POL00423152
Royal Mail Group
Compliance with Legislative & Regulatory Obligations
Post Office Limited
Internal Audit & Risk Management
Internal Audit Report: 07/083
Royal Mail - CONFIDENTIAL
February 2008
Contents & Distribution

Contents
Executive Summary
Detailed findings
Appendices
Appendix A - Legislation & regulation impacting on POL and potential impact of breach
Appendix B - Control Assessment Framework
Appendix C - Risk profile based on self-assessment of level of control
Appendix D - Adjusted risk profile
Appendix E - Compliance framework suggested outline contents
Appendix F - Impact and likelihood scoring frame

Distribution (Executive Summary & Appendices)
Alan Cook, Managing Director, Post Office Ltd (POL)
Post Office Ltd Executive Team
Clive Bradley, Head of Property Projects
Nick Gittens, Head of Diversity & CSR
Jackie Lesley, Head of Industrial Relations
Alwen Lyons, Head of Mails Services Marketing
Andy McLean, Head of Operations Control
Keith Rann, Head of Supply Chain
Penny Slater, Head of Direct Sales
Clare Wardle, Head of Post Office, Legal Services
Keith Woolard, Head of Compliance

Executive Summary
Royal Mail Group Executive Team
Doug Evans, General Counsel
Derek Foster, Internal Audit & Risk Management Director
Ernst & Young, External Auditors
Shaun Delaney, Maxime Allen

Internal Audit Report 07/083, Royal Mail Group, CONFIDENTIAL, Page 2 of 11
Executive Summary: Overview

Whilst the POL Compliance Team provide a focus for regulated products, this does not extend to other aspects of legislative and regulatory obligations.

Objectives & approach

The Group Compliance Director and Post Office Limited (POL) Head of Compliance have voiced concerns regarding the adequacy of the control environment across the range of legislation and regulation that impacts on POL. In addition, the strategic risk profile developed by the POL Executive Team identifies failure to comply with our statutory and regulatory obligations as an area of risk.

The overall objective is to provide an assessment of the risk that POL does not comply with its statutory or regulatory obligations and provide tools to support the business unit in the ongoing assessment, monitoring and management of this risk. Specific objectives are to: identify the key gross risk exposures; facilitate an assessment of control effectiveness around the most significant exposures; and provide an overall net assessment of risks and identify priorities for improving the application of a compliance framework in POL.

The approach identified all areas of legislation and regulation that impact on POL and, through consultation with Legal Services and the Head of Compliance, produced from this a list of key areas for POL, excluding areas managed entirely at Group level. Nominated members of the Executive Team and Senior Leadership Population were asked to self-assess controls in these areas using a questionnaire previously developed and used at Group level, but modified for POL as agreed with the Head of Compliance. The self-assessment was compared with information provided by Legal Services.

AREA CONTROL ENVIRONMENT: there is a MEDIUM risk of POL breaching its statutory and regulatory obligations.
RISK TO GROUP: LOW. There are no significant risks that have a Group impact.

Control Environment. Managing the impact of legislation on POL is complex, with policies mostly, but not exclusively, owned at Group level and responsibility for deployment in POL often spread across different functions. POL is embraced by the Royal Mail Group Compliance Framework, which is specifically focused on RM Licence Conditions and Competition Law. However, given the wider trend towards an increasing regulatory burden, the breadth of legislation impacting on POL and the complexity of the control environment required to manage its compliance, it would be appropriate for POL to develop its own compliance framework. We have provided an outline of such a framework that sets out accountabilities, controls and governance processes to deliver an adequate control environment across the range of legislation and regulation. Specific matters on which controls are self-assessed generally as insufficient, and which would be improved by incorporating them into a compliance framework, are compliance monitoring and staff awareness and understanding of their responsibilities.

Controls Self-Assessment Perception Gap. The self-assessment of controls to enable compliance suggests a high level of control. However, in many areas of legislation the Legal Services' view, based on judicial reviews, litigation history, compensation claims and dialogue with regulators, suggests that the self-assessments, taken as a whole, are not fully reliable. This "perception gap" may itself create a risk if it leads to failure to take action when it would be appropriate to do so. An adjusted risk profile that reflects apparent gaps in perception of controls and also Legal Services' assessment of the degree of regulatory scrutiny shows, overall, a higher level of risk compared with that derived from self-assessment.

Specific Aspects of Legislation. The principal areas of legislation or regulation where the risk of non-compliance is highest are:
• Personal data protection where POL products are being transacted by third party suppliers such as POFS;
• Public Procurement Legislation, reflecting the newness of control measures implemented and concerns about overall levels of awareness.
Self-assessments are not available for a number of areas, two of which warrant particular attention: Competition Law, breach of which could have severe financial impact, and copyrights and trademarks legislation, which offer opportunities to protect POL's intellectual property assets.
Detailed findings

The following issues were identified during the review and the corrective action and timescale were agreed with the business. All of the actions shown are deemed important. However, a further ranking (1-2) has been provided to assist in prioritisation. Priority 1 relates to the higher risk issue.

1. Control environment

1.1 Compliance framework
POL does not have its own compliance framework; it applies an RMG compliance framework, but the coverage is limited to compliance with the RM Licence and Competition Law.

1.2 Compliance controls
1.2.1 Priority areas for improvement (Priority 2)
The self-assessment exercise indicates that the priorities are: compliance monitoring; staff awareness of their responsibilities; further work to ensure policies owned by POL are fully fit-for-purpose. Development of an effective compliance framework would address these matters.
1.2.2 Business change
The established change control process enables legislative and regulatory issues to be identified at an early stage in any business change, but deployment is inconsistent: for example, some strategic initiatives have not gone through change control. There is activity currently in hand that will increase compliance with the process as part of the current business planning round.

1.3 Controls perception
There is a "perception gap" between the self-assessment of controls to manage legal and regulatory obligations and POL's litigation record and losses history, and concerns raised by regulatory bodies.

1.4 Link with Critical Business Processes (CBPs)
Compliance with Legal and Regulatory obligation is a CBP for POL, which was most recently self-assessed as "substantially deployed". However, the CBP is specifically concerned with processes that apply to product-related regulatory compliance rather than legislation and regulation in general.

Business impact (Priority 2)
• Absence of an overall framework creates an inconsistent approach to compliance.
• Overestimating the strength of control may lead to complacency and may itself create a risk to compliance.

Agreed action plan
1. Develop and communicate an appropriate compliance framework for POL to cover all key aspects of legislation identified in this review. Action owner: Keith Woolard. Timing: 31 Dec 2008.
2. Review the portfolio of CBPs in light of the control enablers identified in the self-assessment questionnaire used in this review, and, if appropriate, amend the portfolio. Action owner: Keith Woolard. Timing: [month illegible in source] 2008.
Detailed findings (continued)

2. Areas of legislation or regulation where the risk of non-compliance is high

2.1 Data Protection Act (DPA) as it applies to sales via direct channels (Priority 2)
The self-assessment raised a specific concern that it is not clear who is responsible for setting standards that POL expects third party suppliers, including POFS, to adhere to and for ensuring such standards are met. Further, there is no monitoring of third party compliance performance in place. The risk to reputation is especially high given the current levels of public interest following several high profile instances elsewhere of failure to protect personal data. Adoption of a POL specific compliance framework will make responsibility clear.

2.2 Public Procurement Legislation (PPL)
Although controls are self-assessed as high, recent history, which includes a "Letter before Action" from the regulatory body requiring appropriate controls to be put in place, suggests that the control environment, established in December 2007, is not mature, and the Legal Services' view is that awareness and understanding of this legislation are not yet well established.

Business impact
• Breach of data protection obligations may cause reputation damage that undermines POL's drive for growth in Financial Services product sales.
• Breach of PPL obligations may result in awarded contracts having to be re-tendered, with subsequent delays to projects or product developments.

Agreed action plan
3. Review contractual relationships with third party suppliers and introduce the provision of DPA conformance; develop an action plan to address any gaps that are identified. Action owner: [name illegible in source]. Timing: 2008.

3. Incomplete self-assessment
Self-assessment questionnaires were not completed for a number of areas of legislation, and without these the risk assessment is incomplete. Amongst the areas not self-assessed are:
• Competition Law. This is an important area to review since the impact of a breach could be very high: the law allows for a fine of up to 10% of turnover.
• The law relating to copyrights and to trademarks. These areas are important in that effective control will allow POL to ensure that its own intellectual property assets are adequately protected. Therefore, these represent an opportunity as well as a potential risk.

Business impact
Failure to complete the self-assessment may mean that areas of non-compliance with adverse financial consequences, and also potential opportunities afforded by the legislation, are overlooked.

Agreed action plan
4. Complete the outstanding self-assessments [remainder of action text illegible in source] (Priority 2). Action owner: Gary Hockey-Morley. Timing: 31 [month and year illegible in source].
Appendix A - Legislation & regulation impacting on POL and potential impact of breach
Appendix B - Control assessment framework
[Diagram: control assessment framework; the diagram content is not legible in the source.]
Appendix C - Risk profile based on self-assessment of level of control
[Chart: risk exposures plotted on a grid of IMPACT (Insignificant, Minor, Moderate, Major, Extreme) against LEVEL OF CONTROL (Very high, High, Moderate, Low, Very low, Not assessed); the plotted items are not legible in the source.]
Colour coding of risk exposures is in line with the impact and likelihood scoring frame provided at Appendix F.
Appendix D - Adjusted risk profile
[Chart: risk exposures plotted on a grid of IMPACT (Insignificant, Minor, Moderate, Major, Extreme) against LIKELIHOOD (Very unlikely, Unlikely, Likely, Very likely); the plotted items are not legible in the source.]
Key: possible issue or area of legislation for which self-assessment has not been completed, based on information provided by Legal Services, including [remainder illegible in source].
Note: arrows relate to [illegible in source], dialogue with regulatory authorities and Legal Services' perception of the degree of regulatory scrutiny.
Colour coding of risk exposures is in line with the impact and likelihood scoring frame provided at Appendix F.
Appendix E - Suggested outline of a compliance framework

Introductory statement from the Managing Director defining legislative and regulatory compliance and setting out the importance of compliance.

Scope: areas of legislation and regulation that are applicable to POL, distinguishing between key legislation / regulation and other, as per Appendix B of this report.

Accountability for each key area of legislation / regulation:
• If there is a RM Group level policy, the framework to identify: policy owner; policy reference and details of how to access it; ET level "champion" who leads on deploying the policy in POL; contact point for queries.
• If there is a POL business policy, the framework to identify: policy owner (ET level "champion"); policy reference and details of how to access it; contact point for queries.

Controls. The framework sets out generic responsibilities for the ET level "champion" to ensure that appropriate controls are in place:
• all staff and managers for whom this item is relevant, including new entrants and transferees, to be aware of how the law might impact on them and what their responsibilities are (it may be possible to prepare as an Appendix to the framework a matrix of staff / manager groups and relevant legislation);
• procedures are in place to ensure that all relevant managers and non-managers are kept informed of changes in requirements;
• staff awareness is monitored periodically and supported by training where appropriate;
• there is sufficient specialist and non-specialist resource to manage and monitor compliance with legislative obligations;
• legislative risks impacted / generated by supplier dependencies or by clients have been identified;
• suppliers are clear about what is expected of them to support and ensure compliance with the legislation, and this is reflected in supplier contracts;
• appropriate use is made of Legal Services' and other Corporate oversight functions' advice in non-routine situations in which there is potential for non-compliance, and to explore and exploit opportunities for competitive advantage provided by the legislation / regulation;
• there are appropriate procedures in place to ensure that the implications of new / emerging legislation are identified, evaluated and responded to appropriately and in a timely manner;
• operating procedures are designed to meet the requirements of the legislation / regulation and appropriate POL or RMG policy;
• procedures exist to ensure that Legal Services and other Corporate oversight functions, as appropriate, are consulted in the development of new products, business processes and projects (cross-referring to the business change process, how this is a tool to manage compliance and the requirement for conformance);
• monitoring systems are in place to assess compliance with the legislation / regulation, and to identify and track remedial action where performance falls short.

Governance. Compliance with legislative and regulatory obligations is a CBP and is subject to periodic self-assessment and independent validation, which is signed off by the Managing Director and reported to the Corporate Risk Management Committee bi-annually, which enables the business to provide its statutory declaration on risk and control in its annual report.

Statement that disciplinary measures will be applied for wilful, persistent or negligent non-compliance, and a cross-reference to the RMG Whistleblowing policy, which is available for suspected wilful non-compliance.

Contact point for queries about the framework and for initial queries about specific aspects of legislation where it is not clear from Section 3 (suggestion: Head of Compliance to be this contact point).

Sign-off by Managing Director.
Appendix F - Impact and likelihood scoring frame

LIKELIHOOD (risk assessment scale)
5 - Very likely: expected to occur in most circumstances [percentage band illegible in source]
4 - Likely: will probably occur in most circumstances [percentage band illegible in source]
3 - [label illegible in source]: even chance of occurring [percentage band illegible in source]
2 - Unlikely: not generally expected but could occur [percentage band illegible in source]
1 - Very unlikely: expected to occur only in exceptional circumstances (less than 5% chance)

IMPACT (scored 5 Extreme, 4 Major, 3 Moderate, 2 Minor, 1 Insignificant)
[Table: each impact level is described against columns including Asset / profit, Customer Service and Reputation, with descriptors ranging from national-level consequences and prolonged national media coverage at Extreme down to local operational disruption at Insignificant; the individual cell descriptors are not legible in the source.]