RCC 6 AUGUST 2015 PAPER ONE
POL00423297
Post Office Ltd - Confidential
Risk and Compliance Committee (R&CC)
Reference: R&CC May 15
Date: 01 May 2015
Venue: Boardroom, Finsbury Dials
Time: 10:00 - 12:00
Attending:
Jane MacLeod General Counsel Chair
Alisdair Cameron Chief Financial Officer Member (by telephone items 1-4)
Nick Kennett Financial Services Director Member
Paula Vennells Chief Executive Officer Member
Alwen Lyons Company Secretary Member
Steve Miller Head of Risk Report
Georgina Blair Risk Manager Report
Garry Hooton Head of Internal Audit Report
Martin George Commercial Director Report
Paul Beaumont Risk Manager Minutes
Apologies:
Neil Hayward Group People Director
The Chair declared the committee quorate and opened the meeting.
Action 1660 was agreed to be closed; the remainder of the actions were covered by the agenda
item discussions or were brought forward to the 22 June meeting. For action 1657 (POMS
reporting), it was agreed that the reporting process should be that papers discussed initially at
POMS RCC would subsequently be tabled at POMS ARC and would then report into POL ARC.
However, the format was still to be agreed and the action would be carried forward to the next
meeting.
The committee aaah the minutes of the rah eet and the attached actions.
SM outlined the principles in the paper and explained that bringing them to life did not require the
construction of elaborate systems. Instead what was key was executive sponsorship and building
capability in the 1st line. A series of actions for the 1st line to own with support from the second line
risk team was outlined.
SM added that there would not be a ‘one size fits all’ approach; more important was understanding
and engagement from the different areas of Post Office. For example, it was understood that in the
1st line the level of understanding of risk ownership would be less in some parts of the Post Office
than others, so greater support would need to be dedicated to those areas.
SM confirmed that training was to be provided to the first line on the three lines of defence model
and what was required within ‘first line’ risk; initially focussing this training on all the designated
risk champions. It was agreed that FS could be used as an example of best practice to help
facilitate learning. The committee agreed the Principles paper would be submitted to the GE. It was
also decided that an overview of the three lines of defence and responsibilities should form part of
the leadership agenda at the next SLT away day. (Action 1658)
SM presented a high level gap analysis of Post Office’s compliance on the requirements of the UK
Corporate Governance Code. There were a number of gaps to fill, but we had to decide as a
business where we wanted to be on the maturity curve and the cost versus compliance costs of
actions taken. It was suggested, by the Committee, that if the appendix was simplified to all the
items Post Office would need to ‘explain’ (under the comply or explain aspects of the code) then
this would be a good way of focussing attention on the gaps and what compliance aspects we
should dedicate resource to as a priority. It was agreed that a simplified version of the gap analysis
would be produced together with a status report and what was planned to be achieved in the next
financial year. (Action 1663)
The Committee discussed these and some amendments were proposed, mainly for the Principal
Risk ‘underperformance in income’. It was agreed that this was one of the biggest risks facing the
Post Office; but the title of the risk should be amended to better reflect the ‘profitability’ aspects of
underperformance. It was decided that in the response to this risk we should capture that expense
reduction is also a key required response if Post Office is not hitting its profit targets. It was also
agreed to get further feedback from Commercial Committee on making the responses less tactical
and more strategic. The high rating of the people and capability risk should be checked prior to it
going to the ARC as well as amending the detail around ownership of the sales capability risk and
the wording around the FS risks. (Action 1659)
The Committee also suggested that the future calibration of the heat map could be considered to
ensure that the highest risks are shown in proportion to the other risks and to show trends (risk
increasing or decreasing).
For the presentation in the Annual Report and Accounts it was agreed that industrial action should
be given greater prominence than it was currently as this remained a key risk. On pension risk, it
was highlighted that if we were publicly to outline this risk to the DB scheme, then we would need
to be aware that in considering any further potential actions we should ensure that impacted staff
were made aware of these risks as well.
Operational and legal risks should add ‘telephony’ to regulatory risk and we should bring out
more strongly the high regulatory risks for the FS business. Cost management and efficiency measures
as responses to underperformance should also be brought out in the response column.
It was agreed to incorporate the committee’s feedback in updating the risks for ARC. (Action
1664)
The risks inherent in ‘self-reporting’ were discussed, but it was confirmed by SM that this was
common industry practice. The proposed approach was that the risk team would work with 1st line
risk champions on facilitating reporting of ‘key incidents’ and thresholds for reporting would be
agreed. The paper was approved.
Martin George described a number of good practices that were found in the Post Office. However,
there was a need for a consistency of approach and an agreed Post Office wide definition of what
constituted a vulnerable customer. As part of this process he was reviewing current best practices
at Post Office as well as that of external firms and partner organisations. He agreed to report
progress at the next meeting (Action 1649)
Steve Miller explained that good discipline for future policy approvals would be that each policy for
approval/re-approval should be accompanied by a short note outlining the key changes together
with a track changed version of the policy. The Committee stressed that policies that impacted on
best outcomes for our customers should be prioritised.
Garry Hooton updated the Committee: the Internal Audit plan in the papers had been approved by
the ARC and were for noting. The committee requested that when audit reviews were presented to
the ARC that the business owner responsible for implementing agreed actions should be present
when the Internal Audit was presented.
It was agreed that GH would brief Alisdair Cameron on the travel expenses issues outlined in the
papers (Action 1665). Garry Hooton confirmed that the Conduct Risk (FS) Audit would be
presented to the June meeting (Action 1666)
The report was noted. The Committee asked that as well as refreshing awareness of the
requirements, the risk team should work with the Commercial team to ensure that their reporting
process was working properly bearing in mind the very low returns reported (Action 1667)
ID cards Policy and the (4) Information Security Policies were noted.
None
Action Summary and Updates
| Date | Ref | Action | Lead | By | Update |
|---|---|---|---|---|---|
| 05/15 | 1667 | To refresh Gifts and Hospitality Policy awareness and discuss reporting process with Commercial | Steve Miller | 6 August | |
| 05/15 | 1666 | Conduct Risk Audit (FS) to be presented to the Committee | Garry Hooton | 6 August | Done - action closed. |
| 05/15 | 1665 | Internal Audit to brief Finance Director on travel expense issues raised in report | Garry Hooton | 6 August | Done - action closed. |
| 05/15 | 1664 | Incorporate Committee feedback into key risk descriptions for Annual Report and Accounts | Steve Miller | 6 August | Done for May ARC - action closed. |
| 05/15 | 1663 | Corporate governance code ‘gaps’ and proposal on work to improve compliance for 15/16 ARA to be presented to the Committee and Board | Steve Miller | 7 Sept | |
| 03/15 | 1660 | Discuss reporting lines of Business Transformation risk and assurance roles with the Transformation Director | Jane MacLeod | 1st May | Transformation Director and General Counsel are joint sponsors. Reporting line for the transformation assurance team is to GC with a dotted line to the TD - action closed |
| 03/15 | 1659 | Revise presentation of principal risks in line with feedback from committee members and present to May ARC | Steve Miller | 6 August | Done for May ARC - action closed. |
| 03/15 | 1658 | Provide a risk management session for the SLT at the next appropriate opportunity | Jane MacLeod / Neil Hayward | 6 August | Done July 3 - action closed. |
| 03/15 | 1657 | Discuss interaction between POL and POMS with regard to reporting at RCC with Financial Services Director | Jane MacLeod | 6 August | See agenda item 6. |
| 03/15 | 1656 | Develop proposal for sub-committee reporting to RCC and discuss at GE | Steve Miller / Alwen Lyons | 6 August | To be covered in wider governance review - action closed. |
| 01/15 | 1655 | Prepare and implement a communications plan to raise awareness of the whistleblowing line | Steve Miller | 7 Sept | Whistleblowing framework currently under review. Action point carried forward to next meeting. |
| 01/15 | 1653 | Gather views from committee members on incident reporting de-minimis limits and provide an update. | Steve Miller | 1st May | Closed by proposal presented to RCC on 1 May - action closed. |
| 01/15 | 1652 | Prepare note clarifying the current approach to compliance with the new Corporate Governance Code | Steve Miller | 15th May | Closed by note presented on 1 May and superseded by action 1663 - action closed |
| 01/15 | 1649 | Commercial Director to give an update on vulnerable customers - definition and proposed best practice at the next meeting. | Martin George | 6 August | |
| 12/14 | 1646 | Provide a report on the list of policies that need to be approved. Updated March 2015: Produce a paper proposing an appropriate process. | Steve Miller | 1st May | Closed by RCC paper on 1 May - action closed. |
| 12/14 | 1644 | Hold a scenario-analysis workshop to try and identify unexpected risks. | Steve Miller | 6 August | IT risks workshop held in May - action closed. |
Next Meeting: 6 August 2015, Room 1.19 Wakefield, 14.00 - 16.00
RCC 1 May 2015
POL-BSFF-0238112_0004