POL00411937 - Minutes of a meeting of the Risk and Compliance Committee of Post Office held on 18th January 2018 at Finsbury Street, London EC2Y 9AQ at 1pm.

Post Office Limited
Risk and Compliance Committee Meeting

MINUTES OF A MEETING OF THE RISK AND COMPLIANCE COMMITTEE (THE
“COMMITTEE”) OF POST OFFICE LIMITED (THE “COMPANY”) HELD ON 18 JANUARY
2018 AT 20 FINSBURY STREET, LONDON EC2Y 9AQ AT 1.00PM

Present:
Jane MacLeod (JM)        Chairman
Paula Vennells (PV)      Group Chief Executive
Al Cameron (AC)          Chief Financial and Operations Officer
Debbie Smith (DS)        Chief Executive, Retail
Rob Houghton (RH)        Group Chief Information Officer
Martin Kirke (MK)        Group HR Director
Mark Davies (MD)         Group Communications, Brand & Corporate Affairs Director
Martin Edwards (ME)      Group Strategy Director

In Attendance:
Johann Appel (JA)        Senior Manager, Internal Audit
Ashish Singh (AS)        Interim Head of Risk
Owen Woodley (OW)        Managing Director, Post Office Money
Jane Fahey (JF)          Deputy Company Secretary
Sally Smith (SS)         Head of Financial Crime
Jules Harris (JH)        Head of Information Protection and Assurance
Clare D’Netto (CDN)      GDPR Programme Manager
Chris Russell (CR)       Data Protection Officer
Richard Williams (RW)    Senior Risk Manager
Barbara Brannon (BB)#    Procurement Director
Ben Foat (BF)            Legal Director
Mark Dixon (MD)          Head of Treasury, Tax and Insurance

Apologies:
Nick Kennett             Chief Executive - Financial Services & Telecoms

# by telephone

1. WELCOME, INTRODUCTION AND CONFLICTS OF INTEREST

1.1. The Chairman welcomed DS, Chief Executive, Retail, to the meeting.

2. MINUTES AND ACTION LIST


2.1 Minutes of the meeting of the Board held on 8 November 2017 were approved
and authorised for signature by the Chairman.

2.2 The Action List Status Report was noted as accurate. Save for the following,
there were no actions which had not been addressed in advance of the meeting
or through the meeting papers:

(a) 1789 - Compliance Requirements: The Chairman advised that discussions
were now underway with HMRC on the impact of likely enhanced anti money
laundering (“AML”) and fit and proper requirements. PV stressed the
importance of ensuring this action was closed by the next meeting; and

(b) 1788 - Financial Crime Risk assessment: The Chairman confirmed that
the Financial Crime workshops for Product Managers (“PMs”) had been
held, however the PMs had yet to complete the follow-up work. DS
agreed to raise the matter with the relevant PMs. (Action: DS)

3. KEY OPERATIONAL RISKS

3.1 Financial Services Conduct Risk
The Financial Services Conduct Risk Update was noted.

AC highlighted inconsistencies in risk ratings between this report and the
Company’s financial performance pack presented in other governance forums.
The Chairman explained that this was due to lack of alignment in the metrics
used to produce the reports and agreed on the importance of consistent
reporting.

3.2 Change Risk
The Change Risk Update was noted.

The Chairman advised that Carla Stent, Chairman of the Company’s Audit, Risk
and Compliance Committee (“ARC”) had requested further detail as to the
lessons learned from Change activity over the past three years, and a forward
view as to where the principal risks would arise. The paper should be updated to
reflect this request.

AC invited the Committee to submit any additional comments on the content of
the paper to him in advance of the ARC.

SS joined the meeting.

3.3 Financial Crime Risk

SS advised that due to the size and complexity of the Post Office network, and
the diverse range of products and services provided in both face to face and
digital environments, the key financial crime risk control was staff training and
awareness. The current training model was inefficient, and while work was
underway with Learning and Development to address this, further support from
the Group Executive (“GE”) and senior leadership population would be required
in order to deliver.

RH submitted that it was not sufficient to address this risk through education
alone, and that, in order to address the root cause, systems needed to be
redesigned to incorporate the right controls. SS responded that no system could
entirely address the risk due to the complexity of the network. Therefore,
education would remain the key control. PV challenged this, stating that while
the issues caused by the network structure were large in scale, they were not
necessarily complex. The launch of HGNT would help ensure that agents
complied with financial crime-related requirements. In addition, she submitted
that there were certain products which should be reviewed to ensure that the
benefits they brought to the business outweighed the associated financial crime
risk.

In response to a question from DS as to where the legal accountability lay for
financial crime compliance, the Chairman explained that it was the Company’s
responsibility to ensure that effective systems and controls to prevent money
laundering and counter terrorist financing were in place. Training was one
aspect of this, as was having processes to ensure products were designed with
fraud prevention in mind. Agents were then contractually obliged to comply with
Post Office rules. She added that twenty agents had recently been suspended
for failure to comply with these rules. In response to a further question from DS
as to the position of the risk environment, the Chairman clarified that cases of
non-compliance were mostly historical. However, as the management
information (“MI”) in this area had been largely developed over the past two
years, it was not possible to provide a definitive, long-term assessment as to
whether the risk environment was improving.

SS advised that under requirements introduced during 2017, the Company was
required to demonstrate the fitness and propriety of all agent entities to HMRC.
In response to a question from DS as to how compliance with these
requirements would be demonstrated, SS explained that this would be achieved
through staff training metrics.

AC queried whether the resourcing and budget required for the
recommendations outlined in the paper had been planned for in sufficient
detail. JM advised that a detailed project plan had been prepared which was
funded to the extent necessary. SS highlighted the importance of ensuring
Product Information Packs were complete in order to demonstrate a full risk
assessment. OW agreed to follow up with the PMs in question. (Action: OW)

The Committee noted the Money Laundering Reporting Officer’s (MLRO) annual
report on compliance with The Money Laundering, Terrorist Financing and
Transfer of Funds (Information on the Payer) Regulations 2017 and The
Terrorism Act 2000, which was included in the report.

SS left the meeting.

3.4 IT Risk Update
The IT Risk Update was noted.

3.5 Financial Reporting Controls
The Financial Reporting Controls Update was noted.

3.6 Business Continuity and Crisis Management
The Business Continuity and Crisis Management update was noted.

In response to a query from AC as to whether sufficient resources were being
provided to this crucial area, the Chairman advised that resourcing requirements
over the next twelve months were currently under review.

3.7 Health and Safety
The Health and Safety Update was noted.
JH joined the meeting.

3.8 Information Protection and Assurance

JH introduced the Information Protection and Assurance Update. AC submitted
that while the need to improve the management of data was critical, it was
important to ensure that all data management needs were consolidated into one
programme. In response, the Chairman advised that all programmes related to
data were aligned.

RH commented that the control improvement actions to mitigate insider threat
and external malicious attack, as detailed in the appendix to the paper, were
somewhat vague. He suggested that GE members be assigned responsibility for
identifying owners for the various categories of data, and the actions required to
increase the Company’s maturity level in this area. JH agreed to develop a
draft proposal. (Action: JH)

MK requested that the appendix to the paper be amended to reflect the
fact that the HR Director was accountable for, rather than the owner of,
the Joiners, Movers and Leavers (“JML”) programme. (Action: JH)

PV requested that the appendix be updated to provide further detail on
how the control improvement actions outlined would be applied in
practice. (Action: JH)

CDN and CR joined the meeting.

4. GDPR PROGRAMME UPDATE

The Chairman introduced the General Data Protection Regulation (“GDPR”)
Update. She advised that a GDPR training session would be provided to the ARC
on the 29 January 2018, and that the matters covered in this paper would form
the basis of that session.

CDN explained that the GDPR programme had from inception flagged that it was
unlikely to achieve full compliance by May 2018. Instead the programme had
taken a risk-based approach to achieve ‘effective compliance’. New activity
would be compliant on or before 15 May 2018. In addition, remediation of
existing activities which were high risk/high priority would be completed by May
2018.

RH highlighted that the challenge to achieving effective compliance by the May
2018 deadline was in meeting change lead times. There was still uncertainty as
to what needed to be achieved and when, and consequently whether the
necessary operational and technical changes could be delivered in time. For
those instances where the requirements were known, it was not clear that the
programme was progressing sufficiently quickly to deliver them. He requested
that a clear articulation of the “known unknowns” be prepared,
including details of the key stakeholders, and where prioritisation calls
may be required. (Action: CDN/CR) PV challenged this position, querying whether
the volume of change required by the programme between now and May, which was
incremental to the existing change agenda, was truly significant. The Chairman
advised that it was not, with most of the change involving marketing activity.
However, remediating legacy issues would take approximately another 12-18
months following the deadline.

MK highlighted that there was a lack of awareness of the issues raised by GDPR
across the business and asked the programme team to consider how they
could drive understanding. (Action: CDN/CR)

JH, CDN and CR left the meeting. RW joined the meeting.

5. RISK UPDATE

RW introduced an update on the Risk Placemat, including an update on Risk
Exceptions. Rollout of the Risk Placemat was on track to be completed by June
2018. Since the November 2017 meeting, the approach had been further rolled
out within Financial Services and Retail. In parallel, a methodology was being
created to test the integrity, and formalise the governance framework, of
principal risks for post-Placemat implementation.

The Committee reviewed the current Risk Exception Status and commented on
the following in particular:
(a) AC advised that an IT solution for the risk of loss of data/service due
to the RPA software running on stand-alone desktop machines was still
being awaited; and
(b) RH advised that he would need to determine the extent to which
Salesforce software was being used across the business prior to
making any decision on contract renewal. He expressed frustration at
the fact that the contract was due to expire on 29 April 2018, which did not
give sufficient time for transition, should that be determined the
correct option. AC commented that while he was aware of the issue,
he had not until now been aware of the April deadline. He would
work with Barbara Brannon to ensure early escalation of these
matters going forward. (Action: BB) PV requested that RH bring a report on
the use of Salesforce across the organisation to GE. If it were
concluded that the software was used exclusively by Customer
Relationship Managers (“CRMs”), then she was content to carry any
risk until the Company’s strategy with regard to CRMs was finalised.
(Action: RH)

RW left the meeting. BB joined the meeting.

6. COMPLIANCE

6.1 Procurement Compliance Report

BB presented the Procurement Compliance Report. She reported that since the
last meeting in October 2017 there had been a total of seven non-compliance
incidents, with a total value of GBP9,388,000. Three of these were currently
pending imminent contract signature. During that period, a number of large
value procurements had been completed and brought into compliance, bringing
the overall value down from GBP19 million in October 2017 to GBP15 million in
January 2018.


The Committee expressed concern at the level of non-compliance detailed in the
report. AC queried whether instances of non-compliance were being escalated to
the GE in a sufficiently timely manner. The Chairman submitted that there
seemed to be a relaxed culture within the business regarding procurement
compliance and that more could be done to address this. BB responded that
while there was room for improvement, it was not necessarily a matter of the
business being apathetic where compliance was concerned. There were large
parts of the business which were very proactive in working with Procurement
and which had a clear understanding of their requirements and the lead times
involved. However, there were other parts of the business which, for a variety of
reasons, found articulating their requirements more challenging and therefore
found decision-making difficult. AC reiterated his request that such
instances be escalated earlier.

7. POLICIES

7.1 Supplier Relationship Management

BB recalled for the Committee that, in order to help evidence good supplier
management, she and the Chairman had been given an action to create a
Supplier Relationship Management Policy (the “Policy”). In doing so, they had
endeavoured to create an easy-to-follow guide which defined the minimum
standards to manage the day-to-day supplier relationship once the supplier was
on board and providing services. She explained that between now and the end of
March 2018, Procurement would work with the business to create supplier
relationship terms, and a timetable would be signed off by each GE member as
to how mandatory activities would be delivered over the next 12 months. This
would involve identifying the tools and systems to evidence that the required
degree of oversight existed. The Committee discussed the merits of the Traction
system, noting that while it would be relatively simple and cost-effective, it did
not hold any data, and merely provided a system to acknowledge completion of
the tasks assigned. After discussion, it was agreed in principle that Traction be
utilised.

Subject to a request from RH that the policy be amended to standardise
role titles, the Committee approved the policy. It was agreed that the policy
did not require further approval by the ARC.

BB left the meeting.

8. AUDIT

8.1 Internal Audit Report

The Committee noted the Internal Audit Report.

JA advised that reports for four Internal Audit reviews were currently being
drafted or cleared through management. These included reviews of compliance
with the Banking Framework and AML compliance for MoneyGram. With regard
to the Banking Framework review, a number of areas, namely Information
Protection, Data Security, and Business Continuity, required significant
improvement in order to demonstrate compliance. The Chairman commented
that an assumption had been made at the time of signing the Banking
Framework that the requirements under the agreement had been clearly
communicated to the relevant teams, which had not been the case. However,
the changes required to demonstrate compliance should be relatively simple to
introduce. AC stressed the importance of taking the lessons learned from this,
and requested that a copy of the report be circulated to the Committee.
After discussion, it was agreed that the Banking Framework report should
be submitted for consideration at the March 2018 ARC. PV requested that OW
provide his view on the report from a Post Office Money perspective. (Action: OW)

JA reported that audit actions were generally being completed on time and 107
actions had been completed year to date. As at 31 December 2017, 36 actions
remained open, two of which were overdue. These were being tracked closely.

BF joined the meeting.

9. DEEP DIVES

9.1 Annual Legal Risk Review

BF introduced the Annual Legal Risk Review for 2017 (the “Review”). He outlined
the main legal risks for Post Office as follows:
(a) Contract Management

Improvements had been made over the last 12 months to the
contracts management and procurement processes, through the
introduction and enhancement of a number of controls. These included
the enhancement of a central repository of contracts utilising the
existing Bravo procurement system. However, there remained further
work to enforce a compliant culture in the business. AC advised that it
had been agreed earlier in the meeting that Traction would be used to
assist with overseeing compliance with contractual terms, and that the
Review should be updated to include this.
PV challenged the language used in the Review concerning the number
of material arrangements in which services were being provided
without a written contract in place. While she agreed that it was
unacceptable for there to be no written contract in place, the Review
did not detail the significant progress that had been made in managing
down the number of such contracts. AC added that the actions
being taken to mitigate any risk arising from the remaining
cases should also be clearly spelled out. (Action: BF)

(b) Competition Rules
There needed to be better understanding of the potential implications
of commercial activities, such as acquisitions or joint ventures (“JVs”).
The legal department (“Legal”) had developed Compliance Guidance
and FAQs to support operational managers in understanding this risk,
together with bespoke training.


(c) Corporate acquisitions and JVs
Corporate M&A knowledge was dependent on a few core individuals.
Legal was developing a Corporate Acquisition Checklist and challenge
process aimed at enhancing risk management of these projects.

(d) Litigation
As a result of litigation, the recovery of agent losses and prosecutions
had become significantly more challenging, thereby increasing the
risk that the deterrent effect of such recovery actions or prosecutions
would be diminished. In addition, there was a risk of default judgments
due to Legal not being notified of service of proceedings received in
the network. Proper communications were required to ensure
documents were scanned and emailed to Legal promptly.

(e) Branding and IP Enforcement
While basic controls were in place, such as cease and desist letters,
brand infringements largely went unchallenged. Further enhancement
could be achieved through a formal process with appropriate funding.
PV responded that these cases should be dealt with on a case by case
basis. If a significantly serious instance, or increase in infringement
cases were seen, Legal should escalate appropriately.

BF advised that Legal’s focus for 2018/19 would centre on enhancing the
legal maturity of the Post Office through the introduction of enhanced controls,
and the delivery of further training to assist managers to better understand core
areas of legal risk and develop necessary processes.

10. HORIZON SCANNING

10.1 FCA Report — Ageing Populations and Financial Services

The FCA Report on Ageing Populations and Financial Services was noted.

10.2 Legal and Regulatory Horizon Scanning
The Legal and Regulatory Horizon Scanning report was noted.

MD joined the meeting.

11. INTEREST RATE SWAP UNDER NEW POCA CONTRACT

Mark Dixon recalled for the Committee that at the July 2017 Board meeting the
Group CFOO, following ARC approval, was authorised to execute an interest rate
swap, if considered advantageous. A paper setting out the rationale for the
transaction, an update on pricing, and how to manage the risks associated with
swap execution, was subsequently presented to the ARC in September 2017. He
reported that as approval had now been received from BEIS/HM Treasury to
enter into an interest rate swap for the purposes of hedging its floating rate
exposures linked to the POca cash balances, approval would be sought to do so
at the upcoming ARC. The current pricing levels for the swap were then outlined.

After discussion, the Committee noted the paper for onward submission to the
ARC.

12. PAPERS FOR NOTING

12.1 Minutes from the meetings of the POMS RCC held on 11 October 2017, 29
November 2017 and 19 December 2017 were noted.

12.2 The EUM Programme Update was noted.
12.3 The SuccessFactors Risk Exception Report was noted.

12.4 JM agreed to circulate an update on Joiners, Movers and Leavers following the
meeting. (Action: JM)

13. ANY OTHER BUSINESS
13.1 There being no other business, the Chairman closed the meeting.

Chairman Date

Strictly Confidential