POL00423367
RCC 14 July 2016 PAPER ONE
Post Office Ltd - Confidential
Risk and Compliance Committee (R&CC) Reference: R&CC May 16
Date: 05 May 2016 Venue: Boardroom, Finsbury Dials Time: 13:00 - 16:00
Attending:
Jane MacLeod (JM) General Counsel Chair
Alistair Cameron (AC) Chief Finance Officer Member
Alwen Lyons (AL) Company Secretary Member
Nick Kennett (NK) Financial Services Director Member
David Hussey (DH) Transformation Director Member (mid-Item 2 onwards)
Kevin Gilliland (KG) Network and Sales Director Member
Martin George (MG) Commercial Director Member
Mike Morley-Fletcher (MMF) Head of Risk and Assurance Report
Garry Hooton (GH) Head of Internal Audit Report
Adnan Killedar Risk Business Partner Minutes
John Scott (JS) Head of Security Report (Item 9)
Jonathan E. Hill (JH) Head of Risk - Financial Services Report (Item 6)
Tom Moran (TM) Crown Transformation Programme Manager Report (Item 10)
Steve Norris (SN) Head of Property Report (Item 10)
Apologies:
Paula Vennells (PV) Chief Executive Officer Member
Neil Hayward (NH) Group People Director Member
The Chair declared the committee quorate and opened the meeting.
JM noted apologies from PV and NH due to train service disruption.
JM explained that the RCC needs to focus on four areas in today’s meeting. The areas being:
- Executives’ declaration (see item 4)
- Policies (see item 4)
- Financial Services deep dive paper on oversight of regulatory activity in branches (see item 6)
- Internal audit reports (see item 3).
The Committee agreed the minutes of the previous meeting and the attached actions.
The Committee discussed the actions and agreed the following:
Action 1710a - MG stated that Peter Markey has left the business and sought clarification on what
was required. MG to oversee drafting of the policy for the next RCC meeting.
Action 1715 - MMF updated the committee that Deana Herley (Internal Audit) will be taking this
forward. KG confirmed that he has allocated budget for this activity and that Kevin Seller will be
responsible from his team to take this forward.
Action 1707 - NK and JM to take this forward and report to the next RCC.
Risk and Compliance Committee minutes 05 May 2016 FINAL
JM stated that it is a requirement to annually review the terms of reference of the RCC and also to
review its effectiveness against the ToR. JM stated that Georgina Blair has performed a review and
has noted a couple of exceptions which need to be considered by the Committee.
- The first exception being that the RCC is required to review any whistleblowing reports. This
is being done in today’s meeting as Agenda item 8.
- The second exception is that the RCC should receive reports from various sub-committees
and review them before they are presented to the ARC. During the year as part of a review
of governance, the sub-committees reporting to the RCC have ceased to exist. JM stated
that the Committee needs to consider the scope of the sub-committees and ensure that high
risk areas such as Pensions are covered as part of the RCC agenda and ToR. JM stated that
the ARC needs to annually review the pensions risk and a deep dive is being planned for the
GE before reporting to the ARC.
The Committee expressed satisfaction with the review of the RCC ToR. It was agreed that the RCC
members will individually review the Terms of Reference and suggest amendments based on the
changes in structure. ToR to be reviewed in next RCC meeting (Action 1717). It was also agreed
that the Corporate Services team will review the RCC calendar to ensure it provides comprehensive
coverage of relevant items (per ToR) and delivers to ARC on a timely basis (Action 1718).
Current audit status
GH explained the status of the internal audit reviews. Seven reviews were completed since the last
RCC of which four were part of the Internal Audit (IA) plan while three reports covered reviews
related to Business Transformation Assurance (BTA). These reports have been finalised. Four
reviews are in the process of being finalised with their reports with the respective GE members for
their review and approval. GH listed the reports that have been finalised and those under review.
MG requested GH to provide the Social Media review report to him for clearance (Action 1719).
AC stated that he has gone through three reports in his area of responsibility and has approved
the Treasury Operational risk and Critical Metric Management reports. He also stated that he will
discuss responses to findings for the review of SISD with IT Management to ensure they are
achievable as some of the issues are constrained by the existing contracts (Action 1720).
GH also stated that three reports namely, CDP, Agents Remuneration and Data Protection are
being finalised. Three BTA reports were also presented to the Committee. AC enquired of MMF
as to how the changes in the Transformation Programme (Project Trinity) will be considered for
future BTA scope and budget. MMF informed the Committee that following Transformation bootcamps in May (and
impact of Trinity), the Business Transformation and Risk and Assurance teams will review coverage
of Transformation Assurance and split with main Internal Audit plan and present the revised plan
to the RCC (Action 1721). AC also requested GH send report on the Separation Programme
review to him (Action 1722).
Audit actions
GH presented an update on the outstanding actions from previous IA reviews. GH stated that there
is now a revised process whereby GE members receive a monthly list of outstanding actions in
their areas of responsibility. At the time of the last RCC, 32 actions were overdue, of which 26 have
been cleared and 6 have been carried over and are being monitored for completion.
Risk Management Framework
MMF stated that the Risk Management Framework development plan was on schedule. There have
been some changes, due to requests for new areas to be included such as the controls self-
assessment which has resulted in a rescheduling of the plan. Development of the Corporate
Governance Compliance route map has therefore been moved back to September.
Risk sections of the annual report and accounts (ARA).
MMF briefed the Committee on the risk sections of the annual report and accounts (ARA). AC
updated the Committee on his meeting with EY (external auditors) to discuss areas to be included
in the ARA. EY were of the opinion that, based on the structure and shareholding, POL could
provide more limited disclosures, for instance, much less detail on directors’ remuneration. AC
stated that he is expecting advice from EY on what sections need to be included in the POL ARA
and would update as appropriate, with Corporate Services to adapt Governance section of ARA as
appropriate (Action 1723). RCC wanted to know what other BIS-funded organisations cover in
their annual reports and JM requested AL to do research and report (Action 1724). MMF also
referred the RCC to the details of the Principal Risks in the ARA. RCC members were requested to
review the wording of principal risk, consequences and mitigations for inclusion in ARA (Action
1725).
Risk management objective
MMF reminded the GE members of the ARC request to reflect management of risks in their
objectives for 2016-17. Research with Chief of Staff and HR had suggested that this would be
better in role descriptions, which were likely to be revised after the new TOM was approved. MMF
will work with Chief of Staff and HR to develop proposal (Action 1726).
Policy Framework
MMF updated the RCC on the progress on the development and implementation of the Policy
Framework. As drafting of Corporate Services’ policies was coming to an end, MMF stated that a
lessons learnt exercise will be carried out to assess what can be done better from this pilot phase.
The next step is to start the implementation of policies which will include communicating with
stakeholders and training (if required). MG requested that MMF keeps him updated on the plan to
communicate policies to stakeholders and colleagues and how this will be rolled out /
communicated. MG stated that it is very important for embedding policies that the communication
should make clear what is required of people and also the consequences for non-conformance with
approved policies (Action 1727).
JM stated that some of the policies being reviewed today as agenda item number 5 are required for
the Banking Framework Agreement. Policies will be reviewed periodically and if required modified
based on implementation issues and/or “user experience”. JM also stated that all policies are
aligned with POL’s Risk Appetite. JM stated that an implementation plan for policies will be
presented at the next RCC (Action 1728).
MMF stated that the list of policies have been benchmarked through EY and Appendix 3 of the
paper contains the list of policies. The highlighted policies are those that POL has not documented.
It was agreed that the need for policies will be reviewed. AC stated that the Travel and Expense
policy is already covered through a well-documented guidance which is periodically reviewed. It is
sufficient and meets requirements. The Committee agreed that this will be taken off the policies
list. The Committee also agreed that policies 26 to 29 should be part of a single overall HR policy.
MG stated that his team is developing a Customer Treatment policy which will cover all POL
business areas. The policy will be completed by end of May 2016. JM suggested that Sharon Rai
within the Security team might be able to help as the Security team have done a lot of work in this
area. MG to develop straw man (including Vulnerable and Elderly aspects) and share with RCC
members (Action 1729).
The Committee agreed that the framework should be presented to the ARC in its next meeting for
approval (Action 1730).
DH joined the meeting.
BCP framework
MMF presented the BCP framework development update to the RCC. The plan was on schedule and
some BAU work is being supported by a risk business partner to ensure the framework is
developed and implemented in time. MMF informed the RCC that a Business Protection Team test is
being planned for this month.
Executive’s Declaration
MMF updated the RCC and confirmed that the Executive’s Declaration has been completed except
for two areas: Mobile communication, which is being drafted, and the extent of POMS and FRES
oversight, which NK has to review and approve.
AC enquired about the details of the oversight required. JM stated that POL sells a number of
products across its network. The two regulated products sold across the network are Travel
Insurance and Over 50s Life Insurance. There have been no significant complaints, and POL has not
learnt of any systemic issues across the network or any significant local issues relating
to this area. In light of this, JM stated that we should focus on developing our reporting and
oversight on regulated products with a view to expand this to other products. This is what is
disclosed in the Principal Risk note for “FS Regulatory Compliance”. NK confirmed that this was not
a major risk and that no further disclosure was required.
JM informed the RCC that the POMS ARC have requested PV to attend the POMS ARC meeting. POL
has two regulated products, namely Travel Insurance and Over 50s Life Insurance which it sells
through its network. These are POMS products and the POMS ARC seeks to satisfy itself that the
products are not mis-sold. KG informed the RCC that he will be attending the POMS ARC on behalf
of PV. JM stated that POL is already reviewing this area and have found no systemic issues. There
have been no major complaints or issues reported in this area as well. This paper has been
developed by NK and JM. JH, attending this session for Agenda Item 6, presented the report. The
RCC appreciated the paper.
MMF informed the Committee that seven policies (Financial Crime, Anti-Bribery and Corruption
(ABC), Anti-Money Laundering (AML), Business Continuity, IT Disaster Recovery, HR Vetting and
Whistleblowing) were included in the meeting papers for review and approval.
NK stated that he was in an HMRC session earlier and there was a lot of emphasis from the HMRC in
their audits on organisations’ vetting procedures. AC challenged whether we might be drafting
policies that we are not compliant with and that considerable effort may be required to implement
the documented policies, resulting in additional costs that business units had not budgeted for. He
also commented that some of the language in the policies might be too onerous for practical
implementation. The RCC agreed that a Policy Impact Gap Analysis should be carried out for all
redrafted or new policies to determine what actions will be required for implementation, including
resources and costs, and consider balance between cost and level of controls in line with Post
Office’s risk appetite. AML, ABC and HR Vetting policies should be covered as a matter of urgency.
(Action 1731).
In consideration of the discussion above, the AML, ABC and HR Vetting policies were withdrawn for
gap analysis review. In addition, Neil Hayward was requested to review the Vetting policy for
approval (and it was noted that it does not need RCC or ARC approval) (Action 1732) and Al
Cameron agreed to review the Disaster Recovery policy for approval (and it was noted that it does
not need RCC or ARC approval) (Action 1733).
JS provided the Committee with an update on the HMRC audit. JS stated that currently the audit is
in Phase 1 which includes Induction and Discovery to understand the framework and identify which
services POL is regulated for. One of the discussions concerns the services we provide to
Santander. The discussion is around whether POL is an agent (regulated by FCA) or a principal
(regulated by HMRC). HMRC are going through the contract, but this has become complicated as
Santander’s contract is an old one and since then Santander has acquired a number of other
businesses. JS stated that HMRC are working at determining which branches they will be visiting /
covering as part of their audit. They are also looking at our on-boarding procedures. The next step in
the audit will be branch visits; HMRC will inform POL in advance (two weeks before a branch visit) of
which branches they have selected for their audit. A detailed audit plan will also be provided by
HMRC, this will be determined by HMRC and POL Security. They will shortlist 200 branches of
which 150 will be selected for audit after discussions between HMRC and POL Security.
JS also updated the Committee on the implementation of the Promontory report. JS is looking to
recruit staff, which is proving difficult in view of the role requirements and the
compensation budget. A risk assessment will be carried out as soon as the positions have been
recruited to.
SN provided an overview on Property compliance and briefed the Committee on the risks. SN
stated that as per plan, risk assessments have been nearly completed, with the final ones to be
done by end of May 2016. All residential properties have had alarms fitted. There is one exception
to this where POL has not been able to gain access to the property.
SN stated that the overall risk has come down and by end of the financial year POL will be within
its risk appetite. Training of relevant staff will be completed by June 2016 and this will be followed
by regular site visits and checks. The Committee requested Head of Property to update the RCC on
progress in its next meeting (Action 1734).
JM provided an update on the whistleblowing process. JM stated that there have been no major
incidents of whistleblowing during the financial year. A total of seven incidents were reported
which have been investigated and closed. JM stated that in the coming financial year the
whistleblowing process will be further publicised to increase awareness.
JM stated that annually the RCC needs to review the Gifts and Hospitality register. The current
process is for all staff to report any events they attend to the Central Risk team who maintain a
register. The Committee agreed that all GE members will review their Gifts and Hospitality
registers and provide updates to the Head of Risk and Assurance (Action 1735).
JM referred the Committee to the three noting papers. The Committee had no comments.
No AOB was raised.
Next Meetings - 14 July 2016 Room 1.19 Wakefield 12.00 - 14.30
8 September 2016 Room 1.19 Wakefield 13.00 - 16.00