RCC 26 OCTOBER 2015
POL00423310
PAPER ONE
Post Office Ltd - Confidential
Risk and Compliance Committee (R&CC)
Reference: R&CC Sept 15
Date: 07 September 2015
Venue: Boardroom, Finsbury Dials
Time: 14:00 - 16:00
Attending:
Name | Role | Capacity
Jane MacLeod (JM) | General Counsel | Chair
Alisdair Cameron (AC) | Chief Financial Officer | Member
Paula Vennells (PV) | Chief Executive Officer | Member
Neil Hayward (NH) | Group People Director | Member
Jonathan Hill (JH) | Head of Risk, Banking Regulation and Strategy | On behalf of FS Director
David Hussey (DHu) | Transformation Director | Guest
Kevin Gilliland (KG) | Network and Sales Director | Guest
Mike Morley-Fletcher (MMF) | Head of Risk and Assurance | Report
Steve Miller (SM) | Head of Risk | Report
Deana Herley (DHe) | Audit Manager | Report
Adnan Killedar (AK) | Risk Business Partner | Report
Georgina Blair | Risk Business Partner | Minutes
Mark Lawrence (ML) | Senior Implementation Manager | Report (Item 4)
Andy Masson (AM) | Delivery Manager - Property | Report (Item 4)
Apologies:
Nick Kennett | Financial Services Director
Alwen Lyons | Company Secretary
The Chair declared the committee quorate and opened the meeting.
MMF explained that the risk function had been assisting the business units to carry out a half-year
review of risk, in order to give ARC confidence in POL’s risk management capability. MMF asked
the Committee to review the list of 27 risks which had been identified in the March review, and
consider whether any of the suggested additional risks in the presentation which had been
identified through the recent review process should be added to the list.
The Committee discussed the risks and suggested some new or amended risks to be added to the
top list. In particular the Committee mentioned:
• Add risks of:
o damage to PO brand in eyes of customers and consumers
o pension deficit
o contract management
o introducing new products without understanding agents’ capability to sell
o loss of corporate memory due to high staff turnover and lack of succession planning
o flight risk of employees at SLT/band 4 level
o appointment of new Chairman and several new Board members may distract POL management or may disrupt strategy
• Amend the following risks:
o ‘New Front Office application delayed’, as the bigger risk is not delay in implementation but that the application does not work once implemented
o NFSP risk has been reduced due to a new agreement with the NFSP
The Committee agreed that the wording of the top risks needed to be improved. MMF agreed to
meet individually with Committee members and their risk champions to improve the articulation
of their top risks (Action 1681).
The Committee requested that a paper be prepared for the September ARC explaining the next
steps in improving the risk assessments (Action 1682).
SM presented the summary of recent reported risk incidents. The Committee discussed the list,
and it was noted that the summary was a reporting tool intended to demonstrate where controls in
the business were failing, which helps to validate, or otherwise, the qualitative risk assessments
made in Item 1, and was not intended to facilitate a discussion on the management of each
particular incident. The Committee also noted that the lack of a coherent, centralized incident
reporting process in the business meant it was hard for the risk team to gather full data on
incidents.
The Committee agreed that the following amendments should be made to the report format for
RCC:
• an indication of the materiality of the impacts for each incident
• a GE or SLT member identified as owner for each incident
• relevant business unit to sign off on report for each incident to ensure accurate reporting
(Action 1683).
SM explained the proposed approach to updating ARC on the approach to compliance with the
Corporate Governance Code for the year ended 2015/16 and the creation of a control framework.
JM advised that she had been requested to bring a paper to the October Board addressing the
desired level of compliance with the UK Corporate Governance Code and that a key part of this
would be the ability of the Board to rely on the control framework.
PV noted that the arrival of a new chairman, and a new chair for ARC meant that there was a
possibility to reshape thinking about compliance with the Corporate Governance Code. A couple of
years ago the Board wanted POL to comply with the Code, but now given all else that is going on
perhaps the approach should encompass the minimum that the business needs to do to keep safe.
AC recommended that GE, and then Board, should have a discussion about the different dimensions
of the Code by determining where POL was on a scale, and examining the cost implications of
moving POL along it in increments of activity. The three options were: do nothing, a middle action
(plus cost) and compliance with the Code. The Committee requested that a paper be prepared for
GE (Action 1684).
SM presented the proposed Business Continuity resource plan covering both the business resources
(1st line) and the Central Business Continuity team (2nd line). JM clarified that the £700k request
included the opportunity cost of using frontline people to resolve the existing gaps in POL’s
business continuity framework, and that the suggested model was to bring in specialist expertise to
help develop the framework and to assist people within the business to draw up specific impact
assessments for each business area. The anticipated cost for this resource was £100 - £150k.
The Committee discussed the extent to which POL has existing business continuity and incident
reporting plans in place. KG noted that he felt recent changes within the business meant there
were some serious gaps in business continuity arrangements, but that he was unable to identify
them. DHu noted that most organisations have a dedicated person who is in charge of BCP and who
ensures that plans are reviewed and tested regularly.
PV noted that as CEO she could not countenance POL having unidentified gaps in its business
continuity arrangements, and requested that KG and Lesley Sewell go away and scope the gaps in
their respective areas. It was noted that there were other parts of the business that would need to
be included (for example the call centres), not just the branch network and IT, so other people
would need to be involved.
ML and AM explained how they had developed an interim incident reporting process with the
assistance and oversight of AK from Risk in response to a recent failure in the notification process
when an out of hours fire alarm happened at Finsbury Dials. The Committee asked whether there
were any business continuity processes in place in the event that there was a real fire at Finsbury
Dials, which made the building unavailable for a number of days. AM confirmed that there had
once been reciprocal arrangements with Royal Mail, but that these were no longer valid, so there
was no provision in place.
ML noted that Kevin Parker, Estates Manager, is currently looking at alternative locations; for
example, it was likely that some essential staff could be accommodated in ones and twos in Crown
Offices in London.
PV requested that the work covering assessment of current business continuity planning within IT,
Network and Property should be completed by end of September and that incident management
planning across Post Office be coordinated with the work ML is doing on buildings incident
management (Action 1685).
The Committee confirmed that resource for three months (approx £100k) should be provided.
JM asked the Committee to note this paper, and explained it would be presented to ARC. AC
questioned why the paper was going to RCC, GE, ARC and Board, and it was agreed that there was
no need for the paper to go to GE and Board.
JM asked the Committee to note this paper.
DHe updated the Committee on recent audit activity. The Committee noted that some of the
outstanding audit actions were very out of date, and it was agreed that the Audit team would
require the owners of the actions to confirm dates such that by the next meeting all the actions
have been updated or completed (Action 1686).
The Committee was asked to review the minutes and actions of the previous meeting and notify the
Chair of any comments or amendments.
JM asked the Committee to note the POMS RCC minutes. JM noted that there was a need to
understand how POMS was going to assure itself that POL was complying with its compliance
requirements (as POL would be POM’s Appointed Representative). JH explained that it was likely
that it would be a mirror of what Bank of Ireland does at the moment. The Committee requested
that this be clarified (Action 1687).
JM requested that the Committee read the Charter, but noted that the Committee was not
approving it and that she had comments to feed back to Julie George. JM noted there was a lack of
clarity between IT and ISAG and the role of ATOS was unclear. It was agreed that clarity would be
obtained on the relationship between IT, ATOS and ISAG; AC requested that resources were
compared to accountabilities (Action 1688).
Date | Ref | Action | Lead | By | Update
07/09 | 1688 | Obtain clarity on relationship between IT, ATOS and ISAG. | Jane MacLeod / Julie George | 26 Oct | AC & JM met Julie George and Colin Plett to discuss. See Agenda Item 6.
07/09 | 1687 | Clarify how POMS will assure itself that POL is complying with POM’s compliance requirements. | Susie Hayward | 12 Jan | Paper is being prepared for POMS Board and will be shared with RCC when ready.
07/09 | 1686 | Require owners of audit actions to complete or update actions. | Garry Hooton | 26 Oct | See Agenda Item 9.
07/09 | 1685 | Complete work covering assessment of current business continuity planning within IT, Network and Property; coordinate business wide incident management planning with work on buildings incident management. | Mike Morley-Fletcher | 30 Sept | Action completed - see update in Agenda Item 12.
07/09 | 1684 | Prepare a paper for GE & then Board about approach to compliance with the Corporate Governance Code. | Jane MacLeod | 26 Oct | Paper in preparation. Will go to GE and then ARC due to timing constraints.
07/09 | 1683 | Amend format of RCC Incident Reporting to include details requested by Committee. | Steve Miller | 26 Oct | Partly completed - see Agenda Item 3.
07/09 | 1682 | Submit paper to September ARC explaining next steps in improving the risk assessments. | Mike Morley-Fletcher | 16 Sept | Paper submitted to September ARC - action closed.
07/09 | 1681 | Meet individually with Committee members and risk champions to improve articulation of top risks. | Mike Morley-Fletcher | 12 Jan |
08/15 | 1674 | Provide a regular short update on Vulnerable Customer approach until this work is completed. | Martin George | 12 Jan | Work is underway - update will be given in January.
05/15 | 1666 | Conduct Risk Audit (FS) to be presented to the Committee. | Garry Hooton | 26 October | See Agenda Item 9.
01/15 | 1655 | Prepare and implement a communications plan to raise awareness of the whistleblowing line. | Steve Miller | 26 October | Policy will be updated in line with policy framework review (see Agenda Item 2). Comms will be tailored to requirements of policy.
Next Meetings -
26 October 2015 Room 1.19 Wakefield 12.00 - 14.00
12 January 2016 Room 1.19 Wakefield 12.00 - 14.00