POL00423141 - POL - Meeting of the Audit, Risk and Compliance Sub-Committee

POST OFFICE LIMITED
(Company Number 2154540)

Meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE
to be held at 13.15 on Wednesday 13 February 2013
at 148 Old Street, London, EC1V 9HQ in the Board Room

Agenda

13.15  1. Minutes of the last meeting and matters arising (Alasdair Marnoch)
       - Minutes of the meeting held on 13 November 2012 and meeting dates for 2013
       - Matters arising:
         - Confirmation of external audit fees for 2012/13
         - Minutes of Regulatory Risk Committees and Risk and Compliance Committees
         - Whistle-blowing policy

13.30  2. Risk Management within Post Office Limited (Chris Day/Susan Crichton)
       - Approach to risk management
       - Risk management framework
       - Policies to mitigate against key regulatory risks
       - Treasury Risk Framework

14.10  3. Annual Report and Accounts (Mark Davies, Sarah Hall)
       - Key Messages
       - Definition of Key Management Personnel

14.30  4. Internal Audit (Malcolm Zack/Stephen Collins¹)
       - Summary of Internal Audit reports completed since April 2012 and status report on audit actions
       - Recent audit results
       - Draft 2013/2014 POL Internal Audit plan

15.00  5. Specific matters referred by the Board to ARC (Lesley Sewell, Hugh Flemington²)
       - Update report on information security
       - Eagle contract: termination event scenario planning

15.10  6. Any other business

The Operating Plan briefing will begin at 15.30 and finish at 16.45.

¹ Stephen Collins of Royal Mail Internal Audit will join the meeting at this point.
² Lesley Sewell, CIO, and Hugh Flemington, Head of Legal, will join the meeting at this point.

Audit Risk and Compliance Committee meeting-13/02/13    1 of 131

Post Office Limited

PRESENT:        Alasdair Marnoch (Chairman)
                Susannah Storey (Non-executive director)
                Neil McCausland (Non-executive director)

SECRETARY:      Alwen Lyons (Company Secretary)

APOLOGIES:      Tim Franklin (Non-executive director)

IN ATTENDANCE:  Alice Perkins (Company Chairman)
                Paula Vennells (Chief Executive)
                Susan Crichton (HR & Corporate Services Director)
                Chris Day (CFO)
                Sarah Hall (Head of Financial Control and Compliance)
                Malcolm Zack (Head of Internal Audit)
                Stephen Collins (Audit Manager, Royal Mail Group Internal Audit)
                Lesley Sewell (Chief Information Officer)
                Hugh Flemington (Head of Legal)

Key Decisions and Actions to be taken by the Committee

Item                                                                   Action Requested

1  Minutes of last meeting/matters arising
   - Minutes                                                           Approve
   - Audit fees confirmation                                           Approve
   - Financial regulation regime                                       Note
   - Minutes of Regulatory Risk Committee                              Note
   - Minutes of Risk and Compliance Committee                          Note

2  Risk Management in Post Office Limited
   - Approach to Risk Management and Risk Management Framework         Direct and Approve
   - Regulatory Policies — status                                      Note/Direct as necessary
   - Treasury Risk Framework                                           Direct and Approve

3  Annual Report and Accounts
   - Key Messages                                                      Discuss and Approve
   - Template for Corporate Governance Statement                       Discuss
   - Timetable                                                         Approve
   - Definition of Key Management Personnel                            Approve

4  Internal Audit
   - Summary of 2012 Royal Mail audit reports and status of actions    Note
   - Recent Audit Results                                              Note/Comment
   - Draft 2013/2014 Internal Audit Plan                               Discuss, Direct and Approve

5  Specific matters referred by the Board
   - Information Security Paper                                        Note and direct
   - Eagle Contract: termination event scenario planning               Note and direct

1. Minutes of the last meeting and matters arising

Post Office Limited — Strictly Confidential

POLARC12 (2nd)
POLARC12/8-15

POST OFFICE LIMITED
(Company no. 2154540)

Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE SUB-COMMITTEE
held on Tuesday 13 November 2012
at 2pm at 148 Old Street, London EC1V 9HQ

Present:

Alasdair Marnoch      Chairman of Committee
Tim Franklin          Non-Executive Director
Neil McCausland       Senior Independent Director
Susannah Storey       Non-Executive Director

In attendance:

Alice Perkins (AP)      Chairman, Post Office Limited
Chris Day (CD)          CFO
Paula Vennells          CEO (item 12/11 only)
Sarah Hall (SH)         Head of Financial Control and Compliance
Nick Kennett (NK)       Financial Services Director (item 12/13 only)
Alwen Lyons (AL)        Company Secretary
Hugh Flemington (HF)    Head of Legal Services (item 12/11 only)
Lesley Sewell (LS)      Chief Information Officer (item 12/11 only)
Malcolm Staite (MS)     Interim Head of Risk Governance
Malcolm Zack (MZ)       Head of Internal Audit
Stephen Collins (SC)    Audit Manager, Royal Mail Group Internal Audit (item 12/12 only)
Angus Grant (AG)        Audit Partner, Ernst & Young (item 12/12 only)
Jeremy Midkiff (JM)     Audit Manager, Ernst & Young (item 12/12 only)

POLARC12/8 INTRODUCTION

(a) A quorum being present, the Chairman of the Committee opened the meeting
and welcomed all those present.

(b) The Chairman noted that the Committee would not be able at this meeting to
discuss Risk Management in detail, as the executive team were still working
through the processes and the necessary recruitments had not yet been
completed. The approach to risk management would be a matter for
particular focus at the next meeting in February.

POLARC12/9 GOVERNANCE

(a) The Chairman asked MZ to talk through the new format proposed for the
Terms of Reference of the Committee, including an outline schedule of
matters to be discussed and a form of standing agenda.

(b) Following discussion, it was agreed that the revised Terms of Reference for
the Committee, dated November 2012, are approved and adopted subject to
an amendment in 2.1 to clarify that the HR & Corporate Services Director and
the General Counsel were the same role.

(c) These Terms of Reference would be included in the pack of corporate
governance documents to be approved by the Board in January 2013.
ACTION: Company Secretary

(d) The Committee requested that the banking and treasury delegated authority
limits discussed at the Board meeting on 23 October 2012 should return to
the ARC in February for discussion and that outstanding balances and any
breaches by counterparties be brought to the attention of the ARC.
ACTION: CD

(e) The Committee asked for sight of the internal audit reports completed since
April 2012, and a status report on the audit actions to be presented at the
February meeting.
ACTION: MZ

(f) The Committee requested discussion at the February meeting on:

(i) the policies in place to mitigate against key business risks (a paper to be
produced by the Head of Risk Governance); and

(ii) the process for establishing and ensuring compliance by the Business
with those policies and with regulatory requirements. It was recognised
that this exercise would take some time, with priority areas starting to
become clear over the course of 2013.

ACTION:MZ/SC
(g) The CFO and HR & Corporate Services Director would then lead a session at
the Board to give comfort that the Business understands its regulatory risks
and has the policies in place to monitor and mitigate.
ACTION: CD/SC.

POLARC12/10 ANNUAL REPORT AND ACCOUNTS AND HALF YEAR TRADING
STATEMENT

(a) CD presented the latest draft of the half-year trading statement. It was noted
that the DVLA decision had now been announced and could therefore be
included in the statement.

(b) It was noted that the trading statement had not been reviewed formally by
Ernst & Young but it was confirmed that the basis of preparation was
consistent and that there had been no major changes in accounting policies
or practice.

(c) The proposed date for release of the statement to the press and general
public was 22 November 2012. Discussions would be held separately with
the Shareholder.

(d) The Committee discussed the tone of the statement and the comments
received to date from members of the Board and it was agreed that final
comments would be input by 14 November, after which the statement
would be re-circulated to the Board for final approval.
ACTION: CD

(e) A copy of the final statement and press release would be circulated to the
Board.
ACTION: Company Secretary

(f) The paper presented by SH, setting out an approach for preparation of the full
year accounts for 2012/13, was considered.

(g) After discussion it was agreed that:

(i) Post Office should not take advantage of the exemptions from being a
wholly owned subsidiary of a UK parent producing group financial
statements;

(ii) Post Office should continue to report under UK GAAP but the
consolidated financial statements will be under IFRS;

(iii) the Post Office Annual Report and Financial Statements should be
prepared as one formal document for lodging at Companies House;

(iv) Post Office should include the additional Business Review disclosures
applicable to quoted companies where appropriate;

(v) Post Office should aim to meet the elements of the UK Corporate
Governance Code and DTR disclosure requirements on corporate
governance that are appropriate; and

(vi) Post Office should comply with legal requirements concerning the
disclosure of directors’ remuneration but would not seek to go beyond
the statutory level of disclosure for the financial year 2012/3.

A full analysis of Post Office’s compliance with the UK Corporate Governance
Code was under way and would be provided for discussion by the Committee
at its next meeting.
ACTION: Company Secretary

There appeared to be nothing which would prevent the Post Office from
confirming that it upheld the principles of the Code, even if some of the
detailed recommendations would not be applicable to a Government-owned
organisation.

POLARC12/11 RISKS — HIGH RISK CONTRACTS.

The CEO, LS and HF joined the meeting to provide an update on the
information security issue which had recently been faced by the Post Office.

An approach to establishing the risk profile of customer data held within the
Post Office had been set out in the paper from LS and this was discussed.

The Committee thanked the CEO and the Business for the rigour with which
they had handled the issue and asked for a short update report in mid-
December followed by a formal report on information security for the next
ARC meeting in February, including a noting paper on High Risk Contracts.

The Committee asked to be kept informed in the meantime of any actions
necessary to mitigate against any actual or perceived liability on the part of
the Post Office.
ACTION: LS

POLARC12/12 INTERNAL AND EXTERNAL AUDIT
(a) SC, AG and JM joined the meeting.

(b) MZ was introduced as the new Head of Internal Audit. He explained the
future audit team he was recruiting for the Business and that going forward
the audit plan would be based on the key risks which would be signed off by
the ARC. He confirmed the activity in the Audit plan for 2012/13 and that
Royal Mail’s Internal Audit Team would assist Post Office up to 31 March
2012.

(c) The Committee agreed that there may be a need to monitor the increased
strategic risks driven by separation and transformation, but that there also
needed to be a focus on compliance within the Network.

(d) The Committee asked for a summary of the areas covered by RMG Internal
Audit reports to be presented to the ARC in February.
ACTION: MZ

Stephen Collins left the meeting

(e) AG, the Ernst & Young Audit Partner responsible for the Post Office external
audit, reported that the previous year’s audit had been finalised. He expected
that 2012/13 would be a challenging year for the Business in several areas
because of separation and major change, and that the audit would need to
focus on separation, pensions, and taxation with an overlay of IT. He set out
the proposed approach to external audit of the full year accounts and the
outline timetable. The detailed focus of the audit would be:

(i) Revenue recognition and the accounting treatment across diverse
revenue streams;

(ii) Counterparty risk;
(iii) Pension valuation and accounting;
(iv) Separation accounting risks; including pensions and treasury;
(v) Valuation of accounting provisions;
(vi) Risk of fraud/burglary in the Network and Cash operations;
(f) The ARC was comfortable with the approach, alongside the separate
ISAE 3402 IT audit which had been jointly commissioned by the Post Office
and Fujitsu.
(g) The Chairman asked at what level of materiality the E&Y team would report.
AG explained that this would be similar to previous years. Although E&Y did
put a figure on P&L materiality, they would propose to report any identified
audit adjustments above £600k to the Committee and, as a general rule,
insist on changes to the accounts for any single item or accumulation of items
with an effect of over £5-6 million. This was accepted.

(h) The Chairman informed the meeting that he would pick up the Ernst & Young
fees with the CFO outside the meeting.
ACTION: AM/CD

(i) The external audit plan was agreed. The external auditors left the meeting.
POLARC12/13 MATTERS REFERRED TO ARC BY THE BOARD

Governance of the “Eagle” Contract

(a) NK joined the meeting. He presented the paper and explained the governance
processes now in place with the Bank of Ireland (BoI) following agreement of
the new contract. The Committee was informed of the arrangements and the
governance committees put in place to monitor performance. The Committee
asked that the minutes of future Regulatory Risk Committees (RRC) be
provided for the ARC.
ACTION: NK

(b) NK noted the termination rights currently contained in the contract. BoI was
obliged to provide certification within 15 days of each quarter end to assure
Post Office that BoI was meeting its requirements in respect of:

(i) Tier One Ratio and Capital buffers
(ii) Liquidity
(iii) NSFR requirement

and that it had not breached any of the terms of the contract creating a
Termination Obligation.

(c) The Chairman asked if this gave the Business sufficient warning of any
problems. NK assured the Committee that the Bank was obliged to give Post
Office early warning of any capital or liquidity problems and Post Office had a
buffer above the regulatory and statutory requirements set by HM Treasury
(HMT), the Bank of England (BoE) and the FSA.

(d) Post Office had also established a system for tripartite meetings with HMT
and BoE, to which the FSA was also invited. The purpose of this meeting
was to give Post Office a medium to long term view of the banking
environment and how any developments might affect the Post Office.

(e) NK explained that the FSA would soon be splitting to form two organisations:
the Prudential Regulation Authority (PRA) and the Financial Conduct
Authority (FCA). This should lead to a strengthening of regulatory
relationships and give the Business more comfort.

(f) The Committee asked NK to provide an interim update on the regulatory
position in September 2013, 6 months after the changes had taken effect.
ACTION: NK

(g) The Chairman noted that it would be useful at the same meeting to look at
scenarios in which Post Office would need to respond to a termination event.
ACTION: NK

(h) NK reported that Post Office deposits had grown substantially above the
planned £16.6 billion target agreed with the FSA. The parties were working
together to agree a commercially sustainable position on pricing for BoI whilst
ensuring protection for Post Office customer assets and the Post Office
brand.

NK explained the securitisation of assets by BoI and noted that the new
contract required consent from the Post Office to securitise any Post Office
customers’ assets. The terms were designed to ensure that Post Office
customers’ assets were managed effectively but also ring-fenced in the event
that a transfer to an alternative provider became necessary.

NK then left the meeting.

Uncommitted Credit Facilities

(i) The CFO asked for the Committee’s views on the proposals relating to
uncommitted loan facilities which had been put forward to the Board. He
noted that banking counterparties would require a resolution of the full Board.
ACTION: CD/Company Secretary

(j) The Committee discussed the proposals to enter into two loan facilities. CD
confirmed that these proposals had been discussed with the Shareholder and
no concerns had been expressed.

(k) The Committee endorsed the following recommendations to the Board:

(i) approval for Post Office to enter into external borrowing facilities up to a
maximum value of £100m, such that external borrowing of up to £50m
may be drawn down at any one time;

(ii) approval for the CFO and Head of Corporate Finance to conduct
negotiations with counterparties and sign and deliver the loan and
related documentation; and

(iii) approval for the form of Board resolution included in the paper, subject
to review by Susan Crichton (Head of HR and Corporate Services).

POLARC12/14 ANY OTHER BUSINESS

(a) It was agreed that the schedule of meeting dates for 2013 should be revised
to allow for meetings in February, May, September and November. The
Company Secretary was asked to recirculate the dates.
ACTION: Company Secretary

POLARC12/15 CLOSE

There being no further business, the meeting was declared closed.

Post Office Ltd. & Bank of Ireland (UK) Regulatory Risk Committee
QBR Meeting
16th November 2012, 11.00 - 1.00pm. Board Room, Bow Bells House, London.
Key Decisions and Actions

Bank of Ireland Members:   Post Office Members:   In Attendance:   Apologies:
Debra Codack BoI (UK)   Roger Gale (POL)   Hope Stack (Secretary)   David McGowan BOI (UK)
Alec Hughes BoI (UK)   Jonathan Hill (POL)   Kevin Gilliland (POL)
Richard Holden (Chair) BoI (UK)   Jeremy Law (POL)   Susan Crichton (POL)
David Mason (POL)   Nick Fahy BOI (UK)
Nick Kennett (POL)
Malcolm Staite (POL)

Key discussion points:

Governance:

Meeting minutes of 19th October were approved and matters arising updated.

BOI (UK) Regulatory & Operational Risk Monitoring:

Compliance Report Highlights

T&D Reviews — It was agreed that a full root & branch review of the in-branch T&D framework would take place following the full deployment of the video mystery shopping programme.

Savings Mystery Shopping results for T&D Reviews in Q3 showed some slight improvement on Q2 results, with a caveat that Q3 volumes were lower than those undertaken in Q2. It was agreed that the success of the credit card re-accreditation programme would be assessed at the end of Q4.

Financial Promotions — Deterioration in quality of submissions from POL is impacting on the Bank's ability to sign off promptly. An action was agreed to review stakeholder responsibilities in light of the recent structural change and the need for clarity of accountability in the new structure for the different elements of the FP production and approval cycle. It was agreed that it would be helpful to bring in the Product Managers as part of the review.

Video Mystery Shopping — Feedback received to date suggests that the pilot has been a success. However, a date has not yet been agreed for a full rollout. The Committee agreed that the next phase should include counter staff, as the Bank's risk is not limited just to FSs.

The Mortgage Pilot 3 month interim review showed positive indicators following post validation calls which were carried out on a small sample of 14 customers. The Pilot will continue, led by 10 Mortgage Specialists. Further discussions took place re the expected outcome of the pilot and next steps.

Financial Specialists Capability
- The red rated issues reported on mystery shopping were to be raised at BOI (UK) BRC and require both short term and long term solutions to address. The Committee noted that significant efforts have been made to improve levels of compliance in relation to the in-branch sale of credit cards and that these should begin to have a positive impact in the near future.

Top 5 Risks
- Top 5 Risks to be updated following discussion by the Committee.

Customer Complaints MI & TCF Scorecard
- Both sets of MI currently under review. AH presented a draft ‘PO Distribution - Conduct Risk Dashboard’ to the Committee and confirmed the intention that this will replace the distribution related elements of the POFS TCF Scorecard. It was agreed that AH would finalise the proposal in this regard and present the final version to the Committee in January.

AOB - Terms of Reference
- The Committee ToR is to be revised to reflect recent changes and will be presented at the December meeting for approval.
Open actions out of 16th November POL & BOI (UK) meeting
(Updates as at 23rd November)

126. T&D Review Process — J.Law took an action to keep the Committee updated on the progress of the overall review of the T&D framework.
     Owner: JL   Due: n/a   Status: Closed

127. Crown T&D Reviews — DC took an action to extract the detail (question and results per branch) behind the results as reported on page 7 of the Monitoring report, and provide these to Roger Gale.
     Owner: DC/RG   Due: 12th Dec   Update: DC to provide detail behind results to RG as agreed. This action was closed as complete 26th November.   Status: Closed

128. Financial Promotions Submissions — Agreed that a RACI should be completed with all key stakeholders in light of the new operating structure.
     Owner: DC/JH/JL   Due: 12th Dec   Update: Provide Committee with an update on the review at the next meeting.   Status: Open

129. Video Mystery Shopping — Phase II
     Owner: DC/DM   Due: Dec/Jan   Update: DC/DM to discuss plans for next phase of Video Mystery Shopping and advise Committee.   Status: Open

130. Financial Specialists Capability
     i) Provide paper on summary of the key issues highlighted, the impact of the issues and how they can be addressed in short/long term.
        Owner: RG/JL   Due: Jan   Update: RG/JL to provide an update on the paper presented by AH to the Committee in September at the January Committee meeting.   Status: Open
     ii) Provide NK & JL a copy of the RCA paper presented by DM/AH at 19th Oct meeting.
        Owner: NK/JL   Due: Nov   Update: HS circulated a copy of the RCA paper as requested.   Status: Closed

131. Regulatory Risk Assessment
     Owner: JH   Due: 12th Dec   Update: JH to provide Committee with update at Dec meeting.   Status: Open
     Owner: JH/SL   Due: 19th Dec   Update: JH to provide Committee with update at Dec meeting.   Status: Open
     i) AH to circulate supporting document on the Customer Detriment Risk Assessment Process.
        Owner: AH   Due: Nov   Update: AH provided document and it was circulated to the Committee members.   Status: Closed

132. Top 5 Risks to be revised reflecting the current relevant risks.
     Owner: AH   Due: Jan   Update: AH to update and present to the next QBR meeting.   Status: Open

133. AH presented a draft ‘PO Distribution - Conduct Risk Dashboard’ to the Committee and confirmed the intention that this will replace the distribution related elements of the POFS TCF Scorecard.
     Owner: AH   Due: Jan   Update: AH to finalise the proposed Dashboard and present the final version to the Committee in January.   Status: Open

134. The Committee ToR will be revised to reflect recent changes and presented at the December meeting for approval.
     Owner: RH   Due: 12th Dec   Update: Revised ToR to be presented at 12th Dec meeting.   Status: Open

135. Schedule of 2013 meeting dates — JH requested that some of the 2013 meeting dates change to facilitate POL availability.
     Owner: JH   Due: Nov/Dec   Update: HS re-sent copy of 2013 schedule to JH for review and feedback.   Status: Closed

Previous actions out of POL & BOI (UK) meetings
(Updates as at 23rd November)

121. POL Branch classification and the development of Local Branches — It was agreed SL would circulate her presentation to the Committee and advised she would be available to answer any questions members of the Committee might have following the meeting.
     Owner: SL   Due: 29th Nov   Update: HS circulated a copy of the presentation received from SL of POL.   Status: Closed

Approved by: Richard Holden, Chairman
Date: 12th December 2012


Post Office Ltd. & Bank of Ireland (UK) Regulatory Risk Committee
QBR Meeting
12th December 2012, 10.00 - 12.00pm. Board Room, Bow Bells House, London.
Key Decisions and Actions

Bank of Ireland Members:   Post Office Members:   In Attendance:   Apologies:
Debra Codack BoI (UK)   Jonathan Hill (POL)   Hope Stack (Secretary)   Roger Gale (POL)
Alec Hughes BoI (UK)   Jeremy Law (POL)   Nick Fahy BOI (UK)
Richard Holden (Chair) BoI (UK)   David Mason (POL)   Nick Kennett (POL)
Malcolm Staite (POL)

Key discussion points:

Governance:

Key decisions of 16th November were approved and all open actions were updated.

BOI (UK) Regulatory & Operational Risk Monitoring:

T&D Reviews — The overall rating of Crown T&D reviews for the month was Amber. Generic Reviews reported no change at amber, and significant improvement was noted on the Thematic Mystery Shopping of credit cards, with an overall rating graded green (24 green & 4 red). All mystery shops were noted to have been carried out after the POL credit card training in early November.

Exceptions report was presented with additional detail on each exception following queries raised by POL at the November meeting. The Committee was advised that further monitoring would take place in Jan/Feb 2013.

Generic Compliance Reviews — The Committee was again made aware of the review findings in terms of the number of staff who are unaware of the procedure to follow in the event of a customer wishing to make a complaint. This has now increased to an exception rate of 83% over the last 3 months.

Video Mystery Shopping pilot (phase II) — All video mystery shops associated with phase II of the pilot (a mix of credit card & savings products) have been completed across a total of 17 locations. The assessment process was confirmed as being underway and DC advised findings to date show an increase in Red results for phase II. DM advised that POL will be compiling a report in relation to the performance of the pilot, which will be made available to the committee for review once complete. In terms of full roll out of Video Mystery Shopping, POL advised that it would be preferable to first identify whether it could be procured from one of their existing mystery shopping providers such as ABA (POL are subject to public procurement rules which make it simpler to procure services from existing suppliers). RH confirmed that he understood the challenge faced by POL in this respect, but stressed that any party wishing to be considered for the tender process must be capable of demonstrating their ability to deliver the service effectively.

RRC 142


POJV Compliance update

Branch Mystery Shopping — the monthly report demonstrated continuing improvement in relation to the number of green ratings now being achieved.

AH highlighted the CPP mis-selling FSA fine and advised that POJV Compliance would be carrying out an analysis of the sales practices that led to the FSA taking action against CPP to ensure that BOI (UK) has no similar regulatory compliance exposure. An update will be provided at the next meeting.

Gender neutral pricing — It was confirmed gender neutral pricing has been introduced for all insurance products.

Deposit Protection — Raising Consumer Awareness: while the FSA’s new rules in this regard are not applicable to POL, a range of ‘voluntary’ measures were to have been considered by the POL Executive Committee. J. Hill took an action to circulate an update to the Committee ahead of the next meeting in January 2013.

Regulatory Risk Assessment & Management Process

Regulatory Watch List — due to the unavailability of data, this report was noted to be incomplete. AH confirmed that, assuming the data is available, an updated report will be produced for the January 2013 meeting.

BOI (UK) Risk Planning Register — This report is not available until working day 20; it was agreed the Secretary would circulate once available. (The Secretary issued this report to the committee & attendees on 21st December 2012.)

Customer Complaints Report — The Complaints report (in a temporary format) was presented to the Committee and the Chairman confirmed an action to liaise with Bob Tennant in order to agree how future Complaints reports would be presented. Separately, a POL review of Post Office Complaints was noted to be currently underway and JH suggested POL would engage with the BOI (UK) complaints team once their review was complete. AH added that he will restart the production of the quarterly analysis of in-branch complaints in the new year.

TCF

Outcome 1 - Complaints from CMCs with regards to PPI mis-selling — It was noted that 91% of complaints are not upheld and a very significant percentage (circa 70%) did not have a PPI policy for the product against which the complaint was raised. DC advised that work is in progress within BOI UK to implement a simplified process for dealing with DSAR requests from CMCs in relation to PPI claims. Longer term this should see a reduction in the number of speculative complaints that subsequently come in. Several of the larger CMCs have signed up to the simplified process, and the BOI UK Risk team would be engaging with Rob Lear of Group Customer Complaints to maximise the opportunity.

Voice of Customer/Social Media Update — As NF was unable to attend the meeting, it was agreed this item would be carried forward to the QBR.

AOB - Terms of Reference — A number of small queries were raised in relation to the TOR: (i) it was advised NK would only attend meetings on a quarterly basis; (ii) under the “Duties” section of the document, it was requested that “POL” is removed from “Voice of the Customer and Social media reports”; and (iii) there was an action for the Committee to agree how its duties align to those of other POL/BOI (UK) Committees in terms of responsibility and reporting.

2013 Schedule of meeting dates — HS confirmed that the proposed set of 2013 meeting dates are with POL for review and approval. JH committed to reverting on the dates w/c 15th December.


Open actions out of 12th December 2012 POL & BOI (UK) meeting

Columns: Action | Owner | Due Date | Update as at 23rd November | Status

136. Video Mystery Shopping phase II
   Owner: DM. Due: 21/01/2013. Update: DM to provide update at QBR meeting. Status: Open.
   i) POL POC Review report to be made available to the committee for review once complete.
   ii) Full VMS roll out Plan - POL to provide BOI UK with update on the status of the Project.
   Owner: NK/DM/JH. Due: 21/01/2013. Update: Update to be provided to Committee at next meeting. Status: Open.

137. CPP mis-selling - FSA Fine - AH to carry out an analysis of the sales practices that led to the FSA taking action against CPP to ensure that BOI (UK) has no similar regulatory compliance exposure. Update to be provided by AH at the January meeting.
   Owner: AH. Due: 21/01/2013. Update: AH to update at next meeting. Status: Open.

138. Deposit Protection - Raising Consumer Awareness - JH took an action to circulate an update to the Committee ahead of the next meeting in January 2013.
   Owner: JH. Due: Jan 2013. Update: JH to circulate paper presented to Senior Executive. Status: Open.

139. BOI (UK) Risk Planning Register - This report was not available until working day 20, Secretary would circulate once available.
   Owner: HS. Due: 21/12/2012. Update: Secretary issued this report to the committee & attendees 21st December 2012. Status: Closed.

140. Customer Complaints Report
   i) The Chairman confirmed an action to liaise with Bob Tennant in order to agree how future Complaints reports would be presented.
      Owner: RH. Due: 21/01/2013. Update: Update to be provided at Jan meeting. Status: Open.
   ii) A POL review of Post Office Complaints is work in progress. J.Hill suggested POL would engage with BOI (UK) complaints team once their review was complete.
      Owner: JH. Due: 21/01/2013. Update: JH to provide update at Jan meeting. Status: Open.
   iii) AH to restart the production of the quarterly analysis of in-branch complaints in the new year.
      Owner: AH. Due: 21/02/2013. Update: Q4 report to be made available at February meeting. Status: Open.

141. Terms of Reference - Further minor changes requested by members to be updated, amended TOR will be presented at the next meeting for approval.
   Owner: RH. Due: 21/01/2013. Update: TOR to be amended and re-presented for approval. Status: Open.

142. 2013 Schedule of meeting dates - POL to confirm approval of all proposed meeting dates for 2013.
   Owner: JH. Due: 21/01/2013. Update: JH to provide Committee with agreement on the scheduling of monthly meetings. Status: Open.


Open actions out of 16th November POL & BOI (UK) meeting

Financial Promotions Submissions - Agreed that a RACI should be completed with all key stakeholders in light of new operating structure.
   Due: Jan 2013. Update: DC engaged with Gp Change Mgt who will arrange RACI review allowing continuity. DC took action to follow up. Status: Open.

Financial Specialists Capability
   i) Provide paper on summary of the key issues highlighted, the impact of the issues and how they can be addressed in short/long term.
      Owner: RG/JL. Update: RG/JL to provide an update on the paper presented by AH to the Committee in September at the January Committee meeting.
   ii) Provide NK & JL a copy of RCA paper presented by DM/AH at 19th Oct meeting.
      Owner: NK/JL. Update: Now HS [...] a copy of the RCA paper as requested. Status: Closed.

132. Top 5 Risks to be revised reflecting the current relevant risks.
   Owner: AH. Due: Jan. Update: AH to update and present to the next QBR meeting. Status: Open.

133. AH presented a draft ‘PO Distribution - Conduct Risk Dashboard’ to the Committee and confirmed the intention that this will replace the distribution related elements of the POFS TCF Scorecard.
   Owner: AH. Due: Jan. Update: AH to finalise the proposed Dashboard and present the final version to the Committee in January. Status: Open.

134. The Committee ToR will be revised to reflect recent changes and presented at the December meeting for approval.
   Owner: RH. Due: 12th Dec. Update: Revised ToR was presented at 12th Dec meeting with the committee adding some minor amends; RH to update. Status: Closed.

Closed actions of previous POL & BOI (UK) meetings

Approved by: Richard Holden, Chairman
Date: 21st January 2013

1. Minutes of the last meeting and matters arising

Post Office Ltd — Strictly Confidential

Risk and Compliance Committee (R&CC)
See Distribution    Reference: R&CC/MIN/JAN13

MINUTES OF THE POST OFFICE RISK & COMPLIANCE COMMITTEE HELD IN 148 OLD STREET AT 13.30 HRS ON 21st January 2013

Date: 21 January 2013

1. Introduction

Present:
Susan Crichton - HR & Corporate Services Director - Chair
Chris Day - Chief Financial Officer - Member
Paul Brown - Head of Mails & Retail Services (for Commercial Director) - Member
Simon Baker - Head of Programme & Planning (for Chief Information Officer & Strategy Director) - Member
Hugh Flemington - Head of Legal - Report
Jonathan Hill - Head of Financial Services Risk - Report
Mark Pearce - Head of Information Security - Report
Heather Bignell-Blye - Regulatory Risk Business Partner - Data Protection & Privacy - Report
Nigel Tuppen - Business Risk & Assurance Manager - Report
Malcolm Zack - Head of Internal Audit - Report
Rob Bolton - Risk & Assurance Adviser - Secretariat

Apologies:
Susan Barton - Strategy Director - Member
Lesley Sewell - Chief Information Officer - Member
Martin Moran - Commercial Director - Member

Nick Kennett - Financial Services Director - (attendance status illegible in the source)

1.1. The Chair welcomed everyone to the meeting. Apologies had been
received from Susan Barton, Lesley Sewell and Martin Moran.

2. Minutes of Previous Meeting

2.1 The minutes of the last meeting had been circulated and were accepted as an accurate record by those present.

3. Outstanding Actions from the Previous Minutes

3.1 The actions from the previous meeting were discussed.

Action 1505 Updated paper had been provided — this is a work in progress
but action considered completed

Action 1510 Nothing further, Susan Crichton to discuss with the
Communications Director outside of the meeting. Action closed

Action 1512 ExCo meeting now scheduled for 5th February, including Internal Audit, to review proposed risk management strategy for the year. An ExCo risk session to be arranged - Action Completed

Action 1516 Verbal update provided and feedback to be discussed as part of
agenda item — Action Completed


Action 1517 Action Completed

Action 1518 Agenda item — Action Completed

Action 1519 Action carried forward

Action 1520 Action carried forward

Action 1521 Verbal update provided. It was agreed that any reporting from
the Network Compliance Forum to the R&CC should be by exception and
that Malcolm Zack should attend the Network Compliance Forum - Action
Completed

Action 1522 Malcolm Zack to be invited to future Network Compliance Forums and any reporting from that forum to the R&CC to be by exception. (1522 - NT)

4. PCI Update

4.1 As requested at the last meeting Mark Pearce had provided a paper that identified the RAG status for PCI across all channels:

Horizon — Green
Paystation - Green
Post & Go - Green

RMG Call Centre - Red
MP stated RMG red status as RMG not planning to issue a remediation plan
until end of January 2013.

Products: Service Suppliers - Amber
MP confirmed amber status as work was currently 80% through the top 12 suppliers. Planned to complete by the end of February 2013.

e-Business Platform - Amber
MP stated amber status as it was not yet confirmed if Capgemini services were out of scope for PCI.

Homephone & Broadband - Green
MP stated there was a requirement for suppliers to be PCI compliant but not certified.

4.2 In summary it was agreed that Horizon certification had been achieved
which was noteworthy however there was still some work to be done in all of
the other areas.

Action 1523 Provide a summary paper identifying the issues relating to the RMG Call Centre and Capgemini services to assist with the escalation to the MSA Board. (1523 - MP)

Action 1524 PCI issues to be raised at next MSA Board. (1524 - SB)

5. Data Governance

5.1 Heather Bignell-Blye provided a paper over the need for a Privacy & Data Protection Governance structure, explained its recommendations, and that Susan Crichton was the sponsor for Data Governance in the Business.

5.2 The need for such a role was agreed but it was highlighted by Chris Day that this should be done in a way as not to increase overall head office costs.


5.2 It was agreed in the meeting that the development of Data Governance
and the appointment of a Head of Privacy should be aligned to and taken
forward within the scope of Project Javelin.

Action 1525 Progress establishing Data Governance and the appointment of Head of Privacy aligned to and within the scope of Project Javelin. (1525 - HBB/SC)

6. Audit & Risk Committee Update

6.1 Malcolm Zack provided a verbal update from the Audit & Risk Committee (ARC). He stated the Chair of the ARC had requested an update on the policies in place within Post Office Ltd, the availability of these policies and whether the Business was compliant with them.

Action 1526 Put together a proposal for the next R&CC for the management of policies within Post Office Ltd to ensure all policies are in place, available and that the Business is compliant against them. (1526 - MZ/NT)

Action 1527 Put together a response to the next available ARC, following the March R&CC meeting, identifying Post Office Ltd approach to the management of policies to ensure all are in place, available and that the Business is compliant against them. (1527 - MZ/NT)

7. Revised Risk & Compliance Committee Terms of Reference

7.1 The updated terms of reference together with Malcolm Zack’s paper relating to the linking of the ARC and the R&CC had been circulated in advance of the meeting. There was no further discussion and the meeting agreed the new terms of reference for the Risk & Compliance Committee.

8. Enterprise Risk Management Update

8.1 Nigel Tuppen explained that a new Risk Policy had been developed in
liaison with Internal Audit and this had been circulated for approval. This was
discussed and endorsed by the meeting and it was agreed that the policy be
submitted to the ARC for final sign off.

8.2 NT gave an update over ERM and stated that Strategy and Network &
Sales directorates had not yet fully identified their key risks and that the
overall process for identifying risks was still very “bottom up”. He stated this
should be resolved by planned session with the ExCo to discuss and review
key risks.

8.3 NT explained that there was an inconsistent approach to the use of the
project server programme management tool. He highlighted that some
programmes didn’t have any risks identified on this tool. He also stated that
the development of the interface between project server and the Stratex risk
tool was in progress at the technical build stage.

8.4 The Key Risks paper was reviewed and discussed. In particular there
was a discussion around identified key risks relating to information security
and the need for a progress update on this in next meeting.

Malcolm Zack highlighted the need to show the movement of the key risks for the next update meeting, and also to consider showing risks that have a high impact but low likelihood.

8.5 The Programme risks were discussed and MZ queried what had
happened to justify the downward movement identified on the heat map. It
was therefore agreed at the meeting that the SPMO should be invited to
attend the R&CC to provide an update on the Network Transformation
programme to explain key risks and their movement.


8.6 NT highlighted need for year-end report to be prepared, approved and
issued in readiness for end of year. Chris Day confirmed Sarah Hall would
pull this report together using the latest key risks identified by ExCo and the
Directorates. Agreed this should be ready by early to mid-April.

Action 1528 Risk Policy to be submitted to the next available ARC for final sign off. (1528 - SC/NT)

Action 1529 Movement of key risks to be shown in future ERM updates. (1529 - NT)

Action 1530 High impact and low likelihood risks to be shown within future risk reports to the R&CC. (1530 - NT)

Action 1531 SPMO to be invited to the next R&CC meeting to provide an update on the Network Transformation programme. (1531 - NT)

Action 1532 Year-end report to be prepared by mid-April using the latest key risks identified by ExCo and Directorates. (1532 - CD/SH)

Action 1533 Report on the key information security risks resulting from the Buffalo report to be provided to the next R&CC. (1533 - LS/SB)

9. Internal Controls Framework

9.1 Nigel Tuppen presented update and stated that a desk top status had now been completed for each of the areas within the framework following discussions with relevant management.

9.2 He confirmed that the next step was to perform further testing in each of
the areas but initially focusing on the areas specifically related to the end of
year assurance statements that are provided to clients. This would be
completed by the end of March 2013 and he also advised that he was liaising
with Internal Audit & Risk Management as it was planned for them to be
involved in some of the testing to be completed. Extended testing in the other
areas of the framework would be completed in Q1 of 2013/2014.

10. Business Continuity

10.1 Nigel Tuppen explained that a new Business Continuity Manager had recently started. He referred to the new Business Continuity Management (BCM) Policy that had been circulated for approval and asked if there were any questions or comments. There was nothing further and it was agreed that the new BCM policy be submitted to the next ARC for final sign off.

Action 1534 Business Continuity Management policy to be submitted to the next available ARC for final sign off. (1534 - SC/NT)

11. Any Other Business

11.1 There was nothing further raised.

12. Next Meeting

The next meeting of the Risk and Compliance Committee is scheduled to be held on 18th March 2013. Meeting to be held in the POL Boardroom from 13.30pm - 15.30pm.

13. Summary of Actions

Columns: Ref. | Action | Lead | Status

1519 - Enterprise Risk Management to be added to next Transformation Board agenda. Lead: Susan Barton. Status: Carried Forward.

1520 - Enterprise Risk Management and the identification of risks to be discussed at the next ExCo Strategy Refresh meeting. Lead: Susan Crichton / Susan Barton. Status: Carried Forward.

1522 - Malcolm Zack to be invited to future Network Compliance Forums and any reporting from that forum to the R&CC to be by exception. Lead: Nigel Tuppen. Status: New Action.

1523 - Provide a summary paper identifying the issues relating to the RMG Call Centre and Capgemini services to assist with the escalation to the MSA Board. Lead: Mark Pearce. Status: New Action.

1524 - PCI issues to be raised at next MSA Board. Lead: Simon Baker. Status: New Action.

1525 - Progress establishing Data Governance and the appointment of Head of Privacy aligned to and within the scope of Project Javelin. Lead: Heather Bignell-Blye / Susan Crichton. Status: New Action.

1526 - Put together a proposal for the next R&CC for the management of policies within Post Office Ltd to ensure all policies are in place, available and that the Business is compliant against them. Lead: Malcolm Zack / Nigel Tuppen. Status: New Action.

1527 - Put together a response to the next available ARC, following the March R&CC meeting, identifying Post Office Ltd approach to the management of policies to ensure all are in place, available and that the Business is compliant against them. Lead: Malcolm Zack / Nigel Tuppen. Status: New Action.

1528 - Risk Policy to be submitted to the next available ARC for final sign off. Lead: Susan Crichton / Nigel Tuppen. Status: New Action.

1529 - Movement of key risks to be shown in future ERM updates. Lead: Nigel Tuppen. Status: New Action.

1530 - High impact and low likelihood risks to be identified within future risk reports to the R&CC. Lead: Nigel Tuppen. Status: New Action.

1531 - SPMO to be invited to the next R&CC meeting to provide an update on the Network Transformation programme. Lead: Nigel Tuppen. Status: New Action.

1532 - Year-end report to be prepared by mid-April using the latest key risks identified by ExCo and Directorates. Lead: Chris Day / Sarah Hall. Status: New Action.

1533 - Report on the key information security risks resulting from the Buffalo report to be provided to the next R&CC. Lead: Lesley Sewell / Simon Baker. Status: New Action.

1534 - Business Continuity Management policy to be submitted to the next available ARC for final sign off. Lead: Susan Crichton / Nigel Tuppen. Status: New Action.
Speak Up Policy

The Post Office is committed to conducting business with the highest standards of honesty, integrity and openness where our colleagues feel able to raise concerns internally.

Main topic areas
• Policy statement
• Confidentiality and protection of workers
• Underpinning legislation
• When should concerns be raised?
• How should concerns be raised?
• How will concerns be dealt with?

Getting help
In the first instance, [queries about this] policy should be directed to your line manager. Line managers can obtain advice by contacting the MY HR Help Adviceline. Colleagues should call [telephone number not reproduced in the source]. Alternatively visit the My HR Help website.

The Post Office.V1 30/04/2012


Scope

This policy applies to all colleagues of the Post Office.
This policy is effective from 01 April 2012.

This policy does not form part of contracts of employment. We reserve the right to amend this policy from time to time.

Policy statement

The Speak Up Policy sets out the process by which workers, i.e. colleagues and others who are contracted to personally perform work on behalf of the Post Office, can raise concerns in confidence and if required, anonymously about serious malpractice in the organisation in the knowledge that concerns will be acknowledged and action taken where appropriate.

Any worker who raises a legitimate concern in good faith under this process will not in any way be liable to disciplinary action or loss of benefits, rights or prospects as a result of their action.

Disciplinary action may be taken against any worker who is shown to have used these procedures to make malicious or misleading allegations.

Confidentiality and protection of workers

Confidentiality is not the same as anonymity. Workers who raise concerns are sometimes understandably concerned about their position, and may wish to remain anonymous.

However, it is often difficult to conduct an effective investigation without being able to discuss it fully with the person who raised the concern. The helpline staff will ask callers if they are willing to provide a contact name and number, but callers do not need to provide contact details.

Although the business will attempt to investigate anonymously raised concerns wherever possible, practical difficulties may prevent investigations from being undertaken in certain cases.

Underpinning legislation

Workers are protected by the Public Interest Disclosure Act (PIDA), which provides workers with the right not to suffer any detriment or dismissal by the employer if they raise a concern which qualifies as a protected disclosure.

PIDA identifies protected disclosures as those which are made in good faith and are reasonably thought to show one or more of the following:

• That a criminal offence has been committed, is being committed or is likely to be committed
• That a person has failed, is failing or is likely to fail to comply with any legal obligation to which he/she is subject
• That a miscarriage of justice has occurred, is occurring or is likely to occur
• That the health or safety of any individual has been, is being or is likely to be at risk

• That the environment has been, is being or is likely to be damaged; or
• That information about any of the above matters is being or is likely to be deliberately concealed

A disclosure will not qualify as protected if the person making the disclosure commits an offence by making it.

When should concerns be raised?

Workers should raise a concern if they are aware of, or suspect, wrongdoing which affects others (e.g. customers, members of the public, colleagues or the Post Office).

Some examples of situations where a worker may raise a concern are:
• Fraud
• Giving or taking of bribes
• Financial malpractice
• Misreporting
• Practices that might put individuals or the environment at risk

How should concerns be raised?

In the first instance workers should raise concerns with their line manager, or a senior HR manager in the Post Office. They will either act on the information given to them, or pass it to the relevant person who can deal with it.

It is recognised that sometimes raising a concern directly with the business will not be possible, for example, if the worker considers that the line management may be involved in the issue or if they have a concern about confidentiality.

In such instances workers should contact the “Speak Up” confidential reporting line, which is run by InTouch MCS Ltd, an independent company. Access to the reporting line can be made by phone or via an on-line web service. InTouch will treat concerns in complete confidence and the worker does not have to provide contact details.

The worker will be requested to provide information about their concern, for example the history of the concern, relevant individuals and the reason why they are particularly concerned about the situation.

There is no requirement to provide contact details. However, not providing details may reduce the business’ ability to make a thorough investigation into the concerns raised. All calls to the Speak Up line will be acknowledged within five working days.

How will concerns be dealt with?

Details of the concern raised will be forwarded to the Post Office who will act on it in the most appropriate way. Any resulting investigations will be made by people with appropriate authority who have the technical and professional knowledge needed for the particular case.

It is possible that the business may wish to directly contact the worker to request additional information. This will be done only where the worker has given express consent and are happy for a representative from the Post Office to

speak directly to them. In all cases the individual's concern will be treated sensitively and in confidence.

Where concerns about serious malpractice are raised through other routes, such as other business helpdesks, and the concern would appear to be sufficiently serious to be covered by the Public Interest Disclosure Act, this should be investigated and managed in line with this policy.

Investigation outcome

The Post Office does not have to inform a worker who raises a concern of the outcome of any investigation and in some cases the Post Office may need to protect confidentiality or rights of other individuals and workers. However, the Post Office may provide an update on progress where this is deemed appropriate.

Responsibilities

Executive Team
• Approval of the Speak Up Policy
• Ensuring that resources are made available within the Post Office as required

Risk and Compliance Team
• The development and maintenance of the Speak Up Policy
• The development and maintenance of the framework and associated high level processes
• Coordinating the receipt of cases from the Post Office’s helpline provider and reporting back on progress and outcomes
• Reporting incidents and outcomes to the Audit and Risk Committee and to CEC
• Chairing a working group consisting of the subject matter experts, to ensure that serious claims are effectively investigated
• Contractual management of the 3rd party helpline provider

Where to go for more information

Speak Up (whistleblowing)

To report a concern:
• Telephone [number not reproduced in the source] and choose to either speak to an operator, or leave a voicemail message
• Alternatively leave a message using the confidential on-line web based service using www.intouchfeedback.com/royalmail

If clarification is required as to whether or not a claim raised [is] relevant to the Speak Up Policy, email riskandcomplianc[...] or contact the Risk and Compliance team.

Bullying & Harassment Helpline
A free helpline, operated by an independent company, to offer confidential advice relating to bullying or harassment concerns: [number not reproduced in the source]

Grapevine
To report a [concern] about a crime relating to the Post Office:
Telephone: [number not reproduced in the source]

Forms: There are no forms relevant to this policy.

Related documents: There are no related documents to this policy.
2. Risk Management within Post Office Limited

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE

Confidential

Risk Management Strategy 2013-2014

1. Purpose

The purpose of this paper is to:

1.1 Inform the committee on the current status of the Enterprise Risk Management (ERM) framework in Post Office Limited.

1.2 Request that the Committee approves the next stage of the ERM development approved by the Executive Committee as explained in the Executive Committee paper which follows.

2. Background

2.1 ERM has been implemented by the Post Office Risk and Compliance function during 2012. It has gathered risks using a bottom up method. It now needs a top down view from the Executive Committee and a structured plan for the next stage of its development.

3. Current Situation and Summary of Action Needed.

3.1 Stage 1 - To commence February 2013
   Draft and approve Risk Management Policy
   Confirm Governance of the Risk Management Framework
   Appoint the new Head of Risk

3.2 Stage 2 - Commence April 2013
   Establish Executive Committee top level business wide view of risk
   Directorate level risk assessment
   Communicate with Senior Leadership Team
   Regular Risk reviews
   Define Risk Appetite and Risk Tolerance
   Develop the Business Controls Framework

3.3 Stage 3 - January 2014 onwards
   Develop next stage of strategy
   Refine techniques
   Establish ongoing auditing of risk management frameworks

4. Recommendations

The Audit, Risk and Compliance Committee is asked to approve the next stage of the ERM development.

ARC Risk Management Strategy 2013-14    Malcolm Zack — Head of Internal Audit    13 February 2013

Confidential - Draft for discussion Ver 2.0

POST OFFICE LTD EXECUTIVE COMMITTEE

Risk Management Strategy 2013-2014

1. Purpose
The purpose of this paper is to:

1.1 Inform the committee on the current status of the Enterprise Risk Management
(ERM) framework in Post Office Limited.

1.2 Request that the Committee approves and visibly leads the next stage of the
ERM development.

1.3 Recommend approval to the Board.

2. Background

2.1 ERM has been implemented by the Post Office Risk and Compliance function
during 2012. The business has nominated risk champions and risk coordinators
in each Directorate and commenced transferring information from spreadsheet-
based risk registers into a dedicated software tool called “Stratex”.

2.2 The approach has built detailed information around risks to business objectives.
The “bottom up” approach has been moderated and used to inform the Risk and
Compliance Committee of the top risks that could potentially impact the
organisation.

2.3 The Risk and Compliance team has drafted a risk policy and is building a
business controls framework.
3. Current Situation and Action Needed.

3.1 The output from Stratex provides a partial view of top risks but now needs to be complemented by a top down view from senior executives.

3.2 The Executive Committee to support the ERM approach and apply it across the
business. The approach will need to:

• Be proportionate to the current risk maturity of the organisation.
• Recognise the different risk profiles in each Directorate.
• Be scalable and grow with the business as it develops over the next few years.

3.3 The Executive Committee to provide the strategic top down input to the risk
framework and to fully endorse the risk management policy.

Risk Management Strategy    Malcolm Zack — Head of Internal Audit    Page 1 of 4    February 5th 2013

4. Plan

Stage 1 - Target 31st March 2013

4.1 The Risk and Compliance function will draft a Risk Management Policy to apply across the organisation.

4.2 The Executive Committee will review and approve the policy and recommend its approval by the Board.

4.2 Confirm the Governance Structure of the Risk Management Framework

• Agree the position, relationship and relative risk responsibilities of the Audit and Risk Committee (ARC) and the Risk and Compliance Committee (R&CC). (Refer to Appendix 1)
   o The R&CC will report its activity and highlight key risks and issues to the upcoming ARC.
   o The R&CC will notify the ExCo of key risks and issues for its attention.
   o The R&CC will invite Directorates to present their current views of risk.
   o The ARC may also invite Directorates to present and will review the overall ExCo view of risk.
• The R&CC will finalise the Terms of Reference for the R&CC and primary content of meetings.
• Agree the linkage between Head of Internal Audit and Head of Risk.

4.3 Appoint the new permanent Head of Risk.

4.4 Strengthen the risk management framework.
• Identify and assess risks using risk mapping.
• Improve the Action planning with clear dates and ownership.
• Improve the monitoring and reporting of progress of actions using the ERM Stratex tool.
• Share results of Directorate Risk reviews at ExCo meetings.

4.5 The Executive Committee to establish its top level business wide view of risk.
• Identify and assess the top 15-20 risks to achieving the strategic objectives.
• Create first Executive “Board Level” Risk Map.
• Create the initial action plan.
• Assign ExCo members to each risk and action plan.
• Assign an ExCo member to present first draft to the ARC (possibly April) or to the Board.
• Agree to review and update the ExCo risk map and action plans each quarter.

Stage 2 - Target to complete December 31st 2013

4.6 Commence integration to next level.
• Share the ExCo Risk map with the SLT and risk champions

• Implement in Directorates using workshop and risk map approach

4.7 In each Directorate - Flow down the top risks from the Executive
• Identify which ones the business unit under review links to.
• Identify own top risks related to own top objectives.
• Identify if there are risks at this level that should be promoted upwards.

4.8 Refine the library of risk maps, action plans and provide input to the Stratex tool.
• Quarterly each Directorate will review its risks and input to the ERM tool.

e Improve the quality of Directorate review of business risks at the Risk and
Compliance Committee and/or ARC where appropriate.

¢ The Transformation Board will review and manage the risks and
interdependences of the Transformation Programme

4.9 Alongside risk map roll out:

• Work with the Executive Committee to define the company's risk appetite
  and risk tolerance concepts to be ratified by the Board. (Head of Risk)
• Review Stratex model and populate with output from risk workshops
  (ongoing — Head of Risk to lead).
• Develop the Business Controls Framework which supports the
  management of risk.
• Track risks arising from results of audits (internal, external) and input
  these into the risk management framework.
• Develop workshop material and training where needed.

4.10 The Executive Committee will start its quarterly reviews and update the ARC or
Board, explaining movements in the key risks and highlighting new ones.

Stage 3 — January 2014 onwards
• Develop the next stage of strategy. (Head of Risk)
• Assess status, benchmark, and consider a longer term move towards
  recognised ISO risk management standards. (Head of Risk)
• Identify if some Directorates require more sophisticated techniques (e.g.
  Financial Services). (Head of Risk)
• Establish ongoing auditing of the risk management framework and provide
  advice/support where required. (Head of Internal Audit)
5. Recommendations

The Executive Committee is asked to:

5.1 Approve and visibly support the next stage of the ERM development.

5.2 Recommend approval to the Board.

Susan Crichton
5th February 2013

Appendix 1

Confidential - Draft for discussion Ver 2.0

Risk governance structure (diagram, reconstructed as text):

Board
  Receives the Audit Committee Chairman's report (periodic).

Audit and Risk Committee
  Oversees:
  • System of Financial and Operational control
  • Reporting Practices and Disclosure
  • Oversight of risk management framework employed by the business
  • Give direction to Internal Audit / External Audit
  Meets at least 4 times a year.
  Inputs to the Committee:
  • Financial Matters
  • Internal Audit
  • External Audit
  • Board referred Risk Issues for the Audit Committee
  • Summaries of audit work done by business areas (e.g. Branch / Supply Chain audit teams)
  • Fraud risk
  • Ethics and code of conduct
  • ExCo risk presentations

Risk and Compliance Committee
  Oversees identification, assessment of risks and management of risks:
  • Risk Management Framework
  • Risk Policy
  • Risk Appetite
  • Risk Acceptance
  Meets at least 4 times a year, 3-4 weeks prior to ARC.
  Report to the Audit and Risk Committee (each meeting):
  • Summary of Activity
  • Risk Highlights for Audit Committee attention
  • Key risk maps
  Report to ExCo:
  • Key highlights to ExCo where required (e.g. Reputational Risk)
  Reviewed each meeting:
  • Status of Strategic risk
  • Risk & Compliance Activity
  • Status of Risk Management Framework
  • 3rd Party Risk and Compliance Activities
  Inputs (periodic):
  • Directorate risk review assessments and presentations
  • Transformation Board: Risks of Transformation Programme
  • Risk highlights from Internal Audit

Ongoing through the year: Directorates identify, assess and manage their risks.
POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE

Regulatory Risk Framework & Controls

Confidential

1. Purpose

The purpose of this paper is to:

1.1 provide the Committee with an oversight of the regulatory landscape in which Post
Office operates;

1.2 describe the control framework that exists in Post Office to manage this;

1.3 provide the committee with a view of actions in place to address any identified gaps
in the framework; and

1.4 gain the committee's approval to the proposal for review of the control framework.

2. Background

2.1 Prior to separation, Post Office largely relied on Royal Mail Group to set the
framework for managing regulatory risk. As an independent company, it is necessary
that Post Office has in place its own arrangements.

3. Activity to date

3.1 A refresh of the regulatory landscape (originally documented in 2004) has been
carried out to reflect current legislation, regulation and applicable codes of practice.
This has been validated and augmented by Bond Pearce LLP.

3.2 A desktop exercise has been carried out to identify:
• The impact of the regulation on each directorate;
• The primary owner of policy for this regulation;
• The accountable ExCo member;
• Monitoring and assurance controls in place to assure compliance with the
  regulation.

3.3 The impact, likelihood and aggregate risk for each regulation has been assessed
and the risks have been prioritised on this basis.

3.4 The complete landscape can be seen in the associated spreadsheet 'filename?'

3.5 The individual ExCo members have endorsed the outputs from this exercise.

Regulatory Risk Framework & Controls, Susan Crichton, 6th February 2013. Page 1 of 2
4. Outputs

4.1 As a result of the above activity, the following list of high regulatory risks has been
established for Post Office:

Regulatory risk: Significant loss of customer data by Post Office
  Policy Owner: Martin Moran
  Directorate: Commercial
  Policy: Data Protection Policy
  Assurance: Annual training

Regulatory risk: Significant loss of customer data by 3rd party supplier
  Policy Owner: Lesley Sewell
  Directorate: Strategy (inc IT & Change)
  Policy: Data Protection Policy
  Assurance: Supplier contracts; Audit & inspection programme

4.2 There are no policy or assurance gaps associated with the identified significant risks.

4.3 The full framework of regulatory risks can be found in the associated spreadsheet:
'Reg framework — list of applicable regulations'

4.4 Where a gap exists in the control framework for other risks, the accountable ExCo
member has commissioned an action plan to address this within the next 6 months.

5. Proposals

5.1 It is proposed that the Risk & Compliance Team will maintain the regulatory
landscape document in its new format.

5.2 It is proposed that the current status of controls will be maintained through the
Internal Control Framework, with a report produced which will form the basis of
regular monitoring by control owners with oversight provided by the Risk &
Compliance Team.

5.3 It is proposed that a summary scorecard will be developed by the Risk & Compliance
Team with a quarterly summary provided to the Risk & Compliance Committee.

6. Recommendations

The Committee is asked to:

6.1 Confirm that the regulatory framework identified is comprehensive;
6.2 Agree that the controls in place are adequate to manage the significant risks
identified;
6.3 Endorse the approach to monitoring; and
6.4 Agree that the ARC should review the scorecard and landscape annually.
Susan Crichton
6th February 2013
Confidential

POST OFFICE LIMITED AUDIT, RISK AND COMPLIANCE COMMITTEE

Treasury Risk Management: Framework, Policies and Authorities

1 Purpose

The purpose of this paper is to:

1.1 Provide the Committee with an overview of the treasury risks to which the Post
Office is exposed;

1.2 Describe the actions that are taken to mitigate these risks;

1.3 Propose a framework of treasury policies and procedures to identify, manage
and control treasury risks, including:
    • The associated authorities and limits.
    • The governance and reporting mechanisms.

1.4 Gain approval for the framework, policies and authorities such that the
Committee recommends to the Post Office board the adoption of this
framework, policies and authorities.

2 Background

2.1 On the 26th March 2012, Post Office Limited took control of its own treasury
activities from Royal Mail, but to maintain continuity and to de-risk the transfer,
retained the same approach and investment limits that had been applied within
Royal Mail treasury. There have been no breaches of these policies.

2.2 A review of treasury risks of Post Office Limited has now been carried out and
Post Office has developed its own treasury policies. This paper:
    • Recommends an overall approach to treasury risk management;
    • Describes the principal risks the Post Office is exposed to;
    • Based on the above two points, proposes a treasury management
      framework, which sets out the procedures to identify, manage and
      control treasury risks.

2.3 The new framework, policies and authorities will be in place by 31st March 2013.

Treasury Risk Management: Framework, Policies and Authorities. Chris Day, January 2013. Page 1 of 24
3 Treasury Risk Management Approach

3.1 The key principle of Post Office's treasury risk management is to minimise risk
by taking a cautious approach. As appropriate, and without compromising this
key principle, the most cost-effective solutions are sought.

3.2 The treasury management framework has therefore been designed to:
    • protect financial asset values.
    • minimise income statement volatility.
    • ensure the Post Office can meet its financial obligations as they fall due
      via appropriate short term liquidity management.
    • set out an appropriate capital structure and secure long term funding to
      meet overall business objectives and shareholder return requirements.

3.3 The key areas of risk that treasury manages to protect asset values and
minimise income statement volatility are:
    • Foreign exchange risk - arises from the holding of currency balances in
      the network and cash centres to meet "on demand" requirements from
      customers.
    • Commodity risk - arises from the movements in the price of diesel, gas
      and electricity used throughout the business.
    • Interest rate risk - adverse movements in interest rates will negatively
      impact the cost of funding.
    • Insurance risk - Post Office has appropriate and adequate insurance
      programmes in place to cover material loss categories at optimal cost.
    • Adverse movements in asset values and income statement volatility are
      also created via counterparty exposures as a result of treasury and
      commercial activity.

3.4 Short term liquidity management objectives are met as follows:

The Post Office has access to a £1.15bn working capital facility provided by the
Department of Business, Innovation and Skills (BIS). Funding requirements
must be notified to BIS 2 days in advance. Forecasting variances may lead to a
shortfall between the amount drawn down and the actual amount required. The
strategy to mitigate the risk of a shortfall between notified and actual funding
requirements is to hold a liquid investment reserve of £50m and to have
uncommitted facilities of £50m available for drawdown.¹

In addition, Post Office is a member of the Bank of England (B of E) Notes
Circulation Scheme. The scheme allows the Post Office to declare and
notionally "deposit" cash with B of E, reducing the Post Office's funding
requirement on a daily / overnight basis. The operation of the scheme requires
the provision of collateral facilities to B of E. These are currently provided by
RBS and total £550m, split £350m intraday facility and £200m overnight facility.

¹ Note - As facilities are uncommitted, they may not always be available for drawdown. Actual facilities
in place are £80m but drawdown is limited to £50m per working capital agreement with Department of
Business, Innovation and Skills.

3.5 Long term funding is managed through on-going dialogue with Government, to
ensure an appropriate capital structure and / or long term funding is in place
over a 3-5 year time horizon. Currently, Post Office is in year one of a three year
funding plan which has been agreed with Government. This provides the
following:

    • Funding of £410m in FY 2012/13.
    • Funding of £415m in FY 2013/14.
    • Funding of £330m in FY 2014/15.
    • Working capital facility of £1.15bn expiring on 31st March 2016.

4 Recommendation

The Committee is asked to:

• Acknowledge the treasury risks to which the Post Office is exposed.
• Recommend the proposed framework of treasury policies and procedures to
  the Post Office Limited Board, including:
    • The governance and reporting mechanisms.
    • The associated approvals and limits.
5 Treasury Risks

5.1 The principal treasury risks to which the Post Office is exposed are described in
this section with recommendations as to how each risk should be managed.

5.2 Foreign Exchange Risk

Nature of Risk

Post Office foreign exchange risk principally arises from the holding of currency
balances in the network and cash centres to meet "on demand" requirements
from customers.² All currencies are purchased from FRES. The risk arises
from the time of purchase from FRES to the sale of currency to the customer. The size
of balances on hand is determined by historic demand.

² Pre-order and online sale of currency is transacted via the Post Office JV with FRES.

Size of Risk

Post Office holds balances in 72 currencies. On average, currency holdings are
approximately £58m but can peak at over £100m during holiday periods. EUR
and USD comprise over 80% of the total balance as illustrated in the table
below.

A more detailed analysis by currency is shown in appendix 1.

Applying a policy of hedging 90% of each currency balance over £0.5m (as
described in 7.2), leaving 10% of the balance unhedged and not hedging
balances below £0.5m, the "expected" gain / loss in the income statement
would be approximately +/- £0.86m based on actual currency volatility over
the last 12 months.

Foreign Exchange Risk Management Recommendation

• Up to 90% of the average forecast holding 1 month forward for all
  balances over £1m will be hedged where an active FX market exists.
• Hedging of forecast average holdings 1 month forward between £0.5m and
  £1m is at the discretion of the Head of Corporate Finance. Hedges will
  be up to 90% of the forecast holding 1 month forward where an active
  FX market exists.
• Forecast average holdings 1 month forward below £0.5m will not be
  hedged.

5.3 Commodity Risk

Nature of Risk

Post Office is exposed to movements in the price of diesel, gas and electricity
used throughout the business.

Size of Risk

The annual expenditure on commodities is approximately £8m split as follows:
diesel, £3m, gas, £3m and electricity £2m. Historically, Post Office commodity
volumes have been included within the Royal Mail hedging program and it is
intended to continue with this arrangement.

The size of annual expenditure is relatively small for Post Office Limited and
hedging of commodity exposures at these volumes would not be economic on a
standalone basis. Royal Mail has much larger exposures to these commodity
types and operates a comprehensive 3 year rolling commodity hedging program
to provide financial planning certainty for future financial years. Post Office
volumes comprise the following approximate percentages of the total hedged by
Royal Mail: diesel 2%, gas 9%, electricity 9%.

As Post Office is a small participant in the overall commodity hedging program
and the values are relatively immaterial for the Post Office, Royal Mail policies
and targets have been reviewed and are considered appropriate for adoption by
Post Office.

Current hedge position for future years

The table below summarises the current hedge position across all commodities.
For FY2013/14 forecast requirements are fully hedged, FY2014/15 is 80%
hedged and FY2015/16 is 25% hedged.

Table: current hedge position by commodity. Columns cover FY2013/14, FY2014/15 and
FY2015/16, each broken down by quarter (Apr-Jun, Jul-Sep, Oct-Dec, Jan-Mar) with the
completed hedge percentage per quarter and the average hedge percentage per year;
individual figures are not legible in this extraction.

* Discretionary trades to enhance the next quarter's volumes will be allowed.
Commodity Risk Management Recommendation

• Continue to participate in the current commodity hedging programmes
  with Royal Mail.

5.4 Interest Rate Risk

Nature of Risk

Adverse movements in interest rates will negatively impact the Post Office's cost
of funding.

Post Office funding is via a £1.15bn floating rate working capital facility from BIS
maturing in 2016. Interest is calculated at LIBOR + 0.5%. Post Office earns
commission (credited to revenue) at a rate of LIBOR - 0.125% on the balances
of benefit payments held by JP Morgan. This arrangement expires in 2015 with
an option to extend for a further 2 years. In general, the refund of benefit
payments is at least equal to the Post Office borrowing requirement as the
balances are considerably larger than the facility. The commission (interest)
receivable on benefit refunds creates a natural hedge against the interest
payable on the working capital facility.
Size of Exposure

The net interest expense is shown below. Note, this is net interest payable and
excludes the commission discussed above.

£m               FY 2011/12 Actual   FY 2012/13 Budget   FY 2012/13 YTD Actual
Net Interest     6                   8                   3

Interest Rate Risk Management Recommendation

• Continue to utilise the "natural hedge" offset opportunity provided
  through LIBOR based floating rate interest payable on the working
  capital facility and LIBOR based interest receivable on the refund of
  benefits paid on behalf of government.

5.5 Insurance Risk

Nature of Risk

Post Office faces the following insurable risks: crime, property / business
interruption, employers' and public liability, motor, directors' and officers' and
personal accident. Post Office has appropriate and adequate insurance
programmes in place to cover these material loss categories at optimal cost.

Programme summary

Table: limit, deductible, insurer and premium by class of cover (crime, property /
business interruption, employers' and public liability, motor, directors' and
officers', personal accident). Only fragments are legible in this extraction: limits
of £50m on the larger classes; deductibles of £250 each and every loss for EL & PL
and £250 each and every loss for motor; insurers include Liberty, Lloyd's and
Zurich; total net premium £1,634,463.

Directors' and officers' liability remains a shared policy with Royal Mail Group.

Insurance Risk Management Recommendation

• Current programme executed in October 2012. No changes required.
5.6 Counterparty Risk

Summary

Post Office Limited exposure to financial counterparties³ primarily results from
the following transaction types:

• Individual contracts to support Post Office financial services
  activity. Exposure is primarily generated through the clearing of debit
  card and cheque receipts, processing of benefit payments and
  collections associated with ATM withdrawals. Total exposure approx.
  £420m.

• Corporate banking and Treasury activity. Principally investment of
  surplus funds (covered in the Short term Liquidity Management section
  5.7 below) and settlement processing. Total exposure approx. £220m.

• Over the counter cash transaction services. Withdrawals via the
  Post Office branch network for retail banking customers. This creates
  exposures equal to the amount paid out by the Post Office on behalf of
  the bank and the commission due for providing this service to each bank.
  Total exposure approx. £40m.

Exposures by transaction type are summarised below:

Chart: Counterparty Exposure by Transaction Type (£m). Bar chart with the
categories Benefits Reimbursed, Sale of bank notes, ATM clearing, Debit card
clearing, Cheque clearing, Money Market Funds, Deposits, Corporate Banking,
Commissions receivable and Payments reimbursed, each classified as an
individual contract exposure, a Treasury exposure or an over the counter
exposure (scale 0 to £200m; bar values not legible in this extraction).

Exposures by transaction type and counterparty are detailed in appendix 2.

³ POL also has very short term corporate counterparty exposures resulting from cash distribution
activity. This exposure is outside the scope of this paper.


Post Office Counterparties

The counterparty population supporting Post Office financial activity is shown in
the graph below. Where a counterparty is shown with a £nil exposure this is
because the Post Office always has a net payable position to that counterparty.

Chart: Maximum Net Exposure by Counterparty (£m). Bar chart (scale 0 to £180m;
bar values not legible in this extraction). Counterparties shown include SWIP,
Santander, RBS MMF, RBS, NS&I, Nationwide, NAB - Clydesdale, NAB - Yorkshire,
Moneygram, Lloyds/HBOS, INVESCO, IGNIS, Global Payments, HSBC, Co-op,
Link / BOI (ATMs) and Bank of Ireland.

The largest exposures are generated by clearing activity (cheques, debit cards,
ATMs), reimbursement for the settlement of benefits and investment of surplus
funds via money market deposits.

A full list of financial counterparties and net exposures is shown in appendix 3
with activity by counterparty shown in appendix 4.

Counterparty strategy and principles

• Over the counter. Continue to grow counterparties for this commercial
  offering subject to appropriate counterparty credit checks.
• Consolidate corporate banking services into a smaller number of service
  providers.
• Maintain banking relationships required for geographic purposes (i.e.
  Bank of Ireland and Clydesdale).
• Ensure sufficient investment funds are available to diversify risk.
• Head of Corporate Finance to approve counterparty selection for all
  contracts involving financial institutions (except the appointment of new
  over the counter customers).

• Counterparty selection will consider the risk arising from existing
  exposures to a particular counterparty when contracts are renewed /
  awarded, including the appointment of new over the counter customers.

5.7 Short term Liquidity Management

Nature of Risk

Funds in excess of daily / short term liquidity requirements are deposited with
financial institutions. A combination of money market funds and bank deposit
accounts are used to manage this, together with the DMO (UK Debt Management
Office). Investment of funds creates an exposure to financial counterparties.

Size of Exposure

The Post Office will receive a second tranche of funding of £415m in April 2013
from the government. This together with daily and seasonal cash flow variation
is likely to lead to a significant cash surplus, potentially above £500m during H1
FY 2013/14. This situation is likely to be repeated in H1 FY 2014/15. The current
number of counterparties and limits will not be sufficient to allow all surplus cash
to be deposited. Credit limits by investment type / category will be increased to
accommodate the additional inflow of funds. These proposed new limits are
detailed below. The Treasury and Financial Services Committee (see section
6.1) will be updated on a regular basis and will recommend changes as
appropriate.

Investment type / counterparty                  Current limit (£m)   Proposed limit (£m)

Money market funds (corporate / institutional):
  IGNIS                                         30                   30
  INVESCO                                       30                   30
  RBS MMF - Institutional                       50                   30
  SWIP Investments                              100                  50
  Blackrock                                     50                   50
  Unallocated                                   0                    60
  Total                                                              250

Money market funds (Government stock / gilts):
  Unallocated MMF Govt stk / gilts              0                    150
  Total                                                              150

Bank deposits:
  Barclays - FIBCA                              30                   30

DMO Govt Deposit                                Unlimited            Unlimited

Short Term Liquidity Management strategy and principles

• Deposits with money market funds which invest in corporate /
  institutional funds limited to £250m in total. Exposure to new
  counterparties will be capped at £30m per counterparty.

• Deposits with money market funds investing in Government stock limited
  to £150m in total. Investments in individual funds to be capped at £50m.

• Where a single counterparty has segregated institutional funds and
  government stock funds, investments can be made in both funds subject
  to the limits above.

• Deposits with banks limited to £30m per banking group. The number of
  bank counterparties will remain flexible to provide additional investment
  capacity.

• Where possible, align investment activity with other financial activity with
  the same counterparty but without creating additional risk, e.g. use of a
  money market fund from a corporate banking counterparty, such as the RBS
  corporate bank account and the RBS money market fund (ensuring risks are
  independent).

• Maintain sufficient funds to ensure diversification of risk.
6 Treasury Risk Management Framework: Governance and Reporting

The following structures are recommended to govern and report on treasury risks

6.1 Treasury Risk Governance
Treasury risks are governed through the following structures:

Post Office Board: Authority to approve policies and approval limits relating to
treasury risk management resides with the Board. Treasury risk management
includes but is not limited to the following: foreign exchange, commodity,
insurance, interest rate, short term liquidity management, long term funding /
borrowing and counterparty. The board will delegate authorities to facilitate the
operation of treasury risk management and the daily operation of the treasury
function as detailed in section 6 and 7 of this document.

Audit, Risk and Compliance Committee: Financial risk management policies
and approval limits are recommended to the Board for approval by the Audit
Committee.

Treasury and financial services committee: The treasury and financial
services committee meets on a quarterly basis to review financial risks, report
on and recommend changes to policy to the audit committee as required. The
treasury and financial services committee composition includes: CFO, Head of
Corporate Finance, Treasurer.

The Board has delegated the following specified authorities to the CFO and
Head of Corporate Finance (HofCF). Treasury reports to the HofCF.

CFO
  Authorities:
  • Approval of investment instrument limits
  • Approval of counterparty selection criteria
  • Approval of counterparty limits

Head of Corporate Finance
  Authorities:
  • Approval of counterparties
  • Approval of counterparty limits within the approved investment
    instrument limits

Daily operation of treasury activity is delegated to the following panels:


Treasury Authorisation Panel
- Members appointed by: Head of Corporate Finance
- Authorities: Investment and borrowing approval
- Current composition: Charles Colquhoun, Louise Fairhurst, Ruth Pearson, Carl Nielsen, Lorraine Finnie, Andrew Smith

Dealing Panel
- Members appointed by: Head of Corporate Finance
- Activities: Execution of approved daily investment / borrowing transactions
- Current composition: Andrew Ashsall, Martin Knights, Ryan Skidmore, Louise Fairhurst, Ruth Pearson

Banking Control Panel (BCP)
- Members appointed by: CFO together with any one BCP member
- Authorities: Opening and closing bank accounts; maintenance of bank mandates. Exclusions: authorisation of payment instructions
- Current composition: Mark Wood, Sue Oxley, Dawn Brooks, Alison Bolsover
- Opening and closing of bank accounts: any two signatures from BCP, or a POL director or company secretary, following prior approval from the POL Treasurer
- Other banking instructions (other than payment instructions): any one member of BCP, or a POL director or the company secretary

Banking Authorisation Panel
- Members appointed by: Any one member of BCP
- Activities: Authorisation of payment instructions

Payment Panel
- Members appointed by: Any one member of BCP
- Activities: Release of payments to bank
- Limits: <£50k - any one payment panel member; >£50k - any two payment panel members

POL00423141
6.2 Treasury Risk Management Reporting
Policy breaches will be immediately reported to the CFO.

The Treasury and Financial Services report will be produced on a quarterly basis.
The contents of the report will include: foreign exchange risk management,
interest rate risk management, commodity risk management, counterparty
exposures, long term funding update and short term liquidity management,
together with any policy changes required and a review of any policy breaches.

The Treasury and Financial Services Committee will meet on a quarterly basis. It
will review the Treasury and Financial Services report and consider any other
treasury risk management issues as required. The committee will be scheduled
such that at half year and full year the Treasury and Financial Services report will
be forwarded to the Audit Committee. The Audit Committee will receive a bi-annual
update on treasury risk and activity as a result of this.

7 Financial Risk Management Framework: Policies & Authorities

The following treasury policies and authorities are recommended to manage the treasury
risks that have been identified:

7.1 Short term Liquidity Management / Investment Risk

Risk Management Objective
Ensure the security of funds invested. Minimise investment exposure to
individual financial counterparties via use of appropriate instruments, i.e. Money
Market Funds (MMF). Diversify MMF risk over a number of counterparties.
Corporate deposits are used for investment of late advised funds and un-forecasted
outflows.

Investment Risk Management Policies
Investment is only allowed in sterling denominated funds / accounts.
a) Money Market Funds:
- The fund must be AAA rated.
- The Post Office proportion of the total fund managed must not be greater than 10% of the total fund.
- Funds must have a stable or accumulating net assets value with daily liquidity.
b) Bank deposits:
- Bank must have a long term credit rating of at least single A.
- Bank must be a member of CHAPS (a list of CHAPS banks is attached in appendix 5).

Authorities
- Only treasury is authorised to invest surplus funds.
- CFO is authorised to approve counterparty limits.
- CFO is authorised to approve investment instruments.
- Head of Corporate Finance is authorised to approve counterparties.
Maturity and investment limits are as shown below (authority to approve investments, by amount and maturity):
- <£300m, maturity up to 1 month: Treasury Authorisation panel
- <£100m, maturity up to 3 months: Treasury Authorisation panel
- <£50m, maturity up to 6 months: Treasury Authorisation panel
- <£300m, maturity up to 1 year: Head of Corporate Finance (*)
- <£50m, maturity over 1 year: CFO and other board member (cell partly illegible in source)
- >£50m, maturity over 1 year: POL board

(*) Head of Corporate Finance is also authorised to invest with a maturity of up to 5 years for the purpose of providing collateral for the notes circulation scheme.

7.2 Foreign Exchange Risk

Risk Management Objective

Minimise the impact on the income statement of movements in foreign exchange
rates on currency balances held to satisfy “on demand” transactions by
customers.

FX Risk Management Policies

- Up to 90% of the average forecast holding 1 month forward for all balances over £1m will be hedged where an active FX market exists.
- Hedging of forecast average holdings 1 month forward between £0.5m - £1m is at the discretion of the Head of Corporate Finance. Hedges will be up to 90% of the forecast holding 1 month forward where an active FX market exists.
- Forecast average holdings 1 month forward below £0.5m will not be hedged.
- The maximum maturity of financial instruments used to hedge foreign exchange exposures will be 6 weeks.
- Foreign currency balances can only be hedged using foreign currency forwards and swaps.
- FX hedging instruments can only be used to hedge exposures generated by holding currencies to meet "on demand" transactions by customers.

Authorities

- Only Treasury is permitted to transact hedges to protect against foreign currency movements.
- The Chief Financial Officer is authorised to amend the list of approved FX hedging instruments.
- The Head of Corporate Finance is authorised to approve financial counterparties for hedging.

- The Head of Corporate Finance is authorised to determine the currencies to be hedged.
- Transactions to hedge exposures not created by currency holdings to meet on demand requirements must be approved by the CFO, up to £50m, and by the Post Office board above £50m.

Accounting for Foreign Exchange instruments used to hedge On demand
Exposures

Exchange gains and losses on currency balances together with gains and losses
resulting from revaluing associated hedges will be recognised in the income
statement as and when they occur. Hedge accounting and the designation of
hedging instruments to underlying exposures will not be undertaken due to the
short duration of the hedges.

7.3 Commodities Risk

Risk Management Objective

Minimise the impact on the income statement of movements in commodity

prices.

Policies

- If economic to do so, treasury will hedge commodity exposures forward to a maximum of 3 years based on forecast future usage.
- The hedging time horizon for all commodity programmes and the associated foreign exchange will be no more than 36 months.
- Major recurring fuel oil, power and gas exposures are reviewed by the Commodity Price Risk Management Board (CPRMB), a Royal Mail committee which meets quarterly and at which Post Office is represented.
- Permitted hedging instruments are spot purchases, currency deposits, forward contracts, call options, matched options (e.g. cylinders) and swaps. Futures will not be used without specific authority of the Chief Financial Officer.

Accounting for commodity hedges

The Post Office will designate commodity cash flow hedges against forecast
underlying exposures. Unrealised gains and losses on hedges will be deferred in
reserves. This will be recycled to the income statement when the hedge matures
to match forecast expenditure.

Approvals

- Only treasury is permitted to transact hedges to protect against commodity price movements.
- Commodity hedging counterparties are approved by the CFO.
- Commodity hedge transactions are approved by the Head of Corporate Finance.

7.4 Interest Rate Risk
As noted in the section above, the risk of adverse movements in interest rates on the
floating rate LIBOR working capital facility is offset by LIBOR based commission
receivable on the refund of benefits payments from the government. This forms
an effective natural hedge.

Any changes to this strategy will be approved by the Audit, Risk and Compliance
Committee and the Board.

No hedging instruments for interest rate risk management are currently
authorised.

7.5 Funding / Borrowing

Policy

Borrowing is only permitted in sterling.

Borrowing is only permitted as per the funding agreement with the Department of
Business, Innovation and Skills as follows:

- Working capital facility of £1.15bn expiring on 31st March 2016.
- Maximum £50m external facilities.
- Maximum £50m leasing.
- Together with facilities to support Post Office's participation in the notes circulation scheme: maximum £550m.

Authorities

Authorities to drawdown under the facilities are as follows:

External borrowing facilities
- <£50m, overnight: One of Treasury Authorisation panel
- <£50m, up to 6 months: Head of Corporate Finance
- <£50m, over 6 months: CFO
Note: Total maximum external borrowing (exc BIS & leasing) is limited to £50m.

Leasing & Contract Hire
- <£50m, <8 years: Head of Corporate Finance (with prior approval from CFO)
- <£50m, <8 years: CFO
Note: Total maximum leasing is limited to £50m.

Working Capital Loan Facility with BIS
- up to £500m, up to 12 months: One of Treasury Authorisation panel
- up to £1.15bn, up to 12 months: Head of Corporate Finance
- up to £1.15bn, over 12 months: CFO

7.6 Guarantees
Nature of Risk

Guarantees that are provided by Post Office Limited create a financial exposure if they
are called.

Policy

In general, Post Office will not enter into financial / bank guarantees.

Approvals

Only the CFO is authorised to issue bank guarantees / performance bonds.

Chris Day
January 2013

Appendix 1 — Foreign Exchange by currency

(Table; the column headings are not legible in the source. Figures are reproduced as extracted, with the estimated volatility given for each row.)

By holding band:
<£0.1m: 49 | 1 | 47 | 0 | 0 | Est. volatility 10% | 0.04
£0.1m - £0.5m: 15 | 4 | 7 | 12 | 3 | 3 | Est. volatility 10% | 0.37

By currency:
EGP: 1 | 1 | 1614 | 92 | 104 | 12% | 0.01
NZD: 1 | 1 | 161 | 1.9 | 21 | 11% | 0.01
CHF: 1 | 1 | 191 | 1.4 | 15 | 8% | 0.01
HRK: 11 | 87 | 9.7 | 10% | 0.00
PLN: 164 | 49 | 5.6 | 13% | 0.00
BGN: 11 | 23 | 25 | 9% | 0.00
THB: 164 | 475 | 50.6 | 6% | 0.00
AED: 1.0 | 5.6 | 6.0 | 7% | 0.00
CAD: 1 | 2 | 11 | 1.5 | 16 | 5% | 0.01
£1m - £10m band, AUD: 2 | 3 | 2 | 2 | 1.5 | 16 | 10% | 0.02
TRY: 2 | 3 | 4.4 | 27 | 29 | 6% | 0.01
USD: 12 | 21 | 23 | 22 | 1.5 | 16 | 7% | 0.09
EUR: 35 | 60 | 63 | 62 | 1.2 | 1.3 | 9% | 0.31


Appendix 2: Gross Counterparty Exposures by Transaction Type

(Table in £m; the figures are largely not legible in the source. Only the column structure and the list of counterparties are recoverable.)

Columns (Product / Service): Over the Counter (Payments reimbursed, Comm's receivable, Total); Treasury (Corporate Banking, Money Market Deposits, Funds, Total); Individual contracts (Cheque clearing, Debit card clearing, Sale of bank notes, ATM, Benefits Reimbursed, Total); Total Gross Exposure.

Rows (Financial Institution): Bank of Ireland, Link / BoI (ATM's), Barclays, IPS, Blackrock, CO-OP, HSBC, Global payments, IGNIS, INVESCO, JP Morgan, Lloyds / HBOS, NAB, Nationwide, NS&I, RBS, RBS MMF, SWIP, Total.


Appendix 3: Net Counterparty Exposures

(Table; the body of the table is not legible in the source. Only the final totals row and the notes below are recoverable.)

Totals row (as extracted): 33 | 6 | (350) | 6 | 20 | 190 | 685 | 669

Notes:
(1) Growth bond payables to BoI
(2) Processing of benefit payments
(3) Clearing of cheques from multiple counterparties
(4) Clearing of debit card receivables from multiple counterparties
(5) Small business banking
(6) Note circulation scheme & uncommitted facilities

Appendix 4: Summary of services by counterparty

(Columns: Counterparty; Owner; Service; Maximum Exposure & Duration; Comment)

Barclays
- Owner: Treasury
- Service: Corporate deposit
- Maximum exposure & duration: £30m (o/night)
- Comment: Manage fluctuations in daily forecast cash flow

IPSL (via contract with Barclays)
- Owner: FSC
- Service: Clearing of cheques received through network. Cheque clearing contract signed with Barclays but managed by IPSL
- Maximum exposure & duration: £160m (2 day clearing)
- Comment: As this is a clearing process, risk lies with banks on which cheques are drawn, i.e. this is disaggregated over a number of counterparties

CO-OP
- Owner: FSC
- Service: Postal order clearing
- Maximum exposure & duration: £nil
- Comment: Post Office is a net payer as CO-OP is paying bank for PO's cashed

CO-OP (continued)
- Owner: FSC
- Service: Camelot lottery payments / collection
- Maximum exposure & duration: £nil
- Comment: Post Office is net payer due to purchases of lottery tickets

Lloyds
- Owner: Treasury
- Service: Scottish Widows (SWIP) Money market fund
- Maximum exposure & duration: £50m
- Comment: Investment of short term surplus cash

Citi
- Owner: Treasury
- Service: Uncommitted loan facility £30m
- Maximum exposure & duration: £nil

National Australia Bank Group - Clydesdale
- Owner: Supply
- Service: Sale of GBP notes to Clydesdale to support their note issuance. Sale of £50 notes
- Maximum exposure & duration: £30m
- Comment: Exposure attached to settlement by Clydesdale for notes purchased

Ignis
- Owner: Treasury
- Service: Money market fund
- Maximum exposure & duration: £30m
- Comment: Investment of short term surplus cash

Invesco
- Owner: Treasury
- Service: Money market fund
- Maximum exposure & duration: £30m
- Comment: Investment of short term surplus cash

HSBC
- Owner: Treasury
- Service: Bank accounts to support debit card clearing
- Maximum exposure & duration: £1m
- Comment: Overnight exposure relating to clearing of debit / credit card transactions

Global Payments (via contract with HSBC)
- Owner: FSC
- Service: Clearing of card payments received through network
- Maximum exposure & duration: £60m
- Comment: As this is a clearing process, risk lies with banks on which debit cards are issued, i.e. this is disaggregated over a number of counterparties

Link / Bank of Ireland
- Owner: FSC
- Service: ATM cash servicing
- Maximum exposure & duration: £90m
- Comment: Average overnight exposure £90m. Can peak at £130m after bank holidays

JP Morgan
- Owner: FSC
- Service: Processing of benefits settlements
- Maximum exposure & duration: £90m
- Comment: Overnight exposure £90m. Intraday exposure can be as high as £150m

RBS
- Owner: Treasury
- Service: Intra-day and overnight facilities and provision of RTGS account to support
- Maximum exposure & duration: £nil

RBS (continued)
- Owner: Treasury
- Service: Post Office membership of note circulation scheme
- Maximum exposure & duration: £nil

RBS (continued)
- Owner: Treasury
- Service: Primary corporate banking partner for Post Office settlements etc.
- Maximum exposure & duration: £nil - £5m

RBS (continued)
- Owner: Treasury
- Service: Uncommitted loan facility £50m
- Maximum exposure & duration: £nil

Santander
- Owner: FSC
- Service: Small business banking
- Maximum exposure & duration: £nil

Yorkshire Bank (owned by National Australia Bank Group)
- Owner: Treasury
- Service: Corporate deposit
- Maximum exposure & duration: £1m
- Comment: To be closed
Appendix 5 - CHAPS Banks

Bank of America (N.A)
Bank of England
Bank of Scotland (HBOS)
Barclays Bank PLC
Citibank N.A
CLS Bank International
Clydesdale Bank PLC
The Co-operative Bank PLC
Danske Bank
Deutsche Bank A.G
HSBC Limited
J.P. Morgan Chase Bank
Lloyds TSB Bank PLC
National Westminster Bank PLC
The Royal Bank of Scotland PLC
Santander UK PLC
Standard Chartered
State Street Bank
UBS A.G.

3. Annual Report and Accounts


Annual Report and Accounts

Chairman's Foreword

It is with great pleasure and pride that I write the Foreword to the first Annual Report and
Accounts which the Post Office has ever published as an independent company.

As this Report explains in more detail, the Post Office has embarked on a remarkable
turnaround to reverse the trend of years of declining revenues, Post Office closures and a
reputation for inconvenience and queues.

Thanks to our Shareholder, the Government, we are investing £1.34 billion into the Post
Office network over 3 years up to April 2015. There is no longer a programme of Post Office
closures. Instead, we are modernising the network, increasing our opening hours, offering
new services, developing new methods of interacting with our customers, working with our
key partners in new ways, cutting costs and increasing our revenues. All of this is intended
to put the Post Office on to a secure financial footing for the long-term, reducing our
dependence on the taxpayer to the minimum, and to change our culture so that we are
always on the front foot, responding to changes in the world around us in partnership with
the key people on whom we depend for the delivery of our services. [If we are successful in
achieving these changes, the conditions for the successful mutualisation of the Post Office
should be in place - a very exciting prospect which could in itself help to secure the kind of
self-sustaining Post Office which we all want to see in the future.]

A series of important changes has already happened and there are many more in the
pipeline.

We ceased to be a Division of the Royal Mail Group and became an organisation in our own
right on x April 2012. Since then, I have completed the formation of my Board and we are
now operating Board governance in keeping with best practice in the corporate world. Full
details of the Board members and our Board Committees are on p y. I am delighted to have
been able to appoint such a range of able people with varied backgrounds who are all
committed to supporting and challenging the Post Office as it pursues the changes which
must be made if we are to secure its future.

We have achieved a number of notable successes in this, our first independent, year. For
the second year running, our revenues are up on the previous year despite the difficult
economic environment. We have made great headway in our plan to modernise the network
of branches run by our agents. 1200 of these branches have been converted to new
operating models which give much better service to our customers, resulting in turn in higher


footfall and turnover. And we have made real inroads on the costs of running our Crown
offices where the annual deficit has reduced to £40 million. We have also won a large
number of new Government contracts under which we are providing some completely new
services and enabling central and local government to realise significant administrative
savings. We are also offering new financial services, maintaining our appeal to customers
who come to us for the reliability and transparency of our financial offers. [Need to say
something positive about changes in Mails]

But while we are clear about what we need to do to continue these developments and add to
them, the going is not easy. This turnaround, like any other, requires people throughout the
organisation and their partners to work in new ways. We need to win new business on
proper commercial terms - something which is difficult in current economic circumstances.
And we need to reduce our high fixed costs while at the same time finding the resources to
operate on our own two feet and to modernise and innovate - catching up after years of
under-investment.

Paula Vennells, the Post Office's Chief Executive Officer, will explain in more detail about
what we have been doing and our plans for the future in the following pages.

I would like to thank her for her commitment and hard work as well as her top team and all
the people who work to support the Post Office network for their efforts to bring about these
remarkable changes and plan for what needs to follow in the coming months and years.

I am also very grateful to Donald Brydon, Chairman of the Royal Mail, for the help and
support which he has given us as we have stepped out on our own, while at the same time
maintaining a crucial commercial relationship between us.

We owe a great deal to our Shareholder whose belief in the importance of the Post Office to
the core fabric of our country, and willingness to back that belief with real investment for the
future, is central to our plans. I would particularly like to thank Edward Davey [when did he
move???], Norman Lamb and now Jo Swinson - the three Ministers with whom we worked
particularly closely in 2012/13 and their key officials in the Shareholder Executive for their
guidance and support.

Finally, I would like to thank the people who represent many of the people through whom we
deliver our services, Andy Furey, Brian Scott and George Thompson. These are testing
times for our relationships and we all know we need to work together in new ways if we are
to achieve our shared goal of a thriving, relevant Post Office secure in its future for
generations to come. They are all important members of our Shareholder Forum where, with


colleagues from other organisations with a stake in the Post Office, they are working on a
proposed definition of our public purpose.

The Post Office has a long and honourable 350 year old history. We need to hang on to the
essence of what has made it great and made it loved, while at the same time making it fit for
the future. It is in that context that this Report and Accounts should be seen. It reports on
the first steps of progress into the future - a future which blends the trust, integrity and
accessibility for which the Post Office is renowned with the contemporary relevance,
innovation and professionalism of a financially sound 21st century company.


Strictly Confidential

POST OFFICE LTD

Publication of our Report and Accounts — Key Messages

1. Background and Purpose

1.1 The purpose of this paper is to set out plans for the publication of the Post Office’s
Report and Accounts for the financial year 2012/13. It deals with key messages and
the overall suggested tone of the document. It also proposes a timeline for clearance
of the report and sets out proposals for the style and promotion of the publication.

1.2 This will be our first such Report and Accounts as an independent company. We
should therefore seek to surprise, to demonstrate an innovative approach and to find
ways of standing out from other such reports. This paper sets out an initial direction
of travel.

2. Tone and key messages

2.1 The report is planned for publication in June against the backdrop of tight budgetary
control within the company, a difficult external economic environment which is putting
pressure on margins and discussions with Government around future strategy and
post-2015 funding positions.

2.2 We will work to align messages in the Report and Accounts with those currently
being worked up for our future strategy (on which the Communications and Strategy
teams are working together).

2.3 Subject to that process, we propose that the tone of the report should therefore be
one of:

- solid progress on fundamentals creating confidence for the journey ahead (with a
sense that in key areas, such as Network and Crown Transformation, the
turnaround has started, albeit in difficult circumstances)

- excitement at the innovation and change capabilities of this newly independent
company to deliver commercial and social value: the spirit of a start-up

- realism as to the task ahead, and empathy with subpostmasters and colleagues
as we work together in challenging circumstances

An outline report structure appears as Annex 1. An illustration of the proposed overall
tone can be seen in the initial draft of the Chairman’s Statement given at Annex 2.
A draft Corporate Governance statement and statutory Directors’ Report are provided
at Annex 3. To provide context - at Annex 4 - we also produce a draft of what the
Financial Review within the Accounts might look like based on Q3 forecasts.
Ultimately the tone, messages and approach need to be driven by what the financial
results reported will say.

3. Key messages within the Report and Accounts Document

3.1 We are a fully independent Company — a commercial business with a social purpose
- which operates and reports to plc standards.

3.2 We have made solid progress over the past year and are on track towards financial
sustainability. Significant steps have been taken as part of this: a new Board,
progress on transforming the business, the creation of the Stakeholder Forum.

3.3 We are also creating a new culture for this new independent company: more focused
on the customer, more innovative and flexible in the face of change: a culture which
recognises our unique place in society, and listens to all those with whom we
engage.

3.4 We are developing a strategy which will position us as a multi-channel company
which remains at the heart of communities — delivering key and essential services
across financial services, mails, government services and beyond.

3.5 But we are also realistic about the challenges we face, such as the economic
environment, the digital revolution and customer perceptions around relevance and
effort. We have no illusions about the hard work ahead, but our determination to
deliver the business transformation of the decade is undimmed.

3.6 We are proud to be part of the social and economic fabric of the UK. We will work
with Government to realise the commercial and social potential of our network.

4. Timeline

An outline of the timetable is given at Annex 5. The structure and approach to the
report will be cleared through corporate governance mechanisms in advance of year
end with Board sign off in late May and publication from early June.

5. Publication and promotion

5.1 We plan to produce an annual report in such a way that it reinforces our core
communications aim of both surprising and reassuring. We intend to surprise readers
about the ways in which the Post Office is changing, but also reassure that the Post
Office retains its traditional values around trust and social purpose. We intend to
seek to reinforce these points through the style of the annual report. It will be
authoritative and comprehensive, in the way one would expect from an organisation
of our size and status, but will also surprise: we do things slightly differently.

5.2 We propose that traditional paper copies of the report are produced alongside an
interactive digital version. We will also produce a video version, with interviews from
the chairman, chief executive, members of staff, customers and subpostmasters.

5.3 To this end we are seeking specialist agency advice and are assessing the way in
which other businesses approach their Report and Accounts (by examining examples
of last year’s publications from a range of other companies).

5.4 In the spirit of seeking to develop an innovative approach, the content of our report
will include an introduction from the Chairman and an executive summary from the
Chief Executive but could also provide space for comments and reflections from
members of staff, customers and subpostmasters. Involving a broad range of Post
Office people emphasises the ‘surprise’ element — few companies would take this
approach — and showcases our ways of working: engaging, listening and learning.

5.5 We also plan to commission new photography for the report and engage an agency
to support this project. Work on identifying an appropriate agency is ongoing. The
project will be funded from the communications budget.

5.6 A full PR and stakeholder plan will be developed around the report, including a
launch event which we suggest takes place outside London and with regional
elements (with Board members and ExCo involvement). The PR plan will build on the
success of the media work around our half-year results.


6. Key Risks

6.1 Key stakeholders may choose not to engage in the process, and the media plan may
lead to criticism (depending on the status of wider business issues such as network
transformation). Given the ‘routine’ nature of companies producing annual report we
will have to fight all the harder to gain media interest.

6.2 We also need to ensure we engage all relevant stakeholders in the development of
the report, at appropriate levels and with clarity around their expectations.

6.3 We will mitigate these risks through effective project planning and a flexible response
to the changing external environment. We will have a clearly defined early view of what
the core Report and Accounts looks like but have scope for adjustment and flexibility
in the way we implement the media / stakeholder engagement around its launch.

Chris Day and Mark Davies

February 2013

Annex 1

High Level Outline of Report and Accounts structure

Chairman’s Statement
Performance Highlights
Chief Executive's Review

- Personal Comments

- Progress as an independent company on plan to 2015

- Network Modernisation —- Agents and Crowns plus direct / digital channels.

- Front Office developments

- Financial Services Developments

- Telephony and Travel developments

- Mails developments

- Developments in support infrastructure developments — Cash carrying, IT and
administration

-  Mutualisation / Ways of Working

- Looking forward

Aview from a Subpostmaster

Aview from a Crown Counter Colleague

A view from a customer

A view from a small business customer

Financial Review - Financial numbers with general explanation of movements

Business Review - covering
• Strategy - Government policy / funding position. Progress in this area.
Developments / challenges ahead
• People - Numbers, diversity, involvement, engagement
• Community - Network - CSR - Involvement - Social Value - Engagement with
Stakeholders
• Business Risks

Directors and advisers — biographies/pictures

Corporate governance - covering

• Compliance Statement, making reference to the UK Corporate Governance Code
• Development of Processes
• Roles of Chairman, Chief Executive and Non-Executives and attendance at meetings
• Governance and Committee Structures
• Mutualisation developments
• Risk management / internal control overview

Directors’ Remuneration Report - tbc

Directors’ report - covering
• Principal activity, business review and employee engagement/CSR (cross ref to review
section above) and standard Directors’ report content (dividend, donations etc)

Post Office Group consolidated Financial Statements and notes
Post Office company Financial Statements and notes




Annex 2

Draft - Chairman's statement - Post Office Ltd Report and Accounts 2012/13

The Post Office is an integral part of the social and cultural fabric of the United Kingdom.

I am delighted therefore to be playing a part in another important chapter in its 350 year
history by presenting its first Report and Accounts as an independent company.

This independence is important. Setting out on our own as a commercial business with a
social purpose was a landmark step in a journey which we intend will place the Post Office
on a sustainable footing. We will be less reliant on the taxpayer, and more focused on
customers and their needs in a fast-changing world.

Our vision is of a multi-channel Post Office - embracing the innovation and agility demanded
in a digital world while also retaining our place at the heart of communities. The Post Office
is changing, and will change more, but our commitment to supporting High Streets across
the UK is unwavering.

Over the next few pages, chief executive Paula Vennells will set out the steps we have taken
during 2012/13 to set us on this path towards a sustainable future.

The thoughts of subpostmasters and staff from across the business are also included. I
thank them for their work to establish the business as an independent company.

It is they who collectively hold the stewardship of this company and it is they who have
delivered the significant progress covered in this report.

I would also like to thank our partners, particularly Royal Mail Group and the Bank of Ireland,
and also the Department for Business, Innovation and Skills for its support over this period. I
would particularly like to thank the three ministers with whom we worked in 2012/13 - Edward
Davey, Norman Lamb and Jo Swinson - for their guidance and support.

The year saw a number of significant developments, from the further strengthening of the
Post Office board to solid progress towards the transformation of hundreds of Post Offices of
all shapes and sizes.


Independence has also led to innovative thinking about our future. This will be reflected in a
new strategy which will articulate a vision of the Post Office in 2020. In the creation of a
Stakeholder Forum, which has brought together a wide range of organisations to define the
public purpose of the Post Office, we have started to consider how our future as a
sustainable business might be enhanced by mutualisation.

Meanwhile we are continually challenging ourselves to ensure that as we change we engage
our people - customers, staff, subpostmasters - in a way which meets these mutual
aspirations: open to challenge, prepared to change, listening and learning.

The financial picture we face as we start our journey is encouraging, albeit against the
backdrop of a difficult economic climate and ever more competitive markets. You can read
more about this in Chris Day's Financial Review on page xx.

The challenges we face mean that the Post Office must be as ready as at any time in its
history to take new approaches. We must be more adaptable and, crucially, ever more
focused on the people who matter most to our business: our customers.

The Post Office needs to become the oldest company in the UK with the mentality of a start-
up business.

It is in that context that this Report and Accounts should be seen. They report on the first
steps of progress into a new future for a new Post Office: a future which blends the trust,
integrity and accessibility for which the Post Office is renowned with the contemporary
relevance, innovation and professionalism of a financially sound 21st century company.


Annex 3 — Corporate Governance Statement and Directors’ Report

Statement on Corporate Governance
Post Office Limited (the “Post Office”) became an independent company on 1 April 2012.
Corporate Governance Principles

As the Post Office is not a company whose shares are listed and traded on a public
exchange, it is not formally required to report on its compliance with the UK Corporate
Governance Code (the “Code”). Nonetheless, the Board of the Post Office believes this is
an appropriate benchmark for reporting on corporate governance and the following report
therefore follows the model expected of large listed companies.

In its first year of independence, Post Office has established a full Board and Committee
structure and has set principles for good governance which follow the provisions of the
Code, so far as they can apply to a Government-owned entity which has no private or
institutional external shareholders.

Legal Ownership Structure

Post Office considers its principal shareholder to be the Shareholder Executive of the
Department of Business, Innovation and Skills (“ShEx”). ShEx manages the Government's
interest through a legal shareholding in the Company, in the form of one Special
Redeemable Preference Share in Post Office Limited, issued on 1 April 2012.

A strong link remains between Royal Mail and Post Office — Post Office has a long term
agreement in place to continue to supply Royal Mail products and services through its
network. That link is currently reinforced in the corporate structure by a common Group
holding company which holds shares in both the Post Office and Royal Mail main operating
companies. This will remain in place until there is a change in ownership of Royal Mail.

[Ownership structure diagram]

The Articles of Association of Post Office set out the circumstances in which the Board of
the Post Office must seek the Shareholder’s consent or notify the Shareholder in advance
of proposed changes in the business. Such matters include significant expenditure (over
£20 million), entry into borrowings or financial commitments over £50 million, new areas of
proposed business and changes to Board membership.

Neither Royal Mail Holdings plc nor ShEx has any day to day involvement in the
operations of the Post Office or the management of its branch network and staff.

The Board

Alice Perkins was appointed as Chairman of the Board in July 2011, marking the first step
on the road to building an independent Board for the Post Office. Neil McCausland joined
in September 2011 as the Senior Independent Director and, in the year under review, a
further four non-executive directors have been appointed, each bringing particular skills and
experience relevant to the business targets of growth, modernisation, customer focus and
business efficiency.

The Board therefore now comprises two executive Directors and six independent Non-
Executive Directors, including the Chairman. This provides a strong level of independent
challenge to decision-making and enables the Post Office to call upon a wide range of
experience and opinion. Short biographies of all members of the Board appear on page X
of this Annual Report.

The roles and responsibilities of the Chairman, the Chief Executive Officer (“CEO”) and the
Senior Independent Director have each been agreed by the Board and [can be found on
the Post Office website].

All Directors’ appointments and the terms under which they serve, including Non-Executive
Directors’ fees and any changes in the total remuneration for each Executive Director,
require the consent of ShEx as the principal Shareholder.

Paula Vennells, CEO and Chris Day, Chief Financial Officer (“CFO”), have signed
employment contracts with the Post Office dated 29 October 2010 and 3 May 2011
respectively.

The Executive Directors’ contracts require them to devote their working time to the Post
Office. Neither of the Executive Directors is a director of any public company.

The contracts provide for 6 months’ notice of termination to be given by the director and 12
months’ notice to be given by the Company. [The standard form of contract is available for
inspection on request from the Company Secretary]. [The Company maintains rights to
claw back incentive amounts subsequently found to have been based on incorrect
accounting information. Such provisions have never needed to be enforced.]

Non-Executive Directors are not employees of the Company but provide services under the
terms of an individual Letter of Appointment, signed at the commencement of their
directorship. [The standard form of letter of appointment is available for inspection on
request from the Company Secretary.]

All the Non-Executive Directors are entirely independent of the Company, having no other
connection or financial interest in the Post Office, other than as customers and taxpayers.

Non-Executive Directors’ Terms of Office

Director | Date of appointment | Term of office | Unexpired term at 31 March 2013 | Committee memberships
Alice Perkins | 21 July 2011 | Rolling 12 month contract | N/A | Nominations (Chair), Remuneration
Neil McCausland | 22 September 2011 | 3 years | 1 year 175 days | Remuneration (Chair), ARC, Nominations
Tim Franklin | 19 September 2012 | 4 years | 3 years 172 days | ARC
Virginia Holmes | 4 April 2012 | 3 years | 2 years 4 days | Pensions (Chair), Nominations, Remuneration
Alasdair Marnoch | 18 May 2012 | 3 years | 2 years 48 days | ARC (Chair)
Susannah Storey | 18 April 2012 | 3 years | 2 years 18 days | ARC, Pensions

Board Meetings

Formal Board meetings were held X times during the year to 31 March 2013. As well as
considering strategic plans and approving new project proposals and policies, the Board
received a financial and performance update and a report from the CEO (including health
and safety) at each meeting.

One additional conference call meeting was held during the year to finalise the extension of
the agreement with the Bank of Ireland and the sale of Midasgrange Limited (“Project
Eagle”). In addition, special workshops were held to allow greater time for debate and
increase the Board’s detailed understanding of single issues such as IT and the development
of the annual operating budget.

There is a formal Schedule of Matters Reserved for the Board which includes major capital
expenditure, entry into significant borrowings, acquisitions or disposals of any material part of
business and entry into different geographic areas or business activities. These are the types
of matter which could involve significant expenditure or would require Shareholder approval
from ShEx. The Board's Terms of Reference, including the Schedule of Matters Reserved for
the Board, can be found on the Post Office website.

The Board’s primary focus in the year to 31 March 2013 was on setting the strategic direction
for the business, in preparation for completion during 2013/4 of the Strategic Plan and
Funding Agreement with Government for the period 2015-2020. Three specific strategy
sessions were held in June and November 2012 and in January 2013.

The first draft of the Strategic Plan and Funding Agreement was submitted to ShEx for
discussion on [31 March 2013]. Approval of a final plan and agreement for future funding for
the period 2015-2020, to include business targets such as objectives for the size and shape
of the Post Office network and customer satisfaction measures, is expected by [31 October
2013].

Figure 1: Proportion of Board time spent in 2012-2013
Attendance at Board and Committee meetings

Directors are expected to attend all Board meetings, unless prevented from doing so by
illness or unavoidable personal circumstances. Apologies for absence are formally recorded
in the minutes of the meeting.


In the year under review, the Board established sub-committees which met regularly during
the year to undertake more detailed reviews in specialist areas, as recommended by the
Code. Such focus areas included accounting policy and practices, risk and controls,
executive remuneration, the processes for evaluation of performance, and the nomination
and appointment of new directors or the removal of directors from the Board; and Pensions.


Director | Board | ARC | Mutualisation Committee | Nominations Committee | Pension Committee | Remuneration Committee
Alice Perkins | 12/12 | [illegible] | 4/4 | 2/2 | - | 3/3
Paula Vennells | 12/12 | [illegible] | 4/4 | [illegible] | [illegible] | 2/2†
Chris Day | 12/12 | [illegible] | 4/4 | - | [illegible] | -
Neil McCausland | 12/12 | [illegible] | 4/4 | 2/2 | - | 3/3
Tim Franklin* | 5/5 | 1/2 | [illegible] | - | - | -
Virginia Holmes | 12/12 | - | 4/4 | 2/2 | 7/7 | 3/3
Alasdair Marnoch* | 10/11 | 3/3 | 4/4 | - | - | -
Susannah Storey | 12/12 | 3/3 | 4/4 | - | 6/6* | -

* from date of appointment
† in attendance, by invitation

Board Sub-Committees
Audit, Risk and Compliance Committee

The Audit, Risk and Compliance Committee (“ARC”) looks, not only at financial performance
and policies, including any changes to accounting policies and controls within the business to
ensure that the directors can fulfil their statutory responsibilities to produce proper financial
accounts each year, but also at the levels of risk which exist within the Post Office and the
steps taken to mitigate against risks.

Following its separation from the Royal Mail Group in April 2012, the Post Office has been
building its own risk management, internal control and internal audit procedures and this will
be an area for further development during the 2013/14 financial year.

In the year under review, the ARC met [3] times, under the leadership of Alasdair Marnoch.
Alasdair is a Chartered Accountant and has recent and relevant experience as a Finance
Director of customer-facing and service businesses, including recent involvement with
MyCSP, the first pensions mutual organisation developed by the Government with and for
members of Civil Service Pension schemes.

One of the ARC’s primary responsibilities during the period was to review both the half year
trading statement and the full year accounts, to assess the validity of assumptions made and
the accounting policies used and to consider the ways in which Post Office should present its
financial performance as a newly independent entity.

A second major responsibility has been to promote the development of a risk management
framework suited to the complex nature of Post Office business. This will take some time
and is a key focus area for the coming year. The development of more sophisticated risk
management and control procedures and the establishment of a full internal audit
programme are areas of high priority now that the Post Office is an independent entity.

Post Office intends to implement a full Enterprise Risk Management system to help in
assessing, measuring and mitigating against risk, where this is possible, in each of the main
business areas — the Post Office Network, Mails Services, Front Office of Government
activities, Telephony and Broadband Delivery and, perhaps most importantly, in the
developing area of Financial Services. Post Office has a target to grow its public perception
as a reputable and reliable financial services organisation.


The Board recognises that it is not possible to eliminate risk entirely. A chart showing the
principal risks and uncertainties facing the business and the steps taken to mitigate against
key risks is included in the Financial Review on page X.

In this period, a new Head of Internal Audit was appointed and the transition from using the
Royal Mail internal audit function to building a new internal team has begun. This is one
element in the re-examination of internal controls within the business.

The ARC works with both the internal audit team and Ernst & Young, the external auditor.
There is no current intention to change the existing audit relationship but the ARC will
continue to monitor the independence of the auditor and will, in future years, consider
whether the audit should be put out to competitive tender, in line with best practice applying
to listed companies.

Remuneration Committee

The Remuneration Committee is made up of three Non-Executive Directors and is chaired by
Neil McCausland, the Senior Independent Director. The Committee met for the first time in
October 2012, remuneration for senior executives having previously been under the control
of the Royal Mail Holdings plc Remuneration Committee.

The Committee is responsible for making recommendations to the ShEx on the remuneration
of the Executive Directors. In doing so, it also reviews the remuneration policy and packages
of the most senior leadership team, being the roles which report directly to the Chief
Executive. It also obtains information on salary levels across the business and within external
organisations of comparable size in order to set remuneration levels within an appropriate
context.

The Chief Executive may attend meetings, at the invitation of the Chairman, to discuss
matters relating to the remuneration of the CFO and members of the Executive Committee
but the Committee upholds the principle that no individual may be involved in discussions
concerning their own remuneration.

The full Terms of Reference of the Remuneration Committee can be found on the Post
Office website.

The Committee is able to consult on remuneration matters with the HR & Corporate Services
Director, other members of the HR team and with external consultants. In the year under
review, advice was primarily obtained from New Bridge Street Consultants on market
practice and benchmark development. New Bridge Street Consultants have no other links
with the Company which could compromise their independence.

No material changes can be made to Directors’ base salaries, benefits or incentives without
the consent of ShEx. A priority for the Remuneration Committee in this period was to agree
with ShEx performance criteria for short and long term incentive schemes in which the
Executive Directors were invited to participate.

Further details of the schemes now in place, and a table setting out the remuneration paid to
all Directors in the year to 31 March 2013, are provided in the Directors’ Remuneration
Report on page X.

Nominations Committee

The Nominations Committee is chaired by Alice Perkins, the Chairman of the Company. It

met for the first time in December 2012, with director appointments up to that time having
been made according to specific criteria, following discussions with ShEx.


The primary role of this Committee is to recommend to the Board any changes in Board
membership and to manage the process for recruiting and replacing directors. The Board
has only recently been completed and no immediate changes are expected. The Committee
will keep under review the balance of skills, experience and diversity available within the
Board and each of the Board Sub-Committees.

The Nominations Committee will also oversee the process for Board and Committee
performance evaluation.

Diversity

The Board believes that, at this stage of the Company's development, building talent and
diversity within the Post Office community merits special attention. The Board has therefore
delegated authority to the Nomination Committee to monitor the development of a talent
management programme and to receive regular reports on diversity at all levels of the
organisation.


Post Office does not intend to operate a quota system to ensure a fixed representation of
any particular group but will seek balance in making appointments, particularly at senior
levels.

Its general policy will be to recruit for talent, using a range of recruitment solutions, including
encouraging open applications through its own website, engaging specialist independent
recruitment consultants and operating school leaver, graduate and apprentice schemes.

Over Christmas 2012 the Post Office welcomed XXX previously unemployed individuals to
work in branches over the busiest period of the year. XXX have since taken up permanent
positions in the Company.


Pension Committee

The Pensions Solution, adopted in April 2012, saw a substantial transfer of assets from the
Royal Mail Pension Plan (“RMPP”) to the Government, in return for the Government
assuming the obligations for past service liabilities. The transfer was made possible by
European Union State Aid funding.

As part of the solution, the pension fund was sectionalised, with Post Office assuming
responsibility for setting the investment strategy for funds relating to Post Office employees
and pensioners.

The Board has delegated authority to a specialist Pension Sub-Committee to appoint
professional advisers, to enter into negotiations with the Trustees of the RMPP on the
valuation of the funds, strategic asset allocation for the Post Office sections and to monitor
investment performance. The Committee reports back to the full Board so that its work can
dovetail with executive recommendations and union negotiations on pay and benefits.

In August 2012, the Committee recommended to the Board the appointment of AON Hewitt
as investment advisers. Working with AON Hewitt and with Towers Watson, the appointed
actuary for the RMPP, the Committee has satisfied itself as to the fair value of assets
transferred into the Post Office section at 31 December 2012 and has revised the investment
principles with the aim of maintaining the long term sustainability of the Scheme and
protecting against an unmanageable increase in liabilities for the Post Office in the future.

[Further paragraphs about the implications of Project Robin, if agreed, and the valuation
exercise].

Mutualisation Sub-Committee

An additional sub-committee, open to all Directors, was established to consider future
ownership models for the Post Office, following the Government's publication in July 2012 of
responses to the consultation on “Building a Mutual Post Office”. The Mutualisation
Committee met [4] times in the period.

A summary of the valuable work undertaken to date on perceptions of the Post Office and
the steps which would need to be taken to secure a successful future, whether in an existing
form of mutual structure or a different organisational model, appears on page X.

The establishment of the Stakeholder Forum to discuss the steps towards potential
mutualisation has enabled the views of many different groups to be expressed and the Board
is grateful to all those who have contributed ideas and enthusiasm to this important project.

Independence of the Committees

As membership of the Mutualisation Committee is open to the full Board, it follows that
executive directors attend and participate fully in these meetings, though the Committee
retains a majority of independent non-executive directors. The Pensions Sub-Committee is
made up of two Non-Executive Directors and the current CFO. All of the other sub-
committees are constituted solely of independent Non-Executive Directors.

Performance Evaluation

The Board intends to carry out an annual evaluation of the effectiveness of the Board and of
the Board sub-committees. In recognition of the fact that appointments to the Board and sub-
committees were finally completed only in September 2012, the initial performance
evaluation will take the form of an informal assessment by the Chairman and Non-Executive
Directors of overall effectiveness in the period. Separately, an appraisal of the personal
effectiveness of the Chairman will be led by the Senior Independent Director.

The performance of the CEO is assessed half yearly by the Chairman as part of the Group's
standard performance appraisal structure; the performance of the CFO is similarly assessed
by the Chief Executive. The results of performance appraisals are reported to the
Remuneration Committee. The Remuneration Committee is then responsible for assessing
whether performance criteria for awards under the Company's variable incentive schemes
have been met and for recommending payments to be made, with the approval of the Board
and ShEx.

The Executive Committee

Below main Board level, the Executive Committee is the most senior management body and
is made up of the CEO and each of her direct reports, supported by the business unit heads
who report to members of the Executive Committee.

The Executive Committee (“ExCo”) implements the strategy agreed by the Board and
monitors business performance and development at a day-to-day level. It meets formally at
least once a month to discuss proposals for new business development, receive financial
and other performance reports, review the results of personal performance assessments
undertaken throughout the organisation and address urgent issues which have arisen within
the business requiring senior level resolution.

Under the delegated authorities established by the Board, individual ExCo members are
responsible for the decisions taken in their own area up to a set limit [value of £Xm for
budgeted expenditure and up to £Xm for unbudgeted expenditure]. Above this level there is
a process for escalation of business proposals for approval, through ExCo as a body and the
Post Office Board and, ultimately, to ShEx, if so required by the Company's Articles of
Association.

The CEO, CFO and the Company Secretary attend both Board and ExCo meetings which
facilitates and strengthens the communication channels between the senior leadership team
and the Board and its Committees.

[The Terms of Reference of the Executive Committee have been set out in writing and are
available to download from the Post Office website.]

Directors’ Report

The Directors present the financial statements for Post Office Limited (the Company). These
financial statements relate to the 52 weeks ended 31 March 2013 (2011 25 March 2012).
Principal activities

The Company's principal activities are the provision of access to a wide range of Government,
financial, travel and retail services through its network of Post Office branches and other
channels across the United Kingdom (UK).

Review of the business and expected future developments

Information contained within the Chief Executive's Review and the Financial Review on pages X
to X constitutes the business review required by the Companies Act 2006 and is incorporated
into this directors’ report by reference.

Results and dividends
The profit after taxation for the year was XX million (2012 £37 million). The Directors do not
recommend the payment of a dividend (2012 £nil dividend).

Pensions
[Wording to be agreed.]

Political and charitable contributions
During the year, the Company made charitable contributions amounting to £XXX,XXX (2012
£320,108). No political contributions were made in the year (2012 £nil).

Research and development
Research and development expenditure during the year amounted to £nil (2011 £nil).

Policy on the payment of suppliers

The Company's policy is to use its purchasing power fairly. Payment terms are agreed in
advance for all major contracts. For lower value transactions, the standard payment terms
printed on the purchase order apply. It is Company policy to abide by the agreed terms. The
Company has sought to comply with the Department for Business, Innovation and Skills (BIS)
Better Practice Code. The number of days’ purchases in creditors at the balance sheet date was
XX days (2012 33 days).

Land and buildings

The net book value of the Company's land and buildings, based upon a historic cost accounting
policy and excluding fit-out, is £XX million (2012 £11 million). In the opinion of the Directors,
the aggregate market value of the Company's land and buildings at the year end exceeded their
net book value by at least £XX million (2012 £45 million).

Directors and their interests
The following served as Directors of the Company during the year ended 31 March 2013 and
remain in post as at the date of approval of these financial statements.

A Perkins CB

CM Day*

T A Franklin (Appointed 19 September 2012)

V A Holmes (Appointed 4 April 2012)

A Marnoch (Appointed 23 May 2012)

N W McCausland

S J Storey (Appointed 18 April 2012)

P A Vennells*

*executive directors

No Director has a beneficial interest in the share capital of the Company. All the Non-Executive
Directors are considered to be independent, having no financial connection with the Company
other than by virtue of the fees paid for their services as a director. The emoluments of directors
are set out in the Directors’ Remuneration Report which appears on pages X to X.


Insurance and qualifying third party indemnity provisions for Directors
Post Office Limited maintains directors’ and officers’ liability insurance for the benefit of all
directors and officers of the Company.

A partial qualifying third party indemnity provision (as defined in section 234 of the Companies
Act 2006) was and remains in force for the benefit of all the Directors of Post Office Limited and
former Directors who held office during the year. The indemnity is granted under article 129 of
Articles of Association of Royal Mail Holdings plc, the ultimate parent company. The indemnity is
partial in that it does not allow the Company to cover the costs of an unsuccessful defence of a
third party claim.

The new regulations for listed companies from 2013 will require the strategic report to
include consideration of human rights issues, as well as social and community issues. It
will also require a gender split for directors, managers and employees (table to be
considered for inclusion in this year’s Corporate Governance Report under the heading
of Diversity).

People

Our goal is to ensure that all employees are engaged and involved in the business and are
aligned and equipped to meet business objectives. As part of our commitment to drive better
service for customers we continue to focus on improving the quality of our leadership,
professionalising key roles and achieving greater employee involvement in decision making.
Extensive training and development programmes have been put in place to support our ambition
to create a high performance customer-oriented sales culture. This ambition is further supported
by a range of bonus schemes which are based on the achievement of business targets.

Underpinning all of this is a need for dignity at work, where everybody feels valued, is treated
fairly and equally with everyone playing a full part in helping the Company to achieve its goals.

Regular employee opinion surveys are conducted to allow employees an opportunity to express
their views and opinions on important issues. This two-way communication encourages all
employees to contribute towards making business improvements.

Corporate Responsibility

Post Office Limited is committed to carrying out its activities in a socially responsible manner in
respect of the environment, employees, customers and local communities. [Further information
will be provided in the Business Review].

Disabled employees

The Company's policy is to give full consideration to applications for employment from disabled
persons. Employees who become disabled whilst employed receive full support through the
provision of training and special equipment to facilitate continued employment where
practicable. The Company provides training, career development and promotion to disabled
employees wherever appropriate.

Post balance sheet events
To be confirmed post year end.

Going Concern

After analysis of the financial resources available and cash flow projections for the Company,
the Directors have concluded that it is appropriate that the financial statements have been
prepared on a going concern basis. Further details are provided in accordance with the
fundamental accounting concept in note 1 to the financial statements.

Audit information
The Directors confirm that, so far as they are aware, there is no relevant audit information of
which the auditor is unaware and that each Director has taken all reasonable steps to make
themselves aware of any relevant audit information and to establish that the auditor is aware of
that information.


Auditor

The auditor, Ernst & Young LLP, is deemed to be reappointed under section 487(2) of the
Companies Act 2006.

By Order of the Board

Alwen Lyons

Secretary

Post Office Limited (company number 2154540)
148 Old Street, London EC1V 9HQ


Annex 4 — Draft outline of potential Finance Report content

Financial review

NOTE: This statement includes indicative content, although much is still to be confirmed, as shown
by 'xxx' and square bracketed comments. All 2012-13 outturn references are currently populated
with Quarter 3 forecast data, and all statements, roundings etc. are to be checked and validated
once year end outturns are known. We also need to consider referencing to 53 weeks in 2012-13.

Chris Day [Insert picture]
Chief Finance Officer

Summary results

The Post Office has delivered a sound performance in its first year as an independent company.
Turnover has increased in three of the four core product pillars. This has enabled investment to build
the brand and drive future growth and allowed improvements in the supporting infrastructure to the
network. However, the scale of transformational change ahead remains significant and wider economic
conditions continue to be challenging.

Operating profit before exceptional items was £95 million (2012 £61 million). Cashflow was
XXXXXXXXXXXXXXXX (2012 £xm).

Profit and Loss Summary

                                                    2012-13   2011-12
                                                         £m        £m   Variance
Turnover                                              1,020       980         40
Network Subsidy Payment                                 210       180         30
Revenue                                               1,230     1,160         70
People Costs                                          (261)     (251)        (9)
Agents' Costs                                         (481)     (483)          2
Other Operating Costs                                 (425)     (395)       (30)
Share of profit from joint ventures and associates       31        31          0
Operating profit before exceptional items                95        61         33

Revenue

Post Office Revenue has increased by £70 million to £1,230 million, including an increase in the
Network Subsidy Payment from Government of £30 million. The Post Office segments income into four
pillars: Mails & Retail, Financial Services, Government Services and Telephony Services.

                                                    2012-13   2011-12
                                                         £m        £m   Variance
Mails & Retail                                          410       392         18
Financial Services                                      280       264         15
Government Services                                     162       164        (1)
Telephony Services                                      129       120          8
Other                                                    40        39          1
Turnover                                              1,020       980         40
Network Subsidy Payment                                 210       180         30
Revenue                                               1,230     1,160         70


The chart below shows the year on year movements making up the £70 million increase.

[Chart: Revenue - Prior Year to Current Year. Waterfall from 2011-12 Revenue through Mails & Retail,
Financial Services, Government Services, Telephony Services and Network Subsidy Payment to
2012-13 Revenue.]

Mails & Retail
Mails and Retail revenue of £410 million (2012: £392 million) has increased by £18 million.

Royal Mail products' turnover has increased by £11 million, driven primarily by the tariff rises introduced
by Royal Mail in April 2012. [more to add at year end on the volumes growth areas.] Retail turnover has
increased by £2 million due to collectibles and memorabilia relating to the Jubilee and the Olympics, as
well as the introduction of new products [to confirm details for year end]. Income from sales of lottery
tickets has risen by £3 million as the high number of rollover draws drove sales volumes up.

Financial Services
Financial Services revenue of £280 million (2012: £265 million) has increased by £15 million.

Personal Finance Services income rose by £22 million, driven by the implementation of a new contract
with the Bank of Ireland, which has increased commissions received. Savings products have
performed well — particularly x, y and z — along with the introduction of a new mortgage product. The
value of savings held in Post Office branded accounts has increased by £x million during the year to £y
million. There has been a decline in the traditional financial services products, most notably a £3.3
million decline in income from NS&I as NS&I has sought to encourage customers to use its online
channel.

Government Services

Government Services revenue of £162 million (2012: £164 million) has decreased by £2 million. There
has been [continued] growth in income from the passport check and send service which is £2 million
higher. [Rate vs volume impact to be confirmed at year end]. However, the anticipated growth in
income from identity related services has been disappointing. Revenue from the Post Office Card
Account is £5 million lower as customer numbers continue to reduce. [volume and LIBOR variances vs
PY to be checked]

Telephony Services

Telephony Services revenue of £129 million (2012: £121 million) has increased by £8 million. Income
from the Post Office Homephone and Broadband product rose by £10 million, primarily due to higher
customer numbers following xxxxxxx [the introduction of more service packages offering options for
inclusive calls with effect from April 2012]. [Statement to be validated]. Income from e-top-ups was £2
million below prior year as more customers migrate away from pre-pay.

Network Subsidy Payment

The Network Subsidy Payment has increased by £30 million this year to its peak of £210 million, before
it begins to reduce with effect from 2013-14, reflecting the reduced requirement following progress made
with the Network Transformation programme. [to confirm wording]

Costs

Post Office costs have risen by £37 million to £1,167 million (2012: £1,129 million).

[Chart: Costs - Prior Year to Current Year (£m). Waterfall from 2011-12 costs through People Costs,
Agents' Costs and Other Operating Costs to 2012-13 costs.]

Staff costs

Staff costs of £261 million (2012: £251 million) have increased by £9 million, primarily due to the impact
of separation from Royal Mail Group, which is largely offset by savings in intercompany charges from
Royal Mail Group Ltd, and some pay rises.

Agents’ costs

Agents’ costs represent almost half of the cost base and have reduced by £2 million to £481 million
(2012: £483 million). Adjusting for a one-off payment made to Agents last year of [£4] million the
underlying year on year movement would be £xxm. [Need to explain further depending on outcome.]

Other Operating Costs

Other operating costs have increased by £30 million to £425 million (2012: £395 million), driven by
additional investment to drive future revenue growth and build the brand, as well as establishing the
framework for longer term efficiencies and improving the supporting infrastructure across the Network.

Share of Joint Venture and Associate profits
Share of Operating Profit from the joint ventures (First Rate Exchange Services Limited) and associate
(Midasgrange Ltd until its sale on [1] September 2012) was £31 million (2012: £31 million).

Exceptional Items
                                                        2013    2012
Exceptional items                                         £m      £m
Operating exceptional items:
  Transformation costs                                   (80)     (2)
  Impairment of property, plant and equipment            (79)    (36)
  Utilisation of Government grant                        118
Non-operating exceptional items:
  Asset disposal                                           2       1
  Business disposals                                     (30)
Net exceptional items                                    (69)    (37)

Transformation costs include the costs of delivery of major change: Network Transformation
introduces new style agency offices and seeks to improve fundamentally the profitability of the Crown
network. IT Transformation creates the IT infrastructure appropriate for an independent business with
ambitious growth plans.
Network Transformation resulted in costs of £33m for agents’ compensation and £26m programme
costs. £11 million of redundancy costs mainly related to the Crown network, costs of £10 million
related to transforming our IT infrastructure and there was £1 million for other exceptional costs.
The non Network Subsidy [check if there is better terminology for this] Government grant funding is
included within operating exceptional items to match the associated costs. Government grant funding
received of £118 million has been utilised against £66 million capital expenditure, £33 million Network
Transformation related agents’ compensation and £20 million Network Transformation programme
costs.
Property disposals during the year mainly comprise the sale of the freehold of the Woking Crown office. The
loss on disposal of Post Office Limited's interest in our associate investment in Midasgrange Ltd was
£30 million.
Free cash flow
Operating profit of £95 million (2012 £61 million) is higher by £33 million.
Capital expenditure of £68 million (2012 £32 million) is higher on account of investment in Network
Transformation, Supply Chain and IT infrastructure.
Redundancy and exceptional items comprise a cash inflow of £47 million (2012: outflow £17 million),
mainly resulting from the receipt of Government grant funding, of which £118 million (2012: £nil) has
been spent in the year. The grant has been used towards the capital expenditure above, Network
Transformation costs of £46 million (2012 £XX million), redundancy of £11 million (2012 £12 million) and IT
infrastructure of £10 million (2012 £xx million). There were other exceptional items of £4 million (2012 £5
million).
Net debt has decreased by £xx million year on year as shown in the table below.

                                                                                        2013
                                                                                          £m
Net debt brought forward 25 March 2012
Free cash flow (see page XX)
Interest earned on pension escrow investments (included within the free cash flow above)
Increase in loans and borrowings - accrued non cash interest on shareholder loan
Foreign currency exchange impact on cash and cash equivalents
Total net debt

Pensions

On 1 April 2012 — after the granting of State Aid by the European Commission on 21 March 2012 —
almost all of the pension liabilities and pension assets of the Royal Mail Pension Plan (RMPP), built up
until 31 March 2012, were transferred to HM Government. On this date, the RMPP was also
sectionalised, with Royal Mail Group Ltd and Post Office Limited each responsible for their own
sections in future. This arrangement left the RMPP fully funded on an actuarial basis in respect of
historic liabilities at this date.

Pension Plans

Post Office Limited is a participating employer within the Post Office Section of the Royal Mail Pension
Plan (RMPP) and is a participating employer within the Royal Mail Defined Contribution Plan (RMDCP).
Royal Mail Group Ltd is the principal employer of the Royal Mail Senior Executives’ Pension Plan
(RMSEPP) and Post Office Limited is a participating employer within RMSEPP. RMPP and RMSEPP
are both defined benefit plans on a career average basis.

The balance sheet pension position has changed from a deficit of £206 million at March 2012, to an
asset of £xx million at March 2013. The improvement in position is primarily due to the transfer of
almost all of the pension liabilities and pension assets of the Royal Mail Pension Plan (RMPP), built up
until 31 March 2012, to HM Government on 1 April 2012. Since 1 April 2012 xxxxXxxxxXxXxxxx.

Both defined benefit plans are now closed to new members. RMSEPP closed on 31 December 2012
and has no active members. New employees are offered membership of the defined contribution plan,
RMDCP.

                                                          2013    2012
                                                            £m      £m
Operating pension costs                                    (26)    (24)
Exceptional pension costs (relating to redundancy)         (XX)    (XX)
Net pension interest credit/(charge)                         3       2
Pension charges                                            (XX)    (XX)

The £2 million increase in operating pension costs is caused principally by changes in market
conditions, resulting in a pension charge for RMPP equating to 17.8 per cent of pensionable pay,
compared to 17.1 per cent last year. The percentage applied to the pensionable payroll is determined
at the beginning of the financial year and is intended to represent the amount by which liabilities will
increase due to employing active members for one more year.

The net pension interest credit reflects the unwinding of the discount on the plans’ liabilities, less the
long-term expected rate of return on the plans’ assets.

Pension cash payments for all Plans

Following the transfer of almost all of the pension liabilities and pension assets of the RMPP to HM
Government explained above, the future funding of ongoing pension contributions into RMPP and
deficit payments into RMSEPP is being discussed with the respective pension trustees. The payments
for 2012-13 disclosed in the table below were based on the arrangements that were in place for the
2011-12 financial year.

                                                          2013    2012
                                                            £m      £m
Regular pension contributions                              (XX)    (24)
Funding of the pension deficit - RMSEPP                    (XX)     (1)
Payments relating to redundancy                            (XX)    (XX)
Net cash payments                                          (XX)    (XX)

Regular pension contributions have increased/decreased due to xxxxxxxxxx. The regular future
service contributions cash rate for RMPP expressed as a percentage of pensionable pay remained at
17.1 per cent (2012 17.1 per cent). The regular rate of employee contributions for the RMPP remains
unchanged at six per cent.


Pension deficit recovery payments by Post Office Limited have xxxxxxxxxxx. The £1 million (2012 £1
million) deficit payment relates to RMSEPP. There was no RMPP deficit payment in either year as a
result of State Aid clearance granted on 21 March 2012 and the subsequent transfer of almost all of
the pension liabilities and pension assets of the RMPP to HM Government on 1 April 2012.

Treasury management overview

Following the transfer of Post Office Limited from the ownership of Royal Mail Group Ltd to Royal Mail
Holdings plc on 1 April 2012, Post Office Limited has operated an independent Treasury function and
manages its own financial assets (including network cash) and financial liabilities (mainly Government
loans).

The treasury function derives its authority from the Board and provides regular reports for Board
review. It has the authority to undertake financial transactions relating to the management of the
underlying business risks; however, it does not engage in speculative transactions and does not operate
as a profit centre. The principal financial instruments utilised are deposits and borrowings.

Facilities

The terms of the Government borrowing facilities and the associated Framework Agreement impose
constraints on the purposes for which they can be used and the availability of external borrowing. Post
Office Limited's treasury policy is to minimise the amount drawn down on the loan in order to reduce
the interest charge. The facility is limited to a maximum of £1.15bn or the amount of security available
(mainly network cash) whichever is the lower. The facility is available at 2 days’ notice.

At 31 March 2013 the company was financed as follows:

Borrower: Post Office Limited

Purpose        Interest rate* (%)   Facility end date   Facility £m   Utilised £m   Average maturity date
Network Cash   [0.8]                2016                1,150         118           2013

* Average interest rate of loan drawn down

Financial risks and related hedging
[The company is exposed to currency and commodity price risk. The company operates hedging
policies via Royal Mail Group Ltd. tbc]

Events after the reporting period
XXXXXXXXXXXXXXXX

Chris Day

Chief Financial Officer
Post Office Limited
XX June 2013


Annex 5 - Timetable showing key dates and meetings

Date              Activity

13 February       ARC meeting — review of Corporate Governance disclosures
Mid February      Provide template for year end financial statements to EY for technical review
                  prior to issuing to the Audit Committee
27 February       Post Office Board Meeting — review of key messages for year end
                  (November Board action point)
24 February       Period 11 month end hard close
4 March           Pension Committee meeting — initial review of potential year end
                  accounting assumptions for pension
March             EY perform audit procedures on Period 11 results
13 March          ARC meeting — review of template for year end financial statements
Late March        EY period 11 closing meeting
31 March          Year end
4 April           Pension Committee — phone call or by correspondence to agree pension
                  assumptions for recommendation to the Board
April             EY field work
Late April        EY year end closing meeting
20 May            For information - RMG Board meeting to approve financial statements
21 May            Audit Committee, followed by Board Meeting (as last year, subject to
                  confirmation with the Company Chairman and ARC Chairman)
                  — to approve the financial statements and delegate authority
                  (i) to the Audit Committee to undertake any further detailed review, as
                  needed; and
                  (ii) to a sub-committee of the Board to give final approval for publication
5 June            Audit Committee (subject to confirmation) - to review the final form
                  Report & Financial Statements and recommend final approval
Early June        Board Sub-Committee (subject to confirmation but usually constituted
                  of the Chief Executive and CFO) - to give final approval for publication
From early June   Announce results (subject to alignment and discussion with Royal Mail)

POST OFFICE LTD

AUDIT, RISK AND COMPLIANCE COMMITTEE
Key management personnel accounting disclosure requirements under IFRS.
1. Purpose and background

1.1 The Post Office has decided to report under IFRS and include the accounting disclosures
expected of a FTSE listed plc where applicable.

1.2 IAS 24 ‘Related Party Transactions’ has the stated objective of ensuring that financial
statements contain the disclosures necessary to draw attention to the possibility that the
financial position of the entity may have been affected by the existence of related parties and
transactions with them. These related party transactions are required to be disclosed in a
note to the financial statements.

1.3 A person is a related party if:
• they have control or joint control of the entity
• they have significant influence over the entity or
• they are a member of the key management personnel (KMP) of the reporting entity or of
a parent of the reporting entity.

1.4 The purpose of this paper is to define the KMP for the Post Office and to ask the Audit, Risk
and Compliance Committee to note that this is the definition that will be applied for the 2012-
13 financial statements.

2. Interpretation of IAS 24

2.1 IAS 24 defines KMP as 'those persons having authority and responsibility for planning,
directing and controlling the activities of the entity, directly or indirectly, including any director
(whether executive or otherwise) of that entity.’

2.2 Interpretation of the standard suggests that the definition is intended to include supervisory
boards and anyone who has responsibility for management of a significant part of the
business, although they may not hold the title of director. If these persons are carrying out
duties normally carried out by directors they are likely to be considered to be KMP.

2.3 Membership of a ‘management committee’, which takes decisions which are delegated to it
by the Board, is put forward as an example which falls within the definition of KMP. On this
basis it is likely that the members of the Executive Committee (ExCo) will be considered to
be KMP as ExCo has authority for planning, dictating and controlling the entity's activities
under delegated authority from the Board.

3. Disclosure requirements

3.1 The accounting standard requires disclosure of KMP compensation in aggregate and for
each of the five following categories:

• Short term employee benefits: Wages, salaries, social security contributions,
holiday pay, profit share, bonuses payable within 12 months of the year end, medical
care, car allowance. We expect that the 10/11 LTIP due to be paid in June 2013
would be disclosed here.

• Post-employment benefits: Pensions, life insurance, medical care. For defined
contribution schemes the disclosure should be the aggregate contributions payable
into the schemes for the KMP. Where defined benefit schemes are not operated
solely for the benefit of the KMP it is difficult to calculate the total recognised cost in
respect of the KMP. An acceptable alternative is to disclose the current service cost
attributable to the KMP.

• Other long-term benefits: Long-service or sabbatical leave, any deferred
compensation not payable within 12 months of the year end. We need to investigate if
the 11/12 or 12/13 LTIP (if approved) is required to be disclosed here.

• Termination benefits: Compensation for loss of office, ex-gratia, redundancy.

• Share-based payment: Share options and other grants of shares.

3.2 In addition to the above the general disclosure requirements of IAS 24 which apply to the
wider definition of a related party would apply to KMP. Therefore any transactions, or
balances held with KMP would also need to be disclosed. This would include any of the
following transactions if not captured by the specific disclosure requirements noted above:
• Purchases/sales of goods
• Rendering/receiving of services
• Leases
• Provisions of finance (loans)
• Guarantees

3.3 It is likely that the members of the Executive Committee (ExCo) will be considered to be
KMP as ExCo has authority for planning, dictating and controlling the entity's activities
under authority from the Board. Therefore there may be a requirement for the members of
the ExCo, as well as the Board, to sign a certification to confirm the pay they have
received during the year and that they have had no transactions of the above nature with
Post Office Limited as a company.

4. Conclusion

4.1 It is our view that, in the case of POL, the KMP would constitute the Board of Directors
and the members of ExCo and that the above disclosures would need to be made for the
POL financial statements for the year ended 31 March 2013.

5. Recommendation

5.1 The Audit, Risk and Compliance Committee is asked to:

Note that the Post Office Key Management Personnel under IAS 24 is defined to include
the members of the Post Office Board and the members of the Post Office Executive
Committee.
Chris Day
February 2013
4. Internal Audit


Confidential

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE

Internal Audit - Activity Report

1. Purpose

The purpose of this paper is to:

1.1 Inform the committee of the recent activities of the two internal audit functions.

1.2 Summarise the results of the Royal Mail audits for 2012/13 to date as requested
at the 13 November 2012 committee.

1.3 Summarise the status of recommendations.

1.4 Outline remaining audits for 2012/13.

1.5 The Committee is requested to note the activity and provide comment.

2. POLIA activity November 2012 to February 2013

2.1 Appendix 1 summarises the activity of POLIA, including coordination with the Royal
Mail Internal Audit team and the status of their recommendations made during 2012
audits.

2.2 POLIA activity has been focused mainly on RMIA coordination, team set up and
recruitment, advisory work on the Risk Management strategy including a full risk
workshop with the Finance senior team, and support to the Information Security
Finance Roadmap and Data Protection projects.

2.3 It is intended to highlight significant implementations by management in POLIA
activity summaries where appropriate going forward.

3. Royal Mail Internal Audit Activity in Post Office.

3.1 Appendices 2, 3 and 4 are provided by RMIA and summarise the results of the
Royal Mail audits, the status of recommendations and the audit plan for the remainder of FY
2012/13.

3.2 The completed and reported assignments are:

• Business Risk Assurance (reported July). This examined the overall assurance
framework in place at Post Office shortly after its separation from Royal Mail.

• Information Security Management (reported August).

• Operation of the POLSAP environment (used for Supply Chain and Finance)
(reported November).

• Supplier Contract Management (reported November).

• Horizon system — examination of items arising from the external audit
management letter (reported January).

• Network Transformation — Financial Controls (reported January).

3.3 Appendix 2 details the top findings from each of these audits and the status
reported by management to Royal Mail Internal Audit as at January 2013. The
top issues and themes from each are summarised below. Full copies of the
reports are available to the committee upon request.

Internal Audit Activity. Malcolm Zack — Head of Internal Audit Page 1 of 3

13 February 2013


Top priority issues and themes.

Whilst the audits cover different areas with differing issues, the recurring themes
are governance, coordination and oversight.

• The business risk assurance environment will benefit from more centralised
oversight and coordination. Improved visibility to the Risk and Compliance
Committee and ultimately the Audit Committee is required. It was
comparatively segmented at the time of the review, but the Risk and
Compliance team have since commenced work to update the business
controls framework and the monitoring of processes. The terms of reference
of the Risk and Compliance Committee and its linkage to the Audit and
Risk Committee have been revised and strengthened.

  o NB. The establishment of the Internal Audit function in Post Office
  since the audit will assist in improved coordination and oversight.

• The Information Security Framework was found to be fragmented across
POL and third parties, with insufficient POL resource, which did not have
enough oversight over the security activities of third parties. The audit did
recognise some improvements since the previous review. Action is being
taken to embed better information security needs in supplier contractual
requirements and within new products and services, and to develop security
training and awareness.

  o NB this audit was conducted and reported prior to the recent
  information security review undertaken by IT.

• The Post Office Finance and Supply Chain systems are operated on
POLSAP. This review assessed the general computing control
environment and also followed up on progress against the IT security
related issues raised by the 2011/12 external audit.

The review noted that improvements were needed in a number of areas, but
none of these was individually of high risk. Progress is needed to resolve
interface issues between the Post and Go system and POLSAP. Control
over leavers whose IDs still had access to the system, and clarity of
ownership of the end to end change management process, needed
addressing. The review also noted that some progress had been made in
resolving the SAP security issues from the external audit. Management
have undertaken further work since that review, and a short follow up of
POLSAP in February 2013 should reconfirm the actions taken.

Governance and formalisation was also a theme in Supplier Contract
Management, which was reported at the 13 November Audit, Risk and
Compliance Committee. The review noted that further work was needed
in the overall application of standard policies and procedures and in the
maintenance of documentation. There were differences in the way
contracts were managed, and more formalisation was needed in areas such as
documentation, legal review and the recording of key decisions such as
authorisations. Management had work underway at the time of the
review.

A review on specific IT areas of the Horizon system followed up on
findings from the external audit Management Letter on security
weaknesses noted in the 2011/12 external audit. These focused around
the use of shared generic user accounts which had privileged access, and
around security policies. Actions on these, and those arising from the POLSAP
review, have been addressed by IT and reported through to the Risk and
Compliance Committee.

- Strengthening of the financial framework for the assessment and
selection of branches for the Network Transformation conversion
programme was needed and is being implemented. There were errors in
the sample of spreadsheet tools used, and the audit highlighted that the
batching approach used was potentially allowing some branches to pass
the tests when on an individual basis they would have been marginal or
subject to further assessment. Review and approval mechanisms are in
place, and it is essential to maintain these and the improved assessment
methods given the high pace of branch conversion required.

3.4 The remaining Royal Mail internal audit activity for 2012/3 includes:

- Assurance support for the E&Y payroll controls.
- Master Data change process review (request from IT).
- Support to the Bank of England Notes Circulation Scheme - process
narrative. (This has been completed historically each year.)
- Link Scheme - annual attestation of compliance requirement. (May
commence post March 2013.)
- POLSAP security controls - final follow up and check.

Appendix 4 provides a summary.

3.5 The recommendations status is summarised in appendix 3. Forty-four actions
have been raised by Royal Mail Internal Audit for 2012, of which, as at January
2013, 18 (41%) have been reported as completed. A significant tranche are due
for completion by management through February and March. Details on the
status of each action point are available but have not been included in the papers
due to size.

4. Requested Action

4.1 The Audit, Risk and Compliance Committee is asked to:

Note the activities and status and provide comment or direction to the
Internal Audit teams.

Malcolm Zack
13 February 2013
Appendix 1 - POLIA Internal Audit Activity Summary


Summary

Highlighted Implementations — last 3 months

Royal Mail IA work on Financial Controls in Branch investments completed. LINK work
delayed because a new standard has been issued and Fujitsu need to implement this first.
Business Controls framework audit planned for February start. POL SAP follow up
underway.

POLIA recruitment underway. One individual appointed to start 4 March. Standard
documentation designed, audit plan drafted, advisory work underway in several business
areas. POLIA team expected to be in situ through May 2013. POLIA supporting
Information Security Programme through Working and Steering Committee and Data
Protection Programme. Risk Strategy for 2013/14 proposed for Executive Committee.

Key security and operational controls in the POLSAP computer environment


Ownership for end to end POLSAP change management process assigned

Key IT supplier contracts reviewed by procurement with legal support

Contractual information security requirements embedded into Transformation
programme

Activity                                          Resp        Type
Financial Controls in NT Programme                Royal Mail  Audit
Horizon - IT controls                             Royal Mail  Audit
LINK - attestation                                Royal Mail  Audit
POL SAP Follow up                                 Royal Mail  Audit
Change controls over master data                  Royal Mail  Audit
Information Security Project - Buffalo            MZ          Advisory
Data Protection Project - review of methods/output MZ         Advisory
E&Y liaison and status                            MZ          External Audit
Assurance Mapping/3 lines of defence              MZ          Advisory
Team set up and recruitment                       MZ          Set up
2013/4 Objectives and plans                       MZ          Set up
Risk Management Framework/Strategy                MZ          Risk Mgt
Finance Risk Assessment and Mapping               MZ          Risk Mgt
Treasury Risk Framework                           MZ          Advisory
Induction, branch and cash centre visits          MZ          Set up
Bank of Ireland Liaison                           MZ          Set up
Finance Systems - Project                         MZ          Advisory
IA benchmarking - other Post Office IA depts      MZ          Set up

Recommendations status - Royal Mail - Jan 25 2013

Total raised in current year - 44
# reported as completed by management - 18
# reported as in progress/on track - 26

8 actions in progress due to be completed by end of
January, 2 in February. The next major tranche of
actions will be due by end of March.

None reported as significantly overdue. See
appendix 3 from Royal Mail Internal Audit.

Recommendations Status — POLIA raised actions

Reporting will commence in FY 2013/14.

COMPLETED ASSIGNMENTS
Commentary:

Key Business Risk Assurance

Findings -

Developing an assurance framework: POL need to do more work to identify the assurance required by the business against that which is currently
undertaken. Analysis by POL in 2012 highlighted some key gaps, but further work is needed to ensure assurance requirements are identified and met.
Implementing an integrated assurance model: Central management of compliance and assurance across the business has become outdated and
requires more formalisation to ensure clear ownership and oversight. An updated integrated controls assurance framework is now under development.
Monitoring of business critical processes: The critical business process schedule has not been maintained nor have the processes been recently
assessed. Compliance recognised this in April 2012 and have drafted a proposal to establish a suitable internal controls framework.

Reporting to the Risk and Compliance Committee (R&CC): There was overly detailed reporting of the findings and results of assurance activity to the
R&CC making it difficult to identify significant issues. This is being addressed by the re-focus of the R&CC on key risks and issues arising from assurance
activity.

Consistency of supplier compliance assurance: Although a number of key contracts require suppliers to provide POL management with evidence that
they are meeting their contractual obligations, and allow POL to audit this information, this is not standard across all suppliers.

What is being done —

Developing an assurance framework: The key assurance requirements are to be confirmed, and any gaps in the provision of compliance and assurance
activity will be identified.

Implementing an integrated assurance model: An internal controls and assurance framework is to be developed and deployed, with executive level
ownership, which covers entity level controls to ensure against key business risks and obligations.

Monitoring of business critical processes: Critical business processes will be identified and the executive level ownership of these processes will be
confirmed and agreed. Self assessment and independent validation of these processes and the associated key controls will be defined and implemented.
Reporting to the Risk and Compliance Committee (R&CC): The revised R&CC terms of reference has been agreed. There is now monitoring of
management reporting to ensure there is sufficient focus on key risk and compliance issues for management review and direction of mitigating actions.


Consistency of supplier compliance assurance: Standard contract terms and conditions are being developed to allow POL to maintain appropriately
transparent arrangements and monitoring of performance with all key suppliers.


Information Security

Findings -

The control environment is somewhat fragmented with control over Information Security activities spread across third party providers and within teams in
both RMG and POL. The POL Information Security team have made a number of improvements to the control environment over the past two years,
including to Payment Card Industry (PCI) requirements and risk management, and POL has a direct relationship with Fujitsu which, from an Information
Security perspective, is now well managed.

The Information Security team is not provided with sufficient information to have adequate oversight of the frequency and effectiveness of a number of
activities provided by RMG, CSC, and other third parties. These activities include user access, IT asset management, and threat and vulnerability
management. Some other activities do not have well documented audit trails and are not always undertaken in a structured manner, including compliance
management and training.

The POL Information Security function appears somewhat under-resourced. The Information Security team has recognised that investment in resources
and technology is required to alleviate weaknesses in the current control environment.

What is being done -

- Contractual requirements for Information Security (including risk, access, asset, threat and vulnerability management) are to be embedded in the new
supplier requirements as part of the IT & Change Transformation Programme.

- A process is to be developed to enhance and monitor the engagement between the Information Security function and new product and service projects to
ensure that Information Security requirements are embedded before the services are made available to customers.

- Compliance with ISO 27001 certification is to be reviewed, and a process to monitor and performance manage compliance will be developed and deployed.

- Information Security policies are to be communicated that i) require new starters to sign off acceptance of the user policy before being granted access and
ii) make business process owners responsible for the regular performance of user access and system role reviews. A new process will monitor compliance
with these controls.

- The accuracy of the IT hardware and software asset register is to be confirmed, and a process established to manage information assets in future.

- A process for identifying and reacting to Information Security threats is to be developed, and appropriate specialist resource will be made available to
deliver this process. Regular internal vulnerability scanning for high risk Information Security services will be implemented, including those currently
managed by RMG.

- A training and testing strategy and plan will be implemented that incorporates annual testing, and the results will be reported to senior management.

POLSAP
Findings —

Transaction data: The responsibility for reviewing exceptions on the Paystation and Post&Go to POLSAP interfaces has not been defined. The review
identified that there are approximately 800 issues which are being investigated in relation to the completeness of the Post&Go interface, some of which are
several years old. There are no predefined service levels for the resolution of these issues specified in the contract with the third party, Wincor.

Access to software: One of the 25 new and modified user access requests sampled was not correctly documented as approved, and another request
was processed as a temporary role change in error when it was a permanent change. Further testing identified six users within the P&BA team that had
left the business but still had active accounts, and nine users where the user had a role that needed removing from their profile.

Change management: Whilst a formal change management process is in place, the responsibility for the end-to-end process has not been defined.
Sample testing identified one change that had not been communicated to the POLSAP testing team.

Supplier service provision: The scope of the monthly reviews with third party suppliers has not been defined, and the results are not reported to the
Information Security Management Forum.

The 2011/12 E&Y Management Letter identified a number of areas for improving POLSAP system controls. The IA&RM review identified that there are
some areas where further work is required, where the completed action has yet to be evidenced in the operation of the control. It should be noted that
there are some completed actions that have not been in place for the entire financial year.


What is being done -

Transaction data: Responsibility for monitoring the accuracy and completeness of the interfaces between Paystation, Post&Go and POLSAP has been
assigned to appropriate members of staff. Service level agreements between POL and Wincor for the timely resolution of transaction data errors during
the interfaces between Paystation, Post&Go and POLSAP are being drafted.

Access to software: A review of POLSAP user access in POL P&BA, Supply Chain, Steria and Fujitsu is scheduled for Q3 2012/13. The process for
identifying and taking action on POLSAP user accounts where the user has left the business is to be reviewed.

Change management: All POLSAP changes that require user acceptance testing will be routed to the POLSAP testing team prior to implementation.

Supplier service provision: Third party user access reviews are to be assessed to ensure that the scope includes all areas of the application that POL
determines as priority for review. The results of the third party user access reviews will be documented within the minutes of the Information Security
Management Forum.

Outstanding E&Y recommendations: All remaining actions are to be completed by the end of Q3 2012/13. IA&RM will review this progress.


Supplier Contract Management

Findings —

Governance Policies and Procedures: Although individual working practices have been developed for each supplier contract, ranging from contract
administration to commercial contract management, there are no formal standard policies and procedures that cover the whole Contract Management
function, although these are under development. There are inconsistencies between contracts over activities including risk management, supplier
engagement, relationship management, and review of service provision.

Documentation of Changes: There is a formal process in place to ensure that changes are agreed with the supplier and POL stakeholders and reviewed
by contract management before implementation. However, contract documentation, authorisations and other key documents such as minutes of
governance meetings were often stored on local hard drives rather than in a central repository. Some authorisations are informally recorded in email
correspondence and in the sample reviewed were not always sufficiently clear to evidence whether approval had been provided.

Legal Services Review: Although Contract Managers consult Legal on contract changes, there is no agreed formal process for them to review or sign off
on contract amendments, nor is there a process for Legal to review or audit contracts on a regular basis. A formal process is currently under development
between Contract Management and Legal.

Benchmarking: The right to undertake benchmarking is not included in all key contracts.

Exit Plans: Sample testing identified that the exit clause in the Ingenico contract does not specify which party bears the exit costs, and the exit clause in
the Fujitsu contract is unclear as to how Intellectual Property Rights (IPR) to the Horizon system would be transferred to POL. The Fujitsu IPR issue is
currently being managed through the IT Transformation Programme.

What is being done —

Governance Policies and Procedures: Formal policies and procedures across the Contract Management function are under development, along with a
formal process for the risk management of all supplier contracts.

Documentation of Changes: A single document repository for all authorised changes and a process to review compliance with documentation processes
are to be implemented.

Legal Services Review: A formal process to obtain Legal concurrence for changes to contract terms and conditions is currently being developed.
Benchmarking: A process to identify and assess opportunities to benchmark key supplier performance is to be implemented.

Exit Plans: Key supplier contracts are to be reviewed to ensure that the contracts cover: responsibilities for exit costs in the event that a supplier gives
notice; licences for supplier owned software; and, access to data post exit.


Horizon E&Y Management Letter Actions

Findings -

Generic privileged accounts: Generic privileged accounts remain in use on Horizon by Fujitsu.

Password parameters: E&Y recommended that POL operate a single Information Security Policy, however POL management use two separate policies,
one for Horizon and one for POLSAP respectively.

In addition, POL management have not completed the E&Y recommendation to review key password parameters, as these have not been defined.
Testing also identified two password parameters configured in the Horizon application that did not comply with the Horizon Security Policy.

What is being done -

Generic privileged accounts: A paper was presented to the November POL Risk and Compliance Committee where any residual business risks
associated with this control were accepted by IT and Change on behalf of the business.

Password parameters: Any residual business risks associated with POL having two separate security polices for Horizon and POLSAP were accepted by
IT and Change on behalf of the business at the November POL Risk and Compliance Committee meeting.

Key password parameters are to be reviewed and defined, and the Horizon Security Policy is to be reviewed and changed to reflect the findings of this
review. In addition the process for manually changing privileged account passwords on the Oracle databases and Linux operating systems is documented
within the Horizon Security Policy.

Key password parameters will be reviewed on a periodic basis. Once defined, management will perform a review of key password parameters to ensure
that the third party supplier is implementing the Horizon Security Policy.

Network Transformation Financial Controls
Findings —
Review and authorisation of investment costs pipeline: The control that is designed to assess (pass / fail) batches and individual branches has not
worked effectively, as evidenced by:
- Errors identified in the control spreadsheets used by Network Transformation (NT) and Finance teams (subsequently rectified);
- Design of the spreadsheet used by Finance is such that, on an individual basis, all branches will pass the initial review;
- A commercial decision was taken to pass two batches that were escalated on the basis of the initial review. The high costs associated with branches in
these batches are distorting the cumulative figures that are designed to be used as part of the decision process; and,
- No reconciliation between the source data received from Network and that processed by Finance.

Financial Assessment prior to the branch proceed decision: Controls are in place to prevent investment in high risk branches. However, poor quality
of documentation received from Agents results in duplication of effort, leading to delays in the process. Short term revisions to the test for risks have been
introduced and have accelerated the processing of branches for inclusion in the programme. This does not weaken the control, as branches cannot proceed to
contract stage without having passed the full risk assessment.

No controls have been put in place in relation to the following:

+ Joint approval by Finance and Network to proceed to contract stage. However, if the actions identified by Finance to strengthen other controls are
completed then POL should give consideration to the need for this control.

+ Review, validation and approval by Finance of all contract data prior to release of contracts for agent signature, or prior to POL signature on return of
signed contracts from the agent.


What is being done -

Review and authorisation of investment costs pipeline: The existing processes have been reviewed to ensure that both elements of the control (i.e.
branch and batch) are achieved. Sample checks of investment batches are to be performed to ensure they have been processed accurately within
Finance. Investment batch data is to be reconciled to that provided by the Supply team.

Financial Assessment prior to the branch proceed decision: The process for escalation of branches with one / two issues from the financial
assessment is to be documented as part of the control framework. In conjunction with the Network team, a document is to be produced outlining the
financial assessment process, detailing the specific requirements for use by Agents when completing their finance assessment pack.

Other controls: The need for a control requiring joint approval to proceed to contract stage is to be re-considered in light of the other improvement activity listed
above. A mechanism is to be introduced to ensure that the finance information that is to be included in the agent's contract is reviewed by Finance on a
sample basis prior to the contract being sent out.

Appendix 3 - Summary of IARM Actions

Key:
- Not yet due but ability to deliver is in doubt OR Overdue and ability to deliver is in doubt
- Not yet due, but significant slippage expected OR Currently overdue
- Not yet due, but some slippage expected
- Not yet due, but on target
- Action Completed

[Chart: Summary of actions by month due - Due Jun 12, Sep 12, Oct 12, Nov 12, Dec 12, Feb 13, Mar 13]

[Chart: Summary of actions by review - Business Risk Assurance; Key Controls in POLSAP. No. of actions shown on a scale of 8 to 16]

500 days as agreed per RMG/ POL MSA. So far three assignments (Payroll Data Analytics, Agents Remuneration and Business Risk) cancelled totalling 120 days, replaced by additions below.

Purists names ib porno mand ou
Ne neue attestation of compliance requirement. reese I Al Mey 2013 co a 2 Seidnpee defer tadielaate erage Gti
Fwrour scat
ciation cnt (secre se oa sowmmemntI psy » 2 a eee
caveat ore rh an Pp [seas I iceey » en ere
ey le or CT) rr Soe
awarmanciy fmisinarer Raa AA cAI ARITA] aww I . i a ree
‘mercer fn ch om ent re ston I y 10nd
Namcraierstwme — fonodrenemransin ono mmriandbintcanin site tanotinged. I sone I may B 5 fepeeenarey
sb Tot tom Bom 0m
rnd Tota sooo 212.0%" 384d
4. Internal Audit

POL00423141

POL00423141

Confidential

POST OFFICE LTD AUDIT, RISK AND COMPLIANCE COMMITTEE

Post Office Limited Internal Audit
Status and proposed 2013/4 plan

1. Purpose

The purpose of this paper is to:

1.1 Outline the status of the set up and recruitment of the Post Office Limited
Internal Audit (POLIA) team.

1.2 Outline the proposed internal audit plan for Post Office for Financial year
2013/2014.

1.3 Outline the resourcing approach for the above.

1.4 Request final direction and approval from the Audit and Risk Committee of the
audit plan and resourcing.

2. Background

2.1 The Royal Mail Internal Audit function has been engaged to provide internal audit
services while Post Office sets up its own function. The ARC on November 13
2012 supported the proposal by the POL Head of Internal Audit of three Internal
Audit Managers supported by a co-source arrangement with an external provider.
The three roles will work across the business but with some specialist focus and
background.

- Audit Manager - IT
- Audit Manager - Programmes and Projects
- Audit Manager - Network and Supply Chain

2.2 The latter two roles are more generalist and are expected to devote
approximately 50% of their time to the specialist areas.

2.3 The co-source arrangement is currently budgeted for 100 man days (half a man
year) and will support the team where specific expertise or additional temporary
headcount is needed for certain audits or reviews. All co-source staff will be
under the direct supervision of POLIA.

2.4 The Royal Mail Internal Audit team were originally contracted by management in
2012 to provide an agreed audit plan and support for 2012/13 totalling 500 man
days up to 31 March 2013.

2.5 Internal Audit represents the 3rd line of defence in the model of risk management
and control. Post Office also has several functions in the 2nd line of defence,
including a Supply Chain Compliance Team who conduct compliance against a
number of external standards across the cash centres, and the Field Support
Advisors who conduct audits of cash and valued stock at branches with some
compliance work. These report through to management, not Internal Audit. This
paper therefore focuses on the plans for Internal Audit.

Internal Audit Plan 2013/14 Malcolm Zack — Head of Internal Audit Page 1 of 4

13 February 2013

3. Current Situation

[Organisation chart]
Malcolm Zack, Head of Internal Audit (previous 3 roles: Brakes, Visa, Sainsburys)
Reporting to the Head of Internal Audit:
- Vacancy: Audit Manager IT
- Vacancy: Audit Manager Programmes/projects
- Garry Hooton: Audit Manager Network/Supply Chain (Brakes, Superdrug, Forte), joins March 2013

3.1 At the time of writing, the Audit Manager - Network and Supply Chain is due to
start on 4 March 2013. Recruitment for the IT Audit Manager is at interview
stage and the search process for the third role is just completing.

3.2 Due to notice periods, it is unlikely that the team will reach full complement before
May 2013.

3.3 The business has used approximately 400 man days of the 500 originally agreed
with Royal Mail. This is mainly due to delays and some cancellations of audits
earlier in the year. Royal Mail have indicated that they would be prepared to run
this over into Q1 if required.

3.4 The co-sourcing arrangement has recently commenced tendering through
government procurement processes. This is likely to run through to May before
finalised.

3.5 Recommendation 1
It is recommended that, rather than a "hard break" with the Royal Mail on 31
March 2013 as originally planned, the remaining contracted 100 days be
utilised to good effect in Q1 2013/4 while the POLIA team arrives and is
inducted. The exit from Royal Mail support will be completed by 30 June at the
latest. This provides the following benefits:

- Allows POLIA to complete recruitment, proper arrival and induction.
- Maintains internal audit activity.
- Allows POLIA audits to commence in the branch and cash areas.
- Smooths the transition.
- Utilises contracted days as far as possible.

The 2013/14 plan therefore provides for Royal Mail to conduct follow up work on
its 2012 audits and complete remaining work.

The ARC is requested to approve the resourcing recommendation.

4. Construction of the Internal Audit Plan 2013/2014

4.1 The traditional approach for formulating an audit plan would take into account the
organisation's information in its risk registers and the Board's top risks, complemented
by Internal Audit's own views based upon management input and previous
experiences and audits.

4.2 However, the company risk management processes are still evolving, with
bottom up risks yet to be fully complemented by a top down review; the company
view of risk is thus still in formation. Therefore the 2013/2014 internal audit plan
has been built based on the following.

- Risks structured around risk types.

- Risks identified during induction and visits to business sites and discussions
with POL management.

- Risks documented by the risk and compliance team and presented to the
Risk and Compliance committee.

- IA review of risk registers.

- Discussions with the Royal Mail Internal Audit team and Director.

4.3 The plan for 2013/14 recognises the following, outlined in section 3.

- POL Internal Audit team recruitment in progress; staff will be arriving during
Q4 2013 and early Q1 2013/2014 and going through induction.

- Some finalisation of 2012/2013 Royal Mail IA work needed.

- Flexible approach required.

- ARC to review at each quarter.

- Co-sourcing going through tender for availability post April 2013.

- The need for the POL IA team to gain knowledge of PO processes through
the year.

5. Summary of Plan and candidate list

5.1 The Committee is referred to the "Plan on a Page" in Appendix 1. This shows a
"candidate list" with suggested priorities. The list is deliberately more than the
team will be able to conduct in the year so that the audit committee can input on
priorities and preferences. The committee is also referred to appendix 2, which
explains the reviews in more detail.

5.2 The audit plan is currently weighted towards quarters 2 and 3. This six month period
will be when the POLIA audit team gains traction. Quarter 4 (Jan to Mar 14) is
left light to allow for changing business risks and priorities, requests from
management or the ARC which will arise, or to accommodate Q3 audits that
require more time than anticipated. The plan assumes an annual man day
availability of 200 man days per audit manager but plans for 80% (160 days).

5.3 The plan should allow for advisory work and ongoing support to business areas
besides specific audits.

5.3.1 The Committee should note that the team will be involved in supporting
key areas such as the development of the risk management framework.

5.4 The plan will be reviewed quarterly with the ARC to allow for reprioritisation as
necessary.

5.5 Any request received from management which upon review requires significant
resource or reorganisation of the plan will be discussed with the Audit Committee
Chairman. Small requests that can be easily accommodated and are of sufficient
risk will be managed by the team.

5.6 The main themes for the POLIA in its first full year are:

- Providing on-going assurance over the change programmes,
including Finance SAP, Network Transformation, the IT Change
programme and the overall management by the Strategic Programme
Management Office.

- Establishing stronger assurance over the management of cash in the
supply chain and the supply chain compliance teams, and examination of the
effectiveness of the branch auditing methods, scope and techniques.

- Focusing on key IT risks including security, protection of personal data
and access, and governance around the System Integration.

- A mix of strategic areas complemented by assurance work
over operational areas.

6. Recommendations

6.1 The Audit Committee members are requested to:
• Review the proposed plan.
• Determine the relative priorities as suggested.
• Provide any necessary direction or amendment.
• Approve the plan and the flexible resourcing approach.
6.2 An approved copy will be circulated to the Risk and Compliance committee and
Executive Committee members.
Malcolm Zack
13 February 2013
Appendix 1: Plan on a Page (candidate list)

[The risk-category tick columns of the original chart are not recoverable from the scan; quarter, audit and man days are listed below.]

Quarter | Audit | Man days
Q1 | Royal Mail IA - Follow ups of 2012 audits | n/a
Q1 | Royal Mail IA - Completion of LINK review | n/a
Q1 | Royal Mail IA - Completion of Critical Business Controls Framework | n/a
Q1 | Royal Mail IA - ISO 27001 review of AEI system (mgt request) |
Q1 | Network security configuration | 20
Q1 | Cash Centre Audits - Observation of approach - level of assurance gained from 2nd line defence team | 25
Q1 | Swindon Stores - Operations Review | 20
Q2 | Benefits Realisation - Management and Methods | 25
Q2 | Management of the SPMO | 15
Q2 | Data Security - controls around protection of personal data | 30
Q2 | Treasury - Review of procedures and control framework | 20
Q2 | Branch Audits - Assessment of approach used by the Network Audit teams and Assurance gained | 30
Q2 | Software Licence review | 15
Q2 | SAP Security - POL SAP - short random reviews | 7
Q2 | SAP Security - HR SAP | 15
Q2 | Eagle Contract - Application of controls and processes agreed | 20
Q3 | Business Continuity - Readiness assessment | 20
Q3 | Policy Compliance assessment - Anti-Bribery and AML | 30
Q3 | Systems Integrator - Review of Governance model employed | 15
Q3 | Branch Audits and Losses | 20
Q3 | Transformed branches - review of value vs investment | 20
Q3 | Branch Profile Model - review of use | 10
Q3 | Foreign Exchange - management of end to end process | 25
Q3 | Manchester Cash centre - management of closure | 15
Q3 | Information Security Governance - review of improvement plan and its application | 15
Q3 | IT change management | 15
Q3 | Board effectiveness review/Executive Committee Effectiveness | 10
Q4 | Social media - management of risk | 15
Q4 | Complaints Management | (illegible)
Q4 | Expense Management | 0
Q4 | Penetration Testing | 0
Q4 | PCI - DSS | 0
Q4 | OR - roll over of Q3 audits if more time needed |
Q1-Q4 | Project/Programme Audits: |
Q1-Q4 | Finance Systems - SAP - Core Finance/MI | 40
Q1-Q4 | Network Transformation Programme | 40
Q1-Q4 | IT & Change programme | 40
Q1-Q4 | E&Y liaison | 5
Q1-Q4 | Risk Management support to business/liaison with Head of Risk | 20
Q1-Q4 | Objectives and personal development requirements | 10
Q1 | Royal Mail IA - finalisation/administrative work | 3
Q1-Q4 | Committee support (ARC, R&CC etc) | 5

Man days assigned: 617
Budget - 3 managers at 160 days (pre contingency): 480
Contingency: 120
Total days @ 200 man days per year: 600
To allocate: -137

Appendix 2 Details of Proposed Reviews

Columns: Type; Description (with priority A, B or C where given); Outline of Review; Risk Sources.

Type: Strategic
Description: Benefits Realisation - Management and Methods (A)
Outline of Review: A review of the overall approach for transformation, and application of guidance issued to selected individual projects, and the measurement methods being used. The risk is that projects and programmes don't apply sufficient data/metrics before and during the programme to enable the project to be properly assessed during and post implementation.
Risk Sources: Transformation Programme Risk Map: "Benefits of Crown transformation are not realised to support breakeven objective"; "Benefits planned as part of the agreed business cases are not robust and are not realised as planned". BAU top 12 risks: "Risk that benefits from strategic programmes are not implemented or achieved".

Type: Strategic
Description: Management of the Strategic Programme Management Office (A)
Outline of Review: The SPMO provides the programme management for the Transformation Programme. Its information and guidance to the Transformation Board is critical for decision making. As part of the Internal Audit ongoing review of projects and programmes in Post Office, this function needs to be amongst the first reviews so that the overall state of management control can be confirmed.
Risk Sources: Internal Audit Assessment. The SPMO is a key coordinating body for the strategic programme.

Type: Strategic
Description: Transformed Branches (B)
Outline of Review: Branches that have been converted. How has performance altered? Are benefits being measured and are the results as expected?
Risk Sources: Internal Audit Assessment. The Royal Mail internal audit focused on financial controls for selecting and evaluating branches for conversion and the investment to be made available. This review is effectively a post implementation assessment.

Type: Strategic
Description: Systems Integrator - Governance (B)
Outline of Review: A key change in the management of the IT infrastructure is the establishment of a Systems Integrator to manage the key suppliers to Post Office IT. Governance of the relationship between the SI, Post Office and the 3rd parties will be an essential component of the future IT operations. Area of risk identified by CIO.
Risk Sources: IT Team/CIO Risk Discussion with Internal Audit.

Type: Strategic
Description: Finance Systems programme
Outline of Review: Ongoing programme/project assurance role focusing on governance, risk management, issue management, control design, IST, UAT, Go/No go criteria, PIT.
Risk Sources: Transformation Programme Risk Map: "Finance Transformation - Emerging IT separation/support services approaches impact current FTP business case and plan". Finance Risk Map (Dec 12).

Type: Strategic
Description: Network Transformation Programme
Outline of Review: Ongoing Programme/project assurance role focusing on governance, risk management, issue management, branch conversion roll out, changes in process and link to the network audit team work.
Risk Sources: Internal Audit Assessment.

Type: Strategic
Description: IT and Change Programme
Outline of Review: Ongoing Programme/project assurance role focusing on governance, risk management, issue management, changes in systems which will feed into future IT audit work.
Risk Sources: Internal Audit Assessment.

Type: IT
Description: Network security configuration
Outline of Review: A review of the security of the local area network and how IT prevents unauthorised access to sensitive data. Complement to security reviews conducted in 2012 on SAP and Horizon.
Risk Sources: Internal Audit Assessment and Top 12 BAU risk Map: "IT&C Information security governance, processes and resourcing is not adequate to effectively protect the Post Office from accidental damage, theft or misuse of its data".

Type: IT
Description: SAP Security - POL SAP random audits
Outline of Review: Randomised short reviews to ensure actions taken following the external audit review in 2011 y/e remain effective. SAP Security and User Administration: random checks of key parameters; ongoing assurance/identification of changes.
Risk Sources: Internal Audit Assessment and Top 12 BAU risk Map ("IT&C Information security governance, processes and resourcing is not adequate..." risk quoted above).

Type: IT
Description: SAP Security - HR SAP (B)
Outline of Review: SAP security in past years was not reviewed within the HR system, only POL SAP (Finance and Supply Chain). Basic configuration review plus review to ensure appropriate segregation of duties and control of access to personal data.
Risk Sources: Internal Audit Assessment and Top 12 BAU risk Map ("IT&C Information security governance, processes and resourcing is not adequate..." risk quoted above).

Type: IT
Description: Data Security - controls around protection of data (A)
Outline of Review: Derived from the IS Information Security review underway as at Q3 2012/3. The top 12 information assets have been defined by IT. This review will test the logical and physical controls being placed around the personal data at risk.
Risk Sources: Internal Audit Assessment and Top 12 BAU risk Map ("IT&C Information security governance, processes and resourcing is not adequate..." risk quoted above); "POL fails to comply with Data Protection Legislation".

Type: IT
Description: Software Licence review (B)
Outline of Review: Due to the separation of Royal Mail and Post Office, there remains some risk that software licences may have not been properly assigned or applied. Software licensing review: unlicensed risks, duplication and cost risks, process for obtaining, granting, managing and removal of licences, legal. Guidance of users. Tools for detecting. Breach of licensing can result in fines and penalties but most significantly in damage to reputation.
Risk Sources: Internal Audit assessment.

Type: IT
Description: Information Security Governance (B)
Outline of Review: Review of the application of recommendations anticipated from the 2012/3 Deloitte review following Project Buffalo.
Risk Sources: Internal Audit Assessment and Top 12 BAU risk Map ("IT&C Information security governance, processes and resourcing is not adequate..." risk quoted above).

Type: Core Operations
Description: Branch Audits - Assessment of Assurance
Outline of Review: Detailed examination of the branch auditing processes. Assessment of scope, branch coverage and auditing techniques. Assessment of the degree of assurance that the board can obtain from current approaches.
Risk Sources: Internal Audit Assessment.

Type: Core Operations
Description: Swindon Stores - Operations Review
Outline of Review: Swindon is a core operational site supporting the valued and non-valued stock distribution across Post Office. It was last reviewed in 2010. Some parts significantly automated, others manual. Key risks include security, financial loss, continuity to branches and general operations.
Risk Sources: Internal Audit Assessment.

Type: Core Operations
Description: Supply Chain Compliance - Cash Centres Assessment of Assurance
Outline of Review: Detailed examination of the cash centre auditing processes. Assessment of scope, branch coverage and auditing techniques. Assessment of the degree of assurance that the board can obtain from current approaches.
Risk Sources: Internal Audit Assessment.

Type: Core Operations
Description: Business Continuity - Readiness assessment
Outline of Review: Assessment of the actual plans in place across key operational and business sites in POL. Whilst a project is underway to establish a full Business Continuity Management process and policy, documents and plans exist in various locations. The audit will determine the company's readiness and ability to react quickly after notification of a major incident. Review of current in-progress BCM policy and procedures and future plans. Link to management of company reputation. Includes IT Disaster Recovery/Incident management.
Risk Sources: Internal Audit Assessment and top 12 BAU risk Map: "Loss or unavailability of IT Infrastructure".

Type: Core Operations
Description: Management of Branch Losses
Outline of Review: Linked to the network audit assessment. Review of how the company captures, assesses, prevents and recovers cash losses identified in the branch network. May be extended to the cash centres.
Risk Sources: Management suggestion and IA assessment.

Type: Core Operations
Description: Branch Profile Model
Outline of Review: Linked to Branch Auditing, fraud management, losses and physical security. The model helps the Security team and Finance Operations identify branches that may need specific audit attention or investigation. The model has been recently revamped and improved. Review to determine its effectiveness in driving branch selection and identifying anomalies.
Risk Sources: IA Assessment.

Type: Finance
Description: Treasury - Assessment of management processes (A)
Outline of Review: Review of the governance, risk management, processes and controls employed by the newly established POL treasury function following the separation from Royal Mail.
Risk Sources: IA assessment - complexity of risk and discussion with Treasury Management.

Type: Finance
Description: Treasury - Cash Management process and controls (A)
Outline of Review: Review of the process, controls, decision making and authorisation for managing the amount of cash to be held in the branch network vs balances in cash centres or with the Bank of England. Optimisation of interest earnings vs sufficient stock in the network.
Risk Sources: IA assessment - complexity of risk and discussion with Treasury Management.

Type: Finance/Core Operations
Description: Management of Foreign Exchange (B)
Outline of Review: End to End review of the management of foreign exchange in branches, to cash centres including Hemel Hempstead, and compliance to Treasury decisions and policy.
Risk Sources: IA Assessment.

Type: Governance
Description: Policy Compliance assessment (B)
Outline of Review: ARC request to test compliance to policies. As there are over 100 business policies, this review cannot test compliance to all of them in one review. Some of these will form part of other reviews. It is proposed to select 3-4 key policies for testing in 2013. Suggested areas include AML, Anti-Bribery and Data Protection compliance.
Risk Sources: ARC request - Nov 13 2012 meeting.

Type: Governance
Description: Board/Executive Committee effectiveness review (B)
Outline of Review: The POL Board and Executive Committee will be in their second year of operation since separation. The board and its committees are an essential part of corporate Governance. This review has been suggested by the head of HR and Corporate Services. It may benefit by being a joint review with the Head of Internal Audit and a specialist 3rd party evaluator. Areas include: role of the Board and Directors, Board support and role of company secretary, decision making, composition and succession planning, performance evaluation, Audit, Risk and Remuneration, relations with Shareholders.
Risk Sources: Management suggestion and IA assessment.

Type: Financial Services
Description: Eagle Contract (B)
Outline of Review: Review of application of controls agreed in contract, payments and operation of governance.
Risk Sources: Management suggestion - subject to further discussion.

Type: Other Operational
Description: Complaints Management (C)
Outline of Review: Complaints are aggregated by Service Management and reported upwards. Due to the customer service and reputation risks involved, effective complaints management can build opportunity from customer feedback, encourage company learning and correct process and policy. The review will focus on the completeness of the information gathering, the analysis and reporting and the action taken by affected business areas.
Risk Sources: Management suggestion and IA assessment.

Type: Other Operational
Description: Expense Management (C)
Outline of Review: Expense Management. Approx £5-£6m processed annually through the SAP HR system (excludes direct booked with Capita). Whilst not a large business risk, expense fraud and irregularities are common among organisations. Much may be of low materiality, but for public organisations abuse/misuse of expenses by management, especially senior management, has reputational impact (MPs, local authority leaders for example). This can be as damaging on the organisation as it is on the individual regardless of the levels involved.
Risk Sources: IA assessment. Can be considered low risk/impact by management but a common problem with reputational risk.

Type: Other Operational
Description: Social media - management of risk (B)
Outline of Review: Social media presents opportunity for Post Office. The immediacy of social networks and tools and instant communication increases the risk of reputational damage either maliciously or unintentionally. Review of company policy over usage by communications staff and general staff and its application. Assessment of the residual risk facing the organisation.
Risk Sources: IA Assessment - emerging trend.

Type: Other Operational
Description: Review of Penetration Testing (C)
Outline of Review: Penetration testing is usually exercised by third parties who attempt to break through an organisation's firewalls and logical defences. Weaknesses identified should be followed up by management. This review would focus on the scope of penetration testing employed, the results and action taken by management. Links to general information security and data security/governance activity underway in the business.
Risk Sources: IA Assessment - link to general information security risks.

Type: Other Operational
Description: Management of Manchester closure (B)
Outline of Review: The Cash centre may be closed during 2013. As this will hold significant assets, there is some risk of loss. A short review of the approach and methods of business transfer to other sites could be considered, including verification of physical assets and equipment for transfer, sale or disposal.
Risk Sources: IA Suggestion.

Type: Other Operational
Description: Review of PCI DSS compliance audits (B)
Outline of Review: Overview of the PCI compliance programme managed by Information Security.
Risk Sources: IA Assessment - link to general information security risks.

5. Specific matters referred by the Board to ARC

Strictly Confidential

POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE

Information Security and Data Asset Review

1. Purpose

The purpose of this paper is to:

1.1. Provide the Committee with an update on developments, progress and actions with
the Information Security agenda for Post Office. It is for noting purposes only.

2. Background

2.1. Since our update to the Committee in November, we have been progressing three
strands of Information Security activity, with the majority of actions completed and a
new plan generated:

• Priority action plan: this covers a range of priority activities that are focused on
improving our current Information Security controls and management;

• Data asset review: this is focused on producing an initial assessment of Post
Office's top 13 supplier/partner contracts. These were categorised by potential for
significant reputational risk should we encounter a loss of our business
information;

• Independent review of Post Office's Information Security: this was to provide an
independent view of Post Office's information security approach and a road map
of improvement activity.

2.2 This paper provides an update and actions on each of the above areas.

3. Priority action plan

3.1. The following priority actions have been completed since November:

• Post Office staff have been reminded about the importance of protecting
information by Data Protection awareness communication.

• The Privacy / Data Protection Governance structure has been presented to and
approved by the Risk & Compliance Committee.

• The Major Incident Management process has been reviewed, and
improvements have been implemented, to ensure an early alert mechanism
for escalating potential security breaches to the attention of senior managers.

• The Clear Desk and Screen Policy has been reviewed and communicated via the
senior leadership team; assurance activity is in place to ensure compliance.

• Information Security training for new staff and annual refresher training for all
staff has been finalised and will be rolled out in March.

Information Security and Data Asset Review Lesley Sewell Page 1 of 5

February 2013

• The Post Office Information Security Policy has been reviewed and will be
published through the Risk & Compliance Committee.

• A Data Protection Handbook providing guidance and process has been
drafted and will be rolled out to branches via Horizon and Branch Focus in Q1.

4. Data Asset Review

4.1 We have continued the review of our top ranked data assets held by third parties on
behalf of Post Office. A model has been developed to enable a quantitative
assessment to be carried out, and this work has identified the top 13 risk areas, which
are viewed as carrying the highest risk to brand and to customer privacy
protection. The core contracts have been reviewed by our external law firm, and the
Information Security risk has been assessed internally; other supplementary contracts
in the chain are in the process of being reviewed. From the review the following points
are noteworthy:

4.2 Bank of Ireland, whilst not currently ISO 27001 compliant, are working towards this
standard and are two thirds of the way through the process. At this stage in the
review we have not identified any significant areas for concern, but we are continuing
our work with Bank of Ireland to understand their supply chain in more detail.

4.3 RAPP who manage and host the Marketing database for Post Office hold a
significant amount of personal and account data. We understand their security
architecture which is ISO 27001 certified and the measures they take to protect Post
Office data. We are currently reviewing the amount of customer and account data
being maintained, to ensure it is appropriate and further review of the contract is
underway.

4.4 Our top 13 contracts have been reviewed with regard to Data Protection and to
understanding our position from an ICO (Information Commissioner's Office)
perspective: whether we are likely to be considered a controller of the data or a
processor. In the majority of cases the contracts are clear; however, there are some
exceptions which do require further investigation. Further work is required to clarify
whether operational practices accurately reflect the contractual clauses (as the ICO
takes both into consideration), and an action plan to address any gaps will be
prepared.

4.5 Most third parties have capped their liability in relation to data issues and in some
instances there are specific exclusions or limitations in addition to a cap. Where the
core contract forms part of a larger chain (e.g. POCA) there are two instances where
Bond Pearce have identified that our entitlement to recover from the third party is
capped at a sum lower than our potential liability to the end customer (POCA / HP and
DVLA / Cogent). In terms of indemnification for data issues, we benefit from
indemnities in some but not all of the contracts reviewed; some of these indemnities
are uncapped (e.g. Cogent) - which is in our favour.

4.6 The first stage of the review is scheduled to complete at the end of February, and
the minimum Information Security standards will be implemented for all top 13
contracts and an action plan for our suppliers will be agreed during March.

5. Information Security — Independent Review Findings

5.1 Deloitte have been engaged to complete a review of Information Security within Post
Office, covering a maturity and gap analysis against information security standards
(ISO27001/2)¹. The high level findings have been agreed. The details are currently
being reviewed by all key stakeholders within Post Office and a detailed plan
encompassing the activities currently underway and future road map has been
prepared.

5.2 The key findings from the review are as follows:

• The Information Security team is significantly under-resourced and there is
insufficient internal resource to provide appropriate security input into new and
on-going projects, or assurance activities with our key suppliers/partners. The
recruitment of a Head of Information Security is underway, and to support our
recent separation from RMG additional security specialists are being recruited.

• We do not have a comprehensive view of the Information Security risk
environment and the existing Information Security policy set is incomplete.
There is a mixture of legacy RMG policies and gaps in the policy set.

• On-going training and awareness across Post Office is not currently proactively
managed and there is no rolling security awareness campaign on Information
Security policies.

• There is a need for greater oversight and a formal assurance programme of our
third parties' Information Security controls. Whilst there are some assurance
activities, such as PCI (Payment Card Industry) compliance testing and
governance structures for our suppliers/partners, these are not consistent. A standard
framework is required for the management of Information Security controls
operated by third parties.

• There were gaps identified in the existing Information Security governance
forums; it is recommended that an Executive level forum be created which
will report through to the Risk & Compliance Committee quarterly.

5.3 Deloitte have recommended an action plan, outlined in Appendix A. This has been
reviewed by the project team to assess the level of resources and support required.
In addition, we have aligned the plan with the activities currently underway. The plan
includes:

• Mobilising the Information Security team to ensure that the POL Information
Security objectives are met, with clear accountabilities and structure.

• Improving the Information Security risk control and review framework, which will be
aligned to the wider risk activities across Post Office.

• Implementing a high level Information Assurance Strategy and supporting policies,
and wider monitoring and compliance with the Data Protection Act.

• Developing a framework of security management (including audit rights and clarity
of contracts) for our suppliers, and implementing controls to address the risks
inherent in legacy contracts.

¹ ISO27001/2: International Standards covering the specification of and management of an organisation's
Information Security Management System, and the guidelines and general principles for initiating, implementing,
maintaining, and improving information security management within an organisation.


• Conducting a training and awareness programme, including the development of
campaigns to address identified risks.

• Aligned to our Separation activities, reviewing the current security infrastructure
protecting key components such as our network and asset management.

6. Summary
The Committee is asked to note the positive progress which has been made and it is
proposed that quarterly updates are provided to ARC and the Risk and Compliance
Committee on progress.

Lesley Sewell
February 2013


Appendix A - Deloitte proposed Information Security transformation roadmap

The Deloitte POL Information Security Review proposes the following Information Security

roadmap:
[Roadmap chart: columns Objectives, Quick Wins, Q1 2013, Q2 2013, Q3 2013, Q4 2013, Q1 2014 and Key Milestones, for six work streams: Team Mobilisation, Information Risk review, Security Strategy and Policies, Supplier Management (develop and roll-out framework for new suppliers with the five pillars approach), Training and Awareness, and Security Infrastructure Review. The work streams are described in the numbered notes that follow.]

1. Team Mobilisation is development of job descriptions and recruitment of the required
Information Security staff.
2. Information Risk review includes definition of the underlying data relationship and
baselined security controls.
3. Information Security Strategy and Policies includes a refreshed policy set, and
Information Security minimum standards.
4. Information Security Supplier Management implements the minimum standards with the
top 13 suppliers and ensures a consistent governance structure.
5. Training and Awareness is for both Head Office staff and the staff in the branches.
6. Security Infrastructure Review - to review the current security infrastructure for our
network and implement where appropriate a regular vulnerability assessment process.
This will be aligned with our separation from RMG.


SECRET

POST OFFICE AUDIT, RISK AND COMPLIANCE COMMITTEE

Bank of Ireland (UK) plc Capital & Liquidity

1. Purpose
The purpose of this paper is to:

1.1 update the Committee on the Bank of Ireland (UK) plc’s capital and liquidity
position against its regulatory and Eagle contract (FSJVA) requirements,
following the request at the Committee meeting in November 2012. The update
is set out in the presentation attached.

2. Background

2.1 As part of the requirements of the FSJVA the Bank of Ireland (UK) plc (the Bank)
is required to meet capital and liquidity standards, providing Post Office Ltd with
comfort that our customers' deposits are secure.

2.2 The Bank’s capital and liquidity reports are part of the early warning system that
would enable Post Office Ltd to take action in accordance with the termination
provisions of the agreement, should this become necessary.

2.3. Certain information in the presentation has been provided with specific
permission of the Bank and is commercially sensitive. The Committee is asked
to treat the information as secret.

2.4 As requested at the previous Committee, Nicholas Kennett presented the
attached paper to Alasdair Marnoch, Tim Franklin and Chris Day in January
2013.

3. Conclusion

3.1 As advised at the November Committee, the Bank’s capital and liquidity
attestation has met the terms of the FSJVA and no further action is required.
We will continue to monitor the position.

4. Recommendations
The Committee is asked to:

4.1 note the update as set out in the attached presentation.

Nicholas Kennett

Director, Financial Services
6 February 2013

ARC Bank of Ireland (UK) plc Capital & Liquidity Nicholas Kennett Page 1 of 1
6 February 2013


PROJECT EAGLE


Eagle
Bank of Ireland (UK) plc Capital & Liquidity

23rd January 2013

Eagle_BOI capital & liquidity POL ARC Feb 2013 v0.1


Post Office® IN THE STRICTEST COMMERCIAL CONFIDENCE

Agenda


1. Bank Capital Requirements

2. Bank of Ireland (UK) plc capital status

3. Bank Liquidity Requirements

4. Bank of Ireland (UK) plc liquidity status

5. Post Office termination rights in the FSJVA


1. Bank Capital Requirements


Bank Capital

The difference between the value of a bank’s assets and its liabilities. The bank capital represents the net
worth of the bank to investors. The asset portion of a bank’s capital includes cash, government securities and
interest-earning loans like mortgages, letters of credit and inter-bank loans. The liabilities section of a bank's
capital includes loan-loss reserves and any debt it owes.

Bank Capital is made up of Tier 1 capital (Core Tier 1 (now Common Equity Tier 1) capital and non-Core Tier
1 capital) and Tier 2 capital. The most critical of these is Tier 1 capital.

Tier 1 Capital

* The predominant form of Tier 1 capital must be common shares and retained earnings. The remainder of
the Tier 1 capital base must be comprised of instruments that are subordinated, have fully discretionary
non-cumulative dividends or coupons and have neither a maturity date nor an incentive to redeem.

* Common Equity Tier 1 must be at least 4.5% of risk-weighted assets at all times.

* Tier 1 Capital must be at least 6.0% of risk-weighted assets at all times.

* Total Capital (Tier 1 Capital plus Tier 2 Capital) must be at least 8.0% of risk-weighted assets at all times.


1. Bank Capital Requirements — Basel III (from January 2015)

[Chart: Basel III capital stack. Left bar: Minimum Capital Requirement, made up of Core Tier 1 Capital, Non-Core Tier 1 Capital and Tier 2 Capital. Right bar: Minimum Capital Requirement inc. Buffers, showing the Implementation of Additional Buffers (Capital Conservation Buffer; Total Common Equity Capital; Tier 1 Capital 6.0%). Percentage labels legible on the slide: 1.5%, 2.0%, 6.0%, 7.0%.]

= The minimum common equity capital requirement will rise from 2% to 4.5%

= Tier 1 capital, which includes CET1 capital, will increase from 4% to 6%

= The “capital conservation buffer”, which sits above the regulatory minimum, will be 2.5%
and will consist of common equity

= The “counter-cyclical buffer” ranges between 0% and 2.5% of common equity capital
(or other fully loss-absorbing capital)
  = This only comes into effect when there is excess credit growth
  = It will be implemented on a national basis

= Systemically Important Financial Institutions (SIFIs) may be required to hold additional
capital on the basis that they are “too big to fail”

Source: Association for Financial Markets in Europe


1. Bank Capital Requirements — Phasing the move to Basel III

Phase-In arrangements for Basel III changes to regulatory capital requirements

[Chart: two panels covering 2012 to 2019. Left panel (left-hand scale, percentage of risk-weighted assets), titled "Minimum CET1 capital plus capital conservation buffer": Minimum CET1 capital ratio, Capital conservation buffer, Minimum Tier 1 capital ratio. Right panel (right-hand scale, percentage of required deductions), titled "Phase-in of deductions from CET1 capital". Notes on the chart: a) Phase-in arrangements will be effective from 1st January each year; b) Current FSA regulatory Core Tier 1 capital requirement; c) Basel III will strengthen capital definitions through new CET1 capital deductions.]

Source: BIS and BoE (2012)


2. Bank of Ireland (UK) Capital Status (as at 30th September 2012)

[Chart: capital ratios as a percentage of risk-weighted assets, three bars: Minimum Regulatory Capital Requirement (1st January 2015), made up of Core Tier 1 Capital (CET1), Non-Core Tier 1 Capital and Tier 2 Capital, with Tier 1 and Total subtotals; Minimum FSJVA Capital Requirement, labelled with an "Eagle Buffer"; BoI (UK) Actual (as at 30th September 2012), Core Tier 1 (CET1) Capital. Percentage labels legible on the slide: 1.5%, 2.0%, 3.0%, 3.5%, 6.0%, 8.0%, 9.0%.]


3. Bank Liquidity Requirements


Bank Liquidity

Cash and other financial assets that banks possess that can easily be liquidated and paid out as part
of operational cash flows. Examples of core liquidity assets would be cash, government bonds and money
market funds. Banks typically use forecasts to anticipate the amount of cash that account holders will need to
withdraw, but it is important that banks do not over-estimate the amount of cash and cash equivalents
required for core liquidity because unused cash left in core liquidity cannot be used by the bank to earn
increased returns.

The Liquidity Adequacy Rule, the Individual Liquidity Guidance, the Liquidity Coverage Ratio and the
Net Stable Funding Ratio

Liquidity Adequacy Rule
= “A firm must at all times maintain liquidity resources which are adequate, both as to amount and quality to ensure
that there is no significant risk that its liabilities cannot be met as they fall due” – FSA BIPRU 12.2.1R

= “A firm must ensure that it maintains at all times liquidity resources sufficient to withstand a range of severe stress
events which could impair its ability to meet its liabilities...” – FSA BIPRU 12.2.3R

Individual Liquidity Guidance

= At least annually a Bank must carry out an Individual Liquidity Adequacy Assessment, which is then
reviewed by the FSA (the Supervisory Liquidity Review Process or SLRP). The outcome of this process is
the FSA's Individual Liquidity Guidance (ILG), which sets out the FSA’s guidance as to the amount and
composition of the liquid assets buffer a bank should hold.

= If this is breached and a remediation plan is not agreed, then the Guidance can turn into a Requirement.


3. Bank Liquidity Requirements


The Liquidity Adequacy Rule, the Individual Liquidity Guidance, the Liquidity Coverage Ratio and the
Net Stable Funding Ratio (continued)

Liquidity Coverage Ratio (LCR)

= From 1st January 2015 the LCR will come into effect, replacing the measures employed by the FSA but still
managed by them or by then the FCA & PRA. Revisions to the minimum standards were agreed on
6 January 2013. The LCR is part of the Basel III framework.

= The LCR aims to ensure that a bank has an adequate stock of unencumbered high quality liquid assets
(HQLA) which consists of cash or assets that can be converted into cash at little or no loss of value in
private markets to meet its liquidity needs for a 30 calendar day liquidity stress scenario.
= The range of assets that can be included in the HQLAs has been widened as part of the new changes,
ostensibly to try and free up bank lending and prevent a return to global economic recession.

Net Stable Funding Requirement (NSFR)

= The NSFR requires that available stable funding (equity and liability financing expected to remain stable
over a one-year time horizon) at least equals the matching assets, i.e. illiquid assets which cannot be
easily turned into cash over the following 12 months. As a result of the agreement on the LCR the “Group
of Governors and Heads of Supervision” (GHOS) will now focus on developing the NSFR framework.
The aim is to introduce the NSFR in 2018.


4. Bank of Ireland (UK) Liquidity Status (as at 30th September 2012)


Bank of Ireland (UK) is substantially exceeding its regulatory minimum liquidity requirement and currently
holds a surplus of:

[Figure: Surplus over the regulatory liquidity requirement (as at 30th September 2012)]

5. Post Office termination rights in the FSJVA

As previously presented to the Board, Post Office has a termination right if:
= BoI’s minimum core tier one capital ratio falls below the threshold;
= BoI fails to maintain liquid assets required by the regulator;
= BoI breaches the Net Stable Funding Ratio (NSFR) (to the extent that these rules apply to BoI when they become
operational from 2018); or
= BoI, or its parent, becomes insolvent.

To support these rights, BoI must inform Post Office immediately of any threshold breach; failure to do so is in
itself a breach of the contract.

To provide the Post Office with some notice of the potential that BoI may breach a termination benchmark,
BoI must provide Post Office with regular updates of its financial position, including:
= Formal update on its capital and liquidity status and immediate notice if it becomes aware of any capital or liquidity issues
that might give rise to a termination event.
= 15 days after each public announcement of annual and half yearly results and any interim management statement BoI must
provide a certificate stating:
  = Its Minimum Core Tier One Ratio, the actual Core Tier One Ratio and any Common Equity Tier 1 (CET1) Capital buffers or
  other requirements applicable to BoI;
  = BoI’s regulatory liquidity requirement and its position against the benchmark;
  = Any NSFR requirement and BoI’s position;
  = That BoI is not in breach of the termination obligations, or of any remediation plan agreed with the regulator.
= After each half year financial announcement a senior BoI executive must provide a trading performance update.
= BoI must provide a presentation of its annual results, including a summary of any Recovery and Resolution Plan (RRP)
submitted to the regulator and summaries of any ARROW Letters received from the FSA as far as they relate to the Post
Office or BoI’s obligations to the Post Office.


Supplementary Documents

Post Office Ltd
Audit Risk and Compliance Committee meeting
13 February 2013

Location:
The Board Room, 148 Old Street, London, England, EC1V 9HQ, United Kingdom

ATTENDANCE LIST

ATTENDEES SIGNATURE

Alasdair, Marnoch

Neil, McCausland

Susannah, Storey

Also in attendance

Alwen, Lyons

Alice, Perkins

Chris, Day

Lesley, Sewell

Malcolm, Zack

Paula, Vennells

Sarah, Hall

Susan, Crichton

Tim, Franklin

Additional access

Martin, Edwards
