POL00413444
POL00413444
GROUP POLICIES
Whistleblowing Policy
Version —- V6
Chief Executive’s Endorsement
The Post Office Group is committed to doing things correctly. Our Values
and Behaviours represent the conduct we expect. This Policy supports these
to help us ensure that colleagues know how to report concerns regarding
wrongdoing in the public interest and that they can do so without fear of
recrimination.
Internal and External Page 1 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
1. Overview
1.1. Introduction by the Policy Owner....
1.2. Purpose.
1.3. Core Principles ..........0..
1.4. Definitions...
1.5. Application
1.6. Legislation...
1.7 How to Report Whistleblowing
1.8. Protecting the Whistleblower (Your Legal Rights)
1.9 The Whistleblowing Champion and Management of Reports
1.10 Responding to Whistleblowing Reports.
1.11 External Disclosures
2. Risk Appetite and Minimum Control Standard
2.1. Risk Appetite ....
2.2. Policy Framework
2.3. Minimum Control Standards
3. Governance............
3.1. Governance Responsibilities
4. Control
4.1. Policy Version....
4.2. Policy Approval
Internal and External Page 2 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
1 a Overview
1.1. Introduction by the Policy Owner
The MLRO & Head of Financial Crime and the Group Compliance Director have overall
accountability to the Board of Directors to oversee that a positive whistleblowing culture
is proactively encouraged throughout Post Office and the current arrangements are
challenged and assessed for areas of continuous improvement. The Policy Sponsor and
Owner are accountable for the implementation of controls ensuring Post Office meets it
Whistleblowing obligations. Whistleblowing is an agenda item for the Audit and Risk
Committee and the Post Office Board is updated as required.
1.2. Purpose
This Policy has been established to set the minimum operating standards relating to the
management of Whistleblowing throughout the Group. It is one of a set of policiest which
provide a clear risk and governance framework and an effective system of internal control
for the management of risk across the Group. Compliance with these policies supports the
Group in meeting its business objectives and to balance the needs of shareholders, Staff
and other stakeholders.
1.3. Core Principles
In order to encourage Whistleblowing and provide appropriate protections to
Whistleblowers, the governance arrangements described in this Policy are based upon the
following core principles:
e Post Office will treat Whistleblowing disclosures consistently, fairly, appropriately and
professionally;
* To encourage the reporting of any concerns as soon as possible in the knowledge that
Post Office will take all concerns raised seriously and investigate fully, and that the
confidentiality of all individuals will be respected;
e To provide guidance as to how to raise those concerns;
e To provide Whistleblowers reassurance that all genuine concerns are raised without
fear of reprisals, even if they turn out to be mistaken;
« Post Office is committed to and oversees the implementation of the Policy in line with
the Group’s risk appetite. The Policy and associated procedures for use by those
handling whistleblowing reports (the “Whistleblowing Procedures”) (set out in this
document where relevant) are proportionate to the risks and complexity of the Group;
and
e Post Office undertakes a training and awareness program to ensure all employees are
aware of the Whistleblowing policy and procedure.
If you need further information about this Policy or wish to report an issue in relation to
this Policy, please contact the Policy sponsor or Policy owner.
" The full set of policies can be found at: https://poluk.sharepoint.com/sites/thehub/SitePages/Key%20policies.aspx?web=1
2 The Whistleblowing Procedures will be provided internally to those handling Whistleblowing reports.
Internal and External Page 3 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
1.4. Definitions
“Employee” and “Staff” means an individual who has entered into or works under (or,
where the employment has ceased, worked under) a contract of employment or any other
relevant contract, as defined in sections 230(2) and (3) of the Employment Rights Act
1996, with Post Office or the Group or is defined as a “worker” under section 43K
Employment Rights Act 1996.
“Post Office” and “Group” mean Post Office Limited and any wholly owned subsidiary
that formally adopts this Policy.
“Whistleblowing” refers to the act of a person (the “Whistleblower”) making a
disclosure that the Whistleblower reasonably believes is (a) in the public interest, and (b)
regarding past, present or likely future wrongdoing that falls into one or more of the
following categories:
« criminal offences (this may include types of financial impropriety such as fraud)
e failure to comply with an obligation set out in law (including regulatory breaches)
e miscarriages of justice
e endangering of someone’s health and safety
e damage to the environment
* covering up wrongdoing in the above categories
* a breach of the Post Office’s policies and procedures
e behaviour that harms or is likely to harm the reputation or financial well-being of
the Post Office
1.5. Application
This Policy is applicable to all Staff within the Group and outlines the manner in which Post
Office will encourage, receive and investigate incidents of Whistleblowing and the
protections provided for Whistleblowers by law.
There are also corresponding Whistleblowing Procedures for those handling reports.
In order to encourage reporting of wrongdoing, Post Office will, where appropriate, and to
the extent possible, follow equivalent principles to encourage, receive and investigate
incidents of Whistleblowing by Postmasters (whether limited companies, partnerships,
limited liability partnerships or individuals), Agent Assistants, and members of the public.
1.6. Legislation
The Group seeks to comply with all relevant UK legal and regulatory requirements
including (but not limited to) the following legislation as amended or supplemented from
time to time:
e Employment Rights Act 1996
* Public Interest Disclosure Act 1998
Internal and External Page 4 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
1.7. How to Report Whistleblowing
Post Office supports and promotes a number of reporting mechanisms:
e The Whistleblower’s line manager
« Asenior member of the HR Team
¢ Direct to the Whistleblowing Manager (7
e Via a complaint to a front line team, e.g. customer complaints, BSC and Grapevine.
These may be verbal or written communications.
e Contacting the “Speak Up” line, a confidential reporting service which is run by an
independent company NAVEX Global (formerly Expolink Europe Ltd)
Any Post Office Staff who suspects that there is a breach of this Policy should report this
without any undue delay, again, through any of the reporting mechanisms set out above.
Information and contact details
Speak Up line:
e Telephone Number:
e —http://postoffice.ethicspoint.com/ whicl
is a secure on-line web portal
Grapevine:
24/7 Security Support Centre provided by Kings Ltd. Grapevine provide security advice
and record all security incidents across the business, this includes burglaries, robberies
and the reporting of suspicious activity.
NBSC:
Branch Support Centre (BSC) is a helpline and the first port of call for Post Office branches
if they have any operational query or require assistance.
e Telephone Numbe
e E-mai
Customer Support Team:
Complaints handling team based in Chesterfield. The team address complaints reported
into Post Office via various channels, including post and telephone.
e =E-maili.
Executive Correspondence Team:
This team handles all complaints addressed directly to the Group Executives. The team
liaise with various stakeholders within the business in order to resolve complaints.
What information needs to be provided?
The Whistleblower does not need to provide evidence for Post Office to look into the
concerns raised, and reports can be made:
* openly,
e confidentially - the individual (or entity in the case of a limited company, partnership
or limited liability partnership) making the report gives their or its name and the person
handling the report will try to respect confidentiality where possible (subject to
exceptions described in paragraph 1.8), or
Internal and External Page 5 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
* anonymously - reports made anonymously are taken seriously but Post Office
encourages open reporting. Without certain details, it may not be possible to
investigate a report as thoroughly and/or provide feedback on the progress or outcome
of the investigation.
Difference between Whistleblowing and other complaints
This Policy should not be used by Staff wishing to raise complaints relating to their own
personal circumstances, such as the way they have been treated at work, rather than a
matter in the public interest that meets the definition of Whistleblowing set out in this
Policy. Grievances and matters such as bullying and harassment should be raised in
accordance with the procedures set out in the appropriate HR policy.
The following table sets out examples of events that might prompt the making of a
Whistleblowing disclosure.
Whistleblowing
Not whistleblowing
Actions that put colleagues or customers
health and safety in danger - A branch
manager refuses to follow security
procedures when admitting visitors into
the secure area of a branch, putting staff
at risk
A member of staff tells you they are being
constantly criticised by one particular
manager. The manager seems to pick on
their work and does so in front of others -
- this is covered by the Grievance Policy
Disclosure of a personal grievance may
count as a legitimate complaint if it’s in
the public interest, for example on the
grounds of racial, sexual or disability
discrimination - A staff member
complains that the branch manager has
made racist/discriminatory remarks to
other members of staff and members of
the public.
You believe that you are not provided
with training and development.
opportunities because of your age or sex
- this is covered by the Dignity at Work
Policy
An individual identifies that an invoice
from a company has a company address
that is the home address of a company
director or senior manager, and they do
not believe this is being handled within
Post Office Policy.
A manager believes they have been given
an unfair PDR assessment, and they are
not happy with the outcome of
discussions with their line Manager - this
is covered by the Grievance Policy
It is suspected that Post Office is
breaching legal or regulatory
requirements and that this is being
covered up - A staff member reported to
their manager that the dates on the fire
extinguishers within the building have
expired but still no action has been
taken.
A clerk complains that they feel they are
being bullied by their ling manager - this
is covered by the Dignity at Work Policy
A staff member has noticed their line
manager changing the teams SLA results
to show better figures when reporting —
This is potential fraud as this could lead to
the Post Office declaring false figures
You are suspicious of a customer coming
in to purchase large amounts of foreign
currency on a regular basis - this is
covered in the Anti Money Laundering and
Counter Terrorist Financing Policy.
Internal and External
RCC & ARC and POI approval - Final.docx
Page 6 of 20Whistleblowing Policy v.6 March 2021 - POL
POL00413444
POL00413444
If an individual (or entity in the case of a limited company, partnership or limited liability
partnership) is uncertain about whether something is within the scope of this Policy they
or it should seek advice from the Whistleblowing team, whose contact details are set out
in this Policy.
1.8. Protecting the Whistleblower (Your Legal Rights)
Post Office has a statutory obligation to protect Whistleblowers and will endeavour to
support any Whistleblower who or which raises genuine concerns under this Policy in an
appropriate manner, even if they or it turn out to be mistaken. In respect of a certain class
of person (“Staff” as defined under this policy) Post Office has a statutory obligation not
to subject such persons to detriment or to dismiss them for Whistleblowing.
Where a member of Staff is subject to a Post Office settlement agreement, any clauses
within it will not prevent the member of Staff from Whistleblowing. This should in any
event be made clear by the terms of the settlement agreement itself and staff should
receive independent advice in relation to those terms when entering into a settlement
agreement.
Post Office will, at all times, respect confidentiality and protect the Whistleblower’s
identity, except where:
e It may be appropriate or necessary to share this information with a relevant
stakeholder.
e Disclosure is allowed or required by law.
There is no requirement for a Whistleblower to provide contact information, but not
providing this information may reduce Post Office’s ability to undertake a thorough
investigation into the concerns raised. Please note that making a disclosure anonymously
means it can be more difficult for an Employee or Staff member to qualify for protections
as a Whistleblower, as there would be no documentary evidence linking the individual to
the disclosure for the Employment Tribunal to consider.
Post Office will take all reasonable steps to ensure that Whistleblowers who are Employees
or Staff do not suffer any detrimental treatment as a result of raising a genuine concern
in an appropriate manner. Detrimental treatment includes disciplinary action, dismissal,
threats or other unfavourable treatment connected with raising a concern. Serious action,
typically disciplinary action, will be taken against any individual who threatens or retaliates
against Whistleblowers in any way.
If a Whistleblower who is an Employee or member of Staff believes that they have suffered
any such treatment, they should inform the Whistleblowing Manager immediately. The
Whistleblowing Manager or nominated deputy will take all necessary steps at the earliest
opportunity to address any victimisation, which may include working with the HR team to
put appropriate remedial measures in place. If the matter is not addressed the
Whistleblower should raise it formally using Post Office’s Grievance procedure.
In all cases the Whistleblower’s concerns will be treated sensitively and in confidence.
1.9. The Whistleblowing Champion and Management of Reports
Post Office has appointed an independent Non-Executive Director as Whistleblowing
Champion to provide governance and oversight that the integrity of Post Office work,
finances and wider obligations to the public are upheld at all times.
Internal and External Page 7 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
The Whistleblowing Champion has responsibility for ensuring and overseeing the integrity,
independence and effectiveness of this Policy and procedures on Whistleblowing including
those policies and procedures intended to protect Whistleblowers from being victimised
because they have made a disclosure that constitutes Whistleblowing. The Whistleblowing
Champion oversees that:
e A positive whistleblowing culture is proactively encouraged throughout Post Office
e The current arrangements are challenged and assessed for areas of continuous
improvement and best practice
e Whistleblowers are always supported and protected when raising a concern
« Barriers to speaking up are uncovered and addressed
* The Whistleblowing team, senior managers and leaders receive training on the
importance of Whistleblower support
e Root cause analysis is undertaken for all cases and issues, so that continual
improvements can be made in the relevant areas
The day to day management of Whistleblowing reports and processes is overseen by the
MLRO & Head of Financial Crime (the Whistleblowing Policy Owner) via the Whistleblowing
Manager and nominated deputies who receive all internal reports raised, regardless of the
channel used, review any concerns raised and determine the best course of action, if any.
They may ask for further information in order to make this decision.
The Whistleblowing Manager is also responsible for Post Office’s overall Whistleblowing
Policy and governance framework, which ensures that reports are investigated and
responded to in a timely manner. They are responsible for determining the appropriate
parties who should investigate the allegations raised, taking into account the sensitivities
and seriousness of the report and the need to protect the Whistleblower.
The Whistleblowing Manager is also responsible for identifying key trends or issues, and
providing assurance to the Board that the policy is complied with.
1.10. Responding to Whistleblowing Reports
In all instances any Whistleblowing reports, regardless of reporting method, will be
responded to within 5 working days and passed onto the Whistleblowing Manager.
All reports will be fully reviewed and investigated and any information, including emails,
or records of telephone calls, letters, or any other form of communication will be stored
securely and confidentially.
Any investigations will be carried out in accordance with the Investigations Policy which is
available on the Post Office Intranet and sets out specific Whistleblowing considerations
for investigations.
The time frame for investigating the reports raised is dependent on the nature of the report
and the investigation required, however, the Whistleblower will be given feedback via the
reporting channel they have used, or have given the Whistleblowing Manager permission
to use (Speak Up line, e-mail or phone call) during the investigation and once it has been
concluded.
Post Office will endeavour to give Whistleblowers feedback in the context of a particular
matter, subject to other considerations such as applicable regulations or Post Office’s legal
requirements.
Where a report received is anonymous, Whistleblowers will not ordinarily be able to receive
feedback and details of action taken by Post Office may be limited. However, feedback in
Internal and External Page 8 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
this instance could be sought through a telephone appointment or by using an anonymised
email address.
1.11. External Disclosures
The aim of this Policy is to provide an internal mechanism for reporting, investigating and
remedying any wrongdoing in the workplace and to demonstrate Post Office’s commitment
to listen to the concerns of Staff. In most cases Whistleblowers should not find it necessary
to alert anyone externally.
However, the law recognises that in some circumstances it may be appropriate for
Whistleblowers to report their concerns to an external body such as a regulator. It will
rarely, if ever, be appropriate to alert the media at least without informing Post Office or
an external agency first and usually in that order.
Advice
We strongly encourage Whistleblowers to seek advice before reporting a concern to anyone
external. The independent whistleblowing charity, Protect (formerly Public Concern at
Work) have a list of prescribed regulators for reporting certain types of concerns. Their
contact details are as follows:
Helpline
Website: www.protect-advice.org.uk
Protect operates free, confidential advice to people concerned about crime, danger or
wrongdoing in the workplace. All Protect advisors are legally trained and supervised by
qualified lawyers and their advice is fully confidential and subject to legal privilege. All
information, including emails, or records of telephone calls, letters, or any other form of
communication with Protect advisors is stored in a fully encrypted format.
Advice may also be sought from:
e the Government (general guidance is available on www.gov.uk/whistleblowing);
e Trade Unions; and/or
e Advisory, Conciliation and Arbitration Service (ACAS) (contact details are available on
www.gov.uk/pay-and-work-rights)
Advice may be sought which would, among things, assist Whistleblowers to verify the
position that a personal grievance is not generally regarded as a protected disclosure.
Disclosures to the FCA or PRA
Post Office Management Services (POMS) is directly regulated by the Financial Conduct
Authority (FCA), and Post Office Limited is an appointed representative of Bank of Ireland
(UK) Limited which is authorised by the Prudential Regulation Authority (PRA). As such
individuals may decide to whistleblow directly to the FCA or PRA, and can do so by using
one of the following channels.
Body Contact details
FCA’s Helplin
Whistleblowing E-mail:}_
Service Website: www. fca.org.uk/site-info/contact/whistleblowing
Address: Intelligence Department (Ref PIDA), Financial Conduct
Authority, 12 Endeavour Square, London, E20 1JN
Internal and External Page 9 of 20Whistleblowing Policy v.6 March 2021 - POL
RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
PRA’s
Whistleblowing
Service
GRO j
www.bankofengland.co.uk/prudential-
regulation/whistleblowing-and-the-pra
Address: Confidential reporting (whistleblowing) IAWB team,
Legal Directorate, Bank of England, Threadneedle Street,
London, EC2R 8AH
Contacting the FCA or the PRA is not conditional on a Whistleblowing report first being
made using Post Office’s internal arrangements (nor is it necessary for a disclosure to be
made to Post Office in the first instance), and it is possible to utilise Post Office’s internal
arrangements and contact the FCA or PRA simultaneously or consecutively.
Whistleblowing concerns usually relate to the conduct of our staff, but they may sometimes
relate to the actions of a third party, such as a customer, supplier, agent, Postmaster or
service provider. In some circumstances the law will protect Whistleblowers if they raise
the matter with the third party directly. However, we encourage Whistleblowers to report
such concerns internally in the first instance.
Internal and External
Page 10 of 20 Whistleblowing Policy v.6 March 2021 -
POL RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
2» Risk Appetite and Minimum _ Control
Standards
2.1. Risk Appetite
Risk Appetite is the extent to which the Group will accept that a risk might happen in
pursuit of day to day businesses transactions. It therefore defines the boundaries of
activity and levels of exposure that the Group are willing and able to tolerate.
The Group takes its legal and regulatory responsibilities seriously and consequently has?:
e Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances
where there are significant conflicting imperatives between conformance and
commercial practicality
e Averse risk appetite for litigation in relation to high profile cases/issues
« Averse risk appetite for ligation in relation to Financial Services matters
e Averse risk appetite for not complying with law and regulations or deviation from
business’ conduct standards for financial crime to occur within any part of the
organisation
e Averse Risk Appetite in relation to unethical behaviour by our staff.
The Group acknowledges however that in certain scenarios even after extensive controls
have been implemented an action may still sit outside the agreed Risk Appetite.
2.2. Policy Framework
Post Office has established a suite of policies and procedures, on a risk sensitive approach
which are subject to an annual review. The policy suite is designed to comply with
applicable legislation and regulation. The Whistleblowing Policy should be considered and
read in conjunction with other policies where relevant. These may include the Financial
Crime Policy, the Anti-Bribery & Corruption Policy, Health & Safety Policies and HR Policies
where relevant.
° The Risk appetite was agreed by the Groups Board January 2015,
Internal and External Page 11 of 20 Whistleblowing Policy v.6 March 2021 -
POL RCC & ARC and POI approval - Final.docx
2.3. Minimum Control Standards
POL00413444
POL00413444
A minimum control standard is an activity which must be in place in order to manage the risks so they remain within the defined Risk
Appetite statements. There must be mechanisms in place within each impacted business unit to demonstrate compliance. The minimum
control standards can cover a range of control types, i.e. directive, detective, corrective and preventive which are required to ensure risks
are managed to an acceptable level and within the defined Risk Appetite.
The table below sets out the relationships between identified risk and the required minimum control standards in consideration of the stated
risk appetite. The subsequent pages define the terms used in greater detail:
Risk Area Description of Risk Minimum Control Standards Who is responsible When
Receipt and Failure to meet legal and Directive Control:
investigation of regulatory requirements Post Office must nominate a Post Office CEO and Board I Ongoing
Whistleblowing reports Whistleblowing Champion to must nominate the
provide governance and Whistleblowing Champion.
oversight, ensuring that all
reports are fully investigated
and that any appropriate
corrective action is undertaken.
The Whistleblowing Manager MLRO & Head of Financial Annually
must provide a Whistleblowing Crime is responsible for
report to the R&CC and ARC at providing report.
least annually.
Any serious Whistleblowing MLRO & Head of Financial Ongoing
concerns must be promptly Crime
escalated to the Chairman of the
Post Office Audit and Risk
Committee.
Preventative Control: MLRO & Head of Financial Training must
All Employees and Staff are Crime be provided at
trained and the policy is least annually
available to them and within 30
Internal and External
approval - Final.docx
Page 12 of 20
Whistleblowing Policy v.6 March 2021 - POL RCC & ARC and POI
POL00413444
POL00413444
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
The Whistleblowing Manager
must ensure that appropriate
arrangements are in place to
ensure that Whistleblowing
reports are addressed promptly
including during absences.
Communications and awareness
provided to all Employees and
Staff.
Corrective Control
The Whistleblowing Manager
must escalate Whistleblowing
reports to the appropriate
Investigating manager for
investigation to take place.
The nominated Investigating
manager responsible for
conducting the investigation
must report the findings back to
the Whistleblowing Manager.
Whistleblowing Manager
MLRO & Head of Financial
Crime
Whistleblowing Manager
Investigating manager
days of joining
Post Office
Ongoing
Ongoing
Ongoing
Ongoing
Breach of
confidentiality
Failure to ensure
confidentiality for the
Whistleblower
Preventative Control:
Whistleblowing Policy is robust
and up to date.
Confidential Speak Up line
reports are shared only with the
Whistleblowing Manager and
nominated deputies
Whistleblowing Manager
MLRO & Head of Financial
Crime is responsible for
ensuring that reports are
shared with the
appropriate persons.
Ongoing
Ongoing
Internal and External
approval - Final.docx
Page 13 of 20
Whistleblowing Policy v.6 March 2021 - POL RCC & ARC and POI
POL00413444
POL00413444
Risk Area
Description of Risk
Minimum Control Standards
Who is responsible
When
Whistleblowing email inbox
access is restricted to the
Whistleblowing Manager and
nominated deputies
Whistleblowing Manager must
put arrangement in place to
protect the confidentiality of the
Whistleblower during
investigations
Corrective Control:
All incidents of breaches are
escalated to the MLRO & Head of
Financial Crime to review and
take necessary actions.
Whistleblowing Manager
Whistleblowing Manager
Whistleblowing Manager to
escalate to the MLRO &
Head of Financial Crime.
Ongoing
Ongoing
Ongoing
Incorrect handling of
Whistleblowing report
An individual may raise a
Whistleblowing report with
other individuals in the
Group. Details may then be
shared with various
stakeholders before being
passed onto the
Whistleblowing Manager.
Preventative Control:
Training provided to contact
teams to identify potential
Whistleblowing reports and
ensure these are correctly
handled, e.g.:
e Grapevine,
* NBSC,
« Customer Support, and
e Executive Correspondence
Team.
Communications and awareness
provided to all Employees and
Staff.
Corrective Control:
All incidents of breaches are
escalated to the MLRO & Head of
Whistleblowing Manager
MLRO & Head of Financial
Crime
Whistleblowing Manager to
escalate to the MLRO &
Head of Financial Crime.
Annually and
within 30 days
of joining the
Post Office
Ongoing
Ongoing
Internal and External
approval - Final.docx
Page 14 of 20
Whistleblowing Policy v.6 March 2021 - POL RCC & ARC and POI
POL00413444
POL00413444
must review the effectiveness of
the processes operated by
Grapevine, BSC, Customer
Support, and The Executive
Complaints Team at least
annually to ensure that
whistleblowing reports are
Crime to ensure review
takes place.
Risk Area Description of Risk Minimum Control Standards Who is responsible When
Financial Crime to investigate
and take appropriate actions.
Insufficient Failure to capture/report Directive Control:
Information sufficient information about I Employees and Staff are Whistleblowing Champion Ongoing
the issue may mean that encouraged to report issues and I and Whistleblowing
the underlying issue cannot I provide full information and their I Manager to encourage
be properly investigated and I contact details, where they feel Employees and Staff to do
resolved able to do so. so.
Corrective Control: Whistleblowing Manager
All reports, including those Ongoing
where insufficient information
has been provided and no
further action was taken are
recorded on the Whistleblowing
database, which is reviewed for
trends and issues.
The ‘Speak Up’ Service I Failure to effectively record Preventative Control:
Whistleblowing reports and The Whistleblowing Manager MLRO & Head of Financial Annually
pass onto the must review the effectiveness of I Crime to ensure review
Whistleblowing Manager, the service provided by NAVEX takes place.
due to factors such as Global (formerly known as
resource or IT failure. Expolink Europe Ltd) at least
annually.
The Whistleblowing Manager MLRO & Head of Financial Annually
Internal and External
approval - Final.docx
Page 15 of 20
Whistleblowing Policy v.6 March 2021 - POL RCC & ARC and POI
POL00413444
POL00413444
line managers as part of their
induction process as a manager
and on appointment to Post
Office regarding the handling of
and People Training
Manager
Risk Area Description of Risk Minimum Control Standards Who is responsible When
identified and communicated
promptly.
Treatment of Breach of Whistleblowing Preventative Control
Whistleblowers. guidelines such that a Training must be provided to all I Whistleblowing Manager Ongoing
Whistleblower suffers people managers as part of their I and People Training
prejudice, detriment or induction process as a manager I Manager
dismissal as a result of and on appointment to Post
making a Whistleblowing Office.
report
Annual training must be Whistleblowing Manager Ongoing
provided to all Post Office and People Training
Employees and Staff to remind Manager
them of the protections available
to Whistleblowers and the
importance of identifying and
reporting wrongdoing
The Code of Business Standards I Whistleblowing Manager Ongoing
must refer to the Whistleblowing I and People Training
policy and must be provided to Manager
all new joiners as part of their
induction programme.
Line managers An Employee or member of I Preventative Control
Staff may not want to make I Employees and Staff should be Whistleblowing Manager Ongoing
a report to their line made aware of the multiple and People Training
manager in case it affects ways to disclose a report and Manager
their relationship or where also that reports can be
the disclosure involves the anonymous.
line manager.
Training must be provided to Whistleblowing Manager Ongoing
Internal and External
approval - Final.docx
Page 16 of 20
Whistleblowing Policy v.6 March 2021 - POL RCC & ARC and POI
POL00413444
POL00413444
Risk Area Description of Risk Minimum Control Standards Who is responsible When
reports and the importance of
encouraging Employees and
Staff to make reports.
Support available to Whistleblowers are not Preventative Control
Whistleblowers supported throughout the Feedback should be taken from Whistleblowing Manager Ongoing
process of an investigation
Whistleblowers throughout an
investigation to monitor that
they feel supported and
protected by the Post Office.
Internal and External
approval - Final.docx
Page 17 of 20 Whistleblowing Policy v.6 March 2021 - POL RCC & ARC and POI
POL00413444
POL00413444
2.4. Governance Responsibilities
As at the date of approval of this Policy, the Group Compliance Director is the Policy
Sponsor and the MLRO & Head of Financial Crime is the Policy Owner, responsible for
oversight of the Policy.
The Audit and Risk Committee are responsible for approving the Policy and overseeing
compliance.
The Board is responsible for setting the Group’s risk appetite.
Internal and External Page 18 of 20 Whistleblowing Policy v.6 March 2021 -
POL RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
3 = Control
3.1. Policy Version
Date Version I Updated by Change Details
April 2016 1.4 Jane MacLeod Sponsors review and sign-off
August 2017 1.5 Vitor Camara Annual Review and update.
September 2017 1.6 Thomas Richmond _I POL R&CC approval
September 2017 2 Thomas Richmond_I Final version approved
June 2018 2.1 Vitor Camara Annual review and update.
July 2018 2.2 Sally Smith POL R&CC approval
July 2018 2.3 Sally Smith POL ARC approval
September 2018 2.4 Sally Smith POMS ARC approval
September 2018 3 Vitor Camara Final version approved
June 2019 3.1 Sally Smith Annual review and update
June 2019 3.2 Sally Smith Incorporating legal review comments
July 2019 3.3 Sally Smith POL R&CC approval
September 2019 3.4 Sally Smith POMS ARC approval
September 2019 4.0 Sally Smith Final version approved
April 2020 4.1 Sally Smith Updated with new Speak Up service
contact details
June 2020 4.2 Sally Smith Annual review and update
July 2020 4.3 Sally Smith POL RCC approval
July 2020 5.0 Sally Smith Final approval by ARC's
March 2021 5.1 Sally Smith Amendments following Protect self-
assessment and external review by
Herbert Smith Freehills
March 2021 5.2 Sally Smith Amends after Group Director of
Compliance review
March 2021 5.3 Sally Smith POL R&CC approval
March 2021 5.4 Sally Smith POL ARC approval
May 2021 6.0 Sally Smith POI ARC approval
3.2. Policy Approval
Group Oversight Committee: — Risk and Compliance Committee and Audit and Risk Committee
Committee Date v.6.0 Approved
POL R&CC 16" March 2021
POL ARC 30° March 2021
POMS ARC 14 May 2021
Policy Sponsor: Group Director of Compliance
Policy Owner: MLRO & Head of Financial Crime
Policy Author: MLRO & Head of Financial Crime
Next Review: March 2022
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers
2154540 and 08459718 respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
Internal and External Page 19 of 20 Whistleblowing Policy v.6 March 2021 -
POL RCC & ARC and POI approval - Final.docx
POL00413444
POL00413444
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its
Information Commissioners Office registration number is ZA090585.
Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information
Commissioners Office registration number is 24866081.
Internal and External Page 20 of 20 Whistleblowing Policy v.6 March 2021 -
POL RCC & ARC and POI approval - Final.docx