POL00423347 - Post Office Risk and Compliance Committee Review of RCC Terms of Reference

POST OFFICE PAGE 1 OF [X]
RISK AND COMPLIANCE COMMITTEE DECISION PAPER

Review of RCC Terms of Reference

Author: Georgina Blair
Sponsor: Jane MacLeod
Meeting date: 05 May 2016

Executive Summary

Context

In line with best practice, and as recommended by the UK Code of Corporate
Governance, a clear Terms of Reference (‘TOR’) for the Risk and Compliance
Committee (‘RCC’) should be in place and reviewed on an annual basis.

Questions this paper addresses

1. Does the RCC have a clear and agreed TOR?

2. Has the Committee fulfilled the requirements of the TOR over the last year?

3. How will the Committee ensure it uses its time effectively in future and fulfils the
requirements set out in its TOR?

Conclusion
1. The requirements specified by the TOR are clear, but the TOR has not been
reviewed since March 2015. [When are we going to review it?]

2. The analysis carried out confirms that the RCC has fulfilled the requirements of its
TOR with the exception of receiving reports from several sub-committees.

3. The draft RCC timetable set out in Appendix 2 is a proposed forward agenda for
RCC meetings which will ensure the RCC fulfils the requirements of its TOR in
2016/17.

Input Sought

The members of the RCC are asked to:

1. Confirm they believe they have fulfilled the requirements of the RCC TOR as
specified by the Group Executive.

2. Feedback to the Chair any comments on the proposed timetable for future
agendas.

Strictly Confidential RCC 05 May 2016

The Report

1. The RCC is responsible for supporting the Group Executive (GE) in fulfilling their
responsibilities in the effective oversight of risk management, internal control and
compliance. It was decided in March 2016 that RCC membership should be
extended to include all members of the GE. The TOR has not been updated to
reflect this.

2. The areas of the TOR (Appendix 1) have been assessed against the Committee
agendas, papers and decisions to ensure that the Committee has fulfilled its
requirements to the Group Executive:

a) The ‘Purpose’ of the Committee is clear and agreed by the Group Executive.

b) The ‘Meetings’ have convened in accordance with the TOR, although this review
of the effectiveness of the Committee did not take place within the year.

c) The ‘Responsibilities’ have been discharged, with the exception of:

i) Review of risk reports from the Health and Safety Committee; instead this
committee reports directly to the Board.

ii) Review of risk reports from Commercial Committee and the Business
Continuity Committee. The Commercial Committee doesn’t report to RCC
and the Business Continuity Committee doesn’t currently exist.

iii) No whistleblowing report was provided in 2015/16. One is being provided in
May 2016.

3. Areas of specific risk have been reported throughout the year and key further
actions agreed, for example cyber security and anti-money laundering in March.

Appendix 1
RISK AND COMPLIANCE COMMITTEE
TERMS OF REFERENCE
(March 2015)
1. Overview

The purpose of the Risk & Compliance Committee (R&CC) is to support the Executive
Team (ET) in fulfilling their responsibilities in the effective oversight of risk
management, internal control and compliance.

2. Responsibilities

The responsibilities of the Risk & Compliance Committee include, but are not limited
to:

o Reviewing the effectiveness of the risk management framework and risk
policy and the oversight of the development and implementation of the risk
management framework;

o Oversight of the current risk exposures of the business and advising on the
future risk strategy;

o Oversight of the identification and effective management of current key risks
and regular reviews of emerging risks;

o Oversight of the key operational risks facing the business including the
effectiveness of internal controls;

o Monitoring the implementation of key recommendations and management
action plans;

o Monitoring compliance with legal and regulatory obligations, including any
significant breaches;

o Receiving and reviewing risk reports from the R&CC Sub-Committees:
  - Health & Safety
  - Commercial
  - Transformation
  - Information Security
  - Security
  - Business Continuity

o Receiving and reviewing reports related to:
  - Anti-Money Laundering
  - Bribery / Gifts & Hospitality
  - Whistleblowing
  - Internal Audit activity;

o Receiving and reviewing the draft annual internal audit plan for onward
reporting to the Audit and Risk Committee (ARC);

o Receiving and reviewing the draft annual risk management plan for onward
reporting to the Audit and Risk Committee (ARC); and

o Reviewing the adequacy of policy governance and recommending changes.

3. Authority

The Risk & Compliance Committee is authorised to:

o Seek any information it requires from anyone in the organisation in order to
perform its duties, including calling anyone to the meeting to be questioned as
required; and

o Obtain outside legal or other professional advice on any matter within its
terms of reference.

4. Meetings

o The R&CC shall meet at least six times a year and otherwise as required;

o The quorum shall be two members, who will be deemed competent to
exercise all or any of the authorities and powers vested in or exercisable by
the committee;

o The committee will arrange for an annual review of its own performance to
ensure it is operating effectively and recommend any changes it considers
necessary to ET for approval; and

o The committee will ensure its terms of reference and membership are
reviewed on an annual basis and updated as required.

5. Reporting

o The committee shall report to the Executive Team on its proceedings on all
matters within its purpose and responsibilities, highlighting significant risk and
compliance matters for their attention;

o The committee shall report to the Board and the Audit, Risk and Compliance
Committee as requested; and

o The committee shall input to the Post Office annual reporting as appropriate.

6. Membership

Members

General Counsel (Chair)          Jane MacLeod
Chief Executive Officer          Paula Vennells
Chief Finance Officer            Alisdair Cameron
Group People Director            Neil Hayward
Financial Services Director      Nick Kennett
Company Secretary                Alwen Lyons

Other attendees

Head of Risk & Assurance         Arnout van der Veer
Head of Internal Audit           Garry Hooton
Chief of Staff                   Gavin Lambert

Secretariat                      Georgina Blair

Appendix 2
RCC Forward planner — proposed topics and allocation (assuming 6 meetings per year)

Proposed meetings: 1) Jan, 2) Mar, 3) May, 4) July, 5) Sep, 6) Nov

Item                                                          Meetings allocated (of 6; month
                                                              columns not legible in this copy)

1. Standing Agenda Items
   Minutes and actions from previous RCC meetings             6
   Minutes from POMS RCC meetings                             6

2. Governance Items
   Review of RCC Terms of Reference                           1
   RCC effectiveness against ToR self-assessment              1

3. Risk Management, Internal Control and Assurance
   Group Risk Profile                                         2
   Key Further Actions & Risk Incidents                       5
   Internal Audit update                                      6
   Internal Audit - approval of the upcoming plan             1
   Business Continuity - approval of annual plan              1

4. Financial Reporting and Disclosure
   Risk disclosures for annual report and accounts            2
   Board Annual Assessment (including Executives Declaration,
   Key Policies and Control Self Assessment)                  1
   Corporate Governance Statements                            -

5. Compliance
   Regulation
     Anti Money Laundering                                    5
     Anti Bribery & Corruption                                1
     Competition Law                                          1
     Data Protection                                          1
   Conduct / People
     Customers (e.g. Vulnerable, Conduct issues)              1
     Ethics and Code of Conduct                               1
     Fraud and Theft                                          1
     Whistleblowing                                           1

6. Deep Dives
   FS Deep Dives on specific issues                           2
   Pensions                                                   1
   Health and Safety                                          -
   Incident Management, Disaster Recovery & Crisis Management -
   Transformation Risk                                        1
   Cyber / IT Security                                        -