POL00423692
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE RISK AND COMPLIANCE COMMITTEE OF POST OFFICE
LIMITED HELD ON TUESDAY 16 MARCH 2021 AT 10:00 VIA MICROSOFT TEAMS
Present:
- Alisdair Cameron (Chair) (AC)
- Helen Rhodes (People Shared Service Director) (deputising for Lisa Cherry, Group Chief People Officer) (HRh)
- Ben Foat (Group General Counsel) (BF)
- Amanda Jones (Group Retail and Franchise Network Director) (AJ)
- Cathy Mayor (Finance Director, Commercial) (CM)
- Jeff Smyth (Group Chief Information Officer) (JS)
Regular Attendees:
- Johann Appel (Head of Internal Audit) (JA)
- Mark Baldock (Head of Risk) (MB) (for Items 1 - 6)
- Jonathan Hill (Compliance Director) (JH)
- Tom Lee (Financial Controller) (TL) (for Items 1 - 8)
- Sarah Gray (Group Legal Director) (SG)
- Rebecca Whibley (Senior Assistant Company Secretary) (RW)
Apologies:
- Lisa Cherry (Group Chief People Officer)
Attendees:
- Tony Jowett (Chief Information Security Officer) (TJ): Item 5
- Peter Mitchell (Treasurer - Tax, Treasury and Supply Chain Finance) (PM): Item 6
- Jonny Lonsdale (Business Continuity Manager) (JL): Item 9
- Martin Hopcroft (Head of Health & Safety, Environment & Business Continuity) (MH): Item 9
- Andrew Goddard (Managing Director, Payzone) (AG): Item 10
- Mark Siviter (Product Portfolio Director - Mails, Retail, PUDO & Gov services) (MS): Item 11
- Andy Kingham (Franchise Partnering Director) (AK): Item 11
- Dan Zinner (Group Chief Operations Officer) (DZ): Item 12
- Katie Secretan (Head of Strategic Partnerships) (KS): Item 12
- Barbara Brannon (Procurement Director) (BB): Item 13
- Tim Perkins (Service and Support Optimisation Director) (TP): Item 15
- Sally Smith (Money Laundering Reporting Officer & Head of Financial Crime) (SS): Item 16
1. Welcome and Conflicts of Interest
The Chair opened the meeting and advised that all papers would be taken as read.
No conflicts of interest were declared.
2. Minutes and Action Lists
2.1 The minutes of the Committee meeting held on 12 January 2021 were
APPROVED.
2.2 Progress on completion of actions as shown on the action log was NOTED as
follows:
Action 1 from 7 November 2019 para 3.2 Supplier Contracts out of Governance
SSK: Commercial negotiations did not conclude as planned due to GDPR
complexities and the contract has been extended on an interim basis again to the
end of March. The completed contract was received on Monday and was now
awaiting review and approval from Post Office Legal. This review was expected to
complete prior to 22nd March in order that the risk is closed by the submittal of
the Audit, Risk & Compliance Committee (ARC) paper. Further update to be
provided at the next Committee meeting. The action remained open.
Action 2 from 14 January 2020 para 10.6 - Money Laundering Reporting Officer
(MLRO) Annual Report: MRC were still not conducting any meetings. The action
remained open.
Strictly Confidential Page 1 of 3
POL-BSFF-0238510
Action 3 from 13 July 2020 para 3.5 Compliance Report - TelCo: The Telco sale
completed on 15 March 2021 and the action was closed.
Action 4 from 10 September 2020 para 4 Pensions Assurance: The final data has
been sent to the Royal Mail Pension Plan (RMPP). This will form the basis for the
Trustee's report to the Trustee Board on 23 March 2021. HR have requested
advanced sight of the data to be presented. This was expected to give an initial
view of the quantum of the errors. A paper was being prepared for Project
Assurance Steerco on 8 April 2021 that will bring together the data, Post Office’s
obligations and wider considerations so that an approach to discussions with the
Trustee can be agreed. A further update will be provided at the next Committee
meeting. The action remained open.
Action 5 from 12 November 2020 para 3.1 Risk, Compliance & Audit Update — Risk
Dashboard: Updated Dashboard presented to the Committee on 16 March 2021
(see para 3.1 below) with data derived directly from ServiceNow following
successful data migration of Post Office risk data set in January 2021. Draft format
has been shared with ARC Chair. Format would be flexed in light of changing needs
and requirements. The action was closed.
Action 6 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update -
Internal Audit (Controls): An update on this work was contained within the
Compliance paper presented on 16 March 2021. [Please also refer to Action 19].
However this work has been paused and was not expected to restart for circa six
months. Accordingly, the action was closed with further updates in the Compliance
Paper in due course.
Action 7 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update -
Internal Audit (Joiners, Movers, Leavers): The IT actions for this have now been
completed with no discrepancies reported. HR have also confirmed this is
complete. The action was closed.
Action 8 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update -
Internal Audit (Data Deletion): Further action by IT to create an auto-delete
capability was subject to funding, which will be reviewed during 2021/22. This
action remained open.
Action 9 from 12 November 2020 para 4.2 Cyber Security (Phishing Training): This
list was provided as requested. The action was closed.
Action 10 from 12 November 2020 para 4.2 Cyber Security (Culture): The next
steps on culture/cyber awareness were now factored into the planning for the
2021/22 Cyber programme described in March paper (see para 5.2 below). The
action was closed.
Action 11 from 12 November 2020 para 4.4 Belfast Data Center Disaster Recovery
Testing: Jeff Smyth has agreed to schedule the next Disaster Recovery (DR) test
at a time in June which coincides with an opportune time in the Belfast exit
programme and the least invasive time in the PCI-DSS programme. There was some
further discussion around the dates now given some of the milestones in these
projects will be moved but the DR testing would remain in the same place (relative
to milestones) for those two programmes. In addition, IT were also looking at
doing further testing between now and the full DR test to ensure that more
assessment of resiliency was done (as far as practically possible) in parallel to the
programmes in question. The action was closed, but the Chair requested that it be
fed back that the test in June must go ahead (Rebecca Whibley to advise team).
(Action: RW)
Action 12 from 12 November 2020 para 6 Notification of Transaction Error: The
changes required in CFS have been agreed with Finance and Accenture. The date
for completion was to be confirmed, but will be later than 19 March 2021 as
indicated in previous updates. The subsequent Branch Focus article would also be
delayed. The action remained open, with the Chair noting that the delay in
implementing this was uncomfortable. Amanda Jones explained that the issue was
discussed on 12 March at the Improvement Delivery Group (IDG) and direction
was that the action needed to be completed.
Action 13 from 12 November 2020 para 16 Data Governance: An update was in
the Compliance Paper (see para 3.3 below). The action remained open.
Action 14 from 12 January 2021 para 3.1 Risk Update (MDA2): Risk rating was
reduced to 4:2 in line with signing of MDA2. The action was closed.
Action 15 from 12 January 2021 para 3.1 Risk Update (Purpose & Postmasters):
This was ongoing: Central Risk were currently supporting Retail & Franchise
Network in the identification of intermediate and local postmaster-centric risks (as
well as existing risks that impact postmasters). Updated dataset was to
be included on GRC in the next reporting period. The aim was for this to be
underpinned by an appetite statement on which ARC approval would be sought in May
2021. The action remained open.
Action 16 from 12 January 2021 para 3.1 Risk Update (GRC Tool): Business Case
approval was being sought for GRC Phase 2 rollout from April 2021. This would
support the rollout of risk management capacity to all Business Unit Heads and
Risk Owners thereby ensuring accountability was positioned appropriately. There
would be a requirement for Risk Owners to review their risks every 2 months
to allow for accurate Committee/ARC updates. The action was closed.
Action 17 from 12 January 2021 para 3.1 Risk Update (Telco Sale): In light of
Telco sale the status of all associated risks has been changed to 'inactive'. The
action was closed.
Action 18 from 12 January 2021 para 3.2 Risk Update (Legal & Compliance Risk
Appetite): Legal & Compliance risk appetite paper was presented at the Committee
in March (see para 3.2) which provides advice on how the approach to risk
appetite would address the challenges around Modern Slavery risks. The action
was closed.
Action 19 from 12 January 2021 para 3.3 Compliance Update (Controls
Framework): An update on this work was contained within the Compliance paper
(see para 3.3). [Please also refer to Action 6 above]. However this work has been
paused and was not expected to restart for circa six months. Accordingly, the
action was closed, with further updates in the Compliance Paper in due course.
Action 20 from 12 January 2021 para 3.3 Compliance Update (Data Management):
The Data Governance Steerco was already established for the data strand and was
up and running. A dedicated Data Governance lead role was being recruited (an
offer has been made) to take over the ownership of data governance and pick up
the initial work already conducted in this area e.g. identification of data owners /
stewards / SME's etc. The project was currently being led by Matthew Warren.
Further update to be provided at the next Committee meeting. The action
remained open, with the Chair commenting that this work was important and the
Committee commented the key was to be clear on overall accountabilities and a
timetable. Jonathan Hill explained this would be further addressed once the Data
Governance lead was in post.
Action 21 from 12 January 2021 para 3.3 Compliance Update (Cookies): An update
on this work was contained within the Compliance paper (see para 3.3). The action
was closed.
Action 22 from 12 January 2021 para 3.3 Compliance Update (Financial Services -
Multi-Principal Review): The team were still awaiting the first draft of this review
from the Principals. It has been chased and a response was expected within the
next 2 weeks. Further update to be provided at the next Committee meeting. The
action remained open.
Action 23 from 12 January 2021 para 3.3 Compliance Update (Financial Services -
Mystery Shopping): An update on this work was contained within the Compliance
paper (see para 3.3). The action was closed.
Action 24 from 12 January 2021 para 3.4 Internal Audit (Mails & Parcels): More
detailed actions were agreed with Mark Siviter and the report was re-circulated.
The action was closed.
Action 25 from 12 January 2021 para 3.4 Internal Audit (Historic Matters -
Common Issues Judgment (CIJ)): Management comment was added for the ARC
summary and the report was updated to reflect the latest status. A verbal update
would be provided at the ARC to reflect any further progress. Internal Audit now
track and report the remaining actions on a weekly basis. The action was closed.
Action 26 from 12 January 2021 para 3.4 Internal Audit (Post Office Insurance):
Audit report rating has been included in the table. The action was closed.
Action 27 from 12 January 2021 para 3.4 Internal Audit (Audit Actions): GE have
provided their approval of baseline crown jewel systems. No further follow-up
action required as update process is triggered by retirement/implementation of
key systems to baseline inventory. The action was closed.
Action 28 from 12 January 2021 para 4.1 PCI-DSS Update: This risk has been
closed off by the tech team in discussion with Santander tech team. They have
confirmed that Santander service will continue even while migration for the
dedicated link to the common Vocalink connection is undertaken, and all banks
(including Santander) can continue to use existing transaction types - so no
change was required from any bank. The action was closed.
Action 29 from 12 January 2021 para 4.3 Joiners, Movers, Leavers: The paper
was updated as requested prior to submission to the ARC on 26 January 2021. The
action was closed.
Action 30 from 12 January 2021 para 6 Supply Chain Historical IT Risks
(Questionnaire): IT have developed a "shadow IT" questionnaire and were
testing this approach locally within IT. This activity will be completed by 30 April
2021. Then IT will progressively use the same "amnesty and sweep" approach
across the wider business to determine scale and importance of non-IT supported
systems. The team will report back in May on IT progress findings with a proposal
for how to rollout across wider business. The action remained open.
Action 31 from 12 January 2021 para 6 Supply Chain Historical IT Risks (Further
Update): Following on from the previous update given to the Committee in
January, KPMG who undertook forensic examination of the impacted PCs have
found that no external access had been made to the devices. As a result no
compromise of Post Office data has occurred and no breach of any GDPR
obligations. KPMG made recommendations around password security and ensuring
the business had a robust asset register of all IT assets in order to ensure that this
issue could not be repeated. The Supply Chain / IT review of all Supply
Chain sites has not uncovered any further breaches and as such no further actions
are required. The action was closed.
Action 32 from 12 January 2021 para 7 Annual Money Laundering Report (Money
Service Businesses (Resources)): Meeting held between Lisa Cherry, Jon Hill and
Sally Smith to discuss pressures caused by recent structural changes and impacts
to team, together with increasing workloads caused by changing criminal
behaviours — there was alignment that there were resource requirements and that
these did sit within Financial Crime. The action was closed.
Action 33 from 12 January 2021 para 7 Annual Money Laundering Report (Money
Service Businesses (MSBs)): Following the last meeting, there has been more
movement at an industry level on driving focus on resolving the issues with cash
deposits, with several banks now being more proactive and having tightened their
controls. Martin Kearsley and Sally Smith have had several meetings with UK
Finance, and the National Economic Crime Centre (NECC) Project Admiralty is now
meeting monthly. The NECC were also meeting with UK Finance and Sally Smith to
discuss further ways to drive control improvements. At this stage, the issue with
MSBs has not been raised specifically with the banks, as if they implement
required controls, this ceases to be an issue for Post Office. We were also aware of
ongoing Law Enforcement/Regulator activity with certain MSBs which will likely
result in better controls. A further update will be provided to the next Committee
meeting. The action remained open, with the Chair noting that a clear outcome
was needed by May 2021.
Action 34 from 12 January 2021 para 7 Annual Money Laundering Report (Amazon
Vouchers): Payzone were progressing changes, but do not yet have
implementation dates; transactional changes and limits to the product are also
being pursued by EPay, but they have not yet confirmed the date of changes. Financial
Crime have requested that Payzone press EPay for a delivery date, or 'pause' sales
of the product. Payzone have provided the following update: weekly meetings
scheduled with the Financial Crime team were ongoing to ensure progression.
Talks with EPay and Amazon regarding fraud mitigations were continuing with
feedback expected for the next meeting. A ticket has been raised with Service Now
for a pop up message. A further update would be provided to the next Committee
meeting. The action remained open, and at the request of the Chair, Jonathan Hill
further explained that the team was also looking to impose a basket limit and a
pop up warning, which were subject to deployment time. This would reduce the
risk. The Chair noted that the data on transactions should be tracked to monitor
this issue.
Action 35 from 12 January 2021 para 7 Annual Money Laundering Report (Report
revision): This was addressed in ARC report in January. The action was closed.
Action 36 from 12 January 2021 para 7 Annual Money Laundering Report
(PCI DSS Programme): Session held between Jeff Smyth, Sally Smith and
relevant team members to understand types of data analysis that the team
perform. As part of data platform activity, the Financial Crime Team "use cases"
will be incorporated into the overall platform demand plan. Their needs will be
prioritised versus other business demand. It was anticipated that the requirements
gathering/analysis phase will occur in FY21 Q1, although this is subject to
Investment Committee funding prioritisations. The action was closed.
Action 37 from 12 January 2021 para 8 Pensions Assurance: David Scothern
replied to Ben Foat on 22 January 2021. Further update since then: The
pensionable pay data shows errors that date back to 2014 and contains both
overpayments and underpayments: It should be noted that this was data on
pensionable pay and allowances. This data will need to be processed by Royal Mail
Pension Plan (RMPP) administrators to convert it into pension benefits. RMPP
processes included the application of various underpins so errors in pensionable
pay data do not necessarily become errors in pension benefits. The action was
closed.
Action 38 from 12 January 2021 para 10 Update on Branch losses and balances on
Postmaster accounts (Change Spend): The change budgets relating to service
improvements, and including the Deloitte work, have all been put under a single
programme of work (Postmaster Service Improvement Programme) and this
Programme has been approved at Project Review Board and Investment
Committee. The programme will manage prioritisation of activities taking its lead
from the Deloitte work. The action was closed.
Action 39 from 12 January 2021 para 12 Mails Fraud Update (Analytical
Capability): The scope for this work was being looked at in the wider context of a
forensic capability being stood up within Horizon IT: there are natural synergies
around the set of capabilities to provide analytical services across a broad range
of processes and these can leverage off the work being looked at around rapid
surfacing of transactional data. Further update was to be provided in May 2021.
The action remained open.
Action 40 from 12 January 2021 para 13 Historical Matters Unit (HMU) (RACI
Matrix): A draft RACID matrix was shared with Historical Matters Committee on 18
February 2021 and with GE w/c 22 February 2021. Additionally, the draft RACID was
shared with internal audit for feedback. Feedback from the CFO was being reviewed
and discussions are ongoing with Finance and with the Strategy and Transformation
Director relating to governance arrangements, which will then be incorporated into
an updated RACID. The action remained open and it was agreed that there
remained uncertainty about the roles within HMU and its interaction with BAU.
The Chair also highlighted assurance within HMU and Johann Appel explained that
Internal Audit had found that governance had taken too long to formalise
within HMU. It was agreed that Graham Hemingway should meet with Gareth Clark
of IDG to finalise the RACI from both sides (HMU and BAU) and then this should be
reviewed by the Chair, Ben Foat, Dan Zinner, Declan Salter and Johann Appel.
(Rebecca Whibley to inform relevant individuals) (Action: RW)
Action 41 from 12 January 2021 para 13 HMU (GE Report): The HMU GE reports to
contain risks and controls. Risk Log for Scheme additionally shared with UKGI and
top risks reviewed at monthly monitoring meetings. Programme updates for each
workstream are included in the reading room for every Board submission. Declan
Salter calls out any issues in his monthly report for both GE and Board. The action
was closed.
Actions 42 - 44 from 12 January 2021 paras 14 & 15 Policies: These were
corrected prior to submission to the ARC. The actions were closed.
3. Risk, Compliance and Audit Update
Risk
3.1 Mark Baldock introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted:
- The paper was now again in dashboard format as ServiceNow was
implemented. The team was now seeking approval for the next phase of the
ServiceNow roll out at the Project Review Board, which would enable risks to
be managed beyond the Central Risk team by the relevant owners across
the business.
- There had been some challenges getting information on risks from the HMU
and all HR risks have been reviewed and added to the system.
- Postmaster risks were still being worked through but a Postmaster centric
risk view and appetite statement would be prepared soon. In response to
a question from Amanda Jones about whether the local risk on non-
compliance with GLO findings should in fact be an intermediate risk, it was
explained that there was no difference between the importance or visibility
of a local risk and an intermediate risk.
- Risks have been included for the post-COVID future workplace based on
returning to the office around September 2021.
- Around a third of the risks were acceptable risks, meaning that if ratings are
satisfactory, the business can be guided to focus on higher level risks. The
risks identified as the "top risks" were taken from ratings made by the
business and were mainly in the commercial space.
- The risk numbers and risk weights within the paper showed all risks across
the business, grouped by area and type. There might be some churn in
these risks, but ultimately these were thought to be about right.
The Committee discussed the following points:
The Committee otherwise NOTED the Risk Dashboard for onward submission to the
ARC.
Risk Appetite Statement: Legal & Compliance
3.2 Sarah Gray introduced the paper, which had been circulated previously and was
taken as read. The Chair questioned whether the position on modern slavery and
The Committee therefore:
i. NOTED the latest position on the Post Office's appetite to corporate
Legal & Compliance risks and our response to the comments provided
by the Committee and the ARC in January 2021, along with our
proposed Next Steps and timeline;
ii. APPROVED the Post Office's appetite position to corporate Legal &
Compliance risks, subject to the amends discussed regarding
competition law and modern slavery,
for onward submission to the ARC.
Compliance
3.3 Jonathan Hill introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted and discussed:
- Controls Framework: A decision has been taken to pause this work and
review this at the end of the summer, given Public Inquiry work and the
need for the business to have processes properly mapped. Controls work would
be done as needed, with Jeff Smyth particularly highlighting the IT controls
given the KPMG report.
- Telco: The transaction completed on 15 March 2021 and the team has
moved to Shell. Ofcom has confirmed it won't investigate the comms
incident and in respect of PSD2, the audit was accelerated. It passed for all
bar two individuals and for these individuals remediation actions have been
agreed. Close down report on Telco sale was expected later in the week.
- Cookies: Compliance has worked with the Digital team in Commercial and it
was agreed that there would be negligible commercial impact to put in
changes to place Post Office back "in the middle of the pack." The Chair
agreed that good progress has been made, but highlighted that being
middle of the pack was not a commitment and if it becomes further discussion
was required.
- Financial Crime: PipIT contract has now been formally exited. The Chair
questioned whether individuals depositing high values onto numerous cards
belonging to multiple partner banks at branches located in Scotland,
advising that the funds are to pay university tuition fees, was an issue.
Jonathan Hill explained the question was whether this was what the
deposits were actually for and, whilst it was the banks' job to establish this,
Post Office supported because of its work with NECC Project Admiralty. It
was also noted that the nationality of the individuals was irrelevant and
should be removed from the paper. (Action: JH)
- Supply Chain Compliance: It was identified that there were issues with the
Note Circulation Scheme Bond, with incorrect values being paid in.
Subsequently it was established that there were 14 late Bond incidents over
the last year. These have now been investigated, root causes established
and corrective actions to prevent recurrence have been implemented.
Compliance has undertaken assurance reviews at both Birmingham and
London to ensure new controls are effective and no further issues were
identified. A formal response to the Bank of England was sent on 26
February 2021. The Bank will decide if the incident warrants losing the late
Bond facility, issuing a fine or if they take no action. No response has been
received as yet.
- Documents from the Postal Museum: The Chair also noted that he had been
asked to help allow better access to the Postal Museum to examine
documents before the deadline for filing at Court of 22 March 2021. Ben
Foat agreed he would follow up with Nick Vamos on this. (Action: BF)
The Committee otherwise NOTED the Compliance Update for onward submission
to the ARC.
Internal Audit
3.4 Johann Appel introduced the report, which had been circulated previously and was
taken as read. The following points were discussed:
- Good progress had been made on the current year plan but the last three audits
had been delayed in order to provide assurance to the IDG in preparation
for the Public Inquiry.
- CIJ Improvement Programme: Four actions were outstanding which would
be tracked through the IDG and normal action tracking process. Johann
Appel was meeting with Declan Salter later on 16 March 2021 to agree the
management comment.
The Committee also made clear that this report should be shared with
Deloitte to ensure they were working from the same data and Internal Audit
discussions with Deloitte on this topic should continue.
- Historic Matters - Set-up and Governance: Johann Appel would also agree
management comment and finalise outstanding actions with Declan Salter
later on 16 March 2021. Johann Appel was asked to ensure the report was
discussed with Nick Read before it was finalised for the ARC.
Ben Foat highlighted that when discussing HMU governance, it needed to be
made clear that governance has only been lacking/not formalised over the
last six months or so, since the creation of the HMU and particularly in
relation to the Historical Shortfalls Scheme (HSS) and the Stamps scheme.
- Postmaster Reporting: This has concluded that the Management
Information (MI) currently provided was not fit for purpose and was largely
reliant on Area Managers providing the information, with no self-serve
option. Actions were being finalised with Nick Beal and then the report
would be issued. Amanda Jones highlighted that there was no "silver bullet"
answer to this issue as it depended on a number of things including data
and system investment. The Chair noted that there were a number of MI
issues across the business and any fixes would need funding. This needed
to be highlighted in the commentary and conclusions of the report before it
was submitted to the ARC.
In response to a question from Ben Foat, Amanda Jones confirmed that a
Postmaster scorecard was being developed as part of the Voice of the
Postmaster meeting. This particular audit was about the information
provided to Postmasters to help them run and grow their Post Offices. The
team were considering what could be done on Branch Hub to support the
provision of this information.
- Post Office Insurance Pricing Audit: The Chair requested that Johann Appel
add more information to the report before submission to ARC as to why the
audit was rated as needs significant improvement.
- Audit Actions: It was highlighted that the outstanding audit action
regarding Cyber Security Maturity Assessment should not be postponed a
third time.
The Committee NOTED the Internal Audit update, specifically progress being
made with delivery of the Internal Audit programme and completion of audit
actions. (Actions: JA)
4. Internal Audit Plan 2021/22
Johann Appel introduced the paper, which had been circulated previously and was
taken as read. It was explained that the initial plan had been adapted to address
IDG requirements. The plan was dynamic and would be reviewed quarterly.
Depending on the outcome of the planned IDG reviews in Q1, some of the Postmaster
focussed reviews could be brought into the main plan. The plan was Postmaster
centric, but the challenge was completing these Postmaster focussed reviews
alongside the required IDG work.
The Committee NOTED the draft audit programme for 2021/22 and APPROVED
the 2021/22 Internal Audit plan, for onward submission to the ARC.
5. IT Updates
PCI-DSS
5.1 The Committee NOTED the progress made during the last reporting period and
the key risks. It was also agreed that this need not be a standing agenda item for
the Committee moving forwards.
Cyber Security
5.2 Tony Jowett introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted and discussed:
- The Security Architecture document was late but was in progress. It was
agreed that an interim update should be provided to the ARC in March and
Tony Jowett was asked to add this to the paper before it is submitted to the
ARC. (Action: TJ)
- On the 2021/22 Cyber Programme, the focus was on Postmaster support
and Post Office's underlying maturity. The programme was now going
through portfolio and financial approval.
- A second desktop exercise has been completed and the report contained a
report from Nettitude (red team and pen test supplier). Essentially the test
went well across IT, but gaps were found in Post Office's technical
capabilities to quickly identify the location of Personal Information within
their network. The need for this capability will be assessed as part of
programme planning for 2021/22 and could cost around £1.5m. It was
requested that the potential £1.5m cost be "brought to life", including
the cost of the software, the potential cost or risk of not doing anything and
any alternatives. This needed to be added to the paper before it was
submitted to the ARC. (Action: TJ)
- On the Dashboard, a follow up with GE members on the recent fake
phishing attack has been completed. Those who clicked on the link but did
not complete the follow up 5 minute training task have been individually
contacted by the relevant GE members. Another fake attack will be done
and better behaviour was required.
The Committee NOTED the status and plans regarding the reduction of risk
associated with Cyber Security.
6. Foreign Currency and Hedging
Tom Lee and Peter Mitchell introduced the report, which had been circulated
previously and was taken as read. The following points were highlighted and
discussed:
- Post Office holds inventory (foreign currency) on its balance sheet
(hedging) for which there is a policy and this needed to be accounted for
and reported correctly.
- An issue was picked up in December 2020 relating to an automated
programme (from Accenture) which should revalue any stock and then post
the value. The programme was revaluing but was not then posting
correctly. This meant that Post Office was slightly overstating its balance
sheet and understating its Profit & Loss. This affected around £25m and, as
stock reduced significantly during COVID-19, the issue was not picked up
sooner. Foreign currency holdings as at the end of December 2020 were
manually revalued.
- Helen Rhodes questioned whether there was any redress with Accenture.
Peter Mitchell explained that this was being discussed with IT and that
Accenture had acknowledged they were partly at fault. However, ultimately,
Post Office had not lost money, it was just slow to recognise accounting
entries.
- Jeff Smyth questioned whether another opinion on the issue was required.
Peter Mitchell explained that he and Tom Lee were looking at it from a
Treasury and an Accounting perspective respectively, with Accenture considering
the technical solution. Manual revaluation has been used for the last three
months and this proved effective. Another opinion or internal audit view
could be sought, but the crux was making sure the manual calculation was
correct.
- Ben Foat questioned the ramifications of this issue including exposure to
First Rate Exchange Services (FRES) and other operational implications.
Peter Mitchell explained the only implications were for the Post Office
balance sheet. An adjustment has been put through to “catch up” the
balance sheet. There was no fundamental issue for the balance sheet or
P&L, it was just delayed recognition. There has been no loss to FRES or the
customer. However there were clearly lessons to be learnt about
governance and testing of systems before accepting the handover of them.
The Committee NOTED:
i. the process of revaluing foreign currency and the hedging of foreign
exchange risk at Post Office; and
ii. the summary of issues identified in year, the manual fix implemented and
planned changes to create a better process.
Mark Baldock left the meeting.
7. Bi-Annual Legal Risk Review (Non GLO/Starling)
Sarah Gray introduced the paper, which had been circulated previously and was
taken as read. The following items were highlighted:
- The categories of risk remained the same as the previous report in
September 2020. There had been good progress in a number of areas: LCG
Academy training on the Contract Management Framework (CMF), Exit
Management, Banking Framework, Post Office Current Account as well as
for policy owners and Payzone on competition. Further training for Post
Office on competition was planned.
- The previous report focussed on contract management. There were still a
number of risks in this area as the CMF was still embedding but it was
expected there would be a reduction in future.
- Overall it was a “healthy” report.
The Committee NOTED the Bi-Annual Legal Risk Review for onward submission to
the ARC.
8. Law & Trends Update
Sarah Gray introduced the paper, which had been circulated previously and was
taken as read. Two areas were highlighted:
- Following the revocation of the £95,000 cap on redundancy payments, one
individual in Post Office was identified as affected by the cap and the
difference was repaid in February payroll. This area was rated amber
because the Department for Business, Energy and Industrial Strategy (BEIS)
has indicated that similar regulations might be introduced in future.
The Committee NOTED the new or proposed material changes to laws and
regulations since its last meeting for onward submission to the ARC.
Tom Lee left the meeting.
9. Business Continuity
Jonny Lonsdale and Martin Hopcroft introduced the paper, which had been circulated
previously and was taken as read. It was explained that a gap analysis of the
alignment of the Business Continuity Management System (BCMS) to the BSI ISO
22301 (Business Continuity) standard has been completed. The Gap Analysis has
found that the overall status of the Post Office BCMS was non-compliant with some
aspects of the industry standard, in particular the lack of a detailed Business
Impact Analysis (BIA) for each department. A BIA should be in place for each
department to enable prioritisation of activities with the biggest impact in the
event of an issue. This underpins the BCMS and testing. There was definitely a lot
more work to do. The Committee raised the following points:
- Johann Appel was concerned that some of the gaps identified were those
that had been identified before through Internal Audit and that had been
confirmed as closed. It was agreed that Johann Appel and Jonny Lonsdale
would discuss this offline.
- The Internal Audit Plan also included a review of Business Continuity in Q4.
- The Chair was pleased to see progress in this area and questioned whether
Business Continuity Plan owners had been identified to ensure
accountability. Jonny Lonsdale explained that the majority of owners had
been identified, along with BIA Champions, and meetings have started to
guide individuals through the BIA and Business Continuity Plan. The key
was to document the accountability.
- Helen Rhodes questioned whether there were any inherent risks or whether
it was simply an issue of lack of documentation. Jonny Lonsdale explained
that ultimately, the risks were unknown because the BIA was not
documented.
- The Chair further highlighted that an end-to-end test of Horizon and cloud
migration had not been completed and this was one of the biggest risks.
Jonny Lonsdale was asked to discuss this with Howard Booth and provide an
update to the Committee at its next meeting. JL
The Committee NOTED the summary findings of the Business Continuity Gap
Analysis review for Post Office Group for onward submission to the ARC.
10. Deep Dive: Payzone Governance
The Committee NOTED the Payzone Risk & Compliance Update report for onward
submission to the ARC.
11. Deep Dive: Dangerous Goods
Amanda Jones, Mark Siviter and Andy Kingham introduced the paper, which had
been circulated previously and was taken as read. The Committee discussed the
following points:
- This has always been an area of concern as branches are the first line of
defence, so ultimately Post Office could not control it completely. However,
responsibilities needed to be taken seriously as the consequences of
breaches would have significant financial and reputational impacts.
However, it was a complex area and not easy for Postmasters. The key was
to improve and systemise where possible so as to reduce the risk of breaches.
- Andy Kingham explained that the first phase of improvement was to offer a
Horizon menu-based alternative to the manual scanning of the dangerous
goods laminate (which requires individuals to remember to scan the
laminate). This was currently being trialled in 167 branches for feedback.
Provided this feedback was positive, this would be rolled out in waves from
April 2021 onwards with the potential of a full roll-out across the entire
network by the end of quarter one 2021/22. Further phases were outlined
in the paper. The Chair requested that the timeframes were made clearer in
the paper before the paper was submitted to the ARC.
- Around half of the failures from mystery shopping visits were because the
mystery shopper did not see the Postmaster put the relevant label on the
parcel. This could be addressed by printing the label with the transaction
(phase two). This required permission from the Civil Aviation Authority
(CAA). This required a three-way dialogue including the CAA and Royal Mail,
but Mark Siviter was confident the CAA would agree to the proposal.
- Phase three was subject to a business case and involved simplification on
Horizon to move the Dangerous Goods transaction start point earlier and
customer self-certification via the Pin-Pad. These changes could increase
the transaction time so this needed to be considered carefully.
- It was also explained that the pandemic had had the benefit of Area
Managers being in more frequent contact with branches, meaning Branch
Insight Tool data could be acted on more quickly.
Accordingly, the Committee NOTED:
i. the activity undertaken and planned in order to improve conformance to the
required process; and
ii. the anticipated improvement in mystery shopping conformance as a result
of the proposed system changes
for onward submission to the ARC. AK/MS
12. Strategic Partner Financial Stability Update
Katie Secretan and Dan Zinner introduced the paper, which had been circulated
previously and was taken as read. The following points were raised in discussion:
- The Chair questioned the strategy for building relationships with these
partners given it was clear that shops like McColls had benefited from the
pandemic but were still reducing the number of Post Offices in their
network. Dan Zinner explained that there was a hill to climb because of
Post Office’s history with its partners, but that the key was considering
different propositions of Post Office and ensuring better value for money,
technology and processes. Katie Secretan noted that for many smaller
stores an integrated Post Office proposition would help sell the partnership.
- The partners’ approach has shifted from looking at having Post Offices over
the whole estate to a branch by branch view. The key was to get them to
see the value of having Post Offices across their whole estate: the idea
being that partners would have Post Offices across their whole network but
that they could have flexibility on what format was used in each branch.
- The Chair also questioned whether there was a place for cashless branches.
Katie Secretan explained that for most partners simplicity was key, but
whether cashless was the best approach would depend on looking at data
on what services customers utilise in a particular branch. A further
consideration was what services drive additional basket spend in store.
The Committee otherwise NOTED the Strategic Partner Financial Stability update
for onward submission to the ARC.
13. Procurement Compliance & Governance
Barbara Brannon introduced the paper, which had been circulated previously and
was taken as read. The following points were highlighted:
- Lexington Communications Ltd was subject to approval by GE on 17 March
2021.
- Cheque Processing for Postal Orders and Camelot risk was due to be closed
by the end of March.
- Digidentity was to be discussed at GE on 17 March 2021. It was explained
that essentially, Digidentity were the only supplier able to offer the services
required for the UK Verify contract; however, Procurement were working to
ensure Post Office was not committed to an extension with Digidentity if
the requirements of UK Verify changed.
- Largely, the picture on Procurement was unchanged since January, with
two large, compliant contracts forming part of the GE paper for 17 March
2021.
The Committee otherwise NOTED the Procurement Risk Exceptions submitted to
the Post Office Limited Group Executive and Board since January 2020 and the
Procurement Pipeline for onward submission to the ARC.
14. Policies for Approval
The following policies were APPROVED for onward submission to the ARC:
- Health and Safety; and
- Procurement.
15. Postmaster Policies
Amanda Jones and Tim Perkins introduced the report, which had been circulated
previously and was taken as read. The following points were highlighted and
discussed:
- Six policies were presented for approval, which were part of a suite of 12
new policies. They have been reviewed by Legal and had input from the
National Federation of Sub-Postmasters (NFSP).
- A Guide for Postmasters on the policies was also included, which was a
specific request from the ARC. The policies were internal, i.e. for colleagues,
and the guide sets out Post Office’s obligations to Postmasters as part of the
Postmaster support guide.
- The Chair highlighted the need to measure the outcomes of these policies
to demonstrate that they were effective and it was critical to build in
compliance and assurance testing. Tim Perkins agreed that this was vital
and that an interim set of controls was already in place to ensure policies
were working effectively. A self-assessment of controls was carried out on a
monthly basis, feeding into a measure of policy effectiveness. More broadly,
there was a complaints and investigations dashboard and reporting to the
Voice of the Postmaster meeting on transaction corrections. Tim Perkins
was asked to add this detail to the ARC paper prior to submission. TP
- It was also noted that the Chair was listed as the GE Sponsor for the
Network Cash and Stock Management Policy but he had not been asked to
review it. Jonathan Hill was asked to ensure that policy sponsors were
properly briefed before policies were submitted for approval. JH
- On the Termination Policy, the Committee discussed whether someone
independent should be given the opportunity to review the termination
decision. Amanda Jones explained this was still being considered and she
was keen to understand what other franchises do. One option was to use
the Postmaster Non-Executive Directors. It was agreed that the policy
should be amended to include the intention that there would be some form
of independent review prior to submission to the ARC.
- On the Training Policy, questions were raised about how Post Office could
tell whether training was effective and the Chair felt that the policy should
state that onsite training would include times when cash deliveries and pick
ups happened as well as when monthly balancing was done. Tim Perkins
explained that training reviews were done at three and six month intervals
and the plan was to use branch data for better insight and to produce
dashboards. It was agreed that the policy would be amended to include
more detail on measures of training effectiveness. Ben Foat further
suggested that operational examples needed to be included in the policy to
bring it to life and this was to be done before the policy was submitted to
the ARC. It was also agreed that Tim Perkins would feed back to Tracy
Marshall (Postmaster Effectiveness Director):
1. Concerns about the reduction in training time from 5 weeks to a digital
offer with two days face to face training and a week of shadowing.
2. Whether the half day course on loss recovery/balancing should be
compulsory or longer. TP
- It was also requested that the MI from the monitoring of these policies was
reported on a quarterly basis to the Committee, with more regular reporting
to the Voice of the Postmaster meeting. (Rebecca Whibley to add to the
Committee agendas moving forward). RW
- Jeff Smyth also highlighted that there were some products that you could
not train on in the Counter Training Office and some support processes
could not be practised in full. Thought needed to be given as to how full
training on these products and processes could be given.
The following policies were APPROVED for onward submission to the ARC,
alongside the cover paper, subject to the amendments discussed above:
- Guide to Policy Standards for Postmasters;
- Postmaster Complaints Handling Policy;
- Network Transaction Corrections Policy;
- Network Cash and Stock Management Policy;
- Postmaster Termination Decision Review (see amendments above);
- Postmaster Training Policy (see amendments above); and
- Postmaster Onboarding Policy.
16. Whistleblowing Policy
The Committee APPROVED the proposed amendments to the Whistleblowing
Policy and the appointment of the Whistleblowing Champion, for onward
submission to the ARC.
17. Review of draft Audit, Risk and Compliance Committee meeting agenda for
30 March 2021
The draft ARC agenda for 30 March 2021 was NOTED with the following
comments:
1. The Payzone Governance Report could be a noting only item;
2. The Foreign Currency and Hedging Paper presented to the Committee
should be added to the agenda for noting only; and
3. Tracy Marshall (Postmaster Effectiveness Director) should be invited to
attend the Postmaster Policies section;
subject to the agreement of the ARC Chair. RW
18. Any other Business
There was no other business, save that it was noted that at future meetings, the
Chair would agree with the Committee at the beginning if there were any papers
that need not be discussed, such that presenters could be stood down in good
time.