Post Office Ltd - Confidential
POL00423391
Risk and Compliance Committee (R&CC)
Reference: R&CC May 2017
Date: 04 May 2017
Venue: Boardroom, Finsbury Dials
Time: 13:00 - 16:00
Members:
Jane MacLeod (JM) Group Legal, Risk & Governance Director Chair
Al Cameron (AC) Chief Finance & Operations Officer Member
Alwen Lyons (AL) Company Secretary Member
Kevin Gilliland (KG) Chief Executive - Retail Member
Martin Kirke (MK) HR Director Member
Nick Kennett (NK) Chief Executive - Financial Services & Telecoms Member
Rob Houghton (Rob H) Group Chief Information Officer Member
Attendees:
Richard Williams (RW)
Senior Risk Manager
Report (Paper 3.1)
Johann Appel (JA)
Senior Audit Manager
Report (Paper 5)
Deana Herley (DH)
Senior Assurance Manager
Report (Paper 3.2)
Georgina Blair
Risk Business Partner
Secretariat
Jonathan Hill (JH)
Head of Risk, Banking Regulation and Strategy
On behalf of Chief Executive - Financial Services and Telecoms (Paper 5.4)
Jenny Ellwood (JE)
Head of Transformation Risk and
Assurance
Report (Paper 5.6)
Amanda Radford (AR)
Financial Controller
Report (Paper 5.2)
Martin Hopcroft (MH)
Head of Health and Safety
Report (Paper 5.5)
Sally Smith (SS)
Head of Financial Crime
Report (Paper 5.3)
James Dingwall (JD)
Interim MLRO
Report (Paper 5.3)
Angela Van Den Bogerd (AVB)
People & Change Director
Report (Papers 5.5 & 5.6)
Russell Hancock (RH)
Supply Chain Director
Report (Paper 4.1)
Sharon Gilkes (SG)
Business Performance and IT
Transformation Director
Report (Paper 3.2)
James Carter (JC)
HR Projects Manager
Report (Paper 7.1)
Kelly Taylor (KT)
Employee Relations Manager
Report (Paper 7.1)
Apologies:
Paula Vennells Group Chief Executive Member
The Chair declared the committee quorate and opened the meeting. The Chair asked for any
conflicts of interest to be declared. Standing conflicts of interest were acknowledged and no other
conflicts were raised.
Risk and Compliance Committee minutes
04 May 2017
DRAFT v.02
The Committee agreed the minutes of the previous meeting and reviewed the open actions.
AP 1771 (Vulnerable Customers) - The Chair noted that a partner bank had recently asked
whether POL had a Vulnerable Customer Policy. JH explained that there is a standard procedure
for responding to such queries, and noted that there is an increasing focus on vulnerable
customers by the FCA. An update on the policy is expected at the next RCC meeting.
AP1770 (GE accountabilities) - The Chair reported that she would speak to Ben Gray about work
he might be doing in this area, and update the action.
AP1768 (Fraud Reporting) - AC noted that there was a need to confirm accountabilities in this area
given the recent reorganisation. NK explained that Bank of Ireland will start providing fraud data
to POL, and that FRES already provides data. AC and JM agreed to meet to discuss accountabilities
and to report back to the Committee (AP 1774).
AP1767 (Tax Governance) - AR explained that a paper was being prepared for May ARC giving the
context of current tax governance arrangements, the background to the HMRC report and how POL
is addressing HMRC’s findings. A strategy paper will follow later in the year. AR confirmed she
would circulate the ARC paper to RCC Committee members prior to the ARC meeting.
3.2 Executive Declarations
DH introduced the paper and explained the categorisation of declarations, and asked the
Committee to consider which declarations should be reported in the ARC paper. The Committee
discussed the declarations and requested that DH produce a summarised paper updated to reflect
their comments and recirculate it prior to ARC (AP 1775).
The Committee discussed the Camelot audit issue, and requested that KG prepare a lessons
learned report on Camelot describing what happened, how it was discovered and what the
consequences are, for the next RCC meeting (AP 1776).
3.1 Top Risks and Risk Appetite
The Chair introduced the paper, explaining that the top risks had been referenced to the group risk
profile reviewed by the Committee in January 2017 and reorganised into a format consistent with
the risk placemat. Risks had also been linked to risk appetite statements. Key risk
indicators had not yet been identified, but it was expected that these would come out of the
placemat work. The Committee discussed the risks and noted that not all members had yet
commented on their risks. Accordingly they were requested to provide updates to RW so that the
risks could be updated to reflect their comments prior to submission to ARC (AP 1777).
3.3 Risk Section of the Annual Report and Accounts
The Committee noted that this section would be reviewed to reflect the changes to the top risks.
Russell Hancock joined the meeting.
4.1 Supply Chain Pilot of the Placemat
The Chair introduced the placemat pilot and explained that it would be extended to the other areas
in Finance and Operations. AC noted that the pilot had been very useful but that the assessment
process was still being developed, and that his leadership team were committed to running the
process across Finance and Operations with a full report going to September RCC. The Committee
requested an update on progress at the July meeting (AP 1778).
RH explained how the process had worked in Supply Chain, and how it had helped him identify
wider risks in his area and given him a format to help monitor them. He confirmed that even
though it had been a pilot, and involved an amount of pre-work, it had not been onerous. The
Chair noted that a benefit of the placemat process was to enthuse members of the business unit
about risk management. RH noted that the challenge going forward will be to keep the outputs up
to date, and the Chair confirmed the expectation that each business unit will update their
assessment once a quarter, in an activity led by the business unit Risk Champion and supported by
the Central Risk Team. The Chair advised that at the July meeting the Committee would be
requested to consider the roll out timetable for the placemat across the business.
RH left the meeting. Rob H and SG joined the meeting. AR left the meeting.
5.1 IT Controls
Rob H introduced the paper. AC asked if the work described in the paper was meant to reassure
the Committee about the state of IT Controls. Rob H explained that the work had confirmed that
POL is outside its risk appetite with regard to IT Controls. The Committee asked Rob H to confirm
what he was most worried about. Rob H explained that it was POL SAP/HR SAP falling over and
that the current control environment would still let these systems go down but that the response
time would be better. He noted that focus was on improving the control environment through a
combination of improving hardware and improving identification of threats. Rob H explained that
SG had been preparing an operational risk ‘Tube map’ to enable informed decision making. The
Committee requested that this be brought to the July meeting (AP 1779).
AR re-joined the meeting. Rob H and SG left the meeting.
5.2 Financial Controls
AR introduced the paper and explained that Phase 2 of the project would tackle the master data,
that the team is currently making good progress and that a controls manager is being recruited.
MH and AVB joined the meeting.
5.5 Health and Safety
MH introduced the paper noting that performance was strong for all four of the key health and
safety metrics, including absence accidents and lost days. The Committee discussed the
presentation of metrics and noted the difficulty in benchmarking H&S metrics. MH noted that
reporting and oversight were to be re-considered during Q1 and new metrics identified. The H&S
subcommittee deep dive on the following day would include a review of road risk, which was a
current area of concern. AC noted a recent incident in which a driver in Supply Chain had revealed
his licence had been removed for alcohol dependency, and explained that they were looking at the
introduction of an enhanced method of breath testing and using fingerprint testing as a permission
to release keys in Supply Chain. The Network Operations Director had been asked to review safety
procedures for people who drove either their own or company cars for Post Office business.
MH & AR left the meeting. SS and JD joined the meeting.
5.3 Financial Crime
SS introduced the paper. The Committee discussed the disappointing completion rate for AML/CTF
training for all back office employees, which was due to be completed by 21st April but only
appeared to have been completed by 53% of employees. Difficulties in tracking who had
completed compliance tests would be resolved once the EUM project was implemented, although
there was a great deal of data cleansing to be done before implementation.
JD explained that work commenced in February on risk-assessment work on further products and
services and is currently on track, although there has been a need to accelerate the risk
assessment of POMS and the insurance products under its umbrella. The Drop & Go risk
assessment was much improved, and Laura Plunkett, the Product Manager, had been exemplary in
her approach to tackling the problems. Workshops with other product managers were being
planned. The Committee discussed the role of product managers. SS explained that HMRC are to
review Bill Payments later in 2017. The Committee noted that additional resource will be needed
to review bill payment services and this should be viewed as a priority.
The Chair noted that the Financial Crime team had flagged that vetting procedures for corporate
agents needed to be reviewed and we needed to determine what assurance was required for
changes to directors and shareholders, etc.
SS and JD left the meeting.
5.6 Transformation
JE introduced the paper noting that there had been some changes to the top risks reported in
March, namely that the Resourcing - Off Payroll risk had reduced but that Complex Change
Portfolio Delivery and IT Vendor Renegotiation / IT Supplier Capacity remained red. The
Committee noted the emerging risk posed by a Royal Mail strike.
TA joined the meeting.
5.4 FS Conduct
JH introduced the paper and explained that the conduct scorecards from Bank of Ireland and POMS
had not been ready for the RCC meeting but might be ready for ARC. The Committee noted that
the ARC would want to know how the business ensures that Customer Relationship Managers aren’t
mis-selling. JH explained that this was set out in the paper, and that the next phase of work
would be focussed on counter staff and insurance products. The Committee noted that the themes
of current FCA focus were culture and vulnerable customers. NK noted that there were no updates
as to whether the Senior Manager Regime will apply to appointed representatives, however it will
apply to POMS.
TA introduced the paper, explaining that business continuity planning continues across all sites,
with recent activity focussed on Swindon. Plans are underway for a full day exercise at the
Chesterfield (Finance Service Centre) recovery site. A business continuity workshop with Royal
Mail is planned to help assess the potential impact of a Royal Mail strike. The Committee briefly
discussed the proposed workshop and requested that TA include somebody from POL who had
experienced the last Royal Mail strike in the working group (AP 1780).
JA updated the Committee on recent audit activity, noting that two audit reports had been issued
since March ARC with a further seven reports in the process of being cleared with management for
reporting at the May ARC. The Committee noted the reviews planned for the first quarter of
2017/18 and KG thanked JA for bringing the review of Mails Processes forward.
JC and KT joined the ne
7.1 Modern Slavery
JC updated the Committee on recent activity, explaining that due diligence had been undertaken
on POL business and supply chains to identify potential areas of risk for modern slavery. A revised
Statement on Modern Slavery had been prepared in line with the legislation which must be
published within 6 months of year end.
The Committee agreed to recommend to the ARC and Board that the 2017-2018 Modern Slavery
Transparency Statement should be adopted.
MK, JC and KT left the meeting.
The Committee noted the following papers:
8.1 Horizon Scanning
8.2 POMS RCC minutes (February and March 2017)
8.3 Whistleblowing Report
8.4 Identity Fraud Incident Report
Nothing raised.
Next Meeting - 20 July 2017, Room 0.03 Moorgate 13.00 - 16.00