POL00423370 - Post Office Ltd - Risk and compliance committee

RCC 7 SEPTEMBER 2015

Post Office Ltd - Confidential

POL00423370

PAPER EIGHT

Risk and Compliance Committee (R&CC)

Reference: R&CC August 15

Date: 06 August 2015

Venue: Boardroom, Finsbury Dials

Time: 14:00 - 16:00

Attending:

Jane MacLeod (JM) General Counsel Chair

Alisdair Cameron (AC) Chief Financial Officer Member

Nick Kennett (NK) Financial Services Director Member

Paula Vennells (PV) Chief Executive Officer Member (Items 1 - 7)
Alwen Lyons (AL) Company Secretary Member

Neil Hayward (NH) Group People Director Member (Items 1 - 8)
Steve Miller (SM) Head of Risk Report

Georgina Blair Risk Manager Minutes

Garry Hooton (GH) Head of Internal Audit Report

Martin George (MG) Commercial Director Report (Item 7)

Andy Garner (AG) Head of Managed Services Report (Item 7)

Andy Phillips (AP) Graduate Trainee, Commercial Report (Item 7)

John Scott (JS) Head of Security Report (Item 8)

Mike Morley-Fletcher (MMF) Head of Risk and Audit Guest

Apologies:

None

The Chair declared the committee quorate and opened the meeting.

Action 1667 (refresh the gifts and hospitality process with Commercial) was discussed and SM
confirmed that the risk team were in the process of reminding the Commercial team of the
requirements. NK queried why the action was confined to Commercial and was reminded that the
Gifts and Hospitality report at the last meeting had shown very few reports from Commercial.

Action 1666 (present the Conduct Risk Audit to the Committee) had not in fact been closed, as a
timing issue meant the papers were not cleared in time to be presented to the meeting. The audit
will be presented at the September meeting.

For Action 1660 (clarify Business Transformation reporting line for risk and assurance) JM noted
that there were regular BT risk workshops but that these were not governance meetings, and it had
been agreed with the Transformation Director that transformation risks would be presented to the
RCC as a regular item from October onwards.

For Action 1657 (POMS reporting at RCC) JM confirmed that going forward POMS RCC minutes
would be presented to the POL RCC (see item 2) and noted that POMS ARC papers would be
presented to the POL ARC.

The committee agreed the minutes of the previous meeting and the attached actions.

The committee asked NK whether there were any concerns arising as a result of the Collinsons
audit. NK noted that POMS had recently undergone a series of audits which had generally shown
that it was in good order, despite having only recently been established.

JM asked if the approach to customer detriment was the same in POL and POMS, and NK confirmed
that as customer delivery is managed through POL the approach is the same.

POL-BSFF-0238185

NK clarified that POMS has regulatory authority and responsibility for online and telephone sales at
present but does not commence oversight of sales within POL branches until 1st October.

AC noted that the style of minute taking in the POMS minutes was more detailed than in the POL
RCC meeting, and wondered if this created a risk of recording something that might be taken out of
context at a later date. The Committee discussed the more comprehensive style of minute taking
required by a regulatory authority and JM noted that the FCA would be looking for evidence of
challenge to be demonstrated in the meeting. The Committee requested that JM speak to Victoria
Moss to stress importance of capturing this in the POMS RCC minutes (Action 1668).

SM presented the updated risk profile, which included a method of comparing POL’s stated risk
appetite to the risk exposure of each top risk. This enabled the Committee to consider whether the
level of risk exposure was in line with the amount of risk the business was comfortable taking.
Incidents and metrics were used to demonstrate whether the qualitative evaluation of risk
exposure (the risk score) was correct. The Committee discussed the report and agreed that it was
a good start and that work should continue to improve the articulation of controls, and the quality
and number of metrics and incidents. It was agreed that SM would engage with Committee
members to gain their feedback on the top risks prior to presentation of the revised risk profile in
the September meeting (Action 1669).

PV queried why Sparrow was not included in the list of the top risks and it was agreed that there
would be a separate discussion with JM to determine the appropriate treatment for Sparrow
(Action 1670).

The Committee was asked to note the examples contained in these papers as further detail on
incidents as mentioned in the risk profile update.

SM gave an update on the current status of business continuity planning in the business. The
Committee discussed the situation and agreed that there was both a need to understand POL’s
business continuity landscape in order to identify the gaps, and to test and improve business
continuity arrangements on existing key systems.

JM explained that there is no existing resource in the business who can do this (the business
continuity function is currently being backfilled by a risk business partner who is spending most of
his time on business continuity elements in current procurement processes). JM agreed to
determine the scope of the task and estimate the cost and then discuss with AC (Action 1671).

The Committee noted that it was likely that there were existing business continuity processes in
place covering key systems used in customer critical functions such as Supply Chain and the call
centres. PV requested that the key systems were identified and the relevant SLT members asked if
they were confident that business continuity arrangements were in place (Action 1672).

SM briefly explained that there was no single POL-wide incident management process but instead a
series of disparate reporting lines, and that further work was needed to identify the optimum
solution for POL. The Committee approved the suggested next steps which include a report to the
September RCC (Action 1673).

MG and AP updated the Committee on the work that had been done on POL’s approach to elderly
and vulnerable customers since the last Committee meeting. This had included a review of the
existing processes and procedures in place and identification of the gaps. It had been discovered
that a Disability and Discrimination working group had been established and it was proposed that
the vulnerable customer work would include their input.

The Committee discussed the definition of vulnerable customers, and recommended that the word
‘elderly’ was dropped from the description, as not all elderly customers are vulnerable, nor all
vulnerable customers elderly. It was noted that it was sometimes challenging to identify
vulnerable customers, particularly in the case of temporary vulnerability such as bereavement. AC
requested that the costs of any proposed initiatives be reported.

MG agreed to provide a one page update to each successive Committee meeting until this work is
completed (Action 1674).

PV requested that MG identify the most common sensitive situations where vulnerable customers
were encountered (for example, an elderly person whose phone line has developed a fault, or a
customer whose relative has died) and ensure that special arrangements were in place and had
been communicated to the relevant staff. A short summary of this activity should be provided to
the next meeting (Action 1675).

JS provided the Committee with key highlights from the Anti-Money Laundering (AML) report.

It had been identified that up to 2% of branch transactions exceeded the 15,000 Euro limit
imposed by POL’s class of registration with HMRC. A top-performing branch was currently being
investigated for performing transactions above permitted limits and the Committee agreed that it
was important that correct action was taken with regard to the agent who had failed to follow the
required procedure. The Committee discussed whether POL should consider offering higher value
transactions; JM explained that a higher value of transaction brought more onerous customer due
diligence requirements and any proposal would need to take this into account. JS explained that
the 4th Anti-Money Laundering Directive will reduce the Euro limit to 10,000 Euros and the
Committee noted that this is a relatively small amount. JS explained that HMRC was concerned
because we cannot track customer spending between different branches.

JS also explained that HMRC were suggesting that POL has ownership and liability for AML matters
relating to bill payments on six of our bill payment clients, because of the structure of the
contracts.

The Committee discussed the potential mismatch between the contractual responsibility for AML
which lies with our banking partners, and the regulatory expectation that we will be carrying out
appropriate monitoring and training.

JS explained that there was currently no dedicated AML resource at managerial level, although he
was recruiting for a band 4 position which was intended to cover both Financial Crime and AML. JM
explained that in order to get a clear understanding of what POL’s risk and responsibilities were
around AML an external review would be commissioned which would, initially, be funded from the
legal budget.

JS mentioned that they were also looking at possible technological solutions to help with
monitoring, and the Committee recommended that this be discussed with the Back Office
programme. NK asked JS to meet him and Jono Hill to discuss forex and bill payment issues
(Action 1676).

GH updated the Committee on recent audit activity.

With regard to contract management, the Committee requested that a list of the big contracts and
those responsible for them be produced (Action 1677).

The Committee also requested clarification of the assurance programme over IT transformation
(Action 1678).

JM proposed that David Hussey, Transformation Director, be co-opted on to the Committee. The
Committee agreed (Action 1679) and asked whether there should be someone from Network
present. JM said she would discuss Network representation with Kevin Gilliland (Action 1680).

JM stated that the rolling agenda would be reviewed at the September meeting.

Action Summary and Updates

| Date | Ref | Action | Lead | By | Update |
|---|---|---|---|---|---|
| 08/15 | 1680 | Discuss Network representation on the RCC with Kevin Gilliland, Network Director | Jane MacLeod | 7 Sept | Kevin Gilliland or Network representative to attend on 7 September - closed. |
| 08/15 | 1679 | Co-opt Transformation Director onto Committee | Jane MacLeod | 7 Sept | David Hussey to attend on 7 September - closed. |
| 08/15 | 1678 | Provide the Committee with clarification of the assurance programme over IT transformation | Garry Hooton | 7 Sept | Included in agenda item 7 (Internal Audit report) - closed. |
| 08/15 | 1677 | Produce a list of the big contracts and those responsible for them | Garry Hooton | 7 Sept | List of top contracts by spend obtained from Procurement - closed. |
| 08/15 | 1676 | Meet NK and JH to discuss forex and bill payment issues. | John Scott | 7 Sept | Meeting set up for 8 October - closed. |
| 08/15 | 1675 | Identify the most common sensitive situations where vulnerable customers were encountered and ensure that special arrangements are in place and have been communicated to the relevant staff - provide short summary of this activity | Martin George | 7 Sept | Summary of activity completed provided - closed. |
| 08/15 | 1674 | Provide a regular short update on Vulnerable Customer approach until this work is completed | Martin George | 26 Oct | Next report 26 October. |
| 08/15 | 1673 | Present plan, scope of the work required and resourcing model for POL’s Incident Management Process | Steve Miller | 7 Sept | Included in agenda item 4 (Business Continuity Planning & management) - closed. |
| 08/15 | 1672 | Identify key systems and operations and ask SLT members if they are confident that business continuity arrangements are in place | Steve Miller | 7 Sept | Included in agenda item 4 (Business Continuity Planning & management) - closed. |
| 08/15 | 1671 | Scope business continuity resource needed and estimate the cost and discuss with Alisdair Cameron | Jane MacLeod | 7 Sept | Included in agenda item 4 (Business Continuity Planning & management) - closed. |
| 08/15 | 1670 | Determine the appropriate treatment (risk or issue) for Sparrow | Jane MacLeod | 7 Sept | Reputational risk to be included in POL’s risk register, which incorporates the impact of Sparrow - closed. |
| 08/15 | 1669 | Gain feedback from Committee members on top risks prior to presentation of the revised risk profile | Steve Miller | 7 Sept | Completed in preparation for Risk Champions Meeting on 19 August - closed. |
| 08/15 | 1668 | Speak to Victoria Moss to stress importance of capturing evidence of challenge in POMS RCC minutes | Jane MacLeod | 7 Sept | |
| 05/15 | 1667 | To refresh Gifts and Hospitality Policy awareness and discuss reporting process with Commercial | Steve Miller | 7 Sept | |
| 05/15 | 1666 | Conduct Risk Audit (FS) to be presented to the Committee | Garry Hooton | 7 Sept | FS senior management leave commitments meant audit not yet cleared. Due to be cleared in w/c 14/09. |
| 05/15 | 1663 | Corporate governance code ‘gaps’ and proposal on work to improve compliance for 15/16 ARA to be presented to the Committee in preparation for presentation to the ARC in September and Board in October | Steve Miller | 7 Sept | Included in agenda item 3 (Corporate Governance Code & Control Framework). |
| 03/15 | 1657 | Discuss interaction between POL and POMS with regard to reporting at RCC with Financial Services Director | Jane MacLeod | 6 August | Done - POMS RCC minutes to be presented to POL RCC - action closed. |
| 01/15 | 1655 | Prepare and implement a communications plan to raise awareness of the whistleblowing line | Steve Miller | 26 October | Whistleblowing framework currently under review. Action point carried forward to next meeting. |
| 01/15 | 1649 | Commercial Director to give an update on vulnerable customers - definition and proposed best practice at the next meeting. | Martin George | 6 August | Done - see item 7 of August 2015 meeting - action closed. |

Next Meeting - 26 October 2015 Room 1.19 Wakefield 12.00 - 14.00
