to
deliver within budget and benefit realisation (albeit with significant risk) - Branch
roll out, Network roll out and Horizon Data Centre refresh. Back Office Transition
whilst highlighting a potential reduction in benefits, has met a number of key
targets - completing transformation base state activities within timeline and
making significant progress with Agents Remuneration and Cash Processing.


POL-BSFF-0218823_0021


POST OFFICE PAGE 3 OF 9

3. However, delays and overspend trends within the portfolio do exist. Key
programmes such as Back Office Transition, Success Factors and EUM are seeing
late delivery and overruns. Specific investigations into the reasons for this
include:

. The volume of successive change within the Back Office systems,
compounded by complexity, lack of knowledge, documentation and inter-
dependencies between programmes. Teams have been strengthened within
Back Office Transition, Success Factors and EUM and are now close to
coming to a conclusion, albeit late and over budget. We have also taken
learnings from breaking down transformation into smaller deliverables,
applying shorter approvals in a much more dynamic way

. The change and governance process was sensibly designed but is being
operated too weakly. This has been subject to both internal and external
review and we are now implementing a number of improvements which are
covered from paragraphs 8 to 16.

4. Our analysis has confirmed that our current Change capability is not mature
enough to achieve our strategic goals. Our strength of Project Management on
key deliveries needs to be reviewed and we need to increase our cadre of
permanent Project Directors. A recent review by Deloitte observed a Central
Portfolio team that need to evolve from a team whose focus was data collation,
into a portfolio function that is able to proactively manage the Portfolio of change
and support Project and Programme managers across the business.

5. Other findings from the internal analysis include:

a) a lack of clarity across the eco-systems on how our change initiatives align
to strategic outcomes and the interdependencies they create;

b) insufficient time and resource allocated to the initiation/assess phase - so
costs, activities and time to deliver are inaccurate and increase the risk of
failure from the outset; and,

c) complex change programmes are not phased / structured correctly,
programmes should be broken down into smaller work phases so that
delivery confidence can be gained.

What makes the current changes complex?

6. Key reasons are:

. work involves 3rd parties and any deviance to plan by them can impact the
critical path/milestones of the programme (this is both IT 3rd parties and
service partners such as Royal Mail and Bank of Ireland);

. some change requires significant testing which can lead to unexpected
issues being identified and testing times exceeding original plan. This can
also impact other scheduled change activities;

. new regulation is leading to major change to process and 3rd party
contracts, many involving timescales which are difficult to control;

. change is creating material amendments to ‘as is’ processes, of which in
some areas there is a genuine lack of knowledge and documentation of our
current processes. When work commences on the programme, it identifies
necessary pre-work which was not in plan. Additionally, change may create
significant impact to our key business areas i.e. Retail, Network and other
key business areas and they are not always engaged early enough in the
process;


POL-BSFF-0218823_0022

POST OFFICE PAGE 4 OF 9

. there are also cross-dependencies which need tight management but are
often not managed sufficiently i.e. Transaction Simplification requires
installation of new branch printers and scanners and the timelines of each
programme did not always align

. Managing the delivery of change through our agency network is sometimes
more complex than delivering the change itself.

What are the key risks that the change portfolio (and its constituent projects/
programmes) are seeking to mitigate?

7. The stability of the old systems running on out of date equipment continues to be
our greatest risk. The key systems which the change programmes are looking
to replace are:

. POLSAP - The key system that holds our data and MI and carries risk
around agent pay, cash management, settlement and financial reporting;

. HRSAP - The HR system which manages employee and agent data and
manages key processes such as payroll and expenses; and,

. HGNX - The Branch Horizon system which processes all our customer facing
transactions.

8. The key risks which are being mitigated through change activity are:

Corporate Risk ID | Risk Description | Current Risk Score (I/L) | Change Activity

Risk ID 1 - Replacement of POLSAP
Risk Description: The Post Office has to replace POLSAP or shore it up. POLSAP is an old legacy system which is soon to be out of support (September 2018) and is critical to PO operations.
Current Risk Score (I/L): 5:3
Change Activity: The Back Office Transformation programme is seeking to migrate POLSAP to CFS. This Programme has recently delivered the required Base State requirements and is now working on the key activities to migrate POLSAP to CFS, which is currently planned to make a go / no go decision and migrate in the Summer.

Risk ID 2 - Agents Pay
Risk Description: The Post Office has to deliver agents pay via CFS as this is currently delivered via HR POLSAP, which is being replaced by Success Factors due to the age of the system and it soon being out of support.
Current Risk Score (I/L): [illegible in scan]
Change Activity: [largely illegible in scan; legible fragments:] ... from HR POLSAP ... confirmed in the business case (E3-im vs the original £3.9m).

Risk ID 3 - Replacement of HR POLSAP
Risk Description: The Post Office has to replace the current fragile and outdated HR POLSAP with SuccessFactors for the delivery of payroll.
Current Risk Score (I/L): 4:3
Change Activity: SuccessFactors is planning to commence migration of payroll from HR POLSAP in January 18. This risk is also linked to risk 1 re: POLSAP Process Migration, which is targeting completion within the Summer 2018. This will allow us to de-commission HR POLSAP by Sept 2018.

Risk ID 6 - IT Impacting Ability to Trade
Risk Description: There are a number of Post Office 3rd party suppliers who are supporting critical components within the IT Estate. The components have either reached the end of life or there is no back-up capability and so could cause significant impact to the business if they fail.
Current Risk Score (I/L): 5:3
Change Activity: The Portfolio has a number of infrastructure programmes underway to mitigate this risk such as HDCR, Back Office Transformation and Branch Technology/IT Network rollout. Branch upgrades within network, kit and software are well underway and this work is significantly reducing this risk. Network work is due to complete in March / April 2018 and the majority of the kit software will be rolled out by the end of Summer 2018.

9. Confirmation of the Board approved Programmes are shown in Appendix A.


POL-BSFF-0218823_0023

POST OFFICE PAGE 5 OF 9

What are we doing to address these?

10. The November GE approved a series of proposals on the structure, governance,
culture and competency elements of Post Office Change Management aimed at
delivering an effective and efficient Change capability with a commercial
organisation’s ethos and approach. The key elements of the proposals include
the:

. implementation of a Strategic Portfolio Office (SPO) and appointment of a
Portfolio Office Lead (Tim White) to align strategy with the outcomes and
benefits required from Change initiatives. This will help ensure senior
stakeholders are provided with the timely insight required, within an
integrated governance framework, to make informed decisions. This will
address not only the structure but as importantly the governance, metrics,
culture, tools and data requirements;

. definition of a high-level target operating model with a roadmap that seeks to
rapidly transform the current capability within the next 12 months;

. identification and build of a phased transition plan to implement new model
within this timeline, including new teams where necessary; and,

. identification, implementation and delivery of a series of Quick Wins
including supporting 2018/19 business and budget planning - through the
development of a refined and focused Investment Committee.

11. Estimated initial spend is c. £0.5m to support the implementation of the new
Change operating model.

What are the Next Steps?

12. To optimise our focus we will combine the IT change process and the business
change process into one, sitting in the area of greatest experience with Rob
Houghton and Tim White. Additionally we have recruited a stronger and more
experienced Finance lead who starts on 1 February.

13. An experienced third party will help us shape and implement the new Change
operating model for the level of portfolio maturity we deem appropriate for Post
Office. An example Portfolio Maturity Model has been provided in Appendix B.
Typically there are five stages of maturity. Appendix C details our self-assessment of our current level of maturity as being 1.5 on a scale of 1 to 5, where 1 is “sporadic”, with disorganised processes and a lack of core capabilities and insight leading to sub-optimised delivery performance, and 5 is “optimise”, with strategically aligned investments and advanced portfolio management capabilities.

14. Procurement has completed and work will commence with PA Consulting w/c 8 January 2018. Outcomes of the work with PA will include:

• A set of key artefacts for February’s Investment Committees;

• Guidance and advice on how to conduct and manage an effective Investment Committee;

• A Target Operating Model for Post Office’s Change capabilities (competencies, organisation structure, governance, processes, tooling, metrics etc.); and,

• A transition plan (which will include training and support for all levels of colleagues responsible for change delivery, including agile training; additionally, awareness workshops for standards and working practices will be developed and arranged).

15. A target organisation will also be developed; role profiles and the recruitment process are under development with HR support, and an impact assessment is in progress.

16. Appointment of a core team responsible for transition, and implementation of a communications plan, are in train.

17. Investment requirements for 2018/19 are being collated.

Appendix A: Board Approved Programmes

(Columns of the original table: Programme; Objective; Benefits; Target Completion Date.)

Network Transformation
Objective: To create a sustainable branch network through the introduction of new and viable operating models, removing government compensation for mains or locals.
Benefits: To 2017/2018 P7: c£37m plus transforming over 7,500 NT branches.
Target completion date: Decisions are to be made whether this programme will finalise in 2018 or continue beyond.

Network Shape / Paddington
Objective: This is part of the wider Network strategy and is considering the size and feasibility of the directly managed network. This included delivering a deal with WHSmiths to move some DMBs into mains.
Benefits: £8m cumulative benefit will be achieved by end of 17/18.
Target completion date: April 2018.

Enhanced User Management
Objective: Creating a new user identity management system and new ways of working to provide the necessary controls for those who can access and transact on the Horizon.
Benefits: No financial benefits per se, but allows us to be compliant and to continue to sell FS and Mails services and therefore protects income.
Target completion date: Roll out to 1200 branches by Q1 18.

Customer Hub
Objective: To create a digital customer platform which will facilitate a single Post Office brand and customer experience when customers are online, giving customers a single view of Post Office products.
Benefits: Business case confirms the first NPV to be positive at £0.5m from the launch of the first vertical (covering the entire cost of the horizontal build).
Target completion date: Travel Hub May 18.

Branch Technology (Branch roll out)
Objective: Replace the existing HNGx kit and design, build and implement the new Horizon system for the Branch network (HGNa), a Windows 10 based counter, removing end of life serviceability.
Benefits: Annual savings of £2.5m per annum.
Target completion date: (Tranche 1) complete - Mar 18 / (Tranche 3) complete - Aug 18.

IT Networks
Objective: Replacing the IT Network services. Transition and consolidation from Fujitsu and BT for Branch and Admin Network Services to Verizon.
Benefits: Annual savings of £1.8m per annum.
Target completion date: BT Contract exit - Mar 18; FJ Contract exit - Mar 18.

Back Office Transition & Transformation
Objective: Replace the ageing POLSAP system and move to CFS for the key Finance activities. This also includes improving cash processing and replacing the existing agents remuneration payment processes.
Benefits: Combined annual savings of £3.8m per annum.
Target completion date: POLSAP - Aug 18; Agent Remuneration - Apr 18; Cash Processing - Nov 18.

Network Development (Whitespace)
Objective: To help optimise the shape of the agency network towards that of the most commercially beneficial model - the Local model.
Benefits: To date the Programme has achieved benefits of £0.5m and a further £1.68m is to be delivered in 18/19.
Target completion date: Phase 1: March 18; Phase 2: March 19.

Simplification
Objective: To simplify key product journeys, applying timing improvements and development cost to generate benefits.
Benefits: £11.6m (Transactions P1 - £4.6m, Transactions P2 - £6.5m & Op Simplification - £0.5m).
Target completion date: Trx Simp (Mails P1) - Complete; Trx Simp (Mails P2) - Oct 18; Op Simp (ATM) - Mar/Apr 18.

HNGT Lite (Mercury)
Objective: To develop new Epos Technology in existing POL branches, which will radically reduce IT run costs.
Benefits: £0.5m annualising to £1.2m in steady state.
Target completion date: HNGT Lite Pilot to commence targeting Q1 18/19.

HDCR
Objective: Upgrading of the Data Centre Core Network, server infrastructure and making changes to enable quick transition to the Cloud Platform.
Benefits: NA - this is a service protection programme to maintain compliance and currency of datacentre infrastructure.
Target completion date: Apr 18.

Success Factors
Objective: To replace SAP HR v4.7, which currently operates employee payroll and core HR processes, as the support for this system expires in Apr 18.
Benefits: Annual savings of £3.5m per annum.
Target completion date: Go Live Jan 18; Project Closure Mar 18.

Appendix B: Portfolio Maturity Model
[Figure: Portfolio Maturity model. A chart of "% Investment at Risk" against capability across five maturity levels; the values legible in the extract are 27.4, 18.84, 10.6 and 2.0. Axis labels are not recoverable.]

A level 1 maturity organisation risks wasting £36m of every £100m invested.

Effectiveness: Portfolio Demand Management ensures that organisations invest in strategically aligned change initiatives. Research shows that effective investment decisions can result in up to 20% improvement in returns on investments.

Efficiency: Portfolio Performance Management ensures that organisations deliver change initiatives in scope, on time and within budget. Research shows that efficient delivery capabilities can result in up to 25% improvement in returns on investment.

Level 3 (Proactive), as described in the figure:
• Standard PPPM processes and standards fully adopted with some improvement
• Increasing accuracy in predicting outcomes
• Improved decision making through improved insight
• SharePoint and collaboration tools

[The descriptions of Level 2 and Level 5 are not recoverable from the extracted figure.]
Appendix C: Post Office Portfolio Management

Portfolio Management at the Post Office

With a current maturity level assessed to be ≈ 1.5, Post Office could realise benefits of ≈ 12% by achieving level 3 maturity.

[Figure: maturity level by core process. Core processes shown: Portfolio Strategy, Portfolio Development & Resource Management, Portfolio Performance and Benefits Realisation; sub-processes shown include Develop Portfolio Strategy, Planning, Governance, Stakeholder Engagement & Communications, Management and Financial insight. The maturity level assigned to each process is not recoverable from the extracted text.]
POST OFFICE Page 1 of 26
RISK & COMPLIANCE COMMITTEE

Financial Crime Risk Update
Author: Sally Smith   Sponsor: Jane MacLeod   Meeting date: 18 January 2018

Executive Summary

Context

This paper updates the Risk and Compliance Committee on financial crime risks relating to Anti-Money Laundering (AML), Counter Terrorist Financing (CTF) and Anti-Bribery and Corruption, and includes the Money Laundering Reporting Officer’s (MLRO) annual report on compliance with The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and The Terrorism Act 2000.

Questions this paper addresses

• What are the key AML and CTF risks within Post Office Ltd and are there any significant gaps or weaknesses in the Post Office’s compliance with its regulatory obligations under the Money Laundering Regulations (MLRs)?

• What is the current position with the HMRC Audit and potential penalties?

• Are the minimum control standards in the Post Office’s Anti-Bribery and Corruption Policy being effectively applied?

• Are the minimum control standards in the Post Office’s Whistleblowing Policy being effectively applied?

Conclusion

1. The AML/CTF control framework has improved during 2017, with enhanced
controls and improvement in cultural attitude around the completion of mandatory
training, greater emphasis on risk assessment and clearer minimum control
standards within the AML/CTF and Financial Crime policies. Regular reports have
been provided to the R&CC and ARC throughout 2017, and there is a greater
recognition across the business of the risks and challenges.

2. There are still significant challenges in respect of the size and complexity of the
Post Office network, and the diverse range of products and services provided in
both face to face and digital environments. Whilst a robust approach has been
taken to ensure that all branches have completed their annual training, this is still
a highly manual and labour intensive process. It is also clear that agents and
agent assistants struggle to either complete or understand AML/CTF training, and
in some instances ignore guidance to achieve sales, and more work needs to be
done to improve this aspect.

3. There have been significant improvements to the controls in the Bureau de Change
product, with further enhancements delivered in 2018, but with the high
percentage of payment by cash for these transactions, money laundering risks will
continue to require close monitoring.

4. The increase in business banking deposits with sizeable cash deposits is seeing a
larger number of AML investigations, and a number pursued by HMRC. Whilst the
partner banks are primarily responsible for KYC and transaction monitoring for

their customers, Post Office must develop strong and robust relationships with the
banks, so that we can be assured that our counters are not being used to launder
the proceeds of crime.

5. The competing requirements of maintaining the Network Access Criteria and robustly enforcing Post Office standards continue to create challenges. While there has been an improvement in consequence management, and closer working with the Contracts Management team, this will continue as the new Fit & Proper requirements are applied.

6. Post Office continues to be heavily reliant on manual analysis of data via Excel spreadsheets and is hampered by inadequate data analysis infrastructure, although the new data solution for Bureau de Change will alleviate this, and Project Arrow should see improvements in data across the business.

Controls and reporting relating to ABC and Whistleblowing have improved during
2017, and there are no significant issues (see Appendix B&C). Further updates
will be provided in the March report.

Recommendations for Action

7. Training and awareness for all relevant staff is a key control for Post Office, and all business areas across Post Office need to continue to apply a robust approach in respect of mandatory compliance training; specifically, Learning & Development and Retail need to seek ways to improve training and communications conformance in the agency network.

8. Product managers that attend the risk assessment workshop must complete a product information pack for any existing products and services that have not been subject to documentation as part of the risk assessment work to date, to enable the Financial Crime team to accurately review and update the risk assessment, ensuring inherent risks and the strength of controls are properly documented and assessed. Support will be needed from the Directors of Retail and Financial Services & Telecoms to ensure that this is achieved.

9. Relevant teams across Retail, HR and Finance and Operations will need to support
and deploy a robust approach in respect of non-conformance issues in the Network
and the new requirements of the Fit & Proper regime to be implemented in 2018
to ensure regulatory compliance.

Input Sought

The Committee is asked to note the contents of this paper and the MLRO report, and
endorse and support the recommendations above; to continue to adopt a robust
approach to compliance training, to ensure all products and services are properly
documented and risk assessed and deploy a robust approach to non-conformance
issues to ensure that Post Office meets the regulatory Fit & Proper requirements.

Appendix A

The Annual Report of the Money Laundering Reporting Officer for the Post Office Limited for the period 1st January 2017 - 31st December 2017

Table of Contents

A. Purpose and Scope of Report
B. Background
C. Governance Framework
D. Operation and Effectiveness of the Control Framework
   i. Senior management oversight
   ii. Staff awareness and training
   iii. Risk assessment, policies, controls and procedures
   iv. New products and services
   v. High risk products and services
   vi. Customer due diligence requirements
   vii. Reporting suspicious activity
   viii. Record keeping
   ix. Premises Registration
   x. Fit & Proper tests
E. Incidents and Investigations
F. External Threats/Landscape
   i. Business areas
   ii. The 4th Money Laundering Directive
   iii. The 5th Money Laundering Directive
   iv. The Criminal Finances Act 2017
   v. The Policing and Crime Act 2017
   vi. Joint Money Laundering Intelligence Taskforce
G. Conclusions and Recommendations

Annex A: Product and Service Risk Assessment Summary
Annex B: Report on duties of Nominated Officer - SAR Summary

A. Purpose and Scope of Report

1. The Money Laundering Regulations (MLRs) require that the Money Laundering Reporting Officer (MLRO) produces an annual report to appraise senior management on the effectiveness of key Anti-Money Laundering and Counter Terrorist Financing (AML/CTF) controls, and make appropriate recommendations for improvement in the management of risks and priorities, including resources where appropriate.

2. HMRC is the regulator responsible for supervising Post Office Limited compliance with MLR requirements. Their oversight relates to Post Office Limited Money Service Business (MSB) activity, specifically, the provision of Bureau de Change.

3. The MLRs and the 2017 National Risk Assessment clearly identify a requirement for organisations to adopt a risk-based approach to prevent money laundering and terrorist financing. Risk assessment must be documented and evidence the decisions that senior management have made in the context of the particular risks facing the business.

4. The Post Office Managed Services insurance business is subject to a separate MLRO annual report in September each year.

B. Background

5. Post Office’s business model means that the majority of products and services offered are through third party or white label solutions and joint venture arrangements. Direct regulatory risks are focused on Bureau de Change, although Post Office has contractual regulatory responsibilities for a number of products and services, including MoneyGram, the Partner Banking Framework, Post Office Money products and Gift Cards. The most significant impact of financial crime on Post Office continues to be reputational damage. Negative media attention following an incident of financial crime has potential for consequential devaluation of brand values and possible impact on Government commitment, which is vital to support Post Office. Managing these risks is particularly important in light of the recent terrorist activity in the UK.

6. HMRC met with Post Office on 22nd March 2017 to share the findings of their audit carried out between February and November 2016, which defined a number of breaches of regulatory principles, including the application of customer due diligence measures, ongoing monitoring, the deployment of a risk based approach, record-keeping and training.

7. As previously reported to the R&CC and ARC, the majority of the issues related to Bureau de Change, in particular:

• Levels at which ID is taken and captured

• Inability to capture linked transactions

• Acceptance of €500 notes

• Inability to prevent business transactions and absence of special due diligence procedures to address this; poor practices re customer due diligence, e.g. collecting hotel addresses for overseas customers

• System limitations which do not prevent transactions above thresholds

• “Sales driven culture evidenced at some large agents could override need to adhere to regulatory requirements.”

• Transaction monitoring limited by poor systems, therefore expected checks not being robustly applied

• Post Office relies on FRES for transaction data, but the data feeds are limited

Other concerns related to:

• Frequent changes in Post Office MLRO (6 registered in the previous 6 years)

• No training of non-branch staff prior to 2016

• Sanctions that can be applied to branches that are in breach are limited

• SAR reporting for Bureau de Change is low given the size of the network and number of transactions

8. As a response to the HMRC feedback, a project team and steering committee were established by the Bureau de Change product management team to work on an action plan to address the weaknesses identified, and a number of initiatives have been delivered:

a. Removal of €500 notes

b. Customer data and primary ID captured from £1,000, with two forms of ID from £2,000

c. A number of basket and transaction issues addressed to improve data monitoring

d. Measures to improve quality of data capture at POS

9. Further improvements scheduled for early 2018 include:

• Post Office data warehouse and transaction monitoring solution, removing reliance on FRES for data and enabling activity across the network, regardless of the amount of the transaction, to be analysed

• Real time electronic Know Your Customer (eKYC), Politically Exposed Person (PEPs) and Sanctions checking for all transactions of £2,000 and over

10. The Financial Crime team have continued to meet with HMRC regularly during 2017 to track activity against an agreed action plan, and the AML Steering Group ensures that the HMRC action plan is on track and any changes necessary are implemented.

11. Post Office is awaiting a pre-penalty notice in relation to potential breaches of Regulations 19 (Risk Based Approach) and 20 (Record Keeping) for the Bureau de Change product for the period January 2015 to August 2016. This is expected to be c. £400k. HMRC have advised verbally that they have reduced the amount of the potential penalty by 50% in recognition of Post Office’s collaborative and proactive approach to date.

12. In August 2017, HMRC fined Post Office £796,500 in relation to historic premises registration issues that were corrected in 2016.

13. Risk assessment work commenced in July 2016 and was completed for high risk products and services by September 2017, and this activity has now transitioned to business as usual.

14. The new MLRs came into force on 26 June 2017, and the requirements relating to the Bureau de Change product and Fit & Proper tests for agents, and the impacts for Post Office, are still being worked through (see paras 56-59 below).

C. Governance - those responsible for anti-money laundering systems and controls, and the structure within which they operate

15. As a result of new requirements under the 2017 MLRs, Jane MacLeod was appointed as the officer responsible for overseeing compliance via the AML Steering Group, now renamed the Financial Crime Steering Group, that was established in May 2017.

16. James Dingwall from Thistle Initiatives was appointed as Post Office Limited’s interim Money Laundering Reporting Officer (MLRO) on 30th October 2016. Due to delays in the recruitment of the Director of Risk & Compliance, the Head of Financial Crime, Sally Smith, took over as interim MLRO in September 2017. The MLRO is located in Finsbury Dials, Moorgate, London, where Post Office Group is situated.

17. Two additional roles were recruited into the Financial Crime team in 2017, increasing the resource available to investigate non-conformance activity and undertake risk assessment work.
18. The MLRO is the focal point of all AML/CTF activities and with the assistance of the
Financial Crime team is responsible for assessing and assuring Post Office Limited’s
exposure to financial crime. This responsibility includes setting policies and
standards relating to financial crime, assessing and assuring AML/CTF risks across
Post Office, making decisions regarding the submission of suspicious activity
reports to the National Crime Agency (NCA), liaising with third parties regarding
investigations and ensuring information is appropriately disclosed to clients or third
parties.

19. The MLRO takes ultimate responsibility for the provision of training and awareness
within Post Office, the design and implementation of internal anti-money
laundering systems and procedures, and advising on how to proceed once an
internal report and/or Suspicious Activity Report (SAR) has been made.

20. The role of the Financial Crime team is to ensure that there is adequate MLRO
oversight of AML/CTF investigations, investigate and oversee remediation of non-
conformance by branches or individuals, develop and provide training &
communications, risk assess and assure products and services and review any
other regulatory issues at a granular level. The team also ensures that issues are
escalated to senior management within the business and to the Financial Crime
Steering Group, as appropriate. During 2017 regular reports have been provided
to the Risk & Compliance Committee (R&CC) and the Audit & Risk Committee
(ARC) relating to AML/CTF controls, the outcomes of risk assessment work, HMRC
supervisory activity, changes to legislation and industry issues.

21. Legacy IT systems continue to constrain the ability of the Financial Crime team to
gather accurate data and MI to ensure that the business is able to identify trends
and incidents and comply with its regulatory obligations.

22. Financial crime MI reporting within Post Office is not currently at a sufficiently
granular product level to aid transparency and decision making. This lack of
information and analysis makes it harder to appropriately balance commercial
considerations against regulatory risks. The new data depository for Bureau de
Change and Project Arrow should help address this area.

D. Operation and Effectiveness of Control Framework
i. Senior management oversight

23. See Section C above for summary of governance and oversight.
24. Fit and Proper tests have been performed on all external Board Directors, GE
and the MLRO as required.

ii. Staff awareness and training

25. Provision of staff awareness and training is a key control for Post Office. All
back office and customer facing staff are required to complete annual AML/CTF
training:

• For back office staff this must be completed within 30 days of joining and annually

• For customer facing staff this must be completed before they have access to Horizon and annually

26. Monitoring of training completion levels has improved for back office staff in
2017 due to the enhanced functionality of Success Factors, but remains manual

and labour intensive for customer facing staff. Completion levels of AML/CTF compliance training delivered during 2017/18 are as follows:

• Back Office Training - all staff have completed annual training, and new staff joiners are tracked for completion. Regular reports are provided from Success Factors to HR Directors for them to chase and, where necessary, line managers follow through via performance management with individuals who have not completed training as required.

• Directly Managed and Agency Branch Training - completion of the training delivered in May has been closely monitored by the Branch Standards team, with a series of targeted memo views and c. 3k outbound calls to branches to chase outstanding training completion. 98 branches were written to in October, and on 13th November, 22 branches had their Bureau de Change facility removed from Horizon. Further follow-up activity was actioned for these branches, resulting in a further 12 completing training, with remedy letters being sent to the remainder by contracts managers.

• Supply Chain - annual training was rolled out October-December 2017.

27. The Financial Crime team are undertaking some qualitative analysis of the test
attempts, as data provided by the Branch Standards Team has shown a high
number of postmasters, officers in charge and agent assistants had to take the
test more than 20 times. This coupled with the significant manual reminders
activity by the Branch Support Team continues to be a cause for concern. The
results of the analysis and the issues with agency network completion will be
discussed with the Learning & Development team early 2018, to help improve
the training module and test for May 2018.

28. During 2017, 39 branch and business awareness communications on AML,
Financial Crime and SAR reporting have been delivered, and an AML training
video was designed and delivered in May. This is available to staff via the
Intranet and Grapevine. The annual Training, Awareness and Communication
plan is scheduled to be reviewed and refreshed in January 2018.

iii. Risk assessment, policies, controls and procedures

29. The Group takes its legal and regulatory responsibilities seriously and consequently has[4]:

• Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances where there are significant conflicting imperatives between conformance and commercial practicality

• Averse risk appetite for litigation in relation to high profile cases/issues

• Averse risk appetite for litigation in relation to Financial Services matters

• Averse risk appetite for not complying with law and regulations or deviation from business’ conduct standards for financial crime to occur within any part of the organisation

• Averse risk appetite in relation to unethical behaviour by our staff.

30. The Group acknowledges however that in certain scenarios, even after extensive controls have been implemented, a product or transaction may still sit outside the agreed Risk Appetite. In this situation, a risk exception waiver is required, although no waiver has been sought or granted in respect of AML/CTF controls in 2017.

[4] The Risk appetite was agreed by the Post Office Board in January 2015.

31. As part of the work with Thistle Initiatives since July 2016, a robust risk
assessment methodology has been designed and this has been applied to Post
Office’s directly regulated activity (Bureau de Change and Post Office Managed
Services insurance products) and a number of other high risk products and
services (see Appendix A for details).

32. These risk assessments are now reviewed and updated where there is a change to the product or service, where a significant issue is identified, where an incident occurs, or annually. Training of product managers on risk assessment requirements commenced in November 2017 with an initial cohort of 19, and will continue throughout 2018.

33. Policies relating to Financial Crime overall and AML/CTF specifically, have been
updated during 2017. The new policies were approved at the September 2017
Audit and Risk Committee, and published on the Intranet via a One
Communication in October 2017. They clearly set out the minimum control
standards required and who in the business is responsible for them, and are
subject to annual review. Both first and second line management have
responsibility to ensure that the controls in place work as intended.

34. Processes within the Financial Crime and Fraud Analysis Teams are robust and
up to date, however processes and policies across the business to support these
are less mature and require improvement. In October 2017, a graduate joined
the Financial Crime team to review the application across the business of the
minimum control standards as set out in the policies, and to design a
compliance control framework which will enable effective reporting to R&CC
and ARC of compliance with the policies across the business. This should be
fully operational from early 2018/19.

35. The Financial Crime team review, investigate and report all instances of non-
conformance with AML policies and processes, ensuring corrective action is
taken. During 2017, the team have worked closely with the Contracts
Management team to ensure that non-conformance in the agency network is
dealt with robustly and consistently.

iv. Development of new products

36. All new products and services have to go through the Business Readiness
Assurance approval process. Business Readiness Assurance involves multiple
approval points that evaluate the confidence that the business has in accepting
the change into its operational environment and ensures relevant AML/CTF risk
assessment. The Financial Crime team ensure that all new or amended
products and services have been through the risk assessment process prior to
approval of Business Readiness.

37. There have been no significant products or services launched during 2017 which
have changed the regulatory risk landscape for Post Office.

v. High risk products and services

38. Post Office branch pre-order and on-demand transactions are regulated by
HMRC and represent the highest direct risk for Post Office in terms of AML/CTF
and regulatory compliance.

39. Other products that are high risk include:

• MoneyGram - in response to the changes to requirements for money transmission services from the 2017 MLRs, MoneyGram introduced new identity thresholds and requirements from June 2017 - ID must be provided for all transactions (previously only required from £650), and transactions over £850 need ID to be uploaded to a MoneyGram microsite before the funds are released. As a near real time money transmission service, MoneyGram remains high risk for laundering and scams and there is significant training and awareness activity to help front line staff identify issues.

• Business banking cash deposits — most issues relate to Santander Business Banking and the MLRO has recently engaged with Santander and HMRC Joint Money Laundering Intelligence Taskforce (JMLIT) representatives to review and address the concerns with cash deposits (see paras 79-84 for an update on JMLIT).

• Gift Cards - the provider GVS are responsible for key controls, but due to the anonymous nature of the product, this is often a target for criminal activity, and Post Office sees a high volume of suspicious activity related to this product.

40. All high risk products have been subject to a documented assessment of the inherent risks, control strengths and residual risk (see Annex A).

vi. Customer due diligence

41. Post Office Limited is required to undertake customer due diligence for directly
regulated activity when:

• Establishing a business relationship, or

• Carrying out an occasional transaction with a customer of €15,000 or more, or

• Money laundering or terrorist financing is suspected

42. For Bureau de Change, the following controls are in place:

• Risk assessment and review has confirmed that the service is aimed at and marketed as a retail travel (holiday) money service - i.e. occasional transactions. Additionally, 95% of all transactions are under £1,000, with the average amount being less than £300. The service is cash exchange, not money transmission, and Post Office does not transact high denomination notes. Consequently, the service is assessed as being lower risk.

• Horizon restricts single or multiple transactions in the same basket to £10,000 (well below the €15,000 occasional transaction limit).

• Staff training and Horizon prompts advise that customers should not undertake more than £10,000 in any 90 day period.

• From 30th August 2017, customer details and ID are taken for all transactions of £1,000 and above (for those transactions of £2,000 and above, proof of address is also taken), and these transactions are monitored for non-conformance and multiple transactions. Corrective action is taken as required.

• Staff are trained to decline transactions if they suspect money laundering or terrorist financing.

43. Subject to procurement and IT development, it is anticipated that from early
2018/19, the following will be implemented for Bureau de Change transactions
of £2,000 and above:

• eKYC

• PEPs checks

• Sanctions checks

44. Where there is a match on Sanctions lists, the transaction will be declined in
real time. PEPs matches will be monitored post transaction (this will be on a
rules-based approach determined by the transaction footprint of the customer).

45. For all other products and services, Post Office Limited is not directly
responsible for customer due diligence; however, there may be contractual
obligations where Post Office undertakes some part of customer due diligence
on behalf of the third party client or supplier. For example, where Post Office
acts as agent for MoneyGram, we must comply with their policies and processes
in relation to recording customer data and identification details. As part of
product and service risk assessment work undertaken for these products and
services, the requirement for customer due diligence, PEPs and Sanctions
checks is considered, and where appropriate, work is undertaken with the
product manager to ensure the right controls are in place.

vii. Reporting suspicious activity

46. All SARs are reviewed and, where appropriate, disclosed. This activity, together
with monitoring of Bureau de Change transactions over £1,000, is undertaken
by the Fraud Analysis team in Chesterfield under oversight by the Head of
Financial Crime. The Financial Crime team support more detailed investigations
via liaison with relevant stakeholders. (See Appendix B: Report on duties of
nominated officer for additional information.)

47. A pilot was undertaken in 2016 to report suspicious activity to the 24/7
Grapevine telephone service, rather than submit manual paper SARs. This was
rolled out to all branches in 2017, and 50-60% are now submitted via
Grapevine, reducing time spent on scanning and logging paper SARs, and
calling branches to clarify reports.

48. With the growth of cash deposits for business banking under the Partner
Banking Framework, we have seen more instances of CViT drivers raising SARs
due to the volume of cash they are collecting.

49. Since the implementation of the reduced Bureau de Change customer data
collection limits, SAR reporting as a result of monitoring activity undertaken by
the Fraud Analysis and Financial Crime teams has increased substantially (See
Annex B for details).

50. Where suspicious activity reports received relate to third party clients, the
details are shared with them so that they can conduct an investigation against
their own KYC and transaction records.

viii. Record keeping

51. All record keeping relating to AML/CTF is electronic (all paper SARs and
paperwork are scanned and saved electronically) and filed within a restricted
access AML drive under the control of the Head of Financial Crime.

52. All risk assessments and supporting documents are filed in the AML drive, and
a log is maintained to ensure annual review and sign-off.

53. A new data platform is to be implemented for Bureau de Change from the
beginning of 2018/19 that will include all transactional data (including the
customer and identity data captured for all transactions of £1,000 and above
and card transactions, and pre-order transactions). This will ensure that Post
Office has direct access to all data for a rolling 5 years from the date of the
transactions, plus improved monitoring capabilities. A data dictionary for the
new data platform has been documented as part of the project.

54. The processes and controls relating to branch premises registration are
regularly reviewed and enhanced to ensure that there are no future regulatory
failures with this process.

55. Court Orders - Post Office Financial Crime Team has received 16 Data
Protection Act [DPA] requests for information from Law Enforcement and
regulatory bodies from January 2017 to December 2017. Four of these related
to historic high risk MSB clients within the Supply Chain external cash market.
Of the remaining 7, these were split across Bureau de Change, fraudulent card
transactions and Santander Business Deposits and Post Office Card Account.

ix. Premises Registration

56. HMRC have yet to move Post Office onto the self-service portal, therefore we
continue to rely on spreadsheets produced by the Network Design & Analysis
team each fortnight detailing premises that have gone into long term temporary
closure status, have been amended or are new. Whilst there have been some
issues with timeliness/accuracy during the year, the assurance process applied
by the Financial Crime team has addressed issues and ensured that the
premises registration business rules agreed with HMRC have been adhered to.

57. The Financial Crime team have been working with Project Arrow to identify
automated branch premises change reports, and will be undertaking a pilot of
the new reports from January 2018 which will run in parallel with existing
reporting via the Network Design & Analysis team.

x. Fit & Proper Test Requirements

58. The new MLRs have introduced a new requirement for MSBs regulated by HMRC
to extend the Fit & Proper test to agents. Guidance on implementation is still
being finalised by HMRC, but so far we understand that:

• Post Office must have policies and processes in place to ensure agents, and
those responsible for managing our branches, are fit and proper. This includes
vetting at on-boarding and periodically thereafter, together with ensuring
individuals have the skills and knowledge required to undertake regulated
activity.

• Those captured by the requirements are expected to include:

i. For Directly Managed Branches - The Network and Sales Director, the
Regional Sales Managers and the Area Managers

ii. For Bureau de Change product - The Director of Post Office Money and
the Travel Money Product Director

iii. For Multiple Partners - a director responsible for overseeing the Post
Office activity within the business, plus regional and area sales managers
where these exist

iv. For agency branches - each individual where this is a sole trader or
partnership and where this is a limited company or limited liability
partnership, this will include the directors and any beneficial owners with
more than 25% interest. Historically, we have limited information on
directors and beneficial owners, and there has been an increase in limited
company agents in recent years. It is therefore anticipated that there
will be significant work to identify these individuals and perform any
necessary checks.

• Directly employed individuals will be required to complete a formal Fit and
Proper test via HMRC, the same as the existing arrangements for NEDs, GE
and the MLRO.

• We will have to provide HMRC with details for all existing individuals within
the agency population that meet the criteria early in 2018 and they will
undertake some checks across these individuals (expected to be a minimum
of 11,000 individuals). Going forward, Post Office must maintain accurate
records of individuals for the agency population within scope for Fit and
Proper testing, and HMRC will audit compliance with our policies and
processes from time to time.

59. A working party has been established by HR to define:

• Post Office policies and processes for Fit & Proper testing

• How the data is going to be pulled together for all individuals captured by the
new regulations and sent to HMRC for their initial review, and when they
request this periodically for audit purposes

• If any remedial activity is required for existing individuals

• What on-boarding screening is required and how often this needs to be
renewed

• How directors and any beneficial owners with more than 25% interest will be
identified at agent on-boarding, and any subsequent changes identified

• What skills, knowledge and expertise are needed to carry out the regulated
activity effectively and how this will be achieved at agent recruitment and
ongoing

60. Further meetings are scheduled with HMRC to assess, progress and agree the
approach. MoneyGram compliance team are also seeking advice from HMRC
on the impacts for them as there could be over 11k individuals captured by this
requirement that both Post Office and MoneyGram will need to demonstrate Fit
and Proper testing for. MoneyGram have met with the new MSB lead at HMRC
who has suggested that a joint meeting may be required between the HMRC
Bureau sector lead, Post Office, the HMRC Money Transmission sector lead and
MoneyGram to ensure a workable solution is identified.

61. The existing Fit and Proper test requirements performed by HMRC for GE
members, Non-Executive Directors and the MLRO remain.

Investigations and Incidents

62. All investigations and incidents relating to AML/CTF concerns are logged and
managed by the Financial Crime Team.

63. The table below shows the investigations undertaken in 2016/17 and up to P8
2017/18 and is split out by the high risk products.

[Chart: Investigations by product type - Gift Cards, Bureau, MoneyGram, Banking, Other; 2016/17 vs 2017/18 YTD; y-axis 0-70]

64. There were a total of 152 investigations in 2016/17, and up to P8 2017/18
there have been 74. The drop relates mainly to a reduction in the volume of
MoneyGram investigations, the spike in 2016/17 predominantly relating to
card fraud following the introduction of MoneyGram accepting card payments
late in 2015.

65. Gift card investigations in 2016/17 related to a combination of queries raised
by GVS and a spike in purchases using fraudulent cards. A series of branch
communications via memoview, text and branch focus that were undertaken
seems to have curtailed the issue.

66. In 2016/17 there were 44 Bureau de Change based investigations, with 32 in
the period up to P8 2017/18. The increase in 2017/18 relates to the
increased data available to monitor since the new data capture limits were
introduced at the end of August 2017. In 2016/17 14 new branches had
reduced ID thresholds implemented and were added to the watch list for
monthly manual monitoring. Up to P8 2017/18, 3 new branches had reduced
ID thresholds implemented and were added to the watch list for monthly
manual monitoring.

67. Bureau de Change (volume and value of branch transactions 2016/2017 8.6m
& £2.6bn, and to P8 2017/18 5.4m & £1.4bn).

• P8 YTD 2017/18 there have been 32 Bureau de Change investigations relating
to branch non-conformance, money laundering and confirmed card fraud. As
of December 2017, there are 13 branches on monthly monitoring as a result
of serious non-conformance. The majority of these relate to transaction
splitting (in order to avoid the ID threshold) and branches not conforming to
the regulatory limit of £10k per customer, cumulative over a 90 day period.

• Prior to the new customer ID thresholds being implemented at the end of
August, c. 10 branches a month were being identified as having undertaken
multiple transactions for the same customer that breached the £10k limit.
From September onwards, the number of branches identified has increased
to 20-30 per month.

• Two Post Office agents along with four other individuals were sentenced
recently in relation to money laundering offences committed at Media
Village branch in 2016. The two Post Office agents received five and a half
and six year sentences and automatic deportation for their involvement in
using their Post Office to launder in excess of £1.2 million, by knowingly
accepting fraudulently obtained cards to settle Bureau de Change
transactions. There was no failure in Post Office processes, which were
correctly followed; however, the new monitoring capabilities being introduced in
2018 should assist in detecting unusual patterns of activity going forward.
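The Bureau de Change controls in para 42 and the splitting and £10k-breach findings in para 67 amount to a rule set run over branch transaction data. The Python below is an added example of such monitoring, not Post Office or Horizon code: it flags transactions at or above the £1,000 ID and £2,000 proof-of-address thresholds that lack the mandated data, baskets above the £10,000 Horizon limit, identified customers whose cumulative exchanges exceed £10,000 in any 90-day window (including when split across branches), and clusters of anonymous just-under-threshold transactions at one branch in one day. The thresholds are the report's; the record layout, the 800-999 structuring band, the cluster size of three and the sample transactions are assumptions constructed for the example.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

ID_THRESHOLD = 1_000        # report: customer details and ID taken from 30 Aug 2017
ADDRESS_THRESHOLD = 2_000   # report: proof of address also taken
BASKET_CAP = 10_000         # report: Horizon single-basket limit
PERIOD_CAP = 10_000         # report: per-customer limit in any 90-day period
PERIOD_DAYS = 90
STRUCTURING_FLOOR = 800     # assumed "just under threshold" band: 800-999
STRUCTURING_MIN_COUNT = 3   # assumed cluster size that triggers a finding

@dataclass(frozen=True)
class Txn:
    branch: str
    ts: datetime
    amount: int                # whole pounds
    customer_id: str | None    # only known when ID was captured at the counter
    id_captured: bool
    address_captured: bool

@dataclass(frozen=True)
class Finding:
    rule: str
    branch: str
    detail: str

def at_day(day: int, hour: int = 10) -> datetime:
    # Timestamp `day` days after an arbitrary start date, for the constructed data.
    return datetime(2017, 9, 1, hour) + timedelta(days=day)

def check_non_conformance(txns: list[Txn]) -> list[Finding]:
    """Per-transaction rules: Horizon basket cap and mandatory data capture."""
    out = []
    for t in txns:
        when = f"{t.amount} on {t.ts:%Y-%m-%d}"
        if t.amount > BASKET_CAP:
            out.append(Finding("basket_cap", t.branch, f"{when} exceeds the {BASKET_CAP} basket limit"))
        if t.amount >= ID_THRESHOLD and not t.id_captured:
            out.append(Finding("missing_id", t.branch, f"{when} without ID"))
        if t.amount >= ADDRESS_THRESHOLD and not t.address_captured:
            out.append(Finding("missing_address", t.branch, f"{when} without proof of address"))
    return out

def check_period_cap(txns: list[Txn]) -> list[Finding]:
    """Identified customers whose total exceeds PERIOD_CAP in any PERIOD_DAYS window.
    Sliding window per customer, so splitting across visits or branches does not hide the total."""
    by_customer: dict[str, list[Txn]] = defaultdict(list)
    for t in txns:
        if t.customer_id is not None:
            by_customer[t.customer_id].append(t)
    window, out = timedelta(days=PERIOD_DAYS), []
    for cust, items in by_customer.items():
        items.sort(key=lambda t: t.ts)
        worst = running = j = 0
        for start in items:
            while j < len(items) and items[j].ts - start.ts < window:
                running += items[j].amount
                j += 1
            worst = max(worst, running)     # total of the window opening at `start`
            running -= start.amount
        if worst > PERIOD_CAP:
            branches = ",".join(sorted({t.branch for t in items}))
            out.append(Finding("period_cap", branches,
                               f"customer {cust} exchanged {worst} within {PERIOD_DAYS} days"))
    return out

def check_structuring(txns: list[Txn]) -> list[Finding]:
    """Clusters of anonymous just-under-threshold transactions at one branch in one day.
    Below ID_THRESHOLD there is no customer identifier, so only the branch-level pattern is visible."""
    clusters: dict[tuple[str, str], list[int]] = defaultdict(list)
    for t in txns:
        if t.customer_id is None and STRUCTURING_FLOOR <= t.amount < ID_THRESHOLD:
            clusters[(t.branch, f"{t.ts:%Y-%m-%d}")].append(t.amount)
    return [Finding("structuring", branch, f"{len(amts)} anonymous txns {amts} on {day}, total {sum(amts)}")
            for (branch, day), amts in sorted(clusters.items())
            if len(amts) >= STRUCTURING_MIN_COUNT]

def monitor(txns: list[Txn]) -> dict[str, list[Finding]]:
    """Run all rules and group findings by branch for the monthly watch list."""
    grouped: dict[str, list[Finding]] = defaultdict(list)
    for f in check_non_conformance(txns) + check_period_cap(txns) + check_structuring(txns):
        grouped[f.branch].append(f)
    return dict(grouped)

SAMPLE = [  # constructed records, not real branch data
    Txn("A", at_day(0), 4_000, "cust-1", True, True),
    Txn("A", at_day(30), 5_000, "cust-1", True, True),
    Txn("B", at_day(59), 3_000, "cust-1", True, True),   # 12,000 in 90 days, split across branches
    Txn("B", at_day(3), 1_500, None, False, False),      # above ID threshold, no ID taken
    Txn("B", at_day(4), 2_500, "cust-2", True, False),   # ID taken, proof of address not
    Txn("C", at_day(7, 9), 950, None, False, False),
    Txn("C", at_day(7, 11), 980, None, False, False),
    Txn("C", at_day(7, 16), 900, None, False, False),    # three splits to stay under 1,000
    Txn("D", at_day(8), 12_000, "cust-3", True, True),   # Horizon should have refused this basket
]
```

Running `monitor(SAMPLE)` groups findings by branch: B for the two data-capture failures, A,B for the customer who split £12,000 across two branches inside 90 days, C for the three anonymous sub-threshold splits in one day, and D for a basket that the Horizon limit should have blocked (the kind of reference-data gap seen with card-settled deposits in para 69). The structuring rule is deliberately branch-centred: once a customer stays under the ID threshold there is nothing to join transactions on, which is why monthly monitoring ends up as a branch watch list rather than a customer one.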

68. MoneyGram (volume and value 16/17: send transactions 3.3m & £832m,
receive transactions 363k & £117m. Volume and value to P9 17/18: send
transactions 2.3m & £528m, receive transactions 280k & £83m).

• During 2017 there was a spike in SARs from the network reporting that
vulnerable customers were sending money to Nigeria and Ghana who had
fallen victim to ‘romance scams’. In addition, a new trend was identified for
customers sending money to Lebanon. This was escalated to MoneyGram
through our fortnightly SAR update.

• Vulnerable customers falling victim to ‘TalkTalk’ or ‘Microsoft’ scams has
continued. Instances are reported via branch SARs, calls to Grapevine and
from notification received directly from the card issuers. 80% of MoneyGram
investigations relate to customers who are victims of scams.

69. Business Banking Cash Deposits - 2017/18 to P8, there have been multiple
incidents of individuals depositing large volumes of cash over Post Office
counters, mostly in relation to Santander Business Banking. SARs have been
raised by branches, cash centre staff and area sales managers due to their
suspicions. Some examples of these include:

• In May 2017, a significant spike in high value card fraud over our counters
was identified within the East London area (2 branches, c£45k). It was
identified that the suspect had been using fraudulently obtained cards to
deposit funds into a personal Santander bank account. Concerns were raised
as the suspect was using card payments to settle cash deposits, which the
Banking Product Team confirmed should not be possible. The majority of
cards were issued by NatWest bank and fraudulently obtained through either
lost or stolen means. As both branches were owned by the same postmaster,
a visit was conducted by the Security Operations Team to the office where
the majority of fraud occurred. Information from our investigation and the
branch visit was shared with Santander and the Post Office Banking Product
Team. In response to this fraud, the ability to settle cash deposit by card
from the Horizon reference data table was removed on 27/06/17.

• Three businesses deposited large cash amounts across nine separate
branches. This was escalated to Santander, who confirmed that the nature of
the deposits were not in line with their expectations. Over the last 12 months
the individuals involved have deposited £10.2 million (£8 million of which has
been deposited over our counters). All SARs have been shared with
Santander and disclosed to the NCA. Due to the level of the deposits, West
Yorkshire Police arrested a number of individuals, including a postmaster in
relation to money laundering offences (circumventing processes for cash
deposits, by breaking transactions down to smaller amounts to avoid
detection) and Contracts Managers are dealing with termination of the
contract.

• In light of the extension of small business banking deposits under the Partner
Banking Framework agreement, it is expected that there will be further issues
identified with large value cash deposits.

70. One4All Gift Cards (GVS) - In October 2017, GVS reported that a branch had
been reloading the same Gift Card for a customer. Following a call with GVS,
they advised that there were no system controls to stop customers topping
up existing gift cards. This information was escalated to the product team and
an action plan was implemented to address the issue.

71. From May 2017 the Financial Crime Team began receiving monthly reports from
the Agency Remuneration Team which included high performing branches for
gift card sales. One branch was investigated due to a spike in gift card sales,
size of the branch and being situated in a historically high risk area for gift card
fraud. A 90 day transactional report from the branch identified £58,000 of
£200-£400 gift card sales. The gift card numbers were referred to GVS who
confirmed the cards were being converted to Amazon gift codes. Members of
the Financial Crime Team conducted an unannounced visit to the branch and
spoke to the Officer in Charge who advised the sales were for a Nigerian who
had said he was a council worker who gave the cards out as gifts to his clients.
The branch had not thought this was suspicious, they were given education and
remain on the watch list.

72. Bill Payments - In October 2017, a SAR from a Directly Managed Branch was
received relating to 167 ‘Bill Payment’ transactions all for £500 each (totalling
£83.5k) processed from mid-September, reportedly by the same individual, via
Self Service Kiosk (SSK). Each of the transactions was for Prepay Tech Ltd and
related to one Prepay Tech account, which had been settled using three
different payment cards. The existence of account services within the Bill
Payments product suite was not documented, nor had it been risk assessed.
Subsequently, further suspicious activity was identified using other cards and
branches via SSKs. The contract with PrePay Tech Ltd was out of date, the
services that they offered were not properly understood, and the controls that they
have in place to monitor frequent or high value deposits appear to be
ineffective. The product was removed from SSKs and the impacted accounts
closed by PrePay Tech Ltd. The service is still under investigation and
assessment by the product manager and the Financial Crime Team.

F. External Threats/Landscape
i. Business areas

73. There have been no significant changes to the Post Office regulatory landscape
during 2017; however, we have received formal notification from HMRC that
Bill Payments and Payout services are not deemed to be regulated activity, and
the Bill Payments category has been removed from HMRC premises
registrations.

ii. Fourth Anti Money Laundering Directive

74. The Money Laundering, Terrorist Financing and Transfer of Funds (Information
on the Payer) Regulations 2017 came into force on Monday 26th June 2017
and have been reflected in the new AML/CTF policy approved in September
2017. HMRC have published some interim guidance for MSBs in relation to the
new legislation and the new Fit & Proper test requirements, but further clarity
is still being provided:

• In relation to the Bureau de Change service, the HMRC MSB Guidelines
suggest that copies of paper primary and secondary ID documentation for
customer due diligence need to be retained during the relationship (i.e. where
customer due diligence has been performed) and for 5 years after a
relationship has terminated. This is contrary to the guidance from the JMLSG,
which specifically states that “Firms may choose to use electronic/digital
identity checks where this is possible, either on their own or in conjunction
with documentary evidence”. Post Office wrote formally to HMRC to challenge
this position and we have received written confirmation that eKYC suffices.
They do, however, expect that there is some form of independent validation
that the customer at the counter is the owner of the credentials verified by
the eKYC provider, and a solution is still being sought with the product team
and HMRC.

• See paras 58-61 re. the new requirements of the Fit & Proper test. Post
Office have until the date of our next annual registration (1st June 2018) to
comply with these new requirements.

• Any penalty levied in relation to the new regulations will be published without
delay and remain on the HMRC website for 5 years. Penalties in relation to
breaches arising under the previous regulations would be captured by the
prior regulations and therefore not made public.

• The definition of PEPs has been widened to include domestic PEPs. This
expanded definition will include UK MPs, and Bureau de Change activity within
the Houses of Parliament branches will need to be specifically monitored.

• Post Office will need to ensure that all relevant risk assessments, policies and
processes are fully documented and kept up to date. These policies, controls
and procedures must include risk management practices, internal controls,
customer due diligence and the monitoring and management of compliance
with these, and HMRC may periodically ask for documentary evidence.

• The new regulations required the UK to update the National Risk Assessment,
which was published at the end of October 2017. This has been reviewed, and the
main impact for Post Office is that the MSB sector has been re-assessed
from medium risk to high risk. Although this is predominantly driven by the money
transmission sector, it will need to be reflected in the re-assessment
of the Bureau de Change product. There was also emphasis on lower value
cash transactions being used to disguise the activity of organised criminal
gangs.

iii. Fifth Anti Money Laundering Directive

75. The Fifth Money Laundering Directive was announced on 30th November 2016
and its principal aims appear to be tackling the finance of terrorism. On 20th
December 2017, EU ambassadors confirmed that agreement had been reached
between the European Parliament and the Council regarding the latest
amendments. These now need to be endorsed by the European Parliament and
Council and they will then need to be transposed into national legislation within
18 months (it is not clear at this stage if Brexit will impact this). The amended
Directive requires:

• Limiting the use of anonymous prepaid cards - anonymous eMoney payments
can only be made to a maximum transaction limit of €150 in store or €50
online.

• Virtual currencies, tax related services and works of art - AML and CTF rules
will apply to these sectors.

• Beneficial ownership - improved transparency and public access to registers
of beneficial ownership of corporate and other legal entities including trusts
is to be granted on the basis of legitimate interest.

• Centralised bank account registers - account registers or retrieval systems
to identify holders of bank and payment accounts.

• Enhanced powers for Financial Intelligence Units - more access to bank and
payment information.

• Enhanced cooperation between financial supervisory authorities in light of the
Panama Papers.

The Financial Crime team have asked for a meeting with GVS to discuss their
assessment of the impacts for GiftCards.

iv. Criminal Finances Act

76. The Act came into force in September 2017, and a working group was
established by Legal with support from the Financial Crime team to ensure that
a documented risk assessment was produced and measures put in place to
establish a defence for Post Office. The primary risk relates to the criminal
facilitation of criminal tax evasion by a Post Office ‘associated person’, although
this is currently deemed to be low risk.

77. The working group have examined the reasonableness of procedures and
controls relating to postmasters, contractors, employees and suppliers, and
actions have been taken to address any areas of weakness.

78. The financial crime risk assessments in relation to products and services have
been reviewed to ensure that the risks of facilitating criminal tax evasion have
been covered. Existing SAR submission is highlighting potential tax evasion
and Post Office already supports a number of HMRC investigations.

79. The risk assessment will be subject to annual review and monitoring by the
Financial Crime Team.

v. The Policing and Crime Act 2017

80. The Act came into force in April 2017, making changes to sentencing,
enforcement and implementation of sanctions violations. The new civil powers
introduced monetary penalties up to £1m, or 50% of the estimated value of
the funds or resources; both increasing the penalties and lowering the burden
of proof. Currently, a new bill is in progress at the House of Lords regarding
Sanctions and AML - it will ensure that the UK can impose, update and lift
sanctions when we leave the European Union.

vi. Joint Money Laundering Intelligence Taskforce (JMLIT)

81. Post Office continues to participate in an information sharing agreement with
the National Crime Agency. The Head of Financial Crime regularly attends JMLIT
meetings as a means of ensuring market intelligence and horizon scanning of
issues relevant to Post Office activity can be considered on a proactive basis.

82. In addition, all members of JMLIT are expected to analyse their internal
information against the search criteria set out in requests sent by the NCA to
identify, and at Post Office’s discretion, disclose, relevant information to the
NCA. The NCA will then analyse, and if appropriate, disseminate to relevant
parties via information requests or NCA alerts.

83. The terrorist attacks in the UK in 2017 saw financial investigations being co-
ordinated via the JMLIT members, and c.15 requests for information were
responded to by members (including Post Office) in the hours after each event,
which collectively resulted in c.70 positive responses (some from Post Office).
These have assisted law enforcement to piece together the events that led up
to these attacks.

84. Prior to these attacks, the main terrorist finance red flags were to help identify
funding activity for overseas terror groups, funding the outward or inward
journeys of terrorist fighters, and the funding and activities of groups that
preach or incite racial hatred. c.40% of terrorist funding comes from low
level criminality, basic fraud and robbery. Overseas terror group funding is
frequently linked to charities, whose donors believe that the funds are being
used for humanitarian purposes.

85. It is anticipated that going forward, security services will require the financial
services industry to be able to do more to review ‘pattern of life’ activity, and
focus more on domestic activity. In the 2017 attacks transactions were small,
money was obtained and used quickly, often in cash or through other
instruments like prepaid cards and gift cards. The transactions are also
consistent with normal activity — hiring vehicles, booking hotel rooms, buying
kitchen equipment (knives) from supermarkets. The NCA have also advised
that monitoring activity will be more about named individuals, and there is an
expectation that there will need to be some regulatory or legislative changes
to facilitate this.

86. From a Post Office perspective, risk assessment and financial crime work
continues to focus activity on the products and services deemed to be high risk
or anonymous.

G. Conclusions and Recommendations

87. With the size and complexity of the Post Office Network, one of the key
AML/CTF controls for Post Office is robust training and awareness for all
relevant staff. In 2017 there has been an improvement in terms of corporate
culture towards regulatory training and monitoring completion, although there
continue to be significant challenges in the agency Network. Post Office needs
to continue to apply a robust approach in respect of mandatory compliance
training and seek ways to improve training and communications content and
access for the agency network.

88. The responsibility for robust and effective training and awareness across Post
Office falls across several areas of accountability, namely:

• The MLRO has ultimate responsibility for content

• Learning and Development have responsibility for effective delivery of content

• Line Managers and HR Directors have responsibility for ensuring that all
directly employed staff complete mandatory training as per the AML/CTF Policy

• Finance and Operations have responsibility for ensuring that agents and agent
assistants complete mandatory training as per the AML/CTF Policy

Additionally, Retail and Financial Service and Telecoms have responsibility to
support and promote effective training and awareness across product managers
and sales teams.

89. Since 2016, the strength of controls and residual risk across a number of
products and services have been properly understood and documented for the
first time. Undertaking this assessment retrospectively has been costly and
time consuming, due to a number of factors, including lack of documentation
relating to product and service features and target audiences, coupled with
loss of corporate knowledge as previous product managers have left the
business, and missing or incomplete contracts. These issues are illustrated by
the Bill Payments incident in para 72 above.

90. There has also been an historic lack of assessment or understanding of the
regulatory or legislative environments which impact these products and
services, resulting in a number of the risk assessments undertaken requiring
Legal review and opinion.

91. The risk assessment methodology used has been built into a replacement
product and service risk assessment tool for product managers which is due to
be delivered by the end of financial year 2017/18. Product managers will be
required to document a detailed product information pack, to inform the
process.

92. At the end of 2017, a risk assessment workshop was designed for product
managers and those individuals who lead and direct sales within the Network
to ensure that the existence of inherent risks is understood for all products and
services, together with the importance of documenting the customer and
transaction lifecycle, and assessing whether Post Office or a third party (client
or supplier) is responsible for any aspects of regulatory requirements or
controls. As part of the risk assessment work to September 2017, eight detailed
product information packs have been completed and signed off. For the product
managers that attended the 2017 workshop and for the Partner Banking
Framework, draft product information packs are expected to be completed early
2018.

93. Product managers that attend the workshop must complete a product
information pack for any existing products and services that have not been
subject to documentation as part of the risk assessment work, to enable the
Financial Crime team to accurately review and update the risk assessment.
Timely completion will need the support of the Directors of Retail and Financial
Services & Telecoms.

94. The workshop content will be enhanced during 2018, and a programme of
workshops delivered to the remaining product managers and those responsible
for leading and directing sales. This should ensure that all products and
services are properly documented and understood, and adequately risk
assessed as business as usual.

95. The requirements of the new Fit & Proper regime for agents, once fully
understood, will require a documented policy and robust decision making
process to be adopted by the whole business to ensure consistency of approach.

Annex A: Product and Service Risk Assessment

From July 2016 to September 2017, the Financial Crime Team undertook a review and
assessment of 48 products and services across Post Office with Thistle Initiatives. Of
these 48, 40 had a residual risk score that was rated as ‘red’. Nine high risk products
and services were identified and a further comprehensive risk assessment was
undertaken:

• Bureau de Change
• Drop and Go
• MoneyGram
• Gift Cards
• Travel Money Card
• International Payments
• Postal Orders
• Bill Payments
• The POMS insurance products.

The control strengths and residual risk scores for these products and services were
reviewed and assessed and, apart from Bureau de Change, no material risks were
identified. Each has been signed off by the product managers and the AML Steering
Group and logged and filed (with all accompanying documentation and assessment
rationale) by the Financial Crime team. Further re-assessments will now be undertaken
when:

• There is a product/service change, or
• There is an issue highlighted by monitoring or an incident, or
• Annually

For Bureau de Change the current residual risk rating is 5.74 (‘amber’ rated); to be
within the Board’s risk appetite this should be 1 or less, but this will be re-assessed
once the further enhancements have been delivered in 2018, and it is not anticipated
that any material risks will remain.

Of the products and services not considered high risk, the following approach was
adopted:

• Residual risk was calculated in October 2016 by Thistle Initiatives, based on the
initial work that they undertook, and the documents that were supplied by various
product managers.

• In October 2017, the control strengths and residual risks were reviewed in line with
business changes and controls identified from the high risk re-assessments
completed during 2017, and it was assessed that there were no high risk products
and services remaining that required remediation work - there are no ‘red rated’
residual risks remaining.

• 6 are ‘amber’ rated, but as product managers go through the risk assessment
workshops, and complete and submit a detailed product information pack to the
Financial Crime Team, it is anticipated that the risk assessment will improve further.
If it is considered that material risks remain, these will be managed via the risk
acceptance process.

Due to recent incidents (described in the report above), Gift Cards and Bill Payment
Services are currently being reviewed and re-assessed.


Annex B: Report on duties of Nominated Officer

Suspicious Activity Reports (SARs) summary

A total of 3,263 SARs were received from the Network in 2016/17, compared to 2,525
in 2015/16. For P8 YTD 2017/18, 2,033 SARs have been received. On average, c.270
SARs were received per month in 2016/17 and c.255 per month up to P8 YTD 2017/18.

The volumes of SARs reduced from c.340 per month up to June 2017 to c.200 per
month in July, August and September. This downward trend is linked to the decrease
in volumes of SARs submitted in relation to MoneyGram and potential vulnerable
customers following changes to the MoneyGram ID requirements in July. We suspect
that branches are relying on physical identification and no longer thinking about the
circumstances of the transaction and whether they are suspicious or otherwise, as prior
to the new limits we were receiving 200-300 SARs per month relating to MoneyGram and
this has reduced to c.130. Further analysis is being conducted both internally and with
the MoneyGram Compliance team to understand why this is, with a view to sending out
branch communications and reminders in January 2018.

Bureau de Change SAR numbers have risen since implementation of the reduced Bureau
threshold at the end of August, with a significant increase by December. Prior to the new
Bureau de Change ID thresholds being introduced at the end of August, the maximum number
of SARs per month raised for the product was 50, with on average c.30 per month.
This rose to 65 in October, 79 in November and 92 in December. This has been driven
by the increased identification of suspicious activity via transaction monitoring and
investigations, resulting in a higher number of SARs being reported by the Financial
Crime and Fraud Analysis teams, rather than reporting by the Network.

At the end of 2016, a trial was commenced whereby selected branches could call
Grapevine with SARs rather than complete a paper form. This was to reduce the number
of completion errors, reduce the number of outbound calls to branches to collect full
information/clarify reports and to reduce time spent scanning and logging SARs. With
the success of the trial, the process was rolled out to the whole Network in February
2017.

All non-disclosed SARs and a sample of disclosed SARs are checked by the Head of
Financial Crime each month.

The graph below demonstrates that the number of SARs received in 2016/17 was
greater than in the previous two years. This is due to the introduction of the new
Grapevine SAR reporting process and increased training and communications to the
network.


[Chart: Total SARs Received, by financial year (2014/2015, 2015/2016, 2016/2017, 17 YTD), split into MoneyGram, Bureau, Banking and Other; y-axis 0 to 3000.]

In October 2015, Post Office started to accept card payments for MoneyGram and this
resulted in an increase in suspicious and fraudulent activity and vulnerable customers
falling victim to scams.

The following graph shows the volume of SARs disclosed to the National Crime Agency
(NCA). 3,057 SARs (93.67%) were disclosed to the National Crime Agency (NCA) in
2016/17, in comparison to 2,263 SARs (89.62%) in 2015/16. Additional training has
been received from NCA, who have also given specific feedback to the team responsible
for disclosing SARs, so the overall growth in disclosure rates does not represent a more
defensive approach to reporting.

[Chart: SARs Disclosed, by financial year (2014/2015, 2015/2016, 2016/2017), showing Disclosed and Non Disclosed; y-axis 1000 to 3500.]


Appendix B

Anti-Bribery and Corruption Compliance


The new Gifts and Hospitality reporting tool was launched in August 2017, and the
volume and value of reports received and centrally logged has improved as a result.
The first two quarterly reports have been provided to GE members for their
respective areas and are summarised below:

Q2 2017/18 summary:

Business Team | Gifts Volume | Gifts Value | Hospitality Volume | Hospitality Value | Total Volume | Total Value
--- | --- | --- | --- | --- | --- | ---
Communications, Brand and Corporate Affairs | 0 | £0.00 | 0 | £0.00 | 0 | £0.00
Finance and Operations | 2 | £140 | 3 | £370 | 5 | £510
Financial Services and Telecoms | 0 | £0.00 | 11 | £876 | 11 | £876
HR | 0 | £0.00 | [not legible in scan] | Unknown | 2 | £0
IT | 0 | £0.00 | [not legible in scan] | £10 | 1 | £10
Legal, Risk and Governance (inc CoSec) | 0 | £0.00 | 21 | £6,525 | 21 | £6,525
Retail | 0 | £0.00 | 6 | £565 | 6 | £565
Strategy | 0 | £0.00 | 0 | £0.00 | 0 | £0.00

Q3 2017/18 summary:

Business Team | Gifts Volume | Gifts Value | Hospitality Volume | Hospitality Value | Total Volume | Total Value
--- | --- | --- | --- | --- | --- | ---
Communication, Brand & Corporate Affairs | 0 | £0.00 | 1 | £1,100.00 | 1 | £1,100.00
Finance and Operations | 2 | £54.00 | 10 | £2,862.00 | 12 | £2,916.00
Financial Services | 2 | £80.00 | 18 | £2,907.07 | 20 | £2,987.07
HR | 0 | £0.00 | 6 | £625.00 | 6 | £625.00
IT | 0 | £0.00 | 1 | £240.00 | 1 | £240.00
Legal, Risk and Governance (inc CoSec) | 1 | £10.00 | 16 | £2,803.00 | 17 | £2,813.00
Retail | 3 | £430.00 | [not legible in scan] | £625.00 | 8 | £1,055.00
Strategy | 0 | £0.00 | [not legible in scan] | £100.00 | 1 | £100.00

As a result of some repeat errors across Q2 and Q3 relating to the use of the
reporting tool, acceptance of cash or cash equivalents and logging and approval of
all gifts and hospitality before acceptance, a communication was sent to GE members
with the Q3 reports in January 2018 with the request that they cascade to their
teams.


ABC training was delivered for completion on 2nd October 2017, and as at December
2017 completion rates were c.96%. Line Managers and HR Directors receive regular
reports of those who have not completed training, for escalation and intervention.

During 2017, there have been 11 communications delivered via e-mail and One to
relevant audiences to raise awareness of reporting requirements.


Appendix C

Whistleblowing Update

1. A review of the effectiveness of controls relating to Whistleblowing has been
undertaken during December 2017.

2. This has resulted in a number of improvements being implemented:

• The Whistleblowing Log has been reviewed and updated. To improve the audit
trail, all documentation relating to investigations has been saved into folders
labelled with the reference number from the Whistleblowing Log.

• A communications plan is being drafted to outline various methods to promote
the Whistleblowing service to improve take-up.

• Access to the Speak Up Line has been granted to key members of the Financial
Crime team to ensure that the online portal is accessed regularly to review,
update and close reports.

• Access to the Whistleblowing mailbox has been granted to key members of the
Financial Crime team to ensure that e-mails received are dealt with in a timely manner.

• The Speak Up Line contract was signed in 2013 with an initial term of 3 years,
then renewable every 2 years. The contract is next due for renewal in April
2018 and will be reviewed to see if renegotiation is appropriate.

There have been 30 cases since 2013 (some of which relate to bullying and harassment
and a high proportion relate to matters between agents and their employees):

Report Channel | Volume
--- | ---
Direct Whistleblower | 6
ECT | 1
Grapevine | 7
Other | 2
Speak Up Line | 14
Total | 30

The following tables show the volume of reports received in 2017 and closed in 2017.
There is a greater number of cases closed than received; this is due to some historic
reports not being closed off on the log and/or the Speak Up Line.

Month | Received 2017 | Closed in 2017
--- | --- | ---
Jan | 0 | 0
Feb | 0 | 0
Mar | 0 | 0
Apr | 1 | 0
May | 4 | 0
Jun | 2 | 2
Jul | 1 | 2
Aug | 2 | 0
Sep | 1 | 1
Oct | 2 | 2
Nov | 3 | 0
Dec | 3 | 13
Total | 19 | 26

POST OFFICE PAGE 1 OF 13
RISK & COMPLIANCE COMMITTEE INFORMATION PAPER

IT Risk Update

Author: Rebecca Barker Sponsor: Rob Houghton / Catherine Hamilton Meeting date: 18th January 2018

Executive Summary

Context

This report provides updates on the IT Risk landscape within Post Office and the key
projects within the IT risk area, and details the remediation activities for the risks
identified as outside our risk tolerance.

Questions addressed in this report

1) What is the current IT Risk Landscape?

2) What is the existing progress of the remediation activities planned for the risks
outside of the Risk Tolerance?

3) What are our key activities for continuous improvement within IT Risk
Management?

Conclusion

We remain outside our risk appetite in key operational areas. However, Infrastructure
related change programmes focused on reducing these risks over time are in flight.

The migration of Credence/MDM in December was successful, delivering increased
service availability for users; and this key milestone will enable us to progress with
the migration of POLSAP as we now have improved blade frame availability.

Security Transformation programmes continue to reduce the risk of cyberattacks and
security breaches. The Operational Command Centre will enable real-time monitoring
of critical applications. We have signed the SOC contract with Verizon to implement
the Security Operations Centre and are in implementation.

An IT Risk Transformation programme has been established to improve our capability
maturity. This includes improvements in risk awareness, IT Risk reporting, and
supplier risk management. The IT Controls’ Framework implementation to improve
control across the IT landscape is in self-assessment phase and on target to finish by
end of F17/18.

Input Sought

The RCC is requested to note the progress made, and provide feedback on the report.

Strictly Confidential


The Report

What is the current IT Risk Landscape?

1. At the end of December 2017 there were 47 open risks being managed within IT;
each risk contains a risk response, and these responses include 98 secondary risks
that also require a response to mitigate the overall risk. We have 7 risks which
remain outside our risk tolerance; these are detailed within the 3rd question
addressed in this report (point 3; also refer to Appendix 1 for the high level tube
map).

2. The number of risks outside tolerance is reducing over time, and IT are running
key programmes which will mitigate our overall risk and bring us within risk
appetite. These include:

• Horizon Data Centre Refresh (HDCR): The HDCR Programme is moving
applications off very old infrastructure onto new; this also provides
resilience to POLSAP by freeing up spare blades in the event there is a
failure and spares are required. We are actively testing all the Banking and
Payment services interfaces for the Banking and Payment services
migration in Q1 2018. All business critical migrations will be completed by
Q1 2018.

• SOC (Security Operations Centre): the contract with Verizon was signed at
the beginning of 2018 and we moved immediately into implementation.
Firewall Assurance will be the first live service at the beginning of February
2018, addressing a number of the key Deloitte report requirements.

• DDoS (Distributed Denial of Service attacks): We experienced a number of
DDoS attacks towards the end of 2017. This resulted in a review of the
website security architecture and controls, and a number of changes were
implemented enabling us to manage these attacks. This has resulted in
attacks having zero impact and they have died off completely. We
continue to be vigilant and ready to respond.

• BYOD (Bring Your Own Device): Our mobile management service to
protect data on corporate and personal devices is now live and in
production. We are migrating more users on to the solution, with the
mobile risk being closed at the end of February. We are designing the
wider BYOD for non-corporate laptop access which will be live late
February, enabling full rollout in March with the closure of uncontrolled
access to Office 365 at the end of March 2018.

• Horizon Counter Refresh: Branch counter transition stretch target for exit
of HNGX is Jun-18 (commercial deadline is 31/3/19). We are working with
Computacenter (and other partners) to agree a plan to accelerate delivery to
meet this target. The Programme has had to select new counter IT as the
current model being rolled out went end-of-sale in May-17. The new model is
an all-in-one and has been selected to support HNGT as well as HNGA. The
programme depends on the postmaster’s goodwill to allow the branch to close
for transition work to be done. The postmaster is not compensated for
loss of business while this happens, and the programme is concerned that
it may become harder to book appointments to do the work going forward
(since Transaction Simplification).

• Disaster Recovery Framework: Our governance position is improved as we
have now established monthly IT Service Continuity reviews, which are
providing increased visibility of the DR position across our main suppliers.
Planning for 2018 DR testing is well progressed. The DR Framework is
populated and over the next 6 to 8 weeks we will need to focus on the
Recovery Point Objectives where applicable, Recovery Time Objectives and
business impact assessment from the IT Service Leads.

• Cyber Security Vulnerability: A recent discovery by a number of sources has
highlighted significant vulnerabilities in computer processor chips. The
vulnerabilities are known as Meltdown (affecting Intel processors) and
Spectre (affecting AMD and Arm processors). They are exploitable only
through the use of very specific Malware and require specialist knowledge
of how the computer is utilised in its processing of information. These chips
are found in almost all computers, so this vulnerability has a wide potential
impact scope. There are currently no known threat actors exploiting the
vulnerability; however, due to the severity of exposure that could result from
a breach, protecting against the threat is paramount, and we are doing this
by implementing fixes as they become available. We have strong boundary
controls which limit the exposure of this threat within our estate. Our main
area of concern is in our End User Computer estate, where the plan is to
patch and update our malware solutions as and when patches and updates
become available. We continue to work with our IT partners, we remain
vigilant, and will continue to be protected by carrying out regular patch
updates.

How are the remediation activities progressing for the risks
outside tolerance?

3. The risks below are currently sitting outside risk tolerance, with the potential to
significantly impact service availability, compliance and regulatory requirements:
• Branch Network Refresh
• HRSAP
• POLSAP
• MDM / Credence
• Horizon Datacentre failover
• GDPR
• PCI Compliance

4. Branch Network Refresh: As part of the IT Networks project (transitioning the
Branch Network management from Fujitsu to Verizon), there is a risk that some
Branch sites will not have replacement primary circuits delivered by the 15th
January. This is due to access difficulties, postmaster or landlord rejection of a
satellite dish installation, and/or the replacement solution not being identified
and delivered in time (with no interim solution possible).


Risk Title: Branch Network Refresh

Risk: Failure to ensure that all branches are transitioned from ISDN
Primary/Secondary circuits by the 15th January, may lead to service
disruption within the Post Office branches, resulting in service loss,
financial loss and reputational damage.

Mitigation Plan (due date):
1. ISDN Eradication to be complete by 15/01/18 as latest ISDN cessation date
agreed with Fujitsu & Vodafone (15/01/18)
2. Fujitsu Contract exit (31/03/2018)
3. EAM’s aware of the “at risk” sites and assisting on specific sites (Ongoing)
4. Scheduling on Network changes brought in house (Ongoing)
5. Weekly briefing to POL to ensure all actions identified and in place to
progress at pace (Ongoing)
6. Flexibility in deployment process (Ongoing)
7. Complete re-check of ISDN primary sites remaining for ability to replace
with preferred connectivity solution (In flight)

Current RAG / Target RAG: [not legible in scan]

HRSAP: Employee functions have been moved off HR SAP to SuccessFactors
(starting Jan 8th, first payroll end of Jan). Agent Remuneration is planned to
move to CFS in Feb, and is currently in pre-prod parallel run. With these two
functions removed, the HR SAP risk is entirely closed.

Risk Title: HRSAP Legacy Systems

Risk: Failure to ensure all components are fully supported by the
appropriate levels of adequate technology, hardware, whilst
programme activities are in progress, may lead to a loss of
service within Supply Chain and Finance Teams, resulting in
service unavailability, financial loss, reputational damage and
Security Vulnerabilities.

Mitigation Plan (due date):
1. End of Life HRSAP Version 4.7 Support (In progress)
2. SuccessFactors Implementation (Complete)
3. Agents Pay (01/02/2018)
4. DXC Contract Exit (31/03/2018)

POLSAP: POLSAP Services will be migrated by June 2018; this has slipped from
the original programme plan of migration by February 2018. The extension of
support services is currently being reviewed with Fujitsu. Extra hardware blades
have been purchased to mitigate risks. Further movement of POLSAP dates will
cause the Fujitsu Datacentre Failover test to be moved (currently planned August
Bank holiday weekend).

Risk Title: POLSAP Legacy Systems

Risk: Failure to ensure all components are fully supported by the
appropriate levels of adequate technology, hardware, whilst
programme activities are in progress, may lead to a loss of
service within Supply Chain and Finance Teams, resulting in
service unavailability, financial loss, reputational damage and
Security Vulnerabilities.

Mitigation Plan (due date):
1. POLSAP Processes migrated to core finance (June 2018)
2. Cash Processes migration to Belfast (27/01/2018)
3. Core hosting Contract (Ongoing)
4. IPSEC Tunnel Failover - Exploring MSEG options with Verizon (Ongoing)
5. Application Upgrade (Withdrawn)
6. Hardware Upgrade (Withdrawn)
7. Network Upgrade to core Network (In progress)
8. SAP Application Support (Review)
9. Bladeframes - additional failover blades (Complete)
10. Reviewing the purchase of 2 additional blades for additional contingency (In progress)

Current RAG / Target RAG: [not legible in scan]

7. MDM/Credence: The Credence/MDM upgrade and migration was successfully
completed in December 2017. Further work continues on Batch remediation
activities and MI tidy up.

Risk Title: MDM / Credence Performance

Risk: Failure to ensure all components are fully supported by the
appropriate levels of adequate technology, hardware, whilst
programme activities are in progress, may lead to a loss of
service within Supply Chain and Finance Teams, resulting in
service unavailability, financial loss, reputational damage and
Security Vulnerabilities.

Mitigation Plan (due date):
1. EMC Storage Array (Complete)
2. Batch Remediation Kalido (In Progress)
3. Batch Remediation ETL Stage (In Progress)
4. Batch Job Documentation (In progress)
5. Credence UAT testing (Complete)
6. Off-Shoring (To start in Feb)
7. EMC Storage Array (Complete)

Current RAG / Target RAG: [not legible in scan]

8. Horizon Datacentre Failover Test: The full Fujitsu DR test for the May Bank
Holiday 2018 will be postponed to August Bank Holiday 2018. This is due to the
dependency with POLSAP migration now being forecast as June 2018. Changes to
the date have been communicated to key Stakeholders and Suppliers.

Risk Title: Horizon Datacentre Failover Test

Risk: Failure by Post Office IT to ensure that a full Disaster recovery test is
carried out on a regular basis in line with contractual agreements,
may lead to being unable to restore primary servers and
services not being restored in a real outage, resulting in financial
losses, reputational damage, and prolonged service interruption.

Mitigation Plan (due date):
1. Ensure that component testing that does not impact the delivery of
POLSAP or Horizon Datacentre refresh continues as planned; this is
supported by the DR Framework (In-flight)
2. Planning in place to support the Full Datacentre refresh taking place in
August (Meeting scheduled Feb 2018)

Current RAG / Target RAG: [not legible in scan]


9. GDPR: A GDPR programme is in flight, supported by the IT Team, and they provide a
comprehensive GDPR update to the RCC.

Risk Title: GDPR

Risk: Failure by POL IT to communicate the expectations of GDPR to projects and
programmes may lead to products and services being prevented or being delayed
from launching, resulting in delays to operational activity, financial loss and
reputational damage.

Mitigation Plan: To be updated by the GDPR team in a separate paper to RCC.

10. PCI Compliance: Engagement is ongoing between the IT Security Team, IPA, IT
Risk Management and Vendor Management.

Risk Title: PCI Compliance

Risk: Failure by Post Office to ensure operational activities, IT
infrastructure/security and related services are PCI DSS compliant may cause
challenges during external audit, require significant remediation activities and
attract unbudgeted costs. This may result in a failure to obtain the required
certification, breach our agreed banking framework and may lead to a
legal/regulatory breach, financial loss and reputational damage.

Mitigation Plan: To be updated by the IPA team in a separate paper to RCC.

Current RAG / Target RAG: [not legible in scan]

What are our key activities for continuous improvement within
IT Risk Management?

11. The IT Risk team endeavours to improve the IT Risk framework and processes
within Post Office; we are progressing the following initiatives:

• IT Controls Framework (ITCF): This project aims to implement the COBIT
Framework. This two-phased (Tranches) implementation covers 11
COBIT v5 processes in Tranche 1. After completing design of the
controls’ framework, we have now initiated controlled self-assessments
using the TrAction tool. Key highlights: User Acceptance Testing is complete,
all RACMs are uploaded in TrAction, and follow-up sessions with users are
planned. The testing phase is in progress, to complete by end F17/18. During
the testing phase, where possible, we continue to mature ITCF. Once the
controlled self-assessment of Tranche 1 processes is complete, design of
another set of processes shall be initiated as part of Tranche 2.

• IT Risk Transformation: to improve IT Risk maturity, framework, policies
and processes we have initiated the IT Risk Improvement Programme,
which focuses on the following 8 areas:

- IT Risk Strategy: ensuring alignment with the Organisational
Goals. Increase Sr. Management engagement, awareness and
sponsorship. Establish ‘As-Is’ and ‘To-Be’ state (Use CMMI model
for Process maturity measurement). Mature IT Risk awareness
across the IT function.

- Risk Framework: Continue implementation of COBIT framework.
Initiate internal assessments. Establish KGI (Key Goal Indicators)
and KPI (Key Performance Indicators) and focus on sustained
improvement.

- IT Risk Reporting: improve risk dashboards to meet internal and
external reporting requirements. Mature interaction with Non-IT
Risk Management Forums at PO. Where possible, automate data
collection, measurement and reporting.

- IT Compliance: Improve alignment between the IT risk function and
IT Compliance requirements. Oversee audit points remediation.

- Projects & Programmes: Mature IT Risk Processes in the ‘Change’
function. Introduce Risk criteria in the Change management process.

- Risks in Ops: Mature IT Risk Processes in the ‘Run’ function. Mature
the interface between ‘Change’ & ‘Run’ risks.

- Supplier Risk Management: Improve Supplier Risk engagement.

- Supporting Functions: Improve alignment with BCP/DR and Incident
Management.

• Disaster Recovery (DR) Framework: Development of the DR
Framework, providing a current view of Recovery Time Objectives,
agreed test plans and alignment to the critical services, will be
complete by the 31st March 2018.

Next Steps

• Completion of forward schedule of Disaster Recovery plan with attention
required from Accenture Back office, Verizon, Digidentity; this has been
requested by Friday the 19th January.

• Review DR Framework with Mick Mitchell and agree action plan to address
feedback from Mails services; the RTO and RPO meeting is scheduled for 23rd
January 2018.

• Agree and publish the IT DR Policy and Framework with business users by
Financial year end.

• The Risk and control matrices which support the ITCF have now been uploaded
into TrAction and training is in progress with control owners.


Appendix 1: Risk Tube Map
* updated 1st December 2017

The following diagrams represent various projects and programmes in place to mitigate IT Strategy Risks.


[Diagram: Legacy Systems tube map (POLSAP, HRSAP, Credence, MDM, BT/DXC). Labels recoverable from the scan: “Migration from POLSAP”; “POLSAP Hosting extended to the end of June”; “Fujitsu Mitigation on Application and Hardware”; “POLSAP connectivity transitioned to new core network”; “Decision to extend DXC Contract”; “Agent remuneration migration”; “Decommissioned 2018”; “DXC Contract expiry/possibly extend 3 months”; “Implementation of Successfactors”; “Credence Migration - Monitoring - Hosting Ceases with Fujitsu”; “45 day notice to cease hosting can be made as and when service is migrated”; “MDM Migration - Monitoring - Hosting Ceases with Fujitsu”; “Decision to extend BT/DXC Contract”; “BT Casemanagement - DXC Contract expires 31/03/2018”; “Service Migration”; “Small Apps migration”.]


[Diagram: Branch Network and Branch Counter tube map. Labels recoverable from the scan: “Decision to exit or extend contract”; “On-track for migration from Fujitsu BNS to Verizon”; “Fujitsu Branch Contract services end 31/03/2018”; “Vodafone ISDN cease 30th November”; “9 branches at risk of not being able to trade”; “Plan released for Thin Client”; “Thin Client Deployment run through to 2019”; “4275 branches have been successfully deployed to date”; “Stretch target for exit of HNGX is Jun-18”; “commercial deadline is 31/3/19”; “agree plan to accelerate delivery”; “Release of circa 3249 counter refresh”; “Branch Counter”.]


[Diagram: PCI Compliance and GDPR tube map. Labels recoverable from the scan: “Ongoing review of audit findings”; “PCIDSS Audit finalised”; “PCI Compliance”; “Operational Risk: Loss Of Sensitive Data”; “GDPR IT Security Consultant engagement”; “Risk Assessment for go live date”; “New GDPR regulations go live”; “IT Engagement”; “Data Discovery Exercise”.]


[Diagram: IT Availability and DR Framework tube map, timeline Sep to Nov. Labels recoverable from the scan: “Planned DR test May Spring BH”; “Dependency on POLSAP could result in a slippage to August BH”; “5800 lines transferred from BT to Verizon”; “BT Contract exit”; “Services from BT to Verizon transitioned”; “Solution received from Fujitsu”; “IT Avail”; “SHA 1 certificate expires”; “Next steps to be agreed”; “DR Framework in place”; “Monthly reviews in place”; “Alignment to BIA”; “Forward plan 2018”; “DR Framework”.]


[Diagram: Horizon Datacentre Refresh (HDCR) and Pivot to Cloud tube map. Labels recoverable from the scan: “Branch Access layer migrated ahead of change freeze”; “Extend programme to March 2018 to accommodate BAU change freeze and other programmes”; “Datacentre refresh HDCR”; “High Level Architecture - Plan, approach and service transition”; “Operational Risk: Horizon Platform Failure”; “Pivot to Cloud complete 2020”; “Pivot to Cloud”.]

POST OFFICE PAGE 1 OF 9
RISK AND COMPLIANCE COMMITTEE ADVISORY PAPER

Financial Reporting Controls

Author: Danielle Goddard Sponsors: Michael Passmore, Al Cameron Date: 18 January 2018

Executive Summary

Context

The purpose of this paper is to update the RCC on the status of the Financial Reporting
Controls Framework (the FRC), the most recent control self-assessment results
(November 2017), current areas of focus, and the progress made on the second phase
of the project.

Questions addressed in this report

1. What is the current status of the FRC?

2. What testing is being performed over the FRC?

3. What is the status of the additional scope of the FRC?

4. What other controls changes are being implemented?

5. What controls work is being performed over Back Office Transformation (‘BOT’)?

6. What actions are being taken in response to the control points raised in EY’s
FY16/17 audit report?

7. What additional work is planned for FY17/18 year end?

Conclusions

Current status of the FRC
The existing framework of 303 controls continues to be self-assessed on a monthly
basis within the TrAction online self-assessment tool and results are being monitored.

Of the 303 controls at end November 2017, 211 (70%) were issued for self-
assessment. 202 (96% of those issued for self-assessment) were operating
effectively. Of the remaining 9 controls, 4 were not performed due to a resource issue
which is being resolved, 2 related to the change in the Fixed Assets control
environment which is under review, and 3 related to a quality issue (this has since
been resolved through training and is being monitored).

Of the 92 controls not issued for self-assessment at the end of November, 78 were
not due to be operated in the period. The remaining 14 controls were in remediation,
with workaround controls in place or remediation in progress.

Work is in progress to address the comments raised by PwC in their testing over
spreadsheet controls. This was 76% complete at the date of this paper, and is
expected to be fully complete by end January 2018.


Testing performed

Monthly sample testing of self-assessed controls is now being performed within the
FRC team. A total of 186 controls have been tested to date; the results will be
presented once the testing has been reviewed. A number of exceptions were identified
but no significant issues have been noted.

Additional scope of the FRC

3 out of 14 Masterdata processes have been added to the self-assessment process,
and 2 further processes will be live for the January self-assessment. The 9 remaining
processes are expected to be complete by end May 2018.

16 key controls over the FSC Transaction Correction process were introduced in the
November self-assessment, and 8 further controls are due to go live in January. 2
control gaps have been raised, for which remediation plans are in place. The controls
documented to date focus on the management of open items, review of aged items,
and managing of queries in line with SLAs. A further piece of work is planned to
commence in February which will analyse the balance sheet accounts relevant to FSC,
and ensure that the appropriate in-depth reconciliations and controls are in place.

Other controls changes and improvements

A number of new controls will be introduced to the framework in January, as a result
of the Success Factors go live. Documentation and review of some areas remains in
progress but is expected to be completed by end January.

Interim controls are in operation over POLSAP journals and work is being performed
as part of Back Office Transformation (‘BOT’) to ensure that stronger automated
controls are in place once POLSAP processes migrate into CFS.

Cash count controls are being formalised and a cash count will be performed at
Belfast cash centre as part of the BOT POLSAP to CWC transition for Belfast in January
2018, and at all cash centres prior to FY17/18 year end.

An action tracker has been circulated to agreed action owners in response to the
control points raised by EY as part of their FY16/17 report, and weekly progress
meetings are taking place to ensure completion of all required remediation or process
improvements by the deadlines detailed in Appendix 2 of this paper.

Input Sought

The RCC is asked to note the progress made and comment on the priorities.


The Report

1. What is the current status of the FRC?

1.1 The FRC is being self-assessed by control owners on a monthly basis, with
monthly results being monitored by the FRC Manager. The table below
summarises compliance in November 2017.

November 2017

Total controls                                          303
Less: controls in remediation                           (14)
Less: controls not due to be operated (frequency)       (78)
Total population for self-assessment                    211   (70% of total)
Self-assessed and operated effectively                  202   (96% of population)
Self-assessed but not operated effectively                9   (4% of population)
No self-assessment submitted                              0   (0% of population)

1.2 The number of controls in the framework continues to expand for changes and
improvements in processes, and the additional scope covered by the project.
Total controls have increased by 43 (less 3 removed duplicate controls) since
the last update to RCC; 16 of these relate to the Transaction Correction
process, and the remaining 27 relate to user access management controls,
governance over the controls framework, balance sheet sample reviews,
accrued expenditure reviews, and other new controls across various processes.

1.3 Of the 303 controls at end November 2017, 211 (70%) were issued for self-
assessment. 202 (96% of those issued for self-assessment) were operating
effectively. Of the remaining 9 controls, 4 were not performed due to a
resource issue which is being resolved, 2 related to the change in the Fixed
Assets control environment which is under review, and 3 related to a quality
issue (this has since been resolved through training and is being monitored).

1.4 Of the 92 controls not issued for self-assessment at the end of November, 78
were not due to be operated in the period. The remaining 14 controls were in
remediation.

1.5 Since the last update to RCC, 2 control gaps have been closed and 2 new control
gaps have been raised. The 2 closed gaps relate to audit of third party data
used for billing, and segregation of payroll roles (closed after the November
results). The 2 new control gaps relate to the FSC Transaction Correction
process; remediation plans are in place. Remediation of outstanding control
gaps is expected to be complete by the financial year end, except where reliant
on the June 2018 BOT implementation.

1.6 PwC performed testing to rate the controls over Financial Spreadsheets and
identified 20 spreadsheets as requiring some improvement (as per the results
reported to RCC and ARC in 2017). PwC's improvement recommendations
related to the implementation of a summary control sheet, separation of inputs
and outputs, and password protection. These are being applied across the
whole population of critical spreadsheets; at the date of this paper this was
76% complete and will be fully complete by end January 2018.

2. What testing is being performed over the FRC?

2.1 Discussions are being held regarding what additional PwC testing should be
performed to test new controls and re-test existing key controls.

2.2 A permanent Balance Sheet and Controls Analyst has joined the FRC team and is
performing controls testing on a monthly basis. A total of 186 controls have
been tested to date; the results will be presented once the testing has been
reviewed. A number of exceptions were identified but no significant issues have
been noted.

2.3 As part of external audit, EY were provided with a list of key controls from the
framework. EY selected 33 controls to walkthrough, and are in the process of
testing those which they can rely on for audit purposes.

3. What is the status of the additional scope of the FRC?

3.1 The scope of the FRC was extended to cover: Masterdata, Finance Service Centre
(‘FSC’) processes, Agents’ Debt, Agents’ Remuneration, Cash Management and
Forecasting, and POMS.

3.2 5 Masterdata processes have now been completed. Vendor, Customer and GL
Masterdata controls are in TrAction being self-assessed on a monthly basis.
Payroll and Employee controls are due to be loaded into TrAction for the
January self-assessment. The remaining Masterdata processes to be covered
are: Product, Branch, Fixed Assets, Project Accounting, Settlement, Tax,
Treasury, Bank & Cash, and Stock. These processes are expected to be
complete by end May 2018.

3.3 Work is in progress over FSC controls. 16 key controls relating to the Transaction
Correction process were introduced in the November self-assessment, covering
all live products. 8 further controls are due to go live in January. 2 control gaps
have been raised, for which remediation plans are in place. The controls
documented relate to ageing analysis of open item matching accounts, ageing
review of outstanding queries in line with SLAs, weekly monitoring and
escalation of workload and other concerns, and review and authorisation of
refund requests.

3.4 An additional piece of work is planned to analyse FSC balance sheet accounts
and map the related processes and controls. This review will commence in
February 2018; a new resource has been recruited to perform this review and
to complete the mapping of FSC risks and controls.


4. What other controls changes are being implemented?

4.1 The interim authorisation control continues to operate over POLSAP journals. A
monthly 10% sample check is performed; no exceptions were noted for
December 2017. Work is being performed to develop an automated control as
part of BOT (refer to section 5 of this paper).

4.2 A control has been introduced to the framework for a bi-annual full cash count at
all cash centres. It has been agreed that counts will take place at the BOT
cutover date (Belfast in January 2018, and all other cash centres in June 2018),
and prior to FY17/18 year end. A standard count policy and template has been
documented and is currently being reviewed. A Finance representative will
attend at least one location for each count (excluding Belfast due to expected
low value of cash holding).

4.3 Work is in progress over Fixed Asset controls. A review of AUC is currently being
performed to ensure that no live projects remain in AUC. This is 73% complete;
results will be summarised upon completion. Going forwards this review will be
on a quarterly basis. The business case form has been updated to include an
indicative project go live date to enable a more proactive solution to ensuring
assets transfer out of AUC at the correct date. Further work is being performed
to design appropriate controls over additions, disposals and physical verification
prior to year end.

4.4 The ‘go live’ of the new HR system Success Factors has led to a change in, and
additional, Payroll controls. The medium risk gap around payroll segregation of
roles (access to run payroll and change bank details), for which a monthly
detective workaround control was in place, has been addressed in the new
system. The user access controls, IT controls, Masterdata controls, and other
key controls under Success Factors have been documented; these are still
being finalised as a number of items still require review. We expect to introduce
new controls into the framework for the January self-assessment; this is
subject to finalisation but currently includes 26 Payroll and Employee
Masterdata controls, 21 key IT controls, and 6 other new controls.

5. What controls work is being performed over Back Office
Transformation (‘BOT’)?

5.1 A BOT controls analyst joined the FRC team in November 2017 and is working with
the BOT team to ensure an appropriate control environment is in place over all
process changes and migrated processes. BPDs and control matrices are being
produced for each process and are being reviewed by the relevant business
owners and the FRC team, prior to review by the Finance Director, POL.

5.2 The FRC team have agreed an approach to building automated user access controls
in CFS, in order to minimise the user access risk when POLSAP processes are
migrated to CFS. The BOT team are now proceeding with the analysis required
to design these user access controls so that they can be formally signed off and
built prior to go live in June 2018.

5.3 The controls will ensure that all manual journals are centrally processed where
possible, and there is a closed environment for any manual transactions which
cannot be centralised (e.g. transaction corrections, file uploads, settlements, and
other high volume processes which are transitioning from POLSAP to CFS). This
closed environment will be achieved by:

5.3.1 Restriction of access by user ID on value.

5.3.2 Restriction of access by user ID on GL account, with additional review controls to
be built around unrestricted GL accounts.

5.3.3 Automated workflow approval based on value, with workflow Masterdata
controlled centrally.

5.3.4 Limited number of approved users who can have access to the restricted role.
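The four rules in 5.3.1 to 5.3.4 together describe an authorisation policy for manual journals: a per-user value cap, a per-user GL account range with a review control for postings outside it, workflow routing by value driven by centrally held masterdata, and a cap on the restricted role. The block below is an added illustration of that policy as code and is not Post Office, BOT or CFS code; the role names, value tiers, GL prefixes, user IDs and the restricted-role cap are all assumptions made for the example.

```python
"""Closed environment for manual journals, as described in 5.3.1 to 5.3.4.
Added illustration only: this is not Post Office, BOT or CFS code, and the
role names, value tiers, GL prefixes and restricted-role cap are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# 5.3.3: workflow masterdata held centrally; posters cannot edit these tiers.
# The approving role is picked from the journal's total value (figures assumed).
APPROVAL_TIERS: Tuple[Tuple[float, str], ...] = (
    (10_000.0, "team_leader"),
    (100_000.0, "finance_manager"),
    (float("inf"), "finance_director"),
)
RESTRICTED_ROLE_CAP = 5  # 5.3.4: assumed ceiling on holders of the unrestricted role


@dataclass(frozen=True)
class UserProfile:
    user_id: str
    value_limit: float                      # 5.3.1: per-line cap; 0.0 = no manual posting
    allowed_gl_prefixes: Tuple[str, ...]    # 5.3.2: GL account ranges the user may post to
    restricted_role: bool = False           # may post outside those ranges, under review


@dataclass(frozen=True)
class JournalLine:
    gl_account: str
    amount: float  # absolute value of the line


@dataclass
class Decision:
    outcome: str                             # "rejected" or "workflow"
    approver_role: Optional[str] = None
    reasons: List[str] = field(default_factory=list)
    review_flags: List[str] = field(default_factory=list)  # 5.3.2 review control


def authorise_journal(user: UserProfile, lines: List[JournalLine]) -> Decision:
    """Enforce the value and GL restrictions, then route the journal to workflow."""
    decision = Decision(outcome="workflow")
    for i, line in enumerate(lines, start=1):
        if line.amount > user.value_limit:
            decision.reasons.append(
                f"line {i}: {line.amount:.2f} exceeds value limit {user.value_limit:.2f}")
        in_range = any(line.gl_account.startswith(p) for p in user.allowed_gl_prefixes)
        if not in_range:
            if user.restricted_role:
                # Unrestricted GL accounts are not blocked for the restricted role,
                # but the posting is flagged for the additional review control.
                decision.review_flags.append(f"line {i}: GL {line.gl_account} outside restricted range")
            else:
                decision.reasons.append(f"line {i}: GL {line.gl_account} not permitted for {user.user_id}")
    if decision.reasons:
        decision.outcome = "rejected"
        return decision
    total = sum(line.amount for line in lines)
    decision.approver_role = next(role for limit, role in APPROVAL_TIERS if total <= limit)
    return decision


def approve(decision: Decision, poster: UserProfile, approver: UserProfile, approver_roles: set) -> bool:
    """Workflow step: the approver must hold the routed role and must not be the poster."""
    if decision.outcome != "workflow" or approver.user_id == poster.user_id:
        return False
    return decision.approver_role in approver_roles


def restricted_role_breaches(users: List[UserProfile]) -> List[str]:
    """5.3.4: list the holders if more users hold the restricted role than the cap allows."""
    holders = sorted(u.user_id for u in users if u.restricted_role)
    return holders if len(holders) > RESTRICTED_ROLE_CAP else []


# Constructed sample profiles and journals; the user IDs and GL accounts are made up.
CLERK = UserProfile("clerk01", value_limit=5_000.0, allowed_gl_prefixes=("4", "5"))
SENIOR = UserProfile("senior02", value_limit=250_000.0, allowed_gl_prefixes=("1", "4", "5"),
                     restricted_role=True)


def demo():
    """Four journals: within limits, over value limit, wrong GL, and a restricted-role posting."""
    within = authorise_journal(CLERK, [JournalLine("4100", 1_200.0), JournalLine("5200", 1_200.0)])
    over_value = authorise_journal(CLERK, [JournalLine("4100", 7_500.0)])
    wrong_gl = authorise_journal(CLERK, [JournalLine("2100", 100.0)])
    reviewed = authorise_journal(SENIOR, [JournalLine("2100", 60_000.0)])
    return within, over_value, wrong_gl, reviewed


if __name__ == "__main__":
    for d in demo():
        print(d.outcome, d.approver_role, d.reasons, d.review_flags)
```

The point of separating `authorise_journal` from `approve` is that the value and GL checks are applied to the poster, the routing comes from the central tiers rather than from anything the poster supplies, and the approval step rejects self-approval; `restricted_role_breaches` is the periodic check that the restricted role has not quietly grown beyond the agreed number of holders.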

5.4 User access controls over CWC are currently being reviewed in advance of Belfast
go live.

6. What actions are being taken in response to the control points
raised in EY’s FY16/17 audit report?

6.1 Actions and deadlines have been agreed with owners for each Management Letter
Point raised by EY (refer to Appendix 2). A weekly progress meeting is being
held; all items are currently on track to be completed by the deadline. There are
two items to note:

6.1.1 In respect of item 2.4 (refer to Appendix 2), there is a delay in determining an
appropriate system solution to make the changes required. We are working
closely with Accenture to progress this.

6.1.2 Item 2.13 (refer to Appendix 2) is in its planning stage. A formal plan and timeline
for completion will soon be in place.

6.2 Progress against the items due for completion by end January is noted below:

6.2.1 Item 2.6 Revenue commission rates; review is in progress, with 5 out of 15
product areas complete and the remaining due for completion by the deadline. A
quarterly review will be implemented thereafter.

6.2.2 Item 2.9 Network cash internal audit; count dates have been agreed, refer to
section 4 of this paper.

6.2.3 Item 2.10 Network cash counts; Finance attendance has been confirmed for at
least one of the cash counts. A count policy and instructions have been
documented and review is in progress.

6.2.4 Item 2.14 Timely deactivation of leaver accounts; a weekly leaver review is in
operation and this has been extended to cover third parties.

6.2.5 Item 2.19 Management of SAP privilege accounts; the DDIC account has been
locked by Accenture as recommended by EY. Accenture have advised not to
change the TMSADM password as this could affect service; this will be discussed
with EY.
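Item 6.2.4 describes a weekly leaver review that now also covers third parties. The block below is an added illustration of what such a review checks, reconciling an HR leaver feed against an account export; it is not Post Office code, and the feed layouts, field names, sample identities, grace period and dormancy threshold are all assumptions made for the example.

```python
"""Weekly leaver account review covering employees and third parties (item
6.2.4 above), as an added illustration. This is not Post Office code: the feed
layouts, field names, sample data, grace period and dormancy threshold are
assumptions."""
import csv
from datetime import date, timedelta
from io import StringIO

GRACE_DAYS = 0      # assumed: an account should be disabled on the leave date itself
DORMANT_DAYS = 90   # assumed: enabled non-leaver accounts unused this long are reported too

# Constructed sample HR leaver feed; third parties sit alongside employees so the
# same review covers both populations.
HR_LEAVERS_CSV = """person_id,name,type,leave_date
E1001,A Example,employee,2018-01-05
C2001,B Contractor,third_party,2017-12-22
E1002,C Example,employee,2018-01-19
"""

# Constructed sample export from the identity store (a directory or SAP user list).
ACCOUNTS_CSV = """account,person_id,enabled,last_logon
aexample,E1001,true,2018-01-09
bcontract,C2001,true,2018-01-10
cexample,E1002,true,2018-01-11
svc_batch,,true,2018-01-11
dlegacy,E0999,true,2016-03-01
"""


def _rows(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))


def leaver_review(hr_csv, accounts_csv, as_of, grace_days=GRACE_DAYS, dormant_days=DORMANT_DAYS):
    """Reconcile the account export against the leaver feed as of a review date (ISO string).

    Returns four finding lists:
      overdue_disable    enabled accounts whose person left more than grace_days ago
      logon_after_leave  accounts used after the leave date (disable and investigate)
      orphan             enabled accounts with no HR identity to reconcile against
      dormant            enabled accounts for non-leavers unused for dormant_days
    """
    as_of = date.fromisoformat(as_of)
    leavers = {r["person_id"]: r for r in _rows(hr_csv)}
    findings = {"overdue_disable": [], "logon_after_leave": [], "orphan": [], "dormant": []}
    for acct in _rows(accounts_csv):
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to action
        name, pid = acct["account"], acct["person_id"].strip()
        last_logon = date.fromisoformat(acct["last_logon"]) if acct["last_logon"] else None
        if pid in leavers:
            leave = date.fromisoformat(leavers[pid]["leave_date"])
            if as_of > leave + timedelta(days=grace_days):
                findings["overdue_disable"].append((name, leavers[pid]["type"], (as_of - leave).days))
            if last_logon and last_logon > leave:
                findings["logon_after_leave"].append((name, last_logon.isoformat()))
        elif not pid:
            findings["orphan"].append(name)  # cannot be matched to a joiner/leaver record
        elif last_logon is None or (as_of - last_logon).days > dormant_days:
            findings["dormant"].append(name)
    return findings


def run_review(as_of="2018-01-12"):
    """Run the review over the constructed samples; the date is the review week."""
    return leaver_review(HR_LEAVERS_CSV, ACCOUNTS_CSV, as_of)


if __name__ == "__main__":
    for category, items in run_review().items():
        print(f"{category}: {items}")
```

The `orphan` and `dormant` findings are there because a leaver review that only looks at names on the HR feed misses accounts that were never tied to an HR identity in the first place (third-party or service accounts created outside the joiner process) and accounts whose owner is still employed but no longer uses them.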

7. What additional work is planned for FY17/18 year end?

7.1 As part of the planning process for the FY17/18 financial year end, we are
determining the additional controls and balance sheet work that should be
performed prior to year-end. The following work is planned:

7.1.2. Finance Director Balance Sheet review files for P11 or P12 to include all support
attached, for review within the Financial Accounting & Governance Team. Formal
communications will be issued regarding this, and Finance Directors will be made aware
in the next monthly FD Balance Sheet review meetings.

7.1.3. Annual controls to be performed prior to year-end where they are not specific to
P12, in order to identify any potential issues prior to year end. This will also allow
internal testing of annual controls prior to year end.

7.1.4 Cut-off reminders to be issued to Finance prior to year end. Unrecorded liabilities
review to be performed in the weeks prior to and after the year end date.

7.1.5 Additional balance sheet review to be performed in P11 and P12, over higher risk
areas.


Appendix 1 - November 2017 CSA results by process

November 2017 CSA results (submitted December 2017). Columns: (a) total controls; (b) control gaps (H/M/L risk); (c) controls with no owner (heading partly illegible in the scan; all entries zero); (d) self-assessed and operated effectively; (e) no self-assessment submitted; (f) not operated due to control frequency; (g) self-assessment submitted but control not operated; (h) controls to be set to live.

Process                  (a)  (b)  (c)  (d)  (e)  (f)  (g)  (h)
[illegible] Management    31    0    0   27    0    4    0    0
Bill To Cash              35    2    0   27    0    6    0    0
Control Environment       35    1    0   14    0   20    0    0
Fixed Assets              21    2    0   14    0    3    2    0
Payroll                   47    1    0   44    0    2    0    0
Procure To Pay            27    0    0   15    0   12    0    0
Project Accounting        10    1    0    4    0    5    0    0
Record To Report          47    4    0   28    0   12    3    0
Settlement Process        16    1    0   11    0    4    0    0
Stock                      6    2    0    1    0    3    0    0
Tax                       18    0    0   10    0    4    4    0
Treasury                  10    0    0    7    0    3    0    0
Total                    303   14    0  202    0   78    9    0

The Treasury value in column (f) is missing from the scan; 3 is implied by the column total of 78 and the row total of 10. The first process name is illegible in the scan.


Appendix 2 - EY control findings from FY16/17 audit with owners and
deadlines

The source table has columns for Observation, Control issue (tick), Control efficiency (tick), Priority, POL owner(s) and POL deadline. Items 2.1, 2.2, 2.3 and 2.6 are ticked in both the control issue and control efficiency columns; each other item carries a single tick, and the scan does not preserve which of the two columns it falls in.

Ref   Observation                                                          Priority  POL owner(s)                       POL deadline
2.1   Assets under construction project monitoring                         High      Tom Woodhouse                      25-Mar-18
2.2   Asset under construction additions                                   High      Tom Woodhouse                      25-Mar-18
2.3   Fixed asset disposals                                                Medium    Tom Woodhouse                      25-Mar-18
2.4   Ongoing management of the FAR                                        Medium    Tom Woodhouse                      25-Mar-18
2.5   Branch postcodes                                                     High      Tom Woodhouse                      25-Mar-18
2.6   Revenue commission rates                                             High      Danielle Goddard                   31-Jan-18
2.7   Revenue third party information                                      High      Danielle Goddard                   25-Mar-18
2.8   Bill payments revenue                                                High      Danielle Goddard                   28-Feb-18
2.9   Network cash internal audit                                          High      Russell Hancock, Danielle Goddard  31-Jan-18
2.10  Network cash counts                                                  High      Russell Hancock, Danielle Goddard  31-Jan-18
2.11  Pension discount rate                                                Medium    Michael Passmore                   25-Mar-18
2.12  Financial statements preparation                                     Low       Danielle Goddard                   25-Mar-18
2.13  New accounting standards                                             High      Briony Tristram                    25-Mar-18
2.14  Timely deactivation of leavers’ accounts                             High      Matthew Warren, Tracy Wilkes       31-Jan-18
2.15  Approval of third party created user accounts                        High      Matthew Warren, Tracy Wilkes       25-Mar-18
2.16  Improvement in the periodic user access review process               Medium    Matthew Warren, Tracy Wilkes       25-Mar-18
2.17  Segregation of incompatible duties within the manage change process  Medium    Rebecca Barker                     25-Mar-18
2.18  Direct access to make changes to SAP - SCC4 security settings        Medium    Max Jacobi                         30-Jun-18
2.19  Management of SAP privilege accounts                                 Medium    Matthew Warren                     31-Jan-18
2.20  Changes approval                                                     Medium    Rebecca Barker, Max Jacobi         28-Feb-18
2.21  Audit of third party providers                                       Low       Rebecca Barker                     28-Feb-18

POST OFFICE
RISK & COMPLIANCE COMMITTEE GOVERNANCE UPDATE

Business Continuity & Crisis Management
update

Author: Tim Armit Sponsor: Jane MacLeod Meeting date: 18 January 2018

Executive Summary

Context

Business Continuity capability continues to improve across Post Office. There are gaps
across all areas, but awareness and the ability to respond to incidents are increasing.
The period between RCC meetings has seen a large number of significant incidents across
many areas. The ongoing threat of a Royal Mail strike continues.

Questions this paper addresses

- What is the Post Office capability to respond to a strike by Royal Mail?
- How successful was the management of significant incidents?
- What are the next priority areas to be addressed?

Input Sought

The Committee is requested to note the report.


Conclusion

What is the Post Office capability to continue operations should Royal Mail strike?

1. The threat of a Royal Mail strike has reduced but planning for such a strike continues
across Post Office. Our assessment of Royal Mail’s capacity to continue to serve
Post Office during a strike has consistently reduced throughout the planning. At
the final meetings RMG stated that they would be unable to collect from some 4000
branches during a strike, impacting Mails, Special Mail and Banking Framework as
well as other areas.

2. Discussions across Post Office have been ongoing and detailed planning has been
discussed regularly with Royal Mail. Alternative solutions, such as collecting mail
ourselves have been explored.

3. Communications plans for branches and customers have been developed.
How successful was the management of significant incidents?

4. Since the last report, there have been a number of significant incidents drawing
extensively on management time across many areas. The incidents have included:
- POCA mass letter distribution and reduction of service in the customer call
centre capability
- AEI software patch error resulting in the loss of all AEI machines across POL
- ATM failure across POL due to a Bank of Ireland issue
- DDoS attacks of varying natures against the POL website
- Severe weather affecting areas of operations and Supply Chain
- Chesterfield local terrorist police raids
- Risk within chips across computing

5. The Business Protection Team (BPT) was invoked on many occasions and the
system is now proven to work effectively. The new Grapevine invocation system
is proving to be more efficient, and the quick notes to GE are working well.

6. The impact of the incidents is what matters most in terms of risk management and
this is not being clearly reported. A strategy to identify the impact and report this
is now being developed.

What are the next priority areas?

7. Chesterfield is completing a review of the impact of a failure in their operations and
working with IT and CC to implement a PC image at Sungard, the recovery site
provider, to enable quicker and more effective recovery of operations to be in place
and tested.

8. Supply Chain depot contingency capability has been reviewed and report is being
finalised for Supply Chain management to use to enhance their recovery capability.

9. Banking Framework impact of failure and required contingencies are being worked
on.

10. Government and Payment Systems are being worked with to ensure their
operations understand the impact of failure and have contingency solutions.

Appendix 1
Status of progress

Action 1: Further training and education for the Business Protection Team, including improvement of the procedure to invoke the Business Protection Team.
Update: Initial changes made to invocation in place. Second workshop planned for November.
Owner: Tim Armit. Target date: 1/18.

Action 2: The Industrial Action plans need to be reviewed in light of current risks.
Update: Internal POL meeting held and two Royal Mail meetings held to determine needs and plans. POL requirements will feed into the RM plans to ensure we know gaps and planned responses.
Owner: Mark Siviter / Tim Armit. Target date: Ongoing.

Action 3: Development and implementation of a recovery strategy for Bolton.
Update: Cost for Sungard solution agreed and budgeted; meeting with Bolton lead team to agree solution being planned for September.
Owner: Joe Conor / Tim Armit. Target date: 1/18.

Action 4: Stay Calm manual needs to be simplified and training provided as to its use.
Update: Training across Supply Chain depots underway. Agreement to restructure in place with key users within Supply Chain. Review of documentation complete. Draft new approach out for pilot now; once the approach is agreed it is to be rolled out in October. Restructured document in place by year end.
Owner: Tim Armit / Marcia Bourne. Target date: 1/18.

Action 5: Resilience levels across all key locations and facilities need to be tested, improvements identified and implemented.
Update: Chesterfield solution in place and approach to PCs being reviewed for improvement by IT. Finsbury Dials home working proven in a controlled manner, and more realistic exercises will develop from this. Supply Chain solutions being reviewed. The levels of resilience will continue to be reviewed whilst plans and strategies are developed across all areas, led by Tim Armit but owned by each business lead. This will take until June 2018.
Owner: Paula Jenner / Tim Armit / Russell Hancock. Target date: 6/18.

Action 6: Supply Chain sites visited: Aberdeen / Glasgow / Belfast / Norwich / Sheffield / Birmingham / Hemel Hempstead (at Norwich) / Swansea (at Birmingham).
Update: Key initial findings include:
- No confirmed or tested continuity locations for depots
- No plans for large loss of vehicles
- Clarification on crisis escalation and central crisis response needed
These and other initial findings have been reported to Supply Chain leadership for them to resolve. Once all visits are complete, timescales for resolution will be agreed with Supply Chain management and a method to track these implemented. The reviews are also uncovering some opportunities to review standard methods of operation. Once all issues identified are resolved, the sites will show as green with respect to their continuity capability. It is anticipated this will be complete by March 2018.
Owner: Russell Hancock / Tim Armit. Target date: 1/18.

POST OFFICE
RISK & COMPLIANCE MEETING
Health and Safety

Author: Martin Hopcroft Sponsor: Al Cameron Meeting date: 18 January 2018

Executive Summary

Context

1.1 The Risk & Compliance Committee requested a regular update on our management of risks
around the health and safety of our people and customers.

1.2 Health and Safety performance is reported monthly to the Group Executive and at each
Board meeting, together with information on health and wellbeing.

1.3 Our Health & Safety performance has improved significantly in the past 6 years and we
have a rolling 3-year plan to drive health and safety compliance and year on year risk
reduction, targeting a reduction in four key safety metrics: accidents; lost time accidents;
days lost; and personal injury claims. A comprehensive report was provided for the deep
dive review for GE and PO Board in October.

Questions this paper addresses:

2.1 What is going well across health and safety and what is not going so well?

2.2 What are we doing to mitigate the key risks, including driving and robberies?

2.3 Are there any significant emerging risks?

Conclusion:

3.1 There has been a recent increase in the number of accidents (P8 and P9), including
absence accidents following 3 incidents in DMBs and Supply Chain. Investigations are
being undertaken and accountabilities reviewed (see Report-H&S Metrics). Benchmark
data has been received from suppliers / insurers and overall Post Office performance is
favourable. Post Office has also participated in a BSIA exercise to benchmark Supply
Chain performance across the industry and should receive a report from BSIA very soon.

3.2 Whilst mitigating action has reduced road risk across the Commercial Fleet over recent
years, a new overarching policy is being developed for all business drivers (company and
personal cars) and will be presented to Ops Board in Q4. Online awareness training has
been issued via Success Factors and the Mobile Phone whilst Driving Policy reiterated.

3.3 Whilst CViT attacks remain lower in 2017/18 with 14 v 20 (2016/17), Post Office
robberies have increased. A number of initiatives are being deployed in hot spot areas.
Due to this increase in violence, the Board and GE have requested a review of employee
and agent security, following an ONS report that shop theft is increasing across the
industry, as are the number of robberies in branches. A report will be provided to GE
during Q4 following a review of current procedures, equipment and analysis of robberies,
attacks and losses whilst also considering the impact of change on the risk profile.

3.4 The overall level of Property risk is predominantly low. An Independent Assessment of
high risk building fabric (including signage) is complete, with remedial works being
planned. Medium risk assessment has now commenced and will be completed by March.
We are amending our FM contract to move to a proactive fabric management regime.
Current property statutory compliance is good at 96%.

3.5 A number of actions are being progressed following the GE H&S deep dive review,
including a review of road policy, guidance for lone workers, safety of vacated buildings,
competency and statutory compliance. A 3rd Party Audit has been commenced with HSL
/HSE to review the Post Office Safety Management System.

3.6 A number of initiatives are being developed to raise awareness of mental health support
and resources, including MH Awareness Workshops and the introduction of MH First
Aiders to provide proactive support to colleagues across the business.

Input Sought

The Risk & Compliance Committee are requested to note the update on safety.

Strictly Confidential Health & Safety Report Jan18

The Report - H&S Metrics


Summary of Safety Performance - YTD Period 9 (Dec 2017)

Number of Employee Accidents — Monthly - Period 9
(Target to achieve a 5% year on year reduction)

[Chart: Directly Managed Branch accidents, P9 YTD, by period P1 to P9, 2016/17 v 2017/18.]

Accidents are forecast to outturn lower than 2016/17. There have been 91
accidents YTD compared to 101 at P9 in 2016/17. Causation is consistent
with previous years in DMBs and due to falls indoors (2 in P9), lifting and
handling (1 in P9) and stepping and striking (1 in P9). There was also a rare
incident whereby a customer assaulted a DMB employee. Whilst stepping
and striking (1 in P9) and non RTA vehicle related accidents (2 in P9) have
increased in Supply Chain recently, lifting and handling related incidents have
reduced (0 in P9). Following an increase in accidents P8 and P9 and a serious
near miss, investigations are being carried out to understand causation and
action plans agreed by local management to mitigate future risk. A Safety
Forum is being set up to share best practice and discuss lessons learnt and
promote safety culture.

There were 2 lost time accidents reported in P9 with 17 lost time accidents
YTD 2017/18 and 364 total lost days. Cumulative Trends can be seen per
000 employees in the graph below. Total lost time / 000 employees has risen
by 50% YTD. Trauma related total lost days, following an attack, are 97%
down (4 days 17/18 v 137 in 16/17).

[Chart: Days lost due to accident per 000 employees, cumulative by period P1 to P9, 2015/16, 2016/17 and 2017/18.]

Post Office total lost days: 29 in Period 9

DMB total lost days P9 YTD : 202 (96 in 16/17) - 1 step/strike, 1 lifting, 2 fall, 1 assault
Supply Chain total lost days P9 YTD: 199 (191 in 16/17) 3 vehicle, 3 falls, 2 lifting
Support total lost days P9 YTD : 6 (6 in 16/17)

Post Office CViT Robberies — P8 (Nov 17)
There were zero incidents reported in Nov v 1 in 2016/17 and over a rolling 12
mth period there have been 14 incidents v 20 in 16/17. Trend is being
monitored closely. 3 incidents YTD have used violence with 1 injury. 4 used
weapons v 6 in 2016/17 YTD. 70 Cross Pavement Observations have been
undertaken by Security Managers during period. 3 ‘Operation Stripes’
undertaken to test resilience of depots, and to ensure unauthorised access is
not given, regardless of circumstances. 17 other depot visits undertaken by
security during period to engage with Supply Chain staff and promote security
best practice.

[Chart: Directly Managed Branch accidents, year to date - 15/16: 56; 16/17: 42; 17/18: 39.]

[Chart: Supply Chain accidents, P9 year to date - 15/16: 55; 16/17: 33; 17/18: 50.]

Post Office (All branch types)
Robberies - P8 (Nov 17)

There were:

June - 8 incidents v 11 (16/17)

July - 4 incidents v 8 (16/17)

Aug - 8 incidents v 12 (16/17)

Sep - 13 incidents v 9 (16/17)

Oct - 14 incidents v 6 (16/17)

Nov - 9 incidents v 17 (16/17)

97 robberies YTD v 74 in 2016/17
170 compared to 112 in rolling 12mth

Violence - 2 vs 4 last year

Injuries - 1 vs 2 last year

8 injuries YTD v 8 (2016/17)

Weapons - 6 (1 firearm, 3 blades) vs 14
last year (4 firearm, 7 blades)

There has been a 10% increase in bladed
robberies and a 2% reduction in firearm
robberies over rolling 12 month period.
TORCH visits are being made to hot spot
branches to verify for compliance to
security standards. A review is being
undertaken to assess personal safety risk
to employees and agents and to look
forward to consider potential change to
the risk profile of branches and CViT
operations.

[Chart: LTIFR (Lost Time Incident Frequency Rate) by period P1 to P9 - Supply Chain LTIFR, Post Office LTIFR and target.]

Lost Time Injury Frequency Rate (LTIFR) - Period 9 YTD

Supply Chain
YTD P9 - 0.896

2016/17 out turn - 0.590

2017/18 target - 0.500

Absence accidents/000 SiP 11.08 YTD v 9.24(16/17)

All Post Office - Employee
YTD P9 - 0.293

2016/17 out turn - 0.168

2017/18 target - 0.180

Absence accidents/000 SiP: 3.37 YTD v 2.53 (16/17)

P9 Road Traffic Collisions

* 7 Road Traffic Incidents in P9
* 4 at fault, 3 not at fault

Comparing 17/18 v 16/17
There were 66 RTCs YTD in 2017/18 v 129
(16/17), a 49% reduction YTD.

At fault RTCs were 78 in 2016/17 and have
reduced to 42 in 2017/18, a 46% YTD
improvement. Initiatives include:

* An overarching Road Risk Policy, with
improved training and compliance checks
is being developed by the Fleet
Management team to cover Commercial
Fleet, Business Cars and Personal Car use.

* Driver Training has been developed and
launched on Success Factors for all
employees who drive on business.

* Road Risk Manager is working closely with
the road safety charity Brake, our
Insurers, QBE and Fleet providers, BT
Fleet and Inchcape and Cranfield
University to benchmark and pilot
initiatives to mitigate risk.

Road Risk

[Chart: Road Traffic Incidents - Cumulative, P1 to P9; series: 16/17, 17/18, At Fault 16/17, At Fault 17/18]

POL-BSFF-0218823_0082

Summary of Wellbeing Performance - YTD Period 8 (Nov 2017/18)

* The overall Post Office attendance level remains stable at 96.4% YTD P8 (November 2017/18). Short
  Term absence is 1.0% YTD and long term absence is stable at 2.6% YTD. There has been a positive
  uptake of free flu vaccinations offered to Support Centre and Supply Chain colleagues during P8.

* Mental health related absence remains the most common cause of long term absence. Some additional
  analysis is being undertaken by our Occupational Health and HR Service Providers to understand
  trends and areas of concern to target intervention by business area.

* Proactive activity includes 'positive mental health awareness' sessions for colleagues, additional Mental
  Health Awareness Workshops being piloted for line managers and the introduction of Mental Health
  First Aiders, with 39 trained in November and an additional 20 planned for training in Supply Chain in
  January, followed by a review and launch of the initiative across the business in late January.

Business Area Absence Performance v Target - P8 YTD 2017/18

2017/2018 Sick Absence % (Gross Hours)

Business Area                          P01   P02   P03   P04   P05   P06   P07   P08   YTD   Target
CHIEF FINANCE & OPERATIONS OFFICE      3.4%  3.3%  3.2%  3.6%  4.0%  4.8%  4.3%  4.1%  3.8%  3.4%
FIN: SUPPLY CHAIN                      4.0%  3.7%  3.9%  4.1%  5.1%  5.8%  4.5%  4.5%  4.4%  3.6%
FIN: CHANGE MANAGEMENT                 0.2%  1.0%  3.2%  6.6%  6.4%  2.5%  0.6%  0.6%  2.6%  3.3%
FIN: HRSC                              0.8%  3.6%  1.1%  2.6%  4.4%  4.7%  9.1%  5.6%  4.2%  3.3%
FIN: CONTACT CENTRES                   3.7%  1.9%  2.5%  5.4%  4.1%  6.6%  7.0%  5.8%  4.4%  4.2%
FIN: NETWORK OPERATIONS                2.1%  3.6%  2.0%  2.1%  1.9%  1.8%  2.5%  2.8%  2.4%  3.3%
FIN: FSC                               4.0%  1.7%  2.1%  1.9%  2.0%  6.6%  4.9%  3.7%  3.4%  3.4%
RETAIL OFFICE                          3.5%  3.1%  3.5%  4.1%  4.4%  4.2%  4.2%  4.2%  3.9%  3.4%
RO: DIRECTLY MANAGED BRANCHES          3.9%  3.4%  3.8%  4.6%  4.9%  4.7%  4.6%  4.4%  4.3%  3.7%
RO: AGENCY SALES & CRM                 3.8%  4.9%  4.1%  1.4%  3.0%  3.8%  6.3%  6.8%  4.3%  3.3%
RO: NETWORK DEVELOPMENT                1.2%  1.0%  1.2%  1.4%  1.5%  1.0%  1.0%  1.9%  1.2%  3.3%
COMMUNICATIONS & CORPORATE AFFAIRS     0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.0%  0.3%
HUMAN RESOURCES                        0.0%  0.3%  1.8%  1.3%  1.3%  0.5%  2.5%  0.0%  1.0%  1.2%
GENERAL COUNSEL                        0.1%  0.0%  0.0%  0.7%  1.5%  1.5%  0.4%  0.9%  0.6%  1.5%
FINANCIAL SERVICES & TELECOMS          3.0%  2.3%  1.9%  2.1%  1.7%  1.1%  1.9%  2.6%  2.1%  1.9%
FST: PO MONEY PRODUCTS                 6.0%  4.5%  3.8%  4.1%  3.3%  2.2%  3.6%  4.5%  4.0%  3.7%
CHIEF INFORMATION OFFICE               2.7%  3.1%  2.6%  5.2%  5.4%  5.6%  4.4%  2.6%  3.7%  3.5%
Post Office Ltd                        3.3%  3.0%  3.2%  3.7%  4.0%  4.1%  4.0%  3.9%  3.6%  3.3%

POL-BSFF-0218823_0083

Information Protection and
Assurance Update Paper.

Executive Summary

Context

A paper was submitted to the December 2017 RCC and ARC which detailed how Post Office
(PO) is addressing the mitigation of our top risks regarding both Information Security
and IT Security.

In 2017, IT Security was brought under the direction of the CIO, whilst Information
Security remained under the direction of Legal, Risk and Governance. This move defined
roles under the 'Three Lines of Defence' model, ensuring that Information Security focuses on the
protection of information assets, compliance with supporting policies, and assurance
activities, whilst IT Security focuses on the protection of our systems, networks and
applications.

This paper, produced by Information Protection and Assurance (IPA), is focussed on
their Information Security accountabilities. This report highlights further details of IPA's
activities, their status and planned resolutions. In addition, an update is provided on
our current PCI risk - which is a new top risk added since the last paper was produced.

Questions this paper addresses

e What does a mature Information Security Model look like?
e Where are the gaps?
e Can PO do anything more, or differently, to reduce the risks?
e What is the status of deliverables on the Information Security Transformation
journey?
Conclusion

1. PO remains below the level of maturity in information security that would be
expected for a company operating in the digital space. PO needs to further
develop its maturity in people and processes in order to bring the current levels
of risk within appetite.

2. Information Protection and Assurance (IPA) is working on improving the ability of
PO colleagues to recognise and react appropriately to cyber threats, malware and
other Information Security risks through our cultural change programme.

Input Sought

ARC is requested to note this paper.

POL-BSFF-0218823_0084

POST OFFICE PAGE 2 OF 5

Report

What does a mature Information Security Model look like?

3. A mature Information Security Model ensures that all three elements (people,
process and technology) of good Information Security protection are
appropriately resourced.

A mature Information Security model includes:

a. Defining our strategy for securing our data and ensuring that each part of the
business is supported in developing its products and services securely.

b. Creating a culture where our people know the importance of good security
practices and behaviours. This is ever more important with the advent of
GDPR and is also an area of specific focus by our Data Privacy team.

c. Developing appropriate policies and processes that set accountabilities for
the management of our data and provide informative resource for people
to inform their decisions.

d. Managing risk effectively ensuring that we make the most appropriate risk-
based decisions.

e. Developing incident management and reporting to ensure we remain
compliant to regulatory obligations and reduce the impact of data related
incidents.

f. Enhancing compliance and assurance activities to identify poor
behaviours/practices that increase our risk exposure and drive proactive
remediation.

g. Continually assessing our security capabilities and develop appropriate
strategies and activities to ensure we keep up-to-date with industry best
practice.

IPA have recruited highly qualified staff to ensure that PO is supported in making
the most effective risk-based decisions regarding the protection of its data and
information assets. All of the requirements of a good Information Security Model
will be included in the Information Security Strategy, currently in development.

IPA base their maturity assessment on the Information Security Forum's (ISF) maturity
model. This scoring framework is globally accepted as a best-practice measure
employed by financial institutions, insurers and technology companies. Currently
PO scores an average of 2.72 on a 5-point scale. Our plans for 2017 are to
progress our maturity to 3+. The 5-point scale is Performed, Planned, Managed,
Measured and Tailored. For the most part PO does not need to achieve a Tailored score
for any of the disciplines defined within the framework. IPA, working with Internal
Audit and the Central Risk Team, have agreed the target levels which are
appropriate for PO. These are between Managed and Measured, so working
towards a level of 3+ is deemed appropriate for PO for 2018/19.

IPA are accountable for the creation, maintenance, implementation and
assurance of the Information and IT Security Policy set, and for providing assurance
that IT Security (Line 1) are carrying out appropriate activities. To this end,
during 2018/19, once the new member of staff in IPA has started, they will be
responsible for this deliverable.

POL-BSFF-0218823_0085

Where are the gaps?

8. IPA, using the output from our maturity model, intend to enhance our maturity
by developing the current Information Security Strategy, continuing staff
awareness campaigns, building effective Compliance and Assurance Frameworks,
and focussing on 3rd Party Supplier Management.

9. There is also significant activity in the Data Protection and Privacy arena, which
is subject to a separate paper on the GDPR programme.

Can PO do anything more, or differently, to reduce the risks?

10. Information Security must be considered as part of all change activity and
embedded in the business as usual.

11. The increasing levels of change activity are driving increased demand and we are
currently reviewing our resourcing model to ensure that we continue to be able
to provide advice and assurance to appropriate levels.

What is the status of Deliverables on the Information Security
Transformation journey?

12. The table in Appendix 1 highlights the deliverables and their status that IPA have
identified since the inception of the Information Security Transformation which
started mid-2017. Going forward, IPA will report on progress between each
RCC/ARC cycle.

POL-BSFF-0218823_0086

Appendix 1

Risk: Insider Threat & External Malicious Attack

Control Improvement Actions (Status; Completion Date)

1) E-learning - annual training is produced by IPA and delivered annually. This year we reached 96.4% of all staff (including agency staff). Status: Complete.

2) The Information Security Policy Set is complete and ratified. Status: Complete.

3) The Information Risk dashboard is produced monthly. Status: Complete.

4) Changes to vetting provider have been implemented. Status: Complete.

5) Line managers have been issued with updated instructions for joiners, movers and leavers, and HR Service Centre will be auditing results. Further improvements are dependent on the implementation of an automated Identity and Access Management (IAM) system. Status: Complete.

6) Ownership for JML has been agreed to sit with the Director of HR. All the actions which do not require an IAM system have been completed. Status: Complete.

7) Ownership for IAM has been agreed to sit with the CIO. Status: Complete.

8) Roll out the Culture change programme.
   a. Initial survey to assess current levels of awareness. Status: In progress; 19Jan18.
   b. Launch the refreshed communications programme including collateral (posters etc.). Status: In progress; 31Jan18.
   c. Arrange a security day in our Support Offices. Status: In progress; 31Mar18.
   d. Mini audits within Finsbury Dials to detect failure to comply with policies. Status: Scheduled; 31Mar18.
   e. Adding document classification prompts to PO templates. Status: In progress; 31Jan18.
   Work with the central risk team to agree how to use the risk champions for information security purposes. Status: Scheduled; 31Aug18.

Risk: External Malicious Attack

1) Maintenance of our ISO27001 certification for government services. Status: Complete.

2) Agreed with legal that the correct clauses, for both information security and all privacy legislation, are included in the P suite of contracts and playbooks associated with each contract. Status: Complete.
POL-BSFF-0218823_0087

3) Information Security and Privacy are included in project initiation documentation in One Best Way. Status: Complete.

4) Re-start of the Information Security Committee (ISC). Status: Complete.

5) Complete the Information Security Strategy and get it ratified by the ISC. Status: In progress; 31Mar18.

6) Restart the Information Security Working Group to feed into the newly re-started Information Security Committee (ISC). Status: In progress; 31Mar18.

7) Initiate full risk based due diligence on all suppliers to PO. (To date only the critical suppliers have had any form of due diligence carried out.) Status: Scheduled; 31Aug18.

8) Extend the Information Security Management System to cover the whole of PO. (This is dependent on the resourcing model review.) Status: Scheduled; 31Aug18.

Risk: PCI

1) External Qualified Security Assessor (QSA) peer review of some of the findings of our appointed QSA to ensure they are reasonable. Status: Complete.

2) Steering Committee set up to ensure focus of correct resources to get PO to a compliant position as soon as possible. Status: Complete.

3) Budget request for extra funds to cover remedial work has been created. Status: Complete.

4) Regular reporting to GE on progress and blockers is issued from the Steering Committee. Status: Complete.

5) Run a data discovery exercise to find any residual places where payment card data is stored. This is dependent on receipt of a Report on Compliance (RoC). Status: Scheduled; will be planned once the RoC is received.

6) Work with legal to ensure correct contractual obligations in regard to payment cards are in our third party supplier contracts. Status: Scheduled.

7) Remediate failings discovered during the 2017 PCI-DSS audit. Status: Scheduled.
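The data discovery exercise in PCI item 5 is, in practice, a scan of file shares, databases, logs and backups for primary account numbers (PANs) that sit outside the cardholder data environment. The following is an added example written for this page; it is not Post Office tooling, nor the QSA's, and the sample lines, the regular expression, the coarse issuer-prefix filter and the Finding record are all constructed here. It shows the core check such a scan runs: digit runs of 13 to 19 digits (with optional space or hyphen separators) are filtered by the Luhn check and a plausible issuer prefix, then reported masked to the last four digits so the scan report itself does not become a new store of card data. The card numbers used are the public scheme test numbers; the invoice reference is included because it passes Luhn and shows why the prefix filter, and ultimately a human in scope with the RoC, is still needed.

```python
"""PAN discovery: find candidate primary account numbers in text and report
them masked. Constructed example for illustration; not Post Office tooling."""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run (the lookarounds reject 20+ digit runs).
_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iin_plausible(digits: str) -> bool:
    """Coarse issuer-identifier filter (an assumption of this example; real
    tooling uses a maintained BIN/IIN table): Amex/Diners/JCB (3), Visa (4),
    Mastercard (51-55 and 2221-2720), Discover/UnionPay (6)."""
    if digits[0] in "346":
        return True
    if digits[0] == "5":
        return digits[1] in "12345"
    return 2221 <= int(digits[:4]) <= 2720


@dataclass
class Finding:
    source: str
    line_no: int
    masked: str      # only the last four digits survive
    length: int
    context: str     # the line with the PAN already masked


def find_pans(text: str, source: str = "<text>") -> list[Finding]:
    """Return one Finding per candidate that passes both Luhn and IIN checks."""
    hits: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in _CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not (luhn_ok(digits) and iin_plausible(digits)):
                continue
            masked = "*" * (len(digits) - 4) + digits[-4:]
            hits.append(Finding(source, line_no, masked, len(digits),
                                line.replace(m.group(), masked)))
    return hits


def scan_file(path: str) -> list[Finding]:
    """Scan one text file; undecodable bytes are skipped rather than fatal."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return find_pans(fh.read(), path)


# Constructed sample input. Card numbers are the public scheme test numbers.
SAMPLE = "\n".join([
    "cust_id,name,card",
    "1042,J Smith,4111 1111 1111 1111",                        # Visa test PAN, spaced
    "2017-11-30 14:22:07 auth ref 378282246310005 declined",   # Amex test PAN
    "backup note: 5555-5555-5555-4444 expiry 12/19",           # Mastercard, hyphens
    "asset tag 4111-1111-1111-1112",                           # fails Luhn
    "INV-2017-11-30-000123 paid",                              # passes Luhn, not a card
    "branch phone 0207 123 4567",                              # too short
])

if __name__ == "__main__":
    for hit in find_pans(SAMPLE, "sample"):
        print(f"{hit.source}:{hit.line_no} {hit.length}-digit PAN "
              f"{hit.masked}: {hit.context}")
```

Run it over a file with scan_file(path) and over a tree by walking it. The two filters cut noise but cannot confirm that a hit is a live card number or that the location is in scope, so each finding still needs review against the cardholder data environment boundary before it is treated as a PCI remediation item.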

POL-BSFF-0218823_0088

POST OFFICE PAGE 1 OF 5
RISK AND COMPLIANCE COMMITTEE

Risk Placemat, including an update on Risk Exceptions

Author: Richard Williams and Deana Herley Sponsor: Jane MacLeod Meeting date: 18 January 2018

Executive Summary

Context

The purpose of this paper is to provide the Committee with the current status of the roll
out of the Risk Placemat together with a briefing note on Risk Exceptions. This includes
a summary of the work completed since the last Risk and Compliance Committee (RCC)
meeting in November, detail of the work in progress and planned for January and
February and a current status of Risk Exceptions, since inception in 2016.

Questions this paper addresses

e What progress has been made since the November RCC meeting?
¢ Is the roll-out of the Risk Placemat on track?

e What are the next steps in the roll-out?

e What is the current status of Risk Exceptions?

Conclusion

1. Since the November RCC meeting, the approach has been further rolled-out within
Financial Services (FS) and Retail. Work is progressing in three (Post Office Money,
Banking Services and POMs) of the seven remaining areas (Business Innovation,
Customer Marketing & Digital, Risk & Regulation and Finance). Scoping meetings have
also been held with the remaining Retail business areas (Mails, Network Development
and Sales & Trade Marketing).

2. The rollout of the Risk Placemat is on track to be completed by June 2018. By year
end, circa 80% will have been tested and rolled-out to the business areas.

3. In parallel, we are creating a methodology to test the integrity and formalise the
governance framework of principal risks (horizontals) for post Placemat
implementation. Pilots are underway for Information Protection, IT Security and
Financial Crime, the results of which will be brought back to the March RCC.

4. The Q4 reassessment will commence in March and presented in May. Work will
commence to roll-out the Placemat to HR, Comms, Strategy and IT in the remainder
of Q4.

5. Since inception in December 2016, the Risk Exceptions process has accepted 5
proposals, 3 of which remain current and are included for noting. Further work on
enhancing the process is underway.

Input Sought
The RCC is asked to note these developments on the further Placemat rollout and the
current status of Risk Exceptions.

Confidential RCC 18 January 2018

POL-BSFF-0218823_0089

The Report

What progress has been made since the November RCC meeting?

1. Work is progressing with Post Office Money, Banking Services and POMS. Initial
outputs have been discussed with Ian Holloway (POMS) and meetings will be held in
January with Owen Woodley and Martin Kersley.

2. The rollout to the remaining FS business areas will continue in January, with the aim
of reviewing with Nicholas Kennett and presenting the results at the March RCC.

3. Scoping meetings have been held with the remaining teams in Retail (Mails, Network
Development and Sales & Trade Marketing) and workshops arranged to complete the
rollout.

Is the roll-out of the Risk Placemat on track?

4. As shown in the timetable below, the roll-out to Finance and Operations and Legal,
Risk and Governance is complete, and pilots have been completed in both the FS and
Retail, Telecoms and Government & Payment Services Teams respectively. The roll-
out of the Placemat is on track to complete by the end of June 2018.

[Timetable chart: Placemat roll-out by business area, Sep 17 to Mar 18 and beyond, plotted against the RCC/ARC cycles; rows include Finance & Operations and Government & Payment Services; legend marks commencement]

How are we developing an approach to governance?

5. The Placemat will provide a comprehensive baseline view of the top risks facing each
business area, and an assessment by respective management of how effectively those
risks are being managed (verticals).

POL-BSFF-0218823_0090

6. To further enhance our understanding and management of risk, we are creating a
methodology to test the integrity and formalise the governance framework of the key
principal risks (horizontals), ready for embedding prior to full Placemat
implementation. Three pilots are underway, covering Information Protection, IT
Security and Financial Crime. The outputs will support our understanding of how we
should assure, end to end, the completeness, quality and consistency of the business
areas' view (verticals). The overall risk picture will help to focus dialogue on the highest
risk items.

7. These principal risks have been selected as they have a cross-business footprint, have
a set of Post Office policies defined, have identified governance forums and are key
areas of focus for both the RCC and the ARC.

8. The scope of the pilots will include developing proposals for:

* Governance
e¢ Ownership and accountability
e Risk MI and reporting
« Functional assurance
9. Stakeholders from across the relevant business areas are actively involved in these

pilots. We expect to report the results at the March RCC, along with a proportionate,
scalable and sustainable approach for roll-out across the other principal risks.

What are the next steps in the roll-out?

10. The roll-out will be completed for the FS and Retail business areas and results compiled
and reviewed. We aim to present the results for both at March RCC.

11. The Q4 reassessment for completed business areas (Finance and Operations, LRG,
Telco and Government & Payment Services) will commence in March.

12. Work will also commence to roll the placemat out to HR, Comms, Strategy and IT.

What is the current status of Risk Exceptions?

13. In the ordinary course of events, standard business procedures should be followed to
ensure that Post Office stays within its defined risk appetite. However, there are
situations where business requirements make it necessary to depart from approved
policy and operate outside risk appetite. In these circumstances the business is
choosing to accept a risk, which is an “informed decision to take a particular risk”. The
reasons for this decision must be shared and approval sought from the relevant GE
members (or their direct reports) BEFORE the final decision is made. The Risk
Exception Note (REN) process was presented to the RCC in the November 2016
meeting.

" Approved Exceptions

POL-BSFF-0218823_0091

Name / Area: Robotics / Finance Service Centre
Risk: There is a risk of loss of data / service as the RPA software is running on stand-alone desktop machines, which are not backed-up, have no UPS and have no provision for real time resilience.
Exception Category: Policy
Accountable owner: Angela Van-Den-Bogerd
Status: Approved till 30 June 2017. Revised to 31 December 2017. The REN will be reviewed and extended in January.
Reason for extension: Business is pursuing a hosted solution with IT. Awaiting confirmation that the preferred option of Fujitsu KS as a location will permit the robots to operate exactly as an ordinary EUC end user (this is critical to their operation).

Name / Area: Project Finch / Financial Services
Risk: There is a risk of regulatory breach as a result of the roll-out of tablets to branches due to the following: all users may not be vetted; CRM+ will have access to customer data.
Exception Category: Regulatory
Accountable owner: Owen Woodley / Nick Kennett
Status: Closed.
Reason for extension: N/A

Name / Area: SalesForce - Procurement
Risk: Contract has been renewed / extended non-compliantly for a period of 12 months.
Exception Category: Regulatory
Accountable owner: Barbara Brannon
Status: Expires on 29 April 2018.
Reason for extension: N/A

Name / Area: CRM
Risk: There is a risk that, without Postmaster contract addendums in place for c106 branches with CRMs, Post Office cannot enforce policies and procedures where issues are identified in line with our obligations as an Appointed Representative to our Principals, specifically including our ability to meet FS regulatory requirements so that agents are clear on their obligations.
Exception Category: Regulatory
Accountable owner: Andrew Kingham
Status: Closed.
Reason for extension: N/A

Name / Area: Success Factors
Risk: Implementation of Success Factors without addressing certain data protection and information security risks could result in breach of data protection regulation and Post Office policy requirements, as line managers can download, copy, export and distribute personal data of their team members via non-corporate devices.
Exception Category: Regulatory
Accountable owner: Martyn Lewis
Status: Expires 30 June 2018.
Reason for extension: N/A

POL-BSFF-0218823_0092

14. We will continue to engage with Risk Champions and attend GE Members' lead team
meetings to further improve the understanding and application of the process
across the Post Office. The status of approved RENs will be reported to the RCC to
provide visibility and ensure these are closed in a timely manner. Further refinement
will seek to ensure that any gaps in the current process are understood first. To this
end, a lessons learnt exercise is underway, following a number of issues identified
during the pre-launch stage of Success Factors. Risk will help to develop and build any
approved changes into the existing process, where appropriate, to enhance Post Office risk
governance.

POL-BSFF-0218823_0093
POST OFFICE Page 1 of 7
RISK & COMPLIANCE COMMITTEE POLICY REVIEW

Procurement Compliance
Reporting

Author: Barbara Brannon Sponsor: Al Cameron Meeting Date: 18 January 2018

Executive Summary

Context

As a business in receipt of public funds POL is bound by the Public Contracts
Regulations 2015 (PCR 2015). PCR 2015 oblige POL to behave in a fair, objective and transparent
way when contracting with 3rd party suppliers. Additionally, set procedures must be
followed for spend above £25k and above £164,500 (total contract value).

Failure to abide by the legislation, or "slicing and dicing" contracts, exposes POL to risk,
both as regards the commercial outcomes of the contracts and the reputational
damage, legal remedies, censure and fines that can follow the discovery of a breach.
Details of our compliance with PCR can be requested under a Freedom of Information request at
any time.

The PCR Compliance Register allows for the tracking of breaches to PCR regulations at
the Post Office and internal governance processes. One aim of collating this
information is to drive improvement in awareness and compliance behaviour across
the organisation. The second and primary aim is to work with GE and Business Units
to commence commercial reviews in a more timely way ensuring POL obtains value,
commercial and contractual flexibility fitting the requirements and business strategy
of the organisation.

Questions addressed in this paper

1. How many and what types of procurement non-compliance have occurred in the
past quarter?
Since the last RCC in October there have been a total of 7 non-compliant
incidents with a total value of £9,388,000. It should be noted that 3 of these
are currently pending imminent contract signature.

These are comprised of:
a. 2 under the £164k threshold
i. Professional Services award for Phase 1 analysis work while a
compliant and competitive process is completed for Phase 2.
ii. 14 month extension to the VOW Wholesale & online contract, pending
legal advice as to whether it will now fall outside of PCR.

INTERNAL Page 1 of 7 RCC 18 January 2018

POL-BSFF-0218823_0094

b. 5 are significantly above threshold

i. 3 interim contract extensions of varying duration to existing supply,
all over the £164k threshold. 2 have been legally reviewed
as low risk, and an OJEU process is due to commence by the
renewal date for the third interim extension, rendering it low risk if
we can maintain the planned timetable.

ii. 2 have been subject to a competitive process but are technically
non-compliant under law. Legal advice is that due process can be
evidenced and they are currently low risk. One of these awards is
also within the near term pipeline as it will require renewal in May.

2. What are we doing about it?

In the past quarter, while we have £9.3m in new non-compliant spend we have
completed a number of very large value procurements and brought them into
compliance. Our overall value is therefore dropping from £19m in October to £15m in
January.

Open non-compliant awards since January 2017 are outlined below:

Function              Sum of Value
Branch Equipment      £     10,000
Corporate Comms       £     95,750
Financial Services    £  1,289,647
HR                    £  1,579,000
IT                    £  1,075,500
Marketing             £  2,318,000
NT Programme          £    180,000
Property              £  1,006,000
Research & Insight    £    661,500
Retail                £  2,767,000
Network               £     25,815
Travel                £  4,000,000
Grand Total           £ 15,008,212

3. How did we arrive at £9m in a single quarter?

Due to delays at Crown Commercial Services awarding a new Travel Framework under
which we will tender the service, we will need to further extend our current Travel
Services Contract until May 2018. It is high value [£4m] due to throughput but the
sales margin [under which penalties would be calculated] for the TMC is very low.
Competitors are aware of the delay and that a competition is pending. Our new target
date for compliant award is 1 May 2018 and we are confident of achieving that.

The POL contract for Identity Services valued at £2.5m was extended for 12 months
non-compliantly while we review options and execute the sourcing strategy for this

POL-BSFF-0218823_0095

market sector. The legal risk note states "a medium risk of breach of procurement law
though, absent any notice having been received from other providers in the
intervening period, the likelihood of a challenge being brought against the extension
and variation is probably low."

Two awards for a value of circa £1m have been made for Property Mgmt Services and
Staff Vetting respectively. A competitive process has been completed for both and are
assessed as low risk.

An interim contract extension for 6 months with NCR [SSK equipment and support] to
allow for an OJEU process to be completed is pending authorisation. Provided we can
hold to the current planned timetable, any residual “extension” required will be as
part of Exit services which is compliant.

A detailed table which also outlines next steps and mitigation activities is attached as
Appendix A.

4. What are the potential consequences?

a. Pre-contractual remedies overview: During a Procurement, an aggrieved
party can seek an interim injunction suspending the tender or the
implementation until the court decides on an outcome.

b. Post-contractual remedies: The court can order an ‘ineffectiveness order’
rendering the contract void &/or can award damages.

5. Why are these incidents occurring, and what can be done about it?
Non-compliant awards are made for a variety of reasons at the Post Office.

a) Low value, time constrained or highly sensitive/specialist engagements
are common. For example, the Board have requested a number of
expedited reviews since the New Year on a short turn-around time.

b) Large commercial arrangements cannot often be easily competed or
unravelled without operational impact, and re-procurement may be
subject to a pending evolution of a supporting Business Strategy.

c) The contractual arrangements may pre-date PCR 2015 regulations or the
contract novated during separation from RMG, automatically becoming
non-compliant at the renewal point. Non-compliant awards are frequently
made on a tactical basis to extend contractual services while public
tender processes are executed.

d) Delays to public sector panels of suppliers becoming available. The Post
office makes extensive use of this low cost route to market and
new/refreshed panels are subject to frequent delays from Crown
Commercial Services. Single interim extensions [of periods under 12
months] while tender processes are run are considered to be low risk
legally.

POL-BSFF-0218823_0096

e) Changes in scope or value over the term of a contract may render the
extension or renewal of services non-compliant. Material changes to the
scope of a contract may render the whole contract non-compliant.

f) Disregard for, or lack of understanding of the regulations.

6. Why are we receiving this report now?
A decision to collate this information into a single location was taken in the
Autumn of 2016. The aim is to track and improve our overall compliance and
commercial results as an organisation, while also ensuring perceptions are
accurate. It should be noted, however, that the register will also facilitate timely responses
to Freedom of Information requests, which adds risk to the Post Office
commercial landscape.

7. What is in the current Procurement pipeline which is high value and at risk of
being awarded non-compliantly?

Please see the attached table in Appendix B

Conclusion

Non-compliant awards of contracts are already subject to extensive internal
governance, legal and risk review, explicit GE and Board approval where value/risks
reach a minimum threshold.

The YTD non-compliance value is high at £15,008,212 the majority of which are interim
extensions while procurement processes are run and to allow for operational migration
risk to be mitigated. Individually, all large value non-compliant contracts have been
reviewed by appropriate Post Office governance forums with agreement on next steps
and actions towards remediation allocated where appropriate.

Executive support towards moving POL to a more compliant footing is very strong,
and, equally importantly, there is extensive support for the cultural change required
to ensure that Procurement activities and outcomes will support longer term business
strategies and reduce commercial risk, making our 3rd party arrangements fit for
purpose.

Input Sought

Review and note content only.

POL-BSFF-0218823_0097

The Appendix

1. Are any of these breaches arguable on regulatory grounds or are they all
breaches?

A full explanation of the individual compliance breaches is attached in Appendix 1.
Each entry details the nature of, and the value of the breach.

The Procurement Compliance Register does not at present give an indicative risk
level attached to the award. This information is provided to the accountable
executives under internal governance processes in the form of a PCR risk note before
a contract above threshold is entered into, and if necessary under Legal Privilege.
In addition, all signatories to a contract have sight of the Risk note as part of the
Contract Authorisation Form [CAF].

All entries are compliance breaches. A period of challenge applies to each PCR breach
once an aggrieved party becomes aware, or ought to have become aware, of it. This risk
finally expires six years from the date of breach. The defensibility of a legal
challenge is outlined within a Risk Note.

2. How many of the breaches were approved in advance and how many
retrospectively?

Seven contracts were entered into during this period, all compliant with internal
governance processes on contract and commercial review. All were for awards of
between £0 and £4,000,000.

3. Why were the approvals given?
The rationale for approval is relevant to the individual service and is detailed within
Appendix 1.

4. What were the unapproved, material breaches?
There were no unapproved, material breaches during this period.

5. Describe the causes of non-compliance to PCR regulations
Non-compliant awards of contract are made for a variety of reasons at the Post
Office:

a) Low value, time constrained or highly sensitive/specialist engagements are
common. For example, the Board have requested a number of expedited
reviews since the New Year on a short turn-around time.

b) Large commercial arrangements cannot often be easily competed or
unravelled without operational impact, and re-procurement may be subject
to a pending evolution of a supporting Business Strategy.

c) The contractual arrangements may pre-date PCR 2015 regulations or the
contract novated during separation from RMG, automatically becoming non-
compliant at the renewal point. Non-compliant awards are frequently made
on a tactical basis to extend contractual services while public tender
processes are executed.

d) Delays to public sector panels of suppliers becoming available. The Post
Office makes extensive use of this low cost route to market and
new/refreshed panels are subject to frequent delays from Crown
Commercial Services.

e) Changes in scope over the term of a contract may render the extension or
renewal of services non-compliant. Material changes to the scope of a
contract may render the whole contract non-compliant.

f) Disregard for, or lack of understanding of the regulations.

6. Describe what you are doing about the breaches. Where we are in breach, do we
have a plan to come back into compliance and over what time period will that
plan take effect?

a) A forward view of material contracts falling under each Business Unit is
currently prepared by the relevant Procurement Manager for discussions with
their key stakeholders. The maturity of this look ahead view does vary
currently and is a high priority activity within the team.

b) Sourcing options papers are prepared for review by contract managers and
key stakeholders [risk, legal, security] with routes to market agreed. In many
cases these are dependent on evolving business and operating model
strategies and the Procurement team are now actively involved with some
units helping to advise as thinking evolves.

c) Where a non-compliant award is proposed due to time pressure, Procurement
are actively working on long term mitigation with awards made on an interim
basis to meet urgent operational needs.

d) Each RCC member will now receive a regular report on compliance within
their business unit[s].

e) A new Risk & Governance process requires a Risk Exception report to be
created for non-compliant direct awards, with SLT or GE sign off.

f) All Professional Services engagements must be approved in writing in
advance by the COO. A compliant panel of preferred consulting partners has
been appointed and proposed engagements outside of this panel are subject
to additional review and challenge.

g) Procurement will now provide training as part of the revised Induction process
for new staff. Training packs are being updated for existing staff and made
available on the Intranet and ad hoc training sessions for interested Business
Units are being run.

h) A new Intranet site has been launched for Procurement to improve visibility of
process, regulation, and the panels of approved compliant suppliers available
to POL business units.

i) A revised POL Procurement Policy is being drafted giving more granular
guidance.

j) Using Crown Commercial Services frameworks, panels of Preferred Suppliers
are being refreshed and updated across a wide range of spend categories to
reduce time to market, improve compliance and greatly improve commercial
outcomes and legal risk.


k) A planned change to operational systems will, once live, give Procurement
earlier visibility of potential compliance issues eg: contractual value
thresholds.


[Appendix 1 (individual compliance breaches): the table is not legible in the extracted text.]

APPENDIX B: Procurement Pipeline - High Value Forecast or At Risk Non Compliance

[Table: the legible column headings are Category, Function, GE Member, SLT Owner, Supplier Name, Contract Expiry Date and Value; the individual row entries are not legible in the extracted text.]

Note: where compliant contracts are expiring, the risk commences from the start of the new non-compliant term.

Where contracts are already non-compliant, additional extensions will add to the financial risk of the prior value committed.

Value/Income (Multiple Items)

Function              Sum of Value     Count of Function
Branch Equipment      £10,000          1
Corporate Comms       £95,750          2
Financial Services    £1,289,647       6
HR                    £1,579,000       5
IT                    £1,075,500       5
Marketing             £2,318,000       5
NT Programme          £180,000         1
Property              £1,006,000       2
Research & Insight    £661,500         2
Retail                £2,767,000       4
Network               £25,815          1
Travel                £4,000,000       1
Grand Total           £15,008,212      35

[Charts: Value of Non-Compliant Spend by Function and Volume of Non-Compliant Spend by Function, plotting the figures in the table above.]
GROUP POLICIES
Supplier Relationship Management Policy
For review and comment
Version — V1.0
INTERNAL Page 1 of 34 6.0 Supplier Relationship Mgmt Policy v1.0

January 2018 Final for RCC Review


1. Overview 4
   Note: Content in bold is flagged as an Internal audit requirement
   1.1. Introduction by the Policy Owner
   1.2. Purpose
   1.3. Core Principles
   1.4. Application
   1.5. Supplier Management Risk
   1.6. Legislation
2. Introduction to Supplier Relationship Management and SRM 7
   2.1. Why do we need to do Supplier Management?
   2.2. What are Supplier Management and Supplier Relationship Management? 7
   2.3. When does Supplier Management need to happen? 8
   2.4. Who is responsible for Supplier Relationship Management?
3. Supplier Segmentation - first step in identifying in-scope suppliers 11
   3.1. What is Supplier Segmentation?
   3.2. When to segment suppliers
   3.3. How to segment suppliers
4. Required Supplier Management Activities - A summary
   4.1. Supplier Relationship Management Tools
5. Where to go for help
   5.1. Additional Policies
   5.2. How to raise a concern
   5.3. Who to contact for more information
6. Governance
   6.1. Governance Responsibilities
7. APPENDICES: Detailed Supplier Management requirements and guidance 19
8. Control
   8.1. Policy Version
   8.2. Policy Approval
Company Details


1. Overview

Note: Content in bold is flagged as an Internal audit requirement

1.1. Introduction by the Policy Owner

The General Counsel has overall accountability to the Board of Directors for the design and
implementation of controls to appropriately manage third party supplier relationships.
Supplier Management is an agenda item for the Risk committee and the Post Office board
is updated as required.

1.2. Purpose

Post Office must manage its third party supplier relationships to ensure continued delivery
of high quality services and optimal value, as well as have a structured approach to
managing and mitigating the ongoing risks of using a supplier. This is not just good
practice but also consistent with regulatory recommendations for suppliers deemed critical
to our financial services business and those who provide material outsourced services or
fulfil our contractual obligations to Post Office clients on a day to day basis. This Policy
has been established to set the minimum operating standards relating to the ongoing
management and controls of third party suppliers throughout the Group¹. It is one of a
set of policies which provide a clear risk and governance framework and an effective
system of internal control for the mitigation of risk across the Group. Compliance with
these policies supports the Group in meeting its business objectives and its contractual
obligations to its customers, and in balancing the needs of shareholders, employees² and
other stakeholders.

1.3. Core Principles
The governance arrangements described in this Policy are based upon the following core
principles:

• The interests of stakeholders are protected by ensuring that excessive powers are not
delegated to individuals;

• Decisions taken by management are consistent with the Group's strategic objectives
and Risk Appetite, which are approved by the Board;

• Appropriate conduct is demonstrated in executing the requirements contained within
the Policy;

• Every member of staff is responsible for understanding and managing the risk they
take on behalf of the Group;

• Clear accountabilities are delegated by management to people who have the right level
of skill, competency and experience;

¹ In this policy "Post Office" and "Group" mean Post Office Limited and Post Office Management Services Ltd
² In this policy "employee" means permanent staff, temporary including agency staff, contractors, consultants and anyone else
working for or on behalf of Post Office.


• All employees are required to comply with Group Policies.

1.4. Application

This Policy is applicable to all areas within the Group and defines the minimum standards
to manage the day to day supplier relationship once the supplier is on board and providing
services.

Failure to comply with the requirements of this policy by any employee will be regarded
as a [significant] breach impacting on the Group’s risk and control environment and may
lead to disciplinary action up to and including dismissal.

The risk to the Group in relation to Supplier Management is reviewed by the [[GE / board]]
on a regular basis.

1.5. Supplier Management Risk

Supplier Management (SM) encompasses all activities from inception of the requirement
to engage a supplier through to the end of that supplier relationship. Supplier Relationship
Management (SRM) is the activity within SM which manages the day to day supplier
relationship once the supplier is on board and providing services. This policy focusses
specifically on Supplier Relationship Management, but also provides an overview of the
wider requirements of SM. It summarises POL's approach to managing third party supplier
relationships and their subcontractors, with effort prioritised on suppliers deemed
Strategic/High Risk or Critical during supplier segmentation.

The Strategic/High Risk segmentation may also include suppliers who provide outsourced
services to the group or who co-ordinate and deliver services across them. These
outsource providers, in particular, require a number of mandatory supplier management,
and SRM activities to fulfil POL obligations to its clients and/or regulatory
requirements.

For Strategic/High Risk and Critical suppliers a Supplier Manager must be identified;
they are responsible for day to day management of the relationship and for completing
the activities required under this Policy. They must be identified by an overall accountable
business owner - an Accountable Executive - of the services being delivered who
retains the responsibility for ensuring appropriate ongoing supplier management is in
place.

This policy outlines the mandatory and recommended activities that a Supplier Manager
must complete in line with related policies and the group’s current view of best practice.
For SRM, these requirements include:

• Completion of annual due diligence on the supplier

• Monitoring of supplier performance to agreed SLAs, KPIs and contractual
obligations

• Management of agreed risks, issues, escalations and change control
procedures

• Conducting annual strategic reviews plus other service development,
innovation and performance review meetings

• For Outsourcing arrangements, completing annual audits, review of all
obligations (including exit), regular security penetration and disaster
recovery testing, and submission of a Quarterly SRM Dashboard to
Procurement.

• Adherence to a contractually agreed Supplier Management Governance
Model.

The mandatory and recommended supplier management activities outlined for
Strategic/High Risk and Critical suppliers may also be adopted as best practice for any
supplier at the business owner's discretion.

1.6. Legislation

Guidance has been sought from Risk on any legislation which may apply to supplier
management specifically.


2. Introduction to Supplier Relationship
Management and SRM

2.1. Why do we need to do Supplier Management?

Post Office is dependent on a number of third party suppliers to help us deliver market
facing services, revenue generating products or critical activities across our business. This
may be through direct outsourcing of services to them or via their provision of
goods/service to us which enables us to continue our critical business activities.

In parts of our group we are required by regulatory bodies and government authorities to
carefully manage those dependencies, thereby ensuring our critical business operations
are not impacted by loss or interruption of supply. Specific focus is given to outsource
providers but increasing attention is being given to critical suppliers.

In addition, it is the desire of the Post Office Group that we should apply a similar level of
rigour to our higher risk or strategic third party relationships, even if we are not obliged
to by an external body. This is good business sense. Formal Supplier Management is not
required for all suppliers, however this policy aims to clarify those requirements and on
what basis they apply.

Furthermore, one of the key aims of good supplier management is to ensure that the Post
Office obtains value for money from its suppliers and its contracts, and that those
contracts are continually aligned and realigned where required with the organisation's
needs.

2.2. What are Supplier Management and Supplier Relationship
Management?

At the highest possible level, good practice and regulatory guidance considers adequate
Supplier Management (SM) to include the following activities, covering the period from the
inception of a supplier requirement through to the end of the relationship:

• Rigorous and compliant³ supplier selection and contracting, including due diligence on
the potential third party supplier;

• Appropriate approval⁴ to proceed with engagement of the supplier from suitably
authorised and accountable individuals within the organisation;

• A clear plan implemented from the activities that will be in place to manage the
relationship and supplier's performance;

• An agreed set of controls and procedures to mitigate, manage and respond to emerging
risks;

• Clear roles and responsibilities defined for the performance of these activities and
ultimate accountable executives who can assure that these activities take place;

• Regular (in most cases annual) reviews of the supplier to ensure it remains a going
concern and to manage risk to the group;

• Sufficient exit management procedures at the end of the relationship to protect the
group's interests and minimise the risk of disruption to business operations.

⁴ Currently the Procurement Sourcing Councils and CAF Process at the point of contract


Supplier Relationship Management (SRM) is an integral part of overall Supplier
Management. It is concerned with the day to day activities to manage and drive value
from the relationship with the supplier once it has contractually commenced.

Through this policy and associated framework documents, Procurement has overlaid
additional best practice Supplier Relationship Management guidance which enables the
group to obtain optimal value from the supplier relationship, leading to the following
benefits:

• Ensure contractual commitments, service levels and quality of service expectations are
met throughout the life of the relationship;

• Delivery of optimal value from the relationship in financial and non-financial terms;

• Enable the creation of successful relationships, shared objectives and facilitate innovation.

Furthermore, best practice supplier management provides a holistic view of supplier
experience, enabling delivery of key information to a range of stakeholders, and allowing
suppliers to be measured on a balanced set of metrics.

Procurement expects this Policy to be continually updated as the view of best practice or
the regulatory environment evolves. It welcomes any feedback or suggestions which could
enhance the Policy and associated framework documents.

³ With Public Contract Regulations 2015.

2.3. When does Supplier Management need to happen?

It is important to understand that supplier management needs to happen at all stages of
a relationship with a supplier:

Before supplier selection: developing and agreeing a suitable business case and
justification for using a third party versus in-house, assessing the risks and benefits of all
scenarios. In some circumstances, regulatory or client approval may also be required.

During supplier selection: treat potential suppliers equally and without discrimination,
acting in a transparent and proportionate manner, and compliantly in line with Public
Procurement legislation; assess the potential supplier(s)' ability to deliver the goods and
services required, through proper due diligence and a rigorous selection process. For
outsource providers, rigorous control, approval and transition activities need to be in place.

During contracting: agreeing appropriate contractual protections and SLAs/KPIs with the
supplier. Planning for implementation and transition, including identification of an
Accountable Executive and a Supplier Manager.

During implementation: agree and document the roles, governance and necessary
supplier management activities that will be required from Day 1 of the service, including
during handover from the business owner to the Supplier Manager.

Through the life of the contract in the form of Supplier Relationship Management:
carry out supplier reviews, monitor supplier performance and annual due diligence where
required.

At the end of the contract: manage transition of the service back in house or to an
alternative provider, ensuring risk to operations or business is mitigated throughout the
transition period. Ensure group assets held by the supplier are adequately managed or
disposed of as appropriate.


2.4. Who is responsible for Supplier Relationship Management?
Business Owners and Accountable Executives

The Business Owner/Accountable Executive of the services provided by a supplier
is ultimately responsible for ensuring that all activities required by this policy and all
related framework documents are completed. The Accountable Executive retains
accountability for ensuring that proper supplier management is in place throughout the
supplier relationship.

• The business owner must ensure completion of all other SM activities in compliance
with the Procurement Policy and other related policies.

• They must identify a Supplier Manager / Product Manager for each applicable
supplier at the appropriate time.

• The term Supplier Manager refers to employees in any part of the group who, in
either a formal or informal capacity, have responsibility for managing the day to day
relationship with, and performance of, a third party supplier to the Post Office Group.
This will involve management of the supplier to pre-determined service level
agreements (SLAs) and Key Performance Indicators (KPIs) as well as facilitating
periodic supplier review and service innovation meetings. In the absence of a defined
Supplier Manager the business user who owns the spend requirement and budget is
responsible.

• For highly complex third-party contracts a team of Supplier Managers may be put in
place to effectively manage day to day and Change activities. These roles and detailed
job descriptions and responsibilities may be specific to a business unit or the contract
needs and are detailed within the Appendices where they exist.

• It is expected that typically the business owner of the goods/services to be provided
by the supplier will perform this role as part of their business as usual responsibilities
and not as a new formal role.

• The Policy and its associated guidance documents [[is/are not]] specifically intended
for application to client based relationships. However, the approach and methodologies
contained within these guidelines can be effectively applied to the management of
those relationships as required.

Supplier Managers: execution of SRM activities

The Supplier Manager (or business owner in the absence of a formally defined Supplier
Manager) is responsible for day to day management of the supplier relationship and
execution of SRM activities in line with this Policy, to include the following in addition to
those defined SRM activities:

• Raising purchase requisitions and receipting ahead of payment to the supplier by
Finance on an ongoing basis;

• Managing the commercial arrangements with suppliers, including correct engagement
with Procurement and other business functions as required in line with Procurement
policy and other related Policies.

• Providing a single overview/coordination point on behalf of their business entity
including where this requires facilitation of other functions e.g. Legal, Business
Continuity, Information Security, Procurement, Audit, Risk, Compliance.

• Aggregating a single view of the supplier in terms of commercials and service delivery.


Procurement: best practice, guidance and advice.

This Policy is owned by Procurement. The ultimate owner of the Policy, the guidance and
the standards contained within is the [[General Counsel]].

Procurement is responsible for:

• Defining, maintaining and updating the Supplier Management Framework based on
best practice principles, including continual updates based on information received from
other business functions regarding change in policy, procedure or regulatory
requirement.

• Defining the appropriate application of the policy to certain types of supplier and the
associated segmentation standards and terminology defined within the Procurement
Policy and related frameworks.

• Providing, where possible, best practice tools and templates for use by Supplier
Managers.

• Providing guidance, advice and support to employees and Supplier Managers in
appropriate implementation of the Policy and execution of SRM activities.

• Support to the business in the selection of a new supplier and ongoing management
of all suppliers, in line with the Procurement Policy. For Critical and Strategic/High Risk
suppliers, providing contract management support. For all other types of supplier,
providing ad-hoc advisory support.


3. Supplier Segmentation - first step in
identifying in-scope suppliers

3.1. What is Supplier Segmentation?

Supplier Segmentation is the generic term for completing a risk assessment of a supplier,
using a range of pre-defined criteria and risk factors, ultimately determining if a supplier
is a Low, Medium, or Strategic / High Risk. Segmentation determines if the supplier is also
a Critical Supplier. Not all suppliers will be Critical.

3.2. When to segment suppliers

Segmentation of the supplier (particularly where a new supplier is to be selected) should
be completed at the earliest possible point when a potential spend requirement has been
identified and at a minimum prior to on-boarding and contracting with a supplier. Since
procurement typically considers multiple suppliers during the selection process,
segmentation will normally be based on the business activity we require of the suppliers
(their “Category”) but once a supplier is known, re-segmentation is necessary which may
require additional due diligence.

The identification of Strategic/High Risk and Critical Suppliers through segmentation is
essential in determining the correct levels of due diligence. For Strategic/High Risk
suppliers which will also be providing outsource services, the importance is even greater
as the preparation/due diligence requirements are more stringent for the protection of the
Post Office group.

If a new service is introduced with an existing supplier, then that supplier’s segmentation
and associated mandatory activities should be reassessed ahead of introduction of the new
service.

3.3. How to segment suppliers

In line with Procurement policy, the Supplier Segmentation Tool should be used to
correctly segment suppliers based on latest risk criteria.

The criteria set is agreed by a cross-functional working group (including Finance, Business
Continuity, Information and Data Security, Legal, Procurement and Risk) based on
policies and practices. The Segmentation Tool consolidates these and provides an efficient
way to complete and document the segmentation.

The segmentation, risk factors and due diligence requirements will not, and should not,
remain static. They will continually evolve to incorporate emerging risks and new risk areas
which may be driven by external market forces, new business and internal risk appetite.

The table below summarises the criteria for Strategic/High Risk and Critical suppliers at
the time of publication, but you should refer to the Supplier Segmentation Tool to
ensure an up to date assessment. If any of the criteria are true, the classification applies
(i.e. a Supplier can be both Strategic/High Risk and Critical).


Strategic / High Risk criteria:

- Provides outsourcing of business functions and people including regulated activities.
- Total value of the expected contract >£1m per annum (excl. VAT) OR spend is >25% of business unit's cost base.
- Expected term of contract >5 years.
- Potential for adverse reputational / brand impact - Major impact to brand value/market share, adverse publicity, legislation or regulator breach leading to fines, loss of revenue >£1m.
- Revenue generation and creation of Intellectual Property (IP) - Direct contribution to creation of IP / market facing products or services or integral to ongoing generation of revenue.
- Ability of POL to influence the selection of supplier or quality of goods/services received - Use of the supplier has been mandated* by client, customer and there is no ability to influence - Monopoly market provider. [*Note this would be a breach of the law under PCR Regulations but could potentially apply elsewhere within the POL Group.]
- Ease of implementation of supplier's goods/services - Complex implementation effort requiring >6 months to complete and involvement of multiple business units.
- Ability to switch suppliers once implemented - >6 months to transition away from the supplier and/or significant financial penalties and/or organisational change.
- Dependency on supplier - Highly dependent on single/niche/specialist supplier for bespoke services/goods; very limited - if any - alternative supplier choice.
- Sanctioned / Politically Exposed Individuals or organisation - Supplier has known connections to a sanctioned individual or is a sanctioned organisation.
- High Risk Geographies - Supplier's geography of incorporation or significant operations rated "Amber" or "Red" on the POL Risk Register.

Critical criteria:

- Business Continuity: Supports critical infrastructure or business operations.
- Business Continuity: Supports the recovery of the business in the event of a crisis.
- Business Continuity: Supports the critical activities of the Post Office through the provision of services or information.
- Business Continuity: Provides critical business infrastructure to the
- Cyber / Information Security Risk: Supplier will have physical or logical access to Post Office systems or Data (excludes intragroup entities, suppliers providing hardware or software only).
- Data Security: Supplier will have physical or logical access to Post Office Customer Data.


4. Required Supplier Management Activities - A summary

• This framework follows on from prior Segmentation and Due Diligence activity
described within this Policy. Critically, the Supplier Segmentation tool must be used
to determine the segmentation of the potential supplier, and therefore the application
of this framework.

• It is expected that suppliers in any risk segment may also be classified as Critical,
therefore requiring ongoing supplier management and due diligence; however not all
Strategic / High Risk suppliers will necessarily be Critical, and vice versa.

• The following table summarises the supplier management requirements for suppliers
depending on their segmentation and overall risk level.

Activity | Requirement(s) by supplier segment

Engage procurement prior to spend commitment | MANDATORY [consult the Procurement Policy and engage Procurement team as required]
Initiation - formal business case by Business Owner and sign off checkpoint | Not required | MANDATORY | MANDATORY | Not Required
Due diligence prior to on-boarding and contracting | MANDATORY (as directed by Segmentation Tool) | MANDATORY (in addition to what is required based on risk level)
Identification of Supplier Manager | Not Required | MANDATORY
Formal transition plan agreed in contract | Not Required | Not Required | MANDATORY | Not Required
Agree Supplier Management Plan including SRM, governance and roles | Not Required | MANDATORY
Ensure sufficient contractual provisions | MANDATORY
Agree appropriate KPIs / SLAs in place | Recommended | MANDATORY
Formal Control checkpoint prior to contract signature | MANDATORY
Handover: Business Owner to Supplier Manager | Not Required | MANDATORY
Complete SRM:
  Annual Due Diligence | Not Required | MANDATORY
  KPI/SLA Monitoring | Not Required | MANDATORY
  Management of agreed risk, issue, escalation and change control procedures | Not Required | MANDATORY
  Conduct annual strategic reviews plus other service development, innovation and performance review meetings | Not Required | MANDATORY
  For Outsourcing, completing annual audits, regular Penetration and disaster recovery testing, and submission of Qtrly SRM Dashboard | Not Required | MANDATORY
  Exit Management | Not Required | MANDATORY

4.1. Supplier Relationship Management Tools

Supplier Segmentation Tool

The Supplier Segmentation Tool has been created by the Procurement Team to assist
Supplier / Product Managers to determine the level of risk exposure and engagement
required for new and existing suppliers.

The Tool can be found [insert link to Procurement Intranet site]

[Embedded spreadsheet: Supplier Classification.xlsx - POST OFFICE SUPPLIER SEGMENTATION / CLASSIFICATION. NOTE: Suppliers meeting criteria flagged in red shall also be deemed "Critical" or "High Risk".]


5. Where to go for help

5.1. Escalation and reporting of issues

Supplier Managers should report and escalate issues or risks identified through the course
of Supplier Relationship Management activities as required by the Post Office Risk
Management Framework and any related policies. Business Owners and Accountable
Executives are ultimately responsible and accountable for ensuring compliance with
required Risk and policy reporting requirements.

5.2. Additional Policies
This policy is one of a set of policies. The full set of policies can be found at:

https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx

5.3. How to raise a concern

Any Post Office employee who suspects dishonest or fraudulent activity has a duty to:

• Discuss the matter fully with their Line Manager; or,

• Report their suspicions by telephoning Grapevine o

• Staff can contact the Procurement Director, currentl
be contacted by email at: barbara.brannor_

• Staff can contact the Post Office's General Counsel, currently Jane MacLeod, who
can be contacted by email at: whistleblowing GRO or by telephone
on:

• Alternatively staff can use the Speak Up service available on

• or via a secure on-line web portal: http://www.intouchfeedback.com/postoffice; or,

5.4. Who to contact for more information

If you need further information about this policy or wish to report an issue in relation to
this policy, please contact Procurement.


6. Governance

6.1. Governance Responsibilities

The policy sponsor, responsible for overseeing this policy is the General Counsel of Post
Office Limited.

The policy owner is the Procurement Director, who is responsible for ensuring that the Risk
& Compliance Team conducts an annual review of this policy and tests compliance across
the Group. Additionally, the Director of Risk and Compliance is responsible for providing
appropriate and timely reporting to the Risk and Compliance Committee and the Audit and
Risk Committee.

The Audit and Risk Committee is responsible for approving the policy and overseeing
compliance.

The Board is responsible for setting the group's risk appetite.


7.0 Appendices: Detailed Supplier Management requirements and guidance

7.1 Initiation (Outsource suppliers)

Step 1: Requirements analysis and risk assessment

When to complete: Post-supplier segmentation and after confirmation the service includes outsourcing

Activity: Complete a requirements analysis and risk assessment to identify/enable:
- The business processes to be outsourced and the materiality of these in the context of the business and/or service they support
- The required service levels that the supplier will have to commit to
- The ability of Post Office to maintain appropriate internal controls and meet regulatory requirements (if applicable), particularly if the supplier were to experience problems
- Consideration of the need to seek 3rd Party [Client/Customer/Regulatory] approval or non-objection, any current advice or guidance provided by them, and the need to consult with any of these partners
- Consideration also of whether the nature of the outsource will bring increased or new risks
- Initial consultation and non-objection from partners
- Consideration of the extent to which outsourcing is preferable to undertaking the activity in-house
- Consideration of the ability for intra-group outsourcing versus third party supplier and the impact of PCR regulation on that option

Outputs: Requirements analysis

Responsible: Business Owner

Approvals [A] or Consultations [C]: [C] Compliance and/or Outsourcing Policy Owner


7.1 Initiation (Outsource suppliers) (cont)

Step 2: Prepare a high level business case

When to complete: Post-supplier segmentation and after confirmation the service includes outsourcing

Activity: Prepare a high level business case which provides detail and analysis of the following:
- The extent to which outsourcing is preferable to undertaking the activity in house
- All potential costs and benefits (hard and soft) of the outsource, including any cost saving incentives to be put in place with the potential supplier
- The compliant Public Procurement Process which must be followed in order to award the contract

Outputs: High level business case

Responsible: Business Owner

Approvals [A] or Consultations [C]: [C] Finance Business Partner; [C] Procurement

Step 3: Sign-off Checkpoint

When to complete: Post-supplier segmentation and after confirmation the service includes outsourcing

Activity: A formal checkpoint should be held on the conclusion of the prior steps to decide whether or not to proceed with supplier selection.
- Review and approval of the high level business case from appointed, accountable executives of the Post Office or relevant group entities
- For POMS Ltd notification is required to the relevant XYZ...
- The compliant Public Procurement Process which must be followed in order to award the contract. For details of the Procurement processes please review the Procurement Policy

Outputs: Approval to proceed to supplier selection

Responsible: Business Owner

Approvals [A] or Consultations [C]: [C] Relevant Authority [GE/Board/Exec]; [C] Compliance; [A] Relevant Accountable Executives


7.0 Appendices: Supplier Relationship Management Framework

7.2 Due Diligence

When to complete: Pre-contracting, post-Supplier Selection

Activity: Complete Supplier Due Diligence as required by the Supplier Segmentation Tool, to include:
- Check of supplier's past experience, capability and competence to implement and support the proposed activity over the contract period
- Any potential conflicts of interest between the potential supplier and the Post Office, or its entities and employees, and a plan for resolution
- Assessment of the supplier's business reputation and culture, compliance, complaints and outstanding or potential litigation; open audit considerations or notes to the supplier's financial statements or regulatory censure
- Review of Supplier's customer references
- Review of supplier's Corporate Social Responsibility and policies and their agreement to Post Office policies and codes of conduct
- Relationships between the Supplier, its supply chain, and/or sanctioned territories or individuals which could create reputational risk for Post Office
- Completion of a Business Continuity Management questionnaire and review with BCM team
- Completion of an Information Security questionnaire and review with InfoSec team
- Consideration of Insurance provisions as relevant to the goods and/or services
- 's premises or operations, if required

Outputs: Due diligence summary and action plan for any actions for management / mitigation pre and post contract

Responsible: Business Owner

Approvals [A] or Consultations [C]: [C] Procurement; [C] BCM/IS/Compliance as needed; [C] Legal as needed


7.0 Appendices: Supplier Relationship Management Framework

7.3 Transition Planning

When to complete: During contracting

Activity: A transition planning exercise must be undertaken as a joint exercise with the supplier and should be
- Onsite due diligence by the service provider (particularly for outsource services, to ensure a thorough understanding of the processes or services to be outsourced)
- Communication with affected staff if relevant
- Hiring and induction of new staff to support the service or outsourced team
- Training, knowledge transfer and parallel run between all parties
- Stabilisation and efficiency period required
- [Onshore] Decommissioning / staff reductions and/or TUPE (where relevant)
- Identification of risks specific to the transition period with mitigating actions as appropriate
- Clear roles and responsibilities on all sides
- Embedding and scheduling Supplier Management and SRM activities and responsibilities of the supplier
- Agreed reporting and escalation paths for any issues during transition

Outputs: Agreed transition plan (formally documented in contract for outsource suppliers)

Responsible: Business Owner

Approvals [A] or Consultations [C]: [A] Supplier; [C] Service owners and users; [C] Supplier Manager; [C] Other business functions as needed e.g. HR, affected business units, Technology


7.0 Appendices: Supplier Relationship Management Framework

7.4 Agree Supplier Management Plan

When to complete: Pre-contracting

Activity: Agree the Supplier Management Plan, to include:
- Schedule and timings of mandatory Annual Strategic Review Meetings (incl. attendees, agenda, scorecards to be reviewed)
- Schedule and timings of quarterly, monthly or regular checkpoint service reviews (as applicable under the Supplier Segmentation agreed)
- Schedule and timings of recurring due diligence activities
- Issue escalation and resolution procedures, with accountable owners assigned
- Definition of formal Supplier Management Team roles, to include at a minimum:
  - Accountable Executive: Individual holding overall accountability for the relationship and supplier engagement
  - Business Owner(s): representative of business unit who receives or will receive the service (multiple to be defined where multiple entities or units are receiving services). This is not the Project Manager.
  - Supplier Manager: individual(s) responsible for the day to day management of the supplier relationship and facilitation of SM activities. The Supplier Manager should be identified as early as possible in the process of selecting a supplier such that they can be part of the team undertaking supplier selection, along with Procurement. Complex supply e.g. large outsourcing may require a number of resources to deliver the day to day commercial management of the Supplier. The particular roles and responsibilities within that team should therefore be documented within the Supplier Management Plan and, if possible, replicated within the Supplier's team facing into the Post Office.
  - Service Owner: overall service owner who has the holistic view of the services being provided to all Business Entities
  - Service Manager: manages the day to day, business as usual activities between the supplier and the Post Office. May support the Supplier Manager and service owners in completion of their duties.
  - Procurement Representative

Outputs: Supplier Management Plan

Responsible: Business Owner

Approvals [A] or Consultations [C]: [A] Accountable Executive; [C] Service owners and users; [A] Supplier Manager; [C] Procurement and other business functions as needed e.g. HR, affected business units, Technology


7.0 Appendices: Supplier Relationship Management Framework

7.5 Ensure sufficient contractual provisions

When to complete: Contracting

Activity: Procurement and Legal must be engaged to support drafting of an appropriate, fit for purpose contract, to include:
- Transition plan for outsource services
- Contractual service levels and means of monitoring / reporting, including performance measures such as key risk and key performance indicators (see next section)
- Protection of confidential information and/or segregation of information
- Contingency and business continuity plans and implementation of equivalent business continuity requirements aligned to Post Office policies
- Termination rights and procedures
- Information security and internal control, audit coverage, reporting and monitoring environment
- Vetting of third party supplier employees or confirmation of compliance to Post Office standards
- Service credits in the event service levels are not met
- Compliance with applicable Post Office policies including modern slavery, anti-bribery and corruption
- Special requirements such as physical access control
- Clearly defined descriptions of the service to be provided and the responsibilities of each party
- Notification of any material change in circumstances of the supplier which could have a material impact on the provision of service
- Contract management and escalation including dispute resolution
- Exit management rights and procedures
- Insurance cover
- Ownership of Intellectual Property and data, and obligations in respect of management of IPR
- Roles and responsibilities, and restrictions on changes to key personnel
- Limitations on sub-contracting or pre-approval on sub-contracting, and liabilities
- Compliance and co-operation, where required, with applicable regulatory requirements and bodies
- Audit / Access rights, including the rights of on-site access for regulatory bodies
- Benchmarking or other commercial activities relevant to the service

Outputs: Draft contract and transitional arrangements schedule, Contract Approval Form [CAF], Contract & Commercial Summary form, PCR Risk Note, Risk Exception Note [if required]

Responsible: Business Owner, Procurement [as

Approvals [A] or Consultations [C]: [A] Legal; [A] Procurement; [A] Supplier Manager; [A] Supplier


7.0 Appendices: Supplier Relationship Management Framework

7.6 Agree KPIs / SLAs / Contractual Obligations (mutual outputs to meet)

When to complete: Contracting

Activity: Agreement of service levels and performance measures to include:
- Definition of critical service levels (cost, time, responsiveness, quality, customer satisfaction, volume, accuracy): overall expectations of service
- Definition of performance measures (KPIs): specific performance measures and how they will be calculated and reported. KPIs are the indicators and early warning signs of potential or actual breaches of service levels.
- Key Risk Indicators (KRIs): leading or lagging metrics which identify emerging risks
- Agree monthly, quarterly, annual reporting and MI requirements, and their delivery SLAs to enable the service(s) to be managed effectively and in a timely way. Ensure that Post Office obligations on fault reporting to customers and clients are "backed-off" in order that Post Office can meet its contractual obligations on time.
- Define reporting scorecards and requirements for measurement and reporting, including roles, recipients, responsibilities for both sides
- Agree contractual consequences of material and repetitive low level SLA breaches, escalation paths and dispute management
- Consider service related circumstances under which Post Office would wish to Terminate for Cause and ensure appropriate contractual remedies are in place
- Ensure a mechanism for review and realignment of SLAs/KPIs is included to allow for additional or reduced services over time
- Ensure reporting and declaration of compliance for regulatory or contractual obligations are detailed separately
Refer to Procurement for guidance on KPIs / SLAs which are appropriate to the service to be provided.

Outputs: Draft contract incl. Schedules incl. SLAs and KPIs [what to report]; Supplier Scorecard(s); Updated Supplier Management Plan incl. monitoring and reporting plan (what/how will be measured and reported and by whom)

Responsible: Business Owner, Procurement [as directed by the

Approvals [A] or Consultations [C]: [A] Supplier; [A] Procurement; [C/A] Supplier Manager and Service Manager


7.0 Appendices: Supplier Relationship Management Framework

7.7 Approval and Formal Control Checkpoint

When to complete: Contracting

Activity: A formal Control Checkpoint must be conducted and approvals documented. Business Owners and Procurement should consult with Post Office Company Secretariat to ensure governance is
The attendees should include as appropriate [mandatory attendees in bold]:
- Accountable Executive, representatives from General Executive / Board as appropriate
- Managers of business areas impacted
- Legal, Risk
- Procurement
- Supplier Manager
- Business Owner
- Service Manager

Checkpoint meeting must consider and approve, in principle:
- The proposed governance and supplier management approach, including roles and responsibilities via the Supplier Management Plan
- Key contractual terms and conditions via the draft contract and Contract Approval Form
- Summary of supplier risks, due diligence actions taken and any residual risk requiring post-contract mitigation or sign-off by the Accountable Executive(s)
- Updated final business case
- Transition Plan
- A Go / No Go decision to proceed to contract signing and transition

[Drafting note: CAF is under review. Subject to Co-Sec approval this process may take place virtually, via a Contract Summary Form walk around and completion of the CAF process.]

Outputs: Minutes of Control Checkpoint meeting with Go / No Go decision

Responsible: Business Owner

Approvals [A] or Consultations [C]: [A] Supplier; [A] Procurement; [C/A] Supplier Manager and Service Manager


7.0 Appendices: Supplier Relationship Management Framework

7.8 Handover: Business Owner to Supplier Manager

When to complete: Post-contracting and implementation

Activity: The Business Owner should complete a minuted Handover Meeting to the nominated Supplier Manager which ensures successful transition to the Supplier Manager, including:
- Roles and responsibilities clearly agreed and communicated
- Supplier Management Plan agreed and handed over
- Scheduling of annual activities including Due Diligence
- Scheduling of performance monitoring activities
- Scheduling of reviews both internal and with the Supplier
- Scheduling of Monthly/Quarterly SM Dashboard submissions (for Outsource)
- Agreed next steps to establish performance monitoring, reporting, risk and issue management, escalation and change control processes and the retention of documentation relating to those
- Change notes, billing and invoice management (internal SLAs on turnaround times)

Outputs: Minutes of Handover meeting

Responsible: Business Owner

Approvals [A] or Consultations [C]: [A] Supplier Manager; [A] Business Owner


7.0 Appendices: Supplier Relationship Management Framework

7.9 SRM: Annual Due Diligence

When to complete: Annual, prior to Annual Service Review Meeting

Activity: The Supplier Manager is responsible for completing required annual due diligence on a timely basis. The due diligence required is dependent on the segmentation of the supplier. The supplier should be re-segmented at a
Supplier Managers should refer to the latest version of the Supplier Segmentation Tool and to Procurement due

Minimum requirements for Strategic / High Risk suppliers:
- Financial Health check
- Conflict of interest checks
- Operations and Capability assessment
- Review of company information, CSR, regulatory and risk management background
- High Risk country or Sanctions. Low risk for Post Office; however, any offshore locations relevant to services should be considered.

Minimum requirements for Strategic / High Risk suppliers including Outsource:
- BCM and IS questionnaires or statement from supplier of no change
- [Annual Audit - to be discussed at RCC, possibly applicable to BOI and RMG relationships??]
- Evidence of disaster recovery / BCM and penetration testing as required
- Statement of, and evidence of, compliance to key contractual obligations e.g. staff vetting

Minimum requirements for Critical suppliers:
- BCM and IS questionnaires or statement from supplier of no change
- Financial Health check [- to be discussed - subject to review of final number of suppliers deemed critical]

Outputs: Results of due diligence. Issues noted in due diligence escalated to appropriate individuals or business functions. Relevant risks, issues or actions noted in corresponding logs and owners assigned.

Responsible: Supplier Manager

Approvals [A] or Consultations [C]: [C] Procurement, BCM, IS teams, Supplier; [C] Business Owner, Service Manager and Accountable Executive


7.0 Appendices: Supplier Relationship Management Framework

7.10 SRM: Monthly Service Performance Review

When to complete: Post Implementation, Monthly

Activity: Monthly Service Performance Review.
Attendees to include:
- Supplier Manager
- Business Owner
- Service Manager
- Procurement as requested if there is a performance issue or commercial aspect to the discussion. For complex Outsource arrangements, Procurement responsibilities may be delegated to a Commercial Vendor Manager as part of the Supplier Manager team responsible for the supplier. Under these circumstances, Procurement should attend annually at a minimum or where there is a dispute.

Agenda:
- Review of KPIs and service performance in the period
- Financial performance, billing and invoicing, aged debt
- Agree performance improvement actions and incident resolution actions
- Review and approve Change Requests
- Review open Actions Log
- Review open Risk Log
- Review any compliance or contractual obligation activity due, Certification, or as required

Outputs: Minutes of meeting circulated to attendees; Service / Supplier Scorecard (KPIs and Service Levels); Risks, Issues, Incidents Log updated with mitigating actions; Performance Improvement Plan if required; Change Control Log; Actions Log; Updated Risk Log

Responsible: Supplier Manager

Approvals [A] or Consultations [C]: [C] Business Owner, Service Manager and


7.0 Appendices: Supplier Relationship Management Framework

7.11 SRM: [Half Yearly] / Quarterly Service Development Meeting

When to complete: Post Implementation, Quarterly

Activity: Quarterly Service Development Meeting.
Attendees to include:
- Supplier Manager
- Business Owner
- Service Manager
- Accountable Executive
- Procurement
- Business Owners / Units as required

Agenda:
- Business review including service and financials
- Review of market trends and trading updates
- High priority action items
- Agreement of key deliverables, Transition Plan (if appropriate) and status of Performance Improvement Plans
- Review and approval of significant Change Requests
- Review of any audit or risk assessments or findings
- Innovation actions, activity or opportunities
- Service improvement opportunities, actions

Outputs: Minutes of meeting circulated to attendees; Service / Supplier Scorecard (KPIs and Service Levels); Risks, Issues, Incidents Log updated with mitigating actions; Performance Improvement Plan if required; Change Control Log; Actions Log; Updated Risk Log; Change Plans as required

Responsible: Supplier Manager

Approvals [A] or Consultations [C]: [C] Business Owner, Service Manager, Accountable Executive, Procurement service users or owners


7.0 Appendices: Supplier Relationship Management Framework

7.12 SRM: Annual Strategic Review Meeting

When to complete: Post Implementation, Quarterly

Activity: Annual Strategic Review meeting.
Attendees to include:
- Supplier Manager
- Service Owner
- Service Manager
- Procurement
- Accountable Executives of both parties
- Business Owners / Units
- Other Business functions at their discretion (Risk, BCM, Information Security, Legal, HR, Internal Audit)

Agenda:
- Overall trading and market conditions review: external and internal impacts
- Review of annual due diligence and agreement to mitigating actions
- Review of compliance to internal policies, contractual obligations and external regulations
- Review of Service Levels and KPIs
- Review of financial status and any risk/reward actions relevant
- Review of continuing appropriateness of contractual terms
- Review and approval of significant Change Requests and plans as required
- New business opportunities
- Review and agree significant changes to roles and responsibilities, specifically the Accountable Executive

Outputs: Minutes of meeting circulated to attendees and wider governance group; Service / Supplier Scorecard (KPIs and Service Levels); Risks, Issues, Incidents Log updated with mitigating actions; Performance Improvement Plan if required; Change Control Log; Actions Log; Updated Risk Log; Change Plans as required

Responsible: Supplier Manager

Approvals [A] or Consultations [C]: [C] Business Owner, Service Manager, Accountable Executive, Procurement service users or owners


POL-BSFF-0218823_0134

7.13 SRM: Exit Management

When to complete: Prior to contract exit

Activity: Agreement of a detailed Exit Management Plan, to include, where relevant:
- Communication with affected employees
- Hiring and induction of new employees as a result of insourcing, where relevant
- Training
- Parallel run and stabilisation approach
- Stabilisation/wind down and efficiency period
- Supplier decommissioning/employee impacts
- Identification of risks specific to the transition period with mitigation actions as appropriate
- Transfer/ownership of shared assets owned or assets provided by either party
- Requirements of termination/exit notice to supplier included in timelines

Outputs: Detailed Exit Management Plan supported by ...

Responsible: Supplier Manager

Approvals [A] or Consultations [C]: [C] Business Owner, Service Manager, Accountable Executive, Procurement service users or owners.

When to complete: Contract exit

Activity: Completion of an Exit Management Control Checkpoint to include the following attendees and agenda items as appropriate:
- Post Office CEO, Post Office Accountable Exec(s) as relevant, Business Owner, managers of Business areas impacted, Legal, Procurement (early engagement of Procurement is essential to plan any activity to source an alternative supplier)
- Supplier Accountable Executive and other individuals as required by the plan
- Review and agreement of exit management plan
- Go/No Go decision on exit

All documentation, plans, meeting minutes and formal contractual documents relating to the exit must be retained by the supplier manager/business owner for future audit.

Outputs:
- Agreed exit management plan
- Notices provided to supplier as contractually required
- Documents and audit trail to be retained for future audit


POL-BSFF-0218823_0135
8. Control


8.1. Policy Version

Date           Version   Updated by         Change Details
January 2018   1         Barbara Brannon    Roll out of Final version

8.2. Policy Approval

Group Oversight Committee: Risk and Compliance Committee and Audit and Risk Committee

Committee   Date Approved
POL RCC
POMS RCC    31st August 2017
POL ARC     18th September 2017
POMS ARC    25th September 2017

Policy Sponsor: General Counsel
Policy Owner: Procurement Director
Policy Author:
Next review: December 2019


POL-BSFF-0218823_0136

Company Details

Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers 2154540 and 08459718 respectively. Registered Office: Finsbury Dials, 20
Finsbury Street, London EC2Y 9AQ.

Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its Information Commissioner's Office registration number is ZA090585.

Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information Commissioner's Office registration number is 24866081.


POL-BSFF-0218823_0137
POST OFFICE PAGE 1 OF 6
RISK AND COMPLIANCE COMMITTEE NOTING PAPER
7. Internal Audit Report
Author: Johann Appel Sponsor: Jane MacLeod Meeting date: 18 January 2018

Executive Summary

Context

The purpose of this paper is to update the Committee on the PO Internal Audit activity
and key outcomes. This includes details of the work completed since the last Risk and
Compliance Committee (RCC) and Audit, Risk and Compliance Committee (ARC)
meetings in November and progress on the 2017/18 Internal Audit Plan.

Questions this paper addresses

- Is the Internal Audit Plan on track? What progress has been made since the
November RCC meeting?
- What progress is being made with completion of audit actions?
- Have any significant issues arisen that the committee should be aware of?

Conclusion

1. Progress against plan:

Delivery of the 2017/18 audit plan is making good progress and we have finalised three
more reviews since the November ARC meeting. Year to date we have now finalised
ten reviews, with a further four reviews currently in reporting. More emphasis is placed
on timely audit planning and as a consequence 13 reviews are currently being scoped
for delivery between January and March (5 internal control reviews and 8 change
assurance reviews). Current progress against plan is as follows:

[Chart: 2017/18 Combined Plan Status - Total Audits = 29. Legend: Completed, Reporting, Planning, Not started.]

(ARC approved baseline plan for 2017/18: 16 internal control reviews & 13 change assurance reviews)

A full summary of the 2017/18 audit plan status is included in Appendix 1.

Confidential RCC 18 January 2018

POL-BSFF-0218823_0138

2. Open and Overdue Audit Actions (as at 31 December 2017):

Audit Action Status:
Open (not yet due)    34
Overdue (<60 days)     1
Overdue (>60 days)     1
Total                 36

More detailed information is provided in paragraphs 10 - 11 of the report.

3. Significant Issues:
There are no significant issues we believe the committee should be made aware of.

Input Sought
The Committee is asked to note and provide comment as necessary.


POL-BSFF-0218823_0139

The Report

Changes to plan since November RCC and ARC meetings

4. Minor changes to the audit plan were approved at the November ARC meeting
following the refresh of the audit plan that was undertaken in October. Additionally
the committee requested a review of SuccessFactors to be undertaken in two
phases:

- Phase 1: An independent ‘go live’ readiness review; and
- Phase 2: A deep dive lessons learned review of the slippages and cost
escalations experienced by the programme.

5. No further changes to the plan were made during this reporting period.

Internal audit reviews completed
6. Since the November ARC meeting we have finalised the following three reviews:

- Integrated Change Plan and Dependencies (Change advisory)
- IT Networks (Change assurance)
- IT Security Transformation Programme (Advisory)

Our findings and observations are summarised below:

Audit / Key Messages

Audit: Integrated Change Plan & Dependencies (Ref. 2017/18-07), Appendix 2a
Advisory (Not Rated)
Sponsor: Angela Van Den Bogerd

Key Messages: This was an advisory review to assess Post Office's approach to
producing, managing and maintaining the integrated change portfolio delivery
plan. The review included an assessment of the maturity of Post Office's change
capability against industry best practice as defined by the Association for
Project Management.

We observed a Central Portfolio Team (CPT) that is eager to evolve from a team
whose focus is data collation, into a forward looking portfolio function that is
able to proactively manage the central portfolio of change and support project
and programme managers across the business. As this was an advisory review, the
report has not been rated; however, assessed against the Portfolio Capability
Maturity Model, we believe the CPT to currently be operating at Level 2 (Partial
Management Practices Displayed) on a 5 level maturity scale.

The recommendations from this review are aimed to help the business optimise how
it manages change at a maturity level appropriate for the organisation.


POL-BSFF-0218823_0140

Audit: IT Networks (Ref. 2017/18-16), Appendix 2b
Sponsor: Rob Houghton
Audit actions: 6 (2 P1, 2 P2, 2 P3; see Appendix 2b)

Key Messages: The purpose of this review was to provide assurance over the
programme to transition IT Network services from Fujitsu to Verizon by
31 March 2018.

We conclude that significant progress has been made in the delivery of the
network transition and project risks were for the most part managed
effectively. However, the target date of 31 March 2018 is challenging, with
some significant risks remaining, which require active management.

The most significant challenges to project delivery are:

- Issues with the integrity of the Master Site List (MSL), which is essential
for effective scheduling of the rollout of network hardware and performance of
network transition work;
- Enabling performance of network switchover in rural or outreach areas, due to
geography and weather-related constraints; and
- Limited engagement from outgoing suppliers, including Fujitsu and BT.

Audit: IS Transformation Programme (Advisory) (Ref. 2017/18-01), Appendix 2c
Advisory (Not Rated)
Sponsor: Rob Houghton

Key Messages: The Information Security Transformation programme is progressing
the deployment of an enhanced information security control environment. A
review of this programme was carried forward from the 2016/17 internal audit
plan and it was agreed with the ARC that Internal Audit will provide ongoing
assurance over the programme. This report summarises our observations between
March and December 2017.

Although we believe the work within the transformation scope is progressing and
the actions taken are relevant to improve the level of IS control, we have made
the following recommendations to benefit the programme:

- The project will benefit from defining a (one page) project plan and a
Security Road map (Completed).
- Consideration should be given to reporting transformation progress against
the main IS risks, rather than against agreed audit actions. This will be
particularly useful to stakeholders who are not close to the project.
- The project team deals with a number of project and BAU initiatives and
priorities are not always clear. Priorities should be clarified to ensure the
correct focus. Additionally the project should define how success within the
IS Transformation Programme will be measured.
- IS Transformation requires a behavioural/culture change from colleagues
across the business on how they deal with company information. This will only
be achieved through leadership, communication and awareness training.
- The level of control deployed should be benchmarked against best practices
(ideally a recognised Cyber Security framework).


POL-BSFF-0218823_0141
Reviews in Reporting

7. Reports for the following reviews are currently being drafted or cleared through
management:

    Review                                           Status / Remarks
 1  SAP SuccessFactors Payroll -                     Final draft report. Expected to be finalised and
    Go-Live Readiness Review                         circulated in time for ARC.
 2  Compliance with Banking Framework agreement      Draft report for management comment. Expected
                                                     to be finalised and circulated in time for ARC.
 3  MoneyGram: AML Compliance                        Draft report for management comment. Expected
                                                     to be finalised and circulated in time for ARC.
 4  Customer Complaints                              Report being drafted.

Reviews in Progress

8. No reviews were in fieldwork at the time of writing this report. The scope for the
following two reviews has been agreed and fieldwork will commence shortly
(with a further six reviews scheduled to start in January):

    Review                                           Status / Remarks
 1  Project Solar - HNGT Lite (Chameleon)            Terms of reference agreed.
 2  Branch Technology - EUC Transition               Terms of reference agreed.

Reviews in Planning

9. We are currently scoping the following reviews scheduled for delivery in Q4:

    Review                                                     BAU / Change   Timing (start of fieldwork)
 1  Telecoms Control Framework                                 BAU            January
 2  Business Continuity                                        BAU            January
 3  Data Protection (GDPR)                                     BAU            January
 4  Pension Scheme(s)                                          BAU            January
 5  Financial Reporting Controls                               BAU            February
 6  SAP SuccessFactors Payroll - Lessons Learned               Change         January
 7  Back Office Transition - Credence / MDM                    Change         January
 8  Back Office Transformation - POLSAP to CFS                 Change         February
 9  Network Transformation                                     Change         February
10  EUM                                                        Change         March
11  Peer to Peer Encryption Implementation ("Pin Pad")         Change         March

POL-BSFF-0218823_0142

Updates on Internal Audit Open and Overdue Actions

10. Audit actions are generally being completed on time and year to date 107 audit
actions have been completed (93 BAU and 14 Change Assurance actions). At 31
December 36 actions remained open, two of which were overdue.

Audit Action Status:   BAU   Change   Total
Open (not yet due)      31        3      34
Overdue (<60 days)       1        0       1
Overdue (>60 days)       0        1       1
Total                   32        4      36

11. Following is a summary of the overdue actions, reasons for delay and latest
status update:

Mails Segregation
Description of action and Priority rating: The issue around insufficient supply of
mail bags to be incorporated into the commercial conversations around the
mid-point review of the RMG agreement. (P2)
Due date: 30/11/17
Sponsor: Debbie Smith
Reason for delay: Commercial negotiations have been postponed until after the
Christmas period.
Status: Negotiations with RMG will now commence in Q4. (Update provided by action
owner, Sam Conway.)

Third Party Vendor Management (Change Assurance)
Description of action and Priority rating: A Vendor Management policy to be
created to outline baseline requirements with regards to the management of
vendor services. (P2)
Due date: 30/09/17
Sponsor: Jane MacLeod
Reason for delay: Resource constraints and interdependencies on other
initiatives / projects that are currently being delivered.
Status: The Vendor Management policy is in the process of being finalised and
will be submitted to the RCC in January 2018.

END OF REPORT

POL-BSFF-0218823_0143
Appendix 1


2017/18 Internal Audit Plan - Status as at 10 January 2018

No.  Title/Subject                                    Sponsor        Original/Addition   Timing        Status / Rating

Internal Control Reviews
1    VAT Process                                      A. Cameron     Addition            May
2    Lottery Prize Pay-out (Design effectiveness)     K. Gilliland   Addition            August
3    Financial Spreadsheet Controls                   A. Cameron     Addition            August
4    IT Control Framework (Advisory)                  R. Houghton    Original            March - Aug
5    Mails Process                                    K. Gilliland   Original            July
6    Information Security (2016) Follow-up review     R. Houghton    Original            September
7    IT Security Transformation (Advisory)            R. Houghton    Original            March - Dec   Advisory Report
8    Compliance with Banking Framework                N. Kennett     Original            August        Reporting
9    Customer Complaints                              A. Cameron     Original            November      Reporting
10   MoneyGram: AML Compliance                        J. MacLeod     Original            September     Reporting
11   Telecoms Control Framework                       N. Kennett     Original            January       Being Scoped
12   Business Continuity                              J. MacLeod     Original            January       Being Scoped
13   Data Protection (follow up) (GDPR)               J. MacLeod     Original            January       Being Scoped
14   Pension Scheme(s)                                A. Cameron     Original            January       Being Scoped
15   Financial Control Framework                      A. Cameron     Original            February      Being Scoped
16   IT Governance and IT Risk management             R. Houghton    Original            March         Not started
     FRES                                             N. Kennett     Original            February      Not started
     Client Settlements Process                       A. Cameron     Original            February      Not started
     Cyber Security (Ph 2)                            R. Houghton    Original            March         Not started
     Branch Cash Forecasting & Management             A. Cameron     Postponed           2018/19       Not started

Change Assurance
1    SAP SuccessFactors - Payroll                     M. Kirke       Original            June
2    Integrated Change Plan (Advisory)                A. vd Bogerd   Original            July
3    IT Networks                                      R. Houghton    Original            October
4    SAP SF Payroll Go-Live Readiness Review          M. Kirke       Addition            December      Reporting
5    SAP SF Payroll Lessons Learned                   M. Kirke       Addition            January       Being Scoped
6    Back Office Transformation - POLSAP to CFS       A. Cameron     Original            February      Being Scoped
7    Back Office Transformation - Cash Processing     A. Cameron     Addition            March         Not started
8    Back Office Transition - Credence / MDM          A. Cameron     Addition            January       Being Scoped
9    Project Solar - HNGT Lite (Prev. Chameleon)      K. Gilliland   Original            January       TOR Agreed
10   Network Transformation                           K. Gilliland   Original            February      Being Scoped
11   Branch Technology - EUC Transition               K. Gilliland   Original            January       TOR Agreed
12   EUM                                              K. Gilliland   Original            March         Being Scoped
13   Peer to Peer Encryption Implementation           J. MacLeod     Original            March         Being Scoped
     Placeholder (FS Customer Hub?)                   N. Kennett     Original            tbc           Not started
     Placeholder (Project Panther?)                   K. Gilliland   Original            tbc           Not started
     Agile Methodology and Governance                 J. MacLeod     Original            tbc           Not started
     Gating Process - Effectiveness                   A. vd Bogerd   Postponed           2018/19       Not started

Note: Target audit delivery per original approved plan is for 29 audits (16 internal control reviews and 13 change assurance
reviews).

POL-BSFF-0218823_0144

Appendix 2a

POST OFFICE LIMITED - CHANGE ADVISORY REPORT
ADVISORY REVIEW: Integrated Change Plan & Dependencies
REFERENCE: 2017/18-07

DATE ISSUED: 17 November 2017

Executive Summary

Background

Post Office is in the process of delivering a portfolio of projects and programmes to transform its business.
The change portfolio for the 2017/18 financial year consists of circa 85 projects moving through the
gating process, as defined by the One Best Way Framework, with a total value of £330m. The One Best
Way Framework was introduced across the Post Office in 2015, in order to bring a comprehensive and
consistent approach to change management. This framework has now been embedded across the
business.

The Central Portfolio Team are responsible for monitoring the overall portfolio of projects and ensuring
there is an integrated view of change across the portfolio. The Integrated Change Plan is one of the
controls being implemented to effectively manage and prioritise Change at the portfolio level, in order
to ensure that the portfolio's overall objectives are achieved and are aligned to the overall Post Office
strategy.

Scope & Approach

A review of the Integrated Change Plan is part of the FY17-18 Annual Audit Plan approved by the ARC.
The Central Portfolio Team indicated that the Integrated Change Plan is still in its infancy and they were
really looking for support to assess their approach to producing, managing and maintaining the
physical/virtual integrated portfolio delivery plan. Deloitte were engaged to provide this support through
an advisory review, which included an assessment of the maturity of Post Office’s change capability
against industry best practice as defined by the Association for Project Management and drawing from
industry best practice and the Deloitte methodology on portfolio management.

This review covered the following areas:

- Portfolio information: Consideration of the information captured in the current suite of portfolio
management tools and assessing if it is fit for purpose in supporting the production and management
of an integrated portfolio delivery plan. Further, assessing the weight of the reporting burden on
project managers.

- Use of project management tools: Reviewing the use of Microsoft Project Server by the Central
Portfolio team, to determine whether it is being used in the most effective and efficient way.

- Central Portfolio team: Interviewing stakeholders, to understand their requirements of the Central
Portfolio Function to identify potential improvements, with an ongoing consideration of industry best
practice.

- Embedding of improvements identified: Advising on appropriate activities to help with the
embedding of recommendations.

Conclusion

We observed a Central Portfolio Team (CPT) that is eager to evolve from a team whose focus is data
collation, into a forward looking portfolio function that is able to proactively manage the central portfolio
of change and support project and programme managers across the business. As this was an advisory
review, the report has not been rated, however, assessed against the Portfolio Capability Maturity Model,
we believe the CPT to currently be operating at Level 2 (Partial Management Practices Displayed) on a 5
level maturity scale.

The recommendations from this review are aimed to help Post Office optimise how it manages change
at a maturity level appropriate for the organisation (level 3/4 depending on the change management
component).

POL-BSFF-0218823_0145

Despite some level of internal debate over the role of a Central Portfolio function, we believe it is a critical
function to define and uphold the standards associated with the change process, whilst ensuring that
there is sufficient information on the management and deployment of essential resources (including both
staff and wider resources such as IT change capacity) to ensure change is effectively delivered.

The following recommendations have been made to further improve the effectiveness of the Integrated
Change Plan:

1. Implement clear mechanisms to assign priorities to projects and programmes, and
highlight key dependencies and areas of constraint. This will provide senior decision makers
with information to ensure they understand the long term resource demands of the portfolio, both in
terms of staff and bottlenecks throughout project and programme delivery, such as access to test
environments.

2. Minimum reporting standards, aligned to the scale and/or level of priority of projects and
programmes. Provision of consistent, high quality information on the potential constraints and
delivery disruptions across the portfolio and ensuring the information is systematically available to,
Project and Programme managers as well as senior decision makers, will support effective
prioritisation and independent decision making.

3. Effective use of portfolio management tools. Utilisation of MS Project Server is largely limited
to its basic functionality. Using some of MS Project Server’s additional functionality will reduce the
reporting burden and avoid duplication of effort.

4. Maturity Assessment. Assessed against the Portfolio Capability Maturity Model, we believe the CPT
to currently be operating at Level 2 (Partial Management Practices Displayed) of a five level maturity
scale. This is due to the current focus of the CPT being fairly narrow, with a focus on key milestones
and dependencies rather than a wider view of resources and pinch points across the portfolio. In
terms of maturity improvement we would expect to see one point per year, however that may
require some increased resources and additional funding.

Area of Assessment                        Current POL Position   Aspirational Position
(area names not captured in extraction)
                                          2                      4
                                          2                      3/4
                                          2                      3
                                          1                      3
                                          2                      3
                                          2                      3

Page 2 Confidential

POL-BSFF-0218823_0146

Appendix 2b

POST OFFICE LIMITED - CHANGE ASSURANCE REPORT
AUDIT TITLE: IT Networks Programme

REFERENCE: 2017/18-16

DATE ISSUED: 19 December 2017

Executive Summary
Background

Post Office Limited (POL)’s IT Network is extensive and consists of two critical elements:

- The Back Office IT Network - Consisting of IP, telephony and network services to corporate offices
and directly managed branches; and

- The Branch IT Network - Connecting 11,600 branches to Post Office Services.

The current contract with Fujitsu to supply IT Network services ends on 31 March 2018, by which time
the Post Office will need to vacate the Fujitsu network to prevent the incurrence of additional service
costs equivalent to 50% of the current service cost (£4.2m). Verizon were selected following a
competitive tender process to supply IT Network services in 2015. As at the time of this review, Post
Office was forecasted to fully transition to Verizon network services by 18 March 2018, providing an
element of contingency.

The IT Networks project manages the switchover between the incumbent suppliers (Fujitsu, branch
network services and BT, Back Office admin network services) and Verizon. Delays have historically
occurred outside of the project which have resulted in a larger investment being required to assist with
project delivery. As a result, the project timeline and scope have been reviewed to ensure alignment
with the Post Office Business and IT Strategy.

The success of the IT Networks project is essential to ensure continuity and stability of the day-to-day
Post Office Branch operations. The project cost is estimated at £30.9m, with an estimated completion
date in March 2018.

Scope & Approach

The focus of our review has been interviews with key project personnel and review of project
documentation comprising RAID logs, status reports, trackers, dashboards and other key information
maintained by the project team and used to track performance against deadline.

Specifically, this review assessed the following areas:
- Timely delivery;
- Off-boarding of Fujitsu services;
- Transition from project to run; and
- Service management.
Two additional scope areas were raised by the Executive Sponsor that were also addressed as part of
this review:
- Review of the current status of recommendations raised as part of a Network Design Effectiveness
review, performed by APSU (a 3rd party consultancy); and
- Service performance and benefits realisation as per contractual agreements, and the adequacy
of 3rd party management processes.
Conclusion

Since the refresh of the IT Networks project’s business case in February 2017, significant progress has
been made in the delivery of the network transition. The contractual end date that the project aims to
meet (31 March 2018) is recognised to be challenging, but significant steps have been taken to ensure
a complete transition to Verizon services by this date. This includes the operation of the Accelerated
Network Programme, implemented to expedite delivery of the network switchover to mitigate the risk

Page 1 Confidential

POL-BSFF-0218823_0147

Internal Audit Report: IT Networks December 2017

that the contractual deadline would not be met. This programme’s business case was also submitted in
February 2017 and was subject to the standard project governance gating process.
However, some challenges to project delivery still exist, which the project team are currently resolving:
- Issues with the integrity of the Master Site List (MSL), which is essential for effective scheduling
of the rollout of network hardware and performance of network transition work;
- Enabling performance of network switchover in rural or outreach areas, due to geography and
weather-related constraints; and
- Limited engagement from outgoing suppliers, including Fujitsu and BT.

Work is ongoing to overcome the issues highlighted above, with the requirement for current levels of
effort to be maintained to ensure delays are avoided. The most significant issue exists with the lack of
accuracy within the MSL, which, despite being provided by Fujitsu (as a list of all branches currently
serviced), contains errors and omissions. This issue presents the largest risk to the project, contributing
to both scheduling failures and installation failures. Current efforts to remediate the issues with the MSL
are resource intensive, with engagement required from a number of POL teams, as well as the 3rd party
suppliers, Fujitsu and Verizon. With consideration to the findings highlighted within this report, we are
not aware of any issues that may prevent the contractual deadlines for Fujitsu and BT services being
met. However, we recognise that efforts to proactively manage the risks highlighted are required to
continue. Due to the nature of these risks, this report has received a rating of ‘Needs Improvement’.

Management Comment

Jason Black (CIO, IT4IT Programme): We found this audit very helpful, although it identifies a number
of things to do. Considering the scale of things we have had and have to do, management considers this
a positive report.

Report rating: Needs Improvement

Summary of Findings

The table below provides a summary of the findings and their ratings.

   Finding                                                  Rating*   Action Owner                 Date
Scope Area: Timely delivery
1  Remediation of errors within the Master Site List (MSL)  P1        John Donovan                 31 January 2018
2  Prioritising scheduling procedures for "at-risk"         P1        a) John Donovan              31 January 2018
   branches                                                           b) Andrew Swaffer
3  Connectivity upgrades for branches utilising ISDN        P2        Jason Black                  31 January 2018
   connections
4  Resolution of issues with secondary connectivity         P2        Will Templeton               31 January 2018
Scope Area: Transition to BAU
5  Lack of proactive supplier monitoring                    P3        Alan Owens                   Complete
Scope Area: Additional Areas for Review
6  Incomplete assignment of management actions              P3        Jason Black / Max Jacobi     Complete

* P1 = High Priority, P2 = Medium Priority, P3 = Low Priority

Page 2 Confidential

POL-BSFF-0218823_0148

Appendix 2c
POST OFFICE LIMITED - INTERNAL AUDIT ADVISORY REPORT

AUDIT TITLE: IS Transformation Programme Ongoing Assurance
REFERENCE: 2017/18-01

DATE ISSUED: 20 December 2017

Executive Summary
Background

Post Office is in the process of improving the maturity level of the information security controls, following a number
of weaknesses and gaps that have been raised by the Information Security review performed by Deloitte in 2016. To
address the 2016 audit recommendations an IS Transformation programme was initiated. Internal Audit performed a
follow-up review of the 2016 audit and found that, although progress had been made, the project must maintain focus
on improving the IS internal controls (as recommended in 2016) as the current IS risk remains outside the PO risk
appetite. The status of the various actions raised in 2016 was presented to the November 2017 ARC.

A review of the IS Transformation programme was carried forward from the 2016/17 internal audit plan and it was
agreed by the ARC that Internal Audit will provide ongoing assurance over the programme.

Overall Conclusion

The Information Security Transformation project is progressing the deployment of an enhanced information security
control environment, based on the actions agreed from the 2016 IS review. Although we believe the work within the
transformation scope is progressing and the actions taken are relevant to improve the level of IS control, we have
made the following observations to the project team and sponsors, which have been well received and will be
discussed in detail at the January meeting of the Information Security Committee.

1. The project will benefit from defining a (one page) project plan and a Security Road map. This will give visibility to
other stakeholders of the progress made and expected outcomes by defined timeframes. This has been
completed.

2. Consideration should be given to reporting transformation progress against the main IS risks; currently the
reporting is against agreed audit actions. This will be particularly useful to stakeholders who are not close to the
project. A detailed review of the information within the project reporting pack would also help (and limit the time spent)
with the preparation of various board papers (RCC and ARC).

3. The project team deals with a number of project and BAU initiatives (e.g. SOC, remediation of gaps following the ITCF
design, managing penetration testing, etc.), and priorities are not always clear. The definition of clear priorities
will also help the project team keep their focus on the IS top risks and deliver against stakeholders' expectations.

Additionally IA have recommended that the project defines how success within the IS Transformation
Programme will be measured, to ensure there is a clear view of what good looks like and when the project can be
considered closed with activities migrating into managing BAU.

Once priorities and success indicators are clear, a review of the adequacy of dedicated resource should be
considered (in terms of numbers and skills required to ensure timely delivery).

4. The IS Transformation requires a behavioral/culture change from colleagues across the business on how they deal
with company information. This will only be achieved through leadership, communication and awareness training
to ensure all colleagues understand the importance of IS, why change is necessary and the impact their behavior
can have on the business — either putting it at risk or keeping it safe. It is recommended that more information is
shared with the wider company (e.g. via One or IT blogs) about the IS Transformation, what it means, how things
will change and what is expected from the wider business and from each colleague.

5. As the main focus of the IS Transformation is to deploy an adequate level of IS internal control (which keeps IS
risks within PO risk appetite), the use of a recognised Cyber Security framework to benchmark the level of
control deployed against best practice is strongly recommended. This will help the team conduct a
self-assessment of the internal control maturity level and identify possible areas of improvement prior to further audits
being performed.


POST OFFICE
RISK & COMPLIANCE COMMITTEE

Annual Legal Risk Review: 2017

Author: Ben Foat Sponsor: Jane Macleod Meeting date: 18 January 2018

Executive Summary

Context


The RCC Terms of Reference require it to undertake an annual review of risks. This paper
provides the Committee with a review of the key legal risks during 2017, their management and
what this means for our control environment.

Questions this paper addresses

• What are the key Legal risks?

• What controls are in place to manage these risks?

• What is the overall position and further actions required?
Conclusion

1. The Post Office takes its legal and regulatory responsibilities seriously and consequently
has an averse risk appetite for non-compliance with law and regulations or deviation from
its business conduct standards. In respect of contractual risk, it has an averse appetite for
risk taking which would alienate or lose significant groups of profitable customers but a
tolerant risk appetite for legal and regulatory risk in those limited circumstances where
there are significant conflicting imperatives between conformance and commercial
practicality.

2. Within the last 12 months, the legal department (“Legal”) has managed approximately
1,800 matters, mostly from the Retail, Operations, and Financial Services & Telecoms areas of
the business. Further development of MI will be undertaken in 18/19 to better understand
areas of risk within each area of the business.

3. Legal seeks to enhance the legal maturity of the business strategically (aligned to the
Board's risk appetite and Post Office's strategic imperatives) and efficiently (in accordance
with its budget). Operational managers, as the first line of defence, need to understand
legal risk and, with second line support from Legal, incorporate appropriate controls. Such
controls need to be complied with and enforced by the business.
4. The main areas of concern are:

• Contract management continues to present a legal risk to the business although
enhancements have been made to the control environment. Contract management
must be seen as a core competency of Post Office given that Post Office's business
model is focused on the distribution of third parties' goods and services (all of which
are underpinned by a contract) and its highly outsourced model for infrastructure
support. Further enhancements and enforcement of controls within the business
should prevent services being provided without appropriate written contracts in
place or contracts being breached because the obligations imposed are not either
understood or monitored. In addition, significant improvements have been
introduced over the last 12 months such as the further development of a central
repository of contracts through the existing Bravo procurement system as well as
the provision of contract and PCR training, greater enforcement of the CAF process,
and further development of the Contractual Obligations Spreadsheet.


• The business continues to improve its understanding of the complex legal and
regulatory framework within which it operates. Post Office is in the process of
finalising accountabilities and responsibilities for compliance with material laws and
regulations which apply across the organisation. The refinement of corporate
policies (AML, ABC, and Information Security) and operational processes (e.g. the
accessibility assessment in the Network Transformation Decision Manual to ensure
better compliance with the Equality Act), together with training and bespoke legal
advice, has allowed the business to better control regulatory risk. The new Law and
Trends Forum, with representatives from across the different business areas, enables
Post Office to proactively identify emerging legal and regulatory developments and
embed appropriate processes to support compliance.

• Many of Post Office's activities need to be considered in light of competition rules,
and there needs to be better understanding of the potential implications of
commercial activities such as acquisitions or joint ventures and even information
sharing arrangements. In the last 12 months, Legal developed Compliance
Guidance and FAQs, together with bespoke training, to help operational managers
understand this risk. Further competition law training will be rolled out
over the next financial year.

• The strategic direction of a number of areas of the business involves potential
acquisitions or joint ventures which give rise to a complex matrix of legal and
operational risks. Corporate M&A knowledge is dependent on a few core individuals.
Legal is developing a Corporate Acquisition Checklist and challenge process aimed
at enhancing risk management of these projects.

• The Postmaster Litigation has been reported separately to the GE and as such is
not within the scope of this report. However, as a result of the litigation, the
recovery of agent losses and prosecutions have become significantly more
challenging. The risk is that the deterrent effect of such recovery actions or
prosecutions has diminished, and opportunistic behaviours by agents may be
increasing.

• Post Office takes a reactive approach to brand protection and enforcement of its
intellectual property rights. Brand infringements largely go unchallenged. Basic
controls have been employed, such as cease and desist letters, but further
enhancement could be achieved through a formal trade mark infringement process
with appropriate funding to enforce against significant infringement.

5. Legal has established a draft Legal Policy which will shortly go through governance. This
Policy sets out how Post Office manages legal risk including the types of controls which are
in place. Legal supports the approval and execution of legal documents in accordance with
the Board approved delegations of authority (overseen by Corporate Secretariat); a legal
Risk Report is provided in respect of all new material contracts; legal risks are included in
the Risk logs for projects by project managers; legal and regulatory risks are monitored
by the General Counsel through the Post Office risk universe and risk registers; and
potential risks arising from emerging legal and regulatory developments are identified
through the Law & Trends Forum and flagged to the RCC and the ARC through the regular
Horizon Scanning report.

6. Legal is planning to deliver further training during 2018 which will assist managers to better
understand core areas of legal risk and develop the necessary processes.

Input Sought

The Committee is asked to note this report.


The Report

What are the key legal risks?
Contract Management Risk

7. As the Committee is aware, previous internal audit reports and the 2016 Legal Risk report
identified risks associated with the contract management and procurement processes.
While improvements have been made through the introduction and enhancement of a
number of controls, there remains more work to enforce a compliant culture in the
business. Current controls include:

• a contract authorisation process designed to ensure that all legal instruments go
through a consistent process with key stakeholders including Finance and Legal;

• a contractual obligations spreadsheet which sets out the key deliverables or actions that
each party needs to undertake to comply with the contract. Completion and use of
these remains incomplete and inconsistent;

• house positions developed by Legal, with playbooks which set out a range of
acceptable negotiated positions for the following contract types: supplier contracts,
bill payment contracts, agency network contracts, and employment contracts; and

• standardised legal risk reports.

8. Within the last 12 months, a central repository of contracts was enhanced and further
populated utilising the existing Bravo procurement system, which ensures that commercial
contracts, property documents and other legal instruments are readily available. There are,
however, limitations on this repository as it does not always include Change Control Notes
or Change Management Notes.

9. There are a number of material arrangements in which services are being provided without
a written contract in place. The most significant of these relate to c.50 bill payment
arrangements where contracts cannot be located. This is of particular concern given POL’s
obligations under its funding agreement with the BEIS to provide SGEI Products of which
bill payments is a part. Further, approximately 5% of all branch agency contracts cannot
be located which potentially creates issues for the Postmaster Litigation as well as
operational issues. Finally, the HR Weekly/Monthly dispute, which arose when POL sought
to transition weekly pay to monthly, was hindered by a lack of visibility of the various
historical versions of employee contracts. The absence of complete written contracts
results in uncertainty around the contractual position of the parties which could also give
rise to regulatory issues. Although these arrangements are generally historical in nature
and represent a small proportion of the total number of contracts, they represent a serious
and unnecessary legal risk.

10. Business managers need to manage their contracts in accordance with the obligations that
are set out in the contract. The contract obligations spreadsheet is a document that helps
the business map out those obligations. Consistent use of this spreadsheet will mitigate
against the risk that Post Office breaches the specific obligations set out in the contract
and/or fails to enforce the obligations owed to it by the third party. This control should be
enforced for all material contracts.

Further actions
11. Further enhancement of controls should be achieved with:

• the new proposed procurement and contract management SAP system (to replace
Bravo) which will provide greater functionality and automation in relation to
contracting processes. A demonstration has been provided to Procurement, IT and
Legal of its capabilities. This will provide direct access for contract owners to manage
their agreements; understand key contractual information at a glance; produce MI;
and if used correctly will ensure that contracts do not lapse and that new
arrangements are planned and executed in a timely manner.

• Legal is planning further training for the business in 18/19 to improve its
understanding of contractual obligations and of the impact of contracts on other
areas within the business.

Non compliance with legal and regulatory requirements

12. Post Office is a multiline business with a number of complex legislative and regulatory
obligations. The RCC and ARC received a report on Post Office’s legal and regulatory
framework in September last year which set out the material pieces of legislation and
regulations that apply to the different business areas across the organisation as well as its
key regulators. GE accountabilities and responsibilities of these laws and regulations are
in the process of being finalised. This clarification of ownership will provide a further
opportunity to enforce existing controls and develop additional controls where appropriate.

13. The key regulators relevant to Post Office include:

HMRC: AML in relation to regulated products and services;

ICO: Data Protection (issues involving the use of personal data) and
Freedom of Information;

CMA: Competition (anti-trust);

OFCOM: Telecommunications and mails;

FCA: Financial Services (directly relevant to POMS), but also regulates
competition in financial services, consumer credit and payment
services (in its dual capacity as Payment Services Regulator).

14. Generally, controls supporting regulatory compliance across the business have been
clarified or enhanced over the last year. Examples include:

• The accessibility assessment in the Network Transformation Decision Manual was
refreshed and re-emphasised when the Retail team had not completed the
assessment in a number of instances (Chobham and Ayleston). Failure to undertake
this assessment could expose Post Office and the postmaster to a risk of challenge
under the Equality Act;

• There continue to be instances of non-compliance with the Public Contracts Regulations
(PCR) which will be addressed separately in the Procurement Director's Report.
However, Legal has drafted a Procurement manual designed to improve the
business's understanding of Post Office's PCR obligations;

• Training was provided to relevant stakeholders on GDPR and SMCR.

15. A new Law and Trends Forum with representatives from across the different business areas
was established last year to enable Post Office to proactively identify emerging legal and
regulatory developments and to design and embed appropriate processes to support
compliance. Any such developments will be flagged through the Horizon Scanning Report.

Further actions

16. The General Counsel is in the process of recruiting a Risk & Compliance Director who will
refine the new Compliance function. Once established, this function will help to enhance controls
within the regulatory framework within which Post Office operates, improve understanding of the
cross-dependencies and implications of Post Office's various activities, and ascertain and
interrogate MI regarding regulatory risks. As Post Office continues to operate in highly
regulated sectors that are integral to Post Office's future growth, the development and
embedding of a compliant culture is critical.

17. As part of the legal strategy, we propose to launch a Legal Academy during 18/19 to
enhance the business's understanding of core legal risk areas (e.g. DPA/GDPR, the Regulatory
Framework, Competition Law) and help it enhance the necessary first line of defence
processes to support compliance with these regulations.

Competition Law
18. Competition law issues arise in a number of contexts:

• When contracting, Post Office needs to be careful not to include restrictions/benefits
which could be deemed to be anti-competitive (certain exclusivities, pricing
structures, terms which limit supply/production in a particular market etc.).

• Restriction clauses in agency contracts need to be kept under review to ensure
that they are still appropriate and not anti-competitive. Legal is presently reviewing
network restrictions together with the Restrictions Manager, Paul F Williams.

• When holding exploratory talks with potential partners (JVs, acquisitions etc.);

• When participating in industry wide associations; and

• During procurement exercises, both where Post Office is bidding/involved in a
bidding vehicle (e.g. in response to government and utility contracts) and where
Post Office is itself procuring goods/services.

19. There are a number of controls over this risk which were enhanced last year, including
additional personnel in Legal with competition law skills; a competition law guidance
manual; competition law FAQs; and training.

20. Legal has seen instances where the language used by business managers in business
documents and meetings has not been appropriate and could be construed as being anti-
competitive. Given that Post Office is engaging in a number of exploratory discussions with
potential partners about acquisitions and/or JVs which will, in some cases, require approval
from the Competition and Markets Authority, business managers need to ensure that they
understand competition law issues (as provided through training), follow bespoke advice
from Legal, and utilise the Competition Law Do's and Don'ts FAQs.

21. Restrictions clauses in contracts with agents are monitored and discussed with the Post
Office Restrictions Manager, Paul F Williams, to understand the level of compliance with
this clause across the agency network and how these restrictions may be compliantly
enforced. Paypoint have challenged Post Office's approach previously and Post Office has
previously argued successfully that the restrictions policy is needed to maintain the
network (as we did, successfully, before the European Commission in relation to Post Office
2015-2018 state aid). Legal is presently reviewing these restrictions to ensure that they
remain within risk appetite.

Further actions

22. Given the increased activity which gives rise to competition law risks, Legal will continue
to provide competition law training to different areas of the business and project teams to
ensure that competition law issues are highlighted early and dealt with appropriately.

Corporate Acquisitions and JVs

23. As noted above, there are a number of business areas within Post Office that are
considering acquisitions or joint ventures as part of their strategy. Acquiring third party
assets or companies or entering into joint ventures (including contractual joint ventures)
involves a complex matrix of issues which gives rise to legal risk. There are only a few key
stakeholders in Post Office with significant corporate acquisition experience. Industry
analysis reveals that a majority of such projects fail because businesses fail to understand
the operational consequences.

Further actions

24. Further enhancement of controls is in progress: the POL Legal Corporate Acquisition Checklist
and challenge process reviews which, together with the existing gating requirements and
SME expertise from the external legal panel and consultants, should reduce the risks
associated with these projects.

Dispute Resolution Management

25. As Post Office seeks to become more commercially independent, there will be a greater
emphasis on the need to manage disputes carefully. Over the last financial year, there
have been 22 formal disputes of which the following were material:

• 1 Criminal Litigation

• 1 ICO (ROPSI)

• 3 Property Litigation Claims (total value of £495,407)

• 1 Employment Litigation Claim (est. value £366,750)

• 2 Public Liability Claims (handled by insurers) total value of £43,372.00

26. As set out in paragraphs 7-11 above, effective contract management will diminish the risk
of disputes arising against Post Office. There have been instances where poor contract
management has resulted in informal disputes between Post Office and suppliers. An
example was a recent omission to execute a formal change note: the contract's change
control procedure was not followed, which allowed the supplier to argue that the change
note was not binding and that it did not have to provide the (verbally) agreed future
service credits (value being £510K). By complying with the controls already in place and
adopting the further enhancements, these risks can be mitigated.

Enforcement of Agent Losses and Prosecutions

27. Over the last few years Post Office has undertaken very few prosecutions by contrast to
its previous practices. This lack of appetite has been observed by the agency network. It
remains to be seen whether the reduction in prosecutions will directly result in higher
incidences of opportunistic behaviours, however agent losses are increasing.

28. The Postmaster Litigation matter currently complicates Post Office's ability to recover
agent losses or prosecute for fraudulent losses. The issue arises where an agent who
cannot account for a loss makes an allegation that is a subject of the Postmaster Litigation
(i.e. that the loss is due to an error with the Horizon system). As this issue is currently before
the Court but has not been determined, any formal action against that agent would likely
result in a stay of those proceedings (in effect preventing the recovery of the loss until the
stay is lifted). This has the effect of frustrating the Former Agent Debt team's ability to
recover losses in 318 cases with a combined value of c.£1.14million. Further, the
postmaster of the Walton Road and Chestnut Grove branches, identified as having
improperly processed c.£400k of Parcelforce transactions, has frustrated the investigation
into those transactions (and any consequential criminal or civil legal activity) by joining
the Postmaster Litigation as a claimant.

29. The Postmaster Litigation trial on 5 November later this year will determine whether certain
additional duties should be implied into the standard postmaster contract, including rights
and responsibilities for branch losses. Depending on the outcome of that hearing it may be
possible for Post Office to take a more proactive position on recovery of branch losses.


Service of Proceedings

30. There have been a number of instances of the business failing to identify and respond to
service of court proceedings, resulting in default judgment or enforcement against Post
Office.

31. Post Office is, from time to time, named as a defendant to court proceedings. A Claim form
can be served at any place of business which has a real connection with the claim, including
customer centres and directly managed branches, or at the registered office (Finsbury
Dials). Post Office personnel may not always forward the Claim or court related documents
to Legal, which has resulted in default judgement and, in turn, diverted resource and further
cost to set aside such judgements.

32. Legal has drafted a “Receipt of Court Documents” process which will be circulated to the
Post Office network and placed on the Legal Intranet; together with periodic
communications, this will reduce the risk going forward.

Brand and Intellectual Property (IP) Infringement

33. The Post Office brand is one of its more important assets. However, a reactive approach
is taken to enforcement of its IP rights. There are examples where Post Office's trade
mark or brand has been used in search engines and comparison websites to divert traffic
to competitors. Infringements have largely gone unchallenged. The infringement of its
rights may cause reputational damage and customer confusion.

34. Present controls involve Legal providing a “cease and desist” letter; however, due to
budget constraints generally no further action is taken.

Further actions

35. Legal will provide a Risk paper to the Group Brand, Communications, and Corporate
Affairs Director and Marketing Director outlining the risks of the current approach.
Nevertheless, even with a more structured Trade Mark Infringement Process there will be
challenges to the effectiveness of brand protection unless budget is available for legal
action.


POST OFFICE
RISK & COMPLIANCE COMMITTEE

Ageing Population and Financial Services

Author: Jonathan Hill Meeting date: 18 January 2018

Executive Summary

Context

1. In recent communications the FCA has been setting out the expectations it has of
the industry in using customer research to drive change. The FCA’s Ageing
Population Occasional Paper is part of this series of papers, which also include
papers on consumer vulnerability and the FCA’s future approach to consumers more
generally.

2. The FCA has emphasised that the ageing population and financial services project
is not meant to catch firms out or test compliance with rules but rather to consider
what harm might arise and challenge the FCA and the industry to make things
better.

Questions this paper addresses

3. This paper updates the Committee on how we are meeting the challenges outlined
by the FCA.

Conclusions
4. In a number of areas we have good evidence of how our business takes into
account the requirements of elderly (and vulnerable) customers.

5. However, we do need to continually review the consumer market and challenge
ourselves on the requirements for older customers as their needs and ability to
engage on technology improves and changes.

6. We need to consider this paper in the context of the overall Vulnerable Customer
Policy. The vulnerable customer risk assessment and gap analysis is continuing,
which is expected to be concluded at the end of March 2018.

Input Sought

7. The R&CC is asked to note these developments.

Strictly Confidential RCC


The Report

The FCA paper

8. The FCA launched the Ageing Population Project in February 2016 to explore how
older people use financial services and products.

9. The review concluded that there are risks that their financial services needs are
not being fully met, which can result in exclusion, poor customer outcomes and
potential harm. The paper also explores a range of issues including older
consumers’ engagement with retail banking, third party access and planning
ahead, later life lending and long term care.

What the FCA said firms can do

10. Product and Service Design. Firms could think about how they can take older
customers’ needs into account when developing products, services and
distribution channels, and involve older consumers in testing and product design.

11. Customer Support. FCA has asked firms to think about how they support older
consumers, especially as their needs change over time.

12. Review and Adapt Strategies. The FCA recognises that this is not a one point
in time challenge and solutions need to be reviewed and adapted.

How are we meeting the challenge?

13. Product and Service Design.

Banking Framework

14. The Banking Framework is a key demonstration of how Post Office is supporting
elderly and vulnerable customers. We are increasingly the last ‘bank’ in town as
bank branches close supporting those who prefer to do their banking in branches.

Product Propositions
15. We have product propositions aimed at older customers, including products for
end of life planning (savings, pre-paid funeral, over 50s life, life assurance and
home insurance).

16. Post Office Money target customer segments are not age-based but are attitude
based and include older customers’ needs, particularly in the first two categories
of our three target segments (Prosperous and Discerning, Socially Responsible)

17. Future product propositions are specifically considering the needs of older
customers, including an intergenerational mortgage and a freedom mortgage.
The freedom mortgage will specifically be designed for those that need to access
capital from their home (for example, for later life planning or care costs) without
having to sell up or downsize.

18. We are also evaluating savings and lending propositions for those that have cash
flow needs including those that may be caring for generations above and below
them; or for those that need funds to cover care costs.


19. The regulator has also tacitly acknowledged that its application of regulations
(particularly for mortgages) has led to product providers excluding access for
older customers for regulatory reasons. In this new climate we are working with
BoI on re-evaluating the upper age limit for lending products.

20. Customer Hub
It is confirmed that the new customer hub, as it is developed, will seek to include
user testing and feedback from a whole range of technical ability, from the
‘tech savvy’ to the ‘clueless’, and the project will seek to include different age
ranges in its proposition testing.

Customer Support

21. We have training on vulnerable customers in Success Factors and Horizon. The
FS workbook that all colleagues undertake has a section on vulnerable customers.
This is also covered in the ‘Delivering a Great Customer Experience’ module that
senior managers in Agency have taken. Vulnerable customers is also covered in
the Customer Relationship Management (CRM) training.

22. We are developing new vulnerable customer training for the new mortgage
propositions aimed at the needs of older and potentially vulnerable customers.

23. BoI staff, including customer call centre staff, have received detailed vulnerable
customer training. There are examples where BoI have made exceptions to terms
and conditions for customers where a vulnerable condition has been
demonstrated (e.g. allowing grace periods for charges during hospital visits, or
making allowances for deteriorating mental health).

24. Post Office works with Age Concern and the police in high profile vulnerable
customer fraud prevention initiatives across the UK, raising awareness of scams
and how to prevent them. A number of postmasters have been able to prevent
fraud because of this and other initiatives.

25. The Power of Attorney process was also reviewed and updated with support pages
on Horizon help.

Review and Adapt Strategies

26. It is recognised that we will need to continually review and adapt our strategy.
For example, the older generation are becoming increasingly familiar with new
technology and the cohorts that refuse to engage with technology are becoming
smaller. New ONS data shows that the proportion of over-75s who have used the
internet recently has increased from 19.9 per cent in 2011 to 40.5 per cent in
2017.

What more do we need to do?

27. We need to complete the risk assessment and gap analysis for vulnerable
customers as part of the Vulnerable Customer Policy approach. This is expected
to be completed by end March 2018.

28. We need to identify if/where there are any themes arising from complaints,
as it is unclear how well Post Office or third parties collect this information.


29. We will engage with outside focus groups such as ‘Age Concern’ to get further
insights into how we could improve engagement with Financial Services products.

Jonathan Hill
Head of FS&T Risk & Regulation

POST OFFICE
RISK AND COMPLIANCE COMMITTEE
DECISION PAPER

Legal & Regulatory Horizon Scanning

Author: Ben Foat, Legal Director Sponsor: Jane MacLeod, General Counsel Meeting date: 18 January 2018

Executive Summary

Context

The legal and regulatory framework within which POL operates is complex due to it
being a multiline business operating across numerous sectors including those which
are highly regulated. There are hundreds of pieces of legislation and regulation that
apply to Post Office. Legal has previously reported to the Committee on the material
laws and regulations that apply to Post Office. However, laws and regulations develop
and change over time. The purpose of this report is to bring to the attention of the
Committee relevant new or emerging requirements.

Questions addressed in this report
1. What are the new or proposed material changes to laws and regulations to be
noted by the Committee this month?

Conclusion
1. Legal is responsible for providing second line of defence management of legal risk.
On a monthly basis it identifies new legal trends and developments through its
Regulatory Developments Tracker.

Strictly Confidential Board Intelligence Hub template


2. In addition, certain business areas also undertake horizon scans specific to their
area. Any new or proposed material changes to laws and regulation are
communicated through the Law & Trends Forum, which has representatives across
the business. The Law & Trends Forum enables alignment across the business by
setting up, where appropriate, working groups consisting of relevant stakeholders
to further assess the impact of such new developments and provide
recommendations in respect of any changes to existing internal or management
controls.
There are three new matters for the Committee to note (details of which are set
out in the Appendix):

a. Morrisons Data Leak, which concerns a High Court decision which found an
employer vicariously liable for a data breach in which a former employee
disclosed personal data of co-workers on the internet. Although we
understand that Morrisons is to appeal the decision, if upheld it could set
a new precedent in making employers vicariously liable for data breaches
committed by employees. Post Office’s Data Protection Officer is considering
mitigations that could be put in place and continuing to monitor the appeal.

b. IFRS 16, which concerns a new accounting standard regarding leases which
will impact Finance. This includes leases of retail and commercial property as
well as equipment and vehicles. Finance are considering the potential
implications.

c. Public Contracts Regulation, which has been amended to increase the public
procurement threshold to £181,302. Procurement and Legal have been
made aware of this change.

Input Sought

1. The Committee is asked to note this report and approve the use of the
new report format set out in Appendix 1.

Input Received

Appendix 1. RCC Horizon Scanning Report: New material updates

Issue: Morrisons Data Leak (Martin Kirke, HR)
Why it matters: High Court finds employer vicariously liable for a data breach in which a former employee disclosed personal data of co-workers on the internet. The first group litigation data breach case to come before the courts, and compensation payable to the claimants collectively under the Data Protection Act 1998 could be substantial.
Latest Developments: The case against Morrisons relates to the posting on the internet of the bank, salary and national insurance details of almost 100,000 members of staff by a former colleague with a grudge in 2014. Morrisons to appeal.
Impact on Post Office: Could set a new precedent making employers vicariously liable for data breaches committed by employees.
Action: Chris Russell (IPA) considering mitigations. Monitor status of appeal. Martin Kirke considering mitigation option for “rogue employees”.

Issue: IFRS 16 (Al Cameron, CFO)
Why it matters: The International Accounting Standards Board (“IASB”) has released International Financial Reporting Standard 16 (“IFRS 16”), a new standard on lease accounting. The standard will require lessees to account for all leases on their balance sheets, including those which had previously been treated as operating leases and accounted for in the P&L account as “in-year” expenses. This will include leases of retail and commercial property, equipment and vehicles.
Latest Developments: The standard is mandatory for accounting periods commencing on or after 1 January 2019. [Awaiting business update, due tomorrow AM from Briony]
Impact on Post Office: Possible implications:
• Assets and liabilities on the balance sheet will increase significantly; a study by PWC estimates that retailers will be hit the hardest, with a median increase in debt of 22% and in EBITDA of 13%;
• The cost profile of income statements changes, with costs skewed towards the early years of leases and greater volatility due to the frequency of recalculation;
• The accounting benefits of sale and leaseback transactions could be negatively impacted.
Action: Briony Tristram is working with finance to consider the impact on Post Office.

Issue: Increase in EU Public Procurement threshold (Al Cameron, CFO)
Why it matters: The 2018/19 financial thresholds for services have increased to £181,302 and for works to £4,551,413.
Latest Developments: Procurement and legal aware of change.
Impact on Post Office: A slightly higher threshold for the application of the standard PCR regime.
Action: Changes have been incorporated into Procurement and Legal processes. Jacqueline Scott, Principal Procurement lawyer, is aware of change.

POST OFFICE
RISK AND COMPLIANCE COMMITTEE NOTING PAPER

POca Interest Rate Swap - Update

Author: Mark Dixon Sponsor: Alisdair Cameron Meeting date: 18 January 2018

Executive Summary

Context

At the July 2017 Board meeting a paper was presented asking the Board to give
consideration to entering into a 3-year amortizing interest rate swap under which POL
would pay 1 month GBP Libor and receive a fixed rate. This effectively “locks in” the
interest income on a portion of the POca balances at a fixed rate for a three-year
period and would provide certainty around a portion of the interest component of the
POca income statement.

The Board authorized the Group CFOO, following ARC approval, to execute an interest
rate swap if considered advantageous.

A paper was presented at the September 2017 ARC setting out the rationale for the
transaction, with an update to the pricing, compared to that presented to the July
Board, and the steps required to execute an interest rate swap. It also considered
how to manage the risks associated with swap execution. The paper raised the
requirement to obtain BEIS / HM Treasury approval before executing a transaction.

This paper provides an update for the RCC as at 11 January 2018, including an update
on current pricing. It should be noted that it is presented as a draft and may be
subject to change before final submission to the ARC. At a minimum we will refresh
pricing so that the ARC has a latest view before making its final decision.

Question addressed in this report

1. What was the outcome of discussions with BEIS / HM Treasury?
2. What are the current pricing levels for the interest rate swap?

Conclusion

We believe that it continues to be advantageous for POL to enter into a 3-year
amortising interest rate swap under which it pays 1-month GBP Libor and receives a
fixed rate and that the cost of doing so represents value for money for POL.


This swap simply “locks in” interest income over the three year period at current rates
to give certainty around a portion of the interest component of the POca income
statement over the next three years. It should not be seen as a bet on future interest
rates or as a way of securing a higher interest income in any given year.

We have now received approval from BEIS / HM Treasury to enter into an interest
rate swap for the purposes of hedging its floating rate exposures linked to the POca
cash balances.

We will seek approval from the ARC to go ahead with the transaction as described
with delegation of authority to the CFOO to: (i) agree the choice of swap co-ordinator
bank; (ii) agree a range of pre-agreed pricing within which POL’s Head of Treasury
can execute the transactions; and (iii) execute any documentation required in
connection with the transaction, including novation agreements (if applicable) and
confirmations.

Input Sought

The framework, policies and authorities adopted by Post Office Limited and
its subsidiaries in relation to the company’s treasury activities are set out
in a paper that was presented to and approved by the ARC in November
2016. This framework requires POL to obtain approval from the ARC to
enter into the interest rate swaps described in this paper.

At its July meeting the Board authorized the Group CFOO, following ARC
approval, to execute an interest rate swap if considered advantageous.

The ARC will be asked to approve the execution of an interest rate swap,
or a series of swaps and to delegate authority to the CFOO to carry out all
tasks necessary in order to execute such swaps, including but not limited
to: (i) agreeing the final choice of swap co-ordinator bank; (ii) agreeing a
range of pre-agreed pricing within which POL’s Head of Treasury can
execute the transactions; and (iii) executing any documentation required
in connection with the transaction, including confirmations.

The form of the resolution required is set out in draft in Schedule 1.

The RCC is asked to note the paper for onward submission to the ARC.

The Report

What was the outcome of the discussions with BEIS / HM Treasury?

1. In May 2012 HM Treasury published guidance on Managing Public Money. The
guidance states that an Arm’s Length Body (such as POL) needs to consult its
sponsoring department / HM Treasury before executing any derivative for the first
time.

2. POL has now received approval from BEIS / HM Treasury to enter into an interest
rate swap for the purposes of hedging its floating rate exposures linked to the POca
cash balances.

What are the current pricing levels for the interest rate swap?

3. As at 10 January we could lock in a rate of 79.25 bps (0.7925%) at an estimated
cost of 1 bp pa (0.010%). In effect we would receive a fixed rate of 78.25 bps
(0.7825%) in exchange for paying 1 mth GBP Libor. This rate will fluctuate over time
as market rates move up and down. The actual rate achieved will reflect the market
rate when the swap is executed. For reference as at 20 September 2017 the
comparable pricing was given as 75.5 bps (0.755%) at an estimated cost of 3 bps pa
(0.030%).

4. For the ARC Committee paper dated September 2017 we indicated that charges
would be 3 bps. This was based upon indications from three banks and covered
market execution charges and credit and capital charges. Following the meeting, and
in order to better demonstrate “value for money” for the purpose of the BEIS / HM
Treasury approval, we asked the banks to revisit their charges. With one co-ordinator
bank executing 100% of the transaction and then taking and holding 100%, fees
would be 1 bp. With one co-ordinator bank executing 100% of the transaction and
then splitting the final take and hold position between two to three banks, fees would
be approx. 1.5 bps. 1 bp represents £262k of total cost over the three-year life of the
swap. 1.5 bps therefore represents £393k, an increase of £131k. We therefore
propose to execute using the first option in order to save £131k of fees.

5. Adopting this execution strategy means that POL takes counterparty credit risk on a
single bank, rather than spreading this risk over 2 to 3 banks, in order to save fees of
£131k. To achieve the 1 bp fee we will need to execute the transaction with RBS.
Hence any potential counterparty credit risk is on RBS. Given current Libor of approx.
0.50% we estimate that, under stress conditions (i.e. an immediate fall in rates to
zero combined with an immediate credit situation for RBS) the exposure would be no
more than £10 million. We are therefore comfortable with this level of counterparty
credit risk.

6. The overall cost of the swap to POL is a combination of: (i) the mid-market rate
prevailing at execution; reduced by, (ii) market execution charges; and, (iii) credit
and capital charges. (ii) and (iii) are covered above. The mid-market price obtained
at execution is therefore critical to the overall cost of the swap to POL. 1 bp
represents £262k. Because of the non-vanilla nature of the swap (i.e. the notional is
amortising and the floating leg is against 1 mth rather than 6 mth GBP Libor) we
believe that it will be helpful to use a third-party consultant to ensure that the best
possible mid-market price is achieved. We have obtained a quote of £35k for this
support from Rothschild, who have helped on previous parts of the POca project.

7. All other details of the proposed interest rate swap are set out in the ARC Paper
dated 5 September 2017 and this paper should be read in conjunction with that
paper.


Schedule 1 - Form of Resolution

Post Office Limited
(the “Company”)
Minutes of a meeting of the board of directors of the Company
held at Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ
on [e] at [e] [a.m.]/[p.m.]

Present: [e]
In Attendance: [e]

1 Appointment of Chairman, Notice and Quorum

1.1 [e] was appointed Chairman of the meeting.

1.2 The Chairman noted that due notice of the meeting had been given in accordance with the Company's
articles of association and that a quorum was present.

2 Purpose

2.1 The Chairman explained that the Company intends to enter into certain interest rate swap derivative
transactions under the terms of 2002 ISDA Master Agreements and accompanying Schedules with
certain counterparty banks (each a “Transaction”, together the “Transactions”).

2.2 The purpose of the meeting was to consider and, if thought fit, approve the steps required to be taken
by the Company to give effect to:

2.2.1 any confirmation relating to a Transaction;

2.2.2 any documentation to be entered into with any counterparty in connection with compliance with
the Company's obligations under Regulation (EU) No 648/2012;

2.2.3 any ancillary document relating to a Transaction; and
2.2.4 such other documents necessary to bring the Transactions into effect,
(together, the “Transaction Documents”).

3 Resolution

After due and careful consideration, having regard to what would be most likely to promote the success
of the Company for the benefit of its shareholders as a whole, IT WAS RESOLVED THAT:

3.1.1 the performance by the Company of its obligations under each of the Transaction Documents
be and is hereby approved;

3.1.2 any Director or the Head of Treasury be and is hereby authorised, for and on behalf of the
Company, and in its name, to agree such additions, deletions or changes to the Transaction
Documents as they shall deem appropriate (including without limitation any changes, additions,
deletions or changes to any schedules or exhibits thereto);

3.1.3 any Director be and is hereby authorised to sign, seal, execute and deliver all Transaction
Documents; and


3.1.4 any Director be and is hereby authorised to do all acts and things so as to carry into effect the
purposes of the resolutions passed at this meeting and/or to give or execute any or all notices,
communications, or other documents on behalf of the Company in connection with the
Transactions and agree such amendments, variations or modifications to the Transaction
Documents or such notices, communications or other documents as such person may in his or
her absolute discretion think fit.

4 Filings

The Chairman instructed the Secretary to deliver all filings (if any) as are required in relation to the
resolutions passed.

5 Close
There being no further business the Chairman declared the meeting closed.

Chairman

Certified a true copy of the minutes of a meeting of the board of directors held on [e] September 2017

Dated: Signed:
Company Secretary


Company no. 8459718 - Strictly Confidential

PExCo 17/157 — 17/173

POST OFFICE MANAGEMENT SERVICES LIMITED (Company)

EXECUTIVE COMMITTEE (ExCo)

Minutes of an ExCo meeting held at Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ on 11 October 2017 at 2.00pm

Present:
Rob Clarkson (Chairman/RC) — Managing Director
Michelle Downs (MD) Head of Change Management
Ben Foat (BF) Legal Director
Ryan Griffin (RG) Product Director
Ian Holloway (IH) Director of Risk and Compliance
Sean Leahy (SL) HR Director
Simon Parr (SP) Chief Financial Officer
Russell Tavener (RT) Chief of Operations
Victoria Heath (VH) Marketing Director

In Attendance:
Victoria Moss (VM) Deputy Company Secretary

Apologies: None

PExCo 17/157 WELCOME, QUORUM AND CONFLICTS OF INTEREST

(a) There were no apologies for absence. The Chairman declared the meeting quorate and open.

(b) The Chairman welcomed IH and VH to their first meeting of the ExCo. The ExCo agreed to appoint VH to the ExCo with immediate effect.

(c) No new conflicts of interest were declared.

PExCo 17/158 2017/18 PERIOD 6 FINANCIAL PERFORMANCE

(a) SP introduced the financial performance report for Period 6 2017/18. The report clarified the current status of the 5+7 reforecast and SP informed the Board this reforecast would be submitted to an extraordinary meeting of the Board on 17 October 2017 for approval. Once the figures for the five year plan had been completed, the budget figures would be submitted to Group in late November 2017, followed by a trueing up process in January/February 2018.

(b) SP confirmed that the Company's accounts for the 2016/17 financial year would be submitted to the extraordinary meetings of the Audit, Risk and Compliance Committee and the Board to be held on 17 October 2017. Approval of the accounts had been delayed due to delays with the finalisation of the Group accounts.

(c) The Chairman noted the revenue variance and the adverse margin on product lines at a revenue level. SP explained that for life the variance was one of trading, about which there had been productive conversations with the network. For home and car the checking process had been enhanced for Period 7 and for home there was a

POMS ExCo minutes, 11 October 2017 Page 1 of 12 DRAFT

timing variance. There had been an adjustment for travel and an examination of cash versus the figures from Duck Creek had proved inconclusive. While challenges and timing issues were anticipated, there was no validation of the premiums coming in. The required detail was, however, visible in Dalesridge and there were no issues with audit.

(d) SP explained that the work of his team was prioritising high risk areas such as cashflow from Horizon. RC emphasised the importance of comprehensively setting out current risks, particularly following the Shareholder’s challenge on the 5+7 reforecast. It was agreed that SP would check with internal audit as to what areas had been included in the internal audit plan to audit in the current year and these areas would be called out.
ACTION: SP

(e) SP was working with VH to achieve a more realistic positioning regarding the current adverse marketing phasing. VH confirmed that she would manage marketing to the budget agreed but the current risk was the receipt of an invoice which had not been budgeted for. It was agreed that SP should add ‘legacy invoices’ to the list of risks.
ACTION: SP

(f) The Chairman was keen to identify further opportunities for communication to the Board. When the revised 5+7 was resubmitted to the Board the accompanying paper would detail engagement with the Shareholder and a timeline for the future. SP confirmed he was fleshing out the risks and opportunities around the revised 5+7 which he would provide to the ExCo.
ACTION: SP

(g) The ExCo noted the financial performance report for Period 6, 2017/18.

PExCo 17/159 TRADING REPORT

(a) RG introduced the trading report for Period 6, 2017/18 and explained that trading had been down in the period, particularly protection in the network which had previously been trading ahead. There had been strong engagement with the network to consider how this should be addressed and improvements were expected to take a couple of months. RG was hopeful about seeing improvements realised for Period 8.

(b) The ExCo noted the year on year improvement in travel trading at the end of Period 6. RG explained that while there had been improvements it was likely that this was mostly the effect of extending the summer travel campaign by two weeks. The Chairman queried whether penetration with foreign exchange sales had changed following the end of the campaign. RG would investigate and confirm.
ACTION: RG

(c) RG referred to the action plan, summarised in the trading report, to mitigate the trading underperformance. These actions had mostly been built into the 5+7 reforecast. The Chairman wished to see greater clarity in the plan and it was agreed that RG would rearticulate the table of actions to identify which actions would contribute to closing the gap of Group EBITDA to Plan, which actions would deliver against the 5+7, which would mitigate risks and where the gaps remained. The Chairman emphasised that where there was opportunity the target should be to close the remaining gap of £1m Group EBITDA to Plan to bring performance back to budget.
ACTION: RG

(d) RG reported that having gone live on MoneySupermarket with travel,
sales were predominantly at a loss. His team was examining this and
had switched off the aggregator in the interim. The Chairman
emphasised that a loss leading proposition had not been agreed and
questioned whether the issue was missing the volume target. RG’s
team was working through the numbers and also considering whether
customers were behaving differently on MoneySupermarket compared
to other aggregators. It was agreed that a ‘like for like’ comparison be
carried out, separating out the medically impaired product.
ACTION: RG

(e) The Chairman explained that the key risk for the Shareholder was
delivering to a particular number in the three year plan recently
submitted to HM Treasury. It was essential that the Company identified
and understood what it required from the support functions in Post
Office to achieve that number and clearly communicated those
requirements to Post Office. The ExCo needed to consider whether the
Company was making the best use of its assets such as brand, data
and network. It was agreed that Roger Gale, Post Office Sales and
Trade Marketing Director, should be briefed on the Shareholder’s
specific requirements regarding the Company's performance.
ACTION: RG

(f) The Chairman asked that a forecast column be added to the sales
dashboard for future trading reports.
ACTION: RG

(g) The ExCo noted the trading report for Period 6, 2017/18.

PExCo 17/160 PRODUCT REPORT

(a) RG introduced the product report for Period 6, 2017/18 and highlighted
certain matters which had been considered at the Product Committee
(ProdCo) held earlier that month. The offer on the SME book from AJG
had been considered and rejected, the Chairman advised this sale was
not a priority and should not be pursued at the current time.

(b) RG drew the ExCo’s attention to the detail provided in the report on the
discussions at ProdCo on travel insurance minimum premium and price
optimisation. Analysis of suggested changes indicated that they could
drive up the income per policy in the aggregator channel. Testing was
being carried out by the Head of Pricing.

(c) The Chairman referred to the discussion on aggregators under the
trading report and cautioned that if aggregators were switched off the
learnings from testing would be impacted. It would be important to work
out whether turning off certain aggregators would slow down learnings
too much. MD advised that throttling to turn aggregators on and off
could be done very quickly, in hours. The ExCo agreed that a price test
should be carried out in three to four days’ time and, dependent on the
result, the aggregator could then be switched off.

(d) RG advised that the multi variance testing (MVT) for travel had been
concluded and the product was now out of testing and back to 100 per

cent control. The analysis was being examined as part of Project Ares,
now running behind, and the MVT had failed to identify a clear winner.


The approach could be taken to sell less volume with a more expensive
product. The Chairman asked all members of the ExCo to consider
what more could be done to leverage or drive value on travel.
ACTION: All

(e) The issue around renewals and the FCA challenge was being
addressed, MD reported that a technical impact assessment was being
carried out and letters sent out to customers. The Chairman noted the
opportunities a move to auto renewal would bring. Collinson retention
rates were at 60 per cent with auto renewal while the Company
currently was reaching a rate of around 10 per cent. RG advised that
auto renewal contact centre scripts were being developed with
Collinson and Collinson should also comment on the current contact
centre scripts. Collinson had a view as the underwriter and needed to
ensure the products it owned were being sold compliantly and to be
comfortable with the conduct risk position. Customers also needed to
have a clear understanding about the policy carrier.

(f) Regarding the data capture programme, it was noted that there was
GDPR related risk. The Chairman noted that on search engine
optimisation the Company currently spent £250k per year for eleven
products. This very low spend had resulted in the Company dropping
from position one or two down to position seven which it was anticipated
was costing around 500 sales per week. The Chairman was keen to
spend money on search engine optimisation to regain the higher
position.

(g) The Chairman felt that investment in capability to drive the next year's
performance should be accelerated with a combined cost of around
£2m. The Chairman and SP would be speaking with the Shareholder
the following day. The Shareholder was keen to understand in more
detail the Company's business cases for investment. There was a
suggestion that the requested funding would be provided by the
Shareholder. It was hoped that the meeting with the Shareholder would
provide clarity over what the Company needed to do to provide the
Shareholder with the confidence to invest.

(h) RG confirmed that Project Athena (Insurance Distribution Directive)
had been trending red due to lack of resource but additional resource
had now been assigned.

(i) RG updated the ExCo that he had been in conversation with Royal
London for some time about a guaranteed acceptance term insurance
product. This could potentially be available from January 2018 and it
was expected to drive incremental volume. The business case would
be considered by the ProdCo before coming to the ExCo. There was a
question over whether there was a future for a current term product not
sold in the network.

(j) The ExCo noted the product report for Period 6, 2017/18 and the draft
minutes from the meeting of the ProdCo held on 5 October 2017.

PExCo 17/161 COMMERCIAL AND OPERATIONS REPORT
(a) RT introduced the commercial and operations report for Period 6, 2017/18. He reported that Webhelp’s performance continued to improve. Call average handling time (AHT) was down by ten per cent, exceeding anticipated progress. RT confirmed that the combined cost benefit of a reduction in AHT and multi skilling of agents was anticipated to be around £100k.

(b) RT reported that a number of agents had recently left Webhelp. The Webhelp facilities continued to be of a poor standard with improvements delayed; this was affecting retention and Sky had paid a bonus to retain staff. The agents’ path from appointment through to proficiency was being addressed and a new reduced script had been introduced with early signs of the resulting improvements expected to be seen in the next few weeks.

(c) The work to renegotiate the Master Services Agreement (MSA) and Distribution Agreement (DA) with Post Office continued. The marketing schedule for the MSA required finalisation and Thistle Initiatives was reviewing the MSA for any matters of concern relating to the Senior Managers and Certification Regime. The Chairman reported he had sought confirmation from Al Cameron, Group CFOO, of who would be the Company's contact in Group for the MSA. Roger Gale, Post Office Sales and Trade Marketing Director, was the contact in Group for the DA.

(d) A new incident management process had been rolled out to the Company in the current week which would bring welcome consistency.

(e) The ExCo noted the significant improvement in the Company's relationship with Hexaware.

(f) RT reported that three panel insurers had gone live with the new home claims model, representing 35 per cent of the panel. It was hoped that this figure would rise to 70 per cent. It was noted that the NPS score for home claims had significantly increased. When enough data had been gathered there would be a conversation with the insurer about matters such as behavioural pricing.

(g) Notice had been given to TIF of the Company’s intention to carry out an audit.

(h) The ExCo noted the poor service level performance from Devitt for motorcycle insurance. It was agreed that RT should look to build into the relationship with Devitt consequences for not meeting service levels and consider the introduction of service audits.
ACTION: RT

(i) The ExCo noted the commercial and operations report for Period 6, 2017/18.

PExCo 17/162 COMPLAINTS

(a) RT introduced the update on complaints which provided information on the reporting and analysis of complaints data across the supply chain. Overall dissatisfaction levels had decreased month on month. There had been a couple of Financial Ombudsman Service complaints but no action had been required from the Company.

Company no. 8459718 - Strictly Confidential

(b) RT explained that there was a number of reasons for the upheld
complaints rate being high, including the refund process. Project
Cronos was looking at the branch refund process and the difficulties
around cash payments. Project Zeus brought a number of
opportunities with policy documentation such as changes in postage
and ways of printing. The ExCo was reminded that with the introduction
of the Insurance Distribution Directive it would no longer be possible to
charge for documentation and the cost of this would need to be factored
in. MD confirmed that renewals would be included in a major release.

(c) IH queried why pet insurance was rated ‘red’ for percentage of
complaints to customer base numbers. RT committed to investigate
this rating but advised that often what drove complaints in this area was
the cost of renewal for aging pets. IH stated that there was a regulatory
challenge to inform customers how the policy price would increase with
the age of their pet.
ACTION: RT

(d) The ExCo noted the update provided on complaints.

PExCo 17/163 POLICIES

(a) RT reported that following initial consideration of the Ex Gratia,
Outsourcing and Procurement policies at the previous month’s meeting
of the ExCo he had received feedback. The policies had been
amended following that feedback and were now resubmitted.

Ex Gratia
(b) SP confirmed that the revised Ex Gratia Policy now addressed his
concerns raised at the ExCo which had taken place on 12 July 2017.

(c) The ExCo approved the revised Ex Gratia Policy.

Outsourcing
(d) The ExCo approved the revised Outsourcing Policy for onward
submission to the Board in November 2017.

Procurement
(e) The ExCo approved the Procurement Policy for onward submission to
the Board in November 2017.

PExCo 17/164 CHANGE MANAGEMENT REPORT

(a) MD introduced the change management report for Period 6, 2017/18.
She reported on the Duck Creek infrastructure upgrade and that the
final workstream in Project Hermes had gone live which had included
the on-boarding of two new aggregators. The average load was
currently around 60 per cent and the Service Delivery Manager, Carl
Roe, was closely monitoring this. There would be an auto alert if the
system came close to breaching. To date there had been no service
issues.

(b) Following the FCA challenge regarding renewals, contacting continuing
customers on that issue had been prioritised. There had been
marketing input when preparing the letter. The Chairman advised
considering how Collinson had prepared renewals letters.
ACTION: MD

(c) MD confirmed that Project Cronos, on travel Q3/4 project delivery, was
performing well.

(d) MD reported that satisfactory clarity around required activity and
impacts had yet to be received from the Post Office General Data
Protection Regulation (GDPR) team. The Chairman was particularly
concerned about customer databases. It was noted that an impact
assessment had been carried out on travel which had gone well and
further sessions would be held for other products. SL confirmed that
the ExCo would be sent on a GDPR training session. IH emphasised
the need to ensure the Company was influencing Post Office
appropriately. It was agreed that a meeting be held with the Chairman,
IH, VH, MD and Chris Russell and Clare D’Netto from the GDPR team.
ACTION: MD

(e) The ExCo noted that a report on Project Plutus, the MI discovery phase,
would be submitted to the next meeting of the ExCo in November 2017.

(f) The ExCo noted the change management report for Period 6, 2017/18.

PExCo 17/165 HR REPORT

(a) SL provided a verbal update on HR matters for Period 6. The need for
clarity over the status of Post Office’s Vulnerable Customer Policy and
the associated training was noted.

(b) SL confirmed that work around the Senior Managers and Certification
Regime (SMCR) was progressing, with information sought from all
managers to set out the key activities and deliverables for their teams.
It was noted that the implementation of SMCR might have an impact on
staff engagement and retention. SMCR had been added to the risk
register in relation to staff retention and it was agreed that entries on
the risk register relating to SMCR be shared with the ExCo.
ACTION: MD

(c) RT reported on the recent helpful debates on staff engagement and
confirmed that the resulting recommended actions and plan of
implementation would be submitted to the ExCo in November 2017. It
was agreed that Amber Kelly, Post Office Engagement, Learning and
Talent Director, should be invited to the Company’s next engagement
working group.
ACTION: RT

(d) The Chairman asked that a written HR report be submitted to future
meetings of the ExCo. This should particularly detail what engagement
was needed from management to satisfactorily take forwards the HR
agenda.
ACTION: SL

(e) The ExCo noted the verbal update on HR for Period 6, 2017/18.

PExCo 17/166 RISK MANAGEMENT AND COMPLIANCE

(a) IH introduced the risk management and compliance report for Period 6.
The report provided an update and commentary on the risk framework
and compliance activity since the last issued report. Appended to the
paper were: the risk dashboard (including top risks, strategic risks and
risks outside appetite); the incidents register, including a separate
travel incidents register; the conduct risk scorecard; and the draft
minutes from the Risk, Compliance and Conduct Committee (ARC)
held on 28 September 2017.

(b) IH drew the ExCo’s attention to the recent FCA challenge on renewal
transparency rules. He explained that rules on renewals had been
brought in earlier in 2017 which required that current year and renewal
premiums be provided side by side in renewal letters. After a customer
had renewed for a certain number of years prescriptive wording would
also be required to encourage the customer to explore other products.
The FCA had challenged the Company on a letter sent to customers
towards the expiry of an annual policy, stating that it had breached
renewal rules.

(c) IH had spoken with the FCA and letters were being revised to ensure
they were compliant going forwards. Impacted customers were being
written to, with a focus on those customers, around 6,700, who had
received non-compliant letters and then renewed. There was a residual
risk that some customers might game the process and there was a
small revenue risk. There was the possibility of some poor publicity. IH
advised that there had been some other cases of FCA challenge with a
number of private medical insurers but to date no fines had been
issued. He confirmed that the root cause of the issue had been the
Dalesridge migration and the interpretation of the FCA rules. The ExCo
noted that the Audit, Risk and Compliance Committee had been made
aware of the challenge and had held an extraordinary meeting to
discuss the matter.

(d) IH confirmed that the work on the Insurance Distribution Directive was
on track with Project Athena. Regarding the General Data Protection
Regulation (GDPR) IH noted that the ability to leverage data would be
key. The Chairman stated that after the next meeting with the GDPR
team an assessment would be made as to whether specific insurance
resource would be required. The Chairman committed to make Jane
MacLeod aware, as the Post Office Director of Legal, Risk and
Compliance, of this assessment.
ACTION: RC

Risk, Compliance and Conduct Committee Minutes
(e) The ExCo noted the draft minutes of the Risk, Compliance and Conduct
Committee held on 28 September 2017.

(f) The ExCo noted the updates on risk management and compliance.

PExCo 17/167 MINUTES OF THE MEETING HELD ON 12 SEPTEMBER 2017

(a) It was agreed that the ExCo should have some further time to review
the minutes of the meeting held on 12 September 2017.

PExCo 17/168 MATTERS ARISING AND ACTIONS LIST

(a) It was agreed that those whose updates were outstanding would
provide them to VM, who would then find an appropriate time for the
meeting to be reconvened to consider the actions list and the minutes.

PExCo 17/169 ANY OTHER BUSINESS

(a) There being no further business the Chairman adjourned the meeting
at 4.25pm until later in the week.

PExCo 17/170 DATE OF NEXT MEETING

(a) The ExCo noted that its next meeting would be held on Friday 10
November at 9.00am.

The meeting was reconvened on Friday 20 October at 3.30pm

Present: Rob Clarkson (Chairman/RC) — Managing Director
Ryan Griffin (RG) Product Director
Ian Holloway (IH) Director of Risk and Compliance
Russell Tavener (RT) Chief of Operations
In Attendance: Victoria Moss (VM) Deputy Company Secretary
Apologies: Michelle Downs (MD) Head of Change Management
Ben Foat (BF) Head of Legal
Victoria Heath (VH) Marketing Director
Sean Leahy (SL) Head of HR
Simon Parr (SP) Chief Financial Officer

PExCo 17/171 MINUTES OF THE MEETING HELD ON 12 SEPTEMBER 2017

(a) The minutes of the meeting held on 12 September 2017 were approved
and the Chairman was authorised to sign them as a true record of that
meeting.

PExCo 17/172 MATTERS ARISING AND ACTIONS LIST

(a) Actions relating to the Master Services and Distribution
Agreements (MSA and DA) - it was noted that the Senior Managers
and Certification Regime (SMCR) could affect the MSA and DA, so there
would be a delay in the finalisation of these agreements for further
review; they would not be completed by November 2017. It was agreed
that a short update on the progress with the MSA and DA negotiations
be emailed to the Board.
ACTION: RT/RC

(b) Action PExCo 17/125 — it was agreed that this action regarding
consideration of the specification within the MSA of the provision of
customer experience surveys be closed.

(c) Actions PExCo 17/52(g) and 17/52(i) — it was agreed that these two
actions regarding contract management be closed.

(d) Actions PExCo 17/80(d) and 17/94(f) — these actions related to
cancellation MI and the Chairman queried whether reports were now
being received. RT explained that there had been some questions over
the provision of data for the life and over 50s products but these were
now being addressed. The Chairman noted that MI was expected for
travel policies taken out in branch, cancelled and allocated back to
branch. The Chairman sought assurance from IH that he was content
with the conduct risk MI. IH stated that progress was being made in
identifying and addressing any gaps but more granular information was
required. The ExCo agreed that both these actions should be closed
but that a new action be added to the list, consolidating all actions
relating to MI. This new action would include a request for IH to review
whether the required conduct risk reporting was being effectively
captured and the schedule of delivery for the MI programme, to be
communicated to the Audit, Risk and Compliance Committee.
ACTION: IH

(e) Action PExCo 17/94(d) — Post Office’s Enhanced User Management
(EUM) project was critical for the management of the Appointed
Representative (AR) risk and the implementation of the Insurance
Distribution Directive (IDD) in early 2018. The structure and lead of the
project steering group had changed, resulting in the Company no longer
being represented; it was agreed that RC would escalate this matter to
Kevin Gilliland, Post Office Chief Executive for Retail. IH confirmed that
the Company had engagement with the working group which reported
into the steering group. It was further agreed that RG, as the sponsor
for IDD, would work with IH on the scope of the Company’s
requirements and the necessary timelines for progress to comply with
IDD.
ACTION: RC
ACTION: RG/IH

(f) Action PExCo 17/101(d) — it was agreed that this action relating to
investment options be closed.

(g) Action PExCo 17/105(c) — it was noted that this GI strategy action
would be addressed with the strategy in November. The action would
be closed.

(h) Action PExCo 17/111(i) — the appropriate timing for an update on
SMCR was discussed and it was agreed that, considering
implementation was not expected before the end of 2018, a briefing to
the Audit, Risk and Compliance Committee (ARC) in December would
be too early. It was agreed that IH would discuss with Amanda Bowe,
Chairman of the ARC, a rescheduling of this briefing and what
alternative briefing should be provided in December 2017. An update
on SMCR would be provided to the ExCo in January 2018.
ACTION: IH

(i) Action PExCo 17/114(c) — it was agreed that IH would discuss with VH
the build of the financial promotions system, ensuring no duplication.
ACTION: IH

(j) Action PExCo 17/114(h) — the ExCo noted the progress made with the
review of the Company's policies and the successful introduction of a
staff attestation. There was more work to be done but it was agreed
that the action be closed.

(k) Action PExCo 17/127(b) — it was agreed that this action relating to
Webhelp’s accountability be closed, noting that it would be addressed
in the strategy discussions in November 2017.

(l) Action PExCo 17/128(e) — IH drew the ExCo’s attention to the status
update he had provided on this action relating to the provision of branch
data on complaints. He emphasised the importance of being able to
take a complaint in branch on products sold in branch.

(m) Action PExCo 17/141(c) — RG reported that a piece of work was in
progress on the integration with the FRES app. An update was
provided at the weekly trading meetings and the ExCo would receive a
report at its next meeting in November 2017.
ACTION: RG

(n) Action PExCo 17/141(d) — the action relating to the structure of future
trading reports had been noted by RG and would be closed.

(o) Action PExCo 17/141(e) — a list of trading initiatives would be included
in future trading reports.

(p) Action PExCo 17/143(c) — this action was in progress to analyse MI
from Webhelp exit interviews.

(q) Action PExCo 17/143(d) — it was agreed that this action relating to
Webhelp’s removal from the list of risks outside appetite be closed.

(r) Action PExCo 17/143(i) — further information on the home claims data
would be considered by the ProdCo and then submitted to the ExCo in
January 2018.

(s) Action PExCo 17/143(k) — it was confirmed that the action concerning
the training of life agents had been completed.

(t) Action PExCo 17/144(h) — it was confirmed that the action concerning
customer self-service had been completed.

(u) Action PExCo 17/145(b) — it was confirmed that the action concerning
complaints data for regulated products had been completed.

(v) Action PExCo 17/145(c) — it was confirmed that the investigation into
the reported reduction in complaint volumes for travel had been
included in the complaints analysis for regulated products. The action
had been completed.

(w) Actions PExCo 17/146(d) and 17/146(f) — these two actions relating
to policy approvals had both been completed with the resubmission to
ExCo of the revised Ex Gratia, Outsourcing and Procurement policies.

(x) Action PExCo 17/147(c) — the Chairman noted the importance of
understanding capability in relation to the distribution strategy. A
discussion had been scheduled with Roger Gale, Post Office Sales and
Trade Marketing Director, as part of the development of the five year
plan. It was agreed that IH should be brought into those discussions to
manage the conduct risk.
ACTION: RG

(y) Action PExCo 17/150(f) — regarding the management of the AR risk,
IH emphasised the need for clarity around the operating model for
managing the AR and the current gap. The EUM project would be
critical for this. IH confirmed that he would provide an update to the
ExCo in November 2017.

(z) The ExCo noted the actions list.
PExCo 17/173 ANY OTHER BUSINESS
(a) There being no further business, the meeting was closed at 4.15pm.

RCC 17/100 - 17/110

POST OFFICE MANAGEMENT SERVICES LIMITED (Company)
RISK, COMPLIANCE AND CONDUCT COMMITTEE (RCCC)
(A committee of the Executive)

Minutes of an RCCC meeting held at
Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ
On 29 November 2017 at 11.00am — 12.30pm

Present: Ian Holloway (Chair) POMS Risk and Compliance Director
Russell Tavener (RT) Chief Operations Officer
Stephen Gaines (SG) POMS Compliance Manager
Michael Brown (MB) Deputy for Head of Commercial
Sanjeeve Thakrar (ST) Risk Manager
Alberto Zannatta (AZ) Audit Manager Corporate Services
Renata Prywerek (PK) Legal Counsel
Beverley Turner (BT) Senior Product Manager GI
Dan Tremain (DT) Senior Product Manager Life
Ehtsham Ali (EA) Senior Compliance Manager IPA
Ann Young (AY) Compliance Advisor

Apologies: Gill Craig (GC) Deputy for Head of Travel
Francisco Couto (FC) Head of FS Legal
Ryan Griffin (RG) Head of Protection

Elizabeth McMenemy (EMM) Compliance Advisor
RCC17/100 WELCOME, QUORUM AND CONFLICTS OF INTEREST

(a) The Chairman declared the meeting quorate and open.

RCC17/101 MINUTES OF THE MEETING HELD ON 7 November 2017

(a) The minutes of the meeting held on 7 November 2017 were approved
and the Chairman was authorised to sign them as a true record of the
meeting.

RCC17/102 RISK MANAGEMENT

(a) ST confirmed that the POMS Risk Register had 83 risks recorded, 4 of
which are considered outside of appetite.

1. Appointed Representatives — ST confirmed that this remains outside
appetite.

2. Strategy — This risk remains outside appetite and is expected to
come within appetite in the coming months.

3. Marketing - Following a restructure, this risk is expected to be
within appetite by mid-2018. Victoria Heath and Caroline Keany
are working to bring this risk within appetite.

4. Limited Reconciliation — This risk was raised by Simon Parr and
relates to reconciling cash received against business volumes
written. Work is ongoing to provide appropriate system based
reconciliation controls and is expected to be completed by May
2018.

POMS RCCC minutes, 29 November 2017 Draft Page 1 of 4


(b) ST confirmed that the Post Office are considering the risk management
system Archer.

(c) RT asked if 83 risks on the risk register was too many. ST confirmed that
some of the risk were relatively low but still needed to be recorded. IH
confirmed that he considered the number to be low considering the
complexity of the business. All the risks were assessed periodically.

(d) IH informed the forum that a paper will be going to ARC detailing POMS
plan regarding the Appointed Representative. The paper will contain
information on risk tolerance, EUM, Staff training and competence and
will set out clear timescales for completion.

RCC 17/103 INCIDENT MANAGEMENT

(a) ST confirmed that there had been no new incidents reported this month.

(b) ST reported that Carl Roe had delivered the presentation on the incident
reporting procedure.

RCC17/104 1st LINE COMPLIANCE REPORT

(a) MB presented the re-engineered scorecard and confirmed that the over
50 cancellation data had now been received from Royal London.

(b) MB confirmed that complaints remain outside tolerance at 38.1%.
Collinson upheld rate was 59%. The main trend was delays in customers
payments. Collinson will provide root cause analysis in December.

(c) MB confirmed that the Mystery Shopping activity had increased in
October and a high failure rate had been identified in the Mortgage
Specialist videos. Ross Hunter is to provide feedback.

(d) MB also confirmed that the Customer Relationship Managers (CRM)
video also reported a high failure rate which has been attributed to not
following the process on the tablets. The network team are currently
reviewing the failures.

(e) MB confirmed that the Devitts complaint review is due to take place in
January 2018.

(f) IH discussed the lack of feedback from Collinson in which POMS were
not made aware that there had been a problem with customer’s payments
until a spike in complaints was identified. IH would like Collinson to be
advised to keep POMS informed at all times

RCC17/105 2nd LINE COMPLIANCE REPORTING

Action IH (a) SG provided the report from the Monitoring Team. This report confirmed
that the Monitoring Team has recommenced Branch Review and had
currently revisited 4 branches which had previously recorded a red score
on their review. It was reported that 2 of the branches revisited had
received another red score. It was agreed to discuss the next steps to be
taken with Nick Phillpott and the Network.

(b) SG advised the forum that the Mortgage Specialist Review had been
finalised. Currently no feedback has been received to date.


(c) AY provided an update on the VMS 2nd line monitoring and confirmed that
POMS Compliance is now engaged with FSRisk to discuss the 2nd Line
findings and to discuss the high level of amber scores that had been
recorded. It is hoped that a more comprehensive report will be
forthcoming in the future.

(d) SG discussed the second line monitoring report from Webhelp. SG
provided information on calls in which customer detriment had been
identified. A life sale appeared to persuade the customer to have critical
illness cover and one travel sale did not inform the customer that cover in
the UK must have two nights pre-booked accommodation.

RCC 17/106 POLICIES AND PROCEDURES

(a) No items were raised in Policies and Procedures this month.

RCC 17/107 INFORMATION PROTECTION AND ASSURANCE (IPA)
(a) EA provided a report on current issues within IPA:

(b) The Hexaware SMP document has not been finalised as there are concerns
that the security controls are not documented or not in place.

(c) POMS are looking to sign their own contract with Global Pay; this will bring
them out of the current PCI certification with Post Office. POMS are
investigating the option of self-certification. There is no change from the
last minutes.

(d) The Supplier Security questionnaire is scheduled to be sent out in December.

(e) EA also reported on the following external example of a security incident:
the Uber hack resulted in 57 million records of drivers and passengers
being stolen. This was poorly managed, resulting in the Chief Security
Officer losing their job. Uber hid the breach for a year and paid a
ransom instead, which is not best practice. There is no guarantee that the
stolen data has been destroyed or whether it is being sold on the dark web.

It was confirmed that there is no impact to the Post Office but serves as a
good reminder.

RCC 17/108 MATTERS ARISING AND ACTIONS LIST
(a) Agreed by all that Action Log will be circulated with required responses
actioned.
RCC 17/109 INTERNAL AUDIT
(a) AZ provided a report for the forum on the work carried out by Internal
Audit:
• Duck Creek Assessment of controls framework — Draft report to
be finalised
• MI Discovery phase — project assessment is in an advisory
capacity to ensure the project delivers the expected and fit for
purpose outcomes
• Change Management Process — Scope to be finalised by the end
of November
• Readiness to European Data Protection Regulations — Scope to
be finalised in December
RCC 17/110 ANY OTHER BUSINESS
Action ST ST to invite the Head of Travel to the next RCC Meeting in Jan 2018

There was no other business raised. There being no further business the
meeting was closed.

The next meeting of the RCC will be held on 19 December 2017 at
11.00am. This will be a shorter meeting due to the commitments for
Christmas Maker.


RCC 17/111 - 17/114

POST OFFICE MANAGEMENT SERVICES LIMITED (Company)
RISK, COMPLIANCE AND CONDUCT COMMITTEE (RCCC)
(A committee of the Executive)

Minutes of an RCCC meeting held at
Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ
On 19 December 2017 at 11.00am — 12.00pm

Present: Ian Holloway (Chair) POMS Risk and Compliance Director
Russell Tavener (RT) Chief Operations Officer
Stephen Gaines (SG) POMS Compliance Manager
Sanjeeve Thakrar (ST) Risk Manager
Alberto Zannatta (AZ) Audit Manager Corporate Services
Renata Prywerek (PK) Legal Counsel
Beverley Turner (BT) Senior Product Manager GI
Elizabeth McMenemy (EMM) Compliance Advisor
Gill Craig (GC) Deputy for Head of Travel
Ann Young (AY) Compliance Advisor

Apologies:
Francisco Couto (FC) Head of FS Legal
Ryan Griffin (RG) Head of Protection
Michael Brown (MB) Deputy for Head of Commercial
Dan Tremain (DT) Senior Product Manager Life
Ehtsham Ali (EA) Senior Compliance Manager IPA

RCC17/111 WELCOME, QUORUM AND CONFLICTS OF INTEREST

(a) The Chairman declared the meeting quorate and open. ST explained
that this meeting would be short due to the Christmas period and the
absence of key personnel working in Branch. This meeting will
concentrate on outstanding actions and anything deemed to be urgent.

RCC17/112 MINUTES OF THE MEETING HELD ON 29 November 2017

(a) The minutes of the meeting held on 29 November 2017 were not
approved at this meeting and the Chairman confirmed that they will be
taken off line.

RCC17/113 OUTSTANDING ACTIONS LIST

POMS RCCC minutes, 19 December 2017 Draft Page 1 of 3


(a) Action 17/61 (e) Tracking FOS Complaints — RT confirmed that the
procedure for tracking the FOS complaints is to be issued imminently —
Action Closed

(b) Action 17/77 (b) Home claim report — RT is to continue to ask for clarity
on the Home Claim report produced by Junction - Open

(c) Action 17/93 (d) Repudiated claim on Home Insurance. BT confirmed
that she has asked Junction to provide further information - Open

(d) Action 17/95 (b) TIF Audit — RT confirmed that TIF are open to POMS
conducting a review but are resistant to the use of a third party to conduct
the review. RT further confirmed that following the Quarterly Business
review RT would be looking to instigate formal actions or sanctions if this
is not resolved. - Open

(e) Action 17/96 (b) Policies and Procedures — ST confirmed that he will be
meeting with Victoria Moss to update the 10 POMS procedures and 16
POL procedures and ensure that POMS is aware when a POL procedure
is updated. - Open

(f) Action 17/99 (a) IDD — IH confirmed that he will provide a fuller update in
Jan 2018. A brief update was provided to the meeting. There is continued
pressure on the Network to provide IDD training for the sales force. IH is
reasonably confident that the deadlines will be met. There will be a
greater focus on Travel insurance. There is focus on the training record
keeping and there will be a manual process until EUM commences in
July. The records should be electronically stored by Feb 2019. - Open

(g) Action 17/104 (f) Feedback from Collinson- Feedback from Collinson
regarding delay in payment has been received and is now closed.

(h) Action 17/105 (a) Branch Escalation Process — Discussions have taken
place with Nick Phillott and similar discussions will take place with the
Network to ensure that Branches which consistently fail the audits will be
turned off from sales until improvement can be confirmed. Closed

(i) Action 17/110 (a) New Head of Travel — ST confirmed that invitations to
join the RCCC meeting will be extended to the new Head of Travel and
the new Head of GI. Open

RCC 17/114 ANY OTHER BUSINESS
Action IH (a) IH to review the Terms of Reference for the RCC for 2018.
Action ST (b) ST to ensure that Renata Prywerek is included in the invitations for the
RCCC.
(c) IH discussed the out of tolerance risk (Appointed Representative) and
confirmed that the intention is to bring this risk back into tolerance next
year. It is hoped that EUM will play a major part in achieving this.

(d) MI — IH discussed recommendations from ARC that the business should
move to meaningful MI data and actions have been undertaken to
achieve this.


(e) AZ enquired about the Collinson audit undertaken a few weeks ago. RT
confirmed that a better outcome is expected as opposed to the previous
audit. RT to liaise with Ian Coughtrey on the timeline for the publication
of the audit.

Action RT & RP (f) RP discussed a recent litigation incident which has happened in
Finsbury Dials. RT wanted to know if there was anything in place to
prevent a re-occurrence. From the discussion it was evident that re-
occurrence could happen as there is no control on where the litigation
paperwork could appear. RT agreed to produce a communication to
POMS and RP to provide a channel of communication for litigation.

Action IH & ST (g) AZ suggested sending an invitation to Sally Smith to cover financial
crime. It was suggested that ST send the invitation on alternative
months starting from January 2018 and IH will send Sally an email to
explain.

(h) There was no other business raised. There being no further business
the meeting was closed.

(i) The next meeting of the RCC will be held on 31 January 2018 at 10.30
am.

POST OFFICE PAGE 1 OF 3
RISK AND COMPLIANCE COMMITTEE PROJECT DEEP DIVE

EUM Programme update

Author: Julie Thomas Sponsor: Debbie Smith Meeting date: 18 January 2018

Executive Summary

Context

The Enhanced User Management (EUM) Programme will introduce a new system
based on individual ‘log-on’ IDs which will limit access to Horizon to staff who are
vetted and only allow them to sell products for which they have completed mandatory
training.

There are now over 700 branches live, including the POMS top 500 selling branches
for financial services products. The solution design has been reviewed and additional
functionality added to make this fit for purpose for our current Horizon platform and a
franchise, not employee network.

Questions this paper addresses

1. What is the status and outlook?
2. What are the implications?

Conclusion

1. A refreshed EUM business case has been completed and is progressing through the
business approvals process this month (POL Board 29 January). Our IT suppliers are
ready to move into development for the new design; part of this is the integration of
Success Factors with Horizon to match training records to the user.

2. The programme has been delayed by 12 months, but joining all 60,000 users to
SmartID is continuing at pace. This new scope and plan will see 8000 branches,
covering 95% of financial service income, live by July 2018 to coincide with the
activation of the training control function. The remaining branches are planned to go
live by the autumn.

Input Sought

The Risk and Compliance Committee is asked to note the current status of the EUM
Programme.

Strictly Confidential Board Intelligence Hub template

POL-BSFF-0218823_0191

POST OFFICE PAGE 2 OF 3

The Report

What are we trying to achieve?

1. The EUM programme has undergone an extensive review to understand the key
issues which will prevent/hinder its successful deployment, many of which have
been identified during the early stages of implementation. A new design has been
developed and the component parts authorised via the EUM Steering Group. This
has allowed a refreshed business case to be produced which is expected to go to
POL Board on 29 January.

What is the status and outlook?

Is the project on time?

2. The programme has been extended by 12 months, partly due to the delay to
Success Factors (SF) implementation and partly due to the design changes
identified during the EUM review as a result of early implementation issues.

3. The roll-out of SmartID continues on a non-integrated basis, i.e. using a holding
database for user records instead of SF Employee Central and its ‘Biz X’ layer for
Agents and their assistants. Once users have been issued a SmartID, we have
confidence that they have been vetted and they can be linked to their training
record.

4. The roll-out can only go as fast as data cleansing which must happen prior to
allowing a SmartID log on. There is also a huge dependency on Success Factors
enabling Employee Central, so that we can achieve full integration. By continuing
data cleansing and issuing SmartIDs, we are de-risking the plan; as soon as SF is
ready, we can integrate.

5. The business case will re-baseline the plan. Our IT suppliers have worked closely
with us and commercial terms are in place for the changes. We will reserve test
rig and release timeslots with Fujitsu once the revised business case is approved to
further assure our plan.

Is the project on budget?

6. The refreshed business case, if approved, will result in a £2.5m overspend. This is
driven by IT enhancements (£1.6m) and the extension of the programme and support
team (£900k).

7. Since the IT enhancements are supported by Commercial Terms from our IT
suppliers, the risk of overspend is low.

Is the project on track to deliver the planned benefits?

8. The key outcome of the project is to ensure POL is compliant with various
regulations, mainly through ensuring 100% training conformance and locking users
out of Horizon through training controls if they fail to complete training on time.

9. The latest training conformance rating was 85% for SmartID users and this
compares well to the usual 67% conformance achieved in the rest of the network prior to
intervention by Branch Standards.


POL-BSFF-0218823_0192

POST OFFICE PAGE 3 OF 3

10. Training controls will be activated in July 2018, once the training user role has
been developed which will allow users to regain access to Horizon in real time
should they be locked out of products for training non-conformance. This training
user role will protect the operation for our customers by minimising the number of
closed counters or branches.

What are the implications?

Overall, how confident do you feel in the outlook?

11. Once the refreshed business case is authorised, the delivery confidence level will
move from Red to Amber. It cannot be set at Green due to the dependency on
Success Factors and the IT testing not yet completed. This position will become
clearer in March 2018.

Should we alter our plans or expectations?

12. This is addressed by the business case to go to POL Board this month.

What are the implications or lessons for any other part of the business?

13. The review of the EUM design was a result of the early implementation issues.
It has been documented and agreed that there was insufficient Network input into
the solution, and this is the reason the sponsorship has moved into Retail and a
Programme Director with extensive Network experience has been assigned.


POL-BSFF-0218823_0193
Risk Exception Request Confidential

Ref: V1.3
Title: SuccessFactors Access on Non-Corporate Devices
Category:
Owner (name & title): Martyn Lewis - Programme Director
Contact Point (name & title): Mark South - Programme Manager
Date Raised: 02/01/2018
Duration: 6 months
Target Closure: 30 June 2018
Review Frequency: monthly

Proposed Exception:

Specific Area of Exception:

SuccessFactors is a cloud-based SaaS HR platform from SAP’s ERP suite and will be the Post Office replacement for HR SAP
and six other HR systems from 8 January 2018. The SuccessFactors application will empower employees to manage their
own personal data through the self-service portal, with a view to significantly improving the integrity, security and availability
of HR and Payroll data.

The premise of this SuccessFactors cloud platform is that it will provide real time services and functionality to those that
currently don’t have access to corporate devices. This includes frontline employees that are without access to PCs, and non-
employees such as agents and agent assistants, for agent/agent assistant joiner, mover and leaver changes and access to learning
and the management of learning compliance.

The flexibility of being able to access the platform without concern for the device or location holds benefits from a business
continuity perspective. For instance, Payroll could continue to be managed without a functioning office or IT assets.

Moving to SuccessFactors with the current design will mean that Post Office will lessen the need to share sensitive and
personal data using the current manual processes which have inherent risks; e.g. data is downloaded from HR SAP into Excel
files (with password protection) and emailed to the relevant individual. This Outlook email account could then be accessed
via a non-corporate device. The password could then be removed and forwarded, downloaded, printed etc. with no audit
trail or knowledge of this happening within the business.

The project team has identified that access via non-corporate devices may not have the same level of security as access
through corporate devices. This creates information security and data protection risks.

The Post Office implementation of SuccessFactors is due to be deployed on 8 January 2018 using the standard
SuccessFactors webpage security and vendor supplied mobile applications, which will enable all staff to access the solution on
controlled corporate devices as well as on non-corporate PC and mobile devices.

This risk exception seeks approval to continue to deployment on 8 January. Separately work will continue to address the
identified risks.

Rationale for request — Benefits:
This section is to set out the benefits of proceeding now — subject to the risk exception — rather than deferring until the risk has
been addressed.

- Cost avoidance of c£1 million (this would be the minimum spend for any delay to the programme at this point).
- Providing employees the ability to take responsibility for the accuracy of their personal data — supports GDPR principles.
- Increased certainty of payroll accuracy.
- Move to a more stable HR and payroll solution, moving from the legacy systems.
- Improved approach to business continuity planning.
- Provision of better reporting and management tools for managers.

Risk Assessment
KEY RISKS:

1. Proceeding to implement SuccessFactors now, ahead of addressing certain data protection and information security risks,
will carry the following additional risks, whereby those with access to data could, in breach of data protection and
Post Office policy requirements, download, copy, export and distribute personal data of employees via non-corporate
devices:
- Line managers will be able to view and take actions on job and compensation data for their [direct] employees on a
non-corporate device. [The ability to run reports or download data is not available.]

- HRSC Payroll Administrators (c5 staff) will be able to access pay information on non-corporate devices, which
includes bank details. Payroll have access to view payslip-level data, and will be the only role that can access bank details.

- HRSC Payroll Executors (2 staff) will have access to pay information and be able to execute payroll, but will not have
access to bank details. This role allows the execution of employees’ payroll.

- HRSC Service Desk staff (c20 staff) will have view-only access to pay information and will be able to edit certain
personal data. Part of their responsibilities are to support payroll queries and to assist in changing personal data for
those who do not have access to SuccessFactors to manage their own data through self-service.

- HRSC HR Administrators (c25 staff) will be able to access and change job and compensation data on non-corporate
devices. Administrators will be able to change job and compensation information, and some basic personal data.

- Post Office SuccessFactors System Administrators (4 staff) will be able to access all the functions and data necessary
to carry out their roles through non-corporate devices. Limited to 4 individuals, but data access is absolute. [They do
not have the ability to edit bank details.]

- MI Reporting (2 staff) roles will have access to business-related HR data maintained for management reporting
purposes, not personal sensitive data. The MI team’s access is limited to job and compensation information, but will
exclude unnecessary personal data such as personal contact details, bank details etc.

- Post Office have limited audit trail or knowledge of any activity taken on a non-corporate device such as printing,
downloading or copying in any other format.

2. Implementing the proposal without the necessary technical solution in place would potentially mean that the Post Office
has not taken the necessary technical measures to meet its statutory obligations from the go-live date.

3. Any audit or investigation by the Regulator could lead to sanctions being made against the Post Office that would have
both a financial and non-financial impact.

4. In light of the recent Morrisons litigation, actions by a rogue employee (including unauthorised export and use of
personal data) could result in adverse publicity, actions by employees resulting in significant costs and reputational
damage, and enquiries and sanctions from regulators. After May 2018 these regulatory sanctions will have a more severe
impact (potentially up to 4% of worldwide turnover).

Net Risk Rating:
Net Impact:
Net Likelihood:

Assessment against Risk Appetite:

The relevant risk appetite statements are:

Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances where there are significant conflicting
imperatives between conformance and commercial practicality

Averse risk appetite for litigation in relation to high profile cases / issues

Averse risk appetite for not complying with law and regulations or deviation from business’ conduct standards

Averse risk appetite for unethical behaviour including staff Misfeasance

Averse appetite for data loss/leakage that can lead to customer, commercial or reputational damage

Averse appetite for inaccurate and unreliable processing of data.

Averse risk appetite for any serious impact to the confidentiality, integrity and availability of information, leading to
financial loss, business disruption, public embarrassment or legal consequences.

Aggregate Risk Assessment (TO BE COMPLETED BY THE CENTRAL RISK TEAM):

Impact of ER being declined:
There are 2 options:

1. Delay implementation of SF, which would result in increased costs at the rate of c£500k per month until the next viable
launch date of [end March]. However, at this stage there is no certainty that a permanent solution would be available to
be implemented by that date; or

2. Launch SF in accordance with the proposed timeline, however access to SF would be limited to the corporate network.
This would have adverse impacts for:

- Employees in large branches and Supply Chain depots where employees have limited access to PCs and may be
restricted to access via their Manager's PC.

- Agents and assistants would not be able to access on-line training modules via SuccessFactors. This is a key
dependency for the EUM project.

Mitigation

Each mitigation is listed as: Action; Risk reduction; Owner; Target Date.

1. Action: A directive from the Group HR Director will be issued to staff in the HR Service Centre mandating that access to
SuccessFactors must only be from Post Office supplied devices and during normal working hours.
Risk reduction: Will not reduce risk impact but will make the occurrence less likely, as it will be a termination offence if ignored.
Owner: Joe Connor. Target Date: 8 Jan 2018.

2. Action: Weekly monitoring of access via IP addresses of non-corporate devices.
Risk reduction: Staff will be aware of the pro-active monitoring and will not ignore the policies.
Owner: Joe Connor. Target Date: w/c 8 Jan 2018.

3. Action: Install a password manager that encrypts the user's password and stores it on their work machine (within 3
weeks of go live). Passwords are deployed centrally, with the users not knowing their log-on. This will prevent them
from accessing at home. This will no longer be required once the corporate solution (combination of SSO/BYOD) is rolled out.
Risk reduction: Yes - to within appetite as per HR SAP confirmation.
Owner: Ben Cooke. Target Date: 26 Jan 2018.

4. Action: Suitable training and information during the roll out of SuccessFactors to all line managers and to new joiners
on their responsibilities to not disclose the HR data they need to access to conduct their roles.
Risk reduction: Likelihood of risk occurrence will decrease.
Owner: Martyn Lewis. Target Date: 8 Jan 2018.

5. Action: A corporate solution (combination of SSO/BYOD) will be rolled out. The solution must be in place within 6 months
(30th June 2018). If this timetable is not achieved, the use of SuccessFactors must be limited to Post Office devices by
IP whitelisting. This will implement greater controls across our entire suite of applications including SuccessFactors.
Risk reduction: Yes.
Owner: Ben Cooke. Target Date: 30 June 2018.
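As an added illustration of the "weekly monitoring of access via IP addresses of non-corporate devices" control and the IP whitelisting fallback described in the mitigations above (example code written for this page, not Post Office or supplier code), the script below reviews a constructed access log and flags sensitive-role logins that come from outside the corporate address ranges or fall outside normal working hours. The log format, the address ranges, the role names and the working-hours window are all constructed assumptions.

```python
"""Review of access records for the 'monitoring of access via IP addresses of
non-corporate devices' control: flag sensitive-role logins that come from
outside the corporate address ranges or fall outside normal working hours.

Added illustration only; not Post Office or supplier code. The log format,
address ranges, role names and working-hours window are constructed
assumptions for the example."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Tuple

# Assumed corporate address ranges (private/documentation ranges used as
# placeholders; real ranges would come from the network team).
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

# Roles the risk exception identifies as able to reach pay or bank data.
SENSITIVE_ROLES = {
    "HRSC Payroll Administrator",
    "HRSC Payroll Executor",
    "HRSC Service Desk",
    "HRSC HR Administrator",
    "System Administrator",
}

# Assumed "normal working hours" window, Monday to Friday.
WORKING_HOURS: Tuple[time, time] = (time(8, 0), time(18, 0))


@dataclass(frozen=True)
class Finding:
    user: str
    role: str
    source_ip: str
    timestamp: str
    reasons: Tuple[str, ...]


def is_corporate(ip: str) -> bool:
    """True when the address sits inside one of the corporate ranges.
    The same predicate would serve as the IP whitelisting check."""
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def within_working_hours(ts: datetime) -> bool:
    """Monday to Friday, within the assumed working-hours window."""
    start, end = WORKING_HOURS
    return ts.weekday() < 5 and start <= ts.time() <= end


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Constructed tab-separated format: ISO timestamp, user, role, source IP."""
    ts, user, role, ip = line.rstrip("\n").split("\t")
    return datetime.fromisoformat(ts), user, role, ip


def review_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per sensitive-role login that breaches the directive."""
    findings: List[Finding] = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, role, ip = parse_line(line)
        if role not in SENSITIVE_ROLES:
            continue  # line managers etc. are out of scope for this control
        reasons = []
        if not is_corporate(ip):
            reasons.append("non-corporate source address")
        if not within_working_hours(ts):
            reasons.append("outside normal working hours")
        if reasons:
            findings.append(Finding(user, role, ip, ts.isoformat(), tuple(reasons)))
    return findings


# Constructed sample records (2018-01-09 is a Tuesday, 2018-01-13 a Saturday).
SAMPLE_LOG = [
    "2018-01-09T09:15:00\tpayroll01\tHRSC Payroll Administrator\t10.20.30.40",
    "2018-01-09T21:40:00\tpayroll01\tHRSC Payroll Administrator\t203.0.113.7",
    "2018-01-13T10:00:00\tsd07\tHRSC Service Desk\t10.1.2.3",
    "2018-01-10T11:00:00\tmgr42\tLine Manager\t198.51.100.9",
    "2018-01-10T11:00:00\tsysadm1\tSystem Administrator\t198.51.100.9",
]


if __name__ == "__main__":
    for f in review_access_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.user} ({f.role}) from {f.source_ip}: "
              + "; ".join(f.reasons))
```

On the constructed sample the review reports three findings: the payroll administrator's evening login from a non-corporate address (both reasons), the service desk login on a Saturday from a corporate address, and the system administrator's daytime login from a non-corporate address. The line manager record is skipped because that role is outside the directive's scope.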

Contingency Planning

If we were unable to implement the outlined technical solution within 6 months, the system would need to be locked down
to corporate devices only.

Approval:

Accountable Owner Approval Rationale:

Martin Kirke- Group HR Director

Through the enforcement of strict policies and pro-active monitoring governing the staff in the HR Service Centre to mandate
that only corporate encrypted devices are used from within the Post Office corporate network, I am satisfied this data risk is
acceptable until a technical restriction can be implemented to further protect the HR data process as part of these critical
roles.

Approvers:
Name & Title Signature Date
Martin Kirke- Group HR Director 14 December 2017
Page 3 of 4

POL-BSFF-0218823_0196

Closure:
Closure Approved by:
Lessons Learned:
Page 4 of 4

POL-BSFF-0218823_0197
POL ARC

SUMMARY OF ACTIVITY SEPTEMBER - NOVEMBER 2017

Updates from the POMS ARC

- Concerns about oversight of POL which is the most significant risk to POMS
as principal:
  - Dependency on EUM & SuccessFactors to address risk relating to
appropriate qualification of branch sales network
  - Vulnerable customers

Approval of the Accounts (September)

- Management letter (November)

  - Change of assumption from full impairment means that there needs to
be careful consideration as to whether capital spend represents ‘assets
under construction’ or value to be impaired, and development of
controls to address the risks arising from this

  - Branch locations/addresses - different systems and processes drive
differing results: reconciliation being undertaken

Review of the Executive Declaration process to support risks being disclosed in
the ARA.

Internal Audit

- No ‘red’ rated audits.
- Concern that audit actions are slipping and due dates being revised -
monitoring this

Review of Risks:

- Reviewed ‘Top risks’ for ARA
- Roll out of Placemat and review of operational risks & controls by function
(Finance & Operations, Legal Risk & Governance, Telecoms,
Payment/Government Services)
- Regular review of key ‘operational risks’ including financial controls,
financial crime, FS conduct risk, change, BCP/DR
  - Control framework being embedded in Finance & IT
  - Placemat remains work in progress, but enables deeper
understanding of material risks including strategic, regulatory and
resourcing risks
  - AML and BCP/DR risks remain of concern
  - Seeking better understanding of change risks
- AML - still waiting on formal notification of fine for breaches in relation to
bureau de change. Remediation plan underway, and key deliverables on time,
however there continue to be risks around timely delivery:
  - data analysis/modelling (due to Credence delays);
  - eKYC issues;
  - formal guidance still awaited on Fit & proper regime;

POL-BSFF-0218823_0198

  - work ongoing to provide further training to product managers; network
wide training at acceptable levels. 22 branches had Bureau transactions
switched off in November pending re-training.

- BC/IT DR:
  - while there have been recent issues, many of these are outside the
control of IT (DDoS, AEI failure due to anti-virus upgrade, POCA);
  - the continued delivery of the branch tech rollout (upgrade of comms,
hardware & software) continues with acceptable ‘failure’ levels. Will
continue to operate with significant - albeit reducing - risk until late
summer 2018.
- IT & Information Security - delays to implementation of SOC & DLP. Now
expected Q4 2017-18. Deep dive at ARC. Key controls are SOC, DLP (also for
GDPR) and behaviours.

Review of Insurance coverage levels (September)

Approval of Interest rate swaps (framework arising from POCA)

- Approved in principle, however ARC has requested a further update before
swaps are entered into - also depends on Treasury view.

Losses management and remediation plans

Tax Strategy

Approved policies:

- Data protection
- Financial crime
- Anti-bribery
- Whistleblowing
- Vulnerable customer
- Acceptable Use
- Cyber & Information Security

POL-BSFF-0218823_0199
POST OFFICE LIMITED PAGE 1 OF 5
RISK AND COMPLIANCE COMMITTEE GDPR PROGRAMME

GDPR Programme Update

Author: Clare D’Netto Sponsor: Jane MacLeod Meeting date: 18 January 2018

Executive Summary

Context

The General Data Protection Regulation (‘GDPR’) comes into effect in May 2018. Post
Office has a project underway to implement the necessary changes to achieve
compliance with the GDPR requirements. As a key stakeholder, the Risk and
Compliance Committee of Post Office Limited has requested an update on the progress
of implementing the necessary changes as they impact Post Office. A GDPR Training
Session will also be provided to the ARC on 23 January. The matters covered in this
paper will form the basis of that training.

Questions this paper addresses

1. What is the GDPR, how is it different from the Data Protection Act (1998)?

2. Where do we think we'll be by May 2018 and why is this appropriate from a risk
perspective?

3. What is our level of certainty and is there a risk to delivery?

Conclusion

1. There are few key changes as a result of the GDPR when compared to the DPA,
however these will have significant impact on the Post Office due to the
complexity of the business and the legacy risks that the business currently has,
which also need to be addressed to ensure compliance with the GDPR.

2. The GDPR programme has from inception flagged that it was unlikely to achieve
full compliance by May 2018. Instead the programme has taken a risk-based
approach to achieve ‘effective compliance’. This anticipates that:

- new activity¹ will be compliant from May 2018 (if not before)

- remediations for existing activities which are high risk / high priority will be
completed by May 2018

- legacy issues will be remediated over time following a risk assessment and in
light of the relevant risk appetite.

¹ Includes new contracts, products and change programmes and the on boarding process
for new customers, employees and agents which will be GDPR compliant by May 2018.

POL-BSFF-0218823_0200

3. This approach is in line with the guidance the Programme has received from the
Department of Culture, Media & Sport (DCMS), which sponsors the Information
Commissioner’s Office (ICO), and a recent survey from Deloitte that indicated that
overall, only 15% of organisations surveyed expect to be fully compliant by May
2018, with the majority instead targeting a risk-based, defensible position.

4. The GDPR programme provides separate reports to the POMS Board. The scope
and residual risks for POMS are lower than for the wider Post Office.

5. During 2017, the majority of the project activity was focussed on assessing the
current operational framework to understand the extent of remediation that is
required. Following this assessment we are now moving to remediation with a
21 week roadmap to deliver prioritised changes by 25 May 2018.

6. The status of the GDPR programme is considered to be Red based on our current
level of certainty of delivery of the roadmap. This is being addressed by the
Programme by continuing to work with the Business and partners to confirm
requirements, build detailed plans and gain certainty over whether the necessary
operational and technical changes can be made by May 2018, in light of lead
times and capacity. This process, which is due to be completed at end January,
will identify resourcing and budget issues that need to be addressed as part of
the development of remediation plans and possibly subject to individual business
cases e.g. Marketing and significant IT change.

7. The relevant UK legislation (Data Protection Bill) is currently going through
Parliament, so the law isn’t decided yet. In order to meet our timescales, we
need to make certain decisions without full information and these will be
presented as positioning papers via the Programme Governance.

8. Resource from Internal Audit will be provided to review our plans towards the end
of January 2018. There will be monthly reviews carried out in order to provide
comfort that suitable progress is being made.

Input Sought

The RCC is requested to note the report and consider whether we have correctly
prioritised the items that comprise effective compliance.

The Report

What is GDPR, how is it different to the Data Protection Act (DPA)?

9. The GDPR will replace the current DPA from 25 May 2018² and will give individuals
more control over the personal data that organisations hold, greater transparency
as to the personal data held, where it’s held, for how long, how it is used and
other core information that the Data Protection Act did not demand.

10. There are few key changes as a result of the GDPR when compared to the DPA,
however these will have significant impact on the Post Office due to the
complexity of the business and the legacy data risk that the business currently
carries, which will also need to be addressed to be compliant with the GDPR.

² [Footnote only partially legible in the source. It notes that, in light of Brexit, the UK
is implementing GDPR through separate UK legislation, which is being progressed through
Parliament, rather than relying on the direct application of the European regulation.]

Accountability

11. The assessment and documentation of processing activities and the establishment
of a Privacy Management Governance framework will allow Post Office to
demonstrate that it complies with the principles of accountability and
transparency required by the GDPR.

12. The GDPR Programme has completed an information audit and gap analysis to
risk assess the personal data processed by the Post Office, prioritising customer
personal data, where PO is the controller (c 40 product categories) as the areas
of greatest risk. We are now assessing lower risk areas.

13. This is a key deliverable for the Programme (due to the lack of existing
documentation) and will enable us to demonstrate to the Regulator that data
processes have been reviewed using a risk-based approach and areas of non-
compliance and risk have been identified.

14. The Post Office has outsourced the processing of its personal data to a number of
third parties. In order to ensure POL accountabilities have been clearly
discharged, it needs to be able to demonstrate oversight of those third parties.
The programme is implementing the appropriate controls, including governance
via contracts, documentation of processing activities (not available currently) and
establishment of an assurance process.

New and enhanced rights for individuals

Transparency

15. All privacy notices and policy documents will need to be updated to accurately
and clearly reflect how Post Office and its partners process personal data across
all products, channels and at the appropriate stages in the customer journey, as
identified in the gap analysis.

16. Existing customers will be contacted via re-papering of the new privacy notice.

17. This will also apply to new job applicants, employees and agents via contracts
and re-papering existing employees and agents directing them to an updated
privacy notice online.

18. For both, there is a dependency on the updated data rights procedures and
business-level retention schedules (a consistent gap) which are a component of
the Privacy Notices.

Consents

19. Historically marketing permissions have been opt-out, so all marketing
permissions across all channels (and partners) must be updated to include a
proactive opt-in for new customers. There is also a lack of consistency of
approach to permissions, which will be aligned as part of the Programme.

20. The DP Team and Marketing are working together to agree the approach and
wording to marketing permissions which is GDPR compliant, meets commercial
objectives and which can be rolled out across all channels and partners
(including joint controllers) to ensure that they are aligned.

21. In addition, Marketing and the Programme are scoping the risk to the Brands
database and the option of using legitimate interests to market to existing
customers.

Enhanced individual rights

22. The Post Office has an existing process for subject access requests which is
managed by the Information Rights Team (IRT). The Standard Operating
Procedure is being updated to reflect the enhancements and this will be
cascaded to the business. In order to respond to an assumed increase in
requests and the shorter timescales, the IRT has submitted a business case for
an e-case management tool to improve business processes and MI.

New individual rights

23. The “right to be forgotten” doesn’t apply to all of Post Office’s personal data and
is applicable where consent has been given for e.g. marketing and for special
categories of data.

24. This will apply to customer data, where POL is a Controller and will impact on
customer databases, including (Brands, MDM/Credence, CDP, Salesforce,
Horizon, Hexaware) and unstructured data.

25. The process is dependent on understanding data flows and suppliers having
the technical capability to delete (or ring-fence) data from their databases. This
is being assessed as part of the ‘Systems’ workstream.

26. The “right to data portability” is most applicable to insurance and financial
services and the Post Office is likely to adopt a simple manual solution (e.g. an
excel template) in line with industry standards.

27. These rights do not apply in all circumstances e.g. when personal data is
retained for legal or contractual reasons, however right to be forgotten is
presenting challenges to many organisations (Deloitte).

Controllers vs. Processors:

28. Data processors are now subject to increased accountabilities. Controllers need
to understand who has access to their personal data and ensure appropriate
due diligence is undertaken on suppliers, vendors and processors.

29. This is a significant risk for Post Office as, due to historic issues with contract
management, contracts with many IT suppliers do not contain appropriate
governance provisions. There is, therefore, a lack of shared understanding of
processing responsibilities. In many cases, documentation is not sufficient to
comply with GDPR nor in line with good contractual practices.

30. There are emerging risks to the clarity of processor and controller roles for Post
Office and partners including Moneycorp, Vocalink, Verify, BOI.

31. The GDPR Programme is addressing this using a risk-based approach; a high
level assessment has been done and ‘gold/silver/bronze’ categories have been
allocated so as to prioritise the updating of material contracts to be GDPR
compliant. The treatment strategy will also depend on the nature of the
relationship i.e. whether POL is a Controller or Processor.

POL-BSFF-0218823_0203

32. The Tower contracts have been prioritised as these will have the most
significant impact on personal customer data and business continuity.

33. It will be essential for contract management and change management processes
that all changes to services that could impact on how data is processed, are
subject to Impact Assessments and the relevant core documentation updated
accordingly. This process is not currently consistently followed within the Post
Office and there is unclear business ownership.

Information governance and security:

34. Privacy by Design, including Impact Assessments, will be required for higher
risk activities and organisations must ensure that data is kept safe and the risk
of data breach is minimised. The Post Office has already introduced this
approach to ensure that any new projects will be compliant, including
SuccessFactors, Travel Insurance, EUM, Vetting, HNGA and Accenture Outsourcing.

Data Breach Notification:

35. The GDPR will require data controllers to notify the ICO within 72 hours of
becoming aware of a personal data breach and the penalties have increased.

36. Data subjects must also be informed “when the personal data breach is likely to
result in a high risk to the rights and freedoms of individuals”.

37. The existing procedure will need to be updated and tested to ensure the
requirements can be met.

Increased penalties:

38. There is a tiered approach to fines: maximum fines of up to 20 million euros or
4% of global turnover can be imposed for the most serious infringements e.g.
not having sufficient customer consent to process data or violating the core of
Privacy by Design concepts. A company can be fined up to 2% of turnover for
not having their records in order. Article 28 states that controllers must only
appoint processors who can provide “sufficient guarantees” to meet the
requirements of the GDPR. This is a key driver of the information audit and
contract updates which will implement better controls for our data processors.

What is our level of certainty and is there a risk to delivery?

39. Appendix A describes the components of ‘effective compliance’ that we aim to
have in place by May 2018 and our current level of confidence in meeting that
timeline in light of operational and technical capacity and other key
dependencies. It also identifies those activities which will therefore extend
beyond that date.

POL-BSFF-0218823_0204
What is effective compliance?

A. All new activities are compliant with the GDPR in the areas described below by May 2018. These will include all new customer/agent/employee-facing activities (prioritised in this order).

B. Existing activities that will be remediated by May 2018 within the Post Office’s risk appetite.

C. It is proposed that the remediation of legacy risk in certain areas will continue beyond May 2018, however it is critical that by May 2018 Post Office has a defensible position i.e.:
- Data processes have been reviewed using a risk-based approach
- Areas of non-compliance and risk have been identified
- Plans are in place to address risks in a proportionate way

A. All new activities are compliant with the GDPR in the following areas by May 2018

Columns in the original table: Theme; Deliverable; What this means to Post Office; Residual Risk (if any); Why this is an acceptable position?; What are the steps to get there; Level of certainty; Risks & Dependencies.

Theme: Accountability
Deliverable: Privacy Management / Governance Framework
What this means to Post Office: Establish a Governance Framework that allows the Post Office [illegible] obligations to regulators. Requires business alignment, [illegible], contract management and change processes to ensure governance of personal data in BAU.
Residual risk (if any): n/a
Why this is an acceptable position? n/a
What are the steps to get there:
1) Create policy and procedure framework:
   a. DP Policy and Vision (complete)
   b. Procedures - Breach and rights, see below
   c. Security Standards
2) Draft Privacy Notice Strategy and wording
3) Create Record of Processing Activities at Legal Entity Level
4) Produce positioning papers for approvals via Programme Governance
5) Create templates and support business leads in completion:
   1) PIAs (done)
   2) Privacy Notices wording (PNs)
   3) Telephone Scripts wording
   4) Data Retention template (draft in circulation)
   5) Records of Processing Activity at entity level (inc. retention)
   6) Implement One Trust tool (in progress)
   7) Complete Information Audit and data mapping (in progress - see section B)
   8) Establish control framework and audit and ongoing assurance process as BAU - for suppliers and POL processes
Risks & Dependencies:
a. DP Resource and the availability of DP resource has been a constraint, but additional resources have now been, and continue to be, sourced.
b. A dependency on the Document Management Policy, so a pragmatic approach will be required for retention which can be updated.

Theme: Individual Rights (customer)
Deliverable: 100% Privacy Notices and Privacy wording updated
What this means to Post Office: All customer-facing privacy notices and privacy policy documents will be updated (including Horizon, branch (application forms), call centre, partners, PPS) where PO is controller or joint controller. Includes POMS, FS Products (BOI, Fres), Telecoms, Vow Retail, Drop and Go, Gov.UK Verify. Requires involvement of business leads, Marketing, Digital and IT for delivery of changes via existing change management processes, which may require reprioritisation of planned change.
Residual risk (if any): The Privacy Notices will be updated but there is risk that there are inaccuracies in the privacy notices [illegible]. There is parallel activity to re-procure Brands; the re-procurement won't be completed by May 2018. The defensible position will be that Post Office has identified the risk and agreed the roadmap to remediate this on a proportionate basis (see Table C).
Why this is an acceptable position? This is a legacy risk and it needs to be addressed; however, the complexity and dependencies with [illegible] complicate it.
What are the steps to get there:
1) Complete Product reviews for relevant products (40) including data flow and change logs (complete)
2) Agree and co-ordinate the remediation plan with Business Leads (in progress)
3) Work with the business and partners to agree requirements and lead times for operational and technical changes to be delivered by the business, which will be tracked and reported via the programme (in progress)
4) Engage Digital to raise CR and get the PN on the digital roadmap (complete)
5) Draft Privacy Notice strategy and wording for agreement with Marketing (in progress)
6) The Business-level Privacy language, which will be based on the Privacy strategy defined by DP, but agreement with partners will need business support and buy in
7) Implementation will be via the existing change processes
8) Engage with IT to co-ordinate technical changes via CRs as part of a wider IT roadmap (in progress)
Risks & Dependencies:
a) The Privacy Notice Strategy and wording needs to be drafted (by 19/1) and approved by Marketing.
b) We are finalising detailed plans with business leads and partners, and as soon as we have done this (by end Jan) it will increase certainty that operational and technical changes will be made in time based on change lead times / business capacity.
c) There is risk that there is inconsistency across partners, and a lack of clarity of the controller and processor may delay decisions on what is in the Privacy Notice (see also Marketing Permissions and contracts).
d) There is a dependency on the roll out of the Document Management Policy to address the legacy risk to retention, so a pragmatic solution to retention will need to be agreed for the privacy notices.
Theme: Individual Rights (customer)
Deliverable: 100% Marketing permissions updated
What this means to Post Office: All marketing permissions will be updated across all channels ([illegible], Hexaware, Webhelp, apps) for all situations where the Post Office captures consent for direct marketing for the business and partners. This includes POMS, FS Products (BOI, Fres), Telecoms, Vow Retail, Drop and Go, Gov.UK Verify. Requires involvement of business leads, Marketing, Digital and IT for delivery of changes via existing change management processes, which may require reprioritisation of planned change.
Residual risk (if any): n/a
Why this is an acceptable position? n/a
What are the steps to get there:
1) Complete Product reviews for the relevant products (40) including data flow and change logs (complete)
2) Agree and co-ordinate the remediation plan with Business Leads (in progress)
3) Work with the business (and with the support of the Business Leads) and partners to agree requirements and lead times for operational and technical changes to be delivered by the business, which will be tracked and reported via the programme (in progress)
4) Marketing to complete the assessment of marketing activities for the business and partners against proposed consents (in progress)
5) Engage with IT to co-ordinate technical changes via CRs as part of a wider IT roadmap (in progress)
6) Engage Digital to raise CR and get the PN on the digital roadmap (complete)
7) Draft Privacy Notice strategy and wording for agreement with marketing (in progress)
8) The Business-level Privacy language, which will be based on the permissions defined by DP and Marketing, but agreement with partners will need business support and buy in
9) Implementation will be via the existing change processes
Risks & Dependencies:
a. There is a risk that wording will not be acceptable to partners including BOI based on lack of clarity of responsibility, and this may require the input of Legal, which will delay resolution and risk not meeting IT change windows.
b. Delayed agreement of the Marketing Permissions wording to ensure compliance and that the messaging is on brand - advice from WBD recommends we are more explicit in our permissions wording, which requires quick resolution and agreement in order to meet change windows.
c. We are finalising detailed plans with business leads and partners, and as soon as we have done this (by end Jan) it will increase certainty that operational and technical changes will be made in time based on change lead times / business capacity.
d. There is a risk that the level of IT change required (configuration and interfaces) will be dependent on the option chosen, and this will impact on lead times and cost, which has not been budgeted for.
Theme: Individual Rights (customer)
Deliverable: 100% Other Consents Updated
What this means to Post Office: The form for consents for special categories of data (SCD) and profiling for new customers will be updated by May 2018 - this will probably apply to Insurance products where we process SCD and potentially for profiling as part of future marketing activities. Requires involvement of business leads, Marketing, Digital and IT for delivery of changes via existing change management processes. Requires involvement of POMS and Marketing to engage with relevant bodies and decide on approach to other consents.
Residual risk (if any): There is a risk that, as there is no clarity in the law relating to consents for SCD and cold data (Article 14), in order to meet change windows, changes that are made may not be compliant.
Why this is an acceptable position? This will be addressed by drafting a positioning paper on the proposed approach to consents for decision by the Programme governance.
What are the steps to get there:
1) Continue to engage with the Insurance industry (POMS/DP) and MediaLab (Marketing/DP) to understand an industry approach and produce a positioning paper for decision via the Programme Governance (in progress)
2) Continue to engage the business, including POMS and Product leads, so they can plan for these changes (in progress)
3) Wording and requirements for other consents to be confirmed with input from DP
4) Implementation will be via the existing change processes
Risks & Dependencies:
a. There is a dependency on making a decision on consents based on what is happening in the Insurance and Marketing industry for Special Categories of data and use of cold data. Delays to a decision on other consents will increase the risk to making the operational and technical changes by May, due to change lead times / business capacity.
Theme: Individual Rights (Employees and Agents)
Deliverable: 100% processes updated for new Agents, Employees and Job Applicants
What this means to Post Office: Privacy Notices and any relevant new contracts will be updated with the privacy policy. The form of consents will be updated for new Job Applicant, Employee and Agent data processes. Requires involvement of POL Legal, HR, Agents Remuneration, Digital and IT for delivery of changes via existing change management processes.
Residual risk (if any): There is risk that there are inaccuracies in the Privacy notices in terms of:
* Retention of data
* Purpose of processing
The defensible position will be that Post Office has identified the risk and agreed the roadmap to remediate this on a proportionate basis (see Table C).
Why this is an acceptable position? This is a legacy risk and it needs to be addressed. There are dependencies on back office transformation and success factors.
What are the steps to get there:
1) Complete process reviews including data flow and change logs (in progress)
2) Initiate activity for Privacy Notices and Consents for Job Applicants, Employees & Agents
3) Review and update employee contracts working with HR and Legal
4) Review and update Agent Contracts working with Agents team, WBD and Legal
5) Work with HR and Nick Beal's team to agree engagement of employees and the NFSP (see also re-papering)
Risks & Dependencies: An interdependency with the Contract workstream to create an updated contract for SPMs and engagement of the NFSP and the CWU for both.

Theme: Individual Rights (all)
Deliverable: 100% of requests follow the procedure for enhanced individual rights
What this means to Post Office: The Information Rights Team (IRT) will continue to co-ordinate this to ensure that we manage the shorter timescales and any increased demand. Requires involvement of the IRT to contribute to and test the process.
Residual risk (if any): n/a - the process will be compliant, but see above re: risk to exposure as a result of requests. This is a big risk that could be exposed in a DSAR or a breach.
Why this is an acceptable position? n/a
What are the steps to get there:
1) Update the Post Office procedure to reflect enhanced individual rights and cascade to the business to ensure compliance
2) The IRT procure an e-case tool to support the process
Theme: Individual Rights (all)
Deliverable: 100% of requests follow the procedure for new individual rights
What this means to Post Office: The Post Office procedure will be produced for new rights where they apply. Right to be forgotten applies where consent is used as a lawful basis, and the right to portability will be implemented in line with the relevant industry's approach. Requires involvement of the IRT and business leads to contribute to and test the process. Requires involvement from IT in the event of capability gaps being identified.
Residual risk (if any): Some existing systems already have built in deletion capabilities. This is being validated by the systems analysis. For those that don't, they will be approached in priority order according to the risk that failure to delete would have. The defensible position will be that Post Office has identified the risk and agreed the roadmap to remediate this on a proportionate basis (Section C). This is a big risk that could be exposed in a DSAR or a breach.
Why this is an acceptable position? This is a legacy risk that will be addressed.
What are the steps to get there:
1) Update the procedure to reflect enhanced individual rights and cascade to the business to ensure compliance
2) Validate existing capability of IT systems
3) Complete full assessment of solution for where this applies, including manual workaround for RTF
4) Develop a simple excel spreadsheet for data portability
5) Test the solutions with the IRT and key business areas
Risks & Dependencies:
a. Level of certainty is subject to the confirmation and testing of the solution.

Theme: Data Breach Response
Deliverable: 100% data breaches will follow the new procedure for breach reporting
What this means to Post Office: The data breach response procedure will be updated and tested so that initial reporting can be achieved within the 72 hour timescale where relevant. Requires involvement of Business Continuity, IT and business leads to contribute to and test the process.
Residual risk (if any): n/a
Why this is an acceptable position? It is an absolute requirement that from May 2018 we can have confidence that we can meet our statutory obligation to report all breaches within set out timescales.
What are the steps to get there:
1) Update the procedure for GDPR
2) Incorporate measures for data breach in branch via training and contracts
3) Test the updated procedure via war games
Theme: Contracts
Deliverable: 100% of new contracts contain the new DP clauses and schedules
What this means to Post Office: This is already in progress - any new contracts will be compliant.
Residual risk (if any): n/a
Why this is an acceptable position? n/a
What are the steps to get there:
1) Approve the p-suite of clauses (Complete)
2) Develop the playbook (Complete)
3) Create the templates for the schedules (in progress)
Risks & Dependencies: [illegible]

Theme: Security standards and due diligence
Deliverable: 100% of new contracts will include the GDPR compliant security standards
What this means to Post Office: This will be completed before May so any new suppliers will meet the new standards.
Residual risk (if any): n/a
Why this is an acceptable position? n/a
What are the steps to get there:
1) Develop the Security Standards for inclusion in the p-suite (consultant engaged by Jan)

Theme: Security standards and due diligence
Deliverable: An audit and due diligence process for suppliers will be ready for implementation from May 2018.
What this means to Post Office: From May, the process will be implemented to audit suppliers using a risk based approach.
Residual risk (if any): n/a
Why this is an acceptable position? n/a
What are the steps to get there:
1) Confirm / approve process for implementation
2) Confirm resources in the IP&A Team

Theme: Privacy by Design
Deliverable: 100% of projects have completed a PIA and are compliant, including [illegible], Travel Insurance, EUM, Vetting, HNGA, Customer Hub, Drop & Go and Accenture Outsourcing. All new change programmes must complete a PIA.
What this means to Post Office: This is already in progress - any new projects will be compliant.
Residual risk (if any): There needs to be a formal process to 'loop back' and update contracts and schedules and reflect these changes in OneTrust when there is a change; [illegible] information will very quickly become out of date. Suggest this should form scope of the "Categorise & Assurance Team".
Why this is an acceptable position? n/a
What are the steps to get there:
1) Already live and embedded in OneBestWay
2) OneTrust will be implemented to automate workflow and support governance
3) Further training and awareness to embed this process and extend to all changes, not just new projects
Level of certainty: Complete
Theme: Education and Awareness
Deliverable: 100% of employees have received training and communications
What this means to Post Office: 100% of employees would have received training. High risk areas would have received face to face or skype training. Set pieces on DP will be rolled out to FD and Bolton in addition to communications via One. Requires [illegible] training and prioritisation from GE/GE-1.
Residual risk (if any): n/a
Why this is an acceptable position? n/a
What are the steps to get there:
1) Communications strategy and plan agreed (complete)
2) Collateral developed (in progress)
3) Roll out of training and comms (in progress):
   Tier 1 - GDPR awareness & communications across Post Office including intranet, monthly comms
   Tier 2 - Annual Information Security & Data Protection compliance training for network + customer support colleagues (to be split into two distinct chapters with one overall test)
   Tier 3 - Face to face targeted training for impacted audience groups (1 hour) - already completed for Product Managers, Marketing, IRT, POMS ARC
   + One day bespoke external training for Data Protection officers (approx. 30-40 people across PO)
B. Existing activities that will be remediated by May 2018 within the Post Office's risk appetite

Columns in the original table: Theme; Deliverable; What this means to Post Office; Residual risk (if any); Why this is an acceptable position?; What are the steps to get there; Level of certainty; Risks & Dependencies.

Theme: Accountability
Deliverable: Information audit and data flows for high risk areas have been completed
What this means to Post Office: The GDPR Programme has completed an audit and gap analysis to identify and risk assess the personal data processed by the Post Office for high risk areas, i.e. prioritising customer personal data where PO is the controller (c. 40 product categories). Lower risk areas are in progress. This is a key deliverable for the Programme (due to the lack of existing documentation) and will enable us to demonstrate to the Regulator that data processes have been reviewed using a risk-based approach and areas of non-compliance and risk have been identified. Requires completion of questionnaire and attendance of workshops and playbacks for all business areas. Facilitation of input from IT providers via Business Leads and ITVMs.
Residual risk (if any): Lack of existing documentation. The analysis has identified significant gaps in terms of documenting how personal data has historically been processed. The risk to data processes needs to be understood and documented, so areas that cannot be completed by May 2018, including suppliers, will continue beyond May 2018.
Why this is an acceptable position? For lower risk areas, the assessment will continue. For Vendors we are [illegible] as part of the remediation process as a lever to complete the more detailed data mapping and assessment.
What are the steps to get there:
1) Questionnaire to L300 to complete high level risk assessment and update heatmap (Complete)
2) Complete Product Reviews and data-flows for high risk products (complete)
3) Lower risk areas assessment complete, including Business Functions and low risk products (in progress)
4) Assessment of systems (in progress)
5) Transfer questionnaires and data onto One Trust so that they can be monitored and controlled
Risks & Dependencies:
a) There is a risk that we do not get the level of detail we require from our processors, and / or this will incur a cost.
b) Completion of the lower risk areas within the existing resources needs to be prioritised against other remediation activity.

Theme: Individual Rights (customer)
Deliverable: 100% Privacy Notices and Privacy wording updated to existing customers
What this means to Post Office: All existing customers will receive an updated PN via email and in [illegible]. This applies where PO is a controller or joint controller. Includes POMS, FS Products (BOI, Fres), Telecoms, Vow Retail, Drop and Go, Gov.UK Verify. Requires involvement of business leads and Marketing for delivery of changes via existing change management processes.
Residual risk (if any): Ex-customers will not be re-papered.
Why this is an acceptable position? The rationale for using this risk based approach will be documented using a Positioning paper.
What are the steps to get there:
1) Agree and co-ordinate the remediation plan with Business Leads and partners (in progress)
2) Privacy notices updated (see new customers)
3) Communication plan agreed with Marketing and the Business Leads for updates via email and updates to literature
4) Implementation will be via the existing change processes
Risks & Dependencies:
a) We are finalising detailed plans with business leads and partners, and as soon as we have done this (by end Jan) it will increase certainty that operational and technical changes will be made in time based on change lead times / business capacity.

POL-BSFF-0218823_0215
B. Existing activities that will be remediated by May 2018 within the Post Office’s risk appetite

POL00391936
POL00391936

Theme Deliverable What thi Residual risk I Why this is an acceptable What are the steps to get there Level of isks & Dependencies
means to Post (if any) position? certainty
Office
Individual Continuation of I The business There is a legacy __I The Post Office is i) Seek legal advice on use of legitimate ‘a) Requires increased resource and the
Rights marketing needs the ability I data risk to the completing a Legitimate interests (Complete and affirmative) establishment of a Marketing Data Strategy
(customer) activity to the I to continue to personal data Interests Assessment of 2) Marketing and DP to complete the mini-project. This is currently being assessed
Gack book'from: I market to 3 collected tn Brands: I ‘clirrent and fllture legitimate interests assessment of for decision by Steerco on 22/1. However the
May (Brands) I proportion of the I used opt out marketing activities against marketing activities (in progress) ability to bring on board addition DP capacity
Pac Dok bees! I eee le the data held in Brands t I 3) Marketing to commission RAPP to quickly will not be possible via the existing
on ‘legitimate —_I business is Identify what it can continue
interests’ as a__I assessing using to use going forward and extract analysis based on the different resourcing routes.
fawful basis for I legitimate interests I what will need to be scenarios this identifies b) Key assumptions and risks to be documented
processing and I to continue to deleted, The use of 4) Marketing to complete assessment via positioning papers for decisions via the
an understanding I market to these legitimate interests for against revenue Programme Governance
of the customers, rather I marketing to the back book I 5) Marketing to input to development of
commercial than repapering will need to be documented positioning paper on potential impacts
Impact of this so_I existing customers I i.e. which data we can and recommendations for decision via the
that they can to get them to continue to market. Tt will programme governance
forward-plan. _I consent. document this in a 6) Marketing to raise change request for
Positioning paper for RAPP to ring-fence data that can no
Requires There is an decision via the Programme longer ba marketed to and ensure that
Marketing emerging risk that I Governance. delete / anonymisation of data is built
sponsorship _I the organisation
and resources _I cannot justify the into the roadmap.
to input to the I retention of
strategy customer data in
(gaining input _I brands for CRM
from the purposes and the
business) and _I data base will need
tobe the lead _I to be drastically
for engagement I depleted, thereby
of RAPP for limiting future
change commercial uses.
requests
Individual 100% Privacy I All existing Ex-employees or job I The rationale for using this I 1) Agree and co-ordinate the remediation 'a) We are finalising detailed plans with business
Rights Notices and employees and I applicants will not be I risk based approach will be plan with Business Leads leads and partners, and as soon as we have
(employees) I Privacy wording I agents will re-papered documented using a 2) Update Privacy notices (see above) done this (by end Jan) it will increase certainty
updated to receive an positioning paper: 3) Agree Communication plan with HR for that operational and technical changes will
existing updated privacy updates via email and updates to made in time based to change lead times /
employees and I notice via terse pisiness eepsctey
agents existing
communication
channels
Requires

involvement of
HR to facilitate
communication
5 via existing
channels

12

Theme: Contracts
Deliverable: All contracts will be updated to reflect the risk-based approach by priority. This includes material (c. 80) contracts, [illegible] contracts (c. 400) and SPM contracts.
What this means to Post Office: We have outsourced the process and the negotiations to WBD; however, wider business involvement will depend on the risk/complexity of the contract. VMs, Contract Owners and Product managers will be involved in the process (as facilitators and approvers) to update the GDPR clauses and schedules. Tower Vendors will require involvement of Data Architecture to define processing schedules.
Residual risk (if any): The documentation one would expect, e.g. accurate schedules of processing, is often not available and is not detailed enough for Post Office to demonstrate Accountability, i.e. where its data is and how it is processed. This is a risk and this work will need to continue via the Systems Workstream; however, this may not be complete by May 2018.
Why this is an acceptable position? This is a legacy risk that will be addressed.
What are the steps to get there:
1) Prioritise and risk assess contracts (complete)
2) Develop a playbook and process for negotiations (in progress)
3) Test the process using a pilot group of c. 70 (WBD)
4) Develop a positioning paper on controller [illegible] processors for risk areas
5) Draft security standards
6) Continue to engage / work with the business to confirm ownership and involve VMs and Contract Owners as required
7) Workshops with Tower Vendors to document processing activities as an input to processing schedules
8) Work with HR and Nick Beal to agree approach to engagement of the NFSP for updating existing contracts with SPMs, be that by an addendum
Risks & Dependencies:
a) There is a risk that if the security standards are not completed within the timescales of the contract review, this will need to be updated separately. The Programme is on-boarding a Security Consultant (due 22/1) to complete this activity.
b) WBD will need to manage dependencies with existing renegotiations / renewals with support from the business.
c) There is a high level of certainty for the low risk and less complex contracts, but it is hard to quantify how long negotiations will take for the more complex contracts and the SPMs. However, the clauses and schedule templates are based on the regulation and the CCS Procurement Policy Note, so they should be standard practice. In addition, it is a requirement of the GDPR that Controller: Processor relationships are governed by a contract, so it is in the interests of both parties to complete this.
C. It is proposed that remediation of legacy risk in these areas will continue beyond May 2018

Columns in the original table: Theme; Deliverable; What this means to Post Office; Residual risk; Why this is an acceptable position?; What are the steps to get there; Level of certainty; Risks & Dependencies.

Deliverable: Data audit and mapping completed for processors
What this means to Post Office: Post Office needs to ensure that it understands and has access to documentation on the data it has [illegible] processors, and this needs to be maintained. VMs to [illegible] support team in removing blockers. Involvement of Data Architecture in documentation of processes and maintain in BAU.
What are the steps to get there:
a) Identify systems and capture what data are stored or processed (higher level) - Top 26 Vendors including Telecoms and POMS have been mapped (high level) (in progress)
b) Identify systems and capture what data are stored or processed have been mapped (detail)
c) Data interfaces identified and mapped (detail)
Level of certainty: Tbc - see right
Risks & Dependencies:
a) Dependency on contracts updates, specifically the agreement of the Schedule of Processing activity.
b) Time constraints to developing the roadmap for remediation by May 2018 in parallel with pre-May activity, to be addressed by reviewing current resources and kicking off this activity as a discrete workstream to the changes and remediation activity to be completed by May 2018.

Theme: Individual rights (Customer)
Deliverable: Legal basis for processing of customer data has been implemented in key customer databases
What this means to Post Office: Delete or anonymise excessive customer personal data in Brands, Hexaware (potentially before May), Horizon, Salesforce, Credence, CDP, Telecoms. Involvement of Marketing, POMS and IT in facilitating change process and alignment with existing re-procurement of Brands.
What are the steps to get there:
a) Complete assessment of legal basis for marketing activities
b) Complete assessment of data in Brands, Hexaware (potentially before May), Horizon, Salesforce, Credence, CDP, Telecoms
c) Confirm requirement and raise change requests
Level of certainty: Tbc - see right
Risks & Dependencies: See above

Theme: Individual rights (Customer)
Deliverable: Legal basis for processing of customer data has been implemented in key customer databases
What this means to Post Office: Changes to interfaces to and structure of Brands to minimise excessive customer data. Involvement of Marketing, POMS and IT in facilitating change process and alignment with existing re-procurement of Brands.
What are the steps to get there:
a) Complete assessment of legal basis for marketing activities
b) Complete assessment of interfaces
c) Confirm requirement via change request process
Level of certainty: Tbc - see right
Risks & Dependencies: See above

Theme: Individual rights (right to be forgotten)
Deliverable: Individual Rights - full technical solution rather than manual workaround
What this means to Post Office: Changes include deletion of data following removal of consent. Involvement of Marketing, POMS and IT in facilitating change process. Input from IS to complete the assessment.
What are the steps to get there:
a) Complete assessment of systems
b) Confirm requirement via change request process
Level of certainty: Tbc - see right
Risks & Dependencies: See above
Theme: Individual Rights (right to be forgotten)
Deliverable: Deletion of unstructured data across all systems according to the Retention schedule
What this means to Post Office: This includes structured and unstructured data. Involvement of IT/Security in facilitating change process.
What are the steps to get there:
a) By May we will have information on where unstructured data is stored based on the review of products and business functions. Implementing changes in response to individual rights and retention schedules will not be completed by May for all systems.
b) The Programme is investigating implementing scanning of OneDrive and Sharepoint (subject to discussions with Computercentre).
c) A key mitigation to address non-compliant storage of personal unstructured data will be via Education and Awareness (see Section A).
Level of certainty: Tbc - see right
Risks & Dependencies: See above. Dependency - Implementation of the document management policy, including hard copies.

Theme: Data Breach Reporting
Deliverable: Data Breach Detection is not a deliverable of the GDPR programme, but is an enabler to Data Breach Reporting; it is the DLP Programme, which is due to go live from Jun/July 2018.
What this means to Post Office: The new Data Breach Response procedure will meet the requirements of the regulation, and we can demonstrate there is a plan in place to introduce the appropriate technical and organisational measure via the DLP. Involvement of IT/Security in facilitating change process.
What are the steps to get there:
1) Continued engagement with the Security Team to monitor progress and ensure alignment with the GDPR Programme
Level of certainty: Tbc - see right
Risks & Dependencies: See above
POL-BSFF-0218823_0220
C. (cont.) It is proposed that remediation of legacy risk in these areas will continue beyond May 2018

Theme: Contracts (Processors)
  Deliver to Post Office: Assurance and remediation of key processors following assessment via contract and systems workstreams.
  What this means: Changes may be required following remediation and assessment.
  Steps to get there:
    i) Approach to be agreed with the IP&A Team, Security and IT.
  Level of certainty: TBC - see right (Risks & Dependencies)
  Risks & Dependencies: See above. There is a risk that there will be no impetus for processors to complete remediation where there are gaps; however, the remediation of the contracts (by May) will include the development of a schedule of processing and GDPR clauses, including the requirements of POL for retention, rights and security standards, and this can be used as a lever for contract assurance and remediation.
  Involvement of IT/Security in facilitating change process.

Page 17 | POL-BSFF-0218823_0221