Agenda
POL00423690
POST OFFICE LIMITED
Meeting: Audit, Risk & Compliance Committee
Date: 30 March 2021
Time: 09.00 - 11.30
Location: 1.19 Wakefield, Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ / Microsoft Teams
Present:
Carla Stent (Chair)
Tom Cooper (NED, UKGI)
Alison Rodwell (BEIS ARAC NED Observer)
Zarin Patel (NED)
Invited Attendees:
Tim Perkins (Service and Support Optimisation Director): Item 2
Tracy Marshall (Postmaster Effectiveness Director): Item 2
Amanda Jones (Retail and Franchise Network Director): Item 2 & 9
Sally Smith (Money Laundering Reporting Officer & Head of Financial Crime): Item 3
Tom Lee (Financial Controller): Item 4.3
Amanda Bowe (Post Office Insurance ARC Chair): Item 7
Jonny Lonsdale (Business Continuity Manager): Item 8
Martin Hopcroft (Head of Health & Safety): Item 8
Andy Kingham (Franchise Partnering Director): Item 9
Mark Siviter (Product Portfolio Director - Mails, Retail, PUDO & Gov services): Item 9
Regular Attendees:
Tim Parker (Group Chairman, POL)
Nick Read (Group CEO)
Alisdair Cameron (Group CFO)
Ben Foat (Group General Counsel)
Andrew Paynter (Audit Partner, PwC)
Sarah Allen (Senior Manager, PwC)
Rosie Clifton (Manager, PwC)
Johann Appel (Head of Internal Audit)
Mark Baldock (Head of Risk)
Jonathan Hill (Compliance Director)
Rebecca Whibley (Senior Assistant Company Secretary)
Hugo Sharp (Deloitte Partner)
Ken McCall (SID)
Strictly Confidential
Time | Item | Owner | Action
09.00 | 1. Welcome & Conflicts of Interest | Chair | Noting
09.05 | 2. Postmaster Policies | Tim Perkins, Tracy Marshall & Amanda Jones | Approval
| 2.1 Postmaster Complaints Handling Policy | |
| 2.2 Network Transaction Corrections Policy | |
| 2.3 Network Cash and Stock Management Policy | |
| 2.4 Postmaster Termination Decision Review Policy | |
| 2.5 Postmaster Onboarding Policy | |
| 2.6 Postmaster Training Policy | |
| 2.7 Guide to Policy Standards for Postmasters | |
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
POL-BSFF-0238508
09.30 | 3. Whistleblowing Policy Review | Sally Smith | Discussion & Approval
09.40 | 4. Previous Meetings | Chair |
| 4.1 Minutes (26 January 2021 & 26 February 2021) | | Approval
| 4.2 Action List | | Noting
| Update from External Audit | Andrew Paynter | Noting
| Draft Risk and Compliance Committee Minutes (16 March 2021) (subject to RCC Chair review) | | Noting
09.45 | 5. Risk, Compliance and Internal Audit Updates | |
09.45 | 5.1 Risk Update | Mark Baldock | Noting
09.55 | 5.2 Risk Appetite Statement: Legal & Compliance | Ben Foat & Jonathan Hill | Noting & Approval
10.05 | 5.3 Compliance Update | Jonathan Hill | Noting
10.15 | 5.4 Internal Audit Update | Johann Appel | Noting
10.25 | 6. Internal Audit Plan 2021/22 | Johann Appel | Noting & Approval
10.35 | 7. Update from Subsidiaries: Post Office Management Services (ARC) | Amanda Bowe | Noting
10.45 | 8. Business Continuity Review | Jonny Lonsdale & Martin Hopcroft | Noting
11.00 | 9. Deep Dive: Dangerous Goods | Andy Kingham, Mark Siviter & Amanda Jones | Noting
11.20 | 10. Committee Terms of Reference Review | Rebecca Whibley | Noting
11.25 | 11. Any other business | All | Noting
Items for Noting
These items will not be presented to the Committee and any questions should be sent to the Secretary for submission to the author for response. Questions and answers will be recorded as appendices to the meeting minutes.
1. Cyber Security | Tony Jowett | Noting
2. Procurement Governance & Compliance | Barbara Brannon
3. Law & Trends | Sarah Gray & Ben Foat
4. Bi-Annual Legal Risk Review (Non GLO/Starling) | Sarah Gray & Ben Foat
5. Strategic Partner Financial Stability Update | Emma Conway/Dan Zinner
6. Deep Dive: Payzone Governance | Andrew Goddard
7. Foreign Currency and Hedging | Tom Lee & Peter Mitchell
Items for approval via Written Resolution
These items will not be presented to the Committee and approval will be sought via Written Resolution to be signed by members prior to the meeting. Any questions relating to these items should be sent to the Secretary for submission to the author for response.
1. Policies for Approval/Noting | Jonathan Hill | Approval
1.1 Summary Paper
1.2 Health & Safety
1.3 Procurement Policy
Next ARC Meeting: Tuesday 18 May 2021 at 09.30 to 12.00 in 1.19 Wakefield, Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ
Tab 2 Postmaster Policies
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Postmaster Policies
Meeting Date: 30 March 2021
Author: Amanda Jones, Retail and Franchise Network Director; Tim Perkins, Service and Support Optimisation Director
Sponsor: Reviewed & approved by sponsor for presentation to the Committee.
Input Sought: Decisions
The Committee is asked to approve the six new Postmaster policies (set out in the Appendices), to be effective from the date of Audit, Risk & Compliance Committee's (ARC) approval:
• Postmaster Complaint Handling Policy
• Network Transaction Corrections Policy
• Network Cash and Stock Management Policy
• Postmaster Termination Decision Review Policy
• Postmaster Onboarding Policy
• Postmaster Training Policy
The Committee is asked to separately approve the issuing of a policy guide for postmasters (also set out in the Appendices), considering the legal advice, to be issued from a date to be confirmed after ARC's approval:
• Postmaster Guide to Policies
Previous Governance Oversight
The policies listed above were approved by the Risk and Compliance Committee on 16 March,
subject to the following additions, which have been completed.
1. In the Termination Decision Review Policy, to make clear that the Review Panel referred
to is independent and external.
2. In the Postmaster Training Policy, to make clear that a trainer will be present at the
postmaster’s first cash collection, delivery and branch monthly balancing.
Executive Summary
Following the Group Litigation Order (GLO), Post Office set about ensuring that its processes
complied with the findings of the GLO.
The focus on processes delivered a large number of changes to the support that Post Office
offers postmasters, but these processes were not necessarily governed by a policy at the point
of process changes being made. Primarily this was the case because no policy existed in the
first instance or the policy was so dated that it was irrelevant to the processes undertaken pre
or post the GLO.
Having policies in place for the support Post Office provides postmasters will bring Post Office in line with best practice franchise businesses. The purposes of the policies are to provide guidance, set down principles and highlight risk areas, while also ensuring that Post Office is able to support postmasters effectively and compliantly with the GLO.
As part of an overall review of postmaster support policy requirements, this paper seeks
approval for four new postmaster policies to reflect how Post Office will provide support to
postmasters as well as a guide to policies that will be made available to postmasters.
Questions addressed
1. What policies are required to support the changes made to postmaster support following
the GLO?
2. What policies have recently been developed and now require approval?
3. What further policy work is required to ensure there is a full complement of postmaster
support policies in place and how will these be continually reviewed in the future?
Report
Background
1. Following the Common Issues Judgment and Horizon Issues Judgment in the GLO, Post
Office focused on improving processes to ensure compliance with the outcomes of the
judgments.
2. Whilst process improvements were delivered, Post Office has identified that there was an
absence of overarching policies for these processes to sit under. Where policies previously
existed, they were often very aged and did not bear relevance to the processes that Post
Office had improved.
3. As such, Post Office has set about developing a set of postmaster policies across key areas
of postmaster support.
Postmaster Policies
4. Post Office has identified that a comprehensive suite of postmaster policies is required to demonstrate and ensure GLO compliant support to postmasters in the following areas:
• Network Monitoring and Audit Support
• Network Cash and Stock Management
• Network Transaction Corrections
• Postmaster Account Support
• Postmaster Accounting Dispute Resolution
• Postmaster Contractual Performance
• Postmaster Suspension
• Postmaster Termination
• Postmaster Termination Decision Review
• Postmaster Complaint Handling
• Postmaster Training
• Postmaster Onboarding
5. The policies relating to Network Monitoring and Audit Support, Postmaster Account Support, Contractual Performance, Postmaster Suspension and Postmaster Termination are already approved and in use.
6. The policy relating to Postmaster Accounting Dispute Resolution is ready for ARC approval
by written resolution following offline reviewing with members of the ARC and legal.
7. This paper seeks approval of the policies relating to Postmaster Complaint Handling,
Network Transaction Corrections, Network Cash and Stock Management, Postmaster
Termination Decision Review, Postmaster Onboarding and Postmaster Training. These
policies can be found in the appendices to this paper.
8. This paper also seeks approval of the Postmaster Guide to Policies which can be shared with
postmasters. This document can also be found in the appendices to this paper.
9. Previous papers to the RCC and ARC indicated that a Postmaster Accountability policy would
also be developed. Following a review of the requirements for this particular policy, the
requirement for such a policy has been de-scoped.
10. All policies and the policy guide have been reviewed by Post Office internal stakeholders and the National Federation of Subpostmasters (NFSP), and have had external legal oversight from Herbert Smith Freehills or Norton Rose Fulbright.
Policy Overviews
11. The Postmaster Complaint Handling policy sets out the standards relating to the management of postmaster complaints, that a fair process is followed for all postmaster complaints and that any complaint raised is taken seriously and investigated fully. It also gives guidance on the identification of whistleblowing reports. To help the ARC understand the application of the policy in practice, the Complaint Handling process is included in Appendix 8 and the template used for internal reporting of complaints and progress against resolving them is at Appendix 9.
12. The Network Transaction Corrections policy details the standards behind how Post Office identifies and issues Transaction Corrections and Transaction Acknowledgements, ensuring that postmasters are notified without undue delay and that support is provided to understand the reasons behind the issuing. The process for issuing a Transaction Correction is included in Appendix 10 to this paper to help the ARC understand the application of the policy in practice, and the list of controls that are monitored within Service and Support is in Appendix 11 (Operational Controls Self-Assessment) for the same purpose.
13. The Network Cash and Stock Management policy explains the principles to ensure that postmasters are supported effectively in managing cash and stock provisions in branch.
14. The Postmaster Termination Decision Review policy sets out how Post Office will deal with any situation whereby a postmaster does not agree with a decision to terminate their agreement, either by notice or immediately.
15. The Postmaster Onboarding policy details the principles that ensure that new postmasters are supported effectively in their early days, ensuring that the onboarding process meets regulatory and contractual obligations.
16. The Postmaster Training policy sets out the standards for ensuring that postmasters receive a comprehensive training provision to support the effective running of their branch(es).
Postmaster Guide to Policies
17. The Postmaster Guide to Policies is a document that can be shared with postmasters and is a guide to the principles that Post Office teams need to follow and how these principles are linked to specific policies.
18.A legal review of this document has identified some legal risks in the publication of this
docu
.
19. These risks have been mitigated to some extent by including wording in the guide and each policy to state that they do not form part of the contract with postmasters, and through ensuring that the guide will not be issued to postmasters prior to them entering into a contract with Post Office.
20. These risks should also be taken in perspective with Post Office's desire to provide reassurance to postmasters that Post Office has robust policies in relation to postmaster support following the GLO and its desire to be transparent in its dealings with postmasters.
Next Steps & Timelines
21. Following approval of the six policies, Post Office will ensure that:
• all relevant teams are fully trained on the new policies by the end of April 2021.
• the policies are reviewed annually, for approval at RCC, beginning April 2022.
22. Policies previously approved at RCC and ARC in 2020 and 2021 will be updated and resubmitted with a list of changes at the RCC meeting to take place on 4th May 2021, and the ARC meeting on 18th May (following the request from the ARC Chair), in line with the annual review requirements of the policies.
23. In addition to the annual review of policies, as requested by the RCC, there will be quarterly reporting to the RCC on compliance with the Postmaster policies.
24. Following approval of the policy guide, Post Office will ensure that:
• the guide is published to postmasters in line with the re-issue of the Postmaster Support Guide.
• the guide is made available for postmasters to access online.
• the guide is reviewed annually in line with policy approvals beginning April 2022.
Appendices
1. Postmaster Complaint Handling Policy
2. Network Transaction Corrections Policy
3. Network Cash and Stock Management Policy
4. Postmaster Termination Decision Review Policy
5. Postmaster Onboarding Policy
6. Postmaster Training Policy
7. Postmaster Guide to Policies
8. Postmaster Complaint Handling Process
9. Postmaster Issue and Complaints Dashboard Template
10. Transaction Correction Issuing Process
11. Operational Controls Self-Assessment
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Whistleblowing Policy Review & Report
Meeting Date: 30 March 2021
Author: Sally Smith, Money Laundering Reporting Officer & Head of Financial Crime
Sponsor: Ben Foat, Group General Counsel
Input Sought: Discussion & Approval
The Committee is asked to:
- review and discuss the whistleblowing review and its conclusions as part of its role in
monitoring the adequacy and effectiveness of the Group's whistleblowing systems and
controls; and
- approve the proposed amendments to the whistleblowing policy* and the appointment of
the Whistleblowing Champion.
Previous Governance Oversight
Annual Whistleblowing report and policy review July 2020. These proposed policy amends and
the accompanying report were approved at POL Risk & Compliance Committee on 16 March
2021.
Executive Summary
Post Office is able to demonstrate that it has good policies and procedures in place which have
been followed. Post Office's Whistleblowing Team have reviewed past whistleblowing reports
for evidence of subsequent 'detriment' to the reporters which found no evidence of 'detriment’.
As a result of the review of whistleblowing policy, processes and culture, there are a number of
recommended enhancements to improve and mature these areas, including the creation of a
Non-Executive Board Director Whistleblowing Champion.
* The revised Whistleblowing Policy (clean and track changed) is available in the Reading Room.
Questions addressed
1. Are the current whistleblowing arrangements adequate in light of the GLO and the Public Inquiry?
2. Is there any evidence of detriment to whistleblower reporters or subjects?
3. What improvements are required to enable anyone who is aware of, or suspects, wrongdoing which affects others (e.g. Postmasters, customers, members of the public, colleagues or the Post Office) to raise their concerns and be confident that those concerns will be acted upon?
Report
4. A number of improvements have been implemented since 2017; these include:
• Enhancing Post Office policy and procedures, including attendance by the whistleblowing team at industry forums to learn best practice
• Raising awareness through communications and posters (which in turn has led to an increase in reports received)
• Developing monthly MI and providing it to key stakeholders
• Regular reporting to RCC and ARC, including an annual whistleblowing report which summarises all whistleblowing reports received over the previous 12 months, compared to the prior 12 months. This report also details any issues or outcomes, together with key activities delivered to drive reporting
However, it was recognised that more could be done to improve the maturity of the Post Office approach and, as part of the review of this, Post Office approached Protect (the UK whistleblowing charity) for support. This has included a self-assessment and industry benchmarking of the regulatory requirements, current industry best practice and Protect's Code of Practice on effective whistleblowing arrangements, and a training workshop which was attended by some GE members and senior managers.
5. A review of high-level summaries of the 163 whistleblowing reports and investigations
received since 2013 was undertaken by Post Office to identify if there was any evidence of
‘detriment’ to reporters and specifically Postmasters. These cases were also considered,
at a high level, for conformance to Post Office’s obligations arising from the Common Issues
Judgment (CIJ) from the GLO. The review is summarised in Appendix 1 which shows 103
cases where no detriment was suffered by the whistleblowing reporter, the subject or
anyone associated with the report, and 15 cases which show acts which could be argued
to be detriment to the subject of the report, but which were considered by Post Office to
be justified in the circumstances.
6. The monthly MI pack produced on whistleblowing has been updated to provide more
granular data on issues that are raised by or about Postmasters.
7. As part of the work reviewing Postmasters complaints and issues handling, a review has
also been undertaken to ensure that there is sufficient understanding across teams that
interact with and capture those complaints and issues, so that any that are in fact
whistleblowing reports are passed to the Whistleblowing Team and investigated and
resolved in accordance with the whistleblowing policy.
8. , and as part of the work with Protect a review was undertaken of the oversight, governance and resourcing for whistleblowing. It is agreed that we should have a dedicated Whistleblowing Manager within the Compliance Team to manage whistleblowing but also to assist in the conduct of investigations. External recruitment for this role is nearing completion and it is hoped to have this in place for end April/early May. In addition, an approach was made to the ARC Chair to discuss creating a Whistleblowing Champion at Non-Executive Director level, following which Zarin Patel has been asked to fulfil this role, and has agreed, subject to ARC approval.
9. Following migration of the external speak up line and website to the new Navex Global EthicsPoint platform, call enhancements have been implemented to include an IVM that is specific to Post Office and provides reassurance to callers as below:
• "Thank you for calling the Post Office Whistleblowing Speak Up line. Post Office is committed to ethical behaviour in all our business dealings and your call and any related reports will be treated confidentially and respectfully to the extent legally permissible. Protecting our colleagues, Postmasters and customers is the number one priority for Post Office, and this includes protecting those that raise concerns. To maximize confidentiality, this Speak Up line is operated by NAVEX Global, an unaffiliated, third-party service provider."
10. To address the lack of formal training, a new module has been developed in Success Factors and is currently being undertaken by all employees for completion by 1st April 2020, together with a number of planned communications for employees and Postmasters to raise awareness.
Self-assessment and benchmarking
11. The outcome of the Protect self-assessment and industry benchmarking was in line with
expectations given that the benchmark is modelled around best practice and the bar is
deliberately set very high.
12. Post Office achieved a score of 86% for its written policy and procedures and there were
no specific recommendations, indicating that the basic foundations put Post Office in a good
place to improve.
13. It was in the areas of training, engagement and communications that further work was
identified.
14. The need for formal training and awareness in Post Office had already been recognised,
with budget to develop a training module included in 2020/21.
15. The table below shows the overall performance of Post Office v. organisations with a comparable number of employees and also within the financial services sector, which has a more mature approach to whistleblowing given the additional regulatory obligations for this sector (see Appendix 2 for scores within these overall areas):
Governance | 72% | 67%
Engagement | 24% | 39%
Operations | 36% | 55%
Total | 46% | 60%
• It should be noted that nearly all organisations come out very poorly for Engagement the first time they do self-assessment. This is because the main resolution for this area is training, which is generally costly and most often not seen as a priority. Usually selected people and teams have some form of training, but not enough and not company-wide. Also, there is a heavy score weighting for Line Manager training, and this is an area that Post Office was unable to demonstrate.
• Organisations also tend to score poorly in the area of Operations and there are a number of factors here:
    o Whistleblowing process maturity tends to reflect the cases organisations have had to deal with: if an organisation has not had any cases that are material/significant, or had whistleblowing reporter claims of detriment, then they are less likely to have matured their processes.
    o Included in this area are questions about seeking feedback from whistleblowers about their experiences or doing 'tests' or 'stress tests' of the whistleblowing processes. Most organisations do not do this, but it is best practice.
• A number of organisations re-run the self-assessment and benchmarking exercise annually to help them demonstrate continuous improvement as part of their Board reporting, which means the benchmark is continually rising as organisations improve. We will re-run the self-assessment in June 2020 (and annually thereafter) following the implementation of planned enhancements to show how Post Office is building on its improvements.
Whistleblowing Policy Review
16. In addition to further enhancements suggested by the Protect self-assessment work and
the changes to whistleblowing roles,
17. The policy has been amended to reflect the following new roles and governance oversight:
• The creation of a Non-Executive Director Whistleblowing Champion to oversee that:
    o A 'whistleblowing culture' is promoted across Post Office, ensuring employees are genuinely encouraged to speak openly and honestly about their concerns and misgivings
    o The current arrangements are always challenged and assessed for areas of continuous improvement
    o Employees are always supported in raising a concern
    o Barriers to speaking up are uncovered and addressed
    o The whistleblowing team, senior managers and leaders receive training on the importance of whistleblower support
    o Root cause analysis is undertaken for all cases and issues, so that continual improvements can be made in the relevant areas
• The creation of a new dedicated Whistleblowing Manager to manage whistleblowing processes and investigations, triaging reports and assigning them to investigating managers, completing root cause analysis and ensuring any corrective controls are implemented, and designing and delivering a programme of training and awareness
18. A number of amendments and additions have been made to reflect best practice, enhance the policy and help encourage reporting. These include:
• Removal of some duplication and clarifying the definition of whistleblowing, the investigations process and the treatment of reporters
• Providing more information to reporters (e.g. other external advice available)
• Clarification of some of the definitions used in the policy
• Clarification that reporters do not need to provide evidence, and of the different reporting types along with the benefits and disadvantages of open/confidential/anonymous reporting
• A new minimum control standard for line managers
• A new minimum control standard for checking that whistleblowers feel supported
Conclusions and Recommendations
19. Post Office has a good policy and reports received have been managed in accordance with that policy, although clearly further work on engagement, including training, together with operational improvements is needed and is being quickly remediated. Whilst the policy and process were intended to cover employees and the protections afforded them under the law, reports have historically been received from postmasters, their teams, customers and the general public, and these reports have always been investigated and managed under the whistleblowing policy. Improvements to communications and awareness have been made in recent years, but the lack of training for all employees and, in particular, line managers needs addressing.
20. The work with Protect has highlighted that whistleblowing process maturity tends to reflect
the cases organisations have had to deal with. To date, Post Office has not had any material
reports, or found evidence of significant or material (or disclosable) wrongdoing through
the whistleblowing channel. By quickly implementing the recommendations within this
report, management believes that it would put Post Office in a good place.
21. Prior to the Protect self-assessment, it had been recognised that a training and
communications programme was required in 2020/21 and this was budgeted for, although
this was hampered by Covid, and the loss of the role supporting this work in November
2020.
22. The following lists key recommended activities to be delivered in 2021/22 (see Appendix 3
for full actions and timescales):
• Continue to work with Protect to identify improvements and enhancements
• Provide the monthly whistleblowing MI pack to all GE members to ensure visibility
• Quarterly meetings with the Whistleblowing Champion to review cases and activities, together with monthly meetings with the postmaster and customer complaints teams to ensure that complaints or issues they receive that are in fact whistleblowing are appropriately identified and investigated
• Work with the People Function and L&D to enhance on-boarding and line manager training relating to whistleblowing
• Review and update the Whistleblowing Team's procedures, including those relating to the whistleblower and mechanisms to obtain feedback from whistleblowers
• A programme of continual communication and awareness, including refreshing posters for office locations as staff return to work locations following Covid
• Update Settlement Agreements to remove potential ambiguity
• The Protect self-assessment benchmarking should be undertaken again in June 2021 and annually thereafter to test and demonstrate improvements achieved from planned activities
Appendix 1 — Whistleblowing Report Review
Number of Whistleblowing Records Reviewed (From 25/04/2013 to 25/01/2021)
REVIEW FOR DETRIMENT
Number of cases ongoing (no apparent detriment and no CI) breaches identified in investigation of complaint to date).
Number of historic cases where information is insufficient for assessment
These predate whistleblowing falling under the remit of the Financial Crime Team. The most recent record is 23.09.2017
Number of Whistleblowing Reports NOT within Scope of the Whistleblowing Policy
- Employment matters between Postmaster and the Postmaster's employees: 5
- Properly dealt with outside of Whistleblowing channels e.g. dignity at work: 11
- Properly referred to external organisations such as RMG: 5
- Other cases which did not meet WB criteria (these cases are quite varied but include, for example, PMs calling for advice from the Security team; a report raised by a known individual harassing branch staff; and errors/mistakes relating to applications for hardship grants): 9

Number of Whistleblowing Reports WITHIN scope of the Whistleblowing Policy
- No detriment suffered by the Reporter, the Subject or anyone associated with the Report: 103, including
  o 6 cases where inadequacies with POL's policies and procedures were alleged but where no specific detriment to an individual was identified (for example, two complaints related to the same alleged incident of sexual harassment which took place outside of POL premises. The reporters were not the victim of the alleged incident; one of the POL managers was present at the time and the reporters were concerned that the manager didn't take any action/provide support when the alleged victim returned to work. HR could not investigate any further due to lack of information).
  o 1 case where the reporter withdrew the complaint due to slow response time. The Reporter was subject to a grievance which was raised by the Subject of the WB report. Legal advised the WB disclosure should be investigated subsequent to the grievance being heard. The POL employee who was due to investigate the WB disclosure left the business without informing the WB team, which caused delays. The WB team did contact the Reporter to encourage them to pursue the case, but did not receive any response.
- Detriment suffered by the Subject, with Detriment justified based upon evidence and rationale: 15
  o 12 cases where PMs have been suspended and/or terminated due to ongoing operational issues.
  o 2 cases where the agent assistant/clerk was dismissed by the PM for suspected/admitted theft.
  o 1 case where there were formal consequences for the Branch Manager, which were justified upon investigation. In addition, in this case, the Subject was said to have obtained copies of witness statements which, had the WB disclosure not been made anonymously, could have compromised the Reporter's identity. Enquiries were made but these were not able to determine how or if the witness statements had been shared with the Subject.
CIJ CONFORMANCE REVIEW
CIJ Issues NOT relevant: 142
CIJ Issues ARE relevant: 21 (including 1 case still ongoing)
  o Dealt with in a GLO conformant manner: 12 (including 1 case still ongoing)
  o Not dealt with in a GLO conformant manner: 9 - While suspensions appear to be justified by the circumstances, the PMs were suspended without pay (predates the CIJ). This is being separately considered by the Historical Matters Unit and will be remediated as appropriate.
Tab 3 Whistleblowing Policy Review
Appendix 2 - Protect Review Recommendations
Accountability 61%
Written Policy and Procedures 86%
Review and Reporting 59%
Total 72%
Accountability - 61% Considers the roles different individuals have and their engagement
with the whistleblowing arrangements. Clear accountability structures will help staff better
understand their roles in relation to the whistleblowing arrangements. Active engagement from
senior leaders may improve staff trust and confidence in your whistleblowing arrangements.
Recommendation - You have a good score in this area. In order to improve on this score in line
with best practice, you need to show how senior leaders within your organisation engage with
the whistleblowing arrangements and actively demonstrate a commitment to workers raising
concerns without fear of reprisal. You also need to ensure that designated personnel (for
example the whistleblowing champion and team) clearly understand their roles and
responsibilities.
Written Policy & Procedures - 86% A well drafted whistleblowing policy helps to provide
staff with a clear understanding of what whistleblowing is and the processes by which an
individual can raise and/or escalate a concern. It will also provide staff with assurances about
victimisation and confidentiality.
Recommendation - You have achieved a good score in this area and there are no specific
recommendations at this stage.
Review & Reporting - 59% Considers the processes by which you review and report on
whistleblowing arrangements. Conducting reviews enables organisations to practically see
whether whistleblowing arrangements are effective in practice and action learning points.
Recommendation - You have achieved a good score in this area, but additional work should be
considered to strengthen governance. When reviewing the arrangements, recommendations
should be assigned ownership with a timeline for completion. Serious concerns raised and
positive outcomes from whistleblowing cases should be reported to the Board. These should be
redacted in order to protect the identity of the whistleblower. You could consider incorporating
an overview of management information on whistleblowing in published data e.g. annual
reports.
Communications 30%
Training 8%
Total 24%
Communications - 30% Engaging regularly with staff is essential to building a strong speak
up culture. Staff will not have confidence in whistleblowing arrangements if they are not aware
of them.
Recommendation - This section requires improvement. We recommend that you review your
communications materials to ensure that you engage with different staff groups and cultures.
Messages encouraging staff to raise concerns might be included in various media such as
posters and staff training. Finally, think about how you test staff awareness and confidence in
the whistleblowing arrangements (for example by using staff surveys, focus groups and exit
interviews).
Training - 8% Clear and detailed training on whistleblowing provides your workforce with a
good understanding of arrangements. Training can help embed the importance of
whistleblowing and key policy messages.
Recommendation - This section requires improvement. We recommend that staff, designated
managers and line managers receive in-depth training on whistleblowing. In most
circumstances line managers or named designated contacts are the first people to receive a
whistleblowing concern. Accordingly, line managers should receive appropriate training in order
to accurately identify concerns and effectively handle the individual raising the concern. This
minimises the likelihood that concerns will be escalated further and helps make best use of
your resources. You may wish to review how you provide training to your workforce (e.g.
instructor-led or e-learning).
Support and Protection 41%
Recording and Investigations 56%
Resolution and Feedback 18%
Total 36%
Support & Protection - 41% Considers internal processes in place for supporting and
protecting staff who raise whistleblowing concerns. Implementing effective processes for
managing confidentiality and victimisation will help to ensure staff are appropriately supported
and protected when they raise concerns. Implementing clear policy messaging and protocols
for supporting and protecting staff who raise concerns is essential.
Recommendation - This section requires improvement. We recommend that you operate
multiple support networks within your organisation to enable whistleblowers to seek support
when raising concerns (such as whistleblowing advocates, trade unions and Employee
Assistance Programs). Consider how you ensure that confidentiality is maintained throughout
the whistleblowing process. You should ensure the risk of victimisation is considered in each
whistleblowing case and that appropriate safeguards are put in place to prevent this. Finally,
you should ensure that any settlement agreement that you have with staff clearly states that
nothing in the agreement prevents staff from making a whistleblowing disclosure.
Recording & Investigations - 56% This section considers the processes by which you record
and investigate concerns. Having clear processes and principles for recording and investigating
concerns will help to ensure consistency in handling a whistleblower.
Recommendation - You have achieved a good score in this area. We recommend that you
periodically review management information to ensure consistency of processes in recording
concerns. You should ensure that investigation guidance is clear on the key principles that are
to be followed when whistleblowing concerns are investigated (such as confidentiality,
competence and independence). You should ensure that an independent internal function
conducts periodic reviews of your investigations, to ensure that the principles have been
followed.
Resolution & Feedback - 18% This looks at your processes for resolving concerns and how
you provide feedback to, and receive feedback from, whistleblowers. Clear processes on feedback after
the investigation will help give your staff confidence that their concerns have been addressed.
Recommendation - This section requires improvement. We recommend that you implement
standard processes for resolving any substantiated concerns. Where possible ensure that you
provide feedback to whistleblowers on the outcome of concerns that are raised (subject to
limitations imposed by confidentiality). Consider how you seek feedback from whistleblowers
at the end of the process and use this information to improve your arrangements.
Appendix 3 - Whistleblowing Action Timetable
Action | By when | Status
Protect training workshop | January | Complete
Review how complaints are captured by various back office teams and enhance procedures to correctly triage potential whistleblowing complaints and pass to whistleblowing team | February | Complete
Design and deliver employee survey via One Comm (440 responses fed into Protect self-assessment) | February | Complete
Enhanced Whistleblowing monthly MI to provide more granular detail about Postmaster/agent assistant reports | February | Complete
Protect self-assessment and benchmarking | February | Complete
Review all historic whistleblowing reports | February | Complete
Whistleblowing Manager role designed, approved and advertised | February | Complete
Whistleblowing Champion role approved in principle | February | Complete
Navex Global Speak Up Line - call enhancements to include IVM that is specific to Post Office and provides reassurance to callers | February | Complete
Review and update Whistleblowing Policy | March | Complete
Determine whether there is any evidence of detriment to whistleblower reporters or subjects | March | In progress
RCC and ARC whistleblowing approach and policy approval | March | Pending
Interviews for new Whistleblowing Manager role and recruitment | End April | In progress
Design and deliver new employee Success Factors whistleblowing training module | 1 April | In progress
Design and deliver new Team Talk whistleblowing training module for DMB staff and Supply Chain (non-Success Factor users) | 1 April | Complete
Design and deliver postmaster whistleblowing awareness communications | April | In progress
Establish monthly meetings with the postmaster and customer complaints teams to review complaints or issues | April |
Training and induction for Whistleblowing Manager | May |
Design a programme of continual communication and awareness | May |
Establish quarterly meetings with Whistleblowing Champion | May |
Design and deliver employee survey via One Comm | May |
Review and update all whistleblowing processes and guidelines | May |
Re-run Protect self-assessment benchmarking | June |
Annual whistleblowing report to RCC and ARC | July |
Enhance on-boarding and line manager training relating to whistleblowing | July |
Refresh and deliver new whistleblowing posters to all Post Office back office locations and DMBs (dependent on Covid) | July |
Tab 4.1 Minutes (26 January 2021 & 26 February 2021)

POST OFFICE LIMITED
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 26th JANUARY 2021 AT 20 FINSBURY
STREET, LONDON EC2Y 9AQ AT 08.30AM (VIA CONFERENCE CALL) [1]
Present:
Carla Stent (Chair)
Ken McCall (SID) (KM)
Tom Cooper (NED, UKGI) (TC)
Zarin Patel (NED) (ZP) (to 10:00am only)

Regular Attendees:
Tim Parker (Chairman, POL) (TP)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group CFO) (AC)
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Audit Partner, PwC) (AP)
Sarah Allen (Senior Manager, PwC) (SA)
Rosie Clifton (Senior Manager, PwC) (RC)
Johann Appel (Head of Internal Audit) (JA)
Mark Baldock (Head of Risk) (MB)
Jonathan Hill (Compliance Director) (JH)
Rebecca Whibley (Senior Assistant Company Secretary) (RW)
Hugo Sharp (Deloitte Partner) (HS)

Invited Attendees:
Sam Banks (Analyst, Independent Audit): Observer
Richard Sheath (Partner, Independent Audit): Observer
Sally Smith (Money Laundering Reporting Officer & Head of Financial Crime): Item 5 (SS)
Ian Holloway (Director of Risk & Compliance, Post Office Insurance): Item 6 (IH)
Tom Lee (Head of Finance Financial Accounting and Controls): Item 7 (TL)
Christine Kirby (Financial Controls Manager): Item 7 (CK)
Andy Jamieson (Head of Tax): Item 8
Amanda Jones (Retail & Franchise Network Director): Items 9 & 10 (AJ)
Tim Perkins (Service and Support Optimisation Director): Items 9 & 10 (TP)
Declan Salter (GLO Director): Item 11 (DS)
Graham Hemingway (Historical Matters Portfolio Lead): Item 11 (GH)
Tony Jowett (Chief Information Security Officer): Item 12 (TJ)

Apologies:
Zarin Patel (from 10:00 onwards)
1. Welcome and Conflicts of Interest
1.1 A quorum being present, the Chair opened the meeting and noted that participation was solely by conference call given the current Government guidance on home working. However, given the requirements of the Company's Articles of Association, the location of the meeting was agreed to be the Company's Registered Office.
1.2 The Directors declared that they had no new conflicts of interest in the matters to be considered at the meeting in accordance with the requirements of section 177 of the Companies Act 2006 and the Company's Articles of Association.

[1] Participation in the meeting was entirely via Microsoft Teams from participants' personal addresses. In such circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be deemed as the chair's location. However, it was not deemed appropriate to record personal addresses on the Company record. As such, the Registered Office is recorded as the meeting location.
2. Policies: Investigations Policy
2.1 Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. The following points were discussed:
- The existing policy had not been used for some time and as such,
the policy has been completely overhauled, following an industry
approach.
- The policy sets out minimum standards for how Post Office will
conduct investigations wherever they might take place in the
business to ensure a consistent approach, building on comments
in Fraser J's judgment.
- The Chair noted that an issue that was made clear from the
Group Litigation Order (GLO) was the attitude of the investigator.
Whilst issues like the duty of good faith would only apply in the
Post Office/Postmaster relationship (not commercial
relationships), it was agreed that the attitude of the investigator
should be addressed in the policy.
- It was also noted that matters such as the independence of the
investigator and the level of expertise needed should also be
clear in the policy. It was explained that the policy was simply a
framework and other policies were still relevant such as Conflicts
of Interest. Nonetheless, it was agreed that these matters should
be made clear in the policy, including references to other policies
as appropriate.
- Ken McCall questioned whether the policy considers service level
agreements (SLAs) with Postmasters and Board/Committee
review of the relevant metrics in this regard. Ben Foat explained
that such matters were for specific Postmaster policies and this
policy was very much a minimum standards framework.
- Ken McCall was also concerned about the accessibility of the
policy, particularly for Postmasters, and how the policy would be
rolled out. It was explained that this was an internal policy, rather
than Postmaster facing. Nonetheless Compliance was developing
a one to two page summary to make the policy more accessible
as well as engaging with relevant Policy Owners to ensure they
understand the requirements and can evidence compliance.
- Tom Cooper requested that the policy also be externally
reviewed.
Accordingly, the Committee APPROVED the Investigations Policy,
subject to:
i. The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent
and have the appropriate expertise and appropriate
references to other relevant policies; and
ii. The policy being externally reviewed, and the results of this
review being considered and included as appropriate.
ACTION: BF
3. Previous Meetings
3.1 The minutes of the meeting of the Audit and Risk Committee held on
24 November 2020 were APPROVED and AUTHORISED for signature
by the Chair.
3.2 Progress against the completion of actions as shown on the action log
was NOTED.
Action 1 from 27 July 2020 (para 4) Pensions Assurance: See update
to action 5 from 22 September 2020 below. Quantification to be known
in March 2021 and an update to be provided to the Audit, Risk &
Compliance Committee (ARC) or Board as required at this point. An
update paper was also presented to the Committee for noting (see para
14 below). The action remained open.
Action 2 from 27 July 2020 (para 6) Update from Subsidiaries: The
Master Services Agreement and Master Distribution Agreement
amendments were executed by both parties on 5 January 2021 via
Web3. The action was closed.
Action 3 from 22 September 2020 (para 4.1) Risk Appetite Statements:
Legal and Compliance Risk Appetite Statement paper was presented to
the Committee for noting (to be approved at a later date) (see para
4.2). Further statements were in train including IT (with Jeff Smyth,
Group Chief Information Officer) and Operations (Postmasters) (with
Amanda Jones, Retail and Franchise Network Director). There was
further discussion regarding prioritisation during the meeting, see para
4.2 below. The action remained open.
Action 4 from 22 September 2020 (para 5.5) SuccessFactors: This
action was addressed by a noting paper presented to the Committee (see
para 14). The action was closed.
Action 5 from 22 September 2020 (para 6.4) Pension Assurance: The
quantum is likely to be known in March 2021 following analysis and
review by the Trustee. The approach to correcting the members
benefits including any proposed clawback will be discussed by the
Trustee and Post Office following the Trustee Board meeting on 23
March 2021. The intention was to engage early with the Trustee to
ensure Post Office’s preferred approach was known. A further update
was to be provided to the ARC or Board as required in March 2021. An
update paper was also presented to the Committee for noting (see para
14 below). The action remained open.
Action 6 from 22 September 2020 (para 7.3) Suspense Accounts: An
update paper was provided to the Committee (see para 9). The action
was closed.
Note: Action 7 in the papers was a duplicate of Action 2 above (due to
copy and paste error).
Action 8 from 24 November 2020 (para 3.1) Risk Dashboard: At this
point the Risk team was not in position to provide system-aggregated
Dashboards as it was finalising the risk management transition from
RSA Archer to ServiceNow (IRMPro). This had just been completed. A
refreshed set of GRC risk reports in line with ARC requirements was to
be presented to ARC in March 2021. The action remained open.
Action 9 from 24 November 2020 (para 3.2) Risk Policy (Legal &
Compliance Risk Appetite): The Legal & Compliance Risk Appetite paper
has been developed and has been shared with the Chair. However, this
is still a work in progress and as such, the Committee was not asked to
approve the Risk Appetite statement at its January meeting.
Accordingly, the Committee may discuss and feedback as required in
the meeting. The further iteration was to be shared with the Committee
prior to its next meeting if so required. (See para 4.2 below). The action
remained open.
Action 10 from 24 November 2020 (para 3.2) Risk Policy (Risk
Management Responsibilities): See para 4.1 where the ARC has
approved the division of risk management responsibility between the
ARC and Board. The action was closed.
Action 11 from 24 November 2020 (para 3.2) Risk Policy (Approval
subject to amendments): Risk Policy scope was amended as required
and the Board approved the final policy in January 2021. The action
was closed.
Action 12 from 24 November 2020 (para 3.2) Risk Policy (Page
Numbers and Policy Paper): Page numbers were viewable on the tabs
created by Diligent Boardbooks, this included the page range for each
section. The policies before the Committee in January 2021 are to be
approved by parallel Written Resolution included as either a track
changes version (where changes are minor) or the existing policy
(where the changes are more substantial i.e. a complete re-write). The
action was closed.
Action 13 from 24 November 2020 (para 3.4) Internal Audit (Data
Privacy (Document Retention)): A revised action was agreed, and the
completion date re-stated to 31 March 2021. This was to be tracked
through the usual process and reported back to the ARC. The action
was closed.
Action 14 from 24 November 2020 (para 3.4) Internal Audit (Deep
Dives): Deep dive audits to be added to IA plan as follows: Financial
Crime Q4 FY21, Loss Prevention FY22 tbc, Compliance Function FY22
tbc and Risk Management Framework FY22 tbc. The action was closed.
Action 15 from 24 November 2020 (para 4.3) Suspense Accounts: All
elements have been completed and the report was approved by the
Board for publication. The action was closed.
Action 16 from 24 November 2020 (para 7.1) Post Office Insurance
Travel Refund Complaints: A memo in response to this action was
provided to the Committee via email on 4 January 2021. The memo
was also available in the Reading Room. The action was closed.
Action 17 from 24 November 2020 (para 9.1) Historical Matters Unit
(RACI Matrix): Discussions concerning UK Government Investments
(UKGI)/Department of Business, Energy & Industrial Strategy (BEIS)
involvement in Historical Shortfall Scheme (HSS) approvals, which
directly affects the operation of the schemes, have continued during
December and were expected to be finalised during January. A verbal
update was provided to the ARC (see para 11 below). Further update
will be provided in March 2021. The action remained open.
Action 20 from 24 November 2020 (para 10.1) Payzone Risk Report:
Capita have confirmed to PipIT that they need to stop using Post Office
branches and find another method. PipIT have asked if they can have
two weeks to sort out a new provider which Post Office/Payzone has
agreed to and the proposal was for PipIT to stop using Post Office by
31 January 2021. (Note: PipIT is the gateway for Zeepay, Glow remit
etc. If PipIT stop using Post Office branches, then the others will also
be stopped). A further update will be provided when it is confirmed
PipIT have stopped using Post Office. The action remained open.
Action 21 from 24 November 2020 (para 12.1) Deep dive:
Transformation Office Change Update 2020: Dan Zinner and Saira
Burwood met with Tom Cooper on 15 January 2021 to discuss the action
regarding metrics on Change controls. Mark Baldock also joined the
meeting as he was transitioning all the controls into a new tool
(ServiceNow) which would then be able to provide a suite of reports on
the controls. These reports and dashboards would be provided to ARC
on a regular basis once ServiceNow transition was complete and Mark
agreed to give Tom early sight of these when available. The action was
closed.
3.3 The draft minutes of the Risk and Compliance Committee held on 12
January 2021 were NOTED.
4. Risk, Compliance and Internal Audit Updates
4.1 Risk Update
Mark Baldock introduced the paper, which had been circulated
previously and was taken as read. The key points were summarised as
follows:
- Governance, Risk & Compliance (GRC) tool (move from Archer
to ServiceNow): Phase 1 was now complete with 520 risks
moved; the system was now live in the central risk team
and Archer had been decommissioned. Work had now started on
phase 2 which was rolling out the risk capability to the business
and migration of controls for IT, Finance and the Portfolio Office,
which would allow formal links of the controls to the risks.
- Key Risks:
o Commercial: There has been a long standing risk around
the Master Distribution Agreement (MDA) with Royal Mail,
however this has reduced due to the signing of MDA2.
However, the team was still speaking to business to
ensure the score was correct and consider whether more
mitigation was required. A further risk noted was adverse
trading due to macroeconomic environment.
o Operational: Postmaster risks were already articulated,
but further work was to be carried out, as well as
considering whether other risks had an impact on
Postmasters. The Chair noted a discussion in the Internal
Audit meeting that morning about how to implement
controls around Postmaster risks and how to validate GLO
initiatives. Mark Baldock was asked to pick this up with
Jonathan Hill with an update to be provided at the March
meeting (ACTION: MB). Multiple partner fragility was also noted as a key
operational risk due to the economic threats to the high
street.
o People: There were long standing risks about work life
balance and work pressures on colleagues, which had been
exacerbated recently given the greater degree of
uncertainty about easing of lockdowns. Much was being
done by management, however there was a concern that
some colleagues may suffer from burnout. Zarin Patel
questioned how this might affect work being done in the
risk and control environment. Nick Read explained that the
risk and need for improved engagement in the current
lockdown was recognised and Lisa Cherry (Group Chief
People Officer) and Richard Taylor (Group Corporate
Affairs, Brand and Communications Director) were
working through the engagement strategy.
- Risk management by the Board & ARC: Recognising that there
was a need to clearly differentiate where risk was managed, it
was recommended that:
o the Board should provide oversight of (and direction on)
management of the key strategic business risks that could
threaten the delivery of the Post Office’s strategic
objectives, including setting the risk appetite and focus on
key risks.
o ARC should support the Board and consider what needs to
be referred to the Board. Otherwise, it should focus on
audit and compliance risks and controls.
The Committee made it clear that the ARC should get an overall
picture of risks, with material commercial, strategic and
reputational risks escalated for Board consideration.
Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around
“insufficient” funding reflect the risk of uncertainty about
funding;
- Paragraph 25 relating to the risk of prolonged industrial action as
this should refer to pace of response rather than the risk of
material long term industrial action; and
- Paragraph 27 relating to adverse external economic factors,
noting that much of this was outside Post Office’s control and
that, some elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with
Ken McCall and provide an update for the next Committee meeting.
The Committee NOTED the current status of key risks and GRC
implementation and APPROVED the proposals on the role of the Board
and ARC with respect to oversight of Post Office risk management as
set out in paragraph 31 of the paper.
ACTION: MB
4.2 Risk Appetite Statement: Legal & Compliance
Ben Foat introduced the paper, which had been circulated previously
and was taken as read. It was summarised as follows:
- This is a noting paper for the direction of travel for the risk
appetite statement for Legal and Regulatory risks across the
business and as such, the business needed to be comfortable
with the appetites.
- There were six statements and risks have been split into
statutory and regulatory.
- There were three areas which were adverse to appetite:
competition, Anti-Money Laundering (AML) and pensions.
- The paper was a living document and would change over time.
The next steps were to ensure there were Key Risk Indicators
(KRIs) in place and then operationalise, with engagement with
the 1st line of defence.
The Committee discussed the following points:
- Ken McCall questioned why the risk rating for competition was
adverse. Ben Foat explained that this was due to the
consequences of the risk being so severe as well as Post Office’s
dominant mails position and being number two or three in the
bill payments market. There were no specific breaches or
incidents, but the controls were not considered sufficient.
Competition law was not well understood in the business and
needed to be such that it was in the minds of colleagues engaging
with other market players. As such, training by Pinsent Masons
was being arranged. It was requested that Ben Foat consider the
wording of paragraph 14 relating to "breaching tolerance" as, in
fact, it was more about needing stronger controls (ACTION: BF).
- Tom Cooper highlighted that Pick Up Drop Off (PUDO) was a
competition risk given the investment being made in the Express
Post Office proposition and noted an argument could be made
about state aid. This was to be considered and, if appropriate,
added to the paper (ACTION: BF).
- The Chair noted that the risk relating to Post Office being in a
less competitive position due to new legislation or regulation was
really a commercial risk. This should be corrected in the paper (ACTION: BF).
- Following a question from the Chair, it was explained that whilst
AML risk was rated red, the financial crime risk was rated green
as AML was a subset of financial crime where there had been
some specific breaches.
The Chair noted the extensive work that had gone into the paper and
questioned whether, given the resourcing pressures, it was better to
work on KRIs to trigger a red/amber/green rating. The Committee
agreed but noted that Legal and Compliance and Postmaster related
activity were important areas in which to have risk appetite statements.
There was also a suggestion that areas that were less under pressure
in the short term could also be considered (such as finance). As such,
Mark Baldock was asked to look at identifying the KRIs for Postmasters
with the Network team and consider working on statements for one or
two other areas for update at the March Committee meeting (in the
usual Risk Paper) (ACTION: MB).
Otherwise, the Committee NOTED the draft corporate Legal &
Compliance Risk Appetite Statements which will be shared with the
Senior Leadership Team so that these can be further refined and
assessed within the business in commercial decision making.
4.3 Compliance Update
Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. It was summarised as follows:
- Controls Framework: Work was being undertaken with the
Historical Matters Unit (HMU) to ensure the correct controls were
embedded into the relevant areas, so as to meet obligations
arising from the Common Issue Judgment (CIJ), Horizon Issue
Judgment (HIJ) and the stamps review. There was an existing
controls framework in Finance and IT (although the latter was
being overhauled), but there was no consistent approach across
the rest of the business. This was what the Framework was to
provide, such that the business could self-assess controls with
assurance provided by Compliance. Ken McCall noted that the
report outlined that there had been changes to the Postmaster
Onboarding process and questioned whether this meant the
onboarding process was quicker. Jonathan Hill was asked to confirm this point for update at the next meeting. [ACTION: JH] This area was
ultimately owned by Dan Zinner, Group Chief Operating Officer,
but supported by Amanda Jones (Retail and Franchise Network
Director), Finance and Legal. Nick Read highlighted that
recruitment of the Postmaster Director and the Customer
Experience Director was critical but would require careful
recruitment criteria.
In response to questions from Ken McCall raising concerns about
the wording of this section in the report (paragraph 11), it was
confirmed that it was the mapping of processes for activities
addressing the CIJ that had no consistent approach, rather than
the controls themselves. Key was evidence of controls and a
consistency of approach. The HMU team was working with the
relevant business areas to address this. However, the Chair asked Jonathan Hill to further consider before the next meeting any underlying issues (not just related to mapping), what controls were in place and whether or not they were appropriate. [ACTION: JH] Zarin Patel also requested that the Committee have sight of the KPMG review of the HIJ when this was ready, noting that there were a lot of papers regarding Postmasters before the Committee and the Board and therefore questioned whether the issue was under control. [ACTION: JH] Al Cameron explained that much work had been done to ensure legal compliance with the judgment, but work was on-going and KPMG and Deloitte were likely to raise issues that had not yet been considered. As such the controls framework was very important and must be sustainable.
- Data: The site review was now coming to an end and the main focus was now on disclosures required for 5 February 2021. So far, nothing had been found in the reviews that had not already been disclosed. However, work was on-going.
- Cookies: Previous direction was that Post Office should look to
be in the “middle of the pack” when it comes to cookies. The
recent decision in France against Google and Amazon Europe was
noted and it was explained that typically (pre-Brexit), the
Information Commissioner's Office (ICO) aligned with Europe. As
such, the Digital and Compliance teams were looking at the
commercial impact of tightening the approach to cookies, with a
view to still remaining in the “middle of the pack.” The Chair
requested that the team carefully consider appropriate
benchmarking in a post Brexit world.
- Fire Risk Assessments: The Committee requested to be kept up
to date regarding the outstanding actions in respect of fire risk
assessments undertaken in June and July which are currently being investigated by the Head of Health & Safety. This was to be included in the Compliance report for the March meeting. [ACTION: JH]
The Committee NOTED the Compliance update, in particular:
- The Controls Framework update;
- The Data Management activities; and
- Post Office’s approach to cookies.
4.4 Internal Audit (IA) Update
Johann Appel introduced the paper which had been circulated
previously and was taken as read. The following points were discussed:
- The team continued to make good progress and have finalised a
further five audits since November 2020 and issued one interim
report.
- IT Controls Framework (ITCF): This was continuing to improve
but the report highlighted that the operation of the ITCF had been
interrupted by the absence of key personnel and no second line
assurance. This was further discussed in paragraph 12 below.
- Mails and Parcels: The audit highlighted several issues
concerning worsening performance with respect to compliance
with Prohibited and Restricted Items (Dangerous Goods)
requirements. Segregation of parcels and accuracy of Mail
Redirection forms were similarly underperforming. Unless
segregation performance improved, there was a risk that Post
Office could be liable for increased service credits under the new
agreement with Royal Mail. Tom Cooper and Ken McCall were
concerned that this was an on-going issue that did not seem to
be being addressed. Johann Appel was asked to send Tom Cooper a summary of the audit actions from the report and a detailed review of this issue, including what could be done at source and what other carriers were doing in this area. [ACTION: JA] An update was requested for the next meeting in March 2021 (accountability sitting with Amanda Jones (Retail and Network Franchise Director) and Mark Siviter (Product Portfolio Director - Mails, PUDO, Retail and Branch Identity Services)). [ACTION: RW (agenda, inform)]
- Interim Report on Historic Matters - CIJ Operations Improvement Programme: It was noted that the chart in the report was outdated and there were now 23 green actions, 10 amber and 1 red. The key finding was that there was no formal handover process between the HMU and Operations. Nick Read highlighted that in this area, the business was legally compliant, but not necessarily fit for purpose. This was a key focus for the next six months to ensure Operations, IT and culture were all fit for purpose. A GLO Dashboard would be presented to the Board on a monthly basis to give an overview of progress. [ACTION: NR]
- Belfast Exit Follow-Up and PCI Compliance: These were both follow up reviews. Governance and day-to-day management have improved since previous reviews, but there were still significant risks that were largely outside the control of programme teams and this reduced confidence that objectives will be achieved as planned. Nick Read was requested to re-establish the regular dialogue with the Ingenico CEO. [ACTION: NR]
- There was one outstanding audit action (Health & Safety
Response to COVID-19) and this was on track for completion by
the end of January 2021.
- It was noted that the planned audits on GLO Historical Shortfall
Scheme - Claims and Payments and Strategic Platform
Modernisation were due to be deferred from March 2021 to the
next audit year as evidence was not yet available.
Otherwise, the Committee NOTED the Internal Audit update,
specifically progress being made with delivery of the Internal Audit
programme and completion of audit actions.
Zarin Patel left the meeting.
5. Money Laundering Annual Report
5.1 Sally Smith introduced the paper, which had been circulated previously and was taken as read. The following points were discussed:
- The conclusion was that the framework of Anti-Money Laundering (AML) / Counter Terrorist Financing (CTF) controls was generally effective and Post Office was complying with its regulatory requirements under the Money Laundering Regulations (MLRs).
- However, the challenges were: the increase in scams, increasing
regulatory scrutiny and the potential introduction of the
Economic Crime Levy. A particular challenge was the increasing
volume of Suspicious Activity Reports (SARs) due to increased
cash deposits. Furthermore, the additional SARs were causing a resourcing issue within the central team. Roles and responsibilities changing across the business was making Fit & Proper a challenge, but this was being managed.
- There were some on-going data issues impacting premises and
agent data with manual work arounds in some areas.
- The Financial Conduct Authority (FCA) has written to all banks requesting updates on their controls regarding cash deposits. The team was working closely with the Banking Framework 3 (BF3)
team to ensure the AML accountability requirements were clearly
assigned in the Framework. Ultimately, accountability was with
banks and Post Office cannot replicate a Know Your Customer
(KYC) process for all banking customers in the UK. Ken McCall
noted that with increasing bank closures, the pressure on Post
Office would only increase and questioned whether there could
be cost recovery under BF3. Nick Read explained commercial
discussions with the banks were on-going with the role of Post
Office, regulation and costs all being live issues.
- Tom Cooper questioned what key change was required to resolve
the AML and BF3 issue. Sally Smith explained that there were
existing controls that the banks have at their disposal that can
be deployed, but each bank has different infrastructures and
customer needs. Some banks used chip and pin for deposits
which made setting limits on volume and value easier. Other
banks still use paper deposits, and others were made up of
smaller institutions with different processes and levels of
sophistication. In addition, the pace of change in the banks is
slow. However, pressure from the National Economic Crime
Centre (NECC) Project Admiralty and the 2020 National Risk
Assessment would likely bring the issue further onto the banks’
radar, together with work through the Banking Framework
Agreement (BFA) AML Sub Group. The problem arose as the
banks had fully considered the challenges when depositing
through Post Office. The Chair advised that whilst conversations
regarding the banks’ responsibilities should continue, Post Office
could not rely on banks entirely and investment in analytics was
also important. It was noted that the fundamental challenge is
not having real time data or analytical capability at point of
deposit in the branches. This linked to loss prevention and
honouring the CIJ (see paragraph 9 below).
- In response to questions from Ken McCall, it was explained that MoneyGram can block transfers to certain countries and change limits at a branch level. There was on-going daily contact with MoneyGram.
- On technology, Sally Smith explained that she was discussing this area with Jeff Smyth (Group Chief Information Officer) to see if there was anything that could assist the team, noting that Post Office did not currently actively monitor cash and MoneyGram (as this is the responsibility of the Banks and Moneygram, respectively, and would be a significant task for Post Office to replicate). Post Office could demonstrate that enough was being done internally to augment the bank / Moneygram controls. The Chair highlighted that additional resources/technology must be part of the BF3 commercial negotiations.
- On resourcing, more was required but this should be in the business and banking team (1st line of defence), rather than the central team (2nd line of defence).
Accordingly, the Committee APPROVED the recommendations within
paragraphs 9 - 12 of the report (including the table on pages 3-7),
noting that all actions must have due dates, and paragraph F of the
Annual Report of the Money Laundering Reporting Officer, prior to the
Annual Report being issued to the regulator, Her Majesty’s Revenue and
Customs (HMRC).
6. Update from Subsidiaries: verbal update
Post Office Management Services (ARC)
6.1 The Committee NOTED the update from the Post Office Insurance (POI)
ARC.
7. Annual Report & Accounts Update
7.1 Al Cameron introduced the paper, which had been circulated previously and was taken as read. The following points were highlighted:
- Work was actively progressing to complete the Annual Report
and Accounts (ARA) for the financial year end 29 March 2020.
The ARA was largely drafted but needed some considerable
updates given the events over the last six to eight months.
Outstanding issues included:
1. A provision for Post Group Litigation Order and the
calculation of the accounting estimate in respect of the HSS,
as well as disclosure updates in respect of this scheme, the
contingent liability for Starling litigation and subsequent
events disclosure for the historical criminal cases.
2. Impairment on insurance business investment which was likely to be around [IRRELEVANT].
3. A provision for hard to place branches, which might be up to [redacted], although there was a question as to whether this was event or a new decision for inclusion in accounts to the financial year end 29 March 2020. (Tom Cooper noted that this was a joint reputational issue for Post Office and the Government and needed to be discussed at the Board). Note: This was subsequently discussed at the Board meeting later on the same day.
4. The wording regarding contingent liabilities needed to be
discussed.
5. The Committee would need to agree that the CCRC issue was
included as a subsequent event (as it was in the future as at
29 March 2020).
- A detailed going concern assessment then needs to be completed for a period of 18 months (rather than 12 months) from accounts submission. Therefore, forecasts were being examined. PwC
have made it clear that unless a viability statement covers a
period of 18 months, they would likely include an emphasis of
matter paragraph in their opinion. Tom Cooper remarked that his
team were discussing this disclosure with BEIS Finance.
- The intention was for the Committee to review the accounts for
approval (for onward submission to the Board) on 26 February
2021.
- The sections relating to Risk and Remuneration would largely be
unchanged but the CEO and Chairman’s report were being
completely redrafted.
The Committee NOTED:
i. the status of the Post Office Limited Group Annual Report and
Accounts for the year ended 29 March 2020
ii. the key items required for completion and signing of the ARA;
and
iii. the plan for completion and signing.
8. Tax Update & Tax Strategy
8.1 Andy Jamieson introduced the paper, which had been circulated previously and was taken as read. The key points were highlighted as:
- VAT: This was complex to manage on a day-to-day basis and this
year has seen some additional challenges, namely Brexit (with
new reporting requirements for goods to Northern Ireland),
making tax digital, changes of income and introduction of Web3
which has allowed automation of tax coding. COVID has meant
no “in person” HMRC audits, but an online audit had been
completed.
- Corporation tax: As performance was improving, Post Office
would likely be in a position to pay this tax in 2022/23.
- Employment taxes: Historically, Post Office has not had any
expertise in this area and HMRC have expressed concerns.
However, an expert has now been recruited to review HR
processes and build in improvements.
- Feedback was to be provided by HMRC on the IR35
implementation in their March report.
The Committee NOTED the Tax Update and APPROVED the annual
review of the Tax Strategy.
9. Update on branch losses and balances on Postmaster accounts
9.1 Tim Perkins introduced the paper, which had been circulated previously and was taken as read. The following points were highlighted:
- Performance has continued to be positive. Average loss per branch had moved from [redacted] per trading period per branch to [redacted] per trading period per branch. This has been driven by proactive intervention, less cash in network, timeliness of corrections and improved training.
- Next steps were to continue with these interventions and see
what can be done to improve the speed of corrections and
improvement in stock. Work was being done with HMU to remove
the “settled centrally” terminology from Horizon and add a
dispute button at the point of settling.
- Tom Cooper queried when the minimum value that can be settled
centrally would be changed from £150 to £0, noting he thought
this had been removed previously. Tim Perkins explained that
Accenture had just quoted to do this, and it was requested that
Tim Perkins provide the date as to when this would happen to
the Committee once he is advised of it.
- In response to further questions about branches being able to be
‘rolled’ into the next trading period and how disputed items were
dealt with, Tim Perkins explained that balances are moved to a
Postmaster account to allow an investigation to take place to
establish the cause of the loss. A button would also be added to
Horizon to allow immediate dispute.
- Age of the transaction error was crucial, rather than the
number of errors. At present, measurements were based on
transactions over two months old. A measurement of 45 to 60
days (depending on the type of transaction) was being
considered to take into account how long client reconciliation
takes.
- At the request of Ken McCall more detail was provided on the
process where a cash declaration had not been done for 10 days
or for trading period roll overs (where not done for 60 days).
First, the Postmaster would be called by the team (bearing in
mind any branch closure) and the issue would be escalated to
the Area Manager. Where repeated contact has to be made, the
branch will also be visited to ensure they understand the
requirement and to understand the barrier(s) to completion.
There would also be a conversation with the contract advisor
team about contract performance.
- It was confirmed that branches with high cash holdings or highest
levels of cash deposits have excellent compliance with the branch
accounting requirements. However, for branches with high levels
of cash deposits, more transaction errors were seen, and this was
an area of focus, particularly as to whether better equipment
could be provided. Additional support from Area Managers and
Security Managers was being provided with a visit every month.
The Committee commented that key was to tackle this issue at
source. Al Cameron explained that any proposed changes had
been postponed given ongoing process reviews in this area.
- The Chair noted that it was good to see the figures decreasing but that it would be useful to see a dashboard of branch balances and transaction corrections, possibly as an addition to the reporting on post GLO remediation. (Tim Perkins and Amanda Jones to action for the next Committee meeting). [ACTION: TP/AJ]
- Via email outside the meeting, Zarin Patel also suggested that root cause analysis should be undertaken into the gross losses/gains and net balances as these seemed very high (paragraph 8 of the paper). (Tim Perkins and Amanda Jones to consider for update at the next Committee meeting). [ACTION: TP/AJ]
The Committee NOTED the update on balances posted to Postmaster
customer accounts following a request at the Committee in September
2020.
10. Postmaster Policies
10.1 Amanda Jones introduced the paper, which had been circulated
previously and was taken as read. It was explained that these three
policies were being proposed to formalise the improvements made to a
number of processes in response to the CIJ. Each policy was taken in
turn:
- Network Monitoring and Audit Support Policy: Norton Rose Fulbright (NRF) (external lawyers) have reviewed the Postmaster process changes which this policy covers. The Chair questioned why the Risk Appetite section was missing. It was confirmed that the risk appetite was averse, but that this linked back to the earlier discussion regarding the risk appetite statement for Postmasters and the need for clear KRIs, which were particularly required to judge if the policy was being embedded and enforced. This section should be added into the policy in line with the work to be completed on KRIs for Postmasters (see action above in paragraph 4.2). [ACTION: TP/AJ/MB]
There was also an action to carefully consider references to “employee” throughout the document. [ACTION: TP/AJ]
It was also confirmed that this was an internal policy (not Postmaster facing), but a similar version would be created as part of the Postmaster manual. It was explained there would be an overarching document demonstrating how the policies fit together and it was agreed this would be presented to the Committee in March 2021 with the Chair requesting that it be clear in this document who was the audience of which policy. [ACTION: TP/AJ]
- Postmaster Account Support Policy: This policy had been
reviewed by NRF. A different approach was being taken by the
former loss recovery team, which was to be supportive and
understanding of discrepancies.
It was explained that the three policies interfaced to provide support to Postmasters. The Network Monitoring policy related to investigation, Account Support was for proactive support and Dispute Resolution sets out the tiers of support provided in the event of a discrepancy (section 4 of the policy).
The Chair questioned the wording of the risk appetite section and it was requested that this was reviewed before the policy was published/implemented. [ACTION: TP/AJ/MB]
With respect to the writing off of discrepancies, it was explained
that the team were working hard to reduce the number and size
of discrepancies. There were no caps on amounts that could be
written off over a period of time as the controls to approve the
write offs ultimately formed part of the finance processes.
- Postmaster Accounting Dispute Resolution Policy: NRF have
reviewed the Postmaster process changes which this policy
covers.
Tom Cooper questioned whether after the Tier 3 support level
(section 4 of the policy) litigation was the only option,
considering that the amount could be small. Tim Perkins
explained that the account support processes were used to
consider how the discrepancy should be dealt with and whether
it should be written off, with a lot of engagement with the
Postmaster. Where there were persistent losses or carelessness,
then this would be dealt with from a contractual performance
perspective i.e. termination on notice.
The Committee requested that the following elements were
included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3
(indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through
the dispute resolution process (i.e. accounting records,
Horizon data etc.);
4. Reference to classroom training that would be provided to
Postmasters on investigating balance discrepancies; and
5. A checklist for each tier. [ACTION: TP/AJ]
Zarin Patel (by email outside of the meeting) also raised the following points:
i. Both the Postmaster Account Support Policy (para 2.5 and 4.1) and the Network Monitoring and Audit Support Policy (para 2.5) referred to “reasonable and fair investigations” without adequately defining this; and
ii. The Network Monitoring and Audit Support Policy should address skill set and attitude of lead auditors and how the new culture would be embedded so they did not approach the audit with preconceived biases. [ACTION: TP/AJ]
Accordingly, the following policies were APPROVED by the Committee:
- Postmaster Account Support Policy (subject to a review of the wording of the risk appetite section and addition of a definition of a “reasonable and fair investigation”); and
- Network Monitoring and Audit Support Policy (subject to the addition of a risk appetite section and a definition of a “reasonable and fair investigation” as well as the skill set and attitude of the lead auditors and how the new culture would be embedded).
The Postmaster Accounting Dispute Resolution Policy was to be revised
in line with the Committee's discussions (including a review of all risk
appetite references) and approved by written resolution after the
meeting.
11. Historical Matters Unit: Fraudulent Claims Controls & Delegation
of Authority
11.1 Declan Salter and Graham Hemingway introduced the paper which had
been circulated previously and taken as read. The key points were
highlighted as:
- Responsibilities, accountabilities and decision-making
authorities: Work was being done to produce an operating
charter and a RACI, including delegated authorities and
accountabilities. This has taken longer due to engagement with
BEIS and UK Government Investments (UKGI). A ways of
working document has been agreed, but a decision-making flow
chart was still being updated. Once complete, it was to be circulated to the Board at its CCRC meeting. [ACTION: GH/DS] Further discussions were being held on reporting to BEIS/UKGI.
- Mitigations against risk of fraudulent claims: Fraud risks were
being actively managed by Herbert Smith Freehills (HSF) and the
Project team covering 21 separate fraud risks as set out in
appendix 1 of the report. By way of email outside the meeting,
Zarin Patel suggested that the team consider best practice for
fraudulent claim controls, such as those used for Payment
Protection Insurance (PPI) claims. Graham Hemingway provided the following response: the mitigations have been compiled and reviewed by his team, which included programme and project managers as well as business analysts with experience of managing PPI-type claim schemes at Lloyds Banking Group, Barclays, Nationwide, RBS and Co-op Bank.
Further Declan Salter’s experience has also fed into the ongoing
risk management activities, particularly around risk of
interception of emails. Internal Audit or an external team could
review the mitigations as part of their planned reviews.
- Data relating to fraudulent claims and eligibility to be appended to the CCRC Board pack: MI showing latest eligibility results
(values and volumes) from HSS was already being distributed as
part of an MI pack that HSF share with Board members on a
weekly basis. Information relating to identification of fraudulent
claims has been shared as part of the CCRC Board packs since
14 January 2021. In response to questions from the Committee,
Graham Hemingway further explained that eligibility checks were
a standard under the Terms of Reference of the HSS. Work was
still being done to work through the data and evidence available
on each claim, which was difficult due to the age of some claims.
It was also confirmed that the team was looking to instruct legal
counsel to understand rules around deceased estates and
bankruptcy in other jurisdictions (mainly Scotland and Northern
Ireland), which was necessary for a small sub-set of claims.
Otherwise, the Committee NOTED how risks relating to fraudulent
claims are being managed in the Historical Shortfall Scheme (and the
Stamps Scheme) and that controls were in place to confirm the
eligibility of claims.
12. IT Controls Assessment
12.1 Tony Jowett introduced the paper, which had been circulated previously
and was taken as read. The main focus of work in the IT Controls was
the Internal Audit Report actions and focus of the improvement effort
was on the controls of greatest risk, namely those areas connected with
the management of the third-party estate through the lens of Post
Office’s crown jewel systems. The Committee requested that there be a detailed review of this, and this review would be reported to the Committee, targeting the next meeting. [ACTION: TJ]
On resource constraints flagged by the Internal Audit report, Tony
Jowett further explained that the size of the team had been doubled
and someone had been appointed to the business continuity role but
was not yet in post.
The Committee NOTED the status and plans regarding the reduction of
risk associated with IT Controls.
13. AOB
13.1 There being no further business, the meeting was closed at 11:27.
14. Items for Noting
14.1 The following papers were circulated to the Committee prior to the meeting, but were not discussed at its meeting and NOTED by the Committee:
- Pensions Controls
- Success Factors
- Cyber Security
- Joiners, Movers, Leavers (JML)
- Law & Trends
- Accountable Person*
- Mails Fraud Update**
*Outside of the meeting, Tom Cooper requested that paragraph 18
needed to be amended to remove the following line: “There is a UKGI
representative on the POL Board, who have oversight of the Group
Executive ("GE”) and are able to challenge and review relevant
decisions made by the AP and the GE team" as his role on the Board
was not linked to the role of the Accountable Person.
** Subsequent to the meeting, Tom Cooper questioned whether power
outages (affecting label printing) had implications for the integrity of
branch accounting and accuracy of postmaster balances. Declan Salter
has confirmed that, absent fraudulent activity, there would be no
financial loss. Furthermore, that, in this regard, there are no system
related integrity issues.
Chair
Meeting Actions:
Para Action Detail Action
No.
2.1 Investigations Policy: Accordingly, the Committee APPROVED the I Ben
Investigations Policy, subject to: Foat
Ss The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent and
have the appropriate expertise and appropriate references to
other relevant policies; and
The policy being externally reviewed, and the results of this review being
considered and included as appropriate.
4.1 Risk Update: The Chair noted a discussion in the Internal Audit meeting I Mark
that morning about how to implement controls around Postmaster risks I Baldock
and how to validate GLO initiatives. Mark Baldock was asked to pick this
up with Jonathan Hill with an update to be provided at the March meeting.
Multiple partner fragility was also noted as a key operational risk due to
the economic threats to the high street.
4.1 Risk Update: Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around “insufficient” funding reflect the risk of uncertainty about funding;
- Paragraph 25 relating to the risk of prolonged industrial action as this should refer to pace of response rather than the risk of material long term industrial action; and
- Paragraph 27 relating to adverse external economic factors, noting that much of this was outside Post Office’s control and that some elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with Ken McCall and provide an update for the next Committee meeting.
(Action: Mark Baldock)
4.2 Risk Appetite Statement: Legal & Compliance: It was requested that Ben Foat consider the wording of paragraph 14 relating to “breaching tolerance” as, in fact, it was more about needing stronger controls.
(Action: Ben Foat)
4.2 Risk Appetite Statement: Legal & Compliance: Tom Cooper highlighted that Pick Up Drop Off (PUDO) was a competition risk given the investment being made in the Express Post Office proposition and noted an argument could be made about state aid. This was to be considered and, if appropriate, added to the paper.
(Action: Ben Foat)
4.2 Risk Appetite Statement: Legal & Compliance: The Chair noted that the risk relating to Post Office being in a less competitive position due to new legislation or regulation was really a commercial risk. This should be corrected in the paper.
(Action: Ben Foat)
4.2 Risk Appetite Statement: Legal & Compliance: As such, Mark Baldock was asked to look at identifying the KRIs for Postmasters with the Network team and consider working on statements for one or two other areas for update at the March Committee meeting (in the usual Risk Paper).
(Action: Mark Baldock)
4.3 Compliance Update: Ken McCall noted that the report outlined that there had been changes to the Postmaster Onboarding process and questioned whether this meant the onboarding process was quicker. Jonathan Hill was asked to confirm this point for update at the next meeting.
(Action: Jonathan Hill)
4.3 Compliance Update: In response to questions from Ken McCall raising concerns about the wording of this section in the report (paragraph 11), it was confirmed that it was the mapping of processes for activities addressing the CIJ that had no consistent approach, rather than the controls themselves. Key was evidence of controls and a consistency of approach. The HMU team was working with the relevant business areas to address this. However, the Chair asked Jonathan Hill to further consider before the next meeting any underlying issues (not just related to mapping), what controls were in place and whether or not they were appropriate.
(Action: Jonathan Hill)
4.3 Compliance Update: Zarin Patel also requested that the Committee have sight of the KPMG review of the HIJ when this was ready, noting that there were a lot of papers regarding Postmasters before the Committee and the Board and therefore questioned whether the issue was under control.
(Action: Jonathan Hill)
4.3 Compliance Update: Fire Risk Assessments: The Committee requested to be kept up to date regarding the outstanding actions in respect of fire risk assessments undertaken in June and July which are currently being investigated by the Head of Health & Safety. This was to be included in the Compliance report for the March meeting.
(Action: Jonathan Hill)
4.4 Internal Audit Update: Johann Appel was asked to send Tom Cooper a summary of the audit actions from the [Mails & Parcels] report.
(Action: Johann Appel)
4.4 Internal Audit Update: a detailed review of [the Dangerous Goods] issue, including what could be done at source and what other carriers were doing in this area. An update was requested for the next meeting in March 2021 (accountability sitting with Amanda Jones (Retail and Network Franchise Director) and Mark Siviter (Product Portfolio Director - Mails, PUDO, Retail and Branch Identity Services)).
(Action: Rebecca Whibley)
4.4 Internal Audit Update: Nick Read highlighted that in this area, the business was legally compliant, but not necessarily fit for purpose. This was a key focus for the next six months to ensure Operations, IT and culture were all fit for purpose. A GLO Dashboard would be presented to the Board on a monthly basis to give an overview of progress.
(Action: Nick Read)
4.4 Internal Audit Update: Belfast Exit Follow-Up and PCI Compliance: These were both follow up reviews. Governance and day-to-day management have improved since previous reviews, but there were still significant risks that were largely outside the control of programme teams and this reduced confidence that objectives will be achieved as planned. Nick Read was requested to re-establish the regular dialogue with the Ingenico CEO.
(Action: Nick Read)
9.1 Update on branch losses and balances on Postmaster accounts: Tom Cooper queried when the minimum value that can be settled centrally would be changed from £150 to £0, noting he thought this had been removed previously. Tim Perkins explained that Accenture had just quoted to do this, and it was requested that Tim Perkins provide the date as to when this would happen to the Committee once he is advised of it.
(Action: Tim Perkins)
9.1 Update on branch losses and balances on Postmaster accounts: The Chair noted that it was good to see the figures decreasing but that it would be useful to see a dashboard of branch balances and transaction corrections, possibly as an addition to the reporting on post GLO remediation. (Tim Perkins and Amanda Jones to action for the next Committee meeting).
(Action: Tim Perkins / Amanda Jones)
9.1 Update on branch losses and balances on Postmaster accounts: Via email outside the meeting, Zarin Patel also suggested that root cause analysis should be undertaken into the gross losses/gains and net balances as these seemed very high (paragraph 8 of the paper). (Tim Perkins and Amanda Jones to consider for update at the next Committee meeting).
(Action: Tim Perkins / Amanda Jones)
10.1 Postmaster Policies: It was confirmed that the risk appetite was averse, but that this linked back to the earlier discussion regarding the risk appetite statement for Postmasters and the need for clear KRIs, which were particularly required to judge if the policy was being embedded and enforced. This section should be added into the policy in line with the work to be completed on KRIs for Postmasters (see action above in paragraph 4.2).
(Action: Tim Perkins / Amanda Jones / Mark Baldock)
10.1 Postmaster Policies: There was also an action to carefully consider references to “employee” throughout the document.
(Action: Tim Perkins / Amanda Jones)
10.1 Postmaster Policies: It was explained there would be an overarching document demonstrating how the policies fit together and it was agreed this would be presented to the Committee in March 2021 with the Chair requesting that it be clear in this document who was the audience of which policy.
(Action: Tim Perkins / Amanda Jones)
10.1 Postmaster Policies: The Chair questioned the wording of the risk appetite section and it was requested that this was reviewed before the policy was published/implemented.
(Action: Tim Perkins / Amanda Jones / Mark Baldock)
10.1 Postmaster Policies: The Committee requested that the following elements were included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3 (indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through the dispute resolution process (i.e. accounting records, Horizon data etc.);
4. Reference to classroom training that would be provided to Postmasters on investigating balance discrepancies; and
5. A checklist for each tier.
(Action: Tim Perkins / Amanda Jones)
10.1 Postmaster Policies: Zarin Patel (by email outside of the meeting) also raised the following points:
i. Both the Postmaster Account Support Policy (para 2.5 and 4.1) and the Network Monitoring and Audit Support Policy (para 2.5) referred to “reasonable and fair investigations” without adequately defining this; and
ii. The Network Monitoring and Audit Support Policy should address skill set and attitude of lead auditors and how the new culture would be embedded so they did not approach the audit with preconceived biases.
(Action: Tim Perkins / Amanda Jones)
Historical Matters Unit: Fraudulent Claims Controls & Delegation of Authority: A ways of working document has been agreed, but a decision-making flow chart was still being updated. Once complete, it was to be circulated to the Board at its CCRC meeting. Further discussions were being held on reporting to BEIS/UKGI.
(Action: Graham Hemingway / Declan Salter)
12.1 IT Controls: The main focus of work in the IT Controls was the Internal Audit Report actions and focus of the improvement effort was on the controls of greatest risk, namely those areas connected with the management of the third-party estate through the lens of Post Office’s crown jewel systems. The Committee requested that there be a detailed review of this, and this review would be reported to the Committee, targeting the next meeting.
(Action: Tony Jowett)
MINUTES OF AN ADDITIONAL MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF POST OFFICE LIMITED HELD ON FRIDAY 26th FEBRUARY 2021 AT 20 FINSBURY STREET, LONDON EC2Y 9AQ AT 08.30AM (VIA CONFERENCE CALL)*
Present:
Carla Stent (Chair)
Ken McCall (SID) (KM)
Tom Cooper (NED, UKGI) (TC)
Zarin Patel (NED) (ZP)
Invited Attendees:
Tom Lee (Financial Controller) (TL)
Christine Kirby (Financial Controls Manager) (CK)
Regular Attendees:
Tim Parker (Chairman, POL) (TP)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group Chief Finance Officer) (AC)
Andrew Paynter (Audit Partner, PwC) (AP)
Sarah Allen (Senior Manager, PwC) (SA)
Rachel Owens (Director, PwC) (RO)
Rosie Clifton (Senior Manager, PwC) (RC)
Rebecca Whibley (Senior Assistant Company Secretary) (RW)
Apologies:
N/A
1. Welcome and Conflicts of Interest²
1.1 A quorum being present, the Chair opened the meeting and noted that participation was solely by conference call given the current Government guidance on home working. However, given the requirements of the Company’s Articles of Association, the location of the meeting was agreed to be the Company's Registered Office.
1.2 The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
requirements of section 177 of the Companies Act 2006 and the
Company’s Articles of Association.
2. Annual Report & Accounts
2.1 Alisdair Cameron introduced the papers, which had been circulated previously and were taken as read. He also referred to a short summary note that had been circulated via email to the Committee on 25 February 2021. It was noted that Her Majesty’s Treasury (HMT) had approved the £285m funding for the Historical Shortfalls Scheme (HSS) late on 25 February 2021. There were conditions attached to this approval which were still being clarified, however it was agreed that these were not
material such that the Committee could not consider the review and approval of the Post Office Limited Group Annual Report and Accounts for financial year end 29 March 2020 (ARA) at its meeting.
* Participation in the meeting was entirely via Microsoft Teams from participants’ personal addresses. In such circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be deemed as the chair’s location. However, it was not deemed appropriate to record personal addresses on the Company record. As such, the Registered Office is recorded as the meeting location.
² This meeting is an addition to the scheduled meetings so standard items, such as minutes and matters arising, have been carried over to the 30 March 2021 meeting.
2.2 Alisdair Cameron outlined that there was a lot of documentation that
required signature before the ARA could be finalised, namely the Funding
Agreement with the Department of Business, Energy & Industrial Strategy
(BEIS), letter of support from BEIS, three year working capital facility
extension, loan agreement with BEIS, HSS Operations agreement and
Equity agreement. The Funding Agreement included a change to the
definition of a Post Office location, subject to a Cabinet write around to
other Government departments. Tom Cooper confirmed one department had raised an issue, on which there would be some back and forth, but it was not thought the definition would change as a result. The letter of support was highlighted as important for the Committee and the Board as it would state: “However, we confirm that it is our present intention that BEIS’s
support for Post Office will continue and we will inform Post Office
immediately if that situation changes.” This was key for the HSS payments
and going concern assessment.
2.3 On the going concern assessment, Al Cameron explained that:
IRRELEVANT
(Action: NR/AC)
Tab 4.1 Minutes (26 January 2021 & 26 February 2021)
2.4 Zarin Patel questioned how the disclosure regarding Defined Benefit
Pension Scheme would be made. Al Cameron explained that the disclosure
was minimal because (1) there was not much information available, (2)
those affected had not yet been advised of the issue and (3) it was unclear
that there would be material exposure for Post Office. Any figures would
only be available in the next month or so, which would be after the
signature of the accounts. The figures would fall into three categories: (1)
those who have not yet had their pension quote (quotes would be
corrected and liability would be zero), (2) those who have drawn their
pension, and these would be honoured and not reduced and (3) those who
have had a quote but have not drawn their pension and it depended on
the cost as to whether these could be honoured. There would also be
discussions around the proportion of costs that the Trustees should share.
At present, as there was no clarity over the amounts involved, it was not
clear that more should be disclosed.
In response to a question from Tom Cooper, Al Cameron also confirmed
that a 7% contribution by Post Office had not been confirmed due to lack
of paperwork: the Scheme was in surplus, although there was a theoretical
risk that if the Scheme went into deficit, Post Office might be asked to
contribute more. However, Post Office could argue against this, but this
would involve discussions with Royal Mail. Andrew Paynter stated the
auditors had proposed a couple of additional words to the disclosure to
make it clear this was based on the current funding contribution.
2.5 At the request of Al Cameron, the Committee also confirmed that the tone struck the right balance between apologising for the past and demonstrating that Post Office was now moving forwards. Tom Cooper mentioned that he had a few comments about the budgeting cycle that he would share with Al Cameron directly.
(Action: AC/TC)
3. Audit Summary Memorandum FY 2019/20
3.1 Andrew Paynter introduced the paper, which had been circulated
previously and was taken as read. He noted that many items had already
been discussed but highlighted the following:
- Impairment of fixed assets: The assets of Post Office needed to
be underpinned by future cash flows. This was an exercise done
every year with cash flows updated and the same cash flows
have been looked at for the going concern assessment. The
auditors were comfortable with the impairment calculation.
There was [redacted] headroom over carrying value of assets: this was [redacted] in June and was now down to [redacted]. The auditors were comfortable with this, the discount model used and impairment on the insurance business.
- Defined Benefit Pension Scheme disclosure: As the Scheme was
in surplus, the auditors were comfortable with the
disclosure.
- CCRC: Given timing of the accounts and the unfolding of the
events, this was a post balance sheet event as at 31 March 2020
and not a contingent liability.
- Going concern: This was addressed on page 10 of the report,
with auditors concluding that this basis of preparation was
appropriate, with the material uncertainty identified.
- Controls: These were discussed with the Committee last June
and most were now closed.
- Telco unadjusted misstatements: At the Chair's request, Al
Cameron confirmed these would be corrected/cleared when the
sale completes.
Andrew Paynter further highlighted the incremental costs of the audit for financial year 2019/20, which had run for circa 9 months and that these were being discussed with Al Cameron. It was also noted that fees for financial year 2020/21 also needed to be agreed. All fees were to be approved by the Committee and should be brought back for approval once agreed with the auditors.
(Action: AC)
3.2 Given the confirmation of the HSS funding, the Committee agreed it was
appropriate to recommend the ARA for approval to the Board, with a
delegation to the Group Chief Finance Officer, the Group Chief Executive
Officer and the Chair of the ARC to finalise prior to signature. Tim Parker
confirmed he was content with this approach.
3.3 Accordingly, the Committee:
i. NOTED the status of the Post Office Limited Group Annual
Report and Accounts (ARA) for the year ended 29 March 2020;
ii. NOTED the main changes in the ARA since they were last
presented to ARC in June 2020;
iii. NOTED the plan for completion and signing of the ARA;
iv. NOTED and DISCUSSED the key judgements and decisions
made in determining the disclosures made in the ARA in respect
of key estimates, judgements and other significant matters (see
above minutes);
v. NOTED the Audit Summary Memorandum financial year
2019/20; and
vi. APPROVED the ARA for onward submission to the Board,
subject to the matters discussed and agreed during the meeting,
and with a delegation to the Group Chief Finance Officer, the
Group Chief Executive Officer and the Chair of the ARC to finalise
prior to signature.
4. Audit FY 2020/21 Update: IT Controls
4.1 Rachel Owens introduced the paper, which had been circulated previously
and was taken as read. It was highlighted that there was good progress
being made and more progress would be seen as Tony Jowett’s (Chief
Information Security Officer) initiatives continue into the next financial
year. The Committee otherwise NOTED the Audit FY 2020/21 Update on
IT Controls.
5. AOB
5.1 There being no further business, the meeting was closed at 09:30. The
Board met immediately after the Committee to approve the accounts.
Chair
Meeting Action:
Para No. / Action Detail / Action
2.3 The Committee carefully considered the Starling disclosures, especially in light of the recent legal case vs Uber. The Committee requested that an update on Starling be brought to the Board in May 2021.
(Action: Nick Read/Al Cameron (Dan Zinner))
2.5 Tom Cooper mentioned that he had a few comments about the budgeting cycle that he would share with Al Cameron directly.
(Action: Al Cameron / Tom Cooper)
3.1 Andrew Paynter further highlighted the incremental costs of the audit for financial year 2019/20, which had run for circa 9 months and that these were being discussed with Al Cameron. It was also noted that fees for financial year 2020/21 also needed to be agreed. All fees were to be approved by the Committee and should be brought back for approval once agreed with the auditors.
(Action: Al Cameron)
Post Office Limited Audit, Risk & Compliance Committee: Actions

Action (number illegible in source; raised 27/07/2020; owner: Maxine Cross; due: Before May 2021 ARC/Board Meeting & at May 2021 ARC/Board meeting)
A communication plan should be developed with Richard Taylor (POL Group Communications Director) should the issue become public knowledge.
3. A quantification of the error, a remediation plan and debrief should be presented to the Committee in September, where the Committee will consider the position/status.
4. Pensions Assurance will remain as a standing agenda item until further notice.
2. The Pensions team are to inform the Unions to avoid a whistle blow.
23/03/2021: See update to action 8 below.
19/01/2021: See update to action 6.4 from 22/09/2020 below. Quantification to be known in March 2021 and update to be provided to ARC or Board as required at this point. An update paper will also be presented to the Committee for noting on 26 January 2021.
02/11/2020: Points 1 & 2 are completed - Issue has been reported to the Pension Regulator. Richard Taylor has put in place reactive communications and a joint statement has been issued to employees. Point 3 is still outstanding and will be reported to January ARC or Board as required.
Action 8 (raised 22/09/2020, para 6.4; owner: Maxine Cross; due: Before May 2021 ARC/Board Meeting & at May 2021 ARC/Board meeting)
Pensions Assurance: ZP raised concern at the levels of stress/upset the clawback could cause for members, particularly where members had passed away, and requested the following be presented: [list illegible in source]
23/03/2021: HR will meet the Trustee on 24 March 2021 following their Board meeting on 23 March 2021. This will be the first sight of the impact of the errors. Once the impact is understood, the teams will meet with Lisa Cherry and Al Cameron on 31 March 2021 and then discuss with Steerco on 18 April 2021. It should be noted that the Trustee's calculations are based on Post Office's data which is believed to be final. However the Trustee has asked for assurance that the Unions are supportive of the reconstruction work. Work to get that assurance from them is ongoing. Further update to be provided before and at the May 2021 Committee meeting.
19/01/2021: The quantum is likely to be known in March 2021 following analysis and review by the Trustee. The approach to correcting the members' benefits including any proposed clawback will be discussed by the Trustee and POL following the Trustee board meeting on 23rd March. We intend to engage early with the Trustee to ensure our preferred approach is known. A further update will be provided to the ARC or Board as required in March 2021. An update paper will also be presented to the Committee for noting on 26 January 2021.
02/11/2020: This will be addressed at the January 2021 ARC or Board Meeting as required.
Action 11 (raised 24/11/2020, para illegible in source; owner: Graham Hemingway; due: May 2021 ARC Meeting)
Historical Matters Unit: Responsibilities, accountabilities and decision making authorities were still being clarified with RACI matrixes. The Chair noted that the delegation of authority to the HMU needed to be clearer. It was agreed that this would be presented to the January 2021 ARC meeting.
23/03/2021: The RACIO is being expanded to include HSS governance changes, specifically, monthly reviews with UKGI/BEIS and quarterly reviews to also include Treasury. Additionally, RACIO updates are required pending agreement as to funding and POL governance arrangements relating to CIJ and HD conformance, which remains under discussion at DG based on recent proposals for this work. Further update to be provided at the May 2021 Committee meeting. Work associated with Fraudulent Claims controls is now being addressed as part of standard project management processes/activities. (see also action 37)
20/01/2021: Discussions concerning UKGI/BEIS involvement in Historical Shortfall Scheme (HSS) approvals, which directly affects the operation of the schemes, have continued during December and are expected to be finalised during January. A verbal update will be provided to the ARC relating to the latest position agreed as at the meeting dates in January 2021. Further update to be provided in March 2021.
Action 20 (raised 26/01/2021, para 4.3; owner: Jonathan Hill; due: March 2021 ARC Meeting)
Compliance Update: Ken McCall noted that the report outlined that there had been changes to the Postmaster Onboarding process and questioned whether this meant the onboarding process was quicker. Jonathan Hill was asked to confirm this point for update at the next meeting.
23/03/2021: An update will be provided at the meeting in
Action 21 (raised 26/01/2021, para 4.3; owner: Jonathan Hill; due: May 2021 ARC Meeting)
Compliance Update: In response to questions from Ken McCall raising concerns about the wording of this section in the report (paragraph 11), it was confirmed that it was the mapping of processes for activities addressing the CIJ that had no consistent approach, rather than the controls themselves. Key was evidence of controls and a consistency of approach. The HMU team was working with the relevant business areas to address this. However, the Chair asked Jonathan Hill to further consider before the next meeting any underlying issues (not just related to mapping), what controls were in place and whether or not they were appropriate.
23/03/2021: The Controls Framework programme has been put on hold. Please refer to the Compliance paper. Further update to be provided in May.
Action 23 (raised 26/01/2021, para 4.3; owner: Jonathan Hill)
Compliance Update: Fire Risk Assessments: The Committee requested to be kept up to date regarding the outstanding actions in respect of fire risk assessments undertaken in June and July which are currently being investigated by the Head of Health & Safety. This was to be included in the Compliance report for the March meeting.
23/03/2021: An update is provided in the Compliance paper. Further update to be provided in May confirming actions closed.
Action 28 (raised 26/01/2021, para 9.1; owner: Tim Perkins; due: Update @ May 2021 ARC Meeting)
Update on branch losses and balances on Postmaster accounts: Tom Cooper queried when the minimum value that can be settled centrally would be changed from £150 to £0, noting he thought this had been removed previously. Tim Perkins explained that Accenture had just quoted to do this, and it was requested that Tim Perkins provide the date as to when this would happen to the Committee once he is advised of it.
23/03/2021: A new test and launch plan for the Horizon change is underway with launch dates mid-end April (either 14th April or 28th April depending on the number of test cycles which need to be completed). Further update to be provided in May 2021.
[Action entry illegible in source]
Action 30 (raised 26/01/2021, para 9.1; owners: Tim Perkins & Amanda Jones; due: Update @ May 2021 ARC Meeting)
Update on branch losses and balances on Postmaster accounts: Via email outside the meeting, Zarin Patel also suggested that root cause analysis should be undertaken into the gross losses/gains and net balances as these seemed very high (paragraph 8 of the paper). (Tim Perkins and Amanda Jones to consider for update at the next Committee meeting)
23/03/2021: Tim Perkins will provide a verbal update on this point, upon his return from leave, at the ARC meeting on Tuesday 30th March. Further update to be provided at the May 2021 meeting.
Action 31 (raised 26/01/2021, para 10.1; owners: Tim Perkins / Amanda Jones / Mark Baldock; due: Update @ May 2021 ARC Meeting)
Postmaster Policies (Network Monitoring and Audit Support Policy): It was confirmed that the risk appetite was averse, but that this linked back to the earlier discussion regarding the risk appetite statement for Postmasters and the need for clear KRIs, which were particularly required to judge if the policy was being embedded and enforced. This section should be added into the policy in line with the work to be completed on KRIs for Postmasters (see action above in paragraph 4.2)
23/03/2021: Alongside the postmaster policies creation and review we are also reviewing risk appetite statements with Mark Baldock, with the aim of defining a set of operational risk appetite statements for use in these and future policies. Update to be provided in May 2021.
Action 32 (raised 26/01/2021, para 10.1; owners: Tim Perkins & Amanda Jones; due: Update @ March 2021 ARC Meeting)
Postmaster Policies (Network Monitoring and Audit Support Policy): There was also an action to carefully consider references to “employee” throughout the document.
23/03/2021: This point is noted and will be considered in the review of this policy which is currently taking place. Further update to be provided in May 2021.
[Action entry largely illegible in source; the update ends:] Policies submission. Recommended for closure.
Action 34 (raised 26/01/2021, para 10.1; owners: Tim Perkins / Amanda Jones / Mark Baldock; due: Update @ May 2021 ARC Meeting)
Postmaster Policies (Postmaster Account Support Policy): The Chair questioned the wording of the risk appetite section and it was requested that this was reviewed before the policy was published/implemented.
23/03/2021: Alongside the postmaster policies creation and review, we are also reviewing risk appetite statements with Mark Baldock, with the aim of defining a set of operational risk appetite statements for use in these and future policies. Update to be provided in May 2021.
Action 36 (raised 26/01/2021, para 10.1; owners: Tim Perkins & Amanda Jones; due: Update @ May 2021 ARC Meeting)
Postmaster Policies: Zarin Patel (by email outside of the meeting) also raised the following points:
i. Both the Postmaster Account Support Policy (para 2.5 and 4.1) and the Network Monitoring and Audit Support Policy (para 2.5) referred to “reasonable and fair investigations” without adequately defining this;
ii. The Network Monitoring and Audit Support Policy should address skill set and attitude of lead auditors and how the new culture would be embedded so they did not approach the audit with preconceived biases.
23/03/2021: The point about "reasonable and fair investigations" in both policies is noted and is being considered in the review of these policies which is currently taking place. As part of the training plan, we'll also address some of the cultural aspects that influence the attitude of our postmaster [text illegible in source]. An update will be provided at the May 2021 Meeting.
Action 37 (raised 26/01/2021, para illegible in source; owners: Graham Hemingway / Declan Salter; due: Update @ May 2021 ARC Meeting)
Historical Matters Unit: Fraudulent Claims Controls & Delegation of Authority: A ways of working document has been agreed, but a decision making flow chart was still being updated. Once complete, it was to be circulated to the Board at its CCRC meeting. Further discussions were being held on reporting to BEIS/UKGI.
23/03/2021: The RACIO is being expanded to include HSS governance changes, specifically, monthly reviews with UKGI/BEIS and quarterly reviews to also include Treasury. Additionally, RACIO updates are required pending agreement as to funding and POL governance arrangements relating to CIJ and HI conformance, which remains under discussion at DG based on recent proposals for this work. Further update to be provided at the May 2021 Committee meeting. Work associated with Fraudulent Claims controls is now being addressed as part of standard project management processes/activities. (see also action 11)
Action 38 (raised 26/01/2021, para 12.1; owner: Tony Jowett; due: Update @ March 2021 ARC Meeting (report to be provided at July 2021 ARC Meeting))
IT Controls: The main focus of work in the IT Controls was the Internal Audit Report actions and focus of the improvement effort was on the controls of greatest risk, namely those areas connected with the management of the third-party estate through the lens of Post Office's crown jewel systems. The Committee requested that there be a detailed review of this, and this review would be reported to the Committee, targeting the next meeting.
23/03/2021: [introductory sentence illegible in source] actions:
- Platform update through Service Now integration - agreed with [illegible in source]
- KPMG review of existing IT controls underway
- Controls second line TOM in development - aligned with Finance but with input from KPMG
- Sample of Controls for Managing Suppliers focusing on Horizon initially being analysed as a joint exercise with Horizon IT GLO team with lessons to be spread across all 3rd party suppliers once complete. Further update to be provided at the May Committee meeting.
Action (number illegible in source; raised 26/02/2021, para 2.3; owners: Nick Read/Al Cameron (Dan Zinner); due: June 2021 Board Meeting)
Annual Report & Accounts 2019/20: The Committee carefully considered the Starling disclosures, especially in light of the recent legal case vs Uber. The Committee requested that an [text cut off in source]
23/03/2021: This is to be addressed at the June 2021 Board Meeting.
lupdate on Starling be brought to the Board in Mav 2021
Action 41 from 26/02/2021 para 3.1 - Audit Report / Memorandum FY 2019/20 [heading partly illegible]: Andrew Paynter further highlighted the incremental costs of the audit for financial year 2019/20, which had run for circa 9 months, and that these were being discussed with Al Cameron. It was also noted that fees for financial year 2020/21 also needed to be agreed. All fees were to be approved by the Committee and should be brought back once agreed with the auditor. Owner: Al Cameron. Due: May 2021 ARC Meeting. Update 23/03/2021: Approval of fees will be requested at the May 2021 ARC Meeting.
Post Office Limited
Year ending 28 March 2021
Audit and Risk Committee Report - Update
Private and confidential
March 2021
We have prepared this report solely for the use of Post Office Limited. This report forms part of the continuing
dialogue between the company and us and therefore it is not intended to include every matter, whether large or
small, that has come to our attention through our audit. For this reason, this report should not be made
available to third parties, and if any third party were to obtain a copy without prior written consent, we would not
accept any responsibility for any reliance that they might place on it.
© 2021 PricewaterhouseCoopers LLP. All rights reserved. In this document, 'PwC' refers to the UK member
firm, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see
www.pwc.com/structure for further details.
Update to the Audit & Risk Committee (“ARC”)
Completion of 2019/2020 accounts
We have now completed the 2019/2020 audit and we signed the Post Office Limited
consolidated financial statements on 22 March 2021. We concluded our work over
significant areas such as impairment of goodwill / PPE, Going Concern, "Historical
Matters" (HSS and CCRC), Pensions and "Hard to Place" branches, as well as our
detailed review of the revised financial statements. There were no further findings beyond
those identified and communicated to you at the February 2021 Audit & Risk Committee.
The accounts for Payzone Bill Payments Limited were signed on 23 March 2021, with the
POMS accounts expected to be signed on 26 March 2021.
Update to planning and interim 2020/2021
Our 2020/2021 audit risks remain consistent with those communicated to the Audit & Risk
Committee in our Audit Plan presented in November 2020. See appendix 1 for an extract
from that Audit Plan showing our current risk assessment.
Ahead of the year-end fieldwork commencing, we will meet with key stakeholders across
the business to update our understanding of business issues and performance. We will
engage in early discussions to conclude on the appropriate accounting treatment for key
transactions/contractual arrangements. These include accounting for the Telco disposal,
the new contract with Yoti, the recognition of an asset in respect of the BEIS HSS
settlement funding guarantee, as well as the most appropriate Income Statement
presentation (following the change in the Investment funding approach by Government).
We will report on these and other issues (as well as any updates to our risk assessment)
as part of our normal year-end reporting to the Audit & Risk Committee.
We have continued to attend cash counts at branches throughout December to March. By
the time of the ARC we will have attended year end cash counts at London, Birmingham,
Glasgow, Hemel Hempstead and Sheffield.
In November and December, we performed some interim testing across revenue,
property, plant and equipment, intangible assets, journals and payroll. We were unable to
finalise our work in this area, in part due to impact of the ongoing finalisation of the
2019/2020 audit. We will complete this testing as part of the year end fieldwork.
Fees
As part of the finalisation of the 2019/2020 year end audit, additional fees of [redacted]
have been agreed in relation to the additional work required since June 2020. This
included work over the judgements relating to Going Concern; provisions and
disclosures in respect of the HSS and CCRC positions; updated impairment
assessments in light of COVID-19; and work on the revised financial statements. Total
audit fees for 2019/20 were [redacted], with audit hours more than 10,500.
A dialogue in relation to the 2020/2021 audit fee is ongoing, with an agreement in
principle by management to move away from a "fixed fee" landscape, such that POL
assumes more of the hours "volume risk" with an underpinned rate per hour of [redacted].
The detail in relation to this approach will be progressed in the next few weeks now that
the 2019/20 audit has concluded. We will agree specific working practices and project
management protocols (for both management and the audit team), aimed at optimising
the delivery of an efficient audit.
A key factor in budgeting the quantum of hours required for the 2020/2021 audit will be
whether or not a “two phase” audit process is again required, as well as agreeing the
level of complexity associated with key risks such as HSS/CCRC and Going Concern
that should be assumed heading into the audit. We will be discussing this with
management during April, in tandem with discussions regarding the most appropriate
accounts timetable around which to plan the audit.
Timetable
We are currently scheduled to commence the main audit fieldwork in the week
commencing 26 April 2021, with work concluded by the time of the Audit & Risk
Committee meeting on 29 June 2021.
Appendix 1: Extract from the Audit Plan presented in November 2020
2.3 Risk assessment
For those risks that we have assessed as an audit risk, we have considered whether they give rise to an elevated or significant risk as described below. This assessment is performed for
each individual financial statement line item. Further detail of our assessment of risk, and our proposed approach, is detailed in the following pages.
[Chart: Group risk assessment, plotting Audit risk (Lower to Higher) against Financial Impact (Lower to Higher), with Higher audit focus towards the top right. Legend: Significant risk, Elevated risk, Normal risk, 2019/2020 risk assessment.]
Significant risk: These areas require specific focus
because they require significant judgements or are not
routine. Testing includes an evaluation of the controls in
place as well as substantive testing.
Elevated risk: Although not considered significant,
the nature of the balance/area requires specific
consideration.
Identified risk
Risk of management override of control*
Fraud in revenue recognition*
Going concern
Postmaster litigation
Impairment of fixed assets
Impairment of intangible assets subject to amortisation
Impairment of goodwill - POMS
Accuracy of telecoms revenue
Telecoms disposal
Capitalisation of intangible assets
VAT accounting
Assumptions in the pension schemes' liabilities
Classification and recognition of Trading Profit
IFRS 16 - first year full adoption
*These risks are required by auditing standards, applicable to all audits.
Changes to our risk assessment:
- Accounting for the potential disposal of the Telecoms business has
been identified as an elevated risk for 2020/21, reflecting the proposed
sale and potential complexity re the associated accounting treatment.
- IFRS 16 - first year full adoption has been reduced to a normal risk,
reflecting the second year application of IFRS 16 accounting.
- Whilst fraud in revenue recognition remains a significant risk, we have
updated our assessment to reflect the impact of COVID-19 on trading
and have identified completeness of revenue as a potential additional
significant risk for the following streams: Fixed, Horizon to CFS and
Third Party. See Appendix 4 for our detailed assessment of all revenue
streams. At this time Existence/occurrence remains a significant risk
and we will update our risk assessment closer to the year end date.
Tab 4.4 Draft Risk and Compliance Committee Minutes (16 March 2021) - pending Chair Review
THESE MINUTES ARE SUBJECT TO REVIEW BY THE RCC CHAIR, AL CAMERON.
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE RISK AND COMPLIANCE COMMITTEE OF POST OFFICE
LIMITED HELD ON TUESDAY 16 MARCH 2021 AT 10:00 VIA MICROSOFT TEAMS
Present:
Alisdair Cameron (Chair) (AC)
Helen Rhodes (People Shared Service Director) (deputising
for Lisa Cherry, Group Chief People Officer) (HR)
Ben Foat (Group General Counsel) (BF)
Amanda Jones (Group Retail and Franchise Network Director)
(AJ)
Cathy Mayor (Finance Director, Commercial) (CM)
Jeff Smyth (Group Chief Information Officer) (JS)
Attendees:
Tony Jowett (Chief Information Security Officer) (TJ): Item 5
Peter Mitchell (Treasurer - Tax, Treasury and Supply Chain
Finance) (PM): Item 6
Jonny Lonsdale (Business Continuity Manager) (JL): Item 9
Martin Hopcroft (Head of Health & Safety) (MH): Item 9
Andrew Goddard (Managing Director, Payzone) (AG): Item 10
Mark Siviter (Product Portfolio Director - Mails, Retail, PUDO
& Gov services) (MS): Item 11
Andy Kingham (Franchise Partnering Director) (AK): Item 11
Dan Zinner (Group Chief Operations Officer) (DZ): Item 12
Katie Secretan (Head of Strategic Partnerships) (KS): Item 12
Barbara Brannon (Procurement Director) (BB): Item 13
Tim Perkins (Service and Support Optimisation Director)
(TP): Item 15
Sally Smith (Money Laundering Reporting Officer & Head of
Financial Crime) (SS): Item 16
Regular Attendees:
Johann Appel (Head of Internal Audit) (JA)
Mark Baldock (Head of Risk) (MB) (for Items 1 - 6)
Jonathan Hill (Compliance Director) (JH)
Tom Lee (Financial Controller) (TL) (for Items 1 - 8)
Sarah Gray (Group Legal Director) (SG)
Rebecca Whibley (Senior Assistant Company Secretary)
(RW)
Apologies:
Lisa Cherry (Group Chief People Officer)
1. Welcome and Conflicts of Interest
The Chair opened the meeting and advised that all papers would be taken as read.
No conflicts of interest were declared.
Action
2. Minutes and Action Lists
2.1 The minutes of the Committee meeting held on 12 January 2021 were APPROVED.
2.2 Progress on completion of actions as shown on the action log was NOTED as follows:
Action 1 from 7 November 2019 para 3.2 Supplier Contracts out of Governance -SSK:
Commercial negotiations did not conclude as planned due to GDPR complexities and
the contract has been extended on an interim basis again to the end of March. The
completed contract was received on Monday and was now awaiting review and
approval from Post Office Legal. This review was expected to complete prior to 22nd
March in order that the risk is closed by the submittal of the Audit, Risk & Compliance
Committee (ARC) paper. Further update to be provided at the next Committee
meeting. The action remained open.
Action 2 from 14 January 2020 para 10.6 - Money Laundering Reporting Officer
(MLRO) Annual Report: MRC were still not conducting any meetings. The action
remained open.
Strictly Confidential Page 1 of 15
Action 3 from 13 July 2020 para 3.5 Compliance Report - TelCo: The Telco sale
completed on 15 March 2021 and the action was closed.
Action 4 from 10 September 2020 para 4 Pensions Assurance: The final data has been
sent to the Royal Mail Pension Plan (RMPP). This will form the basis for the Trustee's
report to the Trustee Board on 23 March 2021. HR has requested advance sight
of the data to be presented. This was expected to give an initial view of the quantum
of the errors. A paper was being prepared for Project Assurance Steerco on 8 April
2021 that will bring together the data, Post Office’s obligations and wider
considerations so that an approach to discussions with the Trustee can be agreed. A
further update will be provided at the next Committee meeting. The action remained
open.
Action 5 from 12 November 2020 para 3.1 Risk, Compliance & Audit Update - Risk
Dashboard: Updated Dashboard presented to the Committee on 16 March 2021 (see
para 3.1 below) with data derived directly from ServiceNow following successful data
migration of Post Office risk data set in January 2021. Draft format has been shared
with ARC Chair. Format would be flexed in light of changing needs and requirements.
The action was closed.
Action 6 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update — Internal
Audit (Controls): An update on this work was contained within the Compliance paper
presented on 16 March 2021. [Please also refer to Action 19]. However this work has
been paused and was not expected to restart for circa six months. Accordingly, the
action was closed with further updates in the Compliance Paper in due course.
Action 7 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update - Internal
Audit (Joiners, Movers, Leavers): The IT actions for this have now been completed
with no discrepancies reported. HR have also confirmed this is complete. The action
was closed.
Action 8 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update - Internal
Audit (Data Deletion): Further action by IT to create an auto-delete capability was
subject to funding, which will be reviewed during 2021/22. This action remained open.
Action 9 from 12 November 2020 para 4.2 Cyber Security (Phishing Training): This
list was provided as requested. The action was closed.
Action 10 from 12 November 2020 para 4.2 Cyber Security (Culture): The next steps
on culture/cyber awareness were now factored into the planning for the 2021/22
Cyber programme described in March paper (see para 5.2 below). The action was
closed.
Action 11 from 12 November 2020 para 4.4 Belfast Data Center Disaster Recovery
Testing: Jeff Smyth has agreed to schedule the next Disaster Recovery (DR) test at
a time in June which coincides with an opportune time in the Belfast exit programme
and the least invasive time in the PCI-DSS programme. There was some further
discussion around the dates now given some of the milestones in these projects will
be moved but the DR testing would remain in the same place (relative to milestones)
for those two programmes. In addition, IT were also looking at doing further testing
between now and the full DR test to ensure that more assessment of resiliency was
done (as far as practically possible) in parallel to the programmes in question. The
action was closed, but the Chair requested that it be fed back that the test in June
must go ahead (Rebecca Whibley to advise team).
RW
Action 12 from 12 November 2020 para 6 Notification of Transaction Error: The
changes required in CFS have been agreed with Finance and Accenture. The date for
completion was to be confirmed, but will be later than 19 March 2021 as indicated in
previous updates. The subsequent Branch Focus article would also be delayed. The
action remained open, with the Chair noting that the delay in implementing this was
uncomfortable. Amanda Jones explained that the issue was discussed on 12 March at
the Improvement Delivery Group (IDG) and direction was that the action needed to
be completed.
Action 13 from 12 November 2020 para 16 Data Governance: An update was in the
Compliance Paper (see para 3.3 below). The action remained open.
Action 14 from 12 January 2021 para 3.1 Risk Update (MDA2): Risk rating was
reduced to 4:2 in line with signing of MDA2. The action was closed.
Action 15 from 12 January 2021 para 3.1 Risk Update (Purpose & Postmasters): This
was ongoing: Central Risk were currently supporting Retail & Franchise Network in
the identification of intermediate and local postmaster-centric risks (as well as
existing risks that have an impact on postmasters). An updated dataset was to be included
on GRC in the next reporting period. The aim was for this to be underpinned by an appetite
statement on which ARC approval would be sought in May 2021. The action remained
open.
Action 16 from 12 January 2021 para 3.1 Risk Update (GRC Tool): Business Case
approval was being sought for GRC Phase 2 rollout from April 2021. This would
support the rollout of risk management capacity to all Business Unit Heads and Risk
Owners thereby ensuring accountability was positioned appropriately. There would
be a requirement for Risk Owners to review their risks every 2 months to allow
for accurate Committee/ARC updates. The action was closed.
Action 17 from 12 January 2021 para 3.1 Risk Update (Telco Sale): In light of Telco
sale the status of all associated risks have been changed to ‘inactive.’ The action was
closed.
Action 18 from 12 January 2021 para 3.2 Risk Update (Legal & Compliance Risk
Appetite): Legal & Compliance risk appetite paper was presented at the Committee
in March (see para 3.2) which provides advice on how the approach to risk appetite
would address the challenges around Modern Slavery risks. The action was closed.
Action 19 from 12 January 2021 para 3.3 Compliance Update (Controls Framework):
An update on this work was contained within the Compliance paper (see para 3.3).
[Please also refer to Action 6 above]. However this work has been paused and was
not expected to restart for circa six months. Accordingly, the action was closed, with
further updates in the Compliance Paper in due course.
Action 20 from 12 January 2021 para 3.3 Compliance Update (Data Management):
The Data Governance Steerco was already established for the data strand and was
up and running. A dedicated Data Governance lead role was being recruited (an offer
has been made) to take over the ownership of data governance and pick up the initial
work already conducted in this area e.g. identification of data owners / stewards /
SME's etc. The project was currently being led by Matthew Warren. Further update to
be provided at the next Committee meeting. The action remained open, with the
Chair commenting that this work was important and the Committee commented the
key was to be clear on overall accountabilities and a timetable. Jonathan Hill explained
this would be further addressed once the Data Governance lead was in post.
Action 21 from 12 January 2021 para 3.3 Compliance Update (Cookies): An update
on this work was contained within the Compliance paper (see para 3.3). The action
was closed.
Action 22 from 12 January 2021 para 3.3 Compliance Update (Financial Services -
Multi-Principal Review): The team were still awaiting the first draft of this review from
the Principals. It has been chased and a response was expected within the next 2
weeks. Further update to be provided at the next Committee meeting. The action
remained open.
Action 23 from 12 January 2021 para 3.3 Compliance Update (Financial Services -
Mystery Shopping): An update on this work was contained within the Compliance
paper (see para 3.3). The action was closed.
Action 24 from 12 January 2021 para 3.4 Internal Audit (Mails & Parcels): More
detailed actions were agreed with Mark Siviter and the report was re-circulated. The
action was closed.
Action 25 from 12 January 2021 para 3.4 Internal Audit (Historic Matters - Common
Issues Judgment (CIJ)): Management comment was added for the ARC summary and
the report was updated to reflect the latest status. A verbal update would be provided
at the ARC to reflect any further progress. Internal Audit now track and report the
remaining actions on a weekly basis. The action was closed.
Action 26 from 12 January 2021 para 3.4 Internal Audit (Post Office Insurance): Audit
report rating has been included in the table. The action was closed.
Action 27 from 12 January 2021 para 3.4 Internal Audit (Audit Actions): GE have
provided their approval of baseline crown jewel systems. No further follow-up action
required as update process is triggered by retirement/implementation of key systems
to baseline inventory. The action was closed.
Action 28 from 12 January 2021 para 4.1 PCI-DSS Update: This risk has been closed
off by the tech team in discussion with Santander tech team. They have confirmed
that Santander service will continue even while migration for the dedicated link to the
common Vocalink connection is undertaken, and all banks (including Santander) can
continue to use existing transaction types - so no change was required from any
bank. The action was closed.
Action 29 from 12 January 2021 para 4.3 Joiners, Movers, Leavers: The paper was
updated as requested prior to submission to the ARC on 26 January 2021. The action
was closed.
Action 30 from 12 January 2021 para 6 Supply Chain Historical IT Risks
(Questionnaire): IT have developed a “shadow IT” questionnaire and were testing
this approach locally within IT. This activity will be completed by 30 April 2021. Then
the IT will progressively use the same “amnesty and sweep” approach across the
wider business to determine scale and importance of non-IT supported systems. The
team will report back in May on IT progress findings with a proposal for how to rollout
across wider business. The action remained open.
Action 31 from 12 January 2021 para 6 Supply Chain Historical IT Risks (Further
Update): Following on from the previous update given to the Committee in January,
KPMG who undertook forensic examination of the impacted PCs have found that no
external access had been made to the devices. As a result no compromise of Post
Office data has occurred and no breach of any GDPR obligations. KPMG made
recommendations around password security and ensuring the business had a robust
asset register of all IT assets in order to ensure that this issue could not be
repeated. The Supply Chain / IT review of all Supply Chain sites has not uncovered any
further breaches and as such no further actions are required. The action was closed.
Action 33 from 12 January 2021 para 7 Annual Money Laundering Report (Money
Service Businesses (MSBs)): Following the last meeting, there has been more
movement at an industry level on driving focus on resolving the issues with cash
deposits, with several banks now being more proactive and have tightened their
controls. Martin Kearsley and Sally Smith have had several meetings with UK Finance,
and the National Economic Crime Centre (NECC) Project Admiralty is now meeting
monthly. The NECC were also meeting with UK Finance and Sally Smith to discuss
further ways to drive control improvements. At this stage, the issue with MSBs has
not been raised specifically with the banks, as, if they implement the required controls,
this ceases to be an issue for Post Office. We were also aware of ongoing Law
Enforcement/Regulator activity with certain MSBs which will likely result in better
controls. A further update will be provided to the next Committee meeting. The
action remained open, with the Chair noting that a clear outcome was needed by May
2021.
Action 34 from 12 January 2021 para 7 Annual Money Laundering Report (Amazon
Vouchers): Payzone were progressing changes, but do not yet have implementation
dates, transactional changes and limits to the product are also being pursued by EPay,
but they have not yet confirmed date of changes. Financial Crime have requested
that Payzone press EPay for a delivery date, or ‘pause’ sales of the product. Payzone
have provided the following update: weekly meetings scheduled with the
Financial Crime team were ongoing to ensure progression. Talks with EPay and
Amazon regarding fraud mitigations were continuing with feedback expected for the
next meeting. A ticket has been raised with Service Now for a pop up message. A
further update would be provided to the next Committee meeting. The action
remained open, and at the request of the Chair, Jonathan Hill further explained that
the team was also looking to impose a basket limit and a pop up warning, which were
subject to deployment time. This would reduce the risk. The Chair noted that the data
on transactions should be tracked to monitor this issue.
Action 35 from 12 January 2021 para 7 Annual Money Laundering Report (Report
revision): This was addressed in ARC report in January. The action was closed.
Action 36 from 12 January 2021 para 7 Annual Money Laundering Report (PCI_DSS
Programme): Session held between Jeff Smyth, Sally Smith and relevant team
members to understand types of data analysis that the team perform. As part of data
platform activity, the Financial Crime Team “use cases” will be incorporated into the
overall platform demand plan. Their needs will be prioritised versus other business
demand. It was anticipated that requirements gathering/analysis phase will occur in
FY21 Q1, although this is subject to Investment Committee funding prioritisations.
The action was closed.
Action 37 from 12 January 2021 para 8 Pensions Assurance: David Scothern replied
to Ben Foat on 22 January 2021. Further update since then: The pensionable pay
data shows errors that date back to 2014 and contains both overpayments and
underpayments: It should be noted that this was data on pensionable pay and
allowances. This data will need to be processed by Royal Mail Pension Plan (RMPP)
administrators to convert it into pension benefits. RMPP processes included the
application of various underpins so errors in pensionable pay data do not necessarily
become errors in pension benefits. The action was closed.
Action 38 from 12 January 2021 para 10 Update on Branch losses and balances on
Postmaster accounts (Change Spend): The change budgets relating to service
improvements, and including the Deloitte work, have all been put under a single
programme of work (Postmaster Service Improvement Programme) and this
programme has been approved at Project Review Board and Investment Committee.
The programme will manage prioritisation of activities taking its lead from the Deloitte
work. The action was closed.
Action 39 from 12 January 2021 para 12 Mails Fraud Update (Analytical Capability):
The scope for this work was being looked at in the wider context of a forensic capability
being stood up within Horizon IT: there are natural synergies around the set of
capabilities to provide analytical services across a broad range of processes and these
can leverage off the work being looked at around rapid surfacing of transactional data.
Further update was to be provided in May 2021. The action remained open.
Action 40 from 12 January 2021 para 13 Historical Matters Unit (HMU) (RACI Matrix):
A draft RACID matrix was shared with Historical Matters Committee on 18 February
2021 and with GE w/c 22 February 2021. Additionally, draft RACID shared with
internal audit for feedback. Feedback from CFO was being reviewed and discussions
are ongoing with Finance and with Strategy and Transformation Director relating to
governance arrangements which will then be incorporated into an updated RACID.
The action remained open and it was agreed that there remained uncertainty
about the roles within HMU and its interaction with BAU. The Chair also highlighted
assurance within HMU and Johann Appel explained that the Internal Audit had found
that governance had taken too long to formalise within HMU. It was agreed that
Graham Hemingway should meet with Gareth Clark of IDG to finalise the RACI from
both sides (HMU and BAU) and then this should be reviewed by the Chair, Ben Foat, Dan
Zinner, Declan Salter and Johann Appel. (Rebecca Whibley to inform relevant
individuals)
Action 41 from 12 January 2021 para 13 HMU (GE Report): The HMU GE reports to
contain risks and controls. Risk Log for Scheme additionally shared with UKGI and
top risks reviewed at monthly monitoring meetings. Programme updates for each
workstream are included in the reading room for every Board submission. Declan
Salter calls-out any issues in his monthly report for both GE and Board. The action
was closed.
Actions 42 - 44 from 12 January 2021 paras 14 & 15 Policies: These were corrected
prior to submission to the ARC. The actions were closed.
Risk, Compliance and Audit Update
RW
Risk
3.1
Mark Baldock introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted:
- The paper was now in dashboard format again as ServiceNow had been
implemented. The team was now seeking approval for the next phase of the
ServiceNow roll-out at the Project Review Board, which would enable risks to
be managed beyond the Central Risk team by the relevant owners across the
business.
- There had been some challenges getting information on risks from the HMU;
all HR risks had been reviewed and added to the system.
- Postmaster risks were still being worked through but a Postmaster-centric risk
view and appetite statement would be prepared soon. In response to a
question from Amanda Jones about whether the local risk on non-compliance
with GLO findings should in fact be an intermediate risk, it was explained that
there was no difference between the importance or visibility of a local risk and
an intermediate risk.
- Risks had been included for the post-COVID future workplace, based on
returning to the office around September 2021.
- Around a third of the risks were acceptable risks, meaning that if ratings are
satisfactory, the business can be guided to focus on higher level risks. The
risks identified as the “top risks” were taken from ratings made by the business
and were mainly in the commercial space.
- The risk numbers and risk weights within the paper showed all risks across
the business, grouped by area and type. There might be some churn in these
risks, but ultimately these were thought to be about right.
The Committee discussed the following points:
- Ben Foat highlighted the need for the relevant business areas to consider risks
before they are reported to the Committee, and Mark Baldock confirmed the
system reports would be run a week after the end of each two-monthly
reporting period and would then be circulated to GE for input.
- Ben Foat also questioned the 63 risks listed for Legal, Compliance and
Governance (LCG). Mark Baldock advised that these were a combination of
LCG-owned risks and legal & compliance risks owned by other parts of the
business (such as Commercial). He would include such ‘horizontal’ analysis of
corporate-wide risks in the next version of the Dashboard.
- It was also agreed that Mark Baldock would consider how to present the
Enterprise risks (see slide 6 of the paper) in relation to legal and regulatory
non-compliance, as the risk was very dependent on what law/regulation was
not complied with.
- It was agreed that Mark Baldock would share the risk dashboard with Deloitte
and that he should join up with Deloitte as part of their work on post-GLO
compliance.
- The Chair requested that Mark Baldock produce a covering paper for the
dashboard to make it clear which risks were changing.
The Committee otherwise NOTED the Risk Dashboard for onward submission to the
ARC.
3.2 Risk Appetite Statement: Legal & Compliance
MB
MB
MB
MB
SG
MB
3.3 Compliance
Jonathan Hill introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted and discussed:
- Controls Framework: A decision had been taken to pause this work and review
it at the end of the summer, given Public Inquiry work and the need for the
business to have processes properly mapped. Controls work would be done as
needed, with Jeff Smyth particularly highlighting the IT controls given the
KPMG report.
- Telco: The transaction completed on 15 March 2021 and the team had moved
to Shell. Ofcom had confirmed it would not investigate the comms incident and, in
respect of PSD2, the audit was accelerated. It passed for all bar two individuals
and for these individuals remediation actions had been agreed. A close-down
report on the Telco sale was expected later in the week.
- Cookies: Compliance had worked with the Digital team in Commercial and it
was agreed that there would be negligible commercial impact in putting in changes
to place Post Office back “in the middle of the pack.” The Chair agreed that
good progress had been made, but highlighted that being middle of the pack was
not a commitment and, if it became one, further discussion would be required.
- Financial Crime: The PipIT contract had now been formally exited. The Chair
questioned whether individuals depositing high values onto numerous cards
belonging to multiple partner banks at branches located in Scotland, advising
that the funds were to pay university tuition fees, was an issue. Jonathan Hill
explained the question was whether this was what the deposits were actually
for and, whilst it was the banks’ job to establish this, Post Office supported
because of its work with NECC Project Admiralty. It was also noted that the
nationality of the individuals was irrelevant and should be removed from the
paper.
JH
- Supply Chain Compliance: It was identified that there were issues with the
Note Circulation Scheme Bond, with incorrect values being paid in.
Subsequently it was established that there were 14 late Bond incidents over
the last year. These have now been investigated, root causes established and
corrective actions to prevent recurrence have been implemented. Compliance
has undertaken assurance reviews at both Birmingham and London to ensure
new controls are effective and no further issues were identified. A formal
response to the Bank of England was sent on 26 February 2021. The Bank
will decide if the incident warrants losing the late Bond facility, issuing a fine
or if they take no action. No response has been received as yet.
- Documents from the Postal Museum: The Chair also noted that he had been
asked to help allow better access to the Postal Museum to examine documents
before the deadline for filing at Court of 22 March 2021. Ben Foat agreed he
would follow up with Nick Vamos on this.
BF
The Committee otherwise NOTED the Compliance Update for onward submission to
the ARC.
Tab 4.4 Draft Risk and Compliance Committee Minutes (16 March 2021) - pending Chair Review
THESE MINUTES ARE SUBJECT TO REVIEW BY THE RCC CHAIR, AL CAMERON.
3.4 Internal Audit
Johann Appel introduced the report, which had been circulated previously and was
taken as read. The following points were discussed:
- Good progress had been made on the current year plan but the last three audits had
been delayed in order to provide assurance to the IDG in preparation for the
Public Inquiry.
- CIj Improvement Programme: Four actions were outstanding which would be
tracked through the IDG and normal action tracking process. Johann Appel
was meeting with Declan Salter later on 16 March 2021 to agree the
management comment.
- Historic Matters - Set-up and Governance: Johann Appel would also agree the
management comment and finalise outstanding actions with Declan Salter
later on 16 March 2021. Johann Appel was asked to ensure the report was
discussed with Nick Read before it was finalised for the ARC.
JA
Ben Foat highlighted that when discussing HMU governance, it needed to be
made clear that governance had only been lacking/not formalised over the last
six months or so, since the creation of the HMU, and particularly in relation to
the Historical Shortfalls Scheme (HSS) and the Stamps scheme. The
Committee also made clear that this report should be shared with Deloitte to
ensure they were working from the same data, and Internal Audit discussions
with Deloitte on this topic should continue.
JA/AI
- Postmaster Reporting: This had concluded that the Management Information
(MI) currently provided was not fit for purpose and was largely reliant on Area
Managers providing the information, with no self-serve option. Actions were
being finalised with Nick Beal and then the report would be issued. Amanda
Jones highlighted that there was no “silver bullet” answer to this issue as it
depended on a number of things including data and system investment. The
Chair noted that there were a number of MI issues across the business and
any fixes would need funding. This needed to be highlighted in the
commentary and conclusions of the report before it was submitted to the ARC.
JA
In response to a question from Ben Foat, Amanda Jones confirmed that a
Postmaster scorecard was being developed as part of the Voice of the
Postmaster meeting. This particular audit was about the information provided
to Postmasters to help them run and grow their Post Offices. The team were
considering what could be done on Branch Hub to support the provision of this
information.
- Post Office Insurance Pricing Audit: The Chair requested that Johann Appel
add more information to the report before submission to ARC as to why the
audit was rated as needs significant improvement.
- Audit Actions: It was highlighted that the outstanding audit action regarding
Cyber Security Maturity Assessment should not be postponed a third time.
The Committee NOTED the Internal Audit update, specifically progress being made
with delivery of the Internal Audit programme and completion of audit actions.
4. Internal Audit Plan 2021/22
Johann Appel introduced the paper, which had been circulated previously and was
taken as read. It was explained that the initial plan had been adapted to address IDG
requirements. The plan was dynamic and would be reviewed quarterly. Depending on the
outcome of the planned IDG reviews in Q1, some of the Postmaster-focussed reviews
could be brought into the main plan. The plan was Postmaster-centric, but the
challenge was completing these Postmaster-focussed reviews alongside the required
IDG work.
The Committee NOTED the draft audit programme for 2021/22 and APPROVED the
2021/22 Internal Audit plan, for the onward submission to the ARC.
5. IT Updates
5.1 PCI-DSS
The Committee NOTED the progress made during the last reporting period and the
key risks. It was also agreed that this need not be a standing agenda item for the
Committee moving forwards.
5.2 Cyber Security
Tony Jowett introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted and discussed:
- The Security Architecture document was late but was in progress. It was
agreed that an interim update should be provided to the ARC in March and
Tony Jowett was asked to add this to the paper before it was submitted to the
ARC.
- On the 2021/22 Cyber Programme, the focus was on Postmaster support and
Post Office’s underlying maturity. The programme was now going through
portfolio and financial approval.
- A second desktop exercise had been completed and the report included a
report from Nettitude (red team and pen test supplier). Essentially the test
went well across IT, but gaps were found in Post Office’s technical capabilities
to quickly identify the location of Personal Information within its network.
The need for this capability would be assessed as part of programme planning
for 2021/22 and could cost around [amount not shown]. It was requested that the
potential cost be “brought to life”, including the cost of the software, the
potential cost or risk of not doing anything and any alternatives. This needed
to be added to the paper before it was submitted to the ARC.
- On the Dashboard, a follow-up with GE members on the recent fake phishing
attack had been completed. Those who clicked on the link but did not complete
the follow-up 5 minute training task had been individually contacted by the
relevant GE members. Another fake attack would be done and better behaviour
was required.
The Committee NOTED the status and plans regarding the reduction of risk
associated with Cyber Security.
TJ
TJ
6. Foreign Currency and Hedging
Tom Lee and Peter Mitchell introduced the report, which had been circulated
previously and was taken as read. The following points were highlighted and
discussed:
- Post Office holds inventory (foreign currency) on its balance sheet (hedging)
for which there is a policy and this needed to be accounted for and reported
correctly.
- An issue was picked up in December 2020 relating to an automated
programme (from Accenture) which should revalue any stock and then post
the value. The programme was revaluing but was not then posting correctly.
This meant that Post Office was slightly overstating its balance sheet and
understating its Profit & Loss. This affected around £25m and, as stock reduced
significantly during COVID-19, the issue was not picked up sooner. Foreign
currency holdings as at the end of December 2020 were manually revalued.
- Helen Rhodes questioned whether there was any redress with Accenture. Peter
Mitchell explained that this was being discussed with IT and that Accenture
had acknowledged they were partly at fault. However, ultimately, Post Office
had not lost money; it was just slow to recognise accounting entries.
- Jeff Smyth questioned whether another opinion on the issue was required.
Peter Mitchell explained that he and Tom Lee were looking at it from a
Treasury and an Accounting perspective respectively, with Accenture considering
the technical solution. Manual revaluation had been used for the last three
months and this had proved effective. Another opinion or internal audit view could
be sought, but the crux was making sure the manual calculation was correct.
- Ben Foat questioned the ramifications of this issue including exposure to First
Rate Exchange Services (FRES) and other operational implications. Peter
Mitchell explained the only implications were for the Post Office balance sheet.
An adjustment has been put through to “catch up” the balance sheet. There
was no fundamental issue for the balance sheet or P&L, it was just delayed
recognition. There had been no loss to FRES or the customer. However, there
were clearly lessons to be learnt about governance and testing of systems
before accepting the handover of them.
The Committee NOTED:
i. the process of revaluing foreign currency and the hedging of foreign exchange
risk at Post Office; and
ii. the summary of issues identified in year, the manual fix implemented and
planned changes to create a better process.
Mark Baldock left the meeting.
7. Bi-Annual Legal Risk Review (Non GLO/Starling)
8. Law & Trends Update
Tom Lee left the meeting.
9. Business Continuity
Jonny Lonsdale and Martin Hopcroft introduced the paper, which had been circulated
previously and was taken as read. It was explained that a gap analysis of the
alignment of the Business Continuity Management System (BCMS) to the BSI ISO 22301
(Business Continuity) standard had been completed. The Gap Analysis had found that
the overall status of the Post Office BCMS was non-compliant with some aspects of
the industry standard, in particular the lack of a detailed Business Impact Analysis
(BIA) for each department. A BIA should be in place for each department to enable
prioritisation of the activities with the biggest impact in the event of an issue. This
underpins the BCMS and testing. There was definitely a lot more work to do. The
Committee raised the following points:
- Johann Appel was concerned that some of the gaps identified were those that
had been identified before through Internal Audit and that had been confirmed
as closed. It was agreed that Johann Appel and Jonny Lonsdale would discuss
this offline.
- The Internal Audit Plan also included a review of Business Continuity in Q4.
- The Chair was pleased to see progress in this area and questioned whether
Business Continuity Plan owners had been identified to ensure accountability.
Jonny Lonsdale explained that the majority of owners had been identified,
along with BIA Champions, and meetings had started to guide individuals
through the BIA and Business Continuity Plan. The key was to document the
accountability.
- Helen Rhodes questioned whether there were any inherent risks or whether it
was simply an issue of lack of documentation. Jonny Lonsdale explained that
ultimately, the risks were unknown because the BIA was not documented.
- The Chair further highlighted that an end-to-end test of Horizon and cloud
migration had not been completed and this was one of the biggest risks. Jonny
Lonsdale was asked to discuss this with Howard Booth and provide an update
to the Committee at its next meeting.
The Committee NOTED the summary findings of the Business Continuity Gap
Analysis review for Post Office Group for onward submission to the ARC.
JL
10. Deep Dive: Payzone Governance
The Committee NOTED the Payzone Risk & Compliance Update report for onwards
submission to the ARC.
11. Deep Dive: Dangerous Goods
Amanda Jones, Mark Siviter and Andy Kingham introduced the paper, which had been
circulated previously and was taken as read. The Committee discussed the following
points:
- This had always been an area of concern as branches are the first line of
defence, so ultimately Post Office could not control it completely. However,
responsibilities needed to be taken seriously as the consequences of breaches
would have significant financial and reputational impacts. It was also a
complex area and not easy for Postmasters. The key was to improve and
systemise where possible so as to reduce the risk of breaches.
- Andy Kingham explained that the first phase of improvement was to offer a
Horizon menu-based alternative to the manual scanning of the dangerous
goods laminate (which requires individuals to remember to scan the laminate).
This was currently being trialled in 167 branches for feedback. Provided this
feedback was positive, this would be rolled out in waves from April 2021
onwards with the potential of a full roll-out across the entire network by the
end of quarter one 2021/22. Further phases were outlined in the paper. The
Chair requested that the timeframes were made clearer in the paper before
the paper was submitted to the ARC.
- Around half of the failures from mystery shopping visits were because the
mystery shopper did not see the Postmaster put the relevant label on the
parcel. This could be addressed by printing the label with the transaction
(phase two). This required permission from the Civil Aviation Authority (CAA).
This required a three-way dialogue including the CAA and Royal Mail, but Mark
Siviter was confident the CAA would agree to the proposal.
- Phase three was subject to a business case and involved simplification on
Horizon to move the Dangerous Goods transaction start point earlier and
customer self-certification via the Pin-Pad. These changes could increase the
transaction time so this needed to be considered carefully.
- It was also explained that the pandemic had had the benefit of Area Managers
being in more frequent contact with branches, meaning Branch Insight Tool
data could be acted on more quickly.
Accordingly, the Committee NOTED:
i. the activity undertaken and planned in order to improve conformance to the
required process; and
ii. the anticipated improvement in mystery shopping conformance as a result of
the proposed system changes
for onward submission to the ARC.
AK/MS
12. Strategic Partner Financial Stability Update
Katie Secretan and Dan Zinner introduced the paper, which had been circulated
previously and was taken as read. The following points were raised in discussion:
- The Chair questioned the strategy for building relationships with these
partners given it was clear that shops like McColls had benefited from the
pandemic but were still reducing the number of Post Offices in their network.
Dan Zinner explained that there was a hill to climb because of Post Office’s
history with its partners, but that the key was considering different
propositions of Post Office and ensuring better value for money, technology
and processes. Katie Secretan noted that for many smaller stores an
integrated Post Office proposition would help sell the partnership. The
partners’ approach had shifted from looking at having Post Offices over the
whole estate to a branch-by-branch view. The key was to get them to see the
value of having Post Offices across their whole estate: the idea being that
partners would have Post Offices across their whole network but that they
could have flexibility on what format was used in each branch.
- The Chair also questioned whether there was a place for cashless branches.
Katie Secretan explained that for most partners simplicity was key, but
whether cashless was the best approach would depend on looking at data on
what services customers utilise in a particular branch. A further consideration
was what services drive additional basket spend in store.
The Committee otherwise NOTED the Strategic Partner Financial Stability update for
onward submission to the ARC.
13. Procurement Compliance & Governance
Barbara Brannon introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted:
- Lexington Communications Ltd was subject to approval by GE on 17 March
2021.
- Cheque Processing for Postal Orders and Camelot risk was due to be closed by
the end of March.
- Digidentity was to be discussed at GE on 17 March 2021. It was explained that
essentially, Digidentity were the only supplier able to offer the services
required for the UK Verify contract, however, Procurement were working to
ensure Post Office was not committed to an extension with Digidentity if the
requirements of UK Verify changed.
- Largely, the picture on Procurement was unchanged since January, with two
large, compliant contracts forming part of the GE paper for 17 March 2021.
The Committee otherwise NOTED the Procurement Risk Exceptions submitted to the
Post Office Limited Group Executive and Board since January 2020 and the
Procurement Pipeline for onward submission to the ARC.
14. Policies for Approval
The following policies were APPROVED for onward submission to the ARC:
- Health and Safety; and
- Procurement.
15. Postmaster Policies
Amanda Jones and Tim Perkins introduced the report, which had been circulated
previously and was taken as read. The following points were highlighted and
discussed:
- Six policies were presented for approval, which were part of a suite of 12 new
policies. They had been reviewed by Legal and had input from the National
Federation of Sub-Postmasters (NFSP).
- A Guide for Postmasters on the policies was also included, which was a specific
request from the ARC. The policies were internal, i.e. for colleagues, and the
guide sets out Post Office’s obligations to Postmasters as part of the Postmaster
support guide.
- The Chair highlighted the need to measure the outcomes of these policies to
demonstrate that they were effective and it was critical to build in compliance
and assurance testing. Tim Perkins agreed that this was vital and that an
interim set of controls were already in place to ensure policies were working
effectively. A self-assessment of controls was carried out on a monthly basis,
feeding into measures of policy effectiveness. More broadly, there was a
complaints and investigations dashboard and reporting to the Voice of the
Postmaster meeting on transaction corrections. Tim Perkins was asked to add
this detail to the ARC paper prior to submission.
- It was also noted that the Chair was listed as the GE Sponsor for the Network
Cash and Stock Management Policy but he had not been asked to review.
Jonathan Hill was asked to ensure that policy sponsors were properly briefed
before policies were submitted for approval.
- On the Termination Policy, the Committee discussed whether someone
independent should be given the opportunity to review the termination
decision. Amanda Jones explained this was still being considered and she was
keen to understand what other franchises do. One option was to use the
Postmaster Non-Executive Directors. It was agreed that the policy should be
amended to include the intention that there would be some form of
independent review prior to submission to the ARC.
- On the Training Policy, questions were raised about how Post Office could tell
whether training was effective and the Chair felt that the policy should state
that onsite training would include times when cash deliveries and pick ups
happened as well as when monthly balancing was done. Tim Perkins explained
that training reviews were done at three and six month intervals and the plan
was to use branch data for better insight and to produce dashboards. It was
agreed that the policy would be amended to include more detail on measures
of training effectiveness. Ben Foat further suggested that operational
examples needed to be included in the policy to bring it to life and this was to
be done before the policy was submitted to the ARC. It was also agreed that
Tim Perkins would feed back to Tracy Marshall (Postmaster Effectiveness
Director):
1. Concerns about the reduction in training time from 5 weeks to a digital
offer with two days face-to-face training and a week of shadowing.
2. Whether the half-day course on loss recovery/balancing should be
compulsory or longer.
TP
JH
TP
TP
TP
TP
- It was also requested that the MI from the monitoring of these policies was
reported on a quarterly basis to the Committee, with more regular reporting
to the Voice of the Postmaster meeting. (Rebecca Whibley to add to the
Committee agendas moving forward).
RW
- Jeff Smyth also highlighted that there were some products that could not be
trained on in the Counter Training Office and some support processes that could not
be practised in full. Thought needed to be given as to how full training on
these products and processes could be given.
The following policies were APPROVED for onward submission to the ARC, alongside
the cover paper, subject to the amendments discussed above:
- Guide to Policy Standards for Postmasters;
- Postmaster Complaints Handling Policy;
- Network Transaction Corrections Policy;
- Network Cash and Stock Management Policy;
- Postmaster Termination Decision Review (see amendments above);
- Postmaster Training Policy (see amendments above); and
- Postmaster Onboarding Policy.
16. Whistleblowing Policy
The Committee APPROVED the proposed amendments to the Whistleblowing Policy
and the appointment of the Whistleblowing Champion, for onward submission to the
ARC.
17. Review of draft Audit, Risk and Compliance Committee meeting agenda for
30 March 2021
The draft ARC agenda for 30 March 2021 was NOTED with the following comments:
1. The Payzone Governance Report could be a noting only item;
2. The Foreign Currency and Hedging Paper presented to the Committee should
be added to the agenda for noting only; and
3. Tracy Marshall (Postmaster Effectiveness Director) should be invited to attend
the Postmaster Policies section;
subject to the agreement of the ARC Chair.
RW
18. Any other Business
There was no other business, save that it was noted that at future meetings, the
Chair would agree with the Committee at the beginning if there were any papers that
need not be discussed, such that presenters could be stood down in good time.
Tab 5.1 Risk
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Risk Report
Meeting: 30 March 2021
Date:
Author: Mark Baldock, Head of Risk
Sponsor: AL Cameron, Chief Finance
Input Sought: Noting
The Audit Risk & Compliance Committee (ARC) is asked to note the current status of key
risks, our risk appetite activity and GRC implementation.
Executive Summary
ARC is asked to:
- note the key risks we currently face with particular focus on those in the Strategic,
Postmaster, Commercial, People, Operational and Financial space
- note our risk appetite activity
- note current progress on the design and build of the GRC tool
Report
- What are our key risks (new and existing) and their materiality?
- What is the status on risk appetite?
- What is the status of GRC implementation?
Key Risks
1. As at the end of 2/2021 the Post Office had 556 active risks (14 enterprise, 90
intermediate, 453 local). Detailed analysis is provided in the appendix.
2. Overall the Post Office’s risk profile is broadly stable and being effectively managed with
clear focus on priority areas such as Postmaster and HMU risks. The key risks we face
(new & existing, top-down & bottom-up) are primarily in 6 areas namely Strategic,
Postmaster, Commercial, People, Operational and Financial.
Strategic
3. These concern risks arising from pursuing a strategy which is subsequently seen as
poorly defined, and/or is based on flawed or inaccurate data or fails to support the
delivery of commitments, plans or objectives due to a changing macro-environment.
Risks are increasing.
4. There is a need to secure shareholder alignment/agreement on the optimal balance
between securing the requisite trading profit and the importance of maintaining ongoing
support for Postmasters, given the challenges faced in a pandemic environment. It is
also the case that the Post Office Brand could be threatened by the imminent court
judgements and the outcome of the Judge-led Inquiry.
5. A key workstream in this area is our support of the Historical Matters Unit in articulating
a set of risks which can be mitigated and tracked. Work continues but risks already
identified include (i) the possibility of additional claims being brought against the Post
Office from postmasters not part of the original court action and (ii) the
possibility that the ongoing Inquiry is critical of the Post Office response to the
findings. On the latter, effective participation in the Inquiry is being managed by a
specific workstream, with work overseen by an executive-chaired Steering Group.
External support is also being provided by Lexington.
6. To ensure all risks in this complex and multi-layered environment are being surfaced,
Central Risk are sighted on the outputs of the recently established Improvement Delivery
Group. We have also agreed with emerging recommendations from the Deloitte
Postmaster journey review. This seeks to place Central Risk at the heart of the Voice
of the Postmaster forum to understand all the risks associated with postmasters, the
controls in place to mitigate these risks, setting a clear risk appetite for each area as
well as identifying our assurance requirements across the 3 Lines of Defence over the
key risks.
Postmasters
7. It is important to note the Post Office have proactively supported Postmasters during
the pandemic such that remuneration has increased overall this year (compared to
2019/20) and is forecast to increase slightly in 2021/22. Clearly the pandemic has a
material (but reducing) impact on the number of branches, such that we needed to
request a waiver in 6/2020 to the 11,500 network target. More recently the Deloitte
Postmaster journey review has been shared with the Board. In addition, we are aiming
for mediation on the workers’ rights claim. We acknowledge that although there is a great
deal of work to do, we consider a lot of progress has been made, particularly in recent
months. In light of this we consider the risk profile is reducing.
8. Central Risk are proactively supporting the business in the identification of a wide range
of postmaster-centric risks around, for example, dispute resolution, transaction
corrections, cash & stock management, complaints handling, on-boarding,
training and contract performance. The recently produced Postmaster policies (with
their minimum control standards) are a key input into this work. Urgent discussions are
already underway to ensure the risks are correctly articulated and rated and that appropriate
mitigation plans are in place. They will have a supporting risk appetite statement as well.
The outcome of this work will be reported to ARC in 5/2021. As we have advised before
notwithstanding such risks evidence shows Postmasters continue to trade strongly
during the ongoing difficult trading conditions (particularly around Mails & Parcels) and
have not reacted strongly to the GLO judgements.
Commercial
9. The overarching risk we face in this space is that our Commercial proposition is
unattractive because existing products are too complex or confusing and new products
are cost ineffective, unable to be scaled and/or unattractive to the market. Overall risk
position is flat.
10. Key downstream risks include (i) existing and emerging requirements of Post
Office (new and existing) customers across the various sectors not being met
and (ii) the Post Office being unable to offer a relevant ID Service which meets
customer need and remains relevant to the market. A series of recent initiatives are a
direct response to such risks.
11. For example, the Post Office’s joint venture with Yoti will enable companies to use Post
Office and Yoti identity verification services for fraud detection, e-signatures and
customer authentication services. This will support the expansion of our identity
services and help secure new additional revenue for Postmasters.
12. In addition, we have also partnered with Amazon to launch a click and collect trial in
200 branches in Newcastle, Preston, and Edinburgh. This will allow customers to pick
up Amazon parcels at their local Post Office. If the trial works the click and collect
system could expand to other parts of the UK.
13. Finally, the Post Office’s decision to sell its Broadband and Home Phone service to Shell
Energy allows for a greater focus on our core services, albeit we are unable to invest
the outcome of the sale for profit. This sale had the advantage of reducing our overall
risk profile given the residual Telco risks were formally closed following completion of
the sale.
IRRELEVANT
L which ended our exclusive mail distribution agreement with them,
hence the Amazon partnership mentioned earlier.
15. We are also at an advanced stage of our work on Banking Standard Framework 3.
16. There remain commercial risks around adverse trading performance in part
prompted by the ongoing consequences of the pandemic although trading continues to
be strong in Mails and Parcels. Nevertheless a risk remains that travel insurance will
continue to be adversely impacted. Although POI have successfully launched a COVID
compliant product (and a travel product is back on sale), ongoing and unpredictable
European travel restrictions are likely to continue to hamper travel recovery well into
2021.
People
17. These concern risks of potential ineffective leadership and engagement, a sub-optimal
business culture, inappropriate behaviours, the unavailability of sufficient capacity and
capability, industrial action and/or non-compliance with relevant employment
legislation/HR policies resulting in negative impact on performance. Since 1/2021
Central Risk and HR have undertaken a significant review of risks in this area. Overall
risk position is flat.
18. A risk remains around prolonged industrial action in the event the Post Office fails
to proactively engage with CWU and Unite, albeit we have recently secured a pay deal
with the former. There is concern some form of industrial action will take place due to
the planned reduction of the DMBs (albeit the re-commencement of DMB franchising
has not yet been agreed). In terms of mitigation, a dispute resolution process has been put in
place (including GOLD teams), relevant stakeholders engaged and supporting
operational contingency plans designed.
19. A further risk recently identified is that as the macro-pandemic environment extends
and unemployment rises we could experience increased resistance from impacted
colleagues during any consultation around any further organisational re-structure.
The Organisational Design team are utilising macro unemployment data
and internal data to understand risk categories for potentially impacted individuals and
will plan accordingly. This work is planned to complete by end of 5/2021.
20. Post Office continue to face potential risks around an inadequate Work-Life balance.
In this context Central Risk are supporting the HR-led ‘Future of the Workplace’
workstream to identify risks and mitigations associated with the various options being
considered. This includes flexible home/office models that could be put in place/piloted
from 6/2021 with limited changes in 9/2021.
Operational
21. These are risks that would arise from potentially inadequate, poorly designed or
ineffective/inefficient internal processes resulting in fraud, error, impaired customer
service (quality and/or quantity of service), non-compliance and/or poor value for
money. A key focus here is around whether the Post Office are being sufficiently
supportive of Postmasters. Overall risk position is flat.
22. Another operational risk remains the potential financial fragility of multiple
partners, albeit the current financial monitoring of large multiple partners suggests the
situation is relatively stable. Retail partners are having a mixed lockdown. Convenience
section is doing better than the High Street. It is also the case that McColls and WHS
are reducing their number of branches (which improves risk over time) and the recent
Telco sale will reduce our regulatory and compliance risk profile.
23. Safety performance remains strong. A new audit is being planned. We continue to rely
heavily on Fujitsu and the contract extension has not yet been signed.
24. Finally, work continues on the development and delivery of a refreshed network strategy
coupled with the delivery of new flexible & attractive propositions (including increased
automation).
IRRELEVANT
28. A separate update paper has been tabled on Legal & Compliance appetite on which ARC
approval is being formally sought. In parallel with this Central Risk have been working
with the business in pulling together an initial set of supporting KRIs along with potential
data sources and indicative tolerances. Although work continues, such KRIs might
include, for example, the number of Gifts & Hospitality breaches, the number of material
AML breaches, and a percentage increase in the number of Suspicious Activity Reports. We
plan to include the latest LCG appetite and KRI trends in the standard Dashboard from
5/2021.
29. Building on this Central Risk are in discussion with Retail & Franchise Network around
an Operational risk appetite which will pick up our work on articulating postmaster-
centric risks (see paragraphs 21 and 7). We plan an internally agreed position by end
of 3/2021 with ARC approval being sought in 5/2021.
GRC implementation
30. As ARC will be aware the Post Office have embarked on a journey to implement a
corporate approach (and supporting tool) to Governance, Risk and Compliance (GRC).
31. Phase 1 went live, on time, in mid 1/2021 and involved, essentially, migrating the
Central Risk dataset from RSA Archer to Service Now. This forms the backbone of the
Risk Dashboard. We have now secured Phase 2 funding. This focuses on the rollout of
risk management capability beyond Central Risk to Business Unit Heads and individual
Risk Owners and migrating the POI risk dataset from Xactium. In addition we will be
migrating the IT, Finance Controls and Strategic Portfolio Office controls onto Service
Now (linking them to their associated risks for the first time) as well as delivering a Vendor
Risk Management capability.
32. We plan a phased deployment between April-July 2021 with an initial focus on the rollout
of risk management (potentially piloted first in IT, Comms and Legal), then the migration
of the IT Controls before, finally, the Finance Controls. The latter is targeting 7/2021 to
avoid extensive workload during the ‘year end’ period.
33. GRC does not directly impact on Postmasters. However, a more efficient and effective
identification, assessment and response to Postmaster-centric risks, other broader risks
(which have a direct impact on Postmasters) and a linked assessment of the
effectiveness of the associated controls will clearly enhance our ability to deliver our
Strategic Purpose. We will report on progress at the next ARC.
Next Steps
34. The ARC are asked to:
• note the key risks we face with particular focus on those in the Strategic,
Postmaster, Commercial, People, Operational and Financial space;
• note the update on risk appetite;
• note current progress on the design and build of a GRC tool.
Appendix: Central Risk Dashboard (January-February 2021)
1. Ratings, Categories & Response
Residual Ratings: Banding satisfactory. Will be assuring the 6 very high
risk ratings are compliant and, if so, securing detailed mitigations. 28
risks have no rating. These are in the Tech/Security space as they have just been
added to the system. Now being addressed.
Risk Category: Shows 109 risks (of 556) are in the Legal & Regulatory
space. Although recent risk appetite work has seen an increase in the
number of such risks, classification is to be reviewed in the next report. It is
expected this will result in a more equitable spread across the
categories. Cross-thematic report to be included in next Dashboard.
Risk Response: 168 risks have an ‘accept’ response. Need to align this
with the RAS. In most cases the residual rating is low but some are not.
Challenging in next reporting period.
17 risks do not have a response; the majority are the result of internal
risk transfer where the importing business unit needs to formally reconfirm the
response. To be addressed in next period.
2. Risk numbers
Summary
This table provides a corporate ‘horizontal’ view of the Post
Office's 556 active risks by number. The ‘x’ axis lists the
individual GE Commands with the 'Y’ axis providing the
enterprise risk categories.
Key headlines
• This is work in progress and is influenced by the accuracy
of risk allocation (by GE Group and individual
classification). Central Risk now assuring this data so there
may be some further recalibration.
• Group Commercial: has a material number of Legal &
Regulatory risks (generally in the non-compliance space)
[...] reasonable spread but interestingly has
no Change or Technology risks.
• General Counsel: not surprisingly has a significant number
of Legal risks, in part influenced by the recent work on
appetite. Central Risk will check this allocation.
• [group name illegible]: a high proportion of risks are in the
(cyber) security space.
• Group Operations: a material number of change related
risks but little classified as operations as these are picked
up within Retail & Franchise Network.
• Group People: a reasonably equitable spread.
• Group Historical Matters: very light on the number of
identified risks. Central Risk in proactive discussions to
ensure increased articulation in the next reporting period.
[Table: Post Office Risks Number (by GE command and Enterprise Category).
Rows (enterprise categories): Health & Safety, Information, Legal & Regulatory,
Marketplace & Brand, Operational, People, Reputation, Security, Strategy, Technology.
Column headings (GE commands) and cell values are not legible in this copy.]
3. Risk weighting
Summary
This table complements the earlier table by providing a
corporate ‘horizontal’ view of the Post Office’s 556 active risks,
this time by average risk rating (i.e. a summary total of
individual risk ratings divided by the number of risks).
The ‘x’ axis lists the individual GE Commands with the ‘y’ axis
providing the enterprise risk categories.
Key headlines
• As before this is work in progress as the data is influenced
by the accuracy of risk allocation. Central Risk now fully
assuring this data so there may be some recalibration at
end of the next period.
• Group Commercial: their 108 risks are equitably spread
but have a higher weighting in the Financial, Security and
Strategy space.
• [group name illegible]: their 57 risks have a higher risk
weighting in H&S, Legal and People in part because of the
work underway around postmaster risks.
• Group Historical Matters: even though very light on the
number of risks the risk weight is relatively high compared
to other GE Groups. This is not surprising and is likely to
increase as more risks get articulated.
[Table: Post Office Risks Number (by GE command and Enterprise Category), weighted by
average risk rating. Rows (Business Unit / Category): Health & Safety, Information,
Legal & Regulatory, Mkt.place & Brand, Operational, [illegible], Strategy, Technology.
Column headings (GE commands) and cell values are not legible in this copy.]
4. Enterprise Risks: Summary
[Table: Enterprise Risk heatmap (risk ID, owner, Enterprise Risk Title, trend). Legible risk titles:
Commercial: Risk the Post Office Commercial proposition is unattractive because the existing products are too complex or confusing, new products are cost ineffective, unable to be scaled and unattractive to the market.
Health and Safety: Risk that the Post Office business and its staff are adversely impacted by health and safety events (e.g. pandemic), detrimental business activities and/or physical security.
Financial: Risk that the Post Office has insufficient funding and/or uncontrolled costs in the short-, medium and long-term.
Legal: Risk the Post Office is unable to comply with legislative and regulatory changes.
Technology: Risk that the Post Office is unable to deliver a new Front Office system and has an ineffective Disaster Recovery regime.
Reputation: Risk that the Post Office reputation becomes severely damaged: perceived ethical violations and/or adverse stance to corporate responsibility.
Marketplace and Brand: Risk the demand for Post Office services and products across the various sectors declines and/or loyalty to the Brand reduces.
Owners, ratings and trend markers are not legible in this copy.]
Summary
14 enterprise risks of which 11 have a rating of 16+. These risks are the apex of the overall risk data set with their ratings shaped directly by their downstream risks and the
effectiveness of their mitigating activity. These risks tend to get managed through the aggregated activity at the intermediate and local level. Key risks in this area include:
Commercial: Risks the Commercial proposition is unattractive because existing products are too complex or confusing, new products are cost ineffective, unable to be scaled and
unattractive to the market.
Health and Safety: Because of external H&S events (e.g. pandemic), detrimental business activities and/or external factors there is a risk that the Post Office business and its staff
are adversely impacted.
Financial: Risks the Post Office has insufficient funding and/or uncontrolled costs in the short-, medium and long-term such it is unable to deliver its strategic objectives.
Legal: Risks the Post Office is unable to comply with legislative and regulatory [illegible] and/or the outcome of other external legal activity.
5. Intermediate Risks: Summary
[Table: Intermediate Risk heatmap (risk ID, owner, business unit, Enterprise Risk Title, trend). Legible risk titles:
Non-compliance with Pricing Super-Complaint: Risk that POI is not ready for the new FCA regime and/or has misjudged the outcome.
Failure of ID Services to meet customer need: Risk that the Post Office may not be able to offer a relevant ID Service.
POI product sales below forecast: Risk that Post Office Insurance product sales remain significantly below forecast.
Reduced income from Digital products and services: Risk that digital products and services do not compensate for reduced income from physical products and services.
Insufficient POI EBITDAS: Risk that Post Office Insurance EBITDAS remains significantly below plan.
Owners, ratings and trend markers are not legible in this copy.]
Summary
90 intermediate risks of which 37 have a rating of 16+ including:
POI (Non-compliance with Pricing Super-Complaint): Risk that POI is not ready when the new FCA price walking regime rules go live. Central Risk working with the business on detailed
mitigation plan. POI Board paper on dealing with FCA changes and winning within market. Key controls include project plan, project quality control and development of strategy
for maximising return within the market.
POI: Risk Post Office Insurance product sales remain significantly below forecast resulting in reduced revenue. Travel product back on sale. Significant uncertainty remains around
rate of recovery; quarantine restrictions increase doubt. Branch sales continue to be at low level.
[illegible]: Risk existing/emerging requirements of Post Office (new and existing) customers across the various sectors are not met such that
customer demand declines rapidly. Central Risk working with the business on detailed mitigation plan.
Commercial (ID Services): Risk may not be able to offer a relevant ID Service if requisite Government funding is not forthcoming. Reviewing a faster roll out of the tablet services
to ensure ready for the travel bounce-back period. Discussing an awareness campaign with Marketing. Regular meetings with Government Departments on role PO can play.
6. Local Risks: Summary
[Table: Local Risk residual risk heatmap (risk ID, owner, business unit, title, trend). Legible risk titles:
Mental and physical health and safety through crime such as [illegible], violence and hate crime.
External fraud: Risk of fraud being carried out by external parties.
Insufficient liquidity (COVID & BREXIT): Risk that Post Office is facing months of exceptionally poor trading conditions.
Franchise Partners’ Health and Safety Breach - Branch Network: Risk of claim or breach of regulatory requirements.
Non-compliance with GLO findings: Risk of non-compliance with the findings of the GLO across [illegible].
Net Liabilities: Risk that the group may enter a position of Net Liabilities.
Historical Matters overturned convictions: Risk of [illegible] in its dealings with its customers.
Owners, ratings and trend markers are not legible in this copy.]
Summary
453 local risks of which 51 have a rating of 16+ including:
H&S: Risk to postmasters & supply chain employees’ mental and physical safety given their visibility and accessibility and the demand of the pandemic. Safety video on Branch
Hub and increasing the number of Health Check calls to branches.
Net Liabilities: Risk that Group may enter a position of Net Liabilities which may trigger a number of events such as default on commercial agreements and funding arrangements.
Situation is being closely monitored along with pre-emptive action for impacted arrangements if required.
[illegible]: Rating recalibrated this period. Mitigations include removal of maintained error limits, removal of limit on settling centrally
<£150, review of ATM transaction corrections and investigation of Camelot data integrity issue.
Historical Matters overturned convictions: Because of ongoing Group Litigation actions the Post Office is perceived as dishonest, disrespectful or incompetent in its dealings with
its employees, Agents, partners and/or customers which leads to loss of sales and/or increased costs through fines and legal fees.
Corporate Legal & Compliance Risk
Appetites: An Update
30 March 2021
Jonathan Hill, Director of
Compliance
Sarah Gray, Group Legal Director
Ben Foat, Group General! Counsel
Noting/Approval
The Committee are asked to:
i. note the latest position on the Post Office’s appetite to corporate Legal &
Compliance risks and our response to the comments provided by RCC/ARC in
1/2021, along with our proposed Next Steps and timeline; and
ii. approve the Post Office’s appetite position to corporate Legal & Compliance risks.
Confidential & Legally Privileged
Tab 5.3 Combined Compliance & Internal Audit Update
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Compliance and Audit Report
Date: 30 March 2021
Author: Jonathan Hill, Director: Compliance; Johann Appel, Head of Internal Audit
Sponsor: Al Cameron, Group Chief Finance Officer; Ben Foat, Group General Counsel
Input Sought: Noting & Decision
The Committee is asked to:
1. note the Compliance update.
2. note the Internal Audit update, specifically progress being made with delivery of the
Internal Audit programme and completion of audit actions.
Executive Summary
This paper provides an update on key and emerging risks, compliance matters and an update
on the latest internal audit position.
Compliance
1. Following a decision made by members of the Investment Committee in February, the
Controls Project work was stopped, pending a review at the end of the summer.
2. The value of having one master controls framework and IT enabling tool was recognised
in the Investment Committee sub-group discussion. Although the approach was to be on
a modular, tranche basis, carrying out controls and process mapping in parallel, it was
decided that:
i. The business has enough to focus on now, especially with the Public Inquiry,
ii. in order to put controls in place, the business first needs to have processes mapped,
and
iii. it needs to have a clear standardised process framework on which to put controls.
Summary of work completed:
3. A Controls Framework was designed together with the user requirements for an
operational controls ServiceNow-based system. Deloitte had agreed to review and
benchmark the Controls Framework and offer advice on the design and use of the controls
tool. This work has been put on hold pending the review in the summer.
4. Recruitment of 3 Controls Analysts to support the project to review, assess and assure
the controls identified. The initial scope of work was to capture controls for process
improvements that had been put in place following the GLO.
5. It had been assumed there would be process maps in place for each of the business units
impacted by the Common Issues judgement (“CIJ”) and Horizon Issues judgement (“HIJ”),
which the analysts could review for controls. However, few process maps were identified
and where they did exist, they were not up to the required standard, with some being out
of date.
6. During the period November - December, ahead of a comprehensive Controls tool being
built in ServiceNow, a temporary Power Apps workflow tool was developed. This tool
would ‘house’ the controls and allow self-assessment by the business prior to assurance
by the analysts. Following testing of the system, a training pack was produced to support
the system users.
7. The Business Analysts in the Historical Matters Unit CIJ team started workshops with
business units in January; the first being the Branch Reconciliation team (BRT).
8. Further sessions were held with the business areas to gain more information on the
controls and provide training on the use of the Power Apps tool.
9. The Controls team also started work with the Postmaster Onboarding Team. An initial
review indicated that more work was required to create effective process maps and
document controls.
10. As at 19th February, 40 Branch Reconciliation controls had been added to the Power Apps
tool and were awaiting assessment by the Controls Analysts.
Data Protection in relation the Telecoms Sale to Shell
11. Compliance has established a post-completion BAU process for management of Subject
Access Requests (SARs), including requests regarding personal data for ex-customers of
the Telecoms business, for whom Post Office will remain responsible.
12. During the transaction it was identified that c.5,000 ex-customers were still using a
Post Office provided e-mail account. All impacted customers with closed accounts were
contacted on 15th February to inform them that their email accounts had expired and that
they would be deleted in 28 days’ time. The incident and investigation documents have
been updated to reflect this closure task.
Ofcom
13. Communications Incident - Ofcom has now confirmed it will not be investigating the
comms incident reported in September 2020 on the basis that we have put in corrective
actions and self-reported.
14. Complaints data - Ofcom will continue to publish the details of Post Office complaints in
this year’s annual service report because it focuses on historical information. Ofcom has
not yet decided when it will remove Post Office from the quarterly complaints reports as
the Post Office brand will remain in use post sale for up to 12 months.
15. PSD2 - The FCA has approved the ECE notification and received both audits confirming
conformance.
Data Management - Remote Location / Back Office and Oasis Searches:
16. A project run in conjunction with Legal, the Historical Matters Unit and Compliance has
been progressing since Q3 2020.
17. The objective of this was to provide an assurance to Post Office, our legal team and the
Courts that we have conducted reasonable and appropriate searches for any relevant
information and have considered any documentation that may be found.
18. A review of the boxes identified was completed with all relevant material assessed by the
appropriate external law firms for relevance to the various work streams.
19. Any in-scope materials were added to disclosure packs or further analysis was carried out
to test for significance to the various workstreams.
20. This work is now completed for the Criminal Cases Review Commission (CCRC), the Post-
Conviction Disclosure Exercise (PCDE) and Starling. An assessment is to be run for
applicability for applicants to the Historical Shortfall Scheme (HSS) with a recommendation
due to go to the Historical Matters Committee the week commencing 15th March.
Record Retention
21. All Data Owners were identified and provided with a copy of the Retention Schedules,
Remediation Logs and copies of the Document Retention and Disposal and Protecting
Personal Data policies.
22. The Compliance and CISO teams are starting to work with the business on the remediation
logs. There are concerns around the remediation plans and how these can be progressed
with initial thoughts that a remediation project may be required.
Record management in branches
23. Compliance, Property Services and the Network team are in the process of standing up a
mini-project to implement a change programme for Records Management with the
Branches. This project will look to:
24. There are several outstanding issues on this as yet; these are:
• Designing a robust indexing system based on the products and services offered in
branch so that we can be sure that the right information is being archived
• Designing the correct Standard Operating Procedures for the indexing, boxing up and
transporting of boxes to Oasis
• Identifying the best method for transportation of boxes and a decision on where the
funding is being provided for associated costs
• Procuring enough boxes to ensure that we can cover the entire network
• Developing Comms to go out to PMs on this project
• Creating a new process for record archiving on a regular basis and not just on the closure
of a branch as is the process today
25. Given the demands to complete the Data Management exercise for 22nd February for the
CCRC, this project is due to start in late Q4 2020-21 or early Q1 2021-22.
Post Office Ltd approach to Cookies:
26. We have updated our cookie banner, which has addressed concerns that our previous
approach was increasing the risk of being non-compliant and falling outside of the agreed
“middle of the pack” approach. It now delivers a clear and simple guide to why cookies
are used and how customers can tailor their preferences. The Digital team has assessed
that these changes will have a negligible commercial impact.
27. With the recent publication of the draft e-Privacy Directive proposing browser solutions
which give individuals more control over their consent to cookies through whitelisting and
major organisations such as Google phasing out the use of third party cookies, Data
Protection and the Digital team are agreed that prudent actions are appropriate to reflect
our evolving approach balanced against maintaining Post Office's ability to be competitive
in the market.
General Data Protection Regulation (GDPR) Contract Remediation
28. The Contract Remediation project was formally closed at the end of July, as reported to the previous RCC. Work is ongoing and the number of outstanding contracts is 3 fewer than reported at the previous Committee meeting.
29. We now have an agreed approach on the Fujitsu Horizon Contract and, as part of the
Telecoms sale, a signed Data Processing Agreement for Fujitsu Telecoms.
30. Monthly Contract Review Group meetings continue to monitor progress and support
negotiations. This will continue until all outstanding contracts are finalised.
Freedom of Information Requests:
31. As a direct result of the GLO, HSS, the public inquiry and having Postmaster seats on the Board, we are seeing a change in the number and complexity of Freedom of Information requests.
Freedom of Information Requests (1 September 2020 - 2nd March 2021)

Period               | Historical Matters Related Requests | General Requests | Total Requests
01.09.20 - 02.11.20  | 12                                  | 27               | 39
03.11.20 - 02.03.21  | 25                                  | 35               | 60
Total Requests       | 37                                  | 62               | 99
32. The more complex cases deal with information which may be either Legally Privileged,
Commercially Sensitive, Provided in Confidence or containing Personal Data. There is a
balancing act between transparency and protecting Post Office’s commercial and legal
interests.
33. As a result of this complexity, Legal and Compliance are having to prepare briefs for GE
and Board as many of the requests involve sensitive subjects such as the decision by POL
to seek to have Justice Fraser recused during the Common Interests hearing.
34. Compliance and Legal meet on a weekly basis with internal and external counsel to ensure
that any released information is in line with information released to the Inquiry and to
responses made for similar requests by BEIS/UKGI.
Compliance with Money Laundering Regulations
35. Suspicious Activity Reports (SARs) continue to rise, with 2,955 between 27th October 2020 and 25 February 2021 (compared to 1,074 in the same period last year). The rise is primarily driven by:
• The continued identification of cases linked to complex banking investigations
• Branches raising concerns about customers undertaking multiple consecutive high value cash deposits, and
• Reports from cash centres concerning an increase in branches returning high volumes of Scottish and N.I. notes.
• We also continue to see an increase in suspicious activity from Bureau de Change transaction monitoring despite international travel restrictions and lockdown.
36. In this same period there were 375 Financial Crime investigations (compared to 218 in
[IRRELEVANT]
October 2020, and this led to an improvement in stakeholder engagement; however, this has since declined. We are engaging with the product teams to refresh the approach.
39. Payzone - Capita's contract with PIPIT was exited on 31st January and remaining re-seller contracts are being reviewed as part of ongoing Bill Payment and Payzone assessments.
40. The product team is continuing to progress controls for Amazon vouchers, with a pop-up
warning being deployed week commencing 22nd March. 39 transactions by 12 customers
totalling £27.8k were identified in SAR reports in February, of which c.£11.3k was refused
and prevented by branches following targeted training and awareness via Area Managers.
The pop-up warning will be applied to other high-risk vouchers, but there is no deployment
date yet. In respect of other more robust controls, the product team had hoped that EPay
(the client the vouchers are processed through) would implement these (e.g. voucher
volume/value limits), but the only option identified so far is to set a sales limit that would
trigger the sales at that location being switched off, which is likely to cause genuine
customer disruption and confusion in the Network. A solution is needed if the product is
to remain on sale.
41. As highlighted in the 2021 MLRO report, the accredited Financial Investigations Officer
within Security Operations who assisted with the review of SAR disclosures relating to
possible Post Office employees and postmasters left the business at short notice in
December and the replacement resource will not have the required accreditation. The
Financial Crime team are monitoring volumes and assessing resource impact and at the
time of writing this report there are a number that are awaiting initial review.
Anti-Bribery and Corruption (“ABC”) update
42. An issue was reported in December in relation to a Network employee who received a gift
from a customer, which included £60 in cash. This was not identified until after the
customer left the branch. The branch was advised to return the funds to the customer
but as they have not returned to the branch the branch has been advised to give the cash
to charity and provide evidence that this has been done.
Whistleblowing Update
43. Please refer to the separate agenda item.
Fit & Proper (F&P) update
44. Redeclarations for Cohort 1 were completed in good time, with a large number of sole
traders completing via the new Branch Hub option. This option is not yet available to
limited companies and partnerships, and there is currently not a timescale for delivering
this solution. A number of issues were fixed with the release of the changes to
accommodate MoneyGram-only and ‘paused’ branches, but there are still some
outstanding issues and a meeting is planned to understand the extent of these and ensure
a smooth handover to the new team responsible for agent F&P declarations.
45. Work continues with HR and recruitment to implement better processes for direct
employee F&P tests, and there have been no issues in the last 2 months.
External Threats
46. The FCA have started a consultation into Strong Customer Authentication (SCA) and they
are exploring the option of increasing the contactless limit from £45 to £100. The risk of
increased card fraud has been assessed and it is not believed that this will pose a
significant financial crime risk to Post Office.
47. MT Global Limited, a Money Service Business, was fined £23.8 million by HMRC for
significant breaches of the regulations between 2017 and 2019. This is the largest ever
fine issued by HMRC. The failings related to risk assessments and associated record
keeping, policies, controls and procedures. We do not believe Post Office is at risk as the
Compliance team carries out risk assessments before product and service go-live and
periodically throughout their lifecycle, as stated in the group policy.
48. The FCA has launched criminal proceedings against NatWest for allegedly failing to prevent
money laundering, in the first prosecution brought under rules introduced in 2007. It is
alleged that NatWest systems and controls failed to adequately monitor and properly
scrutinise transactions linked to a corporate customer account that was undertaking
increasingly large cash deposits between November 2011 and October 2016. It is alleged
that £365m was paid in over that five-year period, including £264m in cash. No individuals
are being charged.
Supply Chain Compliance
49. During the remote Supply Chain assurance work at the end of 2020, it was identified that
there were issues with the Note Circulation Scheme Bond, with incorrect values being paid
in. Subsequently it was established that there were 14 late Bond incidents over the last
year. These have now been investigated, root causes established and corrective actions
to prevent recurrence have been implemented. Compliance has undertaken assurance
reviews at both Birmingham and London to ensure new controls are effective and no
further issues were identified. A formal response to the Bank of England was sent on 26th February. The Bank will decide if the incident warrants losing the late Bond facility, issuing a fine or if they take no action.
50. A number of issues were also raised in the remote assurance relating to H&S, many relating to fire door issues. Six are on track to be resolved by end February and the remaining one is likely to be resolved in March; all other fire door issues have been resolved.
Multi Principal Review of 1st line controls.
51. This was reported at the previous meeting. The final report is now due at the start of April,
which we will share at the following Committee meeting.
ATM strategy and Post Office LINK membership.
52. As part of the Post Office strategy of taking over the Bank of Ireland (BoI) ATM estate it
has become clear that 2nd and 3rd line oversight needs to be in place for this business
activity. In particular LINK membership, which is required as part of this programme,
requires control obligations to be met, as ATMs are part of the UK’s critical infrastructure
and LINK is overseen by the Bank of England.
53. Compliance and Internal Audit are working closely with the 1st line product team through
workshops to determine both the type and amount of 2nd line oversight that will be
required for both LINK membership but also more widely over our running of the ATM
estate.
54. The first milestone will be the end of April 2021 when Post Office will send a draft
application to LINK for membership. This will need to include identified controls.
Compliance Monitoring
55. With the implementation of the latest Covid-19 lockdown we agreed with our Principals to
suspend branch mystery shopping. Following the Government announcement of the
planned easing of restrictions, our mystery shopping company is undertaking a survey of
their mystery shoppers to see when they would be willing to commence activity. This is
unlikely to be before mid-April and subject to national variations within the UK.
56. Sales of Travel Insurance are currently suspended in branch; all of our other financial services products remain on sale and promotional activity is ongoing for both protection and savings business. As with previous lockdowns, we have been focussing on remote monitoring measures to review performance, such as cancellations, complaints and customer validation calls, and regular governance meetings with the Principals remain in place.
FS Key Regulatory updates
57. A summary slide of the key future developments is included in the reading room at
Appendix 1.
58. As part of the Government and FCA’s focus on access to cash, the FCA is assessing what
role it should play in overseeing Post Office as part of this critical cash infrastructure. Nick
Read is meeting with the Chief Executive of the FCA to discuss this on 22nd March 2021.
In advance of this meeting Ed Smith, the Head of FCA Retail Banking Supervision, has
asked for some additional clarity from Post Office in relation to the wide array of financial
and related services we provide and their regulatory status. We have provided a response
to the FCA with the support of legal and external counsel. Our hope is that this summary
information provided will give FCA a rounded view of our services in this area rather than
leading into further scrutiny and regulation. This dialogue needs to be managed carefully.
Compliance and external counsel are providing advice and a brief for the 22nd March meeting.
Vulnerable Customer FCA Forward Guidance publication in February.
59. The published guidance has followed the lines of the previous vulnerable customer
consultations. The FCA expects regulated firms and its Appointed Representatives to
ensure the interests of vulnerable customers are protected throughout the product life
cycle. There are no new hard rule requirements, but it expects to see firms meet good
practice by following the guidance and it has outlined examples of good and poor practice.
60. Post Office has had vulnerable customers on its agenda for some time and we have put a number of good practices in place, particularly during the pandemic. However, our Principals are undertaking a gap analysis on the guidance to assess if there is anything additional that they or the Post Office should be doing.
61. The Overall Compliance Dashboards (Appendices 2 and 3) are included in the reading
room.
Internal Audit
Progress against Internal Audit plan
62. Delivery of the 2020/21 programme is making good progress, with a further four audits
completed in the current reporting cycle (3 POL and 1 POI).
63. Current delivery status is as follows:
[Chart: POL Internal Audit Plan status (1) - Total Audits = 28; legend: Completed / Fieldwork / Deferred. POI Internal Audit Plan status (2) - Total Audits = 6; legend: Completed / Reporting.]
(1) Target number of reviews based on revised plan for 2020/21 approved by ARC (18 internal control reviews & 10 change assurance reviews). Details of the audit plan status are included in the reading room (Appendix 7).
(2) POI ARC approved baseline plan for 2020/21. One additional audit is currently being planned for delivery in Q4/Q1.
64. A re-prioritised Internal Audit programme was approved at the May ARC meeting in response to Covid-19. A more dynamic (quarterly rolling) audit plan was adopted and is being reviewed at each ARC. Further revisions to the plan were approved at the September ARC meeting and are included in the reading room (Appendix 7).
65. An urgent request was received from the GE to support the Improvement Delivery Group
(IDG) in assuring all improvements (c.400) in preparation for the Public Inquiry. Three
reviews from the 2020/21 IA plan have been deferred in order to create capacity to
support this work.
66. The following audits are in progress or planned for delivery in Q1:
#  | Review                                          | Sponsor           | Timing  | Status
1  | HD Operations Improvement Programme             | Declan Salter     | Feb     | Fieldwork
2  | Change Controls Effectiveness                   | Dan Zinner        | Feb-Mar | Fieldwork
3  | IDG Support & Assurance - Phase 1               | Dan Zinner        | Feb-May | Fieldwork
4  | Third Party Revenue Data Assurance              | Al Cameron        | Feb-Apr | Fieldwork
5  | IDG Support & Assurance - Phase 2               | Dan Zinner        | May     | Not Started
6  | Historical Shortfall Scheme - Claims & Payments | Declan Salter     | April   | Not Started
7  | Note Circulation Scheme (BoE Controls)          | Al Cameron        | May     | Not Started
8  | Payzone Control Environment                     | Owen Woodley      | June    | Not Started
9  | Treasury Operations                             | Al Cameron        | June    | Not Started
10 | Strategic Platform Modernisation (SPM) Set-up   | Zdravko Mladenov  | April   | Not Started
Internal Audit reviews completed
67. The following POL audits were completed during the current reporting cycle:
1. Historical Matters - CIJ Improvement Programme (Final Draft Report)
2. Postmaster Reporting (Management Information) (Final Draft Report)
3. Historical Matters - Set-up & Governance (Final Draft Report)
68. Our findings and observations from these reports are summarised below (para. 69-71),
with the full reports available in the reading room (appendices 4-6).
69. Historical Matters - CIJ Operations Improvement Programme (Ref.2020/21-15)

Rating: Not Rated
Progress with completion of NRF recommendations: 34 [chart; legend: Complete / In Progress / Postponed]
Sponsor: Declan Salter
Audit actions: [chart; values 5, 1 and 6 visible, breakdown not recoverable]
Full report: Appendix 4

Following the judgments from the Group Litigation Order, Post Office has undertaken a programme of improvements to overhaul culture, practices and procedures throughout every part of the business. In addition to launching the Historical Shortfall and Stamps Schemes, as part of its operational improvement plan, and to address issues which arose from group litigation concluded last year, Post Office has established a new Historical Matters business unit (HM) to oversee and deliver the programme of improvements.

Work on formally implementing operational improvements as a result of the CIJ findings has been ongoing since June 2019 and has involved teams from across the whole of POL's operations.

This report is not rated due to the evolutionary nature of the audit work. Our interim report was issued in January 2021 and this has since been adopted as a management tracking tool to drive actions. The Ops Improvement Project was originally planned to have concluded its work in December 2020, but the complications introduced by the OE activity have meant that the project had to be extended until March 2021.

Whilst the remaining actions will not be fully completed until the end of March 2021, there is a clear route to ensure that this deadline is achieved (detailed in the body of the report). A key lesson to be learned by the Ops Improvement Project and HMU is around the need for robust handover processes when passing changes into BAU operations.

Internal Audit will continue to track and validate the remaining actions as part of the assurance provided to IDG in preparation for the Public Inquiry.
Management Comment provided by Declan Salter (Director - Historical Matters)
The Internal Audit of the CIJ Operations Improvements has provided reassurance that the set up and governance of the CIJ related workstreams has been effective and robust with the formal handover of operational improvements to BAU now agreed and in place. While much work has been undertaken, with 29 of 34 NRF actions completed (with one postponed) the report clearly identifies the outstanding work to be completed; Item 4 - Policies and Procedures, Item 12 - Operator engagement (both on track to be completed by the end of the financial year) and Items 15 - Policies and procedures Operator engagement and 16 - Trading Statements which are being progressed. The latter two involve HM IT and progress is being made to provide a postmaster centric solution.
70. Postmaster Reporting (Management Information) (Ref.2020/21-19)

Rating: Needs Significant Improvement
Sponsor: Amanda Jones
Audit actions: [chart; values 2, 3, 1 and 6 visible, breakdown not recoverable]
Full report: Appendix 5

This audit assessed the provision of management information to Postmasters and the controls in place to ensure that the Postmaster has the means to effectively manage and develop their business. The scope included assessment of data accuracy, integrity & reliability, management information presentation, variation & usability, and ease of accessibility.

We conclude that the provision of management information to Postmasters, in its current form, is not fit for purpose. The frequency and quantity of information provided to Postmasters varies depending upon their volume of weekly customer sessions, with all branches categorised according to a three-tier system. The area manager structure was revised in April 2019 to ensure every branch receives support. Each area manager is responsible for between 75 and 125 branches of all types and sizes and is the main source of provision of management information for those branches. The three-tier system means that, of necessity, there is a greater priority afforded to the needs of the busier branches, leaving the smaller branches feeling unsupported. There is limited information available to Postmasters on a self-serve basis, largely due to a legacy of under-investment which imposes a significant administrative burden on the area manager population and results in disparity in the frequency that branches receive management information, with smaller (tier 3) branches receiving information as infrequently as once every six months.

Our audit also considered the output from the recent Postmaster consultation, where participants indicated that readily available access to more and improved management information is a priority for the majority of Postmasters. Additionally, Internal Audit have directly consulted with Postmasters to understand their perspective and requirements for management information.
Management Comment provided by Amanda Jones (Retail and Franchise Network Director)
I am pleased that this audit has identified the current limitations we have in being able to provide relevant
and timely MI for Postmasters, in a format that works best for them; this finding is consistent with one
identified by the current Deloitte review. Having access to key Management Information is critically important
to enable Postmasters to operate their Post Offices effectively and for POL to support them to thrive.
The report notes that provision of MI is limited due to the variability of Area Manager visits (e.g. smaller branches receive visits less frequently). Whilst this statement is true, the limitations are largely driven by the lack of MI specifically developed for Postmasters. For example, when an Area Manager visits a branch face to face, they will go through the Branch Insight Tool data with the Postmaster, but aren't able to electronically send it to them, neither is the PM able to self-serve. Other reports such as Sales reports, will be emailed to Postmasters if a face to face visit isn't due. This has been the only way to share MI whilst Area Managers have been remote working due to periods of lockdown. Therefore, it is important to note that whilst it is timely to review the appropriateness of the current branch tiering support model, this in itself will not address the issue of limited MI for Postmasters.
Being able to provide meaningful MI to Postmasters will require input and investment from across business areas. As part of the 'Hot-Housing' programme which started in 2019, a piece of scoping work was completed to determine the MI requirements for Postmasters as well as the Area Manager. I expect much of this scoping is still relevant, however, properly addressing the MI requirements for PMs will require funding and this is currently not on the plan for FY 21/22.
To deliver some improved MI to Postmasters in the short term, the Business Transformation Unit are
exploring options and costs, e.g. making existing Postmaster MI such as Remuneration and sales reports
available to self-serve on Branch Hub.
71. Historical Matters - Set-up and Governance (Ref.2020/21-15)

Rating: Not Rated (Advisory Review)
Sponsor: Declan Salter
Full report: Appendix 6

Following the judgments from the Group Litigation Order, Post Office has undertaken a programme of improvements to overhaul culture, practices and procedures throughout every part of the business. In addition to launching the Historical Shortfall Scheme, as part of its operational improvement plan and to address issues which arose from group litigation concluded last year, Post Office has appointed a new Director, reporting to Tim Parker and Nick Read, to head up a separate business unit responsible to implement the claims schemes and the programme of measures that will oversee the delivery of the operational improvements to address the criticisms from the Common Issues Judgment (CIJ) and the Horizon Issues Judgment (HIJ).

Historical Matters Business Unit (HMBU) has been through a period of clarification and refinement of its governance and structure. The design and implementation of the operating model has taken significantly more time and effort than initially anticipated and was initially under-resourced. It has not yet been fully formalised, agreed and embedded.

However, this does not mean that HMBU is operating without governance and control. The claimant schemes activities operate within well-defined governance principles supported by the adoption of core 'change' controls since they were launched. As such, key activities could be carried out without an overarching HMBU level governance being present. The core 'Change' controls are being phased out, but their transition has not been well structured and clearly articulated.

Working in collaboration with HMBU, we have identified areas that require management focus in order to deliver a clear, complete and agreed operational model which must be clearly communicated across Post Office. In addition, we have made suggestions and proposed improvements intended to assist management in their efforts.

Although there are key elements pending completion, in our opinion, HMBU is implementing the elements of governance required, although its pace of delivery must be increased.
Management Comment provided by Declan Salter (Director - Historical Matters)
HM is confirmed by IA as operating effectively, with expected elements of governance in place since its
formation in August 2020 and appropriate controls over scope and change mirroring those in place in
wider POL BAU areas. As the areas of work being managed are both complex, non-discretionary and
with extreme time pressures, focus remains on supporting these key activities and achieving as positive
an outcome for POL as possible taking into account the serious nature of the historical events and the
far-reaching impacts both on Postmasters, as well as on the wider organisation and beyond.
These challenging activities are beginning to bear fruit, both in terms of favourable outcomes (for
example the recent positive CCRC feedback on the necessary disclosure exercise), completion of key
pieces of work (for example the Settled Centrally change implemented recently) and positive outcomes
for Postmasters (the commencements of compensation payments for c. 300 Postmasters as part of the
Historical Shortfall Scheme), along with our positive participation in the Inquiry, which is supporting
and helping manage the impact of this crucial, extensive and demanding activity for POL, both across
GE/business areas and also at an individual level where necessary. All of these are helping to contribute
to changing the perception of POL for the wider public and importantly for Postmasters both past and
present. These activities remain ongoing, and challenging in nature, but we are approaching the end
of the beginning and have an appropriate structure and team in place to face into these challenges.
During this seven month period since its inception, while effort has been spent on establishing expected
elements of governance, structure and formality - focus has necessarily been on the extensive demands
of the work, both in responding to the changing demands of the work itself, but also in securing support
and funding from our shareholder, BEIS and Treasury. This has taken a lot of senior management time
and effort and resulted in some elements of governance and control, such as an Operating Charter and
RACID being largely drafted but not yet finalised. The impact of changes in organisation during this
period has additionally impacted on the completion of this activity and wider discussions remain ongoing
within the wider business, the resolution of which are a necessary precursor to final agreement to and
implementation of full governance/control arrangements.
Work to agree protocols for the handover of work to BAU areas has been accelerated and as some of
these BAU areas themselves undergo change, have been revised and it is expected this will continue
to happen, but the importance of establishing this is fully acknowledged and remains a key objective.
The feedback of Internal Audit as part of the production of this report has been welcomed, with a
number of areas highlighted in the report being confirmed as addressed and with actions in train to
address the remaining outstanding areas. It is accepted that the pressures of work as outlined above
have impacted on the speed of delivery, particularly on work to extend work on controls. Due to the
size of the significant financial impact of the work involved, it has been necessary to ensure continued
focus on management of both general workload and external legal firm spend, which will continue to
be necessary to ensure value for money.
As interaction with UKGI, BEIS and Treasury has increased in the last quarter - and is expected to
continue over an extended period - heralding the introduction of new governance requirements, it is
expected that delivery of key control elements as part of this interaction (e.g. Measurements of success,
KPI monitoring, financial reporting etc.), will help address some areas highlighted in this report.
Looking ahead, it is envisaged that some of the 'ongoing' areas of work, for example in Operations and
IT, will naturally transition to BAU accountabilities, with handover arrangements planned to support
this. Other discrete activities with little crossover into BAU, for example the completion of the Historical
Shortfall Scheme, are expected to complete with handover activities limited to closure processes,
knowledge transfer and archiving - again, with support and involvement from IA being sought to ensure
the appropriateness of these closure activities for the organisation.
Post Office Insurance (POI) Audit Programme
72. The table below shows the status of the POI audit programme:

#  | Review                                               | Timing | Status / Rating
1  | Cyber Security (POL-POI Gap Analysis)                | Aug    |
2  | Incident and Breach Management                       | Aug    | Reporting (1)
3  | Data Governance: Ethics, security and privacy        |        |
   |   Phase 1 - Third Party Data Security                | Sept   |
   |   Phase 2 - Data Governance                          | Dec    |
4  | Special Investigation (Confidential)                 | Sept   | Complete (not rated)
5  | Pricing: Principles, policies and process            | Nov    |
6  | Financial Promotions Communications                  | Jan    | Reporting
7  | Effectiveness of Risk Management - original plan     | Q4     | Planning
8  | Channel review: Non-branch sales - original plan     |        | Cancelled (no longer compelling)

(1) This audit was delayed due to special investigations undertaken at management request and with POI ARC approval.
73. Post Office Insurance: Pricing principles, policies and process - Due to the adverse audit
rating, a summary of the audit findings is provided below for information:
Internal Audit undertook a review of Pricing within POI as part of its 2020/21 plan. This was
predicated on the conclusion of the Morpheus and Nemesis programmes, whereby POI had
set up an in-house pricing capability for Travel and Home products. As an FCA regulated
entity, POI has a responsibility to treat customers fairly. Pricing is a significant element of
fairness and is an area facing ongoing scrutiny and challenge from the regulator, as well as
being of critical strategic importance to the commercial success of the entity.
We found that the POI pricing function had developed significantly in the past year to meet
the demands of the new operating model, and a continuing drive to increase maturity was
evident. However, a number of weaknesses in the risk and control environment were
identified. Specifically, operating risks and the related controls were not clearly documented,
and controls were not subject to regular review. As a result, the expected control standards
were unclear and did not reflect certain operational changes that had increased the inherent
risk around price changes. The report was rated ‘Needs Significant Improvement’.
A pricing error, resulting in financial loss, was reported by the business immediately prior to
the start of fieldwork. Management conducted its own review (with Board oversight) into the
cause and impact of this incident. A number of actions were instigated to improve risk and
controls management across Pricing and the wider business. All due audit actions have been
completed on time, and the area continues to receive significant management and Board
focus.
Status of Audit Actions
74. The movement and ageing of audit actions are shown in the table below (status at 22
March 2021). There are currently no overdue actions.
Audit Action Status (POL) | | Ageing |
Open actions at last ARC | 35 | Open (not yet due) | 33
Less: Actions closed in period | 7 | Overdue (<60 days) | 0
Add: New actions in period | 15 | Overdue (>60 days) | 0
Total open actions | 33 | Total open actions | 33
Appendices*
Compliance
Appendix 1: FS Regulatory Calendar
Appendix 2: Compliance Dashboard summary
Appendix 3: Compliance Dashboard
Internal Audit
Appendix 4: IA Report: Historical Matters - CI) Improvement Programme
Appendix 5: IA Report: Postmaster Reporting (Management Information)
Appendix 6: IA Report: Historical Matters - Set-up and Governance
Appendix 7: Internal Audit Plan for 2020/21
* Appendices are accessible in the Diligent Reading Room.
Tab 6 Internal Audit Plan 2021/22
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: 2021/22 Internal Audit Plan
Meeting Date: 30 March 2021
Author: Johann Appel, Head of Internal Audit
Sponsor: Al Cameron, Chief Financial Officer
Input Sought: Decision
The Committee is asked to:
• note the proposed internal audit programme for 2021/22;
• consider if the proposed reviews individually and collectively represent an appropriate
programme to support management in their activities and to provide assurance to the
Audit, Risk & Compliance Committee (ARC) over key risks to Post Office;
• approve the internal audit programme for 2021/22.
Previous Governance Oversight
The proposed internal audit programme was reviewed by the POL Risk and Compliance
Committee (RCC) on 16 March 2021.
Executive Summary
An integrated audit plan has been prepared to provide assurance over principal business risks
and significant change activities. This paper sets out the process followed to identify and select
the audit candidates.
The proposed internal audit programme for 2021/22 consists of 24 audits (16 internal control
reviews and eight change / programme assurance reviews). In addition, we will also perform
around five audits in POI.
Introduction
1. The Post Office annual risk-based Internal Audit plan for 2021/22 has been prepared in
accordance with the applicable requirements of the Internal Audit Charter as approved by
the ARC in May 2020, as well as the professional standards of the Chartered Institute of
Internal Auditors (CIIA).
2. The proposed Internal Audit Plan was developed with input from Post Office GE and the
wider business, and was benchmarked against industry.
The Planning Context
3. The Post Office risk profile is impacted by continued and significant internal change, increased
regulatory scrutiny and market pressures. The 2021/22 Internal Audit plan is designed
to provide assurance over the organisation's principal risks, core processes and material
change activities.
4. The proposed 2021/22 Internal Audit plan is 'Postmaster Centric' and supports the new
Purpose and Post GLO improvement activities.
5. In 2017/18 we introduced a three year rotation plan for core processes. Core processes
are usually mature and generally expected to be well controlled, but warrant cyclical
validation due to their criticality to the business. The first 3-year rotation was completed
in 2019/20; the 2020/21 plan included the start of the second cycle of core process
reviews, however, many of the core process reviews had to be delayed in light of Covid-19
priorities. The 3-year rotation plan is therefore being re-assessed and reprioritised. The
full three-year rotation plan is included in para 13.
The Planning Process
6. The following diagram shows the process we followed to identify, assess and prioritise the
processes and activities to be assured in 2021/22:
Risk Universe - Source: Strategic Objectives, Legal Entities, Org Structure, Business Units (incl. HMU), Products, Core Processes, Change Portfolio.
Risk Assessment - Postmaster impact, Inherent Risk, Strategic Priorities, Control Frameworks, Prior audit results & coverage, Risk Events, Change impact, Brand impact, Value at Risk, Regulations.
Benchmark - Informed by: Post Office Purpose, Post GLO improvements, Industry benchmarking (Deloitte, PwC, KPMG, CIIA), Planning workshop, Internal Audit 'Hot Topics'.
Planning - Input from: Senior Management, RCC, ARC, Alignment with resource budget, Other 2nd line and external assurance activities.
Output - 2021/22 Audit Plan.
The Planning Results
7. The proposed list of audits was discussed and agreed with GE members and senior
management and their feedback and requests have been incorporated.
8. The tables below outline the proposed internal audits to take place in 2021/22. Internal
and external events may cause priorities and risk profiles to change, and management
may have additional requests during the year for advisory support or audit assistance. In
consequence, we may consider amending the plan as the year progresses. We will also
re-assess and refresh the plan at least quarterly to ensure it remains relevant. We will
seek ARC approval for all material changes to the plan.
9. Table 1 represents the baseline plan for internal control reviews, including reviews of the
Historic Matters Unit and Post GLO improvement activities. The target delivery is 16
reviews. High level audit scopes for each review can be found in Appendix 1.
Table 1: Internal Control Reviews (target = 16 reviews)
Rank | Proposed Review | GE Sponsor(s) | Postmaster Impact? | Timing
Priority Audits
1 | IDG Support & Assurance - Phase 2 | Dan Zinner | Direct | Q1
2 | GLO Historical Shortfall Scheme - Claims & Payments | Declan Salter | Direct | Q1
3 | Note Circulation Scheme (BoE Controls) | Al Cameron | No | Q1
4 | IDG Support & Assurance - Phase 3 | Dan Zinner | Direct | Q2
5 | GLO Stamp Stock Scheme | Declan Salter | Direct | Q2
Rolling Plan
6 | Payzone Control Environment | Owen Woodley | No | Q1
7 | Treasury Operations | Al Cameron | Indirect | Q1
8 | Effectiveness of Second Line - Financial Crime Function | Ben Foat | Indirect | Q2
9 | CFS Application Controls | Al Cameron | No | Q2
10 | Effectiveness of Compliance Function | Ben Foat | Indirect | Q2
11 | JML Deep Dive | Jeff Smyth | Indirect | Q3
12 | IT Operations and Incident Management | Jeff Smyth | Indirect | Q3
13 | Cyber Security | Jeff Smyth | Indirect | Q3
14 | ATM Link Scheme Assurance | Owen Woodley | No | Q4
15 | Third Party Data Validation | Al Cameron | Indirect | Q4
16 | Business Continuity (Incl. Post-crisis assessment and ITDR) | Al Cameron | Direct | Q4
10. Table 2 below shows a list of reviews with a Postmaster Focus. We expect that many of
these processes will be covered through our IDG assurance work. We will assess the
need for end-to-end reviews of these areas based on the outcome of the IDG assurance
work and the Public Inquiry.
Table 2: Alternative reviews with a Postmaster Focus
Rank | Proposed Review | GE Sponsor(s) | Postmaster Impact?
1 | Horizon Application Controls (follow up KPMG recommendations) | Jeff Smyth (Simon Oldnall) | Direct
2 | Postmaster Journey Follow-up (Placeholder) | Amanda Jones | Direct
3 | Postmaster Performance Management & Offboarding | Amanda Jones | Direct
4 | Postmaster Issue Resolution | Amanda Jones | Direct
5 | Revenue Protection (Deep Dive) | Dan Zinner | Direct
6 | Postmaster On-boarding Process | Dan Zinner | Direct
7 | Branch Cash Forecasting | Al Cameron | Direct
8 | TransTrack Application Controls | Russell Hancock | Direct
9 | Stamp Stock Controls | Al Cameron | Direct
11. Table 3 represents assurance provided over Post Office's change risk. The baseline plan
is for eight change assurance reviews. This is an indicative list based on the current
change portfolio and will be reviewed and updated continuously as the portfolio of
change programmes develops and the risk profile changes.
Table 3: Programme Assurance (target = 8 reviews)
Rank | Proposed Review | GE Sponsor | Postmaster Impact? | Timing
1 | Strategic Platform Modernisation (SPM) Setup & Business Case | Zdravko Mladenov | Direct | Q1
2 | Belfast Follow-up - Part 2 | Jeff Smyth | Direct | Q1/2
3 | PCI Follow-up - Part 2 | Jeff Smyth | Direct | Q2
4 | SPM Mobilisation/Delivery | Jeff Smyth | Direct | Q3/4
5 | Change Controls effectiveness | Dan Zinner | No | Q4
6 | Belfast Follow-up - Part 3 | Jeff Smyth | Direct | Q3/4
7 | Placeholder Change Project (TBC) | TBC | tbd | TBC
8 | Placeholder Change Project (TBC) | TBC | tbd | TBC
12. Table 4 is our ‘watch list’ of alternative topics and additional areas for consideration
during the year, should either the assurance needs for the priority areas decrease or risk
levels for items on our watch list increase. The watch list will also inform the 2022/23
internal audit plan.
Table 4: Watch list alternative topics (top 10 items only)
Rank | Topic / Area
1 | ITCF Follow up
2 | Financial Controls Framework
3 | Management of Strategic Partners
4 | Compliance with Prompt Payment Regulations
5 | Product Risk Assessment (MoneyGram / Lottery Products / ATMs)
6 | Top Down / Overarching People Review / Onboarding Process
7 | ServiceNow Implementation
8 | IT DR (Deep Dive After Belfast Exit - Q4/2021/22)
9 | Effectiveness of IT Security - Operational (2nd Line)
10 | Management Information (Fit for purpose / standardised / one version of truth)
Three Year Rotation Plan
13. We introduced a rotational audit plan in 2017/18 to assess core business processes over
a three year cycle in order to provide regular assurance on the effective operation of
controls over critical business processes. The rotational plan in the table below has been
based on the last review of these processes, known issues and ongoing remedial
programmes.
Core Processes - 3 Year Rotation Plan
Year 1: 2021/22 | Year 2: 2022/23 | Year 3: 2023/24
Financial Reporting Controls (N2) | Financial Reporting Controls | Financial Reporting Controls
Third Party Data Validation (N1) | Third Party Data Validation | Third Party Data Validation
Contract Management (Strategic Partners) (N2) | Supply Chain Management (CViT) | Sales (Product tbc)
Branch Cash Forecasting (N2) | Payroll | Employee Expenses
Business Continuity (N1) | Financial Close Process | Agents Remuneration
IT Operations (N1) | Fixed Assets | FS Conduct Management
Cyber Security (N1) | Procure to Pay | Receivables
Treasury Operations (N1) | Client Settlements Process | Sales (Product tbc)
Regulatory Compliance (N2) | |
N1 - Included in 2021/22 rolling plan. N2 - To be prioritised once other priority audits have been completed.
Post Office Insurance Internal Audit Plan
14. We will carry out a programme of internal audit reviews on behalf of Post Office Insurance
(POI), as per the Master Service Agreement between POL and POI. The 2021/22 plan is
pending approval by the POI ARC, and will be reported to the POL RCC and ARC once this
is done.
Financial Impact
15. The approved headcount for the internal audit team is 6 FTEs. We are currently at full
headcount. The co-source requirement to support delivery of the plan is estimated at
approximately 470 days, with a total cost of [redacted].
16. The cost implications of the co-source element of delivering the internal audit plan are as
follows:
Category | Number of Audits | Estimated effort (days) | Co-source cost
Core Internal Audit | 16 | [redacted] | [redacted]
Change Portfolio (N2) | 8 | [redacted] | [redacted]
Total | 24 (N1) | [redacted] | [redacted]
N1 2020/21 plan was for 26 audits.
N2 The increase in forecasted cost for change assurance is to provide for SME input into complex programmes, such as Belfast Exit, SPM
and PCI.
17. During 2018/19, we benchmarked the cost of providing Post Office internal audit services
against Deloitte's Global Auditing Information Network (GAIN) Survey. Post Office
spends around [redacted] of revenue on internal audit, which was found to be comparable with
similar size FS organisations and higher than similar size retail organisations.
We believe that the level of spend on internal audit is appropriate for the nature
and size of the organisation and that this benchmark is still relevant.
Appendix 1 - High level audit scope statements
Rank | Proposed Review | High Level Scope
1 | IDG Support & Assurance - Phase 2 | To provide independent validation and assurance over key improvements in support of the Inquiry. Around 400 improvements have already been identified, which will be validated for completeness and effectiveness. Testing will prioritise highest Postmaster impact actions and will be proportionate to the risk.
2 | GLO Historical Shortfall Scheme - Claims & Payments | Review of the scheme governance arrangements, including oversight, reporting, escalation and claimant journey. Review of operational controls to ensure the prompt and proper resolution of claims.
3 | Note Circulation Scheme (BoE Controls) | Review the controls over BoE notes held in vaults, the process of moving notes to 'borrow' from BoE, and accuracy of declaration to BoE and accounting treatment.
4 | IDG Support & Assurance - Phase 3 | Same as item 1. This is a placeholder to validate additional improvement in preparation for the Inquiry or as a result of the Inquiry.
5 | GLO Stamp Stock Scheme | Review of rationale, set up and controls of the scheme, including controls over the logging, assessment and payment of claims.
6 | Payzone Control Environment | To include compliance with POL Group Policies and progress to bring IT systems, equipment, security and resilience up to an acceptable standard.
7 | Treasury Operations | Assess the design and operating effectiveness of end to end Treasury operations, including Governance, Policies & Procedures, Skills & Capabilities, SOD, bank mandates, & DOA.
8 | Effectiveness of Financial Crime Function | Review of Financial Crime function activities, to include team resilience. Will consider both first and second line activities, and clear separation between the lines.
9 | CFS Application Controls | Review general application controls including OS, Database and application access, system and change control, IT operations and DR.
10 | Effectiveness of Compliance Function | Review of scope vs. expectations across business, particularly of the interaction between first and second line activities and the split between compliance and the first line.
Rank | Proposed Review | High Level Scope
11 | JML Deep Dive | Review status of ML roadmap, in-depth testing of joiners, movers, leavers, PAM, RBAC, SoD and re-certification. Review integration/automation, etc.
12 | IT Operations and Incident Management | Provide assurance that IT services are delivered consistently, reliably and at an appropriate level of service. This includes management of infrastructure changes, monitoring of operational IT infrastructure, and issue diagnosis and resolution. The backup and recovery of systems in the event of an incident or service interruption is covered separately under IT DR (incl. in Business Continuity).
13 | Cyber Security (Maturity Assessment) | Assess the implementation of the agreed actions and evaluate the level of progress towards increased Cyber Security Maturity following the 2019 and 2020 Deloitte assessments. Progress will be assessed across the highest risk domains and those areas highlighted by the 2020 review to be in most need of improvement.
14 | ATM Link Scheme Assurance | Following the takeover of ATMs from BoI, Post Office needs to join the Link Scheme, which has a requirement for annual attestation by the 3rd line that the Link Scheme controls were complied with.
15 | Third Party Data Validation | Review Business Process and IT controls for key revenue generating third parties to ensure accuracy, reliability and integrity of data. Perform data analytics as necessary.
16 | Business Continuity (Incl. Post-crisis assessment and ITDR) | To assess how the learnings from the business response to Covid-19 have been embedded in BC management. To include a review of overall BCP processes and focus on ITDR for Horizon.
Tab 7 Update from Subsidiaries: verbal update (POMS ARC)
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Post Office Insurance Audit & Risk Committee Update
Meeting Date: 30 March 2021
Author: Ian Holloway, Director of Risk & Compliance, Post Office Insurance
Sponsor: Amanda Bowe, Chair of the Audit & Risk Committee, Post Office Insurance
Input Sought: Noting
The Committee is asked to note the report from the Post Office Insurance Audit & Risk
Committee.
Executive Summary
This paper provides a concise update for the Post Office Limited Audit, Risk & Compliance
Committee (POL ARC) on matters which the Post Office Insurance Audit & Risk Committee (POI
ARC) considered on 25 March 2021.
Questions addressed
1. What are the key points which will be considered at the POI ARC meeting?
Report
What are the key points considered within the POI ARC meeting?
2. At an extraordinary meeting of the POI ARC and Board on 23 March 2021, the financial
statements for the 19/20 year were reviewed and a plan agreed for their completion
and filing at Companies House. Following consideration of all relevant matters, the accounts
were signed on a going concern basis. After thorough analysis, it was agreed to write down
non-travel goodwill by [redacted], leaving a residual balance of [redacted]. This reduction does not
have an impact on POI's regulatory capital, cash / liquidity or our operational capability.
The FCA have been informed of this reduction. The accounts were filed on 27 March 2021.
3. Internal Audit has completed a review of data governance. It has recommended a clearer
operational structure for data ownership within POI which Management are currently
developing. The Internal Audit plan for 2021/22, the budget for Internal Audit, and the
Internal Audit Charter were approved by the Committee.
4. The risk management report noted the ongoing risks to POI's travel business.
Considerable uncertainty remains as to whether European travel will be allowed before the
middle of August, and therefore the bulk of the Summer travel season may now be lost.
Cashflow and capital continue to be monitored closely and management has produced a
‘resilience’ plan in mitigation of liquidity risk. Third parties supporting POI have largely
performed well within the Covid environment, but concerns were noted on the performance
of Ageas (for household claims), and Cardif (for pet claims), where service handling for
post first notification claims calls are significantly out of tolerance. Management have
agreed to come back with clearer actions and timescales for bringing these performance
measures back within agreed parameters.
5. The Committee also requested further work to demonstrate our approach to vulnerable
customers, including the timing and use of a vulnerable customer flag, and if necessary,
to update the POI vulnerable customer policy. This will come back to the next ARC given
its importance.
6. A joint principal report (involving POI, Bank of Ireland and Capital One), covering oversight
of Post Office Limited as Appointed Representative, was presented to the Committee. This
identified a number of issues concerning the planning and execution of mystery shopping,
which is a key network sales control tool. Overall POI identified that the mystery shopping
based oversight framework falls short of principal requirements, and the Committee was
concerned that earlier steps to improve oversight of POL as the AR of POI may not be
fully embedded. Significant change is required to ensure that these issues are rectified.
Management is considering steps to improve the overall structure of oversight. It was
recognised that there are no indications of actual customer detriment and the volume of
business conducted through POL branches has reduced considerably in recent years,
reducing the impact of this risk. Nonetheless, the Committee will be keeping this risk
under close review.
7. The Committee reviewed the Conduct Dashboard and agreed a number of minor changes
to conduct metrics. It was noted that travel insurance cancellations are again climbing
following further pessimism around the timescales for it being possible to take holidays in
Europe. Broadly other metrics are where Management would expect them to be.
8. The Senior product managers with SMCR responsibility for motor, household, pet, travel
and protection presented on risks and controls within their areas and attested on the quality
of controls in terms of risk coverage.
9. Policies on data and cyber security, pricing and product reviews were recommended to,
and approved by, the Board.
Tab 8 Business Continuity Review
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Business Continuity Gap Analysis
Meeting Date: 30 March 2021
Author: Jonny Lonsdale (Business Continuity Manager)
Sponsor: Alisdair Cameron, Chief Finance Officer
Input Sought: Noting
The Committee is asked to note the summary findings of the Business Continuity Gap Analysis
review for Post Office Group.
Previous governance oversight
The Risk & Compliance Committee on 16 March 2021.
Executive Summary
Background: In an effort to determine the status of the Business Continuity Management
System (“BCMS”) the Business Continuity Manager has completed a gap analysis on its
alignment to the BSI ISO 22301 (Business Continuity) standard. The folders of documentation
provided by Tim Armit have been assessed as part of this review.
Standard: A BCMS aligned with ISO 22301 is based on Business Impact Analysis and takes
into consideration the organisation as an entirety. It includes disaster recovery and business
continuity plans that focus on the recovery of specific activities, operations, functions, sites,
services, etc.
Conclusion: The Gap Analysis has found that the overall status of the Post Office BCMS is non-
compliant with some aspects of the industry standard, and in particular the most concerning
gaps are in the following areas:
1. Business Impact Analysis
2. Business Continuity Plans
3. Governance Framework
4. Exercising and Testing
Questions addressed
1. Does Post Office have a fit for purpose BCMS in line with the BSI IS022301 standard?
2. What changes are needed to the BCMS to meet the requirements of the standard?
Report
Audit, risk and control
4. Post Office does not have a detailed Business Impact Analysis for each department;
therefore, the organisation does not have a process of determining the criticality of business
activities and associated resource requirements to ensure operational resilience and
continuity of operations during and after a business disruption. Although the Post Office
does not have documented BIAs, the RCC and ARC should take assurance that disruption
to key activities has been limited during the pandemic and its work from home strategy,
which displays that the organisation is aware of its key activities.
5. Not recognising the critical activities in an organisation prevents identification of risks which
need to be prioritised in preparedness for a major incident resulting in an unacceptable
standard of resilience. However, the Post Office manages major incidents effectively through
its escalation process and should have some comfort in the response to the pandemic
outbreak which limited impacts to the continuity of its products and services.
6. A departmental business continuity plan allows those accountable to design their own
recovery strategy. This includes the minimum business continuity objective (staff resource),
the time of which to resume the key activities and location. Although I have seen some
departmental plans (Supply Chain) which detail response procedures and alternative
locations, this is not replicated through the business and if we do not have these
documented procedures our ability to respond to incidents will be impacted.
Stakeholder and workforce engagement
7. A group of Business Continuity Plan owners and BIA Champions have been identified to roll
out the refreshed BCMS. These stakeholders will be required to complete a Business Impact
Analysis and Business Continuity Plan with the guidance of the Business Continuity Manager.
Completion of these sessions will be held on a 1-1 meeting basis to ensure the information
is completed effectively and consistently.
Critical Systems
8. It is also noted that the critical branch supporting system, Horizon, has not been fully
disaster recovery tested; therefore confidence that the system would remain operational
in the event of a Data Centre outage is not established. Testing on Horizon is planned for
this year and it is expected a full failover test will be completed.
Financial Impact
3. There is limited financial impact to implement the refreshed BCMS. However, a ServiceNow
module has been identified as a useful tool to aid the BCMS effectiveness, although
this is in the early stages of discovery therefore no business case has been put forward
for approval.
Risk Assessment, Mitigations & Legal Implications
4. The present work area recovery strategy for the Chesterfield office is to relocate to the
SunGard site in Leicester. This contract expires on the 31st March and a decision has been
made not to extend the contract. The Post Office is aware of the risks associated with
ending this contract and has plans in place to mitigate this. With many colleagues now
working from home this decision will have limited impact. If laptops are damaged in an
incident, there may not be enough spare laptops in storage to replace a large number. A
desktop strategy is currently being considered with IT in order to mitigate this risk and for
colleagues to leave laptops at home when coming to work in one of the offices.
5. There is no defined list of up to date critical suppliers of products and services that support
the strategies of the BCMS. This may result in not identifying risks associated with
suppliers which could be mitigated or used to plan contingencies if they become
unavailable. For example, COVID response, impacts and business resilience.
6. A list of our most high value or most dependent external partners has not been
established, which prevents appropriate Business Continuity strategies being developed to
ensure we meet the needs of those customers. By creating this list, we can identify our
SLAs and ensure these timescales can be achieved in the event of a Business Continuity
incident.
Stakeholder Implications
7. Each department or team will be required to complete a BIA during Q1 with the assistance
of the Business Continuity Manager. Each BIA will take approximately 1 hour to complete
with an additional hour for the Business Continuity plan.
8. There is a risk that, due to the lack of training and awareness for colleagues in regard to
the identification of Business Continuity risks, we currently have a number of unknown risks
which require mitigation in order to ensure the Post Office can continue to provide its
products and services at an agreed level. A competency matrix will be established to
identify what training would be the most appropriate for the BCMS stakeholders.
9. Once BIAs and Business Continuity plans have been created, a series of scenario-based
testing exercises will be scheduled that each Business Continuity plan holder will be required
to attend. The Gap Analysis found that one department of the organisation, Supply Chain,
has a robust testing and training programme of Business Continuity activity in place.
10. An annual audit should be agreed for our Internal Audit team to review the BCMS against
the BSI 22301 standards to ensure a degree of compliance is achieved and improvements
measured following this gap analysis.
Other Options Considered
11. Implementing a BCMS framework is to inform and drive continual, effective, cross-
functional, multi-level continuity planning through holistic, integrated risk management
practice in the following ways;
12. Establish a control environment to link corporate governance, risk management, business
planning and operational performance to the Post Office strategic direction (business
continuity programme);
13. Invest time, tools and techniques to ensure BCMS is a fully embedded, auditable business
management process;
14. Provide senior managers with opportunities to obtain a sound understanding of business
continuity management and requisite skills to implement business continuity effectively;
15. Ensure the framework is sufficiently flexible to meet the challenges of scalability, different
department business profiles and various geographic needs coupled with governance,
regulatory and legal regimes;
16. Assist and manage events that require information and resource coordination across
multiple business functions;
17. Uphold a resilience philosophy in which the Post Office business continuity capability
always reflects the needs, technology, structure and culture of its business.
Next Steps & Timelines
18. For Post Office BCMS to achieve compliance with ISO 22301 standard the following BCMS
schedule of work is to be completed over the course of the next 12 months:
Creation of BIA:
• BIA Roll Out
• Identify Key Suppliers & Review BCP Status
• Identify Contractual Obligation
• Create Framework Document
Create BC Plans:
• Create Internal / External Incident Communications statements
• Create BC Sharepoint site for document repository
• Training & Awareness Sessions
• Create BCMS invocation Severity Matrix
Testing Schedule:
• Create Competency Matrix for Stakeholders
• Create Improvement Tracker
Plan Internal Audit of BCMS:
• Create BCMS annual workflow
Review and update
BC Risks in Risk
Register (SNOW)
Review Business
Continuity Policy
Tab 9 DeepDive: Dangerous Goods
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Prohibited and Restricted Items - Progress Update
Meeting Date: 30 March 2021
Author: Mike Elliott, Network Sales Development Manager; Andy Kingham, Franchise Partnering Director
Sponsor: Amanda Jones, Retail & Franchise Network Director
Input Sought: Noting
The Committee is asked to note:
i. the activity undertaken and planned in order to improve conformance to the required
process.
ii. anticipated improvement in mystery shopping conformance as a result of the proposed
system changes.
Executive Summary
Since 2012, Post Office has contracted with Royal Mail to help meet its obligations to the CAA
(Civil Aviation Authority) for checking the list of prohibited and restricted items and any
applicable packaging, volume, quantity, labelling and product restrictions that apply prior to
posting any item. Royal Mail provides a comprehensive A-Z list that gives detailed information
about the things that cannot be posted with us, or where restrictions are in place and covers
all our UK mail and International mail services. This list of prohibited and restricted items
reflects Royal Mail’s general terms and conditions.
During the most recent audits, the CAA have highlighted that Post Office Ltd. can only act in
the capacity as the first line of defence regarding the acceptance or refusal of prohibited and
restricted items. Whilst the ultimate responsibility lies with Royal Mail, Post Office Ltd. takes
this responsibility seriously.
To monitor compliance levels for Prohibited and Restricted Items (P&RI), mystery shopping is completed on a monthly basis by Ipsos. Since its inception, POL results have been inconsistent, falling below acceptable levels in most months. Over the last 6 months compliance levels peaked at 77% for International and 56% for Inland (the latest wave was Period 9, as mystery shopping was paused due to the pandemic).
This paper provides an update on the progress to date to deliver performance improvements
and outlines the next steps we are and need to take to improve compliance levels further for
the acceptance of Dangerous goods items.
Questions addressed
1. Why do we need to improve conformance levels for Prohibited and Restricted items?
2. What is the impact of not doing this?
3. What steps have been implemented since the last update (July 2020) to address this?
4. What additional steps are planned to improve compliance further?
5. What is the current focus in the network to address this?
Report
1. Why do we need to improve conformance levels for Prohibited and Restricted items?
To comply with national and international regulations governing the carriage of mail, and to
ensure that mail in transport does not present a danger to the general public, we restrict or
prohibit certain items from entering our network and the Royal Mail pipeline.
We want to ensure the mail is safe for everyone, with many items, such as batteries, aerosols,
nail varnish and perfumes (amongst other items and substances), considered as dangerous
goods under transport legislation. For items posting overseas, other postal administrations may
have different prohibitions and restrictions. All the individual and country specific restrictions
and prohibitions add further complexity to the transaction at the counter.
Area Managers have continued to focus their efforts on driving increased awareness and
understanding in order to deliver improvements in conformance as BAU activity on branch visits
and Teams calls. This has been underpinned with additional training where required and
through frequent communications.
The latest mystery shop results, described below, show that performance levels for Inland remain static, ranging between 44% and 55%*, with International between 65% and 90%*.
*number of branches correctly following the correct process, based on mystery shopping
[Chart: 2020/21 YTD Mystery Shop Performance, periods 3 to 10, Inland vs International. N.B. limited P10 data due to cessation of Mystery Shopping mid-period.]
The graph below shows the number of parcels disposed of per 100,000 items of mail
accepted, as a result of the parcel containing a prohibited or restricted item. This data is
provided by Royal Mail. This shows an improving trend year on year as follows:
2018/19 1.7 items disposed of per 100,000 items of mail
2019/20 1.6 items disposed of per 100,000 items of mail
2020/21 YTD 1.1 items disposed of per 100,000 items of mail (Period 11 0.6)
The target for 2021/22 is 0.5 items per 100,000 items, and we are confident that this will be
achieved following on from the planned Horizon system updates. Area Managers will continue
to make targeted interventions with branches using the Branch Insight Tool (BIT).
2. What is the impact of not doing this?
The Civil Aviation Authority may withdraw the authorisation of individual PO branches to sell parcels in the event of non-compliance. POL's liability is limited to an aggregate amount of £20 million per year, although POL has not to date received any claims for compensation from RMG for non-compliance with the MDA dangerous goods compliance requirements. In addition, there are reputational risks to the POL brand in the event of an incident occurring as a result of mail accepted in branch.
3. What steps have been implemented since the last ARC update (July 2020) to address this?
A meeting was held with RM and the CAA at the end of April to discuss performance; this was attended by senior members of the POL mails and network teams. POL and RM have continued their monthly Dangerous Goods working group to discuss performance and monitor improvement activities.
Following these meetings, and after several consultations with Postmasters during lockdown 1,
there were a number of suggestions made for improvements. All improvements were scoped,
prioritised and are being tracked in a project plan, some of which have already been
implemented as part of phase 1 and some are in flight within phases 2 and 3. Following the
implementation of each phase, we expect to see marked improvements across all Prohibited
and Restricted metrics.
We are confident that the planned system changes described below, will drive a significant
improvement in conformance as we are minimising risk by removing the reliance on the counter
colleague to follow the correct process.
Phase One:
• Horizon System Changes - We will be able to offer a Horizon menu-based alternative to the manual scanning of the dangerous goods laminate. The Dangerous Goods process will be integral to the Mails transaction and will form a key part of the Mails conversation with customers, without the need to use additional support aids such as the existing Dangerous Goods laminate. The current process relies on the colleague remembering to use the laminate. This new process is currently going through Network gateway for UAT testing and Postmaster feedback.
A trial across 167 branches commenced on 11 March 2021 and finished on 20 March 2021; feedback from Postmasters is currently being reviewed, with the potential of a full roll-out across the entire network by the end of June 2021.
(Accompanying this paper is a PDF document that demonstrates the changes from the existing to the new Horizon customer journey.)
• Branch Insight Tool (BIT) enhancements - The initial review in July 2020 identified the
need for improved management information to support the identification of ‘At Risk’
branches. Following this review, from Q3 of last year, individual branches are now scored
and ranked to prioritise those branches with significant non-conformance. This is based
on overall Mails volumes, interception volumes, previous mystery shop results and
Dangerous Goods laminate scan percentages. This development within the BIT tool, now
provides Area Managers with improved visibility of overall performance across their
areas. Looking forward, this will facilitate both reactive and pro-active actions to drive
improvements in conformance.
4. What additional steps are planned to improve compliance further?
Phase Two (subject to CAA approval):
• Labels Compliance - We are working on a solution to enable the Horizon system to print both the ID8000 and Lithium battery labels. Our worst performing mystery shop scenario is where these labels are required. Forcing the label to print during the transaction will drive further improvements in conformance by removing the option to add the label at a later stage. (The current anticipated go-live date for phase two is mid-June 2021.)
Phase Three (subject to business case):
• Simplification - We have requested a quote from our IT suppliers to update Horizon so that the DG transaction start point can be moved earlier in the Post Mail items journey; this will be subject to costings and appropriate finance approval.
• Customer Self-Confirmation - Further system changes are planned as part of phase 3, leading to a requirement for customers to confirm their self-declaration using PIN pad devices for Mails items. (The current anticipated go-live date for phase 3 is the end of July 2021, with a dependency on the availability of Ingenico resource.)
5. What is the current focus in the network to address this?
The current focus in the network is as follows:
• Postmaster Engagement - The Horizon system changes (described in phase 1 above) are now ready for testing and we have engaged with Postmasters to seek their input regarding the original needs analysis and whether the new system design will deliver against these needs.
• Targeted Activity - Conformance Champions are in place across the 9 regions and they have been asked to lead regular sessions with their teams to increase focus and awareness across each area. Area Managers are now contacting their worst 20 branches based on zero scans of the Dangerous Goods laminate, which indicates marginal or non-existent activity at the counter. This activity will continue, leading to greater reach and positive impact in the worst performing branches across the network.
• Contractual Intervention - Work is progressing to agree and deploy a formal contractual process for branches that continue to be non-conformant following three interventions and support from Area Managers. We expect this to be in place by the beginning of the new financial year.
Conformance improvements expected
As a result of the anticipated Horizon improvements we expect to see a significant improvement
in conformance to the process, as the necessary prompts and interventions are systems
generated and will address current failure points.
For phase 1 we expect to see conformance improve as follows:
• Increase inland dangerous goods conformance to c.70%
• Increase international dangerous goods conformance to c.85%
For phase 2 we anticipate conformance for inland and international dangerous goods to improve to c.90%.
The anticipated improvements from the implementation of phase 3 changes would see conformance improve to c.95% with the inclusion of customer confirmation.
N.B. In addition to the Management Information we have available to report on the use of the new Horizon screens versus the use of the laminates, with Mystery Shopping due to recommence on 12/04 we will also be able to report on actual conformance improvements. We should start to see the benefits in the next wave of Mystery Shopping, but it will take two or three Mystery Shop waves to fully embed each phase.
Tab 10 Committee Terms of Reference Review
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Committee Terms of Reference
Meeting Date: 30 March 2021
Author: Rebecca Whibley, Senior Assistant Company Secretary
Sponsor: Veronica Branton, Group Company Secretary
Input Sought: Noting & Approval
The Committee is asked to:
1. note the outcome of the review against the Terms of Reference, confirming that the
responsibilities under the Terms of Reference for financial year 2020/21 have been met
save for the exceptions outlined in the report;
2. note and approve the actions to address the matters not adhered to; and
3. approve the revised Terms of Reference for onward submission to the Board.
Executive Summary
The Financial Reporting Council's (FRC) Guidance on Board Effectiveness 2018 refers to the
need for “properly structured and appropriate terms of reference.” As part of the annual
Governance Report to the Board, the Board Committees review their Terms of Reference to see
whether any changes are required and to evaluate whether the Committee’s responsibilities
have been discharged.
The complete review against Terms of Reference is available in the Reading Room alongside
the Terms of Reference applicable in FY 2020/21.
The following elements of the Terms of Reference have not been complied with, or have only been partially complied with, in FY 2020/21, and suggested remedial action is outlined below:

Item 7. Approve the Group Treasury and banking policies
Remedial action / commentary: This was last approved in March 2020 and was due to be approved in March 2021 but has been moved to May 2021 due to capacity issues in the Treasury team. This will therefore be reviewed and approved in May 2021.

Item 36. Independence of internal audit, including an annual review of any non-audit services provided by internal audit
Remedial action / commentary: There has been no review of non-audit services provided by, particularly, Deloitte as Internal Audit Co-Source. It is recommended that the Committee receive a report from Deloitte and Internal Audit covering non-audit services and fees annually moving forwards.

Item 38. External Audit reappointment, fees and scope of engagement approval
Remedial action / commentary: The Committee has not formally reappointed the auditors for FY 2020/21, due to the delay in approving the Annual Report & Accounts. The Board reappointed the auditors for FY 2020/21 at its meeting on 18 March 2021. As already recognised at its meeting on 26 February 2021, the Committee should approve the fees, and this should also include the scope of engagement, for onward submission to the Board in early 2021/22 (the latest action update is that this is due to be completed in May 2021). Moving forwards, these matters should be dealt with at the Committee meeting dealing with the Annual Report and Accounts approval, and the Company Secretariat will ensure that these matters are subsequently approved by the Board.

Item 41. Approval of External Audit Plan
Remedial action / commentary: The Committee noted this plan, but moving forwards the Committee should approve it.

Item 43. Review of Representation Letter
Remedial action / commentary: The Committee did not review this letter and it is suggested this review is undertaken in future years.

Items 45 & 48. Annual review of External Audit services, including independence, non-audit fees, qualifications, expertise and resources of the external auditor, and effectiveness
Remedial action / commentary: This has not been done in a formal way, but it is covered in the audit report for FY 2019/20 and the FY 2020/21 Audit Plan. It is suggested that a more formal annual review is carried out following the approval of the Annual Report and Accounts moving forwards.

Item 72. Circulation of Committee Minutes to the whole Board
Remedial action / commentary: This has not been done previously, but now all Board members have access to the Committee Reading Room on Diligent Boardbooks containing all signed minutes, and draft minutes (post Chair approval) will be circulated to all members of the Board. The majority of the Board attend the ARC in any event, with standing invites to the Chair of the Board and Lisa Harrington should they wish to attend.
The review has also shown that the Terms of Reference omit the following items which are, in practice, responsibilities of the Committee, or include items which are not responsibilities of the Committee; the Terms of Reference should be revised accordingly (subject to Board approval):
1. The Committee has authority to approve policies under the Group Key Policy Framework pursuant to the Matters Reserved to the Board and, in practice, approves most Group Key Policies.
2. The Tax Strategy is approved annually by the Committee.
3. Banking policies are not approved by the Committee and so should be removed.
Appendices
1. Table of Review against the Terms of Reference
2. Current Terms of Reference
3. Revised Terms of Reference (Clean)
4. Revised Terms of Reference (Track Changed)
Tab 12.1 Cyber Security
POST OFFICE LIMITED
AUDIT & RISK COMMITTEE REPORT
Title: Cyber Security Update
Meeting Date: 30 March 2021
Author: Tony Jowett, Chief Information Security Officer
Sponsor: Jeff Smyth, Group CIO
Input Sought: Noting
The Committee is asked to note the status and plans regarding the reduction of risk associated
with Cyber Security.
Previous Governance Oversight
Rolling item at each Committee.
Executive Summary
We continue with our programme of work to develop higher levels of cyber maturity.
Progress continues on track in all areas.
We describe the focus of our 21/22 programme balancing the needs for focus on inquiry,
postmasters and cyber maturity increase.
We describe the results from our second desktop cyber incident drill.
Our current cyber operations dashboard and resulting highlights are discussed.
Questions addressed
1. What is the latest update on the cyber programme?
2. What is the focus of our 21/22 cyber programme?
3. What are the results from the recent cyber incident desktop drill?
4. What are the highlights from the current Cyber Operations dashboard?
Report: Programme Update
1. The status of the actions from the recent cyber maturity audit is as per the table below; all are complete or on track within target dates.

Finding: Target maturity levels for cyber security should reflect POL's risk profile
Status: Completed - target maturity levels to stay as is unless risk appetite changes significantly
Target date: 30/9/20

Finding: POL's list of crown jewels should be agreed with the business
Status: Completed - approved by GE
Target date: 30/11/20

Finding: Security architecture is not fully documented
Status: Completed - next update Q3 2021
Target date: 28/2/21 (revised date)

Finding: There is no documented long-term cyber strategy
Status: Completed - next update Q2 2021
Target date: 31/12/20

Finding: There is no end-to-end programme defined for Cyber
Status: In progress - being developed in line with the 21/22 planning cycle; programme focus discussed in this paper
Target date: 31/3/21

Finding: The cyber action tracker requires updating
Status: Completed
Target date: 30/9/20

Finding: JML processes are not fully integrated
Status: Covered under the JML paper - requirement is to introduce automation of workflow where feasible
Target date: 31/3/21

Finding: There is no documented strategy for Cloud security
Status: Completed
Target date: 28/2/21 (revised date)
2. The roadmap for the cyber programme and dependencies is described in the next section.
Report: What is the focus of our 21/22 cyber programme?
3. Since we planned our 2020/21 programme the world of the Post Office has changed
significantly. As per the above table we have developed a new cyber strategy which we
have adapted to focus on three themes:
a. Postmaster support
i. Activities that directly support postmasters which will cover but not
be limited to hardening of counter terminals, detection/prevention of
external fraud against postmasters, fraud detection within the network
and rationalisation of access management controls.
ii. Indirect postmaster support - through providing cyber input to key programmes that are aimed at keeping postmasters at the centre of what we do, e.g. SPM, PCI DSS, Banking Framework.
b. Inquiry-related improvements - resulting from the CIJ, HIJ and other
inquiry-related activity
c. Group-wide Cyber maturity increases - those activities that reduce the
overall risk to the whole organisation and help ensure that the Post Office
exists/is not taken out for a significant amount of time. The Group functions
cannot exist without postmasters and vice versa. These improvements are
aimed at us reaching our cyber maturity targets.
4. A one-page view of the programme is at Appendix 1.
5. The programme is now going through portfolio and financial approval.
Report: What are the results from the recent cyber incident desktop drill?
6. We previously reported to the committee that, whilst we had confidence in our defences, we were keen to perform a number of desktop incident drills. We have recently completed the second of these and this is described below.
7. We engaged Nettitude (our red team and pen test supplier) to run the test for us using skilled personnel to simulate a potential large-scale loss of customer data.
8. The test was designed to be as realistic as possible and was run remotely due to COVID restrictions. The following constraints applied:
a. No malicious code was to be introduced by Nettitude during the incident.
b. Any PII data used during the exercise was fake and randomly generated.
c. Nettitude would not provide any 3rd party Incident Response resources; we could only use our own and other third parties if we had them.
9. The scenario we tested was as follows:
a. You have this morning received communication from a freelance security researcher (email address stumpyukili [...]) sent via the "Contact Us" web form on the Post Office website.
b. The researcher claims to have found some interesting data on the internet: an individual who posted the data on a paste site claims to be in possession of a full dump of customer data from the Post Office.
c. The researcher has sent you 3 x sample records. The security researcher has copied and pasted the message in his message to the Post Office.
10. During the exercise a number of interruptions (injects) were made by Nettitude as the incident progressed with new and emerging facts:
a. Inject 1 - You are unable to find the claimed information online. After communication with the security researcher, he enquires if Post Office offers a bug bounty and, if so, suggests 0.1 BTC might be a suitable bounty to pay in return for the URL to the paste site.
b. Inject 2 - The Post Office may pay the bounty or convince the researcher to supply the URL (or completely disengage with the researcher). If there is more interaction with the researcher, they send the URL to the paste.
c. Inject 3 - The Post Office confirm that the 2x samples are consistent with data that they hold. The samples claim to come from The Post Office and the paster has provided an email address and a demand for 0.1 BTC for a full copy of the dump. The researcher eventually discloses the URL: Pastebin.com/VEBjcYBB
d. Inject 4 - Multiple Post Office customers contact The Post Office claiming that they have received phishing emails that contain specific and accurate information only held by the Post Office.
11. The results of the test are discussed below - taken directly from the Nettitude report with
no edits.
12. The scenario presented to the Post Office was complex and contained uncertainties along
with issues that cut across multiple departments. As such, representatives from the
Cyber Security Team, Major Incident Management Team and Data Protection Team were
involved in the exercise.
13. In terms of People, The Post Office staff performed to a very high standard during the
exercise. They were presented with a wide range of complex issues and they were quickly
able to identify the risks and develop strategies for managing the risk. They closely
followed the processes documented in relevant policies. Each of the relevant stakeholders
demonstrated that they had an excellent grasp of the documented policies that they were
responsible for. The decision making, based on available information was also excellent.
All the representatives on the exercise pooled their knowledge in order to work their way
through an increasingly complex set of problems.
14. In terms of Process, during the exercise, documented processes were tested to their
limits and withstood complex issues that progressively escalated in severity. It was
apparent to Nettitude that a lot of thought and planning had gone into the development
of the documents. As the scenario progressed The Post Office correctly escalated their
response at the appropriate junctures, and seamlessly handed off ownership to the correct
stakeholders. In the previous tabletop exercise delivered to the Cyber Security Team, gaps
were found in the documented Cyber Security Incident Response processes. Those gaps
have now been closed, thus during the initial phase of the incident, the incident was
correctly categorised and subsequently correctly escalated into the Major Incident
Management Team. The participants in the exercise were able to identify which team had
overall ownership of the incident during its progress and were able to identify the correct
organisations and Post Office stakeholders to notify at the correct time.
15.
16. In summary
a. The Post Office Cyber Security, Major Incident and Data Protection staff
successfully completed the tabletop exercise.
b. Gaps previously identified in the Post Office’s Cyber Security Incident Response
documentation were confirmed to have been closed.
c. No gaps were found in respect of the Post Office's current documentation for
managing security incidents.
Report: What are the highlights from the Current cyber dashboard?
17. Appendix 2 shows the current cyber operational metrics dashboard.
18. Key points to note:
Appendix 1: Cyber 21/22 Programme & Alignment with Priorities
[One-page programme view; chart not reproduced in this extract.]
Appendix 2: Cyber Dashboard
[Dashboard pages: Cyber Operations; Cyber Operations 2; Cyber Compliance. Charts not reproduced in this extract.]
Tab 12.2 Procurement Governance & Compliance
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Procurement Governance & Compliance Report
Meeting Date: 30 March 2021
Author: Barbara Brannon, Procurement Director
Sponsor: Alisdair Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to review the report, noting the Procurement Risk Exceptions submitted
to the Post Office Limited Group Executive and Board since January 2020 and to consider and
give direction in respect of the contracts in the Procurement pipeline which are high value and
at risk of being awarded or extended non-compliantly.
Previous Governance Oversight
• November 2020 - RCC & ARC Report
• January 2021 - RCC & ARC Report [no Board submission required]
Executive Summary
As a business in receipt of public funds, Post Office Limited (POL) is bound by the Public Contracts Regulations 2015. PCR 2015 oblige POL to behave in a fair, objective and transparent way when contracting with 3rd party suppliers. Additionally, set procedures must be followed for spend above £25k and £189k.
The purpose of this report is to set out both breaches to Post Office governance and key controls
around contracts and compliance to PCR regulation in the award of contracts.
The aim of collating this information is to drive improvement in awareness and compliance
behaviour across the organisation. The second and primary aim is to work with GE and Business
Units to commence commercial reviews in a more timely way ensuring POL obtains value,
commercial and contractual flexibility fitting the requirements and business strategy of the
organisation.
In March 2020, Post Office Board requested prior approval of all Exceptions. This was revised
in September 2020 to above threshold Exceptions >£189k only in a revision to existing
governance. From November 2020 sub threshold exceptions will be submitted to the Group
Executive for prior approval and reported retrospectively to RCC and to ARC.
A Procurement Risk Exception Note is required to accompany all Exception Requests and a
Legal Risk note for requests >£189k.
Questions addressed
1. How many and what types of procurement risk exceptions have occurred in the past
quarter?
Since the last RCC report at the end of January there have been two Procurement Risk
Exceptions submitted to the Group Executive for approval.
• NCR SSK Support - Interim extension of 30 days to 28.02.2021
• NCR SSK Support - Interim extension of 30 days to 31.03.2021
We also have a lapsed contract with our auditors, PwC, which is an internal governance breach. A compliant extension option exists, but they are currently working at risk preparing an audit plan for 2020/21 while commercial terms are negotiated. This has not been resolved since the last RCC report in January.
2. What are we doing about it?
Active reviews continue with Business Units with the highest values relating to non-
compliance.
A visual breakdown on all Open incidents at 5/03/2021 is available in Appendix 1.
3. What is in the current Procurement pipeline which is high value and at risk of being
awarded or extended non-compliantly?
One Procurement risk exception has been submitted for Board approval.
a) Lexington Communications - circa [...]
The PR & Comms team wish to extend the existing non-compliant contract with Lexington Communications out to September 2021 in order to cover immediate business requirements relating to GLO. Aggregated value is forecast at circa [...]. A Procurement Risk Exception request has been submitted to the March Board for consideration.
There are two pending Procurement Risk Exceptions:
b) Digidentity - TBC
Contract and settlement negotiations with Digidentity are continuing. A full commercial overview and risk analysis will go to GE and Board in due course, noting that by accepting a non-compliant extension from GDS, and therefore commercially entering into an extension with Digidentity to provide the services, a Procurement Risk Exception must be considered and approved.
c) Grant Thornton - TBC
Further services will be required in order to close the sale process for Home Phone and
Broadband. The services are described as subject matter expert review and assistance
with negotiating challenges/questions arising from the Shell draft Completion
Statement. A Procurement Risk Exception request shall be raised in May for the
services which are anticipated for delivery in late May/early June into July.
Conclusion
Risk Exceptions are subject to extensive internal governance, legal and risk review, in line with
POL governance guidance on value and risk. This is reflected in the material reduction in the
value of open risks over the past 3 years.
Individually, all large value non-compliant contracts have been reviewed by the appropriate Post
Office governance forums, with agreement on next steps and with actions towards remediation
allocated where appropriate and/or available.
Executive support for moving POL towards a more compliant footing is very strong, and, equally
important, there is extensive support for the cultural change required to ensure that Procurement
activities and outcomes support longer term business strategies and reduce commercial risk,
making our 3rd party arrangements fit for purpose.
Report
4. What are the potential consequences of non-compliant awards?
a) Pre-contractual remedies overview: During a Procurement, an aggrieved party can
seek an interim injunction suspending the tender or the implementation until the court
decides on an outcome.
b) Post-contractual remedies: The court can order an ‘ineffectiveness order’ rendering
the contract void &/or can award damages.
5. Why are these incidents of non-compliance occurring, and what can be done about it?
Non-compliant awards may be made for a number of reasons at the Post Office.
a) Low value, time constrained or highly sensitive/specialist engagements are not
uncommon.
b) Large commercial arrangements cannot often be easily competed or unravelled
without operational impact, and re-procurement may be subject to a pending evolution
of a supporting Business Strategy and/or completion of large, and complex technical
programmes of work to maintain or enhance services prior to a possible exit.
c) The contractual arrangements may pre-date the PCR 2015 regulations, or the contract was
novated during separation from RMG, automatically becoming non-compliant at the
renewal point. Non-compliant awards are frequently made on a tactical basis to extend
contractual services while public tender processes are executed.
d) Delays to public sector panels of suppliers becoming available. The Post Office makes
extensive use of this low-cost route to market and new/refreshed panels are subject
to frequent delays from Crown Commercial Services. Single interim extensions [of
periods under 12 months] while tender processes are run are considered to be low
risk legally.
e) Changes in scope or value over the term of a contract may render the extension or
renewal of services non-compliant. Material changes to the scope of a contract may
render the whole contract non-compliant.
f) Disregard for, or lack of understanding of the regulations.
6. Why are we receiving this report?
A decision to collate this information into a single location was taken in the Autumn of
2016. The aim is to track and improve our overall compliance and commercial results as
an organisation, while also ensuring perceptions are accurate. However, it should be noted
that it will facilitate timely responses to Freedom of Information requests which adds risk
to the Post Office commercial landscape.
7. Are any of these breaches arguable on regulatory grounds or are they all breaches?
A full explanation of the individual compliance breaches for direct awards over £189k
[previously £164k & £181k] threshold is attached in Appendix 1. Each entry details the
nature of, and the value of the breach. The threshold is altered every two years based on
the FX rate between GBP and the Euro.
The Procurement Compliance Register does not at present give an indicative risk level
attached to the award. This information is provided to the accountable executives under
internal governance processes in the form of a PCR risk note before a contract above
threshold is entered into, and if necessary, under Legal Privilege. In addition, all
signatories to a contract have sight of the Risk note as part of the Contract Authorisation
Form [CAF].
All entries are compliance breaches. A period of challenge applies to each PCR breach once
an aggrieved party becomes aware or ought to have become aware. This risk finally
expires at 6 years from the date of breach. The defensibility of a legal challenge is outlined
within a Risk Note.
8. How many of the breaches were approved in advance and how many retrospectively?
All contracts entered into during this period were compliant with internal governance
processes on contract and commercial review.
9. Why were the approvals given?
The rationale for approval is relevant to the individual service and is detailed within
Appendix 1.
10. What were the unapproved, material breaches?
There were no unapproved, material breaches during this period.
11. Describe what you are doing about the breaches. Where we are in breach, do we have a
plan to come back into compliance and over what time period will that plan take effect?
a) A forward view of material contracts falling under each Business Unit is currently
prepared by the relevant Procurement Manager for discussions with their key
stakeholders. The maturity of this look ahead view does vary currently and is
consistently a high priority activity within the team.
b) Sourcing options papers are prepared for review by contract managers and key
stakeholders [risk, legal, security] with routes to market agreed. In many cases these
are dependent on evolving business and operating model strategies and the
Procurement team are actively involved helping to advise and review options as
thinking evolves.
c) Where a non-compliant award is proposed due to time pressure, Procurement are
actively working on long term mitigation with awards made on an interim basis to
meet urgent operational needs.
d) Each RCC member now receives a regular report on compliance within their business
unit[s].
e) A Risk & Governance process requires a Risk Exception report to be created for non-
compliant direct awards with GE sign off.
f) Awards over £189k must have prior Board approval before being entered into.
g) All Professional Services engagements must be approved in writing in advance by the
CFO/COO. A compliant panel of preferred consulting partners has been appointed and
proposed engagements outside of this panel are subject to additional review and
challenge.
h) Procurement provides training as part of the revised Induction process for new staff.
Training packs are being updated for existing staff and a new training module made
available on Successfactors. Ad hoc training sessions for interested Business Units are
also run.
i) A new Intranet site has been launched for Procurement to improve visibility of process,
regulation, and the panels of approved compliant suppliers available to POL business
units.
j) A revised POL Procurement Policy and supporting processes are in progress, giving more
granular guidance.
k) Using Crown Commercial Services frameworks, panels of Preferred Suppliers are being
refreshed and updated across a wide range of spend categories to reduce time to
market, improve compliance and greatly improve commercial outcomes and legal risk.
l) A planned change to operational systems will, once live, give Procurement earlier
visibility of potential compliance issues eg: contractual value thresholds.
Risk Assessment, Mitigations & Legal Implications
12. As a business in receipt of public funds, POL is bound by the Public Contract Regulations
(2015). PCR 2015 obliges POL to behave in a fair, objective & transparent way when
contracting with 3rd party suppliers. Additionally, set procedures must be followed for
spend above £25k and £189k.
13. Failure to abide by the legislation, or “slicing and dicing” contracts, exposes POL to risk,
both as far as the commercial outcomes of the contracts are concerned and in the reputational
damage, legal remedies, censure & fines that can follow the discovery of a breach. Our
compliance with PCR can be requested under a Freedom of Information request at any time.
14. The PCR Compliance Register allows for the tracking of breaches to PCR regulations at the
Post Office and internal governance processes. One aim of collating this information is to
drive improvement in awareness and compliance behaviour across the organisation. The
second and primary aim is to work with GE and Business Units to commence commercial
reviews in a more timely way ensuring POL obtains value, commercial and contractual
flexibility fitting the requirements and business strategy of the organisation.
15. Contract and financial governance policy and processes at Post Office are set by the Legal,
Risk and Governance team, with clear guidelines for staff available on the Company
Secretariat team intranet site. This sets out the steps to be taken to obtain financial and
contractual approvals prior to making a binding commitment to an external party. Non-
compliance with internal governance processes is also captured within this report.
Appendix 1 - All Open Material Incidents
Date | Category | Business Unit | Executive Owner | Supplier | Notes
10/01/2018 (final) | Software | Retail & Franchise | Amanda Jones | [supplier illegible] | Maintenance and support previously provided under a Regulation 32 exemption for IPR. Cover has now expired and a compliant route found. Negotiations are under way.
[date illegible] | PR | Corporate Affairs & Comms | Richard Taylor | Cardew Group | Direct award; no Procurement engagement.
7/03/2020 (interim) | IT Software | IT | [owner illegible] | Interchange | POL inherited the Galaxy system and support contracts from Royal Mail as part of, then descoped from, the compliant OJEU tender for [illegible] 2015.
19/03/2020 (interim) | IT Software | IT | Jeff Smyth | [supplier illegible] | Part of the Galaxy solution for Swindon [illegible]; the future of Swindon has been under consideration for some time and these licences and support contracts have been rolled over year on year in the absence of a long term direction.
19/03/2020 | Media | Marketing & Brand | Emma Springham | [supplier illegible] | Contract extended to cover the OJEU process timeline, which has been extended due to Covid. Completion due March 2021.
19/03/2020 | Marketing | Marketing & Brand | Emma Springham | [supplier illegible] | No frameworks and no appetite in [illegible] for full OJEU. Limited other suppliers who have access to the market or similar software. Software reseller not an option. Approved by Board March 2020.
21/05/2020 | Supply Chain | Operations & Supply Chain | Alisdair Cameron | Kings Secure Technologies | Medium threshold. Interim contract put in place while POL [illegible] ATM terminals from [illegible]. Board approval granted.
21/05/2020 | Supply Chain | Operations & Supply Chain | Alisdair Cameron | Cardtronics | [threshold illegible]. Interim contract put in place while POL [illegible] ATM terminals from [illegible]. Board approval granted.
25/05/2020 | SaaS | Marketing & Brand | Emma Springham | Splash | Medium threshold. A reprocurement exercise was underway but, due to Covid-19 and budget restraints, this exercise had to be put on hold. It also requires input from a solution architect, and workload has prevented this.
25/05/2020 | Banking Services | Retail & Franchise | Owen Woodley | Barclays | Contract extended with Barclays beyond the limits the OJEU allows.
25/05/2020 | Banking Services | Retail & Franchise | Owen Woodley | Barclays | Postal orders/Camelot cheques service, originally with Co-op; they terminated the contract in order to exit the cheque clearing market. Barclays stepped in to pick up the service as it is very similar to cheque clearing. Work under way to review if it can be tendered alongside the main cheque clearing services.
10/07/2020 | Public Affairs | Corporate Affairs & Comms | Richard Taylor | Lexington Communications | Direct award for GLO related PR services. Board approval given.
10/07/2020 | Marketing | Marketing & Brand | Emma Springham | [supplier illegible] | Direct award, trademark services. Contract transferred [illegible] to Marketing but compliance status was unknown and it was too late to retender. WIP for 2021.
10/07/2020 | Professional Services | Finance | Alisdair Cameron | [supplier illegible] | Threshold breached; was previously compliant.
02/11/2020 | Auditors | Finance | Alisdair Cameron | PwC | A compliant contract is in place but has lapsed during contract negotiations. A 1-2 year extension should have been signed before October. This hasn't happened as we have not agreed fees or next year's budget with PwC thus far.
01/08/2020 | Professional Services | Commercial | Owen Woodley | Grant Thornton | Urgent financial support required in relation to the HPBB sale.
11/11/2020 | Professional Services | Finance | Alisdair Cameron | Smith & Williamson | Board requested additional professional advice/support to form an independent view of the way in which the Group's funding agreements, financing arrangements, headroom limits, [illegible] defaults, commercial contract implications and net [illegible] (the "Facilities") have been forecast.
16/12/2020 | Professional Services | Commercial | Owen Woodley | Grant Thornton | Urgent financial support required in relation to the HPBB [illegible].
30/01/2021 (interim) | IT Hardware | IT | Jeff Smyth | NCR | Interim 1 month extension while commercial negotiations conclude.
28/02/2021 (interim) | IT Hardware | IT | Jeff Smyth | NCR | Interim 1 month extension while commercial negotiations conclude.
(excluding Audit Value)
Tab 12.3 Law & Trends
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Law & Trends Report
Meeting Date: 30 March 2021
Author: Sarah Gray, Group Legal Director
Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting
The Committee is asked to note the new or proposed material changes to laws and regulations
since the last Audit, Risk & Compliance Committee (ARC).
Executive Summary
There are 6 matters for the Committee to note (details of which are set out in the Appendix):
1. The Restriction of Public Sector Exit Payments Regulations 2020 revoked
The Restriction of Public Sector Exit Payments Regulations 2020 (“the Regulations”) came into
force on 4 November 2020 and set a £95,000 cap on exit payments (“the Cap”) for public sector
authorities. After extensive review of the application of the Cap, the Government has concluded
that the Cap may have had unintended consequences and the Regulations were revoked from 12
February. HR have identified one former employee who was affected by the Cap and will be
entitled to the additional sums that would have been paid had the Cap not been applied.
2. Supreme Court rules Uber drivers are workers
The Supreme Court has unanimously ruled that Uber drivers are employees under the
Employment Rights Act 1996 and are entitled to the national minimum wage, annual leave
entitlements and other legal protections afforded to employees. The judgment represents part of
a continuing trend for courts to find ‘worker’ status where they consider it appropriate to do so
on the facts. Whilst unhelpful, it should be noted that the Uber case focused on a different strand
of the ‘worker’ definition to the one being argued in the Starling case.
3. Public Contract Regulations (“PCR”) Post-Brexit
The key changes to PCR following the UK's separation from the EU are mostly practical changes
which will impact how POL conducts its new procurements from 1 January 2021, including
limitations on the enforceability of EU law and treaties; introduction of “Find a tender
service” the new UK e-notification service to replace OJEU; and inflight procurements, new
procurements and concluded frameworks. Procurements inflight as at 1 January will continue to
be subject to the unamended PCR regulations. New procurements will be subject to the
amended PCR regulations. Also, the operation of framework agreements concluded prior to 1
January will be subject to the unamended PCR regulations. POL is compliant with the post-
Brexit requirements.
4. State Aid - Update
A consultation (closing at the end of March) has been launched on the proposed approach for
establishing a new subsidy control regime to replace the state aid regime of the EU. POL is
preparing a response.
5.
FCA finalised Guidance on the Vulnerable Customer
The FCA have issued finalised Guidance for firms on the fair treatment of vulnerable customers.
The Guidance highlights the actions firms should take to understand the needs of vulnerable
customers to make sure they are treated fairly. This has become a key focus for the FCA due to
the impact of coronavirus. Post Office Compliance Team have been aware of the guidance and
are considering the collection of vulnerability data to assist with their review of current practices.
6.
Trial Witness Statements in the Business and Property Courts
From 6 April 2021, witness statements for use at trial in the Business and Property Courts only
will have to comply with the newly published Practice Direction 57AC (the “PD”). The PD therefore
will not affect any matters brought before employment tribunals, e.g. Starling, nor will it have any
impact on the Public Inquiry. It was introduced following judicial disapproval of witness
statements crafted by lawyers containing extensive reference to documents rather than
embodying the language of the witness. It makes substantial changes to the preparation and
content of witness statements. POL Legal will put a guidance document on the LCG Academy
intranet page.
Questions addressed
1. What new or proposed material changes to laws and regulations should the Committee
be aware of?
2. What are the implications to the Post Office business?
Report
See Appendix.
Appendix 1
1. Law & Trends Report: New material updates
Issue: 1. The Restriction of Public Sector Exit Payments Regulations 2020 revoked
Why it matters: As reported at RCC in November 2020, a Cap of £95,000 on exit payments in the public sector was introduced and applied to employees’ exit payments from 4 November 2020. The Regulations provided that Post Office “must not” pay exit payments (such as those due upon redundancy) at amounts in excess of £95,000. As such they purport to override employees’ existing expectations (some of which are contractual) to redundancy payments. However, the Government revoked these Regulations on 12 February this year.
Latest Developments: A former employee has been identified who was directly affected by the Cap whilst it was in force. They will be entitled to request from Post Office, as their former employer, the amount they would have received had the Cap not been in place.
Impact on Post Office: As the Regulations have only been in force for a short period of time, Post Office does not have significant steps to undo/reverse. Payment to a former employee who exited during the period the Regs were in force of the sum they would have been due [£x] had the Cap not been in place. Future exits by senior employees may cost Post Office more as a result of the revocation of these Regs.
Action: The Government still has the power to implement legislation and they have indicated they may have another attempt at bringing in similar regulations. Post Office HR will continue to monitor any developments. It is anticipated that if they do revisit exit cap regs, they will only apply to new joiners rather than existing employees.
Issue: 2. Supreme Court rules Uber drivers are workers
Issue: 3. Public Contract Regulations (PCR) post-Brexit
Why it matters: Post-Brexit, PCR 2015 remains, but the Public Procurement (Amendment etc.) (EU Exit) Regulations 2020 has been published as a UK statutory instrument to amend procurement legislation to reflect necessary changes required by the UK leaving the EU.
Latest Developments: The key changes are:
1. The UK's new “Find a Tender” service for publishing contract notices went live on 1 January 2021, replacing the Official Journal of the European Union (only for United Kingdom).
2. EU references have all been deleted from PCR.
3. The Government have published new guidance for Below Threshold Contracts allowing for more flexibility. This will allow POL the option to reserve contract opportunities by location; and/or reserve contracts to SMEs/VCSEs only (subject to restrictions).
4. Cross-Border Interest test - no longer applies to England, Wales and Scotland contract opportunities.
5. EC Treaty Principles - no longer applies to England, Wales and Scotland contract opportunities.
As a result of the NI Protocol Agreement, where POL procures below threshold supplies into NI and there is cross border interest (ie from a supplier in an EU Member State) POL must advertise the contract opportunity and conduct a competition in accordance with the EC Treaty Principles and POL’s internal procurement policy.
Impact on Post Office: For the time being, there is no reason to see why the current changes would not work or how they would be anything but favourable for POL. POL may want to support local business and have the option to procure from local suppliers, subject to complying with POL internal procurement guidance. POL still has the option to contract with a supplier across the border but would have to follow the old process of advertising in the OJEU, with the burden of adhering to the competitive EC Treaty principle process. Gov Guidance in Procurement Policy Note 11/2 Reserving Below Threshold Procurements will allow POL to reserve procurements by location and/or to SMEs/VCSEs. Certain restrictions apply (eg, ensuring value for money, management of risk, use of model contracts) and POL must also comply with its own internal procurement policy.
Action: To ensure compliance, POL’s Web 3 solution for contract management/e-procurement tool has been re-configured so that it interfaces with the Find a Tender Service. Procurement notices can therefore be published direct from Web 3 into the new e-notification hub. POL is otherwise ensuring compliance with the changes to PCR (of which there are few procedural changes) and the business may take advantage of the new freedom to reserve procurement.
Separately, the Government has issued a Green Paper consultation on reforms to procurement law. The aim is to streamline tendering procedures, make them more open and flexible (to replace negotiated and competitive dialogue) and limit tendering (in crisis or extreme urgency). There are proposals for publication of annual pipelines and any contract amendments. The Government also aims to carry out a review of the court process and introduce a Tribunal System for some challenges and remedies other than damages.
The consultation closes on 10 March 2021. The Procurement Director (Barbara Brannon) is currently reviewing the Green Paper and co-ordinating a proposal for the consultation. Anyone who wishes to contribute should contact Barbara. Thereafter, POL is to await publication of the response to the consultation and update accordingly.
Issue: 4. State Aid - Update
Why it matters: From 31 December 2020, the State Aid (Revocations and Amendments) (EU Exit) Regulations 2020 revokes EU State aid rules and the EU no longer has any power to investigate and take decisions on state aid measures granted by the UK. [The exception is state aid that affects trade between Northern Ireland and the EU - this would be subject to the Protocol on Ireland/Northern Ireland.]
Latest Developments: From 1 January, until the UK establishes detailed rules for a domestic subsidy regime, it will now be operating under an interim subsidy regime. After 1 Jan 2020, when awarding subsidies, public authorities should take into account:
1. Giving a subsidy correctly (subject to international obligations) - a subsidy is currently defined as a measure which is given by a public authority; makes a financial or in-kind contribution to an enterprise; and affects international trade;
2. Whether the subsidies are prohibited; and
3. Whether the subsidy meets the terms of the principles in the UK-EU Trade and Cooperation Agreement (if over £350,000).
The Government has launched a public consultation to consider and inform the further development of its new Subsidy Control regime. The Consultation closes on 31 March 2021. In its consultation the Government is asking for views on:
+ whether the UK should apply its own additional principles on subsidy control, as well as those set out in the UK-EU Trade and Co-operation Agreement
+ how best to ensure transparency across the system
+ the possible roles and responsibilities of the independent body that will oversee the new system
+ how this independent body could have some role in supporting enforcement of the principles, alongside normal judicial review standards
+ how the system could seek to introduce exemptions consistent with our international obligations (for example, natural disaster relief or in response to global economic emergencies)
Impact on Post Office: The new regime consists of a subsidy control system and consists of:
+ long-term replacement for the EU’s prescriptive state aid regime,
+ more dynamic in providing support to businesses to encourage job creation and growth across the UK,
+ based on principles ensuring delivery of strong benefits and good value for money in a timely and effective way,
+ local authorities, public bodies and the devolved administrations in Edinburgh, Cardiff and Belfast will be empowered to decide if they can issue taxpayer subsidies.
Action: POL is currently coordinating a response to the Consultation.
Issue: 5. FCA finalised guidelines on the Vulnerable Customer
Why it matters: Following consultations in July 2019 and 2020, the FCA published a draft consultation Guidance for Firms on the Fair Treatment of Vulnerable Customers. The Guidance is on how regulated firms would meet the FCA Principles for Business, and they apply to POMS, Capital One, BOI and POL (as an appointed representative of POMS). Since then, the business have been considering further work, notably around culture and understanding the makeup of our customer base. The FCA considers 47% of the population could be regarded as potentially vulnerable.
Latest Developments: The FCA has now finalised its Guidance for firms on the fair treatment of vulnerable customers. The Guidance aims to provide a framework that allows firms to accurately assess whether they are treating vulnerable consumers fairly, ensuring consistency across the financial services sector. The Guidance sets out the FCA's expectations on: understanding the needs of vulnerable consumers; ensuring that frontline staff have the necessary skills and capability to recognise vulnerability; and for firms to consider the characteristics of vulnerability present in their target market or customer base and how they can meet customers’ needs through the design of products and services, their customer services and their communications.
Impact on Post Office: The FCA’s view of vulnerability is as a spectrum of risk. All customers are at risk of becoming vulnerable, but this risk is increased by having characteristics of vulnerability. These could be poor health, such as cognitive impairment, life events such as new caring responsibilities, low resilience to cope with financial or emotional shocks and low capability, such as poor literacy or numeracy skills. As such, one key requirement for POL is to better understand our customer database. Post Office would be required to consider anything that would have an impact on vulnerability. Consideration needs to be made across the whole life cycle of a product from its design to distribution and thereafter. POL has provided vulnerable customer training on SuccessFactors and produced accessibility guidance.
Action: It should be noted that this is guidance rather than mandatory and there is no immediate requirement to implement any changes. Notwithstanding the above, our two principals are both doing a gap analysis to review processes to evaluate where the needs of vulnerable consumers have not been met, so that improvements can be made. For example, in POMS call centres they will be asking customers to self-identify their vulnerability.
Title: H2 Legal Risk Report 20/21
Meeting Date: 30 March 2021
Author: Sarah Gray, Group Legal Director
Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting
The Committee is asked to note this report and endorse current actions designed to mitigate
the risks identified and suggest any further actions that should be implemented.
Strictly Confidential & Legally Privileged
Appendix 1: Annual Legal Risk Report
Tab 12.5 Strategic Partner Financial Stability Update
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Strategic Partner
Title: Financial Stability update
Meeting Date: 30 March 2021
Author: Emma Conroy, Interim Head of Strategic Partnerships / Ed Dyer, Working Capital & Cash Management Lead
Sponsor: Dan Zinner, Group Chief Operations Officer
Input Sought: Noting
The Committee is asked to note the partner financial stability update.
Previous Governance Oversight
Audit, Risk & Compliance Committee (ARC) papers Mar 20 and Nov 20, Risk & Compliance
Committee (RCC) Mar 21
Executive Summary
At the ARC meeting in Nov 20, discussion was held as to the rigour around the monitoring
and tracking of Strategic Partners. The ask was to provide the committee with confidence
that the business had a robust solution in place to support monitoring and mitigation of
risk, and to come back to you in May; we are on track to deliver this for the May
committee.
This paper provides an update specifically on [redacted], where risk has been greater over
the past 18 months. We update on the current trading position of [redacted], where some
positive news has been communicated in the last few weeks, and given previous
concerns, this news should provide the business with some comfort around the stability
of [redacted]. [redacted] material change has been seen since the last update, albeit news in
the last few days has been positive in terms of Jan & Feb trading performance, up at 74% & 84%
respectively. Interim HY results are due from [redacted] on 29 April; we therefore propose
to provide a further update at the ARC meeting in May.
Questions addressed
4. What is the current financial status & risk to the most concerning of our strategic partners?
Report
What is the current financial status & risk to the most concerning of our strategic partners?
([IRRELEVANT] status: AMBER)
5. [IRRELEVANT] preliminary results for the 53-week period ended 29 November 2020 are due to
be published on 23 March 2021. The trading update published on 10 December 2020
pointed to adjusted EBITDA pre IFRS 16 of between [IRRELEVANT].
6. Revenue growth of 2.3% has been offset by margin pressures driven by a change in
shopping behaviours during the pandemic, to deliver EBITDA lower than the previous
financial year.
7. [IRRELEVANT] continues to suffer from an overleveraged balance sheet, with a net debt to
EBITDA ratio of c.3.1x as at 29 November 2020.
8. Importantly, [IRRELEVANT] which has agreed to amend [IRRELEVANT] facilities to offer improved headroom against
covenants, a realigned amortisation schedule and an extended maturity date to February
2024. The facility consists of a revolving credit facility [IRRELEVANT] and an [IRRELEVANT].
This follows the sale of its head office for [IRRELEVANT]. [IRRELEVANT] to become the single
wholesale supplier to the [IRRELEVANT] in 2027. The agreement
also covers the [IRRELEVANT] three years. Whilst [IRRELEVANT] partner risk.
9. The market reacted positively, with the share price increasing from [IRRELEVANT] before to
trading around [IRRELEVANT] as at 9 March 2021.
10. Prior to the extension of its banking facilities, Experian's reporting of supplier payments
beyond terms showed [IRRELEVANT] delaying payments to suppliers on a growing basis, from 63
days in February 2020 to 156 days by January 2021. This suggests cash conservation in
order to comply with banking covenants. The support from its banking syndicate
should enable the business to improve payments to suppliers, which we will monitor over
the coming months.
11. [IRRELEVANT] continues to deliver against its closure plan announced last year, which has seen
the Post Office branches reduced from 608 to 522, with a view to this reducing to 456
by June 2021. We are currently collating with the network a RAG status report by partner
of those locations that are critical / important / manageable risk, to ensure we understand
at any one time the level of critical risk within the partner estates.
12. In conclusion, the recent announcement from [IRRELEVANT] is positive as it provides a period
of stability to deliver against the turnaround plan. However, it is important that POL
remains alive to the risk of failure given [IRRELEVANT]'s overleveraged financial position, which
leaves it vulnerable to trading downsides or adverse shocks. We will continue to monitor
[IRRELEVANT] closely.
Key metrics (values redacted in the source):
• Revenue (Nov-19)
• Operating Profit/(Loss) (Nov-19)
• Net Debt/EBITDA (Nov-20)
• Net assets (24-May-20)
• Market cap (09-Mar-21)
• Experian Delphi Score (out of 200)
• Experian - Odds of Failure (next 12 months)
• Value of outstanding CCJs
• Number of POL branches
• POL Income YTD (£m)
• POL Income YoY (%)
• POL Income YTD v Target (%)
Red flags:
• Announced plans to close 300 stores in Feb-20 (including 152 PO branches).
• Bank debt of c.[IRRELEVANT] is approx. 5.7x pre-IFRS 16 EBITDA of [IRRELEVANT],
which is high relative to typical lending limits of 4x.
• Supplier payments being stretched (see graph below), suggesting cash flow
pressures.
• Obtained support from its banking syndicate on 1 March 2021 to offer
improved headroom against covenants, a realigned amortisation schedule and
extended maturity date to February 2024. The [IRRELEVANT] facility consists of a
revolving credit facility and an amortising [IRRELEVANT]. This follows
the sale of its head office for [IRRELEVANT] in January 2021, which appears to
have been a condition of the debt facility structure.
• Delayed release of interim results from 14 July to 4 August (indication that
something needed resolving).
• 4 of the 8 directors appointed in the last 12 months.
Year end: November. Interim period end: May.
[Chart: 1-year share price trend. Source: Hargreaves Lansdown]
Operating profit in y/e Nov-19 driven by [IRRELEVANT] goodwill impairment.
[Chart: Supplier Payments Beyond Terms, [IRRELEVANT] vs industry average. Source: Experian]
Tab 12.6 DeepDive: Payzone Governance
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Payzone Bill Payments Deep Dive Report
Meeting Date: 30 March 2021
Author: Michelle Embrey, Quality & Risk Manager
Sponsor: Andrew Goddard, Payzone Bill Payments Managing Director
Input Sought: Noting
The Committee is asked to note the Payzone Risk & Compliance Update report.
Previous Governance Oversight
This is a follow up action for a deep dive from the previous Audit, Risk & Compliance Committee
(ARC) meeting on 22 September 2020. The paper was reviewed at the Risk & Compliance
Committee on 16 March 2021.
Executive Summary
This paper provides a summary of the following items within the Payzone Bill Payments (PZBP)
business:
• Key risks and mitigations
• Internal governance
• Compliance with regulation
• Internal audit
• Complaints and whistleblowing
• Customer and employee satisfaction
A comprehensive risk register exists within PZBP, with mitigations in place and reviewed
monthly by the senior management team. Improvements in the internal governance have been
implemented in the areas of risk management, change control, business continuity and
information security as well as the ongoing project to align key PZBP policies with the Post
Office (POL). The internal audit conducted by POL concluded that the control environment in
PZBP is appropriate for the size and complexity of the organisation. Ownership of the PZBP
legal register has been transferred from POL group legal to PZBP and reviewed annually at the
PZBP Board.
Complaint handling improvements have been identified to incorporate feedback from
customers, retailers and clients. The overall Trustpilot scores remain high at 4.5, reflective of
strong retailer and customer helpdesk support, with some of the highest scores in the last 12
months in Period 11. Employee satisfaction levels remain positive, with small negative changes
in wellbeing during the lockdown, and in engagement following the first of two major
organisational restructures within 6 months.
Overall, the business has progressed significantly in incorporating controls, policies, and risk
management practices, with further improvements identified and resourced.
Questions addressed
1. What are the key risks within PZBP and what are the mitigations for these?
2. How is the internal governance embedded into the PZBP operation?
3. Are PZBP fully compliant with relevant regulations?
4. What is the complaints and whistleblowing process?
5. What are the customer and employee satisfaction levels?
Report
1. Key Risk
The following risks are extracted from the PZBP risk register, which is aligned with the POL
risk register:
a. Intermediate Risk — the ability for PZBP to deliver the 5 yr plan (risk score 9)
This risk has been promoted to become the intermediate risk at group level. The 5-
year plan on revenue and cost lines has been re-forecasted as a response to the
changing priorities due to the demands on the business from the Covid-19 pandemic.
At this stage, we continue to monitor the changes in customer buying behaviour (cash
to digital) and the requirements / desire of clients to enter into exclusive contracts as
well as plans to migrate to digital payments.
b. Poor trading conditions in the current pandemic (risk score 9)
The lockdowns during 2020/21 have had a significant impact on the bill payment trading
conditions with performance running behind original budget whilst holding up against
LY at 95%, and 96% of target (year to date week 49). Performance has been impacted
due to vulnerable customers shielding at home, clients working with customers to offer
credit and payment holidays, and branch and store closures/reduced opening hours
driving non-cash customers to pay through alternative means. We have continued to
negotiate with key clients by signing new Energy clients in Bright and Jersey and driven
new volume from agreements re-signed with E.On, EDF and via our energy platform
partners, Siemens and Itron, and we will drive additional revenue from new deals with
Allpay and Capita.
c. The impact of the Covid-19 pandemic on clients (risk score 6)
We are starting to see some of the smaller Energy companies struggle and fail due to
bad debt and cash flow impact. Their customers however are being absorbed by the
big 6 suppliers e.g., Robin Hood Energy taken over by British Gas, and this will drive
transactions into our networks. The transport industry has been significantly impacted
and will continue until people can travel freely, albeit we have positive engagement
with the likes of National Express Coach & Bus, GoAhead, First Group, Transport for
Wales, and Lothian Bus.
d. The long-term impact of the pandemic on finances (risk score 6)
Notwithstanding the changeable impact from Covid-19, the actions completed within
the PZ credit management function have resulted in a reduction in retailer debt to below
the levels seen pre-pandemic, at only 0.5% for failed direct debits and a collection rate
of 99%. Close daily monitoring and integrated credit, helpdesk and field support have
resulted in the improved performance.
e. The dependency on third parties (risk score 6)
Throughout the 12 months of the pandemic there is a risk to business-critical activities
that have a high dependency on third parties which have a possibility for high exposure,
for example, PLS which provide PZBP’s device engineering resource. The key suppliers
were contacted and requested to complete a questionnaire to understand their business
continuity plan arrangements in place to enable service levels to resume during the
pandemic situation. Regular calls are in place with key suppliers to monitor the service
during this changeable situation.
2. Internal Governance
a. Responsibilities
The PZBP Board of Directors is responsible for the overall business strategy and for
ensuring that an efficient system of internal controls is in place. These functions
include risk management, compliance, internal audit, change control, financial
accounting, information security and business continuity.
The senior management team is responsible for overseeing the process of
communication with the board by regularly reporting and informing on relevant
aspects, and for being actively engaged with the business to enable well informed decisions.
The senior management team also oversees the implementation of the strategy, the
risk culture, the code of conduct and the integrity of the financial information. The senior
management team identifies, manages and mitigates actual or potential conflicts of
interest.
b. Framework
PZBP have ensured that the organisational framework is suitable, effective and
transparent. The effectiveness is a result of appropriate human resource allocation.
A particular focus being on the improvement of the following internal controls:
• Improvement of the risk culture and management
• Change control with the implementation of the change advisory board, to be
further enhanced with the introduction of the gating process
• Business continuity and information security, evidenced by PZBP's ability to
efficiently continue operations in the current pandemic crisis and the achievement
of the UKAS accredited certifications ISO 27001 Information Security and ISO
22301 Business Continuity.
The overall framework and relationship with POL governance is detailed in the process
flow map in Appendix 1.
c. Policy Update
In an effort to align the key policies within PZBP, a gap analysis exercise was conducted
comparing PZBP and Post Office policies. The result of this was a list of 28 policies that
should be adopted, or PZBP specific policies created where adoption is not possible.
This paper provides a summary of the current status of the review with full detail in
Appendix 2. The recommendations put forward to the PZBP board are as follows:
• Adoption of 19 policies with no addendums or variations, which will be submitted
to the PZBP April Board meeting
• A variation required for 1 policy (the variants of Modern Slavery and Vulnerable
Customer have already been approved by the PZBP board), to be actioned by the July
PZBP board meeting
• There are 5 policies that are currently classed as under review and will be
implemented by the July PZBP board meeting
3. Compliance with Regulation
Compliance with regulations within PZBP is externally audited by a UKAS accredited
certification body as part of the ISO 27001 Information Security and ISO 45001
Occupational Health and Safety certifications. PZBP were found to be compliant with
applicable legislation.
A dedicated PZBP legal register is now managed by PZBP Legal Counsel and linked into
the POL legal register and is reviewed annually by the PZBP Board.
4. Internal Audit
An internal audit was conducted within the finance and IT functions by the POL audit team
in 2019. This audit concluded that the control environment in PZBP is appropriate for the
size and complexity of the organisation. There were 15 findings raised and of these only
2 are ongoing (See Appendix 3), to be completed by August 2021. PZBP are due to be
audited again in Q1 of the 2021/2022 auditing schedule once the schedule is approved by
ARC.
PZBP have 2 internal auditors responsible for the internal audit programme across all
functions within PZBP. This process assesses the quality of the internal control framework
by reviewing existing policies and procedures to ensure they remain suitable and comply
with the requirements of the ISO certifications. PZBP is also externally audited as part of
the UKAS accredited ISO standards. PZBP are currently certified to the following ISO
standards:
. ISO 9001:2015 Quality Management Systems
. ISO 45001:2018 Occupational Health and Safety Management Systems
. ISO 14001:2015 Environmental Management Systems
° ISO 27001:2013 Information Security Management Systems
. ISO 22301:2014 Business Continuity Management Systems
5. Complaints and Whistleblowing
The total number of customer complaints logged during 2020 was low, with an average
of just 2 complaints per month.
There are a series of improvements to be made that have been instigated and will be
completed by Q3 2021:
• SLAs to be introduced on response and completion
• Targets to be introduced and linked into business KPIs
• Complaints to be formally defined to ensure all complaints received are logged
• Technical upgrade to the CRM system to capture complaints
• Complaint reporting to be included in the business performance KPIs regularly
communicated to the senior management team.
There have been no instances of whistleblowing within PZBP during 2020. However, a
number of improvements have been identified, including adopting the group
Whistleblowing policy, appointing a whistleblowing officer and improving awareness of the
process. This will be completed by the July PZBP Board meeting.
6. Customer and Employee Satisfaction
a. Customer Satisfaction
The customer satisfaction is currently evaluated via a monthly customer satisfaction
survey and ongoing Trustpilot reviews. The results from the 2020 data show that customer
satisfaction is high with a Trustpilot score of 4.5 and the customer satisfaction survey
producing an average satisfaction level of 94%. Appendix 5 highlights the improving
Trustpilot scores with P11 showing the highest scores in the year against categories such
as friendly, going the extra mile, and overall satisfaction. Any retailers that are highlighted
via these channels that have provided a customer with a poor service are issued an
etiquette form and followed up, and this process needs to be enhanced.
There are a series of improvements that are currently being implemented and are
scheduled for completion in August 2021:
• Alignment of the PZBP surveys to the POL survey
• Customer satisfaction follow-up process and reporting
• NPS improvements
b. Employee Satisfaction
PZBP has assessed employee satisfaction via two pulse surveys, in April and
December 2020. The individual pulse surveys showed an increase in mental and physical
wellness from April to December and also showed a slight increase in individuals'
productivity in this same period. This increase from April to December is likely to be a
reflection of employees accepting the working from home requirement that was introduced
in March 2020 in response to the pandemic crisis. There was also a major restructure
implemented in September 2020, which explains the few areas that saw a minor decrease
in satisfaction (see Appendix 4). The high-level responses collated from these pulse
surveys were presented to the management team. Engagement champions were involved
in order to generate and implement the action plan.
A further pulse survey will be released in April 2021 and a full engagement survey will be
released in November 2021, and then annually thereafter.
Next Steps & Timelines
7. The key group policies recommended for adoption to be submitted for approval to the April
2021 PZBP Board meeting, with the physical security variation and review of the remaining
key group policies submitted to the July 2021 PZBP Board meeting.
8. The implementation of the complaints process improvements scheduled to commence May
2021, customer satisfaction improvements to be implemented by August 2021, pulse
survey in April 2021 and the engagement survey will be released in November 2021.
Appendix 1: Governance Framework
[Diagram: governance framework process flow map showing the PZBP Board, Senior Management and the relationship with POL governance]
Appendix 2: Policy Update
Policy gap analysis by department (ticks in the source indicate adoption; rows illegible in the source are omitted):
Corporate Governance
• Conflict of Interest: adopt
• Contract execution: adopt
• Modern slavery statement: variation. Current statement cannot be adopted due to PZ not having [illegible]; PZBP could be included in future iterations with amendments
Risk
• Risk Appetite Statement: adopt
• Risk [illegible]: adopt
Financial Crime
• Financial crime: adopt
• Anti-money laundering & counter terrorism funding: N/A
• Vulnerable customer: variation. Current policy cannot be adopted due to PZ not having [illegible]
• Anti-bribery & corruption: adopt
Business Continuity
• Business continuity management: adopt
Legal
• Freedom of information: adopt
Data Protection
• Protecting personal data: adopt
• Document retention policy
Internal Audit
• Internal audit charter: adopt
Cyber Security
• Cyber & information security
Procurement
• Procurement: adopt. Procurement policy is in draft form
Health & Safety
• Health & safety: adopt. Discussion with [illegible] with regard to applicability to PZBP
Physical Security
• Physical security: variation
Conduct
• Code of business standards: adopt
Human Resources
• Whistleblowing: adopt
• Equality, diversity & inclusion
Finance
• Post Office treasury: further review by an individual with specific experience
Appendix 3: Internal Audit
Finding 1 (Finance, Scope Area: Governance): Financial policies and processes do not fully reflect the current operation.
Rating: P2. Action owner: Stephenie Smith. Date: [illegible].
Response: The main processes are documented. Further work required regarding VAT and debt management, but these are due to changes. Completion date scheduled for July 2021.
Status: Ongoing.
Finding 2 (Finance, Scope Area: Core Financial Processes): Client Trust bank accounts remain in the name of PZUK.
Date: 25/10/20.
Response: A TSA is in place with Takepayments. A project is underway to enable the separation of the banking structure. Completion date scheduled for Aug 2021.
Appendix 4: High-level Pulse Survey Results
April 2020 Pulse Survey (75% response rate):
• 93% of respondents were feeling between great and okay physically
• 94% of respondents were feeling between great and okay mentally
• 91% of respondents said that their current working environment enabled them to be productive within their role
• 91% of respondents said that their work schedule was flexible enough for them to balance their responsibilities between family & personal
• 95% of respondents said that their manager listens to their ideas and feedback
• 91% of respondents said that their line manager creates an environment which encourages team collaboration and clarity of direction
December 2020 Pulse Survey (53% response rate):
• 100% of respondents are feeling between great and okay physically
• 98% of respondents are feeling between great and okay mentally
• 93% of respondents say their current working environment enables them to be productive within their role
• 83% of respondents say that their work schedule is flexible enough for them to balance their responsibilities between family & personal
• 93% of respondents say that their manager listens to their ideas and feedback
• 84% of respondents say that their line manager creates an environment which encourages team collaboration and clarity of direction
Appendix 5: End user Customer Satisfaction Results
[Table: end user customer satisfaction scores by period (Period 01 to Period 11). Driver scores: Friendly, Professional, Knowledge, Understanding, Efficiency, Ease, Clean & Tidy; and Wait Time Acceptable, Satisfaction, Emotional Impact, Perceived Wait Time, Clear Directions, Average, Opportunity. Per-period percentages are not legibly recoverable from the source.]
[Chart: Trustpilot review by star ratings]
Tab 12.7 Foreign Currency and Hedging
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Foreign Currency and Hedging
Meeting Date: 30 March 2021
Author: Tom Lee, Financial Controller; Pete Mitchell, Treasurer
Sponsor: Al Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to note:
• The process of revaluing foreign currency and the hedging of foreign exchange risk at Post
Office.
• The summary of issues identified in year, the manual fix implemented and planned changes
to create a better process.
Previous Governance Oversight
• Presented to Risk & Compliance Committee on 16 March 2021
Executive Summary
1. Post Office have a requirement to hold foreign currency inventory of notes and coins to
support the travel business. They buy and sell foreign currency both centrally from First
Rate Exchange Services via Hemel and at individual branch level. The Group's foreign
currency risk management objective is to minimise the impact on the profit or loss account
of fluctuations in the exchange rates. The Group hedges its foreign currency risk through
external forward contracts.
2. The foreign exchange movements are recorded at individual currency level, by branch, in
the Core Financial System on the SAP platform. Foreign currency holdings as at the end of
December 2020 were manually revalued. This manual revaluation demonstrated issues with
the auto-revaluation programme causing a £1.4m understatement of realised exchange
differences in the profit and loss account. A catchup posting was made in P9 to recognise this
amount and a manual fix has been put in to mitigate this risk going forward. Post Office
paid Accenture to design and implement the FX programme in SAP. A project is currently
underway to fix these issues within the FX programme.
Questions addressed
1. How is foreign currency revalued at Post Office?
2. Is our hedging strategy and processes fit for purpose?
Report
1. The aim of this paper is to provide an overview of foreign currency revaluation at Post Office
and how the Group seeks to hedge against its exposure for foreign currency risk.
Foreign Currency
2. Post Office branches hold numerous foreign currencies that may be bought from, or sold
to, customers. Reserves of foreign currency are held at the cash distribution centre in Hemel
Hempstead. The bulk of foreign currency holdings relate to Euros (c.65%) and US Dollars
(c.20%). Foreign currencies are supplied to Post Office by First Rate Exchange Services,
the joint venture with Bank of Ireland.
3. Accounting standards require foreign currency holdings to be recorded at the spot exchange
rate between the functional currency (for Post Office, this is Pounds Sterling) and the
foreign currency at several points in time:
a. Initial recognition (purchase of foreign currency).
b. Reporting date (period end and year end).
c. De-recognition (sale/settlement of foreign currency).
Exchange differences arising on the revaluation of foreign currency holdings at period or
year end are considered unrealised and are not immediately recognised in profit or loss.
Exchange differences arising on the revaluation of foreign currency when it is sold or settled
are considered realised and are immediately recognised in profit or loss. Any unrealised
exchange differences relating to the sold or settled foreign currency are also now recognised
in profit or loss.
4. In February 2020 an auto-revaluation programme was implemented in the Group’s Core
Finance System (“CFS”). Accenture built and tested the programme, with review and final
sign-off performed by Post Office. The programme executes every weekend.
5. Subsequent to implementation, several interrelated issues were identified with the auto-
revaluation programme, namely:
a. The programme does not realise exchange differences in profit or loss unless the
branch holding is zero when the programme is executed on a weekend.
b. The programme assumes that exchange differences should only be realised in profit
or loss if the sale results in a branch holding of zero for said foreign currency. Due
to this, if the branch holding remains above zero then the exchange difference is
treated as unrealised. There is no partial recognition of exchange differences in profit
or loss for currency sold during the week.
c. When the branch holding is zero at the point of revaluation, the programme realises
exchange differences in profit or loss. However, there is no associated posting to
clear out the unrealised exchange difference to profit or loss. Due to this, the
unrealised value builds up on the balance sheet, even if the associated foreign
currency has been sold.
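The recognition rules in paragraph 3 and the three programme defects in paragraph 5 can be replayed on a small ledger to see how the understatement arises and how a manual recomputation detects it. The Python below is an added illustration, not the page's own material and not the SAP/CFS programme or Accenture's code: the Ledger class, the single-branch single-currency model, the event list and the GBP-per-unit rates are all constructed, and the buggy path is this example's reading of defects (a) to (c).

```python
from dataclasses import dataclass
from decimal import Decimal as D

# Constructed illustration of the revaluation rules (initial recognition,
# reporting-date revaluation, de-recognition) and of programme defects
# (a)-(c). The Ledger is a hypothetical one-branch, one-currency
# simplification, not the real CFS/SAP programme.


@dataclass
class Ledger:
    units: D = D(0)        # foreign currency units held by the branch
    carrying: D = D(0)     # GBP carrying value of those units
    unrealised: D = D(0)   # unrealised exchange difference (balance sheet)
    realised_pl: D = D(0)  # exchange differences recognised in profit or loss

    def buy(self, units: D, rate: D) -> None:
        """Initial recognition at the spot rate."""
        self.units += units
        self.carrying += units * rate

    def revalue(self, rate: D) -> None:
        """Reporting-date revaluation: mark the holding to spot; the
        difference is unrealised and stays on the balance sheet."""
        diff = self.units * rate - self.carrying
        self.carrying += diff
        self.unrealised += diff

    def _release(self, units: D, rate: D):
        """Take `units` out of the holding at carrying value. Returns the
        proceeds-minus-carrying difference and the slice of the unrealised
        balance that belongs to the units sold."""
        share = self.carrying * units / self.units
        unreal_share = self.unrealised * units / self.units
        self.units -= units
        self.carrying -= share
        return units * rate - share, unreal_share

    def sell_correct(self, units: D, rate: D) -> None:
        """De-recognition: the sale difference is realised now, and the
        unrealised amount relating to the sold units moves to P&L as well."""
        gain, unreal_share = self._release(units, rate)
        self.realised_pl += gain + unreal_share
        self.unrealised -= unreal_share

    def sell_buggy(self, units: D, rate: D) -> None:
        """Defect (b): while the branch holding stays above zero nothing is
        realised; the difference is parked as unrealised."""
        gain, _ = self._release(units, rate)
        self.unrealised += gain

    def weekend_run_buggy(self, rate: D) -> None:
        """Defects (a) and (c): the weekend run realises only when the holding
        is zero, and then posts no offsetting clearance of the unrealised balance."""
        self.revalue(rate)
        if self.units == 0:
            self.realised_pl += self.unrealised  # unrealised is left in place


def simulate(events, buggy: bool):
    """Replay branch events; return the ledger and realised P&L at each period end."""
    led = Ledger()
    period_end_pl = []
    for ev in events:
        kind = ev[0]
        if kind == "buy":
            led.buy(ev[1], ev[2])
        elif kind == "sell":
            (led.sell_buggy if buggy else led.sell_correct)(ev[1], ev[2])
        elif kind == "run":  # weekend auto-revaluation run
            led.weekend_run_buggy(ev[1]) if buggy else led.revalue(ev[1])
        elif kind == "period_end":  # reporting-date revaluation
            led.revalue(ev[1])
            period_end_pl.append(led.realised_pl)
    return led, period_end_pl


def period_end_understatement(events) -> D:
    """The manual sense-check the paper describes: recompute realised P&L from
    first principles and compare it with the programme's figure."""
    _, manual = simulate(events, buggy=False)
    _, programme = simulate(events, buggy=True)
    return manual[-1] - programme[-1]


# Constructed scenario; rates are GBP per unit of foreign currency.
SCENARIO = [
    ("buy", D(1000), D("0.85")),   # buy 1,000 units for GBP 850
    ("sell", D(400), D("0.90")),   # midweek sale; holding stays above zero
    ("run", D("0.90")),            # weekend run, 600 units still held
    ("period_end", D("0.88")),     # reporting date
    ("sell", D(600), D("0.88")),   # holding goes to zero
    ("run", D("0.88")),            # weekend run with a zero holding
]

if __name__ == "__main__":
    for buggy in (False, True):
        led, pl = simulate(SCENARIO, buggy)
        print("buggy" if buggy else "correct", led, "P&L at period end:", pl)
    print("understatement at period end:", period_end_understatement(SCENARIO))
```

At the period end the correct ledger shows GBP 20 of realised gain from the midweek sale, while the buggy path shows none (defect b); once the holding reaches zero the buggy run finally realises GBP 38, but leaves the same GBP 38 sitting on the balance sheet as unrealised (defect c), which is the build-up the paper describes. The understatement function is the same comparison a bi-monthly manual revaluation performs against the programme's output.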
6. Foreign currency holdings as at the end of December 2020 (P9) were manually revalued
and have been revalued monthly since. This suggested that the issues with the auto-
revaluation programme had caused a £1.4m understatement of realised exchange
differences in profit or loss. A manual journal adjustment has been posted into CFS to correct
the profit or loss account, which was effectively a catchup journal for balances which should
have flowed within the year.
7. Post Office Limited (POL) were reliant on Accenture's design of the FX programme and hence
guided by them on the initial proposal. This is a common approach adopted by many organisations
that do not have internal expertise.
8. Accenture have been re-engaged to investigate and correct the issues identified in the auto-
revaluation programme. This work is currently underway and is expected to deliver a
solution by [year end]. We are working closely with Accenture to ensure that the revised
programme is thoroughly tested and addresses all issues identified.
9. In addition, the foreign currency revaluation process at Post Office has been reviewed, and
the following improvements are to be implemented by [year end]:
a. Responsibilities consolidated into Treasury, facilitating more oversight and control
over the end-to-end process.
b. Bi-monthly manual revaluation performed, providing a timely sense-check against
the auto-revaluation programme so that discrepancies can be quickly escalated and
investigated.
c. New validation checks and re-calculations built into the balance sheet reconciliations
for foreign currency general ledger accounts, providing additional assurance over
the accuracy of the auto-revaluation programme.
Hedging
10.The Group is exposed to foreign currency risk resulting from balances held to operate Bureau
de Change services. The Group’s foreign currency risk management objective is to minimise
the impact on the profit or loss account of fluctuations in the exchange rates. The Group
hedges its foreign currency risk on Euros and US Dollars, principally through external
forward foreign currency contracts to cover near-term future revenues with a number of
providers, including First Rate Exchange Services Holdings Limited.
11.The FX hedging strategy has been reviewed and benchmarked. POL are hedging 80-120% of
their exposure, up to five weeks in the future. This is in line with market practice using FX
forwards to manage the exposure. Minor adjustments could be made to both the length
and the percentage of hedges, but this would not have negated the issue.
12.The FX hedging process is split into two parts: the calculation of the hedge is prepared by the
Commercial team and executed by the Treasury team. Up until December 2020, when the
FX issue was highlighted, there was minimal review and oversight by the Treasurer. A
monthly review with the Commercial team is now in place. We are also discussing the options
to give Treasury more control of the end-to-end process. All hedges are currently recorded
on a spreadsheet, which is saved on a secure SharePoint site; however, this opens up the risk
of manual errors when recording the hedges and is not best practice. We currently place all
hedges with one bank and the process is managed by email and telephone, which is not best
practice.
Conclusion
13.The hedging strategy and processes are not the reason for the FX issue; there is some room
for improvement, but there is no material issue or risk with the hedging.
14.The SAP FX programme implemented by Accenture in February 2020 to revalue the Balance
Sheet and post realised gains and losses is not working as expected, overstating the cash
position and understating the Profit and Loss, as a result of not sweeping balances to the
Profit and Loss. The issue was not discovered early because the cumulative nature of the
problem and reduced trading levels masked it.
15.A good implementation partner should have manually revalued the solution for us for at
least three months post Go Live, to ensure the programme was working at different levels of
trading. We are paying a premium to Accenture for their depth of expertise.
16.POL were reliant on Accenture's design of the FX programme and hence guided by them on
the initial proposal. This is a common approach adopted by many organisations that do not have
internal expertise to lean on. Other Treasurers and SAP experts I consulted share my view
on this. We pay Accenture because they are the experts in SAP development and solution
design.
Actions
Action | Owner | Completion Date
Realised Gains and Losses for the identified calculation errors manually recalculated | Tom Woodhouse | Monthly until fix in place
Create Request to Quote (RTQ) for Accenture containing the Target actions | Pete Mitchell / Tom Woodhouse | 19/03/2021
Accenture to quote time and cost to complete the Target actions | Accenture | 26/03/2021
Treasury to start 2nd review of Balance Sheet reconciliations associated with FX movement | Pete Mitchell | 12/03/2021
Implement automated FX trading process | Pete Mitchell | 23/04/2021