Post Office Risk and Compliance Committee Agenda
POL00423693
13 September 2017
Venue: 1.19 Wakefield, Finsbury Dials
Start Time: 13.00    Finish Time: 16.00

Present:
Jane MacLeod (Chair)
Al Cameron
Mark Davies
Martin Edwards
Kevin Gilliland
Rob Houghton
Martin Kirke
Nick Kennett
Paula Vennells

In Attendance:
Johann Appel
Richard Williams
Amanda Radford
Georgina Blair
Deana Herley
Jonathan Hill
Jenny Ellwood
Sally Smith (item 3.3)
Tim Armit (item 3.6)
Ben Foat (items 6.1 and 6.3)
Barbara Brannon (item 6.2)
Paul Blackmore (items 8.1 and 8.2)
Chris Russell (item 8.3)

Apologies:
Agenda Item | Action Needed | For ARC | Purpose | Lead | Time
1. Conflicts of interest | | | Members to declare any conflicts of interest | Chair | 13.00 - 13.05 (5 minutes)
2. Minutes and action lists | Approval | | To approve the minutes of the meeting held on 20 July and update on actions | Chair |
3. Key Operational Risks | Discussion & approval | Yes* | To review the management of key operational risks | | 13.05 - 14.05 (60 minutes)
3.1 FS Conduct | | | | Jono Hill |
3.2 Change* | | | | Jenny Ellwood |
3.3 Financial Crime* | | | | Sally Smith |
3.4 IT Controls Framework & DR | | | | Rob Houghton |
3.5 Finance Controls | | | | Amanda Radford |
3.6 Business Continuity | | | | Tim Armit |
4. Annual Report and Accounts | Approval | Yes | To approve the risk section for the 2016/17 Annual Report and Accounts including top risks and executive declaration | Deana Herley / Richard Williams | 14.05 - 14.25 (20 minutes)
4.1 Executives' Declaration and Risk section for ARA | | | | |

* already discussed at ARC (others for noting)
POL-BSFF-0238511
Agenda Item | Action Needed | For ARC | Purpose | Lead | Time
5. Risk | Questions & noting | Yes | To note results of roll out of placemat in LRG and Finance and Operations | | 14.25 - 14.45 (20 minutes)
5.1 LRG Placemat | | | | Chair |
5.2 Finance & Operations Placemat | | | | Alisdair Cameron |
6. Compliance | Questions & noting | Yes | | | 14.45 - 15.20 (35 minutes)
6.1 Regulatory Framework | | | To discuss the legislative and regulatory framework applicable to Post Office | Ben Foat |
6.2 Procurement Compliance reporting | | | To review the Procurement compliance report | Barbara Brannon |
6.3 Criminal Finances Act | | | To note the requirements of the CFA | Ben Foat |
7. Audit | Questions & noting | | | | 15.20 - 15.40 (20 minutes)
7.1 Internal audit report | | | To note the Internal Audit Report | Johann Appel |
7.2 Camelot lessons learned | | | To note Camelot lessons learned | Kevin Gilliland |
8. Policies | Approval | Yes | To approve new and updated policies for onward submission to the appropriate non-executive body for final approval | | 15.40 - 15.55 (15 minutes)
8.1 AML & CTF | | | | Paul Blackmore |
8.2 Whistleblowing | | | | Paul Blackmore |
8.3 Data Protection | | | | Chris Russell |
8.4 Code of Business Standards | | | | Martin Kirke |
9. Noting papers | Noting | | | | 15.55 - 16.00 (5 minutes)
9.1 Horizon Scan | | Yes | | Chair |
9.2 POMS RCC minutes | | | | Nick Kennett |
9.3 Insurance Renewal | | | | Al Cameron |
10. Any Other Business | | | | |
CLOSE | | | | | 16.00
2. Minutes and action lists
Post Office Ltd - Confidential
Risk and Compliance Committee (R&CC)
Reference: R&CC July 2017
Date: 20 July 2017
Venue: 0.03 Moorgate, Finsbury Dials
Time: 13:00 - 16:00
Members:
Jane MacLeod (JM), Group Legal, Risk & Governance Director, Chair
Al Cameron (AC), Chief Finance & Operations Officer, Member
Mark Davies (MD), Group Communications, Brand & Corporate Affairs Director, Member
Martin Edwards (ME), Group Strategy Director, Member
Rob Houghton (RH), Group Chief Information Officer, Member
Nick Kennett (NK), Chief Executive - Financial Services, Member
Martin Kirke (MK), HR Director, Member
Paula Vennells (PV), Group Chief Executive, Member
Attendees:
Richard Williams (RW), Senior Risk Manager, Report (Paper 4.1)
Elena Nistor (EN), Audit Manager, Report (Paper 5)
Deana Herley (DH), Senior Assurance Manager, Report (Paper 4.1)
Georgina Blair, Risk Business Partner, Secretariat
Jonathan Hill (JH), Head of Risk, Banking Regulation and Strategy, Report (Paper 3.1)
Jenny Ellwood (JE), Head of Transformation Risk and Assurance, Report (Paper 3.2)
Amanda Radford (AR), Financial Controller, Report (Paper 3.6)
Martin Hopcroft (MH), Head of Health and Safety, Report (Paper 3.7)
Sally Smith (SS), Head of Financial Crime, Report (Paper 3.3)
Roger Gale (RG), Sales and Trade Marketing Director, On behalf of Chief Executive Retail
John Whitefoot (JW), Employee Relations and Policy Director, Report (Paper 6.5)
Rebecca Barker (RB), Head of IT Risk and Compliance, Report (Paper 3.5)

Apologies:
Kevin Gilliland, Chief Executive Retail, Member
Alwen Lyons, Company Secretary, Member

The Chair declared the committee quorate and opened the meeting. The Chair asked for any conflicts of interest to be declared. Standing conflicts of interest were acknowledged and no other conflicts were raised.
Risk and Compliance Committee minutes, 20 July 2017, DRAFT v.03
2. Minutes and action lists
The Committee agreed the minutes of the previous meeting and reviewed the open actions.
The Committee noted there had been some confusion over the description of AP 1776 ‘Camelot
Audit Lessons Learned’ and that it was not necessary for the current Camelot Audit to complete
before preparing a summary of lessons learned.
For points (i) & (ii) the JML update and audit, the Chair explained there was ongoing activity. MK
gave an update on (iii) the data cleanse activity underpinning regulatory training, noting that this
was much improved and that a process to update the data for new joiners had been developed.
3.6 Finance Controls
AR updated the Committee on the investigation into an unsupported £0.5m debit balance
discovered relating to the now-closed Merlin Cash Centre (incident initially reported in May 2017).
Investigation had revealed control gaps in POLSAP processes, and remediation had been
implemented, including a manual authorisation process for POLSAP journals, and further
remediation was planned.
3.1 FS Conduct Risk
JH introduced the paper, noting that there were no issues of particular regulatory concern. JH noted
that a review of red video mystery shop results had shown that some Customer Relationship
Managers (CRMs) strayed from the approved regulatory wording during their customer discussions.
JH briefly explained the training and monitoring processes for CRMs to explain how such incidents
were resolved.
The Committee observed the putative training requirements included in FCA’s Insurance
Distribution consultation paper (which include 15 hours of CPD annually) and discussed the burden
of regulatory training which falls on branches as a result of selling regulated products. The
Committee noted that there was a limit to how much training branches could absorb. The
Committee requested a further briefing on the potential training requirements of the Insurance
Distribution Directive in order to consider the future compliance burden against capacity in the
branch network (AP 1781). JM explained that the legal team had developed a regulatory
framework in response to an ARC action which would help inform the discussion, and the
Committee requested that the regulatory framework be brought to the September RCC meeting for
discussion (AP 1782).
The Committee discussed the POMS scorecard and requested that it be developed to make it more
similar to Bank of Ireland's scorecard & include some commentary (AP 1783).
3.2 Change Risk
JE introduced the paper. The Committee discussed the report and requested that the report be
developed to give more information about benefits realisation (AP 1784).
3.3 Financial Crime
SS introduced the paper and summarized the regulatory updates. The Money Laundering, Terrorist
Financing and Transfer of Funds (Information on the Payer) Regulations 2017 came into force on
Monday 26th June 2017 but the eKYC (electronic know your customer) requirements were still
unclear. Post Office would find it difficult to retain copies of ID documents in the branch, either
electronically or physically, and work was underway to clarify the requirement with the regulator.
Action: ME to discuss with SS whether the eKYC requirements could be met through the
identity proposals that ME's team were working on (AP 1785).
The Committee briefly discussed the branch registration process, noting that a new process was
now in place. SS noted that with the increase in concern around terrorist financing, it was
important that this risk be considered as part of the screening requirements for new agents. SS
confirmed that there was work currently underway to assess the risk of unintentional terrorist
financing through the branch network.
SS noted that during August identity checking would be introduced at lower transaction levels; a
likely consequence would be an increase in transactions that needed to be investigated and
depending on levels, POL’s monitoring capability to deal with increased volumes would need to be
kept under review.
3.4 Annual Gifts & Hospitality Report
SS introduced the annual gifts and hospitality report, explaining that the existing process suffered
from gaps and a lack of enforcement. SS explained that a new gifts and hospitality reporting tool
had been developed, which would allow quarterly reporting for each business function, and which
was expected to be implemented during August. The Committee will be presented with an interim
gifts & hospitality report in November to demonstrate the outputs of the new reporting system (AP
1786).
The Committee briefly discussed the reporting limits and approved the proposed increase in the
hospitality reporting limit from £100 to £200 and the decrease in the gift given reporting limit from
£200 to £100.
3.7 Health and Safety
MH presented the H&S update. The Committee noted the increase in Supply Chain accidents and
the preponderance of parcel related incidents, and queried whether there was any single cause.
MH noted that no particular reason for the spate of accidents had been found. The Committee
discussed the age profile in Supply Chain, noting that the risk of back strain and similar injuries is
more likely in an aging workforce. AC noted that some offices had several members of staff off at
the same time which was affecting quality of service targets. MK noted that Royal Mail had the
same issue with regards to many of its operational staff.
MH noted that an annual Health & Safety ‘deep dive review’ had recently been undertaken by the
GE H&S Sub Committee (Safety Board) and focused on the three areas of property, security and
road risk for commercial and business drivers. The Committee briefly discussed the issue of
cladding around buildings and any potential fire risk. AC explained that relevant buildings in the
property estate were being tested.
MH also explained that mental health first aiders were to be rolled out across the business. OH
Assist would train up to 60 people across the business to act as ‘first responders’ to signpost help
to any members of staff showing signs of suffering from mental health issues. The Committee
approved of this initiative and noted that suitable comms should accompany the roll out to explain
the role of the mental health first aiders.
3.5 IT Controls and IT Tube Map
RB presented the IT Controls Update, explaining that development of the IT Controls Framework,
based on COBITS, was on track and that all 11 priority Cobit 5 processes had been reviewed and
the core suppliers’ controls identified, and gap assessments completed. The Chair queried whether
appropriate documentation processes were in place and RB noted that policies, processes and
standards were being developed as part of the framework.
RH presented the IT Risk Update, including the IT Tube Map. The Committee discussed the rate at
which IT risks were expected to reduce and noted that the tube map was helpful in displaying
changes in expected control status over time but because of scale was not able to show a gradual
diminution of risk.
3.8 Business Continuity
The Committee noted the paper.
3.9 DR Testing
The Committee noted the paper.
4.1 LRG Placemat
The Chair introduced the LRG Placemat using some slides (added to meeting records as Paper
4.1.1.1). The Committee discussed the placemat and the presentation of risks and controls. The
Chair explained that work was ongoing and that the September meeting would include a refined
LRG placemat, the first results from Finance and Operations. Work would now commence on the
roll out of the Placemat to Retail and FS&T business units.
4.2 Risk Incidents
RW gave the Committee a summary of the reported risk incidents since the last meeting. The
Committee discussed the categorisation of incidents, noting that fraud, theft and robbery should
be categorised as one category as incidents often changed appearance as an investigation
proceeded.
6.2 & 6.3 Financial Crime and Anti-Bribery and Corruption Policies
The Committee approved the Financial Crime and Anti-Bribery and Corruption Policies.
6.2 Protecting Personal Data
The Committee noted that this policy was a necessary part of the preparations for GDPR. RH had
some comments on the policy and agreed to send them to the Chair. This policy remains in draft.
6.1 Vulnerable Customer Policy
The Committee discussed the Vulnerable Customer Policy at length.
The Committee approved the Vulnerable Customer Policy.
6.5 Code of Business Standards
JW explained the approach taken to updating the Code of Business Standards. The Committee discussed
the revised Code and requested further work. The Committee requested that JW gather feedback and
update the policy and recirculate it for approval (AP 1787).
The Committee noted the paper.
The Committee noted the following papers:
7.1 Horizon Scan
7.2 POMS RCC minutes
Next Meeting - Wednesday 13 September 2017, Room 1.19 Wakefield, 13.00 - 16.00
POL Risk and Compliance Committee
Action List
Status Report as at: 06/09/2017

Meeting | AP ref | Action | Action Owner | Due Date | Status | Open/Closed
20/07/2017 | 1787 | Code of Business Standards - Update report and circulate for feedback | John Whitefoot | 13/09/2017 | Sept Agenda item 8.4 | To close
20/07/2017 | 1786 | Interim Gifts and Hospitality report - Committee to review interim gifts and hospitality report demonstrating the outputs of the new reporting system | Sally Smith | 08/11/2017 | | Open
20/07/2017 | 1785 | eKYC - Discuss with Sally Smith whether eKYC requirements could be met through the identity proposals that ME's team is working on | Martin Edwards | 13/09/2017 | SS and ME have discussed. ME to provide verbal update if required. | To close
20/07/2017 | 1784 | Change Risk - Develop change risk report to focus on the key themes we have concerns about, which include benefit realisation | Jenny Ellwood | 08/11/2017 | September update has focused on this. A wider review and revision of the risk report will be completed for November. | Open
20/07/2017 | 1783 | POMS compliance scorecard - Develop POMS compliance scorecard to make it more similar to Bank of Ireland's scorecard & include some commentary | Jonathan Hill | 08/11/2017 | Work is under way with POMS to identify possible improvements | Open
20/07/2017 | 1782 | Regulatory framework - Discuss regulatory framework created in response to ARC action at RCC prior to discussion at September ARC | Jane MacLeod | 13/09/2017 | Sept Agenda item 6.1 | To close
20/07/2017 | 1781 | Insurance Distribution Directive - Provide a briefing on the potential training requirements of the IDD in order to consider the future compliance burden against capacity in the branch network | Jonathan Hill | 08/11/2017 | JH can provide verbal update in Sept meeting | Open
04/05/2017 | 1776 | Camelot Audit Lessons Learned - Produce a paper on the lessons learned (what happened, how we found out about it, potential consequences) for September RCC | Kevin Gilliland | 13/09/2017 | Sept Agenda item 7.2 | To close
04/05/2017 | 1774 | Fraud Reporting - Hold meeting between JM, AC (& NK?) to agree accountabilities for fraud reporting and data to be reported | Jane MacLeod / Al Cameron / Nick Kennett | 13/09/2017 | Superseded by placemat reporting | Closed
09/03/2017 | 1773 | RCC Terms of Reference - to be reviewed and updated based on changes in PO structure | Jane MacLeod | 09/11/2017 | | Open
09/03/2017 | 1770 | GE accountabilities map - to be refreshed / updated based on the new structure following discussions | Jane Macleod | 13/09/2017 | Will be an output of the development of the regulatory framework (see AP1782) | Closed
3.1 FS Conduct
POST OFFICE RISK & COMPLIANCE COMMITTEE
Financial Services Conduct Risk Update
Author: Jonathan Hill Meeting date: 13 September 2017
Executive Summary

Context
1. This paper updates the Committee on current risks and actions in respect of conduct risk. One of the key risks on the FS Risk register (also reflected in the Post Office and POMS risk registers) relates to conduct risk. Conduct risk in the regulated financial services context refers to risks to customers from poor product design, distribution and selling processes as well as those risks relating to poor product fulfilment.

Questions this paper addresses
2. This paper provides an update on the key conduct risks and how they are being managed.

Conclusions
3. Although the business faces some conduct risk challenges, some of which are referred to below, they are being managed within the overall risk appetite. Post Office has an averse risk appetite for not complying with law and regulations or deviation from business’ conduct standards. Key assurance on this is provided through the MI dashboards and reports from BoI and POMS (attached).

However, there remain challenges from changes to the business model, including regulatory changes, which require on-going focus to maintain conformance and compliance. Our Principals can require us to cease activities where we cannot demonstrate adequate controls to mitigate conduct risk.

Input Sought
5. The R&CC is asked to note these developments.
Strictly Confidential RCC 13 September 2017
The Report
Key Risks, governance and management information
6. Conduct risks are measured and reviewed by FS&T Risk together with our Principals on an on-going basis and management information is provided on the key risk areas. These are reviewed at the BoI-Post Office Customer and Conduct Risk Committee and POMS-Post Office Joint Compliance Committee, which meet monthly.
Current risks and issues
Customer Relationship Managers (CRMs)
7. As at 8 August there were 511 CRMs. The majority of these are active and digital tablet enabled. During July a new Telecoms tablet journey was enabled, allowing CRMs to engage with customers on Post Office Homephone, broadband and fibre products. It is planned that the CRM programme will pause at this number of CRMs for a period allowing the knowledge and processes of all the product journeys to bed in.

8. We have a more positive engagement with customers (on an introductory basis) on FS products through CRMs, which is carried out within a Training and Competence (“T&C”) scheme that FS&T Risk oversee and monitor. Nevertheless as we seek to innovate the CRM network, we need to ensure that the conduct and operational controls in place remain appropriate.

9. The latest Video Mystery Shopping results for July were positive with only 3 out of 29 shops graded red. In each of the three red VMS the CRM did not provide an overview of the full range of savings accounts and in two instances the customers were not encouraged to read the application pack and consider the information before making an application.

10. The T&C Framework outlines the process Senior/Support Managers need to follow when dealing with red VMSs. The actions are completed, documented and reported back in the monthly BOI Regulatory Review VMS Report.

11. The weekly ASPM/RSDM development call includes a VMS performance update. This includes a broadcast of the weekly results, the main causes of red & amber grades and the actions ASPMs and CRMs need to undertake.

12. We will monitor the next round of mystery shops at the respective BoI and POMS Committees.
Advertising breaches and issues

13. BoI repeated a concern that had been previously raised in relation to ensuring that marketing materials passed their approval ‘sell by’ date are re-reviewed and re-submitted for approval. Recent recruitment in the marketing team should make these incidents less likely. The Head of Marketing has been asked to provide a written response ahead of the next BoI Customer and Conduct Risk Committee.

14. On a related issue BoI monitoring has raised an issue in relation to a worsening trend of out of date literature in branches. From its monitoring activity (April-June) 60% of branches have been found to have out of date literature available to customers either on display or behind the counter. FS&T Risk will work with the Retail Network team to ensure customers are given the appropriate literature and review what more can be done to improve compliance in this area.
Branch Regulatory knowledge
15. A recurrent monitoring theme from both Principals is a concern about the level of
product or regulatory knowledge shown by a counter colleague when tested. Whilst
there may have been some gaps identified we are working with our Principals to
ensure that the questions tested are appropriate. For example, we would agree
that a counter colleague should know how customers can make a complaint but
would not necessarily expect them to answer questions about the FOS process.
Future issues
16. There are a number of significant regulatory initiatives on the horizon that impact
on Post Office and POMS:
a. General Data Protection Regime (GDPR) - February 2018. This project is being
led by the DPO and we are working with the team to assess and implement the
requirements
b. Vetting and ‘Fit and Proper’ - this is becoming an increasing priority for many
of our regulators (e.g., FCA and HMRC). There is a new vetting process in place,
but we need to risk assess new requirements (e.g., from HMRC) and assess
whether the scope of checks needs to increase.
c. Senior Managers and Certification Regime (SMCR) - extension to all regulated
firms by 2018. This will have a direct impact on POMS. POMS is leading a
project to implement this, which POL FS&T Risk is supporting, as it is the
company directly impacted. The FCA has confirmed, as expected, in its latest
Consultation Paper that Appointed Representatives such as Post Office will not
be directly subject to SMCR. However, further guidance on the approach to
SMCR for Appointed Representatives will follow.
d. Insurance Distribution Directive, one of the proposed key requirements is
increased CPD training for counter staff. POMS is leading a project to implement
this by February 2018, working with the Post Office Training and FS&T Risk
teams.
e. Payment Services Regulations (Payment Services Directive 2) rules were
finalised in July 2017 to be implemented in January 2018. As well as impacting
on the conventional payment business these are of significant strategic impact
as these regulations will open up access to the personal banking market for
new types of payment firms and also allow third party firms to perform
aggregation functions on behalf of and with the permission of consumers.
f. Vulnerable customers: This is an FCA/Ofcom priority area. A vulnerable
customer policy was agreed at the July RCC. We will shortly instigate risk
assessment work together with the Retail Business Unit to assess whether we
have any significant gaps in our approach.
Jonathan Hill
Head of FS&T Risk & Regulation
BoI Post Office Risk Ratings: performance measured in July 2017 (July risk ratings and how they compared to June)

[Dashboard panels: Risk rating and overall performance rating, based on the weighted cumulative outcome of the KRIs measured in July; Green rated KRIs; Amber rated KRIs; Red rated KRIs; July v June ratings; Performance against our FACE commitments (Accessible, Committed); Distribution of KRI risk ratings between February 2017 and July 2017 (chart, Feb to Jul). The individual ratings and chart values are not legible in the scan.]

KRIs measured:
• Red rated MS shops
• Red rated CRM shops
• Red rated counter shops
• Black rated MS shops
• MS multiple red/black shops
• A or B rated mortgage cases
• D rated mortgage cases
• MS meeting QAT benchmark
• Distribution complaints
• Mis-selling complaints
• Conduct survey results
• Mystery shopper experience
• NPS survey results
• Branch product knowledge
• Branch regulatory knowledge
• Specialist/CRM knowledge
• Branch advertising reviews
• Advertising breaches/issues
• Social media breaches/issues
• Savings cancellations
• Competent specialists
• Supervisor spans of control
• BoI supervisor reviews

This month we were within tolerance for 19 out of the 20 KRIs we measured. 16 of our KRIs were rated green and 3 of our KRIs were rated amber. One of our KRIs was rated red. In comparison, in June we exceeded tolerance in 2 of our KRIs and in May we exceeded 3 of our tolerances. On average, in each month between February and July, we were within tolerance in 18 of the KRIs we measured and exceeded tolerance in 2.

July v June ratings: one KRI remained red, one KRI moved out of red and no KRIs fell to red.
Exceptions and key trends

CRM mystery shops - the CRM credit card pilot, which resulted in a number of red-rated mystery shops, has now ceased. CRM savings shops have improved, with 12 out of 70 (17.1%) being red rated in the 3 months to the end of July. Only 3 out of 29 shops were graded 'red' in July. While these shops relate to lower-risk introductory activities, remedial actions are being followed up with Post Office and progress will be kept under close oversight for a period.

Advertising breaches and issues - Two material financial promotion breaches were recorded in July and related to in-branch current account leaflets remaining in the public domain after their withdrawal dates. POL have confirmed that the reapprovals were missed as a result of the impact of the organisational restructure on the Marketing function. This is the third month in a row that there have been such material breaches and, as such, this has been followed up with Post Office.

Branch regulatory knowledge - 2 out of 54 branches were rated red for 'conduct and culture' during the last three months. The red ratings resulted from a range of different issues. The most prominent related to regulatory processes including the location of the branch 'operations manual' and gaps in staff knowledge of the FOS process. There were no red rated branches in July.

Quality of Mortgage Advice - An improvement in 'C' grade cases from 9 to 2 in July and only 1 'D' case improved the proportion of initial case checks passing QAT file checks, with 95.9% (89%) achieving an 'A' or 'B' grade. The 'D' grade related to advice which was considered unsuitable based on conflicting file notes. The QAT team continue to work with POL to mitigate these errors.

Please note, reporting in relation to a number of new KRIs will commence in September.
Legend: Remained green; Remained amber; Remained red; Improved to green; Improved to amber; Fell to amber; Fell to red
BOI Group classification : Red (Confidential) - distribute only with sender's permission
CONDUCT RISK SCORECARD

Rating criteria (Green / Amber / Red) and current rating by month. Cells that could not be read from the scan are marked [illegible].

Area | Measure | Green | Amber | Red | Jul-17 | Jun-17 | May-17 | Apr-17 | Mar-17 | Feb-17 | Jan-17
Complaints | Number of opened complaints | 0-1,000 | 1,000-1,500 | 1,500-2,000 | 399 | 395 | 345 | 299 | 314 | 264 | 324
Complaints | Percentage of upheld complaints | 0%-20% | 21%-30% | 31%-100% | 38.3% | 50.6% | 34.0% | 33.7% | 36.8% | 31.3% | 27.5%
Complaints | No of FOS cases upheld | 0-3 | 4-7 | 8+ | 0 | 0 | 0 | 7 | 0 | 7 | 7
Mystery Shopping/VMS | Proportion of shops rated red in the month | 0%-10% | 11%-20% | 21%-100% | 20.8% | 11.8% | 7.0% | 5.0% | 0.0% | 13.0% | 20.0%
Mystery Shopping/VMS | Number of shops rated black in month | [illegible] | [illegible] | [illegible] | 0 | 0 | 0 | 0 | 0 | 0 | 0
Branch Monitoring | Number of red rated findings in the month | [illegible] | [illegible] | 10+ | 1 | 5 | [illegible] | 7 | 5 | 1 | [illegible]
Call Monitoring (Travel) | Percentage of red rating calls in the month | 0%-10% | 11%-14% | 15%-100% | 25% | 42% | 40% | 24% | 19% | 20% | 15%
Call Monitoring (Life) | Percentage of red rating calls in the month | 0%-10% | 11%-14% | 15%-100% | 12% | 15% | 10% | 10% | 6% | 22% |
Cancellations (Motor, Home, Pet, Business, Motorcycle) | Percentage of products to sales cancelled within the cooling off period (14 days) | 0%-5% | 6%-10% | 11%-100% | 3.5% | 4.1% | 3.5% | 3.6% | 4.1% | 2.9% | 2.8%
Cancellations (Life & Over 50s) | Percentage of products to sales cancelled within the cooling off period (30 days) | 0%-10% | 10%-14% | 15%-100% | 9.0% | | | | | |
Cancellations (Travel) | Percentage of products to sales cancelled within the cooling off period (30 days) | 0%-10% | 10%-14% | 15%-100% | | | | | | |
Claims (Travel, Protection, Home and Pet) | Percentage of claims repudiated | 0%-5.9% | 6%-10% | 11%-100% | 5.7% | 7.6% | 4.9% | 5.2% | 6.1% | 4.6% | 4.6%
Training & Competence | Percentage of POMS staff completed mandatory training | 95%-100% | 90%-95% | 0%-90% | 100% | 100% | 96% | 97% | 100% | 100% | 87%
Training & Competence | Percentage of Call Centre staff completed mandatory training | 95%-100% | 90%-95% | 0%-90% | 100% | 100% | 100% | 100% | 100% | 100% | 100%
Training & Competence | Percentage of Branch staff completed mandatory training (MS) | 95%-100% | 90%-95% | 0%-90% | 98% | 92% | 88% | | | |
Training & Competence | Percentage of Branch staff completed mandatory training (CRM) | 80%-100% | 70%-75% | 0%-69% | 75% | 72% | 72% | 86% | | |
Customer Satisfaction (CES) | Proportion of customer responses to NPS surveys that confirm adequate information was provided at the point of sale in the previous 3 months | 80+ | 60-79 | <59 | 75% | 76% | 77% | 77% | 77% | 82% | 88%
Net Promoter Score (NPS) | NPS (scores based on 3MRA) | 35+ | 30-34 | <30 | 41 | 38 | 38 | 38 | [illegible] | 42 | 40
Financial Promotions | Financial Promotions right 1st time | 50%+ | 35-49% | <35% | 78% | 87% | 75% | 51% | 45% | 65% | 52%
Incidents | Number of Severe Incidents (rated 1 or 2) | 0 | 1 | 2+ | 2 | 3 | 1 | 4 | 3 | 1 | 1
Incidents | Number of unresolved Incidents | 0-15 | 16-20 | 20+ | 13 | 15 | 13 | 17 | 21 | 20 | 14
POST OFFICE AUDIT AND RISK COMMITTEE INFORMATION PAPER
3.2 Change Risk Update
Author: Jenny Ellwood Sponsor: Angela Van Den Bogerd Meeting date: 13 September 2017 (RCC)
Executive Summary
Context
This report provides an update on the delivery status of the Change Portfolio, the key
risk themes under management and the current highest scoring risks, referred to as
the ‘top risks’ within the Change Portfolio.
Questions addressed in this report
• What is the current delivery status of the Change Portfolio and key delivery challenges?
• What are the key risk themes being managed at present and mitigation plans?
• What are the current top risks currently being managed within the Portfolio and what is the performance of risk management based on the mitigation plans?
• What are the types of portfolio risks and how has this mix changed?
Conclusion
1. The current delivery status is Amber, and the EUM and SuccessFactors programmes are experiencing some significant challenges.
2. The key risk themes we continually push against are: 1) what does the next 12-18 months' change activity look like, and can we do it all; 2) what is the impact on the network, and is it manageable; 3) why do we continue to underspend; and 4) what impact does this have on our benefits profile?
3. The current top risks are EUM Effectiveness, Delivery of the 2017/18 Plan and IT Vendor Renegotiations. Work is underway on the mitigation activities to move these risks to their target risk score position: an approved revised plan and business case for EUM is expected by October; a review of the 2017/18 change activities is underway, with a detailed update scheduled for the Executive Change Group (ECG) by the end of September; and work is progressing well on the IT Vendor renegotiations, with a Letter of Intent with Atos signed and agreement secured to proceed with SISD contract changes to reflect a service cost reduction and the transfer of some work in-house.
4. The type and mix of the portfolio remains broadly unchanged in this reporting
cycle. Key MI to evidence this is shown within the appendices. The new
integrated plan being developed, along with parallel capacity work, is also driving
discussions on potential risks and dependencies and progressing well. For this
reporting period the Portfolio risks have reduced to 25 and remain consistent
with the nature and complexity of the individual projects and the timeline.
5. Monthly health checks continue and Programmes are demonstrating they
understand their deliverables, risks and issues and work continues to improve
dependency identification, tracking and monitoring.
Input Sought
The ARC are asked to note the progress made since the last ARC, the top risks being
faced, how they are being managed and mitigated and to advise on any additional
areas/topics that should also be taken forward.
Strictly Confidential RCC 13 September 2017
The Report
What is the current delivery status of the Change Portfolio and key delivery
challenges?
1. At the end of August 2017 the overall Post Office change portfolio status remained Amber, taking into account the individual status of each programme.
2. In terms of the Portfolio delivery status, we are currently reporting Amber. Key
delivery challenges include:
- Capacity: We are currently in the process of assessing (at project level) capacity constrained areas' ability to support all change. The output of this review will be used to reassess the assumptions in the Strategic Plan.
- Enhanced User Management (EUM): The programme continues to explore deployment options for the new identity management system, and the Steering Committee has identified significant additional scope required to ensure it is effective and manageable within the Network.
- SuccessFactors payroll data migration: This has experienced ongoing difficulties such that the current migration planned for October/November 2017 (which itself reflected an earlier 3 months' delay) is under threat. A root cause analysis exercise has been undertaken which suggests that issues have arisen with the payroll data load, particularly where employee records have needed amendment during the period of upload, thereby constraining payroll comparison testing.
- Ongoing testing capacity: Constraints continue to be monitored, and priorities and appropriate scheduling are reviewed on a weekly basis. There are no immediate concerns, but this is one we continue to monitor through the integrated plan work.
What are the key risk themes being managed at present and mitigation plans?
3. In terms of key risk themes, the challenges we continually face are: 1) what does the next 12-18 months' change activity look like, and can we do it all; 2) what is the impact on the Network, and is it manageable; 3) why do we continue to underspend; and 4) what impact does this have on our benefits profile?
4. To address the challenge of what the next 12-18 months looks like and the
impact on the Network, an extensive review of the Change Portfolio is underway.
This work has been led by the People and Change Director and has included
consideration of the impact of change on a number of key areas: IT, Network
Operations, HR Service Centre and Finance Service Centre. A full update on
activities is shown in paragraphs 14 to 15.
5. Additionally, work continues to try and establish the true impact and
requirements to meet the General Data Protection Regulation (GDPR). The
programme has recently confirmed that:
- 17 out of 114 projects that have already gone live were concerned with the use of personal data; and
- 45 out of 199 projects that are still in-flight have been identified as involving the use of personal data. 20 of these have been classified as 'high priority'.
6. The project team has contacted 13 of the 20 high priority projects to confirm
their current lifecycle stage and the extent of the use of personal data. At this
stage the true impact of the work required to meet the GDPR is still unclear and
clarificatory work continues this month.
7. In terms of the Portfolio cost underspend, which currently stands at 7% at P4, Finance are working closely with the Programme Finance Directors to establish root cause and re-forecasts. Within period 4 we did see the cost spend increasing gradually; however, costs still remain significantly under both the original budget and the current re-forecast. The current reasons for variances are as follows:
- Telco (Newcall) costs are £3m above forecast as the next tranche payment is sooner than anticipated; this is not an underspend but a timing issue.
- Network Development (ND) costs are down [figure illegible]; the ND re-forecast was planned for P5 reporting. P4 costs are in line [text illegible] reforecast: i) IT Networks [illegible], [...] Risk & Resilience [illegible], iv) Other IT [illegible].
8. In terms of benefits we have continued to deliver the total value of benefits
anticipated each year. However, this has not necessarily derived from the
original Programme projected benefits specified, i.e. some Programmes have
delivered more which has compensated for those Programmes that have
experienced difficulties. The Change Finance Director is assessing what forum is
best to review and regularly challenge both costs and benefits tracking and a
proposal is to be made to the People and Change Director this month.
Discussions are already underway on the benefits MI we require reporting by
each Programme. The approach will be that Programme benefits tracking will be
consolidated into a central view via the Finance Directors. A review of the
approach taken in each Steering Committees will also be undertaken to ensure it
allows an appropriate level of monitoring and challenge.
What are the top risks currently being managed within the Portfolio?
9. There are currently 25 open risks being managed at a Portfolio level, a net reduction of 1 from the last ARC report in July 2017. The current top risks are:
i) EUM Effectiveness
ii) Delivery of elements within the 2017/18 Plan
iii) IT Vendor Renegotiations
10. The EUM programme is continuing to manage a number of challenges that must
be overcome to ensure full and effective deployment of the new Horizon system
access model. These include the need to obtain accurate data from agents, an
ability to communicate training requirements and to enable access to training
material to agents, agents’ assistants and PO Branch employees, to be able to
access data to confirm the vetting and compliance training status of all Horizon
users and to have business processes in place to manage data, password
management and system access issues.
11. Retail will now take the lead on the deployment phase of the project and work is
underway to develop an appropriate and scalable implementation plan.
Additionally, an Inflight Review has been undertaken to support Retail and looks
to answer the question on whether we can be confident that the Programme will
deliver from where we are now. Recommendations from both the Inflight and
the Network Operations Review were presented to the EUM Steering Committee
on 5 September and a plan and revised Business Case is now being produced for
approval in October.
Risk (i): EUM effectiveness

Risk: There is a risk that EUM does not perform as expected due to:
- being unable to collate accurate data from our agents (all of which is being provided by branch staff);
- POL staff/agents not having an individual email address which can be used to communicate logins and training information; and
- agents not being able to access SuccessFactors via the internet/browser solution and therefore not being able to access training material and test.
This all leads to our inability to address the key business goal, which is for POL to prove to its client that persons transacting on its behalf are suitably qualified and vetted.

Mitigation plan (status / due date; due date 7 June 17 shown against all actions):
1. Identify gaps within the SF/EUM design - ongoing
2. Develop end to end process maps with risks and controls - ongoing
3. Identify the key business decisions that still remain outstanding - complete
4. Explore alternative options to meeting the business outcome (i.e. using Horizon for agents' training, building an interface between Horizon and SuccessFactors) - complete
5. GE workshop to make required decisions (decision on Action 4 outputs) - complete
6. Clarify the 'burden of proof' required by our FS clients and RMG, i.e. how much evidence they require us to provide on transacting/selling on their behalf - complete
7. Explore with Network the genuine reasons when Dual Login is used and whether this needs to remain or a workaround can be put in place - complete
8. Revised business case and replan - Oct 17
9. Model office and pilot completion - complete
10. Deployment approach proposal to SteerCo - complete

(Current and target RAG ratings are shown as colours in the source and are not reproduced.)
12. With regard to IT vendor renegotiations, since the last ARC the Post Office has
signed a Letter of Intent with Atos. Agreement has also been secured to proceed
with SISD contract changes to reflect a service cost reduction and the transfer of
some work in-house. A new Client Executive has also been appointed. Work is
underway on reforming ways of working and restructuring the governance
framework.
13. Revenue baseline and principles have been agreed with Fujitsu; a supporting Memorandum of Understanding is now being drafted for signature by the end of September 2017. Ways of working (including behaviours and collaboration) are being monitored formally at the monthly governance board.
Risk (ii): IT Vendor Renegotiations

Risk: There is a risk that IT Vendor engagement proves difficult and they display poor behaviours through renegotiations, which could impact successful change delivery.

Mitigation plan (status / due date; item numbering and dates aligned as closely as the scan allows):
1. Establish Legal support to assist in vendor contract renegotiations - complete
2. Hire negotiation and procurement expertise - complete
3. Contract Managers in place to manage transition and ensure Vendor SLAs and commitment are maintained - ongoing
4. Provide support and guidance to Senior Stakeholders (IT & other Business Areas) regarding any high level strategy discussions with any of the impacted Vendors - ongoing
Short term actions:
5. Enforcement of clear relationship management governance on vendors: everything will go through the vendor manager, and internal comms are to be issued to provide structure around the vendor manager engagement and key contacts - ongoing
6. Stand up relevant vendor management governance forums - 30 Sept 17
7. Renegotiation of Atos contract (Project Armada) (Atos proposal now approved) - 30 Sept 17
8. Fujitsu (Project Everest) scope obtained with a view to understanding ownership of key activities (post in-house move) - 30 Sep 17
Long term action:
9. Decision regarding Atos (maintain/exit) - Mar 18 / Sep 18

(Current and target RAG ratings are shown as colours in the source and are not reproduced.)
14. The People and Change Director hosted a capacity review workshop on 8 August
2017 where all 76 projects within the current change portfolio were presented to
the 5 capacity constrained areas (IT, FSC, Retail, Network Ops and HRSC) for an
initial impact assessment. A follow up workshop was held on 29 August 2017 at
which it was concluded that:
- IT and Network Operations are the main areas where capacity will cause impact on delivery. Additionally, Network Operations, HR Service Centre and Finance Service Centre will require appropriate early engagement from the projects and sufficient lead-in time to uplift resource to accommodate any increased activities;
- There are still unknowns that will impact ability to deliver, e.g. GDPR; and
- Recommendations include the need for prioritisation of all projects, to make priority calls where capacity constraints exist, and ongoing demand management by constrained areas.
15. It is scheduled to present the findings and next steps to GE/ECG on 18
September 2017.
" "i Current Neheaetl Target
Risk Title Risk RAG Mitigation Plan Due date Ree
Delivery of I There is a risk that we Completion of a review to understand I ECG - Sep
elements of I will not be able to deliver the implications of major 2017
the 2017/18 I all of the 2017/18 plan programmes on a wider range of
plan due to multiple capacity constrained resources to establish
constraints the feasibility of programme delivery.
16. A full list of the 25 portfolio risks is shown as an Appendix.
What are the types of portfolio risks and how has this mix changed?
17. At the last ARC meeting there were 26 portfolio level risks. The current total is 25, which has, however, been subject to churn in the intervening period, in that 4 risks were closed, namely:
- Capacity of IT Key Suppliers: There was a risk that key IT suppliers could not meet our change demands due to the pace of change and the concurrency of activities, resulting in delays to our "Change Portfolio" delivery plans. This was closed on the basis that elements of this risk were deemed to be captured and managed under another risk ('Complex Portfolio Planning & IT Management').
- Resourcing Risk (Payroll Legislation): There was a risk that HMRC legislative changes that came into effect in April 2017 could cause significant impact to the Change resourcing model and the way that it uses contractor staff. The risk was closed on the basis that it had been managed down to target.
- Unintended consequences on Operational Performance (People): There was a risk that staff departures as a result of change being implemented may impact the effectiveness of the control environment, increasing the likelihood of new operational risks. The risk was closed through merger with a similar portfolio risk ('Op Performance - Process').
- Delivery (Integrated Plan Delivery Performance): There was a risk that our delivery is all back-ended and we hit the business with too much change all at once. Closed on the basis of replacement with the risk on our ability to deliver the 2017/18 change plan due to multiple capacity constraints.
18. The 3 new risks opened are:
- GDPR: see paragraphs 5 to 6.
- Delivery of 2017/18 Plan: see paragraphs 14 to 15.
- Model Office Testing Capacity/Resilience: The Model Office is designed to test counter releases and services in a live environment. There is a risk that the introduction of new network routers and platforms (HNGA) introduces complexity and additional time, as testing needs to cover different branch types, network routers and platforms (HNGX and HNGA). An additional risk is that the Model Office has limited visibility of change projects in the pipeline, which results in an inability to effectively plan and prioritise activities within the Model Office. We will monitor the demand from the integrated planning activity and consider the capacity of the Model Office as a constraint during this transition.
19. The table below illustrates how the mix of risks at portfolio level continues to flex, and shows the open portfolio risks by severity.
Open portfolio risks by severity (five severity bands; the band headings are illegible in the source):

                Band 1   Band 2   Band 3   Band 4   Band 5   Total
August 17         0        3       13        9        0       25
July 17           0        3       14       10        0       27
June 17           0        2       15        9        0       26
% by severity     0%       8%      58%      35%       0%      100%

(Note: the percentage row reconciles to the June 17 counts, not to August 17.)

Number of New Risks: 4
Number of Emerging Risks: 6
Number of Closed Risks: 4

Figure 1: Please note the minor/moderate risks are managed at a local level and not escalated to the Portfolio view. The risk reported as critical in May was around EUM effectiveness and, as work is underway on mitigations, this has reduced slightly.
Appendix: Change Portfolio risks and supporting metrics

The Portfolio

Portfolio risk register, ranked. In the source, ticks mark which risks were reported as top risks at earlier ARC meetings, alongside current and target grid ranking columns; the column headings are illegible in the scan, so the ticks are shown here as a count.

1. EUM Effectiveness (✓✓)
2. Delivery of 2017/18 Plan (✓)
3. IT Vendor Renegotiations (✓✓✓)
4. Complex Portfolio Planning & IT Management (✓✓)
5. IT Delivery Capability (✓)
6. Operational Impact of Generic Training Expiry Dates (✓)
7. IT Change Operating Model
8. Data Risk
9. GDPR (✓)
10. Financial Risk - Insufficient Funds to deliver Transformation
11. Transformation Delivery oversubscribed
12. Unintended consequences on Operational Performance - Process
13. Availability of Key Skills and Knowledge
14. Adverse Impact of Change / Organisational Change on Agents
15. Accounting & Reconciliation
16. Financial Risk - Benefits/Revenue Realisation
17. Deployment of Non-Compliant Solutions/Systems
18. ITNBA Incumbent Supplier Proactive Engagement - BT
19. Responsible use of public funds
20. Strategy & Design: Conflict between current BaU and Transformation activities
21. Reputational Damage - Media risk
22. Reputational Damage - Political stakeholder risk (local government)
23. Reputational Damage - Political stakeholder risk (national government)
24. Poor coordination of communications about change activity with stakeholders and employees
25. Model Office Testing Capacity / Resilience *NEW*
The Churn

The chart below details the number of risks opened and closed over the last rolling 12 months.

[Figure 2: A comparison of open/closed risks (by month) - bar chart of "No. of Opened Risks" against "No. of Closed Risks"; chart not reproduced]
Risk Weighting

Each portfolio risk has a weighting score calculated by multiplying its impact and probability scores. Added together, these give a cumulative portfolio score, which currently stands at 242.

The overall risk severity score has reduced by around 9% since April 2017, as a result of risk closures. The risks continue to be monitored in line with the change portfolio risk review process.
[Figure 3: Current cumulative portfolio risk weighting score by month, Aug 16 to Aug 17; chart not reproduced]
Figures 4 and 5 illustrate the anticipated impact that a reduction in the number of active risks over the next 6 months will have on the residual risk weighting.

[Figure 4: Current portfolio risk weighting (Aug 2017); Figure 5: Projected portfolio risk weighting (Feb 2018); charts not reproduced]
POST OFFICE - RISK & COMPLIANCE COMMITTEE (Page 1 of 7)
3.3 Financial Crime Risk Update
Author: Sally Smith   Sponsor: Jane MacLeod   Meeting Date: 13th September 2017
Executive Summary
Context
This paper updates the Risk and Compliance Committee on progress with the HMRC
Regulatory Activity project which has been established to manage both the HMRC’s Anti-
Money Laundering (AML) and Counter Terrorist Financing (CTF) audit and the risk
assessment work being undertaken to address Financial Crime Risks.
Questions this paper addresses
« What is the current position with the HMRC Audit and potential penalties?
« What is the current position on progress with the Financial Crime risk assessment
work and next steps?
« What are the impacts for Post Office of regulatory changes
Conclusion
1. Regular meetings are being held with HMRC and the HMRC audit action plan is on track. The penalty notice in respect of historic premises registrations has now been received and paid [redacted: IRRELEVANT]. HMRC are still considering the regulatory position relating to Bill Payments and the potential penalty for regulatory breaches relating to Bureau de Change.
2. Risk Assessment work has progressed well and will be ‘business as usual’ by the
end of the current financial year. The Financial Crime Team are to support and
deliver workshops to product managers to embed the methodology across the
business.
3. Post Office continues to work with HMRC to understand the implications of the new
Fit & Proper test regime and for HMRC to clarify their interpretation and guidelines
in respect of eKYC and retention of identity documentation.
Input Sought
The R&CC is asked to review this report and consider whether further actions should be
undertaken.
INTERNAL. Paper 3.3 Financial Crime Risk Update, RCC September 2017
The Report
HMRC Audit status
4. Further meetings have been held with HMRC on the 26th July 2017 and the 23rd August 2017. An updated Bureau de Change action plan was presented by the project team in July, with improved timescales for delivery; this has been accepted by HMRC and is currently on track:
- New customer data capture and identification/address verification thresholds and data capture improvements were delivered into the Network on 30 August 2017.
- A daily feed of all Bureau de Change activity into a central Post Office data repository, with appropriate tools for rules-based exception reports together with the ability to undertake ad-hoc and holistic transaction monitoring, is scheduled for delivery at the end of January 2018.
- Subject to procurement timeframes, PEPs and Sanctions screening is expected to be delivered by end February 2018 and eKYC by end April 2018.
5. HMRC advised they are considering a penalty in respect of breaches of Regulations 19 and 20:
- Regulation 20 (Risk Based Approach): HMRC cited 'behavioural' failures relating to the lack of up to date Bureau de Change risk assessments and processes, and failings in relation to AML/CTF policy documentation (the 2012 version was current until 2016, with no evidence of review).
- Regulation 19 (Record Keeping): HMRC cited observation of a lack of knowledge as to where and how data was stored (no data dictionary maintained), delays in data provision, and missing transactional and due diligence data identified during the audit. As such HMRC believe POL was in breach of the requirement to maintain due diligence information for a minimum of five years.
- The starting penalty is £5,000, although turnover and gross profit are also taken into consideration. Based on financial information provided by the Bureau de Change product team, HMRC estimate a penalty in the region of [redacted: IRRELEVANT], although they are [redacted: IRRELEVANT]. The information provided is still under review by forensic accountants within HMRC, and the pre-penalty notice will not be received until this work is complete and a decision about Bill Payments is made, as this may impact the apportionment of the costs of premises registration (see point 7 below). These [redacted] per annum and currently all costs are allocated to the Bureau de Change business; if Bill Payments are ruled as in scope for HMRC regulation, this will increase the Bureau de Change gross profit calculation and could increase the amount of the penalty.
6. HMRC confirmed that whilst there were previous historic failings relating to Staff Training (Regulation 21), they had evidence that throughout the audit Post Office had been continually improving their AML/CTF communication plan to address this. [Part of this paragraph is lost at the page break in the scan; the surviving fragments read "... Office was unable to monitor the ..." and "... been entered into, HMRC had not identified many specific failures."] Therefore Post Office will not be fined for breaches of Regulations 7 & 21 but is likely to receive a warning.
7. After the meeting on the 26th July 2017, Post Office wrote formally to HMRC in relation to the legal view that it was not directly regulated for Bill Payment services. This is being considered by HMRC as part of a sub-sector review and is still with the HMRC Policy and Legal teams for a decision. Until a decision is reached, HMRC will not audit the Post Office in respect of this activity.
8. The penalty notice relating to historic premises registration issues was received on 10th August 2017 [redacted] and has been paid.
Financial Crime Risk Assessment Update
9. The action plan in Appendix A gives full updates, but in summary:
- Drop and Go, MoneyGram, Gift Cards, Travel Money Card, International Payments and Postal Orders are complete and will be tracked for annual review going forward.
- Bill Payments work is due to be completed at the end of August and will be issued to the product manager for review and sign-off. The Bureau de Change control strength and residual risk scores are being re-evaluated as the remediation solutions are delivered.
- Of the remaining products and services, the following approach will be adopted:
i. Residual risk was last calculated in October 2016 by Thistle Initiatives,
this is now being reviewed in line with business changes and controls
identified from the high risk re-assessments completed. Current
assessment is that there are no high risk products and services
remaining that require remediation work, but this will be confirmed at
November R&CC once the work is complete.
ii. Product Manager risk assessment workshops will be rolled out from the
end of September 2017 in conjunction with the proposed Product
Manager training by Cranfield School of Management - attendees will
complete the Product Information Pack for their products and services
after these workshops. The Financial Crime Team will check these
completed documents against the existing risk assessment, and amend
residual risk calculations, as appropriate. These will then be diarised
for annual review going forward, along with the 8 high risk products
and services.
10. Non-conformance issues in the Network in July and August 2017/18 include 30
incidents identified at 24 branches:
- 17 branches are on the non-conformance watch list and manually monitored monthly
- 1 branch has been added this quarter
- 1 branch has been removed this quarter
11. The volumes of suspicious activity reports (SARs) have reduced by c.20% in July
and August and this appears to be in relation to MoneyGram. MoneyGram
implemented new identification requirements from 20 June 2017 to meet new
requirements under the money laundering regulations and all transactions now
require identification to be presented and recorded. Customers sending or
receiving £800 or more have to present ID at the counter and upload an image of
their ID direct to MoneyGram via a dedicated upload portal in order for the
transaction to be completed. MoneyGram then check these against the details
captured at POS before they release the funds. At this stage we are not sure if the
reduction is because suspicious activity is being driven elsewhere, or staff fail to
be suspicious because they have taken identification. A branch focus article is
planned 14 September 2017 to raise awareness of the need to report all
suspicions. We will continue to monitor.
Anti-Bribery and Corruption (ABC) Risk Assessment update
12. The following has been completed since the last update in July:
- ABC policy: being submitted to the September 2017 ARC for final approval.
- Gifts and Hospitality reporting tool launched.
- ABC training launched 8th September 2017.
AML/CTF training update
13. HR have confirmed that a process has been established to ensure that all new back
office staff and contractors complete training within 30 days of joining. Financial
Crime Team have established ongoing compliance checks.
14. As at the time of writing there are c. 130 branches that have not completed training
as required and the Branch Standards Team are working through appropriate
intervention options with the Contracts Team and the Network Team to ensure
completion.
POMS MLRO report
15. A report on POMS activity has been produced by the Financial Crime Team and
MLRO and is being presented to the September 2017 POMS R&CC and ARC. No
material weaknesses have been identified and the governance framework is
currently considered to be effective in managing and overseeing the AML risks
within the POMS business.
16. From the risk assessment undertaken in April 2017, there were only minor
recommendations made and POMS evidenced a clear reporting structure in which
financial crime concerns are escalated efficiently to senior management. The
policies, procedures, monitoring, controls and both internal and external audits to
mitigate exposure to financial crime are in place and communicated effectively to
third parties. The risk assessment evidenced that all insurance products within
POMS remit were within the risk appetite set by the business.
Regulatory updates
17. eKYC - HMRC advise that they have not reached a decision internally regarding
the adequacy of eKYC for customer due diligence and the interpretation issues
between themselves and the JMLSG. We understand that a number of
organisations are raising queries with HMRC regarding this issue and Post Office is
to write formally to HMRC to request response and guidance regarding this issue
18. Fit & Proper test - HMRC is still undertaking internal analysis of the interpretation
and application of the requirements, in conjunction with discussions with the top
11 organisations directly regulated by them. Following the meeting on 26th July,
Post Office provided to HMRC some detail around the due diligence undertaken at
on-boarding. We are expecting further guidance and clarification by the end of
2017. Post Office have until the date of our next annual registration (1st June 2018)
to comply with these new requirements.
19. There has been no further guidance or update relating to the Fifth Money
Laundering Directive announced on 30 November 2016 and the updates given in
March remain current.
External threats
20. There have been no new issues since the July 2017 report.
Financial Crime Team project tracker, 2017 (INTERNAL)
Project / Specific Task | Status | Completion Date | Weekly Update
AML/CTF Branch Training Failures Review | In Progress | 30/09/2017 | 01.09.17: Data received from Branch Standards Team confirming the number of individuals who took more than five attempts to pass the AML/CTF training. We are at present reviewing the findings, which will be drafted into a high level report.
Risk Assessment Tool | In Progress | 30/09/2017 | 04.09.2017: The tool has been reviewed and its question bank updated to reflect regulation changes. We are also in the process of creating a new portal to make it more user friendly.
RAT Ref 2015/7 - Digital Passport / Digital Check & Send | In Progress | 28/02/2018 | 04.09.17: Product Owner has confirmed that the service will only be available to branches with AEI. The project is currently in design and test stage, and is expected to go live in February 2018. No financial crime concerns at this stage.
Branch Premises Registration Policy & Procedures Review | In Progress | 15/09/2017 | 01.09.17: Updated Policy and Procedures have been drafted and circulated to stakeholders for review.
Santander Business Deposits / Time Saver Deposit Project | In Progress | 30/09/2017 | 01.09.2017: A report setting out the risks and concerns in relation to the existing and proposed service has been created and circulated to stakeholders for comments.
EUM Project | In Progress | 30/09/2017 | 18.08.17: The project team have confirmed that they are looking for potential alternatives or better controls around RUID. They also advised that passwords would be managed at branch level. Financial Crime Team has advised that if passwords are not controlled centrally, there is a potential risk that if a staff member leaves, their ID could be passed on to new members of staff.
Project / Specific Task | Status | Completion Date | Weekly Update
Bureau de Change Product Information Pack (PIP) Update | In Progress | 30/09/2017 | 31.08.2017: PIP has been updated in line with the changes made to the product. This at present is with the product manager for review.
Postal Orders - Monitoring and Controls | [status illegible in scan] | 30/09/2017 | 04.09.17: The Financial Crime Team are working with the product manager to review and improve existing monitoring.
JMLIT Section 7 Requests Policy and Procedures Review | In Progress | 15/09/2017 | 18.08.17: Process guide has been drafted and circulated to stakeholders for review.
Product and Service Residual Risk Reassessment (from TI Assessment in October 2016) | In Progress | 30/09/2017 | 04.09.2017: A reassessment of previously completed risk assessments is underway to review if generic business changes have changed any of the key risk areas.
3.4. IT Controls Framework and DR
POST OFFICE PAGE 1 OF 9
RISK & COMPLIANCE COMMITTEE ADVISORY PAPER
3.4.1 IT Controls Update
Author: Rebecca Barker Sponsor: Sharon Gilkes, Rob Houghton Date: 13 September 2017
Executive Summary
Context
The purpose of this paper is to update the RCC on the status of the IT Controls
Framework (ITCF); the most recent remediation plans; any emerging issues or
developments; and the next steps of the project.
Questions addressed in this paper
1. What is the current status of the ITCF?
2. What are the latest control/remediation results & what does this mean?
3. How will the controls reduce our risks?
4. What are the next steps?
Conclusion
1. Of the 193 controls in the ITCF, 108 are implemented, 64 are partially in place
(they do not fully mitigate the risk) and 21 controls are missing. Compared to other IT
Control Framework projects, the level of control gap is not unusually large for this
stage in the transformation. However, the issues highlight control gaps that would not
be expected at similar large and high-profile organisations, and provide a particular
challenge for the Post Office as a result of the extensive levels of outsourcing.
2. We are marginally below our forecast of the key controls being implemented. This
is because a number of remediation activities are reliant on key programmes including
the Security Operations Centre (SOC) and the implementation of the new Service
Integrator Target Operating Model. Remediation activities will be implemented as
these programmes deliver during 2017/18 and we are adjusting our plan to reflect
this.
3. We have reviewed the Manage Security and Manage Security Services RACM and
identified a number of controls that will reduce the overall risk severity on the IT Risk
Register; we are prioritising these.
4. We have set a target to close the remaining gaps in the ITCF by March 2018. We
expect to have controls operating against all identified key risks by fiscal year end,
with every control having been through at least one round of self-assessment and
sample audit checks undertaken on each process.
Strictly Confidential RCC 13 September 2017
Input Sought
The RCC is asked to note the progress made and comment on the approach and
priorities.
The Report
What is the current status of the ITCF?
1. We are proceeding with the 11 processes in Tranche 1 (Priority 1 — see Appendix 2) included in the original scope of the ITCF. These are currently going through remediation assessment: ensuring that control owners are being identified and remediation actions are being assigned. Remediation is being monitored by IT Risk Management and KPMG.
2. We have reviewed and have full remediation plans for 4 processes: Incident Management, Change Management, Manage Security and Manage Security Services.
3. The number of controls has slightly decreased from 215 in July to 193 in August. This is due to consolidation and removal of several controls to better match the control environment with the needs of the Post Office. We have reviewed these controls with the Control Owners and Internal Audit, and actioned their feedback.
4. Of the 193 controls, 108 are implemented, 64 are partially in place (i.e. they address some but not all of the risk), and 21 are currently not in place. For all the controls which are not implemented, we have identified and graded the severity of gaps. This assessment has been refreshed to include likelihood (see Appendix 1 for the new criteria).
5. Out of the 193 controls we have categorised 114 as Key Controls. These have been assessed by the level of risk to the business, i.e. "What is keeping us awake at night?" The Key Controls will be remediated as a priority.
6. Following remediation workshops we have identified that the design of 108 controls is implemented. These controls have not been subject to detailed testing and we may identify that the remediation activity is insufficient. Further information on testing can be found below.
7. To enable ongoing monitoring of the ITCF and controls self-assessment, we have been developing test scripts for each individual process. This will include sample testing and review of evidence retained as a result of ITCF controls operation. The main purpose of the test scripts is to enable testing of controls found to be already in place and of the overall operating effectiveness of controls as gaps are remediated.
8. We have discussed the requirements for the upload of the RACMs into TrAction with Internal Audit. We have submitted 2 RACMs to the TrAction team, and we are investigating the cost and timescale required to upload the 11 RACMs.
9. Incident Management, Business Continuity and Manage Security Services have the highest number of controls not in place. This is because a number of the controls are reliant on the implementation of the Security Operations Centre (SOC), which is expected to be in place in Q4, and also on the delay of the target operating model with our Service Integrator and staff resource within the Service Delivery team.
POL00423693
POL00423693
PAGE 4 OF 9
What are the latest control/remediation results?
10. The results of August 2017 remediation activities are summarised in the table below.
Across 11 processes
Design of Control | No. of controls | Of which key controls | % of key controls
Implemented | 108 | 56 | 49.12%
Partially in place | 64 | 43 | 37.72%
Not in place | 21 | 15 | 13.16%
Total | 193 | 114 | 100%
[Tables of design-of-control status per RACM (all controls and key controls) and the monthly target versus actual trajectory for key controls, April 2017 to March 2018, are illegible in the scan.]
11. We are marginally below our forecasted target of controls being remediated,
because a number of control owners have been on leave. The August actual
remains the same against the July Actual as a result of challenges back from
the project and remediation examples not being evident. We expect the actuals
to increase rapidly upon implementation of the Security Operations Centre and
also when the governance has been restructured to align to the Target
Operating Model with our service integrator.
How will the controls reduce our risk?
12. We have reviewed the Manage Security and Manage Security Services RACM
and identified a number of controls (see table below) that will reduce the
overall risk severity on the IT Risk Register; we are prioritising these.
• Effective Incident Management/Change Management controls would have reduced the overall risk of a Severity 1 incident which occurred on the 30th April 2017 and resulted in lack of connectivity to the live service for multiple branches. In this case, back-end maintenance was not managed via the correct Change Management channels and this resulted in an engineer accidentally shutting down the system. If the correct controls had been in place to ensure that all maintenance / prerequisites / benign changes were visible to the Service Integrator and Post Office, the impact may have been reduced. Human error cannot be prevented, but the controls around Incident Management/Change Management would have reduced the overall likelihood and impact.
• Effective Manage Change and Acceptance controls would have reduced the overall risk of an incident which occurred in June which resulted in customers being unable to make Metrobank cheque deposits. The issue was the result of a change that had taken place within the client's domain which had not been tested correctly. We have several controls within the Manage Change and Acceptance process which will reduce this risk going forward. One of the key controls to support this will be that a model test environment is in place which is representative of current and future production environments. The remediation is currently being identified.
Tier 1 Controls from Manage Security Services RACM (part of IT Controls Framework)
Columns: Risk Title | Risk Description | Control | Remediation/Action Log and Remediation Action. Risk rating: High.
[The table is only partially legible in the scan; the entries below are what can be recovered, with illegible parts bracketed.]

Risk: Vulnerability Testing
Risk Description: Failure by Post Office to ensure there is adequate security to prevent attacks, both on the infrastructure and end point, across all services that accept, process, store or transmit personal data and maintain a secure environment, may lead to legal and regulatory breaches, resulting in fines/sanctions, financial loss / service loss and reputational damage. Lenovo BIOS Vulnerabilities R213: [illegible] with the BIOS of the Lenovo device. The BIOS is built-in software that directs the Operating System when starting up the device. There is a risk unauthorised parties might gain access to Post Office information by exploiting this vulnerability that exists within the BIOS; unauthorised users might take control of the machine and infect the device with malware, or disable or bypass security controls in place when the machine is rebooted. It should be noted that the malicious user would need physical access to the device in order to exploit the vulnerability. This could result in loss of credibility for the Post Office, both with its customers and Governmental Departments, as well as financial consequences. At this time POL ISAG accept the risk.
Controls and remediation:
- Control MSS-C1.1: [Malware] tools have been installed on all equipment used for PO business, and updates performed regularly. Remediation: Malware control is in place. The Control Owner in Mick Ebsworth's team needs the support of CC to run this report biannually.
- Control MSS-C2.9: Network filtering mechanisms have been implemented, such as firewalls and intrusion detection software, with appropriate policies to control inbound and outbound traffic. Gap: There is no monitoring of data centre traffic by PO, and no logs are stored of any intrusions or threats; no coordinated communication procedure for attacks across the multiple data centres hosting PO information.
- Gap MSS-C2.3a: There is no visibility over how often vulnerability and intrusion scans are run or the outcomes of such exercises. For example, the logs of security events are kept by CC, however they are not reviewed on a periodic basis, only if an incident occurs. Additionally, Verizon note that no intrusion software has been implemented currently and they are in discussions with PO regarding this. Remediation MSS-C2.3a: We get reports on a monthly basis but not in a timely manner, and we do not have clear visibility of the remediation that is taking place. Going forward, the control around the process will be reviewed on a monthly basis.
- Control MSS-C2.10: Only authorised devices (including laptops, desktops, mobiles and tablets) are given access to corporate information and the enterprise network. Gap: Users can only access Office 365 when connected to the PO network [remainder illegible].
- Remediation MSS-C2.19: [Devices] (except BYOD) must have a valid certificate and this process is already in [place]. The Control Owner in Mick Ebsworth's team is in the process of arranging to receive a monthly report from CC demonstrating compliance by [date illegible]. Network Access Control solution. Going forward, the control around the process will be reviewed on a monthly basis. Gap: Hardware assets that are not on the register [remainder illegible].

Risk: SOC and supporting technology controls (provision of Security Operations Centre for security)
Risk Description: Failure by POL IT to introduce a Security Operations Centre may lead to increased cyber attacks, lack of enhanced visibility and lack of prompt detection of threats, resulting in loss of service, financial loss and reputational damage.
Controls and remediation:
- Control MSS-C7.1: The PO have configured systems and network devices to log suspicious or anomalous behaviour, such as invalid logon attempts, out of hours failed access attempts, network penetration attempts and other security activity. Gap: Currently no Service Organisation Controls (SOC) in place with third party suppliers.
- Remediation MSS-C7.19: The services are currently completed by 3rd party providers but not centralised. PO review monthly reports on activities and advise on any incidents and risks. Work is in progress to centralise this into the SOC Service Organisation Controls by [day illegible] Dec 2017, with monthly reviews to take place after this date.
Next Steps
13. Continue to validate control designs and gaps with control owners and expand control design to include defined control operators and audit trail. Walkthroughs are scheduled to run over the next couple of weeks for the remaining 7 RACMs.
14. Test scripts will be finalised for all 11 processes by the end of September.
15. A workshop has been scheduled for 7th September to plan the operating model for ongoing controls assessment. This will also determine if 3rd party off-shore support is required.
16. Training with control owners will start in October. Following advice from the Finance Controls Project this will be carried out in a staged approach and we estimate it will take 3 months to deliver.
17. Self-assessment will commence as the RACMs are rolled out and training is completed with control owners.
18. As an awareness exercise and to provide support to the forthcoming EY Finance Control Audit we will share the ITCF RACMs for Manage Change, Manage Security Services and Manage Operations with EY.
19. Appendix 2 depicts the Tranche Priority processes for the ITCF programme. Priority 2 process controls have not yet been started; these represent the priorities for the remainder of the fiscal year in the following order: Manage Assets; Manage Business Process Controls; Governance Framework; Enterprise Architecture; Manage Configuration and Human Resources. Gap analysis and remediation is expected to be complete by end January 2018.
20. In summary, we expect to have controls operating against all identified key risks by fiscal year end, with every control having been through at least one round of self-assessment and sample audit checks undertaken on each process.
Appendix 1
[Appendix 1: gap severity criteria matrix, illegible in the scan. Recoverable headings: impact on Confidentiality (C), Integrity (I) and Availability (A) of systems and data, reputational risk, and likelihood, each graded High / Medium / Low.]
Appendix 2 — ITCF processes by Tranche Priority
[Figure: ITCF processes by Tranche Priority, not legible in the scan.]
RISK & COMPLIANCE COMMITTEE ADVISORY PAPER
POL Disaster Recovery Position
Authors: Mick Mitchell/Rebecca Barker Sponsor: Rob Houghton Meeting date: 13th September 2017
Executive Summary
Context
In July 2017, the POL Disaster Recovery Position paper outlined the current
Disaster Recovery (DR) position within POL and the need to implement a strong
DR Policy and Framework which is regularly tested and improved. This paper
provides an update on the remedial actions to date.
Questions addressed in this report
1. What is the progress since the last update?
2. What are the next steps?
Conclusion
1. We have carried out a full review of the current state of key services to
understand what has been tested and the status of testing that has been
carried out to date. We developed a Disaster Recovery Framework and
assessed all DR services against it. 29 services are rated Gold, 10 services
are Silver and 13 Bronze, based on recovery times required. We are still
in the process of reviewing the Silver/ Bronze services but can confirm
that 4 are compliant with the DR framework with the rest still to be
determined. We have reviewed our DR plans with business and process
owners to ensure that these plans align to the needs of the business.
2. We are putting action plans in place to bring non-compliant services into
full compliance with the DR framework over the coming months, and will
assess the costs involved to support any required contract changes. We
will also review and refresh the framework, and further define Recovery
Time Objectives (RTO) and Recovery Point Objectives (RPO).
Input Sought
We are asking the RCC to endorse the actions outlined to date and support
further reviews of status at future RCC forums.
The Report
What is the progress to date?
1.1 We have carried out a full review of the current state of key services to understand what has been tested and the status of testing that has been carried out to date.
1.2 We have defined a robust DR framework for IT Services which provides clear definition of the testing and recovery required.
1.3 Services are categorised by recovery time as Gold (recovery time 5 hours), Silver (recovery time 24 hours) or Bronze (recovery time 96 hours).
1.4 We have assessed all DR services against the framework and 29 services are rated Gold, from 8 different Suppliers (further detail in Appendix A). Of the remainder, 10 DR services are rated Silver and 13 Bronze. We are still in the process of reviewing these remaining Silver/Bronze services but can confirm that 4 are compliant with the DR framework, with the rest still to be determined. We will prioritise this over the next few months. We have carried out a review with business and process owners to ensure that our IT DR plans align to the Business Continuity planning needs of POL.
1.5 We have implemented improved governance around the process of periodic IT DR testing from our supplier base. In future, the postponement of IT DR tests will only be permitted subject to active challenge and subsequent sign off by IT and business owners.
1.6 We have reviewed the existing IT Service Recovery report that Atos provide and made key amendments that will ensure that POL IT can give more visibility across IT and our business areas.
1.7 We have updated our risk logs to align with the above status.
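As an added illustration (not part of the RCC paper or POL's own tooling), the following Python script applies the framework's tier recovery times (Gold 5 h, Silver 24 h, Bronze 96 h) to a list of services and flags the two kinds of gap the supplier appendix itself reports: a contractual RTO longer than the tier allows (the CDP case, contract RTO 21.4 h) and a full DR test that is stale or unconfirmed. The service records are constructed sample data; only the CDP and Debit Card figures come from the paper, and the exact test dates, the other supplier names and the 365-day staleness threshold are assumptions.

```python
"""Added example: checking services against the paper's DR framework tiers.

Constructed sample data; tier limits are the recovery times stated in the paper.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Maximum recovery time (hours) permitted for each tier, per the framework in the paper.
TIER_RTO_HOURS = {"Gold": 5, "Silver": 24, "Bronze": 96}

# Assumption for this example: the paper describes suppliers testing annually,
# so a full test older than a year is treated as stale.
MAX_TEST_AGE_DAYS = 365


def tier_for_required_rto(required_hours: float) -> str:
    """Classify a service by the recovery time the business requires (lowest tier that fits)."""
    for tier in ("Gold", "Silver", "Bronze"):
        if required_hours <= TIER_RTO_HOURS[tier]:
            return tier
    raise ValueError(f"required RTO {required_hours}h exceeds the Bronze limit")


@dataclass
class DRService:
    name: str
    supplier: str
    required_rto_hours: float            # recovery time the business needs
    contract_rto_hours: Optional[float]  # recovery time the supplier contract guarantees (None = unknown)
    last_full_test: Optional[date]       # None = never tested or not confirmed by the supplier


def assess(service: DRService, today: date) -> dict:
    """Return the service's tier and every framework gap found for it."""
    tier = tier_for_required_rto(service.required_rto_hours)
    limit = TIER_RTO_HOURS[tier]
    gaps = []
    # Gap 1: the contract does not back up the tier (the CDP situation in the paper).
    if service.contract_rto_hours is None:
        gaps.append("contractual RTO not confirmed")
    elif service.contract_rto_hours > limit:
        gaps.append(f"contract RTO {service.contract_rto_hours}h exceeds {tier} limit of {limit}h")
    # Gap 2: no recent evidence that recovery actually works.
    if service.last_full_test is None:
        gaps.append("no confirmed full DR test")
    elif (today - service.last_full_test).days > MAX_TEST_AGE_DAYS:
        gaps.append(f"last full test {service.last_full_test.isoformat()} is older than {MAX_TEST_AGE_DAYS} days")
    return {"service": service.name, "supplier": service.supplier, "tier": tier,
            "compliant": not gaps, "gaps": gaps}


def compliance_summary(services, today: date) -> dict:
    """Per-tier counts of services and fully compliant services, as a committee paper would report them."""
    summary = {tier: {"total": 0, "compliant": 0} for tier in TIER_RTO_HOURS}
    for service in services:
        result = assess(service, today)
        summary[result["tier"]]["total"] += 1
        summary[result["tier"]]["compliant"] += int(result["compliant"])
    return summary


# Constructed sample input. Day-of-month values are assumed; the paper gives months only.
SAMPLE_SERVICES = [
    # CDP: classified Gold (5 h) but the contract only guarantees 21.4 h (figures from the paper).
    DRService("Common Digital Platform (CDP)", "Accenture", 5, 21.4, date(2016, 10, 1)),
    # Debit Card: Gold, last full test verified May 2013 (from the paper).
    DRService("Debit Card", "Fujitsu", 5, 5, date(2013, 5, 1)),
    # Constructed: a Silver service that meets the framework.
    DRService("Reporting", "Supplier X (assumed)", 24, 12, date(2017, 6, 1)),
    # Constructed: a Bronze service with no confirmed test.
    DRService("Archive", "Supplier Y (assumed)", 96, 72, None),
]

AS_OF = date(2017, 9, 13)  # the RCC meeting date on the paper

if __name__ == "__main__":
    for service in SAMPLE_SERVICES:
        print(assess(service, AS_OF))
    print(compliance_summary(SAMPLE_SERVICES, AS_OF))
```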
What are the next steps?
1.8 POL IT will now ensure that we have the actions in place to mitigate any outstanding issues, assess the costs involved to support any required contract changes and schedule tests that have not been scheduled or aligned to contract specifications.
1.9 We will review and refresh the framework, including the need for further definitions of Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
1.10 Gain agreement with the RCC to progress the actions specified above.
1.11 We propose to include a progress update at each RCC going forwards.
Appendix 1. DR Framework — Gold Services Status
Provider | Summary | Service | Test Status | Comment
Fujitsu (8 Gold Services) | There has been no formal Data Centre DR test of the Fujitsu environment since May 2013 due to Infrastructure Legacy issues. Component testing has been carried out on most of Fujitsu's platforms. We will initiate a project in Autumn 2017 with the objective of having a full DR test of the Fujitsu Horizon environment in 2018. | Network Banking Service (POCA/Vocalink/Santander) | Component test carried out in May 2016 |
| | Network | Component test carried out in May 2016 |
| | Debit Card | Last full test verified in May 2013 |
| | (Online Processing) | Last full test verified in May 2013 |
| | PODG | Component test carried out in June 2017 |
| | MDM | Last full test verified in May 2013 | Credence & MDM platforms will migrate to a Cloud-based service platform in October 2017
| | Credence | Component test carried out in June 2017 | See MDM note
| | POLSAP | Component test carried out in June 2017 |
BT/Verizon (1 Gold Service) | The service is currently transferring to Verizon from BT. | Core Branch Network Services | Successful DR Data Centre failover carried out Feb 2017 |
Atos (1 Gold Service) | Atos provide IT Service Desk services to the Post Office from their two locations in Manila, Philippines, and their Disaster Recovery Centre in Kuala Lumpur, Malaysia. | IT Service Desk | We are awaiting confirmation from Atos on their last IT Service Desk test, but an account DR plan was successfully carried out in March 2017. |
HP (2 Gold Services) | HP provide the Post Office with services for their card account product, including two gold services. | Card Account services - Cheque printing | All services have a DR test annually (last known test was July 2017). Currently waiting for a status update on this test. |
| | Card Account services - Banking Engine | As above |
Gemalto (1 Gold Service) | Gemalto provide Biometric Application, Enrolment and Identification (AEI) services to the Post Office Branch Network. | Biometric Application, Enrolment and Identification (AEI) services | Last DR test May 2017. Some issues identified and actions being put in place to resolve. |
VocaLink (1 Gold Service) | Vocalink provides a payment service gateway and is protected as part of the national infrastructure. Routers are located in Fujitsu Datacentre. Vocalink switch to alternative datacentres every 3 months as they have active/active Datacentres. | Vocalink Payment Services gateway | |
Accenture (3 Gold Services) | Gold Services are Credence (Software), POLSAP (Software) and Common Digital Platform (CDP) (software). The CDP service that supports Post Office.co.uk has been classified as a Gold service with a RTO within 5 hours. This is not backed up in the contract (RTO 21.4 hours); a business decision will be required to confirm whether this is acceptable and we accept this risk, or potentially incur costs to reduce the contractual RTO. A meeting will be scheduled in September 2017 with the process, business and service owners. | Credence (software) | Component testing of Credence infrastructure carried out by Fujitsu June 2017 | Credence & MDM platforms will migrate to a Cloud-based service platform in October 2017
| | POLSAP (software) | Component testing of POLSAP infrastructure carried out by Fujitsu June 2017 |
| | Common Digital Platform (CDP) | CDP platform was successfully tested in October 2016. | See note in Summary column re RTO.
Computacenter (12 Gold Services) | A full disaster recovery test occurred in June 2017. This exercise successfully recovered in-scope services; however, there were issues during testing which resulted in some failures, these included Office 365, Skype, SRM, "follow me" printing, ADFS (Active Directory File System) and SMTP. All issues have been resolved. Meetings will be held with business owners and Atos in September 2017 to ascertain a suitable date for re-test. Atos recommendation is for a re-test within 6 months. The timing of the re-test should allow Computacenter and all 3rd parties reasonable time to investigate and remediate the root cause of issues identified during the test and facilitate a successful re-test in reasonable timescales. | DHCP Core Network | June 2017 - see note in Summary column |
| | Active Directory | As above |
| | Email | As above |
| | OneDrive | As above |
| | SharePoint | As above |
| | Skype | As above |
| | Ricoh Printer Server ("Follow Me Printing") | As above |
| | Admin LAN | As above |
| | Firewall and DDoS | As above |
| | Core Network | As above |
| | Wi-Fi | As above |
| | VPN | As above |
3.5. Finance Controls
POST OFFICE PAGE 1 OF 10
RISK AND COMPLIANCE COMMITTEE ADVISORY PAPER
Financial Reporting Controls
Author: Danielle Goddard Sponsors: Amanda Radford, Al Cameron Date: 13 September 2017
Executive Summary
Context
The purpose of this paper is to update the RCC on the status of the Financial Reporting
Controls Framework (the FRC), the most recent control self-assessment results (July
2017), current areas of focus, and the progress made on the second phase of the
project.
Questions addressed in this report
1. What is the current status of the FRC?
2. What are the latest self-assessment results?
3. How are the current control gaps being addressed?
4. What were the results of the Merlin review and balance sheet review?
5. What progress has been made on the next phase of the FRC, and what are the next steps?
Conclusions
The existing framework has continued to expand (269 controls at end July 2017 from
262 at end May 2017) as we have introduced various new controls. Monthly self-
assessment is continuing in the TrAction online self-assessment tool and results are
being monitored.
Of the 269 controls at end July 2017, 191 (71%) were issued for self-assessment. 184
(96% of those issued for self-assessment) were operating effectively. Of the
remaining 7 controls, 3 were not performed in time but were subsequently confirmed
as effective, 1 was not performed effectively but mitigating procedures were
reviewed, 2 related to the change in the Fixed Assets control environment which is
under review, and 1 was not self-assessed but was later confirmed as effective.
Of the 78 controls not issued for self-assessment at the end of May, 55 were not due
to be operated in the period. 13 controls were in remediation, and 10 were yet to be
set to live. For the 13 controls in remediation, workaround controls are in place or
remediation is in progress. The 10 controls being made live for self-assessment relate
to the overall control environment and have been reviewed to ensure there were no
unaddressed risks which could affect the financial statements.
PwC testing is now complete excluding Spreadsheets, for which we have draft results;
the results for the completed areas show that out of 80 controls tested, there were 12
amber exceptions and no red exceptions. The amber exceptions have now been
addressed. The draft results for Spreadsheets testing show that improvement is
required (rated as amber); work is already in progress to address this.
The Merlin investigation work is complete; the investigation has identified accounting
entries which could relate to missing cash. However, the cause of this potential cash
loss could not be confirmed to either be accounting errors following system outages, or
the theft of cash.
In response to the Merlin incident a new high risk gap was raised regarding POLSAP
journals, which has since been reduced to medium risk. An interim authorisation
policy has been implemented and user roles have been reduced to the minimum
required. Further work is still being performed to refine and monitor this. The FRC
team are working with the Back Office Transformation team to develop the longer-term solution once POLSAP processes are migrated into CFS. A review is also underway over HRSAP access and the control environment over its replacement, Success Factors.
The year-end review of Accounts receivable and Accounts payable is complete; testing
was performed over the material Receivables and Payables balances as at FY16/17
year end, with a focus on confirming balances had cleared (i.e. receipts or payments)
after the year end, and reviewing support for any uncleared items. The review
identified a number of adjustments, netting to a debit to the P&L of £65k. With the
exception of the Merlin cash centre balance, the adjustments mainly relate to aged
balances which are no longer required or supported, which are individually immaterial.
Further work is planned to complete balance sheet reconciliation training.
A Masterdata controls analyst and a Finance Service Centre controls analyst
(contractors) have now joined the FRC team. A permanent controls analyst has been
recruited to start in October 2017, who will perform monthly testing of controls.
Input Sought
The RCC is asked to note the progress made and comment on the priorities.
The Report
1. What is the current status of the FRC?
1.1 The controls within the 12 processes included in the original scope of the FRC are
being self-assessed by control owners on a monthly basis. Results are
monitored by the FRC Manager on a monthly basis. The results of the most
recent control self-assessment (July 2017) are summarised in section 2 below.
1.2 The controls framework is expanding and adapting each month. The total
number of controls at end July 2017 was 269, up from 262 at end May 2017.
The net increase of 7 controls related to the addition of 12 new controls, less 5
removed controls. The 12 new controls were one for each Process owner to submit periodic confirmation that they have reviewed the risks and controls in
their process. Of the 5 controls removed, 3 were merged with similar or linked
controls, and 2 were no longer relevant (one relating to the closed DB pension
plan, and the other relating to an accrual which is no longer required). All
control removals are reviewed before being removed from the CSA tool.
1.3. PwC have completed their independent testing of controls (excluding Spreadsheets, for which we have draft results) and have provided a consolidated report, showing that of the 80 controls tested there were 12 amber exceptions identified and no red exceptions identified. The amber exceptions mainly related to ownership issues and wording changes. These have since been resolved. An extract from the PwC report is shown in Appendix 2.
1.4. PwC have provided draft results of their testing over Spreadsheets controls. The control has been rated as amber, with some improvement required in order to refine the controls defined and apply them consistently. The main improvements required relate to change management and approval of changes. Work has already begun to address the detailed action points raised by PwC, including the introduction of a front sheet for each spreadsheet which requires evidence of change management and approval. This is currently being rolled out across the in-scope spreadsheets (starting with those that PwC identified as requiring improvement from their sample testing). PwC are developing their comments before providing a formal report on Spreadsheets controls.
1.5. A permanent controls analyst has now been recruited, who will perform monthly cycle testing over all controls. The controls analyst is expected to join the FRC team during October 2017.
1.6. There were 13 open control gaps remaining at end of July 2017 for which workaround controls are in place or remediation is being completed. None are considered high risk; 9 are considered medium risk and 4 low risk. This includes the control gap that was raised in respect of POLSAP journals, which was classified in June 2017 as high risk but subsequently reduced to medium risk after temporary controls were implemented. This is further discussed in section 3.
1.7. There were 10 controls to be set to live at end of July 2017; all had owners but were awaiting final confirmation to go live. These all related to controls which sit under the overall control environment. None of these are expected to have a direct impact on the financial statements, but work is being done to bring these live and into self-assessment by end December 2017.
2. What are the latest self-assessment results?
2.1. The results of the July 2017 self-assessment are summarised in the table below.
See appendix 1 for further detail of the July self-assessment results by process.
July 2017 self-assessment summary
  Total controls                                        269
  Less: controls in remediation                         -13
  Less: controls to be set to live                      -10
  Less: controls not due to be operated (frequency)     -55
  Total population for self-assessment                  191   (71% of total controls)
  Self-assessed and operated effectively                184   (96% of population)
  Self-assessed but not operated effectively              6   (3%)
  No self-assessment submitted                            1   (1%)
2.2. 55 controls were not due to be self-assessed for July 2017 because they are annual, bi-annual or quarterly controls and did not fall due in the month.
2.3. 3% (6 controls) were initially assessed as not operating effectively; 3 of these
were performed late, 2 related to Fixed Asset controls which are being
transformed as a result of the recent Fixed Assets review, and 1 was not
performed but mitigating procedures were in place. Conversations have also
been held with control owners to ensure that the controls are performed
effectively and on time for the next self-assessment.
2.4. 1% (1 control) had no self-assessment submitted. We have confirmed with the
control owner that the control was performed effectively and there were no
issues.
2.5. The August self-assessment is currently being performed and results will be
assessed mid-September.
3. How are the current control gaps being addressed?
3.1. There were no high risk control gaps at end July 2017, 9 medium risk gaps, and
4 low risk gaps.
3.2. In June 2017 a high risk control gap was raised regarding lack of authorisation
over manual journals in POLSAP. Under the original scope of the FRC, an
authorisation process was implemented over CFS journals and it has since been
identified that this should be extended to cover POLSAP. Work has been
performed to mitigate the risk and the control gap has been reduced to
medium.
3.3. Some POLSAP users require access to post manually in order to carry out various
transactions (manual file uploads, transaction corrections, cash receipts and
cash dispatches, treasury clearing account transactions, and client
settlements). There are various controls already in place to detect any errors or issues arising from these postings, for example: probity returns over POLSAP balance sheet GL accounts > £5k, independent authorisation of high value transaction corrections, vendor reconciliations on client settlement vendors, and bank reconciliations.
3.4. An authorisation process has now been implemented for POLSAP journals, effective from 5 July 2017. The authorisation process covers manual POLSAP entries which are > £250k in value, or > £30k for Transaction Corrections and Supply Chain / Cash Centre postings, which we expect to be smaller.
3.5. Manual postings in scope for approval in July were sample checked to ensure authorisation was provided by an appropriate authoriser; a 10% sample check was performed (52 items). Of the 52 items sampled, 34 were agreed to approvals sent to the POLSAP Approvals inbox, 17 were agreed as pre-approved through the normal payment approvals process (which we agreed would be out of scope for this separate approvals process), and 1 did not receive approval; this was followed up and retrospective authorisation was received. Sample testing will be extended to ensure there are no further unauthorised journals.
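The sample check in 3.5 can be run over the whole population of in-scope postings rather than a 10% sample. The following Python is an added illustration, not Post Office or PwC code: it applies the section 3.4 thresholds to a constructed journal export, matches each in-scope posting against a constructed approvals log, and rejects approvals that come from the poster themselves or from anyone outside the authoriser list. The CSV layout, the posting-type labels, the user names and the authoriser list are assumptions made for the example.

```python
"""Authorisation check over manual journal postings (added example, not Post Office code).

Applies the thresholds stated in the paper (> GBP 250k for manual entries, > GBP 30k for
Transaction Corrections and Supply Chain / Cash Centre postings) to a constructed journal
export. CSV layout, posting-type labels, user names and authoriser list are assumptions.
"""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal

# Posting types to which the lower limit applies (labels are assumed).
LOWER_LIMIT_TYPES = {"TRANSACTION_CORRECTION", "SUPPLY_CHAIN_CASH_CENTRE"}
DEFAULT_LIMIT = Decimal("250000")
LOWER_LIMIT = Decimal("30000")


@dataclass(frozen=True)
class Journal:
    doc_id: str
    posting_type: str
    amount: Decimal     # absolute posting value in GBP
    posted_by: str
    pre_approved: bool  # already approved via the normal payment approvals process


def approval_limit(posting_type: str) -> Decimal:
    """Threshold above which a separate authorisation is required."""
    return LOWER_LIMIT if posting_type in LOWER_LIMIT_TYPES else DEFAULT_LIMIT


def in_scope(journal: Journal) -> bool:
    """In scope when above the limit for its type and not pre-approved elsewhere."""
    return not journal.pre_approved and journal.amount > approval_limit(journal.posting_type)


def load_journals(text: str) -> list:
    """Parse the constructed export; credits and debits are compared by absolute value."""
    return [
        Journal(
            doc_id=r["doc_id"],
            posting_type=r["posting_type"],
            amount=abs(Decimal(r["amount"])),
            posted_by=r["posted_by"],
            pre_approved=r["pre_approved"].strip().lower() == "yes",
        )
        for r in csv.DictReader(io.StringIO(text))
    ]


def load_approvals(text: str) -> dict:
    """Map doc_id -> set of approver user names from the constructed approvals log."""
    approvals = {}
    for r in csv.DictReader(io.StringIO(text)):
        approvals.setdefault(r["doc_id"], set()).add(r["approver"])
    return approvals


def check_authorisations(journals, approvals, authorisers) -> dict:
    """Classify every in-scope journal as approved, invalid_approver or missing.

    An approval only counts when it comes from a named authoriser who is not the
    person who posted the journal (segregation of duties).
    """
    result = {"approved": [], "invalid_approver": [], "missing": []}
    for j in journals:
        if not in_scope(j):
            continue
        found = approvals.get(j.doc_id, set())
        valid = {a for a in found if a in authorisers and a != j.posted_by}
        if valid:
            result["approved"].append(j.doc_id)
        elif found:
            result["invalid_approver"].append(j.doc_id)
        else:
            result["missing"].append(j.doc_id)
    return result


# Constructed sample data, not real postings.
JOURNALS_CSV = """doc_id,posting_type,amount,posted_by,pre_approved
J001,MANUAL_UPLOAD,310000.00,alice,no
J002,MANUAL_UPLOAD,120000.00,bob,no
J003,TRANSACTION_CORRECTION,45000.00,carol,no
J004,TRANSACTION_CORRECTION,12000.00,carol,no
J005,SUPPLY_CHAIN_CASH_CENTRE,-80000.00,dave,no
J006,CLIENT_SETTLEMENT,900000.00,erin,yes
J007,MANUAL_UPLOAD,275000.00,frank,no
"""
APPROVALS_CSV = """doc_id,approver
J001,grace
J003,carol
J005,heidi
"""
AUTHORISERS = {"grace", "heidi"}


def run_example() -> dict:
    return check_authorisations(load_journals(JOURNALS_CSV), load_approvals(APPROVALS_CSV), AUTHORISERS)


if __name__ == "__main__":
    for bucket, docs in run_example().items():
        print(f"{bucket}: {docs}")
```

On the constructed data the check reports J001 and J005 as approved, J003 as carrying only a self-approval by the poster, and J007 as posted above the £250k limit with no approval at all; J002 and J004 fall below their limits and J006 is excluded as pre-approved. Treating a self-approval as a finding rather than an approval is what makes the check useful against the scenario in section 4, where the same person both posts and clears an entry.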
3.6. Separate to this, a POLSAP user access review has been performed to remove
access from any users who do not have a critical requirement for access to post
manually into POLSAP. This resulted in 54 out of a total of 169 roles being
removed. A report is being obtained from Accenture to assess the last
transaction dates for these users. The reason for the high number of roles is
due to the size of the teams processing transaction corrections, settlements,
and cash receipting and despatching. Of the 54 roles removed, 7 were leavers
and 8 were Accenture support roles.
3.7. The Back Office Transformation (BOT) project is removing POLSAP and
transitioning the processes performed in POLSAP over to CFS. Access to post
manual journals in CFS is centralised and restricted to a small number of
individuals who have appropriate segregation of duties. The FRC team are
working with the BOT team to ensure that the CFS controls are applied to the
migrated POLSAP processes where appropriate.
3.8. After the transition into CFS, all manual journals which are not high volume or
time critical will be submitted centrally for processing and subject to the normal
CFS journal authorisation policy. However, there are some processes where
users require access to create a high volume of time critical manual
transactions (for example transaction corrections and cash receipting or
despatching). For these transactions, there are options which can be used in CFS including value restrictions on the maximum value a user can transact, and
workflow approval based on defined approval limits. We will be defining
appropriate controls with the BOT team.
3.9. A review is underway over HRSAP access and the control environment in Success
Factors.
4. What were the results of the Merlin review and balance sheet review?
4.1. In the last update to RCC, a review over the Merlin incident and a Balance Sheet
review over Debtors and Creditors were underway.
4.2. In response to the Merlin incident, the following investigation work has been performed:
- An investigation was carried out over the financial records held and internal
controls in place, in order to identify the cause of the issue. A Deloitte Senior
Manager was seconded to the POL Accounting and Governance team to perform
this investigation.
- The investigation included review of the relevant debtor accounts, review of the
cash transactions carried out by the cash centre manager, walkthrough of cash
centre processes, review of cash transactions on the POLSAP outage dates, and
review of BACS payments to customers.
- Formal interviews were held with the former employee to understand the causes
of the unexplained balance.
4.3. The investigation performed has identified accounting entries which could relate
to missing cash. However, the cause of this potential cash loss could not be
confirmed to either be accounting errors following system outages, or the theft
of cash. The balance is not supported by any physical cash or asset, and has been
written off.
4.4. In response to the Merlin incident, the following controls have been implemented:
- An authorisation process over high value manual journals in POLSAP has been
implemented and sample tested; refer to sections 3.4 and 3.5 of this paper.
- POLSAP user access has been reviewed and 54 roles have been removed in order
to reduce risk; refer to section 3.6 of this paper.
- A control is being introduced to the framework for a bi-annual full cash count at
all cash centres. A full cash count was performed of all cash centres in July, the
results have been tied back to the relevant POLSAP GL accounts. Some cash in
despatch was not counted at the time of the count, but alternative procedures were performed to trace each of these items in Horizon to the subsequent
acceptance by branches. No issues were noted.
4.5. The Balance Sheet review over Debtors and Creditors is now complete. Deloitte
secondees were engaged to assist with the review, which focused on testing the
material receivables and payables balances as at FY16/17 year end, with a
focus on testing the clearing of balances (i.e. receipts or payments) after the
year end, and reviewing support for any uncleared items.
4.6. The review identified a number of adjustments, netting to a debit to the P&L of
£65k. With the exception of the Merlin cash centre balance, the adjustments
mainly relate to aged balances which are no longer required or supported, which
are individually immaterial.
4.7. The review also identified a need for balance sheet training in some areas, which
we plan to carry out in October and November 2017.
5. What progress has been made on the next phase, and what are the next steps?
5.1. We are currently re-assessing controls across Fixed Assets. The financial
reporting risk has changed within fixed assets due to the potential change from
full impairment to capitalise and depreciate and for this reason we are re-
assessing risks and controls in this area.
5.2. We are also re-assessing controls over Network Cash. As per section 4.4 of this
paper, a control is being added into the CSA tool for a full cash count to be
performed on the FY17/18 year end date, and bi-annually going forwards from
FY18/19. The FRC team are developing standard format procedures and
documentation for the cash counts.
5.3. Masterdata was added to the scope of the FRC after year end; 3 Masterdata
processes have been covered to date and 10 controls are now being self-
assessed on a monthly basis. Some control gaps were identified from the initial
3 processes covered, most being due to reliance on manual processes with a
lack of monitoring controls. None of the gaps indicate a risk of material
misstatement. A new Masterdata controls analyst has now joined the FRC team,
with initial priorities being over control gap remediation, Atos, and Payroll
(including review of Success Factors).
5.4. As noted previously, in reviewing the programme we have identified a further
four areas that we want to add to the FRC which were not considered high risk
for the original scope: agents’ debt; the branch correction process; agent
remuneration; and POMs. A business case has been approved to cover this, as well as the remaining Masterdata work to be performed, other Finance Service
Centre controls, and Cash Management and Forecasting controls. A new
controls analyst has now joined the FRC team and has started mapping risks
and controls over the Finance Service Centre controls including the branch
corrections process. Recruitment is underway for an additional controls analyst
who will work on the other areas in scope.
Appendix 1 - July 2017 CSA results by process
Process               Controls  Control  Owner     No     Operated     No self-    Not due      Submitted but  To be
                                gaps     assigned  owner  effectively  assessment  (frequency)  not operated   set live
Bank & Cash              32       0        32       0        29           0           3             0            0
Bill To Cash             19       2        19       0        13           0           4             0            0
Control Environment      21       1        21       0         6           0           4             0           10
Fixed Assets             20       3        20       0        15           0           0             2            0
Payroll                  47       1        47       0        42           0           2             2            0
Procure To Pay           28       0        28       0        14           1          12             1            0
Project Accounting       11       1        11       0         5           0           5             0            0
Record To Report         40       3        40       0        29           0           7             1            0
Settlement Process       14       0        14       0         9           0           5             0            0
Stock                     7       2         7       0         2           0           3             0            0
Tax                      19       0        19       0        12           0           7             0            0
Treasury                 11       0        11       0         8           0           3             0            0
Total                   269      13       269       0       184           1          55             6           10

Each row reconciles as controls = control gaps (in remediation) + the five CSA columns, and the totals row agrees with the section 2 summary (184 + 1 + 55 + 6 + 10 + 13 = 269).
Appendix 2 - PwC independent assurance results (excluding
Spreadsheets)
Figure 1 - Internal Audit's assessment of performance against management's own self-assessment.
We have sample tested 43% of the total manual controls in the risk and control matrices (RACM) of in-scope processes. The table shows Internal Audit's assessment of the sample of controls compared to management's CSA for the same sample.

Finding rating   Assessment rationale
Red              Control is not operating effectively.
Amber            Control is not designed effectively, but remediation plan is in place or the control operated partially.
Green            Control is designed and operating effectively.

[Table: Internal Audit testing results against POL management CSA results for the in-scope processes, with rows for No issues noted, Design effectiveness, Operating effectiveness and Total. The per-rating columns did not survive extraction; the Total row records 80 controls tested and 387 manual controls in the RACM.]

At the time of our testing we found that nine controls (5.4.a.1 - fixed asset, C9.2.j - payroll, C9.2.c - payroll, C9.2.r.2 - payroll, C9.4.c - payroll, D1.9.b.1 - record to report, D1.10.b.1 - record to report, D1.11.e.1 - record to report, D1.12.d.1 - record to report) "in remediation" had been implemented without an exception. From the walkthrough performed of controls in remediation, we believed the risks are appropriately addressed by the remediation plan in place.
We did identify controls which required updating or further clarity. These have been listed in the Appendix.
3.6. Business Continuity
POST OFFICE RISK & COMPLIANCE COMMITTEE GOVERNANCE UPDATE
3.6 Business Continuity & Crisis Management update
Author: Tim Armit    Sponsor: Jane MacLeod    Meeting date: 13 Sept 2017
Executive Summary
Context
The level of awareness about continuity planning and crisis response continues to
increase. In line with ISO Standards methodology Post Office has a strong
Management System in place which meets our external requirements but gaps exist
across all areas in terms of implementing this system. Priority has been given to
customer facing operational areas, Chesterfield and Supply Chain with all other areas
within scope but of lower priority currently.
Questions this paper addresses
• How resilient are Post Office's current business processes, systems and applications?
• What are the next priority areas to be addressed?
Input Sought
The Committee is requested to note the report.
Conclusion
What is the status of business continuity?
1. The last RCC was presented with a high level road map of the status of business continuity and crisis response. This has now been broken down into more detail focussing on:
• Locations
• Business Functions
• IT Systems
2. There are 21 identified key sites, mainly Supply Chain CVIT locations. Each of these is being visited and the site leaders worked with to agree crisis response and contingency options. A summary of the sites visited so far, high level findings and next steps is shown in the appendix below; this is ongoing work. Other key sites such as Chesterfield have undergone a relocation exercise which proved the capability of teams to work in the recovery site successfully. On August 25th Finsbury Dials tested its capability to work at home with no issues raised and everyone able to work simultaneously remotely.
3. More detailed work on impacts and risks is required and this is ongoing. Until we
understand the impact of each business area, location and system not being
operational we cannot confirm if our recovery capabilities meet our needs.
Additionally if we do not clearly understand the risks inherent within our
operational environments we can’t confirm we are planning to mitigate for them.
Each site, system and business line will be analysed and reported on, this will be
complete by June 2018. To get to this position each business area and location
will be analysed for the impact it would suffer during an interruption to determine
at what point this impact becomes intolerable. Each location will have the risks
analysed and recovery strategies for all areas agreed. Priorities will be Supply
Chain, Chesterfield, IT systems. Then Banking Framework, Bolton, Finsbury
Dials. All other business areas will then follow.
4. IT Systems are being assessed for impact in conjunction with the IT Department.
IT are to report back to RCC on the impact of the loss of key operational systems
and business continuity are working with them to assess the impact of systems
failures across POL. Detail on this will be in the IT report.
5. Given the dependency on IT systems which is currently being addressed, the
review of each business function will be undertaken following the IT review. It is
planned to have plans for all business functions in place by June 2018. Banking
Framework and other key areas are being worked with but more focus on
business areas will be taken in 2018 in the priority order shown above.
6. A spreadsheet listing all three key areas has been produced and every key point is assessed against the key elements of the ISO standard to measure progress. These are:
• Impact Analysis
• Risk Analysis
• Recovery Strategies
• Crisis Plans
• Business Continuity Plans
• Testing and Awareness
There are other components including supply chain analysis and plans for branches that will be included once the basic levels are all in place.
Industrial Action
7. There is a risk that Royal Mail may have industrial action later in 2017. Business
Continuity have worked across Post Office to identify all the points of contact
between Royal Mail and Post Office. Business Continuity have met with a large
cross section of Royal Mail managers to discuss the risk of Industrial Action and
what mitigation and contingencies are in place and can be put in place. This is
ongoing with future meetings planned. It is thought unlikely that any industrial
action will happen before the end of October and it cannot legally happen for at
least 5 weeks.
Appendix 1 - Status of progress

Action: Further training and education for the Business Protection Team, including improvement of the procedure to invoke the Business Protection Team.
Update: Initial changes made to invocation in place. Workshop planned for September.
Owner: Tim Armit
Target date: 9/17

Action: The IT DR capabilities and subsequent impact on the business need defining and plans considered.
Update: Impact of system failure report first draft published for review.
Owner: Mick Mitchell / Tim Armit
Target date: 9/17

Action: The Industrial Action plans need to be reviewed in light of current risks.
Update: Internal POL meeting held and two Royal Mail meetings held to determine needs and plans. POL requirements will feed into the RM plans to ensure we know gaps and planned responses.
Owner: Mark Siviter / Tim Armit
Target date: 10/17

Action: Development and implementation of a recovery strategy for Bolton.
Update: Cost for Sungard solution agreed and budgeted; meeting with Bolton lead team to agree solution being planned for September.
Owner: Joe Conor / Tim Armit
Target date: 10/17

Action: Home working as a mitigator for a potential failure of Finsbury Dials needs to be tested and proved.
Update: Test run in August. Complete success with no issues. Plan to run this as an annual exercise going forward. Further work with IT on security and Skype.
Owner: Tim Armit / Mick Mitchell
Target date: 1/18

Action: Stay Calm manual needs to be simplified and training provided as to its use.
Update: Training across Supply Chain depots underway. Agreement to restructure in place with key users within Supply Chain. Review of documentation complete. Draft new approach out for pilot now; once agreed, the new approach will be rolled out in October. Restructured document in place by year end.
Owner: Tim Armit / Marcia
Target date: 12/17

Action: Resilience levels across all key locations and facilities need to be tested, improvements identified and implemented.
Update: Chesterfield solution in place and approach to PCs being reviewed for improvement by IT. Finsbury Dials home working proven in a controlled manner and more realistic exercises will develop from this. Supply Chain solutions being reviewed. The levels of resilience will continue to be reviewed whilst plans and strategies are developed across all areas, led by Tim Armit but owned by each business lead. This will take until June 2018.
Owner: Paula Jenner / Tim Armit / Russell Hancock
Target date: 6/18

Action: Supply Chain sites visited: Aberdeen, Glasgow, Belfast, Norwich, Sheffield, Birmingham, Hemel Hempstead (at Norwich), Swansea (at Birmingham).
Update: Key initial findings include:
• No confirmed or tested continuity locations for depots
• No plans for large loss of vehicles
• Clarification on crisis escalation and central crisis response needed
These and other initial findings have been reported to Supply Chain leadership for them to resolve. Once all visits are complete, timescales for resolution will be agreed with Supply Chain management and a method to track these implemented. The reviews are also uncovering some opportunities to review standard methods of operation. Once all issues identified are resolved the sites will show as green with respect to their continuity capability. It is anticipated this will be complete by March 2018.
Owner: Russell Hancock / Tim Armit
Target date: 12/17
4.1. Executives' Declaration and Risk Section for ARA
POST OFFICE RISK AND COMPLIANCE COMMITTEE
Annual Report and Accounts 2016/17
Executive Declaration, Top Risks and Risk Section for ARA
Author: Richard Williams/Deana Herley    Sponsor: Jane MacLeod    Meeting date: 13 September 2017
Executive Summary
Context
The purpose of this paper is to share the updates to the top risks and Executive
Declaration results since the RCC in May, and to review the updated Executive
Declaration and risk statements in the Annual Report and Accounts (ARA).
The Top Risks (where red means a rating greater than 3:4 / 4:3) is a summary based
on feedback from all GE members and is a consolidated view across the POL business.
In a number of cases, the scoring is based on factual incidents which have occurred.
The Executive Declaration process enables Group Executive (GE) members to consider
(and attest twice yearly) as a part of year-end procedures, if any additional disclosures
are required to the principal risks to be included in our ARA. The approach to disclosure
as set out in appendices 2 and 3 was collectively agreed by RCC on 4 May 2017.
Our principal risks form a part of the Governance statement in the ARA (see Appendix
5). These are drafted based on the position of top risks agreed by Group Executive
members and are supported by the Executive Declaration process.
Questions this paper addresses
1. What is the current profile of our top risks?
2. Why have we re-run the Executive Declaration?
3. What are the results of the re-run?
4. Are the Principal Risks as mapped in Appendix 5 the correct risks for inclusion in the ARA, with descriptions of those risks appropriate?
Conclusion
1. Since May 17, changes to the Top Risks (see Appendix 1) have included the following:
• We have 13 'Top Risks' (up from 11 in May). Overall our red risk profile has remained stable due to the aggregated score parity in overall risk movement.
• There are 4 new risks (defined as red rated risks having a score >12) which have been identified by Finance and Operations through the Placemat "top down" exercise: 3 impacting ability to trade, covering a) POLSAP replacement (5/3), b) Agents Pay IT (4/3) and c) Replacement of SAP HR (4/3), and a further risk covering cash risk (3/4).
• 3 increasing risks relating to impacting ability to trade (5/4 from 4/4), retail proposition (4/4 from 4/3) and industrial action (4/4 from 4/3).
• 1 risk, government funding, is no longer deemed a top risk due to agreement with government to a Network Subsidy Payment to 2020/21 and continued investment over the period.
• 1 risk, IT delivery capability, has reduced from a 4/4 to a 3/3 due to recent hires, including CTO, and an approved IT People Strategy. IT Demand Management will be insourced from Atos as of 4 September, enabling POL to better control the demand pipeline.
• The people capability and capacity risk has been considered and its rating deemed acceptable by management, following the challenge from the May ARC regarding the impact of cost reductions. We had c.90 reported vacancies as a result of OSOP and there are now 7 remaining, with steps being taken to reduce these gaps.
• All other risks have remained unchanged.
2. In May, we completed the Executive Declaration exercise to support GE members
in considering (and attesting), if any additional disclosures were required in our
Annual Report, as part of our year-end procedures (Appendices 2 and 3). This
exercise has been rerun in August / September to consider changes, due to delays
in ARA sign off. By doing this now, albeit slightly earlier than usual, we propose to
use the results to replace the half year exercise in September / October, which
would be the usual timeframe.
3. The results from May have been reviewed and updated with GE to give an updated
position (Appendix 4). Since May, changes to the Executive Declaration are as
follows:
• 4 items have been removed due to no longer being of material significance:
  1. Card payment rules are evolving and the cost of processing is rising. Lower than forecast impact due to fewer card sales.
  2. £950m Working Capital Facility. Initiatives in place to ensure efficient use of our working capital.
  3. Net liabilities provision. Various reviews have been completed considering how we increase net asset provision.
  4. Uncertainty over future investment from HMG. Agreement with government to a Network Subsidy Payment to 2020/21 and continued investment over the period.
• 5 new items (3, 7, 8, 9 and 15): 3 relating to fraud losses, 1 relating to IT Disaster Recovery and 1 relating to Telco Amortisation.
• 1 item (11), New Money Laundering Regulations, has increased in potential materiality, with the outcome dependent on consultation with HMRC over agent scope.
• 4 items (5, 10, 12 and 17) have decreased in materiality, due to actions taken to reduce exposure.
• 7 items (1, 2, 4, 6, 13, 14 and 16) have remained unchanged.
• There are no items of material significance that require specific disclosure in the ARA. 11 items will be disclosed generically in the risk section of the ARA, as summarised in Appendix 5.
4. The draft principal risks set out in appendix 5 are those which will appear in the ARA
and have been drafted based on the position of top risks (Appendix 1) and are
supported by the Executive Declaration results (refer to Appendix 4).
Strictly Confidential RCC 13% Sept 2017
Risk & Compliance Committee meeting-13/09/17
4.1. Executives’ Declaration and Risk Section for ARA
Input Sought
The Committee is asked to review the information provided and:
a. Consider the proposed changes to our top risks;
b. Note the Executive Declaration results;
c. Agree draft principal risks as set out in Appendix 5, for inclusion in the ARA
2016/17; and
d. Consider whether there are any other matters that should be included and
reported against.
Appendix 2 — Materiality
• The items listed in the table below are possible "material" issues or concerns which
have been raised by Executive members for consideration for disclosure.
• Materiality has been defined for the purpose of this exercise as, "qualitatively and/
or quantitatively, as a cut-off point above which something takes on a greater
significance and may require a different course of action".
• In deciding how to recognise an item as material, Group Executive members are
asked to assess whether it is something that is of a size or impact that would make
a difference to the Post Office or our stakeholders, e.g. influence our decision making,
cause us significant cost or reputational and/or regulatory damage.
• Defined tipping points of materiality used to assess significance, where defined, are
listed below:

Items | Tipping Point
Risks | See Harm Table
Frauds, irregularities or losses | £50k or above, which could attract media attention, are systemic/multiples or have a Network wide impact.
Material contracts | Contracts over £5m or cause significant impact/harm to the business if they were to go wrong.
Events | Size or impact would make a difference to Post Office or stakeholders.
POST OFFICE HARM TABLE - MEASUREMENT CRITERIA
Version: 18th Feb 2016, post RCC & ARC
[The scanned table is only partly legible. Each impact level is scored against financial target / objectives, service disruption, stakeholder and media, and regulatory criteria, and paired with a likelihood band. Entries that can be recovered are listed below; cells marked [illegible] could not be read.]

Impact
5 Critical: >20% of financial target, or critical impact on objectives; service disruption at significant location/s or business function/s for >3 days; withdrawal of stakeholder/customer/colleague/3rd party support, or extensive national media coverage, or formal regulatory intervention.
4 Significant: >10-20% of financial target, or significant impact on strategic objectives; disruption at location/s or business function/s for <3 days; [stakeholder criterion illegible], or some national media coverage, or formal regulatory investigation.
3 [label illegible]: [financial criterion illegible] of financial target, or significant impact on strategic objectives; disruption at location/s or business function/s for <3 days; extensive local media coverage, or informal regulatory enquiry.
2 Moderate: >1-5% of financial target, or [objectives criterion illegible]; service disruption at several locations or business functions for <3 days; moderate concern from stakeholders/customers/colleagues/3rd party support, or some local media coverage, or informal regulatory conversations.
1 Minor: 0-1% of financial target; no service disruption at several locations or business functions for <3 days; negligible concern from stakeholders/colleagues/3rd party support, or no media coverage, or no regulatory interest.

Likelihood (probability)
5 Very Likely: [percentage illegible]
4 Likely: >50-80%
3 [label and percentage illegible]
2 Unlikely: >10-25%
1 Remote: 0-10%
Appendix 3: Executive Declaration
EXECUTIVES' DECLARATION STATEMENT
2016/17
Twice annually for governance and reporting purposes each Executive is
required to attest to the ARC the items listed below
Declaration
Based on my knowledge of the business, and particularly the areas that report to me,
and following due enquiries, I declare that for the period 1 April to 31 March 2017,
I have disclosed any known material items (if not already disclosed at the half-
year) and where I have not disclosed already, I have included details under the items
below:
1) material risks to Post Office that are not captured in the Group Risk Profile
2) material breakdowns of internal control, breaches or significant non-compliance
with internal and external guidelines, including of the General Control
Framework and policies that I am accountable for
3) material frauds, irregularities or losses that have come to light, whether
carried out by our staff, agents, contractors, suppliers or partners
4) complex or subjective accounting judgements, estimates and revenue
transactions*
5) changes to accounting policy*
6) provisions or exceptional items*
7) liabilities and contingencies, including those associated with guarantees*
8) legal action being taken by or against Post Office*
9) any legislative, regulatory (including any non-conformances with Money
Laundering Regulations) or contractual compliance issues that have come
to light*
10) material new contracts or extensions entered into, direct awards and where
I have not followed the contract process
11) obligation breaches on contracts that I am sponsor for*
12) direct or indirect personal interest in any transaction, arrangement or related
agreements with parties entered into*
13) gifts and hospitality which have not been approved and registered in
accordance with policy*
14) material events that could crystallise before the end of the reporting period
above
15) any other information that could have a material impact on the period
(indicated above).
*a requirement to disclose all not just material
The information I have given above is true, complete and accurate to the best of my
knowledge, information and belief.
Name:
Role:
Signature:
Date:
Appendix 5: Draft Principal Risks (Mapped)
Draft Principal Risks, each mapped to the Top Risks and Executives' Declaration items it draws on (item numbers in square brackets).

Competitiveness
Post Office faces both opportunities for and threats to income from our competitive market place. These include:
• Responding quickly to new entrants, and current competitors with new products and technologies, different strategies and business models;
• Fulfilling customer expectations through digital channels, new products and improved back office functions;
• Successfully aligning strategy with partners and managing dependencies on third parties.
Top Risks: [11/12] Market Developments / Competition (Retail, Financial Services and Telecoms); [15] Digital Competency; [16] Banking Framework.

Retail Proposition
We may not be able to retain, or attract, sufficient retail partners to manage our new network of over 11,500.
Top Risks: [13] Retail Proposition.

Cyber threat
Post Office is dependent on the continued availability of its information systems and associated infrastructure. These could be threatened by internal weaknesses, external events or cyber-attack.
Top Risks: [5] Cyber Threat / Information Protection.

IT impacting ability to trade
The next phase of IT Transformation will have increased dependencies and interconnectivities as we replace legacy systems and implement a new integrated service. This could impact service delivery and continuity of IT services.
Top Risks: [1,2,3,6] IT Impacting Ability to Trade.
Executives' Declaration: [2] National Stock Centre Swindon; [3] ITDR; [4] Cyber Threat; [5] Telecoms cyber attack.

Industrial Action
There are a number of commercial process dependencies supplied by and to Royal Mail Group (RMG). The risk of industrial action affecting such a key partner could lead to material disruption to Post Office through loss of service to customers, Postmasters, and business partners. It may also cause Post Office to fail to meet financial service regulatory requirements.
Top Risks: [14] Royal Mail Industrial Action.

Compliance
Post Office operates under an extensive regulatory environment, covering areas such as financial and postal services, telecoms, procurement, competition law and data security. This environment continues to evolve, particularly in the financial services and telecoms areas, and we need to ensure that the changing requirements continue to be identified and met. Changes to regulation could also impact our ability to meet targets and goals.
Top Risks: [7] Conduct Risk; [8] Increase in Regulation.
Executives' Declaration: [1] Non-compliance with PCR; [10] AML regulatory duties for POL; [11] Adherence to new AML regulations; [12] Vetting; [13] HMRC fine on registration of premises; [14] Commercial risk from OFCOM intervention.

* The following items are not reflected in the ARA Principal Risks, for consideration:
Top Risks: [10] Cash Risk.
Exec Declaration: [6] Reconciliation issues between POL and MoneyGram, [7] P739 Fraud, [8] Parcelforce reversals,
[9] Losses, [15] Telecoms Amortisation, [17] IT Controls Framework.
Appendix 1: POL Top Risks as at 06/09/17
[Risk map image; the risk descriptions are not legible in the scan. Categories shown: Operational, Technology, Legal, Regulatory, Financial, Strategy.]
Appendix 4: Executive Declaration as at 06/09/17
[Table image; the item text and ratings are not legible in the scan.]
5. Risk
RISK AND COMPLIANCE COMMITTEE
5.0 Placemat
Author: Richard Williams/Deana Herley Sponsor: Jane MacLeod Meeting date: 13 September 2017
Executive Summary
Context
At the end of 2016 it was agreed that Post Office would pilot a self-assessment
methodology to understand management's view of the effectiveness of the internal
risk and control framework. Following the Supply Chain pilot in May, the methodology
(referred to as the ‘Placemat’) has been rolled out, initially, in Finance and Operations
(F&O) and then in Legal, Risk and Governance (LRG) as part of a wider roll out across
PO which is expected to complete by the end of the 2017-18 financial year.
The purpose of this paper is to update the RCC on the status of the Placemat roll out
to date, the results from the F&O and LRG business areas, as well as future plans for
the roll out.
Questions this paper addresses
1. How do you read the Placemat and what is it telling us?
2. How are we driving value from implementing the Placemat?
3. How have we engaged with the business?
4. What are the governance arrangements in “run state”?
5. What is the timing of the wider Placemat delivery?
Conclusion
1. The Placemat has been populated with the results from F&O business area
(Appendix 1). The overall RAG scores have been informed by a “top down” view
of the 34 risks (net) of high importance, mapped to Placemat principal risk types
which now exist for this area (Appendices 1 and 2). As a 2nd line function, LRG
mostly oversees and advises on the management of risks that are owned by 1st
line. Without a holistic view of the wider portfolio, it is difficult to give a complete
/ scored “top down” position for LRG at this stage. LRG watchlist risks are set
out in Appendix 3. In the interim, the Placemat for LRG will remain in a position
of “too soon to rate”.
2. The Placemat gives us a single point of reference on risk matters, and a more
meaningful representation of our overall risk picture. The reporting is supported
by both a “top down” and “bottom up” comprehensive identification and
prioritisation of risk.
3. Following completion of the Supply Chain pilot in May, the Placemat approach
was applied to the rest of F&O (15 teams). We have also completed it with LRG
(7 teams). We are joined up with the GDPR, Joiners Movers Leavers, and Legal
and Regulatory Framework project teams.
4. The Placemat approach helps to establish clearer accountabilities for risk
management across the 3 lines of defence. As the roll out completes, operational
management (1st line) will take the lead on reassessment, with Risk and
Assurance (2nd line) moving from enabling, to check and challenge. Internal and
External Audit (3rd line) will provide independent assurance over the results and
will report as necessary.
5. During September, we expect to complete the rollout to Government and
Payments Services, the first area within Retail. In parallel, we are engaging with
Telecoms, which will also support their preparation for the ICO PECR audit
planned for January 2018. A full roll out in Retail is proposed by the end of
November. We aim to fully populate the Placemat by the end of the 2017-18
financial year to inform and support annual reporting.
Input Sought
6. The Committee is asked to review this report and confirm its support for the
direction of the roll out.
The Report
How do you read the Placemat and what is it telling us?
7.
Once fully completed, the Placemat will provide a view of how well the Post Office
as a whole and by each business area is managing the principal risks to the
business. The principal risks listed in the Placemat (Appendix 1) are the main
types of risks that a business is likely to face. The risks in each business area
are mapped to these principal risk types and the effectiveness of existing controls
is assessed. The harm table, together with a risk matrix (Appendix 4),
underpins the Placemat's overall RAG scores. The completed Placemat for the F&O
business area is shown in Appendix 1. A consolidated Placemat will be presented
at future meetings, reporting risks by exception in each business area.
8. So far, for the completed business areas, the Placemat is telling us:
F&O has identified 34 top down risks, converged into the 3 net risk RAG rating
categories and based on the average impact / likelihood (I/L) from the harm
table scales (Risk Score = average Impact x average Likelihood):

RAG | % of risks | Average Impact | Average Likelihood | Risk Score
Red | 18 | 4.0 | 3.5 | 14.0
Amber | 64 | 2.7 | 3.8 | 10.3
Green | 18 | 3.5 | 2.3 | 8.1
Weighted Average | 100 | 3.1 | 3.5 | 10.5
9. Influencing Factors
Red: 4 (67% of the net red risks) relate to 'Managing Change' as a result of the
Back Office programme replacing a fragile PO SAP and HR SAP with CFS and
Success Factors. There are a number of Finance / HRSC processes in scope which
directly drive our numbers.
Amber: 11 (50% of the net amber risks) are assessed at I/L 2:5, with the
concentration of these in Network Operations and an alignment to a
corresponding project either planned or underway. All risks have amber rating
parity in their respective Placemat risk categories.
Green: 3 (50% of the net green risks) are assessed at I/L 5:1 and, whilst green
at PO level, at a local level have been reflected in the Placemat as Amber.
Refer to Appendix 2 for further detail.
10. LRG has identified a "bottom up" view of risks and controls at a team level. The
risks identified would not exceed the materiality threshold at a PO wide level. An
effort has been made to build a "top down" view, in order to populate the
Placemat. As a 2nd line function, LRG mostly oversees and advises on the
management of risks that are owned by 1st line. Without a holistic view of the
wider portfolio, it is difficult to give a complete / scored "top down" position at
this stage of the roll out. A watchlist of risks is set out in Appendix 3, including:
• Maturity of the culture in PO with regards legal, regulatory and contractual
compliance.
• Regulatory risk arising from increased visibility of PO and POMs to
regulators.
• Ensuring that the compliance framework imposed on us contractually is
viable and deliverable.
• Potential impact of Postmaster litigation on the framework of our contractual
relationships with agents.
• Business engagement on GDPR.
• Poor contract management impacting PO financially and reputationally.
• Cyber Threat.
In the interim, the Placemat for LRG will remain in a position of “too soon to
rate”, however this will be reconsidered at each roll out and reassessment.
11. This is not a one-off exercise. The Placemat results will be reassessed by each
business area quarterly, which will involve the identification of any new risks and
review of current ones. It will also involve closing off risks that are no longer
relevant. This process will be fully scoped and piloted for F&O and LRG during
October, and presented back to the RCC and ARC in November.
12. At each meeting the paper will set out the movement of principal risks,
commentary on key controls, as well as any mitigating factors, informed by either
a roll out to a new business area or reassessment of an existing business area.
13. The Placemat process will also inform disclosures in our Annual Report for
2017/18 including: description of principal risks and uncertainties we face; any
concerns regarding going concern based on relevant accounting issues or
material uncertainties; and commentary on our review of risk management and
systems of internal control.
How are we driving value from implementing the Placemat?
14. An effective risk framework helps drive a culture where the implications of
decisions can be discussed explicitly and openly, and employees at all levels
understand how much risk they can take in pursuit of objectives. Whilst some
aspects of the risk framework have been developed, overall it is currently
underdeveloped, delivered on a siloed basis and not enterprise wide in design or
scope.
15. The diagram below highlights, through a series of steps, how the Placemat
deliverables will strengthen our risk framework components. This also illustrates
how the Placemat will standardise and unify what already exists (including group
risk profile, top down risks, risk registers, executive declaration, incident and
assurance reporting) to deliver more value out of it. The focus of activity to date
has been on identifying, prioritising and assessing the severity of risk.
[Diagram: Risk and Control Matrix & "Top Down" Perspective - key stages of the build process: Risk and Control Matrix (Peer Review, Lead Review); Placemat Populated & GE Signoff; Run State.]
16. The key outputs delivered through the Placemat process are:
• Risk and Control Matrix (RACM) by team providing a bottom up view of the risk
and control environment;
• Top down view by business area; and
• Placemat populated with overall results by business area.
17. The Placemat outputs are already being used by Internal Audit to inform
planning.
18.
The diagram below illustrates how the Placemat will strengthen the risk
framework. This will support the business to gain a clearer view of its overall
level of risk, respond in a considered way and ultimately, a more commercially
sustainable way. The components delivered will start to inform a portfolio view
of risk which will then allow for the value of “out of scope” components to be
considered for development.
[Diagram: risk framework components supporting commercially sustainable performance - Risk Governance and Culture; Risk Strategy and Objective Setting; Risk in Execution; Risk Reporting and Communication; Oversight and Assurance. Core components being delivered include: defines desired level of oversight and accountability; establishes governance operating model; defines desired organisational behaviour; considers risk and business context; considers risk when setting business objectives (capability model); defines risk appetite and acceptable tolerance to performance; evaluates alternative strategies; identifies and assesses risk in execution of the strategy; uses relevant information; communicates risk information; reports on risk culture and performance; leverages information systems; monitors substantial change (scenario test). Key: delivered as part of Placemat / out of scope.]
19.
Examples of how the core deliverables of the Placemat are embedding the
principles of sound risk management include:

Risk Governance and Culture
• It is designed to provide the Board and ARC with greater confidence when discharging accountability of risk taking.
• Clearer accountabilities and responsibilities for each of the lines of defence.
• Pathway to upskilling the 1st line of defence in proactively managing risks.

Risk Strategy and Objective Setting
• Will help the risk community to be aware of/understand what is strategically important to the business, and what to watch out for.
• Standardised tools and techniques have been developed to populate risk registers, which have improved the quality of outputs.

Risk in Execution
• A comprehensive identification and prioritisation of top down risks.
• Helps to recognise how a lack of, or gaps in, controls could be driving incidents or near misses.

Risk Reporting and Communication
• Gives a single point of reference. The insights will help to answer the question, how broad are the risks we are considering?
• Gives a way of aggregating proactively similar lower level risks, which occur on multiple risk registers, e.g. conduct, BCP etc., at a consolidated group level.
• The reporting will help the business "join the dots" on risk matters. The format has been created with the view that it will convey insights on risks that truly shape our performance, by connecting management with the rest of the organisation on risk matters.

Oversight and Assurance
• The grouping of key risks under the relevant principal risks will give a meaningful representation of the risk picture.
• Allows for more targeted stress testing and focused assurance activity.
How have we engaged with the business?
20. Following completion of the Supply Chain pilot, the Placemat approach was
applied to the rest of F&O. In parallel, we have also applied the Placemat
approach to LRG. This work has involved approximately 50 workshops and follow
up meetings across 22 teams. We have engaged with GE and Senior Management
to identify "top down" risks and outcomes, ensuring that process and outcomes
are aligned. Introductory sessions have also been given to other parts of the
business to get wider feedback and support in preparation for future roll outs.
21. We are engaging with a number of project teams to remove duplication and
leverage outputs with GDPR, Joiners Movers Leavers and Legal and Regulatory
Framework.
What are the governance arrangements in “run state”?
22. Accountabilities in the "run state" will be split between the 3 lines of defence. In
the "run state" 1st line will take the lead, with 2nd line moving from enabling to
check and challenge. The 3rd line will provide independent assurance on the
results.
What is the timing of the wider Placemat delivery?
23.
During September, we will complete the Placemat rollout with Government and
Payments Services, with a full delivery of Retail proposed by the end of
November. In parallel, we will complete with Telecoms, prioritised to support the
business’s preparedness for ICO PECR audit planned for January 2018. We aim
to fully populate the Placemat by the end of the 2017-18 financial year with PO-
wide reporting brought to the May RCC and ARC.
APPENDIX 1
Self-Assessment of the Internal Risk and Control Framework - Post Office Limited
As at 06/09/17
[Placemat image. Rating columns per business area: Q2 17 | Q3 17 | [third column heading illegible]. The RAG cells are not legible in the scan; the LRG column is marked "Too soon to rate". Row 20 is missing from the scan.]

Principal Risks (owner)
1 Manage process and deliver services (TBC)
2 Product risk (NK/KG)
3 Make payments (AC)
4 Records management (TBC)
5 Procure and contracts (AC)
6 Managing change (AC)
7 Keep our people, customers and third parties safe (AC)
8 Physically secure (AC)
9 BCP (JMac)
10 Technology Ops
11 [name illegible]
12 IT Security
13 Dependence on IT 3rd Parties
14 Managing losses and Fraud (AC)
15 Financial crime (JMac)
16 Information Protection (JMac)
17 Brand (Mark Davies)
18 Record and pay taxes (AC)
19 Compliance with laws and regulations (JMac)
21 Reporting results and providing data accurately
22 Sufficient cash / headroom (AC)
23 Ensuring sustainable profit
24 Control activities
25 Competitiveness
26 Strategic Risk
27 Market
28 Customer Relevance
29 Communicate, inspire and align (MK)
Key: See Risk Rating User Guide
APPENDIX 2
High Risks
‘1 [Retail proposition le not attractive, churn ls rising, rking 11,500 ‘Manage process and deliver I Mark Elie Tom Moran a a
2 _ [High levels of change will cause fragile systems to fall ‘Managing change Ben Cooke Tim White a 4
Projects to mitigate include: simplification, extension of automation to agency branches,
white space and new retain value proposition to multiple partners.
[There are a significant number of business and IT programs impacting applications and
processes. All of these programs must follow the IT change process when making technical
[changes, and each are supported by enterprise architecture, checking designs to ensure
Joverall coherence.
3__IWe have to replace POLSAP or shore it up, creating existential risks Managing change ‘Amanda Radford I Danielle Goddard/I 5 3
Ben Cooke
[The Back Office programme will migrate POL SAP to CFS, The scope covers a number of
processes which drive our financials eg. client settlements. A controls contractor is now
Jembedded within the Programme to oversee migration. POL SAP balances, access profiles
[baseline and process) and financial reporting controls will be formally signed off by the
Financial Controller and the Financial Accounting and Governance Manager before migration
If POL SAP is not replaced it will be out of support. The existential risks could result ina
misstatement of the numbers,
“_IWe have to deliver agents pay via CFS Managing change I AmandaRadford I Joe Connor] a 3
Ben Cooke
[The agent remuneration project willbe live by Feb 2018, Pre-prod dual running Nov and Dec.
Prod dual run in Jan Full calculation in the new model only by Feb 2018.
lWe have to deliver payroll via SF, bulding ona fragile HASC TWanaging change Toe Connor] 7 3
Bogerd Martyn Lewis,
[Success Factors Programme ls replacing a number of services currently provided through HR
POLSAP and the Back Office Transformation programme is working on the POLSAP Process
Migration, with a current view that this will be live by June 2018. This wil allow us to de-
[commission POLSAP by September 2018. Data archiving and residency of POLSAP is being
Investigated.
UWON soueIIdWoD g ¥SIe
© [Weare using too much cash, risking loss, funding costs and change ‘Sufficient cash headroom I Russell Hancock I Doug Brown 3 4
[A project team is reviewing cash management in its entirety focusing on forecast
lunding
Icompleteness and inaccuracies. The ‘cash declaration’ element of the project i critical as
Jwithout it being right the team will not know what should be in branch. Additional resource in
post will ook to improve the customer experience of getting cash out and will also be tackling]
Jexcess cath to reduce fraud / lostes. Separately the Forex experience is being reviewed.
Projects are scheduled to complete by year end,
Medium Risks
7 _ [Financial Reporting is inaccurate creating reputational damage Reporting results and I Amanda Radford I Danielle Goddard 5 2
providing data accurately
[Fhe Financial Controls Framework (FCF) has been extended to cover FCS processes, branch
Jcorrections, agent debt and POMs processes. This work has now started. FCF controls are
self-assessed by owners monthly.
ZW/e0/¢-Buyaew aen
@ _ [Safety outcomes are not world class and where they are notiniine with I Keep our people, customers I Angela Van-Den- I Martin Hopcroh 5 2
[Additional Person in Control training has been provided to DMB managers and colleagues andI
required legal and regulatory standards, may lead to serious injury and third parties safe Bogerd
Supply Chain Managers. Over the next 3 months additional training will be provided to all
ISupport teams, Work is ongoing to ensure contractors are clear on roles and responsibilities.
[The scope of agent activities and opportunity for Post Office to provide guidance is also underI
review. Additionally, to reduce overall Health & Safety risk, a deep dive review of Health &
[safety has been undertaken by the GE Safety Committee and action agreed to reduce each
Jarea of risk, reporting to the Committee on a monthly basis at the Operations Board with
[subsequent 6 monthly ‘deep dive’ reviews planned. To assess the robustness of the Safety
hanagement System and to identify improvement opportunities to meet World Class level,
Jan independent 3rd party audit is also being planned for 03.
POL-BSFF-0238511_0075
Z1/60/¢}-Bujsew sayuWog souRlIdwod ® ¥SI4
£2730 LL
POL00423693
POL00423693
[Our Mis Timited leading to poor decisions:
Reporting results and
providing data accurately
‘Amanda Radford
Somita You
[The Head of Management Information Is working with Amanda Radford (Financial Control)
Jand Ben Cooke (IT) to move forward with a business case which considers, what our current
Jconstraints are and how we should we move forward (implementing proper structure and
tooling to rectify). There are also plans to do a proof of concept for rolling out self-service
fool
Fr)
lWe appoint unsuitable applicants leading to performance issues and re
Iwork due to increased terminations through losses
Manage process and deliver
services
Mark Elis
Tohn Breedon
[A review of applications process has been complete and plan for implementing
recommendations is now being developed.
11. Agents or other third parties steal from us and lose our money (Managing losses and fraud)
SLT: Mark Ellis; SME: Mark Raymond, Kim Abbott
Comments: Paramount is the need to ensure the recruitment process and vetting attract lower risk individuals and that contracts are enforced robustly. The Fraud Analysis team aim to identify losses early so early intervention via telephone or scheduling audits can take place. In addition a system for early intervention is to be introduced where activity will include tasking Security Operations to make visits to identified branches. External company review - EXL are engaged on a piece of work to look to streamline and make more effective the Fraud Analysis Team's reports and analysis. A new debt recovery and investigation process is going to be introduced to recover losses in a far more timely manner, including a partnership approach reviewing live cases with Security Operations, legal team, contracts and agent debt teams to establish clear action plans to recover loss. Branch Communications including notifications of convictions are to be publicised as a deterrent. Moving forward, test cases to prosecute will be identified with a view to returning to a full Prosecution Policy where the Proceeds of Crime Act can be utilised, making POL an unattractive business to steal from.
12. Limited monitoring of and communication with agents, reducing conformance (Managing losses and fraud)
SLT: Mark Ellis; SME: Kim Abbott
Comments: An annual call plan has been developed. Monthly calls to branch are made on a prioritised basis. The Branch Standards team are currently unable to fulfil the level of demand, which has been raised with GE. The benefits of re-introducing post appointment visits are being considered.
13. Branch opening hours are wrong, affecting customers (Manage process and deliver services)
SLT: Mark Ellis; SME: Tom Moran
Comments: The Opening Hours Project is under way, with the first batch of work focusing on cleansing data. 'Business as usual' activity is planned with the Branch Standards team.
14. Debt recovery is slow and ineffective creating loss (Managing losses and fraud)
SLT: Stuart Nesbit; SME: Michelle Stevens
Comments: A new faster debt path was designed at a recent workshop. Recovery letters are being redrafted with Legal and then issued, which initially will be a manual process to monitor their effectiveness. We are currently looking to develop a more sophisticated debt management system, which will enable the better integration of management information.
15. Informal controls and compliance over Operations (Control activities)
SLT: Various; SME: Danielle Goddard
Comments: Refer to risk ? comments.
16. We can't communicate effectively with all of our people (Communicate, inspire and align)
SLT: Russell Hancock; SME: Mark Ellis
Comments: n/a
17. Our change is delivered late, risking costs and benefits, or has unintended consequences (Managing change)
SLT: Angela Van-Den-Bogerd; SME: Jenny Ellwood
Comments: Work is underway to assess the do-ability of the integrated plan, looking at this from an IT, Network, Network Operations, HASC and FSC perspective. The Gating process is also under review and plans are underway to re-educate and reinforce minimum standards with our change governance and controls. The results of this will be presented to ECG in September. Additionally, Stuart Nesbit (FSC) is leading on a review of the forecast and phasing of spend and benefits with the FO's. Once the accuracy of this is validated, variances will be tracked and the reasons for those variances tracked for trends and concerns.
POL-BSFF-0238511_0076
18. Manual processes mean we can't demonstrate compliance on agent vetting and training (Manage process and deliver services)
SLT: Angela Van-Den-Bogerd / Mark Ellis; SME: John Breedon
Comments: The Enhanced User Management Programme is looking to control access to Horizon, which will be subject to successful vetting and training. New starters will not be able to obtain Horizon access until vetting and training is successfully completed, making it easier to control. Existing staff will have access to Horizon removed if they do not pass the required compliance training (access could be to a product set or to the full system, depending upon which training they do not sit and pass). However, this Programme is under pressure and has only an approved plan to deploy to '500' branches, which if all goes as planned will commence with 50 branches on 11 September and be complete before the December change freeze.
19. A lack of training and support for newer agents creates loss and churn (Manage process and deliver services)
SLT: Mark Ellis; SME: Pam Heap
Comments: A structural review of the field teams (Network Ops) is under way. A full review of agent training material is to be completed with the Learning Team.
20. We report net liabilities, reducing confidence in Board and third parties (Procure and contracts)
SLT: Amanda Radford; SME: Danielle Goddard
Comments: Various reviews have been completed considering how we increase net asset provision.
21. Limited DR/BCP plans, largely untested, increase the impact of systems and site loss
SLT: Various; SME: Tim Armit, Mick Mitchell
Comments: Ongoing enhancement of plans and strategies is being completed across Supply Chain, Chesterfield and Bolton. Chesterfield has a tested recovery solution with SunGard. Supply Chain depots are all being taken through training and the Stay Calm manual rewritten. A recovery solution for Bolton has been proposed and is being considered. A Finsbury Dials work at home exercise is planned in August 2017. Risks, impacts and strategies will be developed across all areas in 2017/18.
22. Loss of Swindon operation causes widespread product loss (BCP)
SLT: Russell Hancock; SME: Rhys Davies
Comments: With the closure of Merlin House, the contingency for Swindon (albeit on a limited line basis), there is currently no alternative physical space to put it. A like for like alternative is being scoped at Swansea CViT, albeit with the same constraints.
23. We do not have sufficient funds to create a sustainable business (Sufficient cash / headroom)
SLT: Amanda Radford; SME: Danielle Goddard
Comments: A number of initiatives are in place to ensure efficient use of our working capital (particularly our cash inventory - see 6 above) to ensure we create as much headroom under our facilities as possible. In addition, we are formulating a negotiation strategy with Santander to reduce the constraint on headroom driven by their security arrangements and are in talks with banks to arrange up to [amount redacted in source] of standby facilities. Both these initiatives will create additional headroom capacity under existing facilities.
POL-BSFF-0238511_0077
24. Limited cash data and forecasting leads to facility breach (Sufficient cash / headroom)
SLT: Amanda Radford; SME: Mark Dixon
Comments: We primarily manage this risk by ensuring we have accurate cash forecasting processes in place. This is a focus for us and there are a number of initiatives in place to improve cash flow forecasting, including the Cash Management project. We approach cash flow forecasting from 2 perspectives: (i) cash in / cash out for the short term view (Treasury); (ii) projections of balance sheets for the medium / long-term view (FP&A).
The short-term approach becomes less accurate the further out that you go and hence the need to have two approaches and to align them.
We have a daily 8-day rolling forecast in place making use of our TMS to consolidate cash flows. The use of the TMS rather than a reliance on spreadsheets enhances controls. We have put in place weekly and monthly reporting and variance analysis which we distribute to senior management, as well as daily reporting and variance analysis which is distributed to the Head of Treasury. The Team's focus is on improving our forecasting using this variance analysis. As a result we have built a new model to forecast Note Circulation Scheme balances, an area in which we clearly need to improve. As a result of OSOP changes in the Wholesale Cash Team, and hence reduced resource levels, there are delays in implementing the new model. We now need to focus on improvements around process and modelling of the medium term and will be addressing this within the cash management project.
25. We cannot report, forecast or optimise branch cash (Ensuring sustainable profit)
SLT: Russell Hancock; SME: Doug Brown
Comments: A new system is being implemented through Back Office (scheduled for March). The Supply Chain element of POL SAP will move to CWC. This will enable us to forecast more accurately; for example, the dates forecasted on will be system driven. This will give us the functionality to create and change events and cleanse data to better reflect normal trading. Branches will also be able to order cash online, which will improve the overall experience.
[Watch List
26. We are not compliant on tax, attracting fines and censure (Record and pay taxes)
SLT: Amanda Radford; SME: Mark Dixon
Comments: Although Tax will consist of one individual going forward, there are a number of trained accountants involved with tax preparation at POL. Where specialist input is required, additional information is requested from external providers, who by nature are experts and regulated in their chosen field. It is anticipated that, going forward, people other than the new tax manager will be involved in the preparation, with the manager performing review. This will ensure adequate segregation of duties, and also that a 'four-eyes' review has been adopted. This process will take a number of months to be embedded.
27. We procure badly, destroying value (Procure and contracts)
SLT: Barbara Brannon; SME: William Porter
Comments: Sourcing Council will be embedded into change management cycles by the end of year. Category Managers will lead on providing clear content requirements. Business leads will be required to attend meetings, with GE or SLT sponsor signing off the process agreed. Our ability to track spend against supplier will be improved in the short term through a monthly spend report generated showing contract value and forecast by October. Work is nearing completion to review suppliers where spend is over £5k and allocate owners. The longer term solution will be a contract management system. A business case for this is currently being reviewed. Our ability to manage procurement documentation will be improved through the digital 365 project to SharePoint. A document standard for physical / electronic storage will also be drafted. Bravo will be used by Category Managers to currently plug gaps. The longer term fix for this will be the implementation of a Contract Manager system.
POL-BSFF-0238511_0078
28. We procure illegally, attracting fines and censure (Compliance with laws and regulations)
SLT: Barbara Brannon; SME: William Porter, Jacqueline Scott
Comments: Over the next couple of months the Procurement Policy will be refreshed, articulating how to buy, and communicated to colleagues / suppliers. This will include a no pay policy. Procurement are also proposing the following:
1. SAP requisition workflow will also be adjusted to move Procurement to the start of the process to help embed.
2. A minimum requirement for all project works to have a procurement provisional budget to be introduced. Pipeline accuracy to be a Procurement and Category Manager KPI by October. Pipeline will be published to key stakeholders to support business prioritisation. Non-compliance continues to be logged, tracked and escalated to GE and ARC.
29. We do not keep cash physically secure (Physically secure)
SLT: Russell Hancock; SME: Mark Raymond, John Flood
Comments: [text garbled and partly redacted in the source; references to the processing floor being covered by CCTV and to cash held in the operational and bonded vaults are all that remains legible]
30. Risk of kidnap in SC etc (Physically secure)
SLT: Russell Hancock; SME: Mark Raymond
Comments: Tiger Kidnap training is delivered annually to all staff in Supply Chain. Winter safety awareness training also covers route changes etc.
31. Risk of political/social violence in Northern Ireland (Keep our people, customers and third parties safe)
SLT: Russell Hancock; SME: Mark Raymond
Comments: In terms of public order in Northern Ireland, to date, 2017 has been widely described as the most peaceful for some years, although there remain numerous social and political issues in many communities across the province, with some being subject to violent criminal activity. Dissident Republican terrorist activity has increased significantly, with the Police Service of Northern Ireland (PSNI) being the primary target. POL Security is updated by the PSNI on a regular basis of all risks and potential risks to the business. The general risk to POL NI remains at Moderate.
32. Financial forecasting is limited (Ensuring sustainable profit)
SLT: Amanda Radford; SME: Tan takin
Comments: A new interim head of FP&A has been appointed who will review the current reporting and forecasting processes, which will look to address the risk.
33. Purchase to pay process is complex, leading to errors and delays (Make payments)
SLT: Stuart Nesbit; SME: Barbara Brannon
Comments: Procurement and FSC are working closely to improve vendor and business conformance to ensure payments are made within 30 days as per the Performance and Reporting requirements due to come into effect in 2018/19.
34. We do not settle accurately and quickly with clients (Make payments)
SLT: Stuart Nesbit; SME: Kay Wilson
Comments: Due to the low probability there are no specific additional plans. In the event of system outage, manual workarounds are required which through human error could result in clients being paid incorrectly, despite additional checking. The Back Office programme is looking to remove the manual nature.
POL-BSFF-0238511_0079
Legal, Risk & Governance Risks
Watch List
Columns: Principal Risk | SLT Accountability | SME Accountability | Impact | Likelihood | Risk Score | Comments
1. Reputational damage and financial loss arising from poor contract management (Procure and let contracts)
2. Immature culture within POL as regards legal, regulatory and contractual compliance (network) (Compliance with laws and regulations)
3. Cyber risk - failure to identify and control the insider threat and include security controls in contracts with suppliers (IT Security)
4. Regulatory risk arising from increased visibility of POL & POMS to regulators, e.g. ICO re GDPR, HMRC re AML/CTF, FCA re POMS expansion, FCA via Banking Framework (Compliance with laws and regulations)
5. Whether Post Master litigation could result in material challenge to the framework of our contractual relationships with agents (Compliance with laws and regulations)
6. Whether, once properly understood, the compliance framework imposed on us contractually is actually viable and deliverable across the network as now structured (Compliance with laws and regulations)
7. GDPR - lack of engagement by the business (e.g. around identifying data architecture) has the ability to cause material delay to the programme (Compliance with laws and regulations)
POL-BSFF-0238511_0080
Risk Rating User Guide
The overall Risk Rating is calculated using a weighted average of risk that is considered appropriate, recognising that the applied rating is subjective, and is based on the following:
- Impact - if the risk exists, based on the harm table, what impact could this have on the business?
- Likelihood - while risk by nature is inevitable, based on the harm table, what is the likelihood of this particular risk appearing in practice?
- Combined score - takes Impact x Likelihood to calculate a combined score
- Controls - weighting of controls to mitigate the perceived risk
- Overall RAG - Residual Risk is the combined score divided by the mitigating controls
NB: Residual risk is the threat that remains after identified risks have not been eliminated by compensating controls. For each risk recorded, the Committee should determine and agree whether to make plans to reduce it, avoid it, accept it or transfer it.
Harm Table and RAG Rating Segmentation
[Table: Impact / Rating (A); Likelihood / Rating (B); RAG for Gross (Inherent) Risk and Net (Residual) Risk; Overall RAG (C)/(D). Row values (Low, Medium, High with ratings 1 to 3) are not legible in this extract.]
POST OFFICE HARM TABLE - MEASUREMENT CRITERIA
Version: 18th Feb 2016, post RCC & ARC
Latest Combined Score is a calculated value = Impact x Likelihood
POL-BSFF-0238511_0081
6.1. Regulatory Framework
POST OFFICE PAGE 1 OF 29
RISK AND COMPLIANCE COMMITTEE DISCUSSION PAPER
Post Office Legal and Regulatory Framework
Author: Ben Foat Sponsor: Jane MacLeod Meeting date: 13 September 2017
Executive Summary
Context
Post Office Limited (Post Office) is a multiline business operating across numerous
sectors including Financial Services, Telecoms, Retail, Government Services, and Mails
with a significantly unionised work force and, as a result of its public ownership, is
also subject to additional public sector legal obligations such as public procurement
rules. The Post Office is also directly or indirectly subject to numerous regulators
including HMRC, FCA, CMA, ICO, and OFCOM. As a distributor of a vast array of
products and services, it manages over 1,700 commercial contracts, thousands of
employment contracts, property licences and instruments, and hundreds of disputes
and complaints, all of which are generally underpinned by legislation and regulation.
Consequently, the legal risk across the POL group is broad and complex.
The ARC is to receive training prior to the next ARC meeting on Post Office’s
legislative and regulatory framework.
This report sets out, in draft, the legal and regulatory framework under which Post
Office operates and suggests who, within the business, is responsible for managing
compliance with those pieces of legislation and regulation. It solely focuses on the
material and most frequently encountered laws and is by no means exhaustive. This
work will be incorporated into broader discussions around accountability within the
business.
Questions addressed in this report
1. What are the material and most frequently encountered laws?
2. Who is responsible for ensuring compliance with legislation and regulation?
3. How are new legal trends and developments applicable to Post Office managed?
4. What do we need to do next to progress?
Conclusion
1. Appendix 1 is an overview matrix which sets out the top 48 material and most frequently encountered pieces of legislation and suggests which GE member is accountable or responsible, from a first line of defence perspective, for ensuring compliance with those laws.
Strictly Confidential
Risk & Compliance Committee meeting-13/09/17 83 of 227
POL-BSFF-0238511_0082
2. Appendix 2 provides a more comprehensive outline of those laws which are rated
‘red’ or ‘amber’ in terms of materiality (see paragraph 6 below), as well as the
known controls and the evidence of such controls.
3. The Legal Team identifies new legal trends and developments through its Regulatory Developments Tracker (Horizon Scanning). Any new or proposed material changes to laws and regulation are communicated to the relevant parts of the business as well as through the cross functional Law and Trends Forum. Working groups are then set up to further assess the impact of the new or material changes and implement those changes within the business.
4. Further refinements to Appendix 1 and 2 will be made incorporating the feedback
from the RCC specifically any clarifications over which parts of the business are
responsible or accountable from a first line of defence perspective.
Input Sought
1. The Committee is asked to discuss the responsibilities allocated to GE or GE-1 and to make recommendations as to further refinement.
Input Received
2. This report has incorporated the Finance & Operations compliance matrix together with the comments from Retail, IT, FS and HR.
POL-BSFF-0238511_0083
The Report
What are the material and most frequently encountered laws?
5. There are hundreds of pieces of legislation and regulation that apply to Post Office. Appendices 1 and 2 set out the most material and most frequently encountered laws at Post Office.
6. A RAG status has been adopted to differentiate materiality on the following basis:
- Red - where there are potential individual criminal sanctions and/or personal liability for Board / GE;
- Amber - where there are significant sanctions, including corporate criminal offence or significant penalty (without individual sanctions);
- Green - where there are typical sanctions (e.g. fines).
Who is responsible for ensuring compliance with legislation and regulation?
7. As set out in the Appendices, we have allocated ‘Accountability’ for each piece of
legislation to key GE sponsors, and indicated who else is ‘responsible’ for
compliance at an operating level.
8. As Post Office’s risk management framework matures, we will be able to address
this more fully through the 3 lines of defence risk management model. In
summary:
- first line - functions that own and manage risk
- second line - functions that oversee or specialise in risk management, compliance (i.e. Legal, Compliance, Risk, etc.)
- third line - functions that provide independent assurance, e.g. internal audit.
[Diagram: 1st Line of Defence (image not reproduced in this extract)]
9. Post Office's second line capability is still relatively immature and the distinction between first and second line responsibilities needs further articulation.
POL-BSFF-0238511_0084
Nevertheless, as the 'placemat' control effectiveness self-assessment work is rolled out across Post Office, this will facilitate a greater awareness of first line responsibilities, as well as enable the development of a more mature 2nd line oversight capability.
10. Accordingly, Appendix 1 provides an overview matrix which seeks to delineate accountability (ownership of risk) and responsibility (those who need to comply with requirements or follow direction from the accountable owner within their area of responsibility). For example, it is proposed that Jane MacLeod (Group Legal, Risk & Governance Director) is accountable for the Bribery & Corruption Act (as the Financial Crime team specify the controls to be operated to best prevent bribery). However, all areas of the business are responsible for ensuring its compliance through enforcing internal controls such as the Gifts & Entertainment Policy in respect of their areas within the business.
11. It is also proposed that, by way of example, Al Cameron (Chief Finance & Operations Officer) is accountable for public procurement but all areas of the business are responsible for ensuring that they comply with the internal controls set out by him through the Procurement Director, Barbara Brannon. In the overview matrix, R denotes responsibility and A denotes accountability.
12. Appendix 2 provides more detailed descriptions of those pieces of legislation rated
as ‘red’ or ‘amber’. Details of green rated legislation have also been prepared, and
are available from the legal team on request.
How are new legal trends and developments relevant to Post Office managed?
13. The Legal Team is responsible for identifying new and emerging areas of legal risk. On a monthly basis it identifies new legal trends and developments through its Regulatory Developments Tracker (Horizon Scanning). Some areas of the business also maintain horizon scanning specific to their area. Any new or proposed material changes to laws and regulation are communicated to the relevant parts of the business as well as through the Law and Trends Forum, which has representatives across the business. The Law and Trends Forum enables alignment across the business. Working groups are then established in relation to material new pieces of legislation, consisting of relevant stakeholders, to further assess the impact and provide recommendations in respect of any changes to existing internal or management controls.
What do we need to do next to progress?
14. Following the feedback from the RCC, Appendices 1 and 2 will be updated and sent to the Strategy Team, who are working on the broader issues of accountabilities within the organisation. These documents may also serve as a useful tool for those involved in the SMCR project.
POL-BSFF-0238511_0085
Appendix
1. Material Legislations/Regulations - Overview Matrix
2. Material Legislations/Regulations - Detailed Framework
POL-BSFF-0238511_0086
1. Overview Matrix - Proposed Responsibility and Accountability
Columns: Material Legislation / Regulation | Business Area | CEO (Paula Vennells) | FS & Telco (Nick Kennett) | Retail (Kevin Gilliland) | Strategy (Martin Edwards) | HR (Martin Kirke) | IT (Rob Houghton) | LRG/CoSec (Jane MacLeod) | Ops (Al Cameron) | Comms, Brand & Corporate Affairs (Mark Davies) | Board Impact
(The R/A markings in the individual GE columns are not legible in this extract; only the Business Area column is reproduced below.)
Bribery Act 2010: All
Business Rates: Ops
Communications Act 2003: Telco, Retail
Companies Act 2006: CEO, LRG, Ops
Consumer Insurance (Disclosure and Representations) Act 2012: FS, Retail
Corporate Manslaughter and Corporate Homicide Act 2007: Ops
Criminal Finances Act 2017: All
Data Protection Act 1998 & GDPR: All
Digital Economy Act 2017: Retail, Ops, FS, Brand
Employment Rights Act 1996: All
Energy Acts, Directives and Regulations (various): Ops
Enterprise Act 2016 (competition): All
Enterprise Act 2016 (pay cap): All
Environmental Legislation and Regulations: Ops
Environmental Protection Act 1990: Ops
Equality Act 2010: All
FCA Conduct of Business Sourcebook (COBS/ICOBS): FS, Retail
Financial Services and Markets Act 2000 / FCA Handbook: FS, Retail
Freedom of Information Act 2000: LRG
Gross Negligence Manslaughter: Ops, Retail
Health & Safety at Work Act 1974: Ops, HR, Retail
Insurance Act 2015: FS, Retail
IMD & Insurance Distribution Directive: FS, Retail
Intellectual Property Laws (various): Brand
POL-BSFF-0238511_0087
Landlord and Tenant Acts: Ops
Law of Property Acts; Land Registration Act 2002; 2003 Rules: Ops
Modern Slavery Act 2015: HR, Ops, Retail
MLR 2017: FS, Retail
Ofcom's Conditions of Entitlement: FS, Retail, Brand
Payment Services Regulations 2017: FS, Retail
Postal Services Act 2011: Retail, FS, Strategy
Privacy and Electronic Communications Regulations 2003 / Network and ISD: LRG, FS
Public Contracts Regulations 2015: All
Public Interest Disclosure Act 1998 (whistleblowing): All
Reforming the Intermediaries Legislation (IR35): HR
Re-use of Public Sector Information Regulations: LRG
Small Business, Enterprise and Employment Act 2015: Ops, Brand
Senior Managers & Certification Regime: HR, FS
The Consumer Rights Act 2015: Retail, FS
The Payment Card Industry Data Security Standard: FS, Retail
The Welsh Language (Wales) Measure 2011 and associated Regulations: Retail, FS, Brand
Town and Country Planning Act 1990 and various others: Ops
Trade Unions and Labour Relations (Consolidation) Act 1992 (TULRCA): HR
Transfer of Undertakings (Protection of Employment) Regulations 2006: All
Treaty on the Functioning of the European Union; Competition Act 1998: All
POL-BSFF-0238511_0088
Treaty on the Functioning of the European Union - State Aid: Retail, Strategy, Ops
Universal Postal Union Convention / CAA: Retail
Value Added Tax Act 1994: Ops
2. Detailed Framework
Columns: Legislation / Regulation | Description | Obligations | Business Area | Responsibility | Accountability | Controls / Policies | Evidence | Board Impact
Bribery Act 2010
Description: This Act deals with an offence of offering, promising or giving a financial or other advantage for the purpose of bringing an improper performance of a function or activity. Requires active measures to prevent bribery.
Obligations: POL and POMS must comply with six principles of adequate procedures to prevent bribery:
- Proportionate procedures - the procedures adopted should be proportionate to the risk faced.
- Top-level commitment - POL/POMS should adopt a culture of zero tolerance through a commitment by senior management.
- Risk assessment - POL/POMS should identify its bribery risks and prioritise its actions in high risk areas.
- Due diligence - POL/POMS should take appropriate care when entering into relationships or markets with a risk of bribery.
- Communication - POL/POMS policy should be clearly communicated to all relevant parties, supported by appropriate training and "speak up" procedures.
- Monitoring and review - the procedures put in place should be reviewed and updated as the company's risks change over time.
Business Area: All
Responsibility: Paula Vennells, Al Cameron, Kevin Gilliland, Nick Kennett, Rob Houghton, Martin Kirke, Martin Edwards, Mark Davies
Accountability: Jane MacLeod
Controls / Policies: ABC policy; Annual risk assessments and review of residual risks and controls; Training to POL, branches and employees; Gifts and Hospitality register; Guidelines and processes about giving/receiving gifts; Risk and Compliance Team including Financial Crime and Compliance Teams; Whistleblowing Policy; Code of Conduct; Agreement clauses; Financial Crime Policy
Evidence: Policies and procedures on Intranet and updated annually. Completed risk assessments retained in restricted access drive. Risk assessment progress reported to AML Steering Group and R&CC. HR maintain training records for directly employed staff. Quarterly G&H records provided to each GE for their area. Annual reporting re. G&H to R&CC and ARC. Gifts and Hospitality register.
POL-BSFF-0238511_0089
Communications Act 2003
Description: This is the primary source of telecoms and broadcasting regulation in the UK and sets out the authorisation regime, competition rules, access and interconnection, numbering and universal service obligations. Ofcom is the regulator.
Obligations: Under this Act POL, as an Electronic Communications Services ("ECS") provider, is generally authorised to operate its Telecoms business provided that it complies with applicable conditions of Ofcom's General Conditions of Entitlement. POL has to act in accordance with consumer law in its telecoms and postal business activities.
Business Area: FS & Telecoms; Retail
Responsibility: Kevin Gilliland
Accountability: Nick Kennett
Controls / Policies: Regulatory Team (Jono Hill); Fujitsu assists POL on compliance to technical service requirements as part of their managed service provision under the Telecoms MSA; Compliance programmes; Vulnerable customer approach and Dunning 'bad debt relief' approach
Evidence: Regular external audits on billings. Other MI and information submitted to Ofcom for published league tables etc.
Companies Act 2006
Description: Contains statutory statement of directors' duties with seven key general duties. Directors' duties are owed to the company, but directors must also consider the interests of the company's employees and creditors. Also governs consolidated financial statements/company accounts and auditing.
Obligations: Directors: Duty to act within powers; Duty to promote the success of the company; Duty to exercise independent judgment; Duty to exercise reasonable skill, care and diligence; Duty to avoid conflicts of interest; Duty not to accept benefits from third parties; and Duty to declare interest in proposed transaction or arrangement. Directors are responsible for the preparation, approval and filing of company accounts.
Business Area: CEO; LRG; Operations
Responsibility / Accountability: Paula Vennells; Jane MacLeod; Al Cameron
Controls / Policies: Company Secretary
Evidence: Regulatory Tracker and monitoring of legislative developments.
POL-BSFF-0238511_0090
Corporate Manslaughter and
Summary: Creates the offence of corporate manslaughter by organisations. No new duties obligations under the act, though it is specifically linked to Health & Safety requirements. Breaches can result in unlimited fines. Individuals within organisations can also face prosecution for Gross Negligence Manslaughter.
Application to POL: Provided POL takes their obligations under Health & Safety law seriously, they are not likely to be in breach of this act. POL should keep their Health & Safety management systems under review, in particular the way in which their activities are managed or organised by senior management. POL needs to take into account appropriate health and safety guidance and ensure there are no attitudes, policies, systems or accepted practices within POL likely to encourage serious management failure or produce a tolerance of it.
Business area: Operations
Owners: Al Cameron
Controls: See entry "Health and Safety at Work Act 1974".
Evidence: See entry "Health and Safety at Work Act 1974".
Criminal Finances Act 2017
Summary: In force from September 2017. Creates a new corporate criminal offence for failure to prevent criminal facilitation of criminal tax evasion. Unlimited fine for failure to prevent (and no defence proven). Amends POCA 2002 to change the current SARs regime, provide enhanced powers (including disclosure powers) re proceeds of crime/money laundering and new Unexplained Wealth Orders regime (granted by High Court).
Application to POL: Focusing on point 1.): A 'failure to prevent' corporate criminal offence is placed on a 'relevant body' (e.g. POL) where it fails to prevent an 'associated person' (i.e. employees, contractors, sub-contractors, agents, consultants or any other persons providing a service for or on behalf of POL) from criminally facilitating criminal tax evasion (UK or equivalent offence under foreign law). The only defence is to have 'reasonable procedures' put in place to prevent facilitation by its 'associated persons' (or that it was not reasonable to have these).
Business area: All
Owners: Jane MacLeod; Al Cameron, Kevin Gilliland, Nick Kennett, Rob Houghton, Martin Kirke, Martin Edwards, Mark Davies
Controls: Financial Crime Policy. Reasonable procedures (defence).
Evidence: Working Group: meeting agendas and minutes recorded - saved in Legal team shared drive.
Data Protection Act 1998 & GDPR
Summary: Act requires data controller to process personal data in accordance with 8 principles. Stricter regime and penalties under GDPR (including fine up to 4% of global turnover or EUR 20m, whichever greater). UK Data Protection Bill in progress - tbc.
Application to POL: When POL is determining the manner and purpose of the personal data it needs to ensure the personal data is:
1. processed fairly and lawfully (cl 2 and 3)
2. only used for the specified and lawful purpose
3. adequate, relevant and not excessive
4. accurate and kept up to date
5. not kept for longer than necessary
6. processed in accordance with the data subject's rights
7. processed with adequate technical and organisational measures
8. not transferred to a country that is outside the EEA unless it ensures adequate level of protection.
DSARs.
Business area: All
Owners: Al Cameron; Jane MacLeod, Kevin Gilliland, Nick Kennett, Rob Houghton, Martin Kirke, Martin Edwards, Mark Davies
Controls: Information Protection & Assurance Team (Clare D'Netto). DPA clauses in contracts. Data Protection and Information Security Policies. Training to business areas.
Evidence: GDPR Programme and appointment of Programme Manager / Steering Group - including review of POL material contracts and P-Suite. Data maps.
Economy Act 2017
Summary: The Act reflects the Government's modernisation of communications services. Changes are made to the law governing installation and maintenance of telecoms infrastructure, public sector data sharing, direct marketing activities, IP (copyright infringement) and provides powers for Ofcom to specify requirements regarding end-users switching communications providers and compensation for failure to meet performance standards.
Application to POL: Marketing - comply with ICO's code on Direct Marketing (breach of which is not an offence but is admissible as evidence in any proceedings). Property - to comply with reform of the Electronic Communication Code regarding telecom operators and landlords; amends the Landlord and Tenant Act 1954. Public sector personal data sharing - question of whether POL is a 'public authority' (definition is the same as under Equality Act 2010 and Immigration Act 2016 - which POL does not consider itself to constitute a 'public function'); also not listed as a 'Specified Person' under the Act.
Business area: Retail; Operations; FS & Telco; Brand
Owners: Kevin Gilliland, Al Cameron, Mark Davies; Nick Kennett
Controls: GDPR Programme (re ICO's code on direct marketing)
Evidence: Regulatory Tracker
Enterprise Act 2016 (competition law)
Summary: Introduces a criminal offence for taking part in cartel activity. However, also introduces other important changes in relation to merger control, disqualification of directors for breaches of competition law, super-complaints to the CMA by certain consumer bodies.
Application to POL: POMS and POL must ensure that none of its directors is in breach of competition law. POL and POMS must also ensure that it deals with any questions or complaints from the CMA. FS (POMS): must ensure that it has mechanisms and controls in place to allow swift payout on insurance claims.
Business area: All
Owners: Martin Edwards, Martin Kirke, Rob Houghton, Jane MacLeod, Al Cameron, Mark Davies, Kevin Gilliland; Nick Kennett, Kevin Gilliland
Controls: Regulatory Governance Manual. HR team leading on apprenticeships. Working Group for payment cap set up and includes representatives from HR, legal and public affairs. Training provided to Directors.
Environmental Legislation and Regulations
Summary: There are numerous other Environmental Regulations arising from the above Acts, for example governing the following areas:
- Permits required for the discharge of waste
- Pollution prevention
- Energy efficiency
- Contamination of land, waterways etc.
There are further regulations made under the European Communities Act 1972 Section 2(2):
- Management of electrical and electronic equipment (WEEE) waste
- Management of waste batteries and accumulators
- Packaging requirements.
Application to POL: POL has obligations under most of these regulations. Example - the management of any discharge of heating oil, vehicle fuel at Supply Chain depots. Energy efficiency relates to gas, electricity, fuel usage etc. The waste concerned is produced owing to the supply by POL of equipment or other items to its administrative offices etc. and DMBs for use or sale.
Business area: Operations
Owners: Al Cameron
Controls: Persons In Charge; H&S Managers; Property Managers; CBRE/Servest
Evidence: Environmental Tactical Group has been set up. Land - waste collection for non IT areas is managed via Servest contract and the service is monitored through a formal service review monthly. Our land waste compliance is high. Rubbish collection breaches on timings are also monitored with Servest to ensure any Local Authority penalties are addressed. Air - the risk is low. CRC is a CBRE service line and monitored through formal monthly service line reviews and our carbon is reported yearly. Our data accuracy (based on meter reads) is very high. Water - this is a low risk for property. CBRE monitor our physical controls (through interceptors) and we have checked these.
Environmental Protection Act 1990
Summary: The Act applies to England, Wales and Scotland. Its application is wide ranging. Breaches of Environmental Law are often criminal offences. They can result in:
- Fixed Penalty Fines
- Prosecution of a company or individuals for breach of health and safety
- If convicted companies can face large fines, potentially unlimited if death has occurred.
Application to POL: It imposes upon POL general duties for waste management and releasing emissions into the environment. It sets out a regime for the regulation and licensing of the disposal of controlled waste on land, imposes a duty to remediate contaminated land and introduces the statutory nuisance regime. Impact on POL can be serious. Brand damage can occur as a result of the incident. Even more serious, Fixed Penalty Notices may have to be revealed when POL is tendering for business.
Business area: Operations
Owners: Al Cameron
Controls: Compliance with all relevant obligations under this Act are managed by the Property Team (Property Compliance Manager) and the particular business areas. Health Safety Environment and Wellbeing team, external Specialists e.g. Servest who manage the collection, transport and disposal of our waste, and the Legal Team.
Evidence: The tactical group has set targets for environmental waste and has a plan to reduce our waste. Our record of progress against landfill targets and CRC is good and incidents are very low.
Equality Act 2010
Summary: The Equality Act 2010 protects people from discrimination in the workplace and in wider society. It replaced previous anti-discrimination laws with a single Act, making the law easier to understand and strengthening protections. It sets out the different ways in which it's unlawful to treat someone.
Application to POL: POL required to comply with provisions as an employer. POL is also a "service provider" ("concerned with the provision of a service to the public or a section of the public") in its DMB (directly managed branch) network and must therefore make reasonable adjustments to accommodate the needs of customers from various "protected groups" e.g. elderly and disabled.
Business area: All
Owners: Nick Kennett, Kevin Gilliland, Martin Edwards, Rob Houghton, Jane MacLeod, Al Cameron, Mark Davies; Martin Kirke
Controls: Legal team to manage risks. HR policies and processes to mitigate risk of unlawful behaviour. Network Team have defined process to assess new branch premises (both DMBs and agency) for suitability and accessibility. Legal team engaged with Network and HR teams.
Evidence: Equality Act and Accessibility Policy available on intranet and also provided to agents.
Financial Services and Markets Act 2000 (FSMA) / FCA Handbook / Funeral Planning Authority requirements
Summary: POL: It is a framework for regulation of financial services within the UK. POL as an appointed representative for the BOI and POMS. POL must comply with applicable rules and obligations within FSMA. POL meets with the PRA as part of BOI relationship. Due to BOI relationship, POL is also subject to Banking Framework: SYSC 8 requirements. POMS: FSMA will apply to POMS as it is the regulated insurance intermediary and POL's principal. FCA Handbook: Imposes principles and rules on how customers can be approached, marketing and suitability of products and customers. Note: Consumer Credit Act 1974 (as amended) governs credit cards, loans and overdraft products. POL is an appointed representative of BOI in this respect and is covered under the AR Agreement.
Application to POL: POL: POL is under contractual obligations to comply with the regulations in relation to financial services it provides. As such, POL must observe and comply with rules and regulations applying to the financial services sector (otherwise it may be in breach of the appointed representative agreements). POMS: FSMA requires POMS to have appropriate protections for customers within the insurance policies. FCA Handbook: POMS must ensure that marketing of the insurance policies is done within the guidelines of the Handbook. Principles 6 and 7 also apply: "pay due regard to the interests of its customers and treat them fairly" and "pay due regard to the information needs of its clients and communicate information to them in a way which is clear, fair and not misleading".
Business area: FS; Retail
Owners: Kevin Gilliland; Nick Kennett
Controls: POL: contractual arrangements with POMS and BOI, Appointed Representative Agreements with both principals. Sales Oversight Compliance Forum, Customer and Conduct Risk Committee for BOI. Joint Conduct and Customer Risk Committee. POMS: contractual relationship with POL; Regulatory Governance Manual; Compliance review; Vulnerable Customers Policy; Training & Competence Policy; Financial Promotions Policy; Complaints Handling & Review (BOI undertakes); Quality Monitoring; Conduct compliance manual; Quality of Sales MI; Staff Vetting Policy - Martin Kirke; Success Factors and PO Money Academy.
Evidence: Minutes of meetings, T&C reports, Monitoring reports e.g. VMS. Incident and breach reporting. Reporting to RCC and ARC.
Freedom of Information Act 2000 / Environmental Information Regulations
Summary: Provides public access to information held by public authorities by obliging them to publish certain information about their activities and entitles the public to make requests for information from public authorities. ICO is the relevant regulator and will investigate complaints made against public authorities and produce decision notices (can be appealed); failure to comply is contempt of court, punishable by fine.
Application to POL: As a public authority, POL is directly affected by this legislation and must publish or disclose certain information about its activities and performance. POMS is affected by virtue of being a POL (100% owned) subsidiary and contractual relationships with POL. When receiving written requests for information from a member of the public, POL would have to consider the application, tell the applicant whether the information is held and provide it unless an exemption applies. A breach is committed where: failure to respond adequately to requests for information; failure to adopt model publication scheme or do not publish correct information; and deliberately destroying, hiding or altering requested information to prevent its release.
Business area: LRG
Owners: Jane MacLeod
Controls: Information Rights Manager. Case-by-case evaluation of requests received, collation of information and preparation of replies and review of data collated, redaction where required. Management of cases needs to take into account DPA 1998 and ROPSI.
Evidence: FOIA Procedures Guidance 2012 (needs updating) for Freedom of Information and Environmental Information Regulations is held on the FOIA restricted drive. Includes Guidance for the Information Rights Team and Information Law Panel, for business areas and for public-facing staff. Numerous templates to assist the management of the processes, spreadsheets to monitor and manage workloads and evidence compliance.
Gross Negligence Manslaughter
Summary: An individual may be prosecuted for this crime where a death results from their unreasonable significant gross negligence. An individual's actions would have to be more than simply careless or negligent. Their actions would need to be so unreasonable as to be grossly negligent and criminal.
Application to POL: Provided the individual takes their obligations, including those to be exercised on behalf of POL under Health & Safety law, seriously they are not likely to be prosecuted for Gross Negligence Manslaughter.
Business area: Operations; Retail
Owners: Kevin Gilliland; Al Cameron
Controls: See entry "Health and Safety at Work Act 1974".
Evidence: See entry "Health and Safety at Work Act 1974".
Health & Safety at Work Act 1974 and various related Regulations
Summary: Section 37 H&SW Act - where an offence has been committed by a company attributable to the consent, connivance or neglect of any director, manager or other similar officer of the company, that person shall be guilty of an offence and liable to criminal prosecution and punishment.
- Management of Health and Safety at Work Regulations 1999 - imposes a duty to carry out suitable and sufficient risk assessments which are the cornerstone of health and safety management
- Construction (Design and Management) Regulations 2015 - imposes obligations on all parties involved in construction works and projects.
Other regulations not arising out of the Health and Safety Act 1974: Regulatory Reform (Fire Safety) Order 2005 imposes obligations in relation to fire risk assessments, management of Fire Safety and enforcement sanctions (including prosecution) for breach of the Order, and The Control of Asbestos Regulations 2012 (CAR 2012).
Application to POL: General duty to 'ensure so far as is reasonably practicable the health, safety and welfare at work of all their employees'. Breaches often criminal offences and large fines. Provide and maintain safety equipment and safe systems of work; ensure materials used are properly stored, handled, used and transported; provide information, training, instruction and supervision - ensure staff are aware of instructions provided by manufacturers and suppliers of equipment; provide a safe place of employment; provide a safe working environment; provide a written safety policy/risk assessment; look after the health and safety of others, for example the public; talk to safety representatives. The Act also imposes duties on POL in relation to those entering upon premises that it controls, e.g. contractors and visitors, and in a more limited way: POL's wider undertaking.
Business area: Operations; HR; Retail
Owners: Kevin Gilliland; Al Cameron; Martin Kirke
Controls: H&S Committee / Legal and external law firms / CBRE / Servest. Property Compliance Managers, Equipment Managers and Persons In Charge, Health, Safety & Environment team. Health & Safety Policy. Risk assessments, safe systems at work, training and compliance checks undertaken and evidence capture. Various audits (Asbestos). Draft Asbestos Management Plan.
Evidence: Advice, guidance and policies on H&S sharepoint/intranet. H&S Business Partners and Head of Property Compliance hold documentary evidence of compliance. Collation of Certificates of Compliance, issue and monitoring of H&S Activity Calendars. Monthly Operations Safety Board and Supply Chain Risk Meeting, Quarterly National and Regional H&S Consultation Meetings, Road Risk Forum and 6 monthly Group Executive H&S Committee 'deep dive' meetings. Training to GE, Lead teams and across business teams as required. Trade Union H&S Reps Inspection reports. Property statutory compliance surveys.
Insurance Mediation Directive (IMD) & Insurance Distribution Directive (IDD)
Summary: IMD: Removes the barriers to a single market for insurance and reinsurance intermediation. Authorised firms must allocate responsibility of the firm's insurance mediation activity to a director or senior manager. IDD: Enhances consumer protection, promotes competition and establishes pan-European level playing field by harmonisation. IDD will be enacted via FSMA and FCA rules in the UK. Enters into force in February 2018.
Application to POL: IMD: If POMS carried out an insurance mediation activity it must:
- be authorised by a relevant competent authority;
- be subject to certain obligations relating to systems and controls, regulatory capital, client assets and approved persons; and
- be regulated with respect to the way that they communicate with clients, issue financial promotions (including content), handle claims and advise on, sell and cancel products.
Business area: FS; Retail
Owners: Kevin Gilliland; Nick Kennett
Controls: Registration with the FCA. Regulatory Governance Manual. POMS Compliance team.
Evidence: Project Athena, currently managed by Christelle Losa (including weekly updates), is in relation to the revised guidance by the FCA on compliance with IDD. Project team has been established and we are on-track with adherence to the timescales required by the FCA. All policies are signed off and reviewed by Steering Committees within group and are stored on Sharepoint.
Intellectual Property Laws (various)
Summary: Key legal rights for PO: trade marks, domain names and goodwill. Key legislation: Trade Marks Act 1994 and Copyright, Designs and Patents Act 1988.
Application to POL: Protection of PO's IP rights and brand - maintaining, enforcing and defending.
Business area: Brand
Owners: Mark Davies
Controls: Standard agreements, e.g. PO Trade Mark and Copyright Licence Agreements
Evidence: PO Brand Guidelines. Draft Brand Terms of Reference. Template agreements/schedules on Legal team shared drive.
Modern Slavery Act 2015
Summary: This Act creates an obligation on a business to publish a statement about the steps it has taken to ensure that slavery and human trafficking are not taking place in any part of the business or any part of the supply chain. Introduction of three criminal offences - slavery, servitude and forced or compulsory labour; human trafficking; and committing any offence with the intent to commit human trafficking. Failure to prevent modern slavery can lead to criminal and civil prosecution.
Application to POL: POL obligations: Undertake due diligence of supply chains. Prepare and publish an annual statement of compliance within 6 months of year end.
Business area: HR; Operations; Retail
Owners: Al Cameron, Kevin Gilliland; Martin Kirke
Controls: Working Group set up and led by HR; representatives from Procurement, Legal, HR and Retail.
Evidence: Modern Slavery Statement due to be signed off by the Board in October 2017 - to publish on POL intranet. Whistleblowing Policy updated to include MS; Code of Business Standards will do the same. Assessed Post Office procurement process to ensure it aligns with MSA and reviewed standard form procurement contracts. PQQ process amended to take account of MSA. Suppliers must now confirm that they comply with the MSA and provide a copy of their statement. Reviewed Postmaster contracts and issued Guidelines for Postmasters to assist them in complying with MSA.
Money Laundering, Terrorist Financing and Transfer of Funds (Information on the ...) 2017 (MLR 2017)
Summary: Regulations that govern Money Service Businesses, such as POL, due to the fact that it provides currency exchange and money transmitting services. A board member or senior management member must be appointed as officer responsible for compliance with MLR 2017. A nominated officer must also be appointed. Extensive provision for the investigation of breaches and civil enforcement action/criminal prosecution where breach found. The FCA prosecutes criminal offences under MLR. Note: the government has also proposed a new offence making the company criminally liable for failure to prevent economic crime, including money laundering. This is likely to be a strict liability offence, with the defence being adequate procedures put in place - likely to come into force in late 2017.
Application to POL: POL must maintain up to date premises register with HMRC of all premises where regulated activity is undertaken. Fit & Proper tests must be undertaken. POL must have adequate mechanisms for receipt, review, investigation and disclosure to the NCA of SARs. POL must undertake risk assessments and carry out 'customer due diligence' measures to check that your customers are who they say they are and that there is no evidence of ML or TF. It must also put in place internal controls and transactions monitoring systems. The nature of these controls will depend on the size and complexity of POL, including the number of customers it has and the number and type of products and services it provides. Also contractual commitments for MLRs with MoneyGram, Partner Banks, Gift Cards etc.
Business area: FS; Retail; LRG
Owners: Kevin Gilliland; Nick Kennett; Jane MacLeod
Controls: Anti-money laundering provisions in contracts. ABC, AML/CTF, Financial Crime Policies. AML Steering Group and Financial Crime Governance Forum. Risk assessments for all new/changed products and services. Annual training, awareness and comms plan, including training to the business via Success Factors. Training to the branches. Advice provided by external firms.
Evidence: Policies on Intranet and updated annually. Completed risk assessments retained in restricted access drive, progress reported to AML Steering Group and R&CC. HR maintain training records for directly employed staff. Branch Standards Team maintain records for Network training. SAR reports are monitored monthly by Head of Financial Crime; all records filed in restricted access drive.
Payment Services Regulations 2017
Summary: It is the key payment-related legislation setting out the framework for standardisation of the payment institutions, minimum standards in the payments area and increased transparency and protection for customers. The FCA, using regulatory powers, deals with enforcement of PSR, which may impose public sanctions (penalties/censures) and can instigate criminal prosecutions on firms authorised under PSR for breaches. Also able to order firms to provide restitution to customers and cancel authorisations.
Application to POL: PO must ensure it is compliant with the following areas:
- Cash deposits and withdrawals
- Payment card transactions - e.g. travel money and e-money requirements
- Money remittance
- Payments sent through the intermediary of a telecom, IT system or network operator
Business area: FS; Retail
Owners: Nick Kennett; Kevin Gilliland
Controls: PSD2 mapping of products
Evidence: Complaints data (regime was complaints based supervision until July 2017)
Privacy and Electronic Communications Regulations 2003 (PECR) / Network and Information Security Directive
Summary: This Act gives individuals specific privacy rights in relation to electronic communication.
Application to POL: The Act complements the Data Protection Act and contains rules on marketing calls, emails, texts and faxes, cookies (and similar technologies), keeping communications services secure and customer privacy regarding traffic and location data, itemised billing, line identification and directory listings.
Business area: LRG; FS & Telecoms
Owners: Jane MacLeod; Nick Kennett
Controls: Information Protection & Assurance Team (led by Jules Harris) and Telecoms team (led by Meredith Sharples). PECR clauses in relevant contracts (e.g. IT Towers agreements). DPO role within IPA provides subject matter expertise to the business regarding compliance with PECR.
Evidence: ISO27001 ISMS Certification supports objectives of PECR. ISO compliant policies regarding Information Security/management of information. Policies located at the IPA Intranet page e.g.: Acceptable Use Policy, Information Assurance Policy, Cyber Information Security Policy, PCI Compliance Standard, Information Classification Standard, Access Control Standard. PCI DSS Certification - customer card payment transactions. Telecoms will be subject of a PECR Audit in Q1 2018 conducted by the ICO - management and control of the contract between POL and Fujitsu will be assessed.
Public Interest Disclosure Act 1998 / FCA SYSC
Summary: To protect whistleblowers from detrimental treatment or victimisation from employers after making a qualifying disclosure. FCA SYSC - (POMS) protection of whistleblowers from being victimised for disclosing 'reportable concerns' (including protected disclosure, breach of firm's policies and procedures and behaviour that harms or is likely to harm reputation or financial well being of the firm).
Application to POL: Qualifying disclosures are disclosures of information where the worker reasonably believes (and it is in the public interest) that one or more of the following matters is either happening, has taken place, or is likely to happen in the future: a criminal offence; breach of a legal obligation; a miscarriage of justice; a danger to the health and safety of any individual; damage to the environment; deliberate attempt to conceal any of the above. New FCA rules in 2016 on whistleblowing mean firms must have a whistleblowers' champion in place - this should be a non-executive director or senior manager who will need to report to the board on whistleblowing stats, at least on an annual basis.
Business area: All
Owners: Nick Kennett, Kevin Gilliland, Martin Edwards, Martin Kirke, Rob Houghton, Jane MacLeod, Al Cameron, Mark Davies; Martin Kirke
Controls: Whistleblowing Policy
Evidence: Whistleblowing Policy on POL intranet, comms issued to employees and Postmasters.
s.3 Small Business, Enterprise and Employment Act 2015 / The Reporting on Payment Practices and Performance Regulations 2017
Summary: Duty to report on payments practices and performances. Rules require large companies (meeting certain thresholds) to publish information about their payment practices and performance regarding supplier invoices, twice a year on a government web service.
Application to POL: Currently, POL and FRES must report from September 2018. Possibly POMS. Failure to comply will be a criminal offence by the company and every director of the company will be liable, punishable on summary conviction by a fine not exceeding level 5 on the standard scale. If a company fails to publish a report by the required deadline, a director will not be liable if the director has taken all reasonable steps to ensure compliance.
Business area: Operations; Brand
Owners: Mark Davies; Al Cameron
Controls: POL is piloting the obligations in advance of September 2018. Finance is currently working with Accenture for system developments that allow the reporting to be delivered. Working with internal community to ensure procedures are understood and followed to ensure prompt payment. Updating vendor T&Cs to ensure these are followed to ensure prompt payment.
Evidence: Internal report produced/circulated on the impact of the duty to all Post Office entities. Information held by the AP team in FSC on current performance and future reporting. Working Group chaired by Ben Foat - action points recorded.
Senior Managers & Certification Regime
Summary: Introduction of senior managers' statutory duty of responsibility - to take reasonable steps to prevent regulatory breaches in their area of responsibility (no longer a presumption of responsibility). The Regime applies to staff in roles that can cause 'significant harm' to either the firm or its customers. The regime has been extended to all FSMA authorised/FCA regulated firms, which includes POMS (solo regulated), to take effect in 2018 (most likely end of 2018). The Conduct Rules (replacing the 'Approved Persons' regime) have been extended to apply to all directors, including NEDs. The FCA is able to enforce these directly against directors, such as where a NED fails to act with honesty and integrity. If the firm takes action against the individual for breach of the Rules, it must be reported to the FCA. Burden of proof to show senior manager failed to meet expected standards in an enforcement action lies with the FCA.
Application to POL: POMS likely to be an 'enhanced' SM&CR firm. Example of some core/enhanced regime requirements:
- ensure clear allocation of various designated senior management responsibilities.
- develop "Statements of Responsibilities" to record the allocation of responsibility to individual Senior Managers.
- "Responsibilities Map" to be a single document describing the POMS' management and governance arrangements in order to demonstrate that there are no gaps in accountability.
- Regulatory references.
Possible extension to appointed representatives and Head of Legal (awaiting further FCA consultations) - tbc.
Business area: HR; FS
Owners: Martin Kirke; Nick Kennett
Controls: Conduct Risk Policy. Regulatory Governance Manual.
Evidence: Project Atlas has been commissioned and POMS has established its internal team and governance structure and has contracted with Thistle Initiatives to provide external support and industry guidance. Project manager, Ben Spencer White, is in place and the project has commenced. Final consultation only just issued by FCA in August 2017 with view to implementation during mid to late 2018.
Trade Unions and Labour Relations (Consolidation) Act 1992 (TULRCA)
Summary: TULRCA is a complex piece of legislation that consolidates the law relating to trade unions. It also covers industrial action.
Key aspects of TULRCA include:
- Trade Union obligations
- Rights of trade union members (including in relation to union membership and activities)
- Collective bargaining rules
- Redundancy and the duty to consult collectively
- Obligations for trade union immunity for loss caused by industrial action
Function: HR; GE IRSG (where Legal is represented)
Owner: Martin Kirke
Policy: IRSG
Controls: Collective Agreements are located on the Legal shared drive and copies are also with external panel firm Bond Dickinson. All communications with the unions are sent to Legal for sign off.
Treaty on the Functioning of the European Union (TFEU) articles 101 and 102; Competition Act 1998
Summary: The Act provides the updated framework for identifying and dealing with restrictive business practices and abuse of dominant market position. European and UK competition law requirements.
Key aspects: Ensure ongoing compliance with European and UK law. Examples of relevance: Network / restrictions; Public procurement.
Function: All
Owners: Martin Edwards, Jane MacLeod, Martin Kirke, Rob Houghton, Al Cameron, Mark Davies, Kevin Gilliland, Nick Kennett
Policy: Assess compliance on a continuous basis taking into account changes in legislation and Brexit. Consider competition law implications in existing and new agreements. Training employees/stakeholders. Include competition law requirements in code of conduct. Restrictions Policy. Dawn Raid Policy (draft).
Controls: Monitoring of legislative developments and Regulatory Tracker.
Strictly Confidential POL-BSFF-0238511_0108
POST OFFICE PAGE 28 OF 29
Value Added Tax Act 1994
Summary: The legislation for the payment of VAT.
Key aspects: POL is obliged to comply with HMRC's requirements regarding the payment and accounting for VAT. Accurate calculation of VAT, filing of VAT returns, payment of VAT.
Function: Operations
Owner: Al Cameron
Policy: Monitoring of any adjustments in VAT regime.
Controls: Qualified tax professionals undertake the indirect tax work on a day by day basis. The firm undertakes wider development to ensure that the professionals are up to date with latest legislative changes and have access to the latest tax legislation and working papers (e.g. Tolleys library). POL also have access to KPMG LLP to discuss any complex indirect tax areas / seek reassurance where appropriate. VAT payment dates have remained consistent for a number of years and in line with the expectations of trained tax professionals. Direct debits are set up for VAT payments to reduce the risk of omissions.
Confidential POL-BSFF-0238511_0109
POST OFFICE PAGE 29 OF 29
Strictly Confidential POL-BSFF-0238511_0110
6.2. Procurement Compliance Reporting
POST OFFICE Page 1 of 6
RISK & COMPLIANCE COMMITTEE
6.2 Procurement Compliance Reporting
Author: Barbara Brannon Sponsor: Al Cameron Meeting Date: 13 September 2017
Executive Summary
Context
As a business in receipt of public funds POL is bound by the Public Contract
Regulations (2015). PCR 2015 oblige POL to behave in a fair, objective & transparent
way when contracting with 3rd party suppliers. Additionally, set procedures must be
followed for spend above £25k and £164,500k (total contract value).
Failure to abide by the legislation, or "slicing and dicing" contracts, exposes POL to risk,
both in terms of the commercial outcomes of the contracts and in terms of the reputational
damage, legal remedies, censure & fines that can follow the discovery of a breach.
Our compliance with PCR can be requested under a Freedom of Information request at
any time.
The PCR Compliance Register allows for the tracking of breaches to PCR regulations at
the Post Office and internal governance processes. One aim of collating this
information is to drive improvement in awareness and compliance behaviour across
the organisation. The second and primary aim is to work with GE and Business Units
to commence commercial reviews in a more timely way ensuring POL obtains value,
commercial and contractual flexibility fitting the requirements and business strategy
of the organisation.
Questions addressed in this paper
1. How many and what types of procurement non-compliance have occurred in the
past quarter?
Since January 2017 there have been a total of 28 non-compliant incidents, 23
of which are direct awards in breach of PCR regulations documented by the
Procurement Team. The remaining 5 are in breach of internal governance but
not of PCR regulations. Minor breaches are often captured after an external
commitment is made when invoices are presented for payment but in the main,
these tend to be of low value and risk and are reducing in frequency.
INTERNAL. Page 1 of 6 RCC 13 September 2017
112 of 227 Risk & Compliance Committee meeting-13/09/17
POL-BSFF-0238511_0111
6.2. Procurement Compliance Reporting
[Chart: Value of Non-Compliant Spend by Function. Legend: Branch Equipment, Corporate Comms, Financial Services, Government Services, HR, IT, Marketing, NT Programme, Property, Research & Insight, Retail, Network. Values marked IRRELEVANT (redacted).]
[Chart: Volume of Non-Compliant Spend by Function. Same legend as above. Values marked IRRELEVANT (redacted).]
[Table: Function / Sum of Value. Rows: Branch Equipment, Corporate Communications, Financial Services, Government Services, HR, IT, Marketing, NT Programme, Property, Research & Insight, Retail, Network, Grand Total. Values marked IRRELEVANT (redacted).]
INTERNAL. Page 2 of 6 RCC 13 September 2017
113 of 227 Risk & Compliance Committee meeting-13/09/17
POL-BSFF-0238511_0112
6.2. Procurement Compliance Reporting
One non-compliant incident in particular skews these numbers: [value redacted]
against a 12 month extension of the Global Payments contract.
Global Payments has become non-compliant on a technicality of PCR, in that
the value of the contract now exceeds that which was advertised during a fully
compliant process. A legal review has deemed the remaining 24 month contract
extension period to be low risk and Procurement and Retail are actively working
on the strategy for re-procurement in due course. [Value redacted] represents the
expected revenue for the next period and a further [value redacted] forecast for the
final period of the contract as we go through the award process for the new
contract.
2. What are the potential consequences?
a. Pre-contractual remedies overview: During a Procurement, an aggrieved
party can seek an interim injunction suspending the tender or the
implementation until the court decides on an outcome.
b. Post-contractual remedies: The court can order an ‘ineffectiveness order’
rendering the contract void &/or can award damages.
3. Why are these incidents occurring, and what can be done about it?
Non-compliant awards are made for a variety of reasons at the Post Office.
a) Low value, time constrained or highly sensitive/specialist engagements
are common. For example, the Board have requested a number of
expedited reviews since the New Year on a short turn-around time.
b) Large commercial arrangements cannot often be easily competed or
unravelled without operational impact, and re-procurement may be
subject to a pending evolution of a supporting Business Strategy.
c) The contractual arrangements may pre-date PCR 2015 regulations or the
contract novated during separation from RMG, automatically becoming
non-compliant at the renewal point. Non-compliant awards are frequently
made on a tactical basis to extend contractual services while public
tender processes are executed.
d) Delays to public sector panels of suppliers becoming available. The Post
Office makes extensive use of this low cost route to market and
new/refreshed panels are subject to frequent delays from Crown
Commercial Services. Interim extensions [of periods under 12 months]
while tender processes are run are considered to be low risk legally.
e) Changes in scope or value over the term of a contract may render the
extension or renewal of services non-compliant. Material changes to the
scope of a contract may render the whole contract non-compliant.
f) Disregard for, or lack of understanding of, the regulations.
INTERNAL. Page 3 of 6 RCC 13 September 2017
114 of 227 Risk & Compliance Committee meeting-13/09/17
POL-BSFF-0238511_0113
6.2. Procurement Compliance Reporting
4. Why are we receiving this report now?
A decision to collate this information into a single location was taken in the
Autumn of 2016. The aim is to track and improve our overall compliance and
commercial results as an organisation, while also ensuring perceptions are
accurate. However, it should be noted that it will facilitate timely responses to
Freedom of Information requests, which adds risk to the Post Office commercial
landscape.
Conclusion
Non-compliant awards of contracts are already subject to extensive internal
governance, legal and risk review, explicit GE and Board approval where value/risks
reach a minimum threshold.
The YTD non-compliance value is potentially very high at [value redacted] due to the Bank
of Ireland and the Global Payments extensions. A more realistic figure illustrating a
typical run rate, however, is [value redacted]. Individually, all large value non-compliant
contracts have been reviewed by appropriate Post Office governance forums with
agreement on next steps and actions towards remediation allocated where appropriate.
Executive support for moving POL towards a more compliant footing is very strong,
but equally as important there is extensive support for the cultural change required
to ensure that Procurement activities and outcomes will support longer term business
strategies and that we reduce commercial risk, making our 3rd party arrangements fit for
purpose.
Input Sought
Review and note content only. Please advise of any suggested improvements or
additional information required for the next quarter, and whether this forum is an
appropriate one to receive a forward "look ahead" of 3rd party contracts with pending
PCR issues.
INTERNAL. Page 4 of 6 RCC 13 September 2017
Risk & Compliance Committee meeting-13/09/17 115 of 227
POL-BSFF-0238511_0114
6.2. Procurement Compliance Reporting
The Report
1. Are any of these breaches arguable on regulatory grounds or are they all
breaches?
A full explanation of the individual compliance breaches is attached in Appendix 1.
Each entry details the nature of, and the value of the breach.
The Procurement Compliance Register does not at present give an indicative risk
level attached to the award. This information is provided to the accountable
executives under internal governance processes in the form of a PCR risk note before
a contract above threshold is entered into, and if necessary under Legal Privilege.
In addition, all signatories to a contract have sight of the Risk note as part of the
Contract Authorisation Form [CAF].
All entries are compliance breaches. A period of challenge applies to each PCR breach
once an aggrieved party becomes aware or ought to have become aware. This risk
finally expires at 6 years from the date of breach. The defensibility of a legal
challenge is outlined within a Risk Note.
2. How many of the breaches were approved in advance and how many
retrospectively?
Nine contracts were entered into during this period without compliance to internal
governance processes on contract and commercial review. All were for awards of
between £0 and £50,000.
3. Why were the approvals given?
The rationale for approval is relevant to the individual service and is detailed within
Appendix 1.
4. What were the unapproved, material breaches?
There were no unapproved, material breaches during this period.
5. Describe the causes of non-compliance to PCR regulations
Non-compliant awards of contract are made for a variety of reasons at the Post
Office:
a) Low value, time constrained or highly sensitive/specialist engagements are
common. For example, the Board have requested a number of expedited
reviews since the New Year on a short turn-around time.
b) Large commercial arrangements cannot often be easily competed or
unravelled without operational impact, and re-procurement may be subject
to a pending evolution of a supporting Business Strategy.
c) The contractual arrangements may pre-date PCR 2015 regulations or the
contract novated during separation from RMG, automatically becoming non-
compliant at the renewal point. Non-compliant awards are frequently made
INTERNAL. Page 5 of 6 RCC 13 September 2017
116 of 227 Risk & Compliance Committee meeting-13/09/17
POL-BSFF-0238511_0115
6.2. Procurement Compliance Reporting
on a tactical basis to extend contractual services while public tender
processes are executed.
d) Delays to public sector panels of suppliers becoming available. The Post
Office makes extensive use of this low cost route to market and
new/refreshed panels are subject to frequent delays from Crown
Commercial Services.
e) Changes in scope over the term of a contract may render the extension or
renewal of services non-compliant. Material changes to the scope of a
contract may render the whole contract non-compliant.
f) Disregard for, or lack of understanding of, the regulations.
6. Describe what you are doing about the breaches. Where we are in breach, do we
have a plan to come back into compliance and over what time period will that
plan take effect?
a) A forward view of material contracts falling under each Business Unit is
currently prepared by the relevant Procurement Manager for discussions with
their key stakeholders. The maturity of this look ahead view does vary
currently and is a high priority activity within the team.
b) Sourcing options papers are prepared for review by contract managers and
key stakeholders [risk, legal, security] with routes to market agreed. In many
cases these are dependent on evolving business and operating model
strategies and the Procurement team are now actively involved with some
units helping to advise as thinking evolves.
c) Where a non-compliant award is proposed due to time pressure, Procurement
are actively working on long term mitigation with awards made on an interim
basis where possible.
d) Each RCC member will now receive a regular report on compliance within
their business unit[s].
e) A new Risk & Governance process requires a Risk Exception report to be
created for non-compliant direct awards with SLT or GE sign off.
f) All Professional Services engagements must be approved in writing in
advance by the COO. A compliant panel of preferred consulting partners has
been appointed and proposed engagements outside of this panel are subject
to additional review and challenge.
g) Procurement will now provide training as part of the revised Induction process
for new staff. Training packs are being updated for existing staff and made
available on the Intranet and ad hoc training sessions for interested Business
Units are being run.
h) A new Intranet site has been launched for Procurement to improve visibility of
process, regulation, and the panels of approved compliant suppliers available
to POL business units.
i) A revised POL Procurement Policy is being drafted giving more granular
guidance.
j) Panels of Preferred Suppliers are being refreshed and updated across a wide
range of spend categories to reduce time to market, improve compliance and
greatly improve commercial outcomes and legal risk.
k) A planned change to operational systems will, once Live, give Procurement
earlier visibility of potential compliance issues eg: contractual value
thresholds.
INTERNAL. Page 6 of 6 RCC 13 September 2017
Risk & Compliance Committee meeting-13/09/17 117 of 227
POL-BSFF-0238511_0116
Appendix 1: extract from Procurement Compliance Report
Incident ref | Breach type | Date | Function | Contract owner | Value | Supplier name | Breach description | Governance
ne Oa a JPeR-—JWocArntaleortract nares olor a roncomplant ender process (8 wih aeetes [ntl Conc awardee lowing an process an rot al PCR
lewees bercs sk Serv OCU)2 yas ae/Sev- wrk undertae tak 3D erg toma
wart POLuner he Goverment FWA {bine Ofer ent Asian] whieh
fs rt to become efecve at sgn fof he a OM Contra (27/0/35 fr 23
Iontsto 20/12/17 wth 312 mort optons texted Charge peri tr oral
swarasrow me bred aut ary extersionopton clea wnt new ime i
lorenatenge
Inretatingte a second Agreement fow down ational tems tom cabinet otce
{ne Term appearsto be Back dates to 21/08/13 or 24 mons tr he 3x42 orth
lenersion options to 20/0/18
bojoom Jar ware 2017 Jieearens Pou verer [pen ]Srored Joe ot Cantar vactng raed a prone mane Tor the bane Was To [wat Geloped at 3 pomace Wacker wa a Tarnewor ART
sat Jerca.sk [contact tea mean forte whole tusines but sow a mess rhe india Post e's [The spe thet rest and ths wrk war the ented
erhrmance tote ewertiy ett eng a ertormance measure POL cou
otstopan stato EU proce os we wud wae te date
ne wad ot eae teins and new ater trot uri
spate tracer, The anand nr sore requremetnstor
Jesen wad have ben pantie atten ent me
foi7aoie faa warenaai7 fiat [rev a [Pek Gonpiant— Toga vw eens 1) Mar ard Wome Ore were complan! [Re poaenen was panned Une narra Ba FoRa
peiss sk aware owing publ Pace, covering ora pera oS yeast 31/076, IPadigon deaye ts ures ta the re srecrement was
ney to be competes porto Contactsexsiy, 3/07,
IRRELEVANT
foavont faa werenaai7 fata [evn iin [pee oto Sone re Orga Goal ay areement wax comlartiv awarded undera pubic POR POL okng tower sono wo undenake he Wat math
erca.sk —fotcontact Iprocedre,comringa perocat'syas 1085/17 WithTWOx 1 manthoptonsto
len 5
NN The pend inches for 0% anwar payment by GPto Via & Masecae lesinated cnr wren wi exceed re ores range, wih WO
tne Ane otonst exter
por7oor—rware 2017 IGowenment fern ciara [Pek IExoved re orga S07POL ATW brecmant was rot tvaa Pole Pacrement faatan IThe Orga Agreement ela ng saad outa ata
ewes exer sk cont —_Itnere masa eriodutimplemertatonsoATMS stat flr ot of val contact [pic rumen hs ot ben sce a way ta ngs
terms between May 1? Maren 2. ne areca terms wth the na contract en at (Sr)
poazjoois fas waren zor” fa Ivarine nl ee oo e-ocg mean av inet equrement rot a conenated
eseask — foonact fecnitment
por7oorsfvapiaai7 [anetrg werent jpex pred [atest requiion s sch OU tress bu hee sre seve per mont suppon—[OPialy apparted colar ow an GH Peceth OT
ence sk _[conact__Imaiy rea care, oars and Margate rods. la eompit extensor row ex.s.
boi7ois fore air fe [Marine er [wor [Treen gaigt wih Towers Walon atnoogy Pangan
pease sk
ssn iheyto eBlog fer rum
jorroom Jor way mor7 — Franca Warten [pen Ieompiant arta af LCase year award Avan ogy [craretonal Wa tem, soaeire punto oe aay Tom
levees peice sk prover awatng CAM tty.
POL-BSFF-0238511_0117
Appendix 1 (cont.): extract from Procurement Compliance Report
[cular reterences nthe Government FWA, Cal OM
[contacts oer Fors, bec ateocuments, ae greet
lsccuments stored ina central ioation ena the same inthe
Digaertiy agreements has mace ascertaining the stat ané
les cates ot he agreements very compe.
[riswasturtner compounded by aeitonal terms being put
Jor POL by co whch neded tote owed down to Deny
Jane inthe eating te second Dignity Agrerent terms
have been inadvertent shortenev and appearsta nave been
bac testo 21/05/13 or21 mort akg the 3x12 monty
lestenson options to 20/6/18,
Pencig cretion trom Cabinet Otiee as to wnat their ntenton is for
lextenson of POLsurent CallOM Contact which rus to 13/04/17 (or NEW
\centives ae 1/07/18 to msintin those ser processed to 13/04/17), The
Jevtrwa ne to 23/09/38, wt the ality texte ora further ONE yar
perio to 23/03/19. n hecry CO could theretore place 2 new Cllof!
[contract on PO fora pevad of years (2 years NEW, 1 year maintenance)
Jon wore potentiiy to 2/03/22.
}>o. working wth exter ep (80nd Dickinson) oases thers of
Jestensonv e-procurement once we have test nation rom C0109
Jestenson ofthe erent cal Of
It'sparned for 2 Supplemental Aeement to correct the dates arto show
continuous Agreement from wand a cover forthe exterson option et
le agree (ceperaant on
Ponatran evans
compliant wating sttegy ane confrmatono equrements rom iT
lctore Procurement aproseh can be agree. Renews un Ap 2018
01770005 [due tothe acer sir welgan portant measure Torthe [OncePOLunaesands Faw i warisTo measure performance a review of uti Mayer
nivel post oie the suplers contract wil be Jeurent cs ramework that maybe appcabie oan ful OVE forthe
lextence. -axcngt equrement wil be condutee
[01770010 ro secure supple beyond 3707716, whist undeiainga re [POL ewewng Is OMS Watepy and coding options Torts Tear space [eth Mapes I Z0o4 200
procurement eerie, contract extensions wee paced for ftooptimse revere forthe edn branch network AGE pape” spanned
perio of9 montis to 30/4/17. As outs ote ovgnay fir 10/04/17 futsce formal month Ge, 20/04/17)
Isvertse OIE natice thee are noncompliant ares.
Jute to below rsk curing procurement exer for 2
lotion totter exter by secon periog of 9 mons ane
nis snow ang
Jurcert akentohthereatene ron compliant 31/0188.
[risisrequired asthe reprcirement exercise was
lances given te materal changes eingundertaten to
pots Da stratpy
]017/0014 IThe reason forthe overspend fas been a underTorecast of [legal sac nbeing ought on he procurement iaktobe presentedto GE, IWecSpcer Tapa
[courte transotons by POL together with an inerease in an-I20/04/17 POL wil te retening hsane wl stat the eprcurement
line transactions but in edition reguate changesto the Ioianning to aw forthe puble e-procurement together wth 12 month
nterenange ates nave inreaed cost to PO. ute of POL implementation me to award anew contact 08/05/18
konto)
foro [Stteay pope berg devopedasto POs approach Thre are aalionalJanerew Gooasre I 30704701]
eompextes, as ths be tected by interenange ats whieh scurenty
under revew by LINK members, the changing OMS statepy, Government
lunding vce SEs, the WP Poca Agreement and te reltonsip with 30
fo%7/0013 Ass temporary measure, a short term agreement wth IWaiirg forte release of the new CCS frown Conmereal Services) Isace ray apa]
[nds commercial terms nd fees hasbeen remeworkcuein March 2018. As fl procurement process to implement 2
implemented win approximate 50 suppliers The agreement IPs. would tate over 12 months tocompiete, we have been adsed to walt
Jerectve rm it iy 2017 iin pace ut 3st Maren 2018. Juni detaeate CS rameworkare aaiabe before we sree net steps
jth an oston to eter recesay I adate meeting wth Procurement an egal arranges tor anuary 2018,
[01770016 sex propom Fm Carat (Meda Agency for consoldation [Tpropesalsaccepabie Tom Carat Tren consoldatewtnThem evabingan louse Power 7a]
[wthin ther complarty et contract ntegrated approach to our full media investment
[01770079 I wasagreed to coe tne RMPP{DB eran sehen] 7OTEI[n ne wth te Board aatogy to Gera he RMP a4 Tt pow, PORES
lose required actuarial advice roma prove that krew —frequestec thatthe Trustee of MPP ook to by atthe bites of he
[ne nstoryanacompiexay ofthe AMP. twas necesaryto.IRMP? as Soon a possible whist not requiring rth money fm PO. The
kee Towers Wton fr ter experi. Jesriest this can happen 4 Ari 20%8. lt isantcipates thatthe majority ot
Jan ates wil be bought out by 1 Apr 2019 at the atest. Actua
sec wil ve required euing ths phase. aneted spend to 2019 wi be
omer} 9-0 occurs 2008 ser wil fans
for77o028 INon-complantenervonn pace [caw Patiorm to be we tender ae har previous been parchased non aco Vermeleun —U/I/2047
POL-BSFF-0238511_0118
6.3. Criminal Finances Act
POST OFFICE PAGE 1 OF 6
RISK AND COMPLIANCE COMMITTEE INFORMATION PAPER
6.3 Criminal Finances Act Update
Author: Ben Foat Sponsor: Jane MacLeod Meeting date: 13 September 2017
Executive Summary
Context
The Criminal Finances Act 2017 (Act) comes into force on 30 September 2017 and
introduces a new corporate offence of failing to prevent the facilitation of UK and
foreign criminal tax evasion. The penalty for non-compliance is a criminal corporate
offence and potentially unlimited fine.
Post Office Limited (Post Office) applies a zero tolerance policy to criminal tax evasion
and the criminal facilitation of criminal tax evasion as set out in its Financial Crime
Policy. It is committed to preventing such facilitation within all parts of the business.
This Act was identified by the Legal Team via the Regulatory Developments Tracker
and communicated to the business through the Law & Trends Forum. A cross
functional working group was consequently set up to manage the new obligations
imposed by the Act.
Questions addressed in this report
1. What does the Act stipulate and what are the consequences of non-compliance?
2. How does it apply to Post Office?
3. What have we done?
4. Who is accountable?
5. What do we need to do next to progress?
Conclusion
1. The Act provides that it is a criminal offence where a relevant body, such as Post
Office, fails to prevent an associated person from criminally facilitating criminal tax
evasion of another. Consequently, Post Office must implement reasonable and
proportionate procedures to prevent its associated persons from criminally
facilitating criminal tax evasion of another person. The penalty of non-compliance
is a criminal corporate offence as well as a potentially unlimited fine.
2. It has a broad application to Post Office as the Act applies to all associated persons
including employees, postmasters/agents, suppliers, contractors and consultants.
Strictly Confidential RCC 13 September 2017
120 of 227 Risk & Compliance Committee meeting-13/09/17
POL-BSFF-0238511_0119
Criminal Finances Act
POST OFFICE PAGE 2 OF 6
3. A working group has been set up to advise the business of the enhancements
needed to existing systems and implementations necessary (to prevent criminal
tax evasion and its facilitation) to ensure that Post Office can avail itself of the
“reasonable procedures” defence. For example, Post Office has introduced new
obligations on our postmaster agents, contractors and suppliers to ensure that
they (and their associated persons) comply with the requirements of the Act.
4. The relevant business areas are responsible for implementing the recommended
reasonable precautions (from a first line of defence). Legal and Financial Crime
together with the working group are responsible for second line of defence risk
management.
5. The working group will continue to progress its implementation plan including
assessing due diligence processes, support with communication as well as
providing recommendations regarding ongoing monitoring and review to ensure
Post Office complies with the Act.
Input Sought
1. The Committee is asked to note the paper.
Input Received
2. The Criminal Finances Act working group has provided input into this paper.
Strictly Confidential RCC 13 September 2017
Risk & Compliance Committee meeting-13/09/17 121 of 227
POL-BSFF-0238511_0120
122 of 227
Criminal Finances Act
POST OFFICE PAGE 3 OF 6
The Report
What does the Act require?
Post Office applies a zero tolerance policy to criminal tax evasion and the criminal
facilitation of criminal tax evasion as set out in its Financial Crime Policy. It is
committed to preventing such facilitation within all parts of the business.
Purpose of the Act
The Act is intended to tackle money laundering and corruption, recover the proceeds
of crime and counter terrorist financing. The Act introduces two new corporate
offences of failure to prevent facilitation of tax evasion (criminal UK tax evasion and
foreign tax evasion) and amends the Proceeds of Crime Act 2002 and anti-terrorism
legislation. This Report focuses on the new “failure to prevent” offence.
Offence
In summary, a relevant body (Post Office) may be prosecuted for the “failure to
prevent” offence if an associated person (employees, postmasters/agents, suppliers,
contractors or any other person acting for or on behalf of Post Office) criminally
facilitates either a UK or foreign criminal tax evasion committed by another person.
The aim of these offences is to hold relevant bodies (companies and partnerships) to
account for their associated persons where criminal facilitation is committed in respect
of a criminal tax evasion offence by another.
There must be both criminal tax evasion by a third party and criminal facilitation by
the associated person. If the associated person only accidentally, ignorantly or
negligently facilitated tax evasion, or tax evasion had only arisen accidentally,
ignorantly, negligently or there is no criminal tax evasion but instead tax avoidance,
then the “failure to prevent” offence is not committed by the relevant body.
Reasonable Procedures Defence
It will be a defence for Post Office to show that it had reasonable procedures in place
to prevent such facilitation, or that it was not reasonable to expect it to have such
procedures. The HMRC Draft Guidance of October 2016 notes that the Act does not
hold relevant bodies to account for their customers’ tax crimes or require the relevant
body to prevent customers from committing tax evasion. Its purpose is to encourage
businesses not to turn a blind eye to instances where their associated persons have
deliberately assisted another person to evade tax.
The question of reasonableness is to be determined by the context or surrounding
circumstances. The draft HMRC Guidance also recognises that the “reasonable
procedures” defence is both risk-based and proportionate and so the regime cannot
be a zero failure regime. It suggests that businesses follow a similar approach under
the Bribery Act:
1. Risk assessment
Strictly Confidential RCC 13 September 2017
Risk & Compliance Committee meeting-13/09/17
POL-BSFF-0238511_0121
Criminal Finances Act
POST OFFICE PAGE 4 OF 6
2. Proportionality of risk-based prevention procedures
3. Top-level commitment
4. Due Diligence
5. Communication (including training)
6. Monitoring and Review
Whilst there is no previous case law on this new offence, the tone of the Guidance and
the experience to date of prosecution and deferred prosecutions under the Bribery Act
underline that its aim is to target those who deliberately turn a blind eye to
wrongdoings and ignore what is happening within their businesses.
How does it apply to Post Office?
The working group identified 3 areas which present the highest risk to Post Office:
1. Agent/postmaster network
2. Contractors
3. Suppliers
Example:
If a postmaster deliberately and dishonestly facilitated (e.g. aided and abetted by
being actively involved in) the deliberate and dishonest evasion of a UK tax by a UK
tax payer (e.g. postmaster assistants, staff, customer), both are proven beyond
reasonable doubt, and Post Office cannot show that it had put in place reasonable
procedures (or that it would not have been reasonable to have them) to prevent such
facilitation by its agents/postmasters, then Post Office will be liable and subject to a
criminal corporate offence with a financial penalty.
Employees, such as those in procurement, may also present a risk because of the
nature of their job and the pressures that will undoubtedly often arise on timing and
cost of procuring services.
What have we done?
A cross functional working group consisting of Legal, Financial Crime, HR, Finance &
Ops, Procurement and Retail is working through how Post Office can avoid failure to
prevent criminal facilitation of criminal tax evasion by ensuring that it implements
proportionate and reasonable procedures as follows:
Key Areas of Risk and Reasonable Procedures

Agent/Postmaster Network
1. Existing postmasters will receive Guidance (imposing contractual terms) into their contracts to ensure that they comply with the requirements of the Act and Post Office's obligations regarding the prevention and detection of tax evasion and preventing the facilitation of tax evasion (including an obligation to report any suspicion of criminal facilitation or criminal tax evasion).
2. Standard postmaster contracts used for new postmasters to be updated to reflect the new obligations.
3. The Payments Policy for all postmasters has been revised to ensure ongoing checks that the bank accounts paid match the postmaster's bank details in the contract.
4. A review of the postmaster on-boarding process is planned.
5. Any failure to comply with the new contractual terms and/or the Criminal Finances Act could result in immediate termination of the contract.

Contractors
1. A Deed of Variation to the contract with Sopra Steria (Post Office's supplier of contractors) has been drafted to ensure that they (and their individual contractors) comply with the requirements of the Act and Post Office's obligations regarding the prevention and detection of tax evasion (including an obligation to report any suspicion of criminal facilitation or tax evasion to Post Office).

Suppliers
1. Standard supplier contracts will be amended to introduce the new obligations (as set out above) for new suppliers.
2. Existing suppliers will receive Guidance (imposing contractual terms) into their contracts (as set out above).
3. Ongoing overhaul/review of the supplier on-boarding process by Procurement.

Employees
1. Communication to all employees is planned. Targeted communication to Finance, HR and Procurement is also planned.
2. An official Post Office statement of zero tolerance of the criminal facilitation of criminal tax evasion has been inserted in the Financial Crime Policy.
Who is accountable?
All business areas are accountable for ensuring compliance with the Act in
respect of their own activities:
• Retail is responsible for ensuring compliance with the Act in respect of the agent network.
• Finance & Ops is responsible for ensuring compliance with the Act in respect of suppliers.
• HR is responsible for ensuring compliance with the Act in respect of employees.
The Legal and Financial Crime Team together with the working group provide 2nd line of defence risk management.
What do we need to do next?
The working group continues to progress the implementation plan, working with
different parts of the business to implement the recommended enhancements to
ensure Post Office can avail itself of the reasonable procedures defence.
This work will include:
1. further examination of the due diligence conducted within the organisation
(including the on-boarding of those that could be categorised as associated
persons);
2. implementation of reasonable procedures;
3. roll out of communication across the organisation (including the agency
network) and to targeted groups of Post Office’s zero tolerance approach to
criminal tax evasion and criminal facilitation; and
4. recommendations on how Post Office will conduct ongoing monitoring and
review of existing procedures and their effectiveness (so that it can avail itself
of the reasonable procedures defence).
A further report will be provided to the RCC at the next meeting in November.
7.1 Internal Audit Report
Author: Johann Appel | Sponsor: Jane MacLeod | Meeting date: 13 September 2017
Executive Summary
Context
The purpose of this paper is to update the Committee on the PO Internal Audit activity
and key outcomes. This includes details of the work completed since the last Risk and
Compliance Committee (RCC) in July and progress on the 2017/18 Internal Audit Plan.
Questions this paper addresses
• Is the Internal Audit Plan on track? What progress has been made since the July RCC meeting?
• What progress is being made with completion of audit actions?
• Have any significant issues arisen that the committee should be aware of?
Conclusion
1. Progress against plan:
Delivery of the 2017/18 audit plan is well underway. We have finalised two reviews,
with a further four currently in draft report stage and three audits in fieldwork.
Particular emphasis is placed on timely audit planning and as a consequence 12 reviews
are currently being scoped for delivery between September and January. Early
engagement with the business in the planning phase is proving to result in a more
effective audit process. Current progress against plan is as follows:
[Chart: 2017/18 Combined Plan Status, total audits = 29 (1). Legend: Completed / Reporting / Fieldwork / Planning / Not started.]
(1) ARC approved baseline plan for 2017/18 (16 internal control reviews & 13 change assurance reviews).
A full summary of the 2017/18 audit plan status is included in Appendix 1.
2. Open and Overdue Audit Actions (as at 31 August 2017):

Audit Action Status | Count
Open (not yet due) | 41
Overdue (<30 days) | 4
Overdue (>30 days) | 3
Total | 48
More detailed information is provided in paragraphs 9 and 10, including commentary on progress made with remediation of adverse audit reports.
3. Significant Issues:
There are no significant issues we believe the committee should be made aware of.
Input Sought
The Committee is asked to note and provide comment as necessary.
The Report
4. Changes to Plan since July RCC meeting
We have made one change to the audit schedule. We have agreed with management
that it would be premature to review the Cyber Security controls given that the
Security Transformation project is still ongoing and there are still actions outstanding
from the 2016 Information Security review. The Cyber Security (Phase 1) review
planned for August was therefore replaced with a follow-up of the 2016 Information
Security review. An audit of Cyber Security will be considered in Q4.
The remainder of the 2017/18 plan will be refreshed during October to ensure that it
is aligned with Post Office’s changing risk profile and that the remaining audits on the
plan are still relevant. Information obtained from the ongoing work on the risk
‘placemat’ will be a key consideration during the refresh of the audit plan.
5. Internal Audit Reviews Completed
Since the May ARC meeting we have completed an audit of the VAT Process as well as
an advisory review of the IT Controls Framework. Our findings and observations are
summarised below:
Audit: VAT Process & Controls (Ref. 2017/18-02)
(Reported at the July RCC, but still to be reported to the ARC.)
Audit actions: P1 [illegible in source] | P2 3 | P3 4 | Total 7

Key messages:
This audit found that generally POL manages its VAT affairs effectively. The tax team are consulted on a regular basis and are involved in the decision-making process to ensure that VAT is applied and managed correctly. VAT risk is managed proactively and the controls in place operate effectively. POL has a good relationship with HMRC, as evidenced through transparent communication and documentation.

The following control weaknesses were reported:
• There was no documented tax strategy, governance and control framework. Incomplete documentation of tax processes was identified by HMRC prior to this internal audit; this was disclosed to the ARC and remedial actions are underway.
• VAT processes and controls are not well documented and are to a large extent reliant on the knowledge and experience of the two individuals in the VAT team, both of whom are leaving the business imminently. The delay in finding a suitable replacement may adversely impact the proper handover of the process and transfer of knowledge. Update: a replacement VAT manager has been appointed and handover has taken place.
• Some known system and process issues require ongoing manual intervention to ensure compliant VAT treatment. The manual adjustments are generally low in value but make for an inefficient process.
Audit: IT Controls Framework (Advisory) (Ref. 2016/17-15)
Advisory - Highlight Report

Key messages:
As agreed with the ARC and with management, Internal Audit participated in the ITCF project in an advisory role, contributing expertise in IT risk, IT controls and COBIT 5 to ensure the outcome of the programme is fit for purpose.
Overall IA observed that for the 11 processes in scope, progress has been made in benchmarking the processes against COBIT and identifying controls and process steps which need to be in place to ensure operational risks stay within the risk appetite. However, there is some risk to the project and further work to be done before the ITCF will be ready to be implemented and rolled out for self-assessment:
• Based on the current status of the programme we believe the original timeline will not be met. Phase 3 (remediation) is still ongoing, having slipped from its June deadline. Management need to revisit the overall project timeline.
• Further improvements have been suggested to ensure control descriptions and remediation plans are clear and mitigate identified risks.
6. Reviews In Reporting

Review | Status / Remarks
SAP SF Payroll Migration (Change) | Final Draft Report with GE Sponsor for sign-off.
Financial Spreadsheet Controls | Draft Report issued for management comment.
Mails Process | PwC branded report issued for internal use by management. PO IA Draft Report being reviewed by management.
Integrated Change Plan and Dependencies (Change advisory) | Report being drafted by Deloitte.

7. Reviews In Progress

Review | Status / Remarks
IT Security Transformation (Advisory) | Ongoing - providing challenge and input to the project.
Lottery Pay-out Verification | Management request to review design effectiveness of new validation controls over the Lottery Pay-out process. Fieldwork nearing completion.
Compliance with Banking Framework agreement | Fieldwork nearing completion.

8. Reviews In Planning
We request management's continued cooperation in agreeing the scope and timing of the following reviews that are being planned for delivery in Q2 to Q4:
No. | Review | Timing (start of fieldwork)
1 | Customer Complaints | November
2 | Branch Cash Forecasting & Management | September
3 | MoneyGram: AML Compliance | September
4 | FRES | October
5 | Information Security (2016) Follow-up | September
6 | Business Continuity | January
7 | Pension Scheme(s) | November
8 | Branch Technology - EUC Transition | September
9 | IT Networks | October
10 | EUM | September
11 | Chameleon (Thin Client Solution) | September
12 | Point to Point Encryption Implementation ("Pin Pad") | January

9. Updates on Internal Audit Overdue Actions

Audit Action Status | BAU | Change | Total
Open (not yet due) | 27 | 14 | 41
Overdue (<30 days) | 4 | 0 | 4
Overdue (>30 days) | 3 | 0 | 3
Total | 34 | 14 | 48
Audit actions are generally being completed on time. Following is a summary of
overdue actions, estimated revised completion dates and latest status update:
Branch Network Sales Training & Competence Review

Action: Introduce a competency matrix for the T&D Framework, and subsequently develop a new framework/scheme for colleagues not currently captured by the existing scheme and framework.
Priority & original date: P2, 31/08/17
Revised date & comment: 31 October. Completion delayed because of Project Finch. The Training and Competence team has planned to include this element in the scheme by the end of September/beginning of October.

Action: Update section A14 (sales process) to display appropriate information under the correct headings and focus on achieving fair customer outcomes.
Priority & original date: P2, 31/08/17
Revised date & comment: 30 November. The update of the document is in progress. Area Managers are reviewing changes to the 'What good looks like' statements. Expected to finalise it in the next couple of months. (Jayshree, August 2017)

Action: Update the T&D Framework to include a section on the training and oversight for Senior Support Managers.
Priority & original date: P2, 31/08/17
Revised date & comment: 30 November. The update of the framework is in progress. Completion delayed because of Project Finch.

Financial Services - Branch Network Sales Quality Assurance

Action: Review training materials and provide updated training for Specialists.
Priority & original date: P2, 31/07/17
Revised date & comment: 30 September. Action complete, pending evidence to close action.

Action: Formalise the approach to levelling VMS gradings and minute all levelling meetings going forward.
Priority & original date: P2, 31/07/17
Revised date & comment: 30 September. Process is being documented and will be completed in the next month.

VAT Process

Action: Implement a tax strategy, tax risk and governance policy. Review the existing tax risk management and controls framework to identify gaps in the documentation of controls and formalise the process documentation for VAT and other taxes.
Priority & original date: P2, 31/08/17
Revised date & comment: 30 November. This is still in progress and will be submitted for approval at the November ARC.

Action: Reconfigure the tax code allocation in CFS.
Priority & original date: P2, 31/07/17
Revised date & comment: 30 September. The request has not been actioned due to certain individuals being on annual leave. We expect this to be updated and reviewed by end of September.
10. Progress with remediation of adverse audit reports
Following is a summary of progress with remediation of adverse audit reports issued in the last 12 months (reports rated 'Unacceptable' or 'Needs Significant Improvement'):

Audit title | Total actions | Closed | Open (not due) | Open (overdue)
Identity and Access Management (IAM) (Apr 17) (1) | 14 | 4 | 10 | 0
Information Security (Sept 2016) (2) | 17 | 9 | 8 | 0
IT Disaster Recovery & Resilience (Dec 2016) | 8 | 8 | 0 | 0

(1) We are involved in assisting management to define remedial actions following our review of the IAM process. As more actions are agreed, these will be added to the database and tracked to completion.
(2) We have begun a full review of the progress with the remediation plan for Information Security. Our review will consider whether the actions previously agreed are still appropriate, will evaluate evidence of closed actions and ensure related risks were mitigated, and will agree revised completion dates for the remaining actions.
END OF REPORT
Appendix 1
2017/18 Internal Audit Plan - Status as at 6 September 2017

No. | Title/Subject | Sponsor | Original/Addition | Timing | Status / Rating

Internal Control Reviews
1 | VAT Process | A. Cameron | Addition | May | Needs Improvement
2 | Lottery Payout Verification (Design Effectiveness) | K. Gilliland | Addition | August | Fieldwork
3 | Financial Spreadsheet Controls | A. Cameron | Addition | August | Draft Report
4 | IT Control Framework (Advisory) | R. Houghton | Original | March-Aug | Highlight Report
5 | IT Security Transformation (Advisory) | R. Houghton | Original | March-Dec | Fieldwork
6 | Customer Complaints | A. Cameron | Original | November | Planning
7 | Branch Cash Forecasting & Management | A. Cameron | Original | September | Planning
8 | Compliance with Banking Framework agreement | N. Kennett | Original | August | Fieldwork
9 | MoneyGram: AML Compliance | J. MacLeod | Original | September | Planning
10 | FRES | N. Kennett | Original | October | Planning
11 | Mails Process | K. Gilliland | Original | July | Draft Report
12 | Financial Control Framework | A. Cameron | Original | Q4 | Not started
13 | Telecoms control framework | N. Kennett | Original | October | Not started
14 | Business Continuity | J. MacLeod | Original | January | Planning
15a | Cyber Security (Ph 1 - Follow-up of 2016 audit) | R. Houghton | Original | September | Planning
15b | Cyber Security (Ph 2) | R. Houghton | Original | Q4 | Not started
16 | Governance and IT Risk management (Operations) | R. Houghton | Original | Q4 | Not started
17 | Data Protection (follow up) | J. MacLeod | Original | Q4 | Not started
18 | Client Settlements Process | A. Cameron | Original | Q4 | Not started
19 | Pension Scheme(s) | A. Cameron | Original | November | Planning

Change Assurance
20 | Branch Technology - EUC Transition | K. Gilliland | Original | September | Planning
21 | IT Networks | R. Houghton | Original | October | Planning
22 | Back Office Transformation | A. Cameron | Original | Oct/Nov | Not started
23 | SAP Success Factors - Payroll | A. Cameron | Original | June | Final Draft with GE
24 | EUM | N. Kennett | Original | September | Planning
25 | Agile Methodology and Governance | J. MacLeod | Original | Q4 | Not started
26 | Chameleon (Thin Client Solution) | K. Gilliland | Original | September | Planning
27 | Integrated Change Plan and Dependencies (Advisory) | A. vd Bogerd | Original | July | Draft Report
28 | Gating Process - Effectiveness | A. vd Bogerd | Original | Q4 | Not started
29 | Point to Point Encryption Implementation ("Pin Pad") | [sponsor illegible in source] | Original | January | Planning
30 | Network Development PIR | K. Gilliland | Original | Q4 | Not started
31 | Placeholder (contingency) | | Original | | Not started
32 | Placeholder (contingency) | | Original | | Not started

Note: Target audit delivery per original approved plan is for 29 audits (16 internal control reviews and 13 change assurance reviews).
7.2 Camelot Audit Lessons Learned
Author: Keith Maple Sponsor: Kevin Gilliland Meeting date: 13 September 17
Overview
This describes the background to an issue identified with the reporting of the Lottery prize
audit, summarises lessons learnt and the actions taken to prevent reoccurrence.
Questions
1. What is the background?
2. What was the issue?
3. What lessons have we learnt?
4. What actions have been taken to prevent a repeat?
Conclusions
1. Background
As part of the Post Office/ Camelot National Lottery Retailer Agreement prize monies are
paid out by branches for winning tickets. POL hold a unique position in that outside of
Camelot they are the only entity that can pay out lottery winning prizes of up to £50,000.
The Gambling Commission have increased pressure on Camelot over the past 12 months
to improve compliance with the rules governing the payment of lottery prizes. Camelot
have in turn trialled a series of KPIs/Service measures focused on the accuracy of the
payment process, monitored via an audit process and with a view to eventually making
them contractual obligations. These audits were trialled over a 6 month period from the
final quarter of 2016.
Camelot randomly select 100 winning tickets a quarter for POL to check, ostensibly by
desk audit, that each element of the required payment process has been completed. The
audit covers various elements of the payment process including obtaining the name and
address of the winner, reconciliation of the payment to Horizon and whether the ticket
had been voided in line with Camelot requirements. Audit results are then given to
Camelot.
2. What was the issue?
After a change in the management of the Retail team and a review of the audit operation,
it was discovered that POL had been mis-declaring the ‘true’ results of the audits to
Camelot. This was immediately brought to the attention of the RCC.
It must be emphasised that there was no contractual obligation to undertake these
audits or to report their results to Camelot.
The audit of the winning tickets reviews whether the prize values are recorded
accurately, that the claimant’s name and address are recorded in full and match the
Horizon receipt and that a signature has been obtained. There should also be evidence
of confirmation that the receiver was over 16, and that each winning ticket was
effectively voided, as paid, in the designated area.
The audit of February 2017 indicated that only 23% of the winning tickets met all of
the audit’s requirements. If the results of the audit excluded tickets that had only
failed by not being voided correctly, the success rate increased to 81%.
Members of the previous Retail team (who are no longer with the business) chose to
declare audit results that excluded tickets where the only criteria they failed on was a
failure to void. Camelot were never made aware of this omission and as such the
success rate of the audit was falsified.
3. What lessons have been learnt?
The audit of the winning tickets was carried out in the manner agreed by POL and
Camelot. The audit results were manipulated to inflate the level of success and an
express direction given to send them to Camelot. This occurred because of a possible
integrity issue rather than a failure of the controls that are in place. There was no
need for sign off at a higher level within POL before they were sent to Camelot. A
programme in branch to re-emphasise the process of winning ticket payments has
been introduced with visual aids, communications and a pending change to the
Horizon screen to promote the requirement to void winning tickets.
4. What action has been taken to prevent a repeat?
Two courses of action were immediately initiated. The current Retail team identified the root cause/control failures and at the same time the Internal Audit team were engaged.
It was considered by the latter that the Retail team appeared to have established the
facts of the matter and identified the root cause / control failures. It was their belief
that Internal Audit would not add any more value by reviewing the facts pertinent to
this issue but will assess the design effectiveness of the remedial controls
implemented. The internal audit is currently in progress and results will be reported at
the November RCC and ARC meetings. Other actions:
1. The results of future quarterly audits will be signed off by the relevant Product
Manager and the Head of Retail propositions. An additional ‘independent’ sign
off will be undertaken by Finance or Internal Audit
2. Camelot also reserve the right to undertake their own audits of the POL audit
process/results and these will be reviewed on a quarterly basis.
8.1 Anti-Money Laundering and Counter Terrorist Financing Policy
Executive Summary
Context
This paper sets out the updates and revisions to the Anti-Money Laundering and
Counter Terrorist Financing Policy as part of the annual review process for the Risk
and Compliance Committee to consider and approve.
Questions addressed in this paper
• What changes to the policy do we propose and why?
• What are the implications of these changes?
Conclusion
1. The Anti-Money Laundering and Counter Terrorist Financing Policy has been
amended to reflect new legislation and clarifies minimum control standards, roles
and responsibilities.
2. There are some minor changes to the requirements and minimum standards of
controls which will be communicated to relevant stakeholders, and monitored on a
business as usual basis by the Financial Crime team.
Input Sought
The R&CC is asked to approve the updated Anti-Money Laundering and Counter
Terrorist Financing Policy.
The Report
Why do we need to review this policy?
1. The policy was last reviewed and approved by the R&CC in July 2016. The terms of the policy require it to be reviewed annually.
What changes to the policy do we propose and why?
What are the key features that we propose and why?
2. The policy template and format has been redesigned. This helps ensure that the
purpose, core principles and impacts are understood. It sets out clear minimum
control standards and responsibilities for application of those standards, and has
been updated to reflect the new money laundering regulations.
3. Key changes include:
• We have included updates to reflect recent changes in regulations and laws that are applicable. We have also included the sources of industry guidance available in order to provide greater clarity.
• We have updated the policy framework and the key linked and associated policies to provide greater clarity to individuals and stakeholders.
• In line with regulatory requirements we have placed the completion and maintenance of financial crime risk assessments at the heart of the policy.
• A new section has been included setting out the key offences under the regulations and their potential consequences to both the group and members of staff.
• The General Counsel is now responsible for oversight of the MLRO and the group's compliance with regulatory obligations.
• We have highlighted the regulatory requirements in relation to data retention.
4. Risk Assessment methodology and Product Information Packs that have been
developed over the last 12 months are now referenced for the first time.
5. A new section has been included clearly mapping minimum control standards,
responsibilities and timescales.
How did we develop these recommendations?
6. The policy has been developed by reviewing recent legislative changes, including the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Criminal Finances Act 2017.
7. Policy queries and issues that have arisen over the previous 12 months have been
reviewed to ensure that these concerns are addressed, including risk assessment
work undertaken since July 2016 and the HMRC supervisory audit undertaken
since February 2016.
What are the implications of these changes?
What will we need to do and by when, to implement and embed these policy changes?
8. Internal communications and training - once the policy has been approved, there
will be a One communication to advise all employees of the changes and provide a
link to the updated document on the Post Office Intranet.
9. Over the past few months the following communications have been issued to the network to provide further support and guidance on the following issues: Gift Card Fraud (June), Completion of SARs (June), AML/CTF Training (July), recording ID numbers correctly for bureau transactions (August). We are scheduled to issue further guidance on the completion and submission of SARs in September. If any instances of non-conformance are identified, additional training or communications will be issued on a risk-sensitive basis.
10.Via EUM, the Financial Crime Team will be able to ensure that only those agents
and staff who have completed their initial or annual renewal training will be
allowed access to Horizon systems. Any customer facing or back office staff or
agents who fail to complete their training within the first 30 days of joining or at
annual renewal will be reported to relevant management for their review and
escalation as required. The Financial Crime Team will undertake periodic
compliance testing and report on conformance to the R&CC.
11.As part of the wider Product Manager training (being provided by Cranfield School
of Management), a series of workshops for product managers in Financial Services
& Telecoms and Retail will be run by the Financial Crime Team during the second
half of 2017/18 to provide training on ‘business as usual’ risk assessment
methodology and use of the Product Information Pack and Risk Assessment Tool.
12.The Risk Assessment Tool for new products and services currently available on the
Post Office Intranet is being enhanced, and when completed during Q3 2017/18, a
communication will be sent to product managers with revised guidelines. It is not
anticipated that any additional training will be required as this is an existing tool,
but will be offered if required.
13.The Financial Crime team will monitor adherence to the minimum control
standards set out in the policy on an on-going basis through their review of risk
assessments, project business readiness and incidents. Any control gaps identified
will be reported to the R&CC as required.
14.As part of our annual training obligations, AML/CTF training will be updated to
reflect the new policy and regulatory requirements.
What will the impact be on our wider business?
15.While significant progress has been made over the last 18 months, and a number
of high risk products and services have been formally assessed and documented,
the identification through documented risk assessment of potential or inherent and
residual Financial Crime risks is not yet mature across the business and more
needs to be done culturally to embed the methodology. The introduction of the
Product Manager workshops will enhance compliance with this area.
16.As part of the roll out of the ‘placemat’ control self-assessment methodology, all
business units will be required to ensure that they consider financial crime risks in
their area when developing their own Risk and Controls Matrix. It is expected that
the roll out of the ‘placemat’ methodology will be complete by end 2017/18.
What will the impact be of doing nothing at all?
17. Post Office Limited is required to maintain up to date policies to support
contractual requirements with clients and suppliers (e.g. MoneyGram and the
Partner Banking Framework) and failure to do so may result in a breach of
contract, and whilst not material, could have commercial and reputational impacts.
18.Post Office Limited is required to maintain up to date policies under its regulatory
obligations, and failure to do so may lead to regulatory sanctions or penalties.
19.Post Office Limited provides Post Office Management Services with its policies suite
in the form of “Group Policies”. POMS is required under its regulatory responsibility
to the Financial Conduct Authority to have up to date policies and failure to do so
may lead to regulatory sanctions or penalties.
GROUP POLICIES
Anti-Money Laundering and
Counter Terrorist Financing
Policy
Version V3.1
Chief Executive’s Endorsement
The Post Office Group is committed to doing things correctly. Our Values
and Behaviours represent the conduct we expect. This policy supports these
to help us ensure that wherever possible use of Post Office systems and
products for money laundering or terrorist financing is prevented, and the
highest standards of financial crime prevention, detection and management
are maintained.
INTERNAL Page 1 of 19 Paper 8.1.2 AML CTF Policy v3.1
Risk & Compliance Committee meeting-13/09/17 139 of 227
POL-BSFF-0238511_0138
1. Overview
1.1. Introduction by the Policy Owner
1.2. Purpose
1.3. Core Principles
1.4. Application
1.5. The Risk of Money Laundering and Terrorist Financing
1.6. Legislation
1.7. Offences
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
2.2. Risk Assessment
2.3. Policy Framework
2.4. Who must comply?
2.5. Minimum Control Standards
2.6. Product and Service Risk Tools 16
3. Where to go for help 17
3.1. Additional Policies 17
3.2. How to raise a concern
3.3. Who to contact for more information
4. Governance
4.1. Governance Responsibilities
5. Control
5.1. Policy Version
5.2. Policy Approval
Company Details
1. Overview
1.1. Introduction by the Policy Owner
The General Counsel has overall accountability to the Board of Directors for the design and
monitoring of controls to prevent or deter Financial Crime which includes Anti Money
Laundering (AML) and Counter Terrorist Financing (CTF). Financial Crime is an agenda
item for the Audit and Risk committees and the Post Office Board is updated as required.
1.2. Purpose
This Policy has been established to set the minimum operating standards relating to the
design and implementation of controls to prevent or deter Money Laundering and Terrorist
Financing throughout the Group¹. It is one of a set of policies which provide a clear risk
and governance framework and an effective system of internal control for the mitigation
of risk across the Group. Compliance with these policies supports the Group in meeting
its business objectives and in balancing the needs of shareholders, employees² and other
stakeholders.
1.3. Core Principles
Money Laundering and Terrorist Financing are criminal offences and everyone working in
the business has a personal obligation to prevent them taking place. The governance
arrangements described in this Policy are based upon the following core principles:
• Post Office has devised a robust Policy and associated procedures (set out in this
document) which are proportionate to the risks and complexity of the Group;
• The Group ensures that its policies reflect the principles of the AML and CTF
regulations and legislation;
• The Group's overall and ongoing risk management process includes a risk based
assessment of the financial crime risks to which the Group and its business are
exposed, and the quality of its AML and CTF controls and monitoring;
• The Group undertakes a training and awareness programme to ensure employees are
aware of the risks of money laundering and terrorist financing, what they should
do if they are suspicious, and the consequences should they fail to comply with the
law;
• The Group promotes ethical and professional standards to prevent it from being
used, intentionally or unintentionally, by criminals;
• Decisions taken by management are consistent with the Board’s approved strategic
objectives and Risk Appetite;
• Every member of staff is responsible for understanding and managing the risks
they take on behalf of the Group;
¹ In this policy “Post Office” and “Group” mean Post Office Limited and Post Office Management Services Ltd.
² In this policy “employee” means permanent staff, temporary staff including agency staff, contractors, consultants and anyone else
working for or on behalf of Post Office.
• Clear accountabilities are delegated by management to staff who have the right
level of skill, competency and experience;
• All employees are required to comply with Group Policies.
1.4. Application
This Policy is applicable to all areas within the Group and defines the minimum standards
to control financial loss, customer impact, regulatory breaches and reputational damage
in line with the Group’s Risk Appetite.
In exceptional circumstances, where risk sits outside of the Group’s accepted Risk
Appetite, a Risk Exception can be granted. For further information in relation to the risk
exception process please see the Risk Exception process found here.
While Post Office does not tolerate events that are criminal in nature and which may give
rise to unacceptable and illegal behaviour, it recognises that despite its many endeavours,
it is not possible to eliminate all risk of Post Office being used to facilitate Money
Laundering or Terrorist Financing activities, and therefore takes a risk based approach.
Failure to comply with the requirements of this policy by any employee will be regarded
as a significant breach impacting on the Group’s risk and control environment and may
lead to disciplinary action up to and including dismissal and possible prosecution.
The risk to the Group in relation to Money Laundering and Terrorist Financing is reviewed
by the Board as part of its wider commitment to Financial Crime on a regular basis.
1.5. The Risk of Money Laundering and Terrorist Financing
Money Laundering
Money laundering is the process criminals use to hide, disguise and dispose of cash and
assets obtained from criminal activity. Criminals want to disguise the source of their money
and remove any link to the original crime. This allows them to avoid prosecution and
confiscation of funds.
Terrorist Financing
Terrorist financing involves dealing with money or property that may be used to fund
terrorism. The funds and property may be from legitimate sources (e.g. personal funds,
charities, sponsored trips, etc.) or criminal sources.
Failure to manage these risks can result in financial loss, customer impact, terrorism,
regulatory breaches, fines, prosecution, prevention from selling a particular product, loss
of existing or future contracts/relationships and damage to reputation.
1.6. Legislation
There are a number of relevant UK legal and regulatory requirements which are applicable
including (but not limited to):
• The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the
Payer) Regulations 2017 (known as the Money Laundering Regulations 2017)
• The Proceeds of Crime Act 2002
• The Criminal Finances Act 2017
• The Policing and Crime Act 2017
• The Terrorism Act 2000
• The Counter-Terrorism Act 2008
The Group monitors and takes into consideration guidance and other assistance offered
by regulatory, industry and other specialist bodies, for example the Joint Money
Laundering Steering Group (JMLSG), UK Finance (which incorporates BBA, UK Payments
and Financial Fraud Action UK) and Link, which publish trends and analysis on current
threats and issues.
Oversight of compliance with the Money Laundering Regulations by the Group is
undertaken by HMRC in the case of Post Office Limited and by the Financial Conduct
Authority (FCA) in the case of Post Office Management Services Limited (POMS).
Post Office Limited is an Appointed Representative of the Bank of Ireland and POMS, and
is contractually required to comply with certain regulatory requirements. As such the
Group as a whole is obliged to ensure that adequate systems and controls are in place to
mitigate risks.
1.7. Offences
The Money Laundering regulations set out five offences for which the Group or a member
of its staff can be prosecuted:
1. Concealing - where an employee conceals, disguises, converts or transfers criminal
proceeds, or removes them from the UK
2. Arrangement - where an employee allows the Group to enter into or become involved
in an arrangement where an employee knows or suspects that it involves the proceeds
of crime.
3. Acquisition, use or possession - where an employee acquires, uses or takes
possession of criminal proceeds.
If found guilty of these offences an individual can be given an unlimited fine or up to
14 years in prison or both. The only defence is that an employee had completed and
submitted a Suspicious Activity Report to the Money Laundering Reporting Officer
(MLRO), apart from ‘acquisition’ where the Group or a relevant individual would need
to evidence that the proceeds had been acquired at fair market price and that they
were not aware that they were criminal proceeds.
4. Failure to disclose - where an employee fails to report to the MLRO their suspicions
or knowledge that someone is involved in Financial Crime.
If found guilty of this offence an individual can be given an unlimited fine or up to five
years in prison or both. There are two defences to this offence: training did not cover
how to complete a SAR or “a reasonable excuse” such as that an employee was rushed
to hospital just prior to completing the report. The reasonableness of the excuse will
be tested in court.
5. Tipping Off - an offence will be committed if information which prejudices an
investigation into Financial Crime is shared by an employee - for example if an
employee informs a suspect that they are under investigation.
If found guilty of this offence an individual can be given an unlimited fine or up to two
years in prison or both. The only defence is if an employee did not know or suspect
that what was said would prejudice the investigation.
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
A Risk Appetite is the extent to which the Group will accept that a risk might happen in
pursuit of day to day businesses transactions. It therefore defines the boundaries of
activity and levels of exposure that the Group is willing and able to tolerate.
The Group takes its legal and regulatory responsibilities seriously and consequently has³:
• Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances
where there are significant conflicting imperatives between conformance and
commercial practicality
• Averse risk appetite for litigation in relation to high profile cases/issues
• Averse risk appetite for litigation in relation to Financial Services matters
• Averse risk appetite for not complying with law and regulations or deviation from
business conduct standards, allowing financial crime to occur within any part of the
organisation
• Averse risk appetite in relation to unethical behaviour by our staff.
The Group acknowledges however, that in certain scenarios even after extensive controls
have been implemented, a product or transaction may still sit outside the agreed Risk
Appetite. In this situation, a risk exception waiver will be required (See section 1.4 for
further details).
2.2. Risk Assessment
The Money Laundering regulations require that Post Office completes Group wide risk
assessments with a clear rationale to prevent and detect money laundering and terrorist
financing.
Risk assessment must include:
• Identifying the inherent money laundering risks that are relevant to the Group,
product and/or service
• Assessing customer type, customer behaviour, normal product/service activity,
delivery channels, etc.
• Assessing controls to manage and reduce the impact of inherent risks
• Assessing how the Group will monitor controls and improve their efficiency
• Keeping records of key decisions
The Group requires risk assessments to be completed for individual products and services
to ensure that sufficient controls are in place to detect and prevent money laundering or
terrorist financing, and for these risk assessments to be refreshed annually.
³ The Risk Appetite was agreed by the Group's Board in January 2015.
2.3. Policy Framework
Post Office has established a suite of financial crime policies and procedures, based on a
risk sensitive approach, which are subject to annual review. The policy suite is designed to
combat money laundering, terrorist financing, bribery and corruption and fraud, and to
ensure adherence to relevant sanctions regimes.
The Anti-Money Laundering and Counter Terrorist Financing Policy is a key Policy under
the Financial Crime Policy framework and should be considered and read in conjunction
with the overarching Financial Crime Policy where relevant.
2.4. Who must comply?
Compliance with this Policy is mandatory for all Post Office employees and applies
wherever in the world the Group’s business is undertaken. All third parties who do business
with the Group, including consultants, suppliers and business and franchise partners, will
be required to agree contractually to this Policy or to have their own equivalent Policy.
Where non-compliance is identified the matter must be referred to the MLRO (currently
the Head of Financial Crime). Any investigations will be carried out in accordance with the
Investigations Policy. Where an instance of non-compliance is caused through wilful
disregard or negligence, this will be treated as a disciplinary offence.
2.5. Minimum Control Standards
A minimum control standard is an activity which must be in place in order to manage the
risks so they remain within the defined Risk Appetite statements. There must be
mechanisms in place within each business unit to demonstrate compliance. The minimum
control standards can cover a range of control types, i.e. directive, detective, corrective
and preventive which are required to ensure risks are managed to an acceptable level and
within the defined Risk Appetite.
The table below sets out the relationships between identified risks and the required
minimum control standards in consideration of the stated risk appetite. The subsequent
pages define the terms used in greater detail.
Columns: Risk Area | Description of Risk | Minimum Control Standards | Who is responsible | When

Risk Area: Oversight
Description of Risk: Group does not comply with its AML/CTF regulatory responsibilities.
Minimum Control Standards:
• Directive Control: The General Counsel is appointed as the officer responsible for overseeing compliance with regulations. (Responsible: General Counsel; When: Ongoing)
• Preventative Control: The Group appoints an appropriate individual within the Risk & Compliance area as MLRO. With the assistance of the Financial Crime Team, the MLRO‘s main responsibilities include: (Responsible: MLRO; When: Ongoing)
  - To receive reports of suspected money laundering or terrorist financing and to disclose to the NCA where required
  - Keep the Group up to date in relation to Financial Crime legislation
  - Putting in place and then monitoring compliance with the AML/CTF regime
  - Reporting to the ARC and R&CC all instances of non-compliance and any regulatory concerns or issues
  - Reporting to the regulators instances of non-compliance, where required
• Annual MLRO reports for the Board (for Post Office Management Services Limited and for Post Office Limited) covering: the governance framework; operation and effectiveness of the control framework (including documentation of policies and risk assessments); external threats/landscape; summary of business issues and recommendations. (Responsible: MLRO; When: Annual)
• Corrective Control: Risk assessments must be undertaken where an issue is highlighted, an incident occurs or the regulations change. (Responsible: MLRO; When: Issue, incident or change)
Risk Area: Proposed product or service
Description of Risk: Products, services or relationships with third parties may rely on systems or processes where prevention or detection of money laundering or terrorist financing has not been considered in the design, which may result in facilitation of laundering or terrorist financing leading to reputational damage and/or regulatory sanctions.
Minimum Control Standards:
• Preventative Control: As part of the design of a new product or service: (Responsible: Product Manager; When: During design phase)
  - A Product Information Pack (see 2.6 below) must be completed.
  - Product or service risks must be considered and documented using the Risk Assessment Tool (see 2.6 below).
• Prior to launch the Product Information Pack and the Product and Service Risk Assessment must be reviewed and approved by the Financial Crime Team. (Responsible: Financial Crime Team; When: Prior to launch)

Risk Area: Existing products and services
Description of Risk: Due to changes in law, regulation, incidents, threats or practices over time, there is a risk that the controls to prevent and detect money laundering or terrorist financing are no longer adequate.
Minimum Control Standards:
• Preventative Control: Where the product or service has had an initial Risk Assessment completed this must be reviewed and reassessed annually, or when there is a proposed change to the product or service. This reassessment must include a review of the Product Information Pack, a review of the existing controls and a re-evaluation of residual risk. (Responsible: Product Manager; When: Annually, or at any time there is a change)
• Where no initial risk assessment was undertaken, product management must agree a timescale with the Financial Crime Team to complete an assessment and a Product Information Pack. (Responsible: Product Manager; When: Any time there is a change)
• Where the reassessed risk is considered by the Financial Crime Team to rest outside of the Group's Risk Appetite, then the risk exception process must be followed. (Responsible: Product Manager; When: Any time there is a change)
Risk Area: Existing products and services (continued)
Minimum Control Standards:
• Corrective Control: Additionally, risk assessment must be undertaken where an issue is highlighted by monitoring or an incident occurs. (Responsible: Product Manager; When: When there is a material issue or incident)

Risk Area: Financial settlement and reconciliation
Description of Risk: Inadequate controls and audit trails relating to financial settlement and reconciliation may result in facilitation of laundering or terrorist financing leading to reputational damage and/or regulatory sanctions.
Minimum Control Standards:
• Preventative Controls: Relevant business areas must assess and assure risks relating to financial settlement and reconciliation and are responsible for maintaining documented processes and procedures and deploying adequate monitoring and control to prevent and detect money laundering or terrorist financing. (Responsible: Chief Financial Officer; When: Ongoing)
• Detective Control: Audit trails must be maintained so that system access can be monitored. (Responsible: Chief Information Officer; When: Ongoing)
• To ensure that the Group’s controls remain effective, the Group undertakes internal audits to test and assess their effectiveness. (Responsible: Internal Audit; When: Ongoing)

Risk Area: Monitoring
Description of Risk: The Group fails to undertake adequate transaction monitoring and fails to prevent and detect money laundering and terrorist financing.
Minimum Control Standards:
• Preventative Control: Where the Group is directly regulated for products or services, sufficient transaction monitoring must be undertaken to ensure that suspicious activity, non-conformance and breaches can be identified, and to provide assurance that customer data capture and due diligence thresholds have been set at a level commensurate with the risk exposure and to ensure compliance with money laundering regulations. (Responsible: Product Manager/MLRO; When: Ongoing)
Risk Area: Due Diligence
Description of Risk: Group fails to undertake appropriate due diligence of a customer and fails to identify criminal activity.
Minimum Control Standards:
• Preventative Control: The Group takes a risk based approach and considers: (Responsible: Financial Crime Team/Product Manager; When: Annually, or at any time there is a change)
  - The product or service
  - Its intended customer market base and normal transaction activity
  - Any other risks relating to the product
• Detective Control: The extent to which the Group will gather due diligence information varies depending upon the risk that the product or service poses; however it must be considered when: (Responsible: Financial Crime Team/Product Manager; When: As required)
  - a business relationship is established with a customer
  - money laundering or terrorist financing is suspected
  - there are doubts about a customer's identification information obtained previously

Risk Area: Politically Exposed Persons (PEP)⁴
Description of Risk: Post Office fails to appropriately manage the risks associated with doing business with PEPs.
Minimum Control Standards:
• Preventative Control: All products and services are required to have in place identification procedures, commensurate with the underlying risk, to ensure that it can identify where the product and service is being used by a PEP. (Responsible: Product Manager; When: Ongoing)
• Determine the level of identification and assess if PEP checks are required. (Responsible: Product Manager; When: Ongoing)

⁴ PEPs are those who have or are seen to have access to public influence and/or public money and as such are seen as being at higher risk of corruption. A PEP is someone who is: an individual who has or has been in a prominent public role in the UK or abroad such as Heads of State, MPs, Heads of Armed Forces, etc.; an immediate family member or a known close associate of such a person.
Risk Area: Politically Exposed Persons (PEP) (continued)
Minimum Control Standards:
• Detective Control: Ensure sufficient information is captured to undertake PEPs screening where deemed appropriate. (Responsible: Product Manager; When: Ongoing)
• Enhanced Due Diligence is required on any PEP relationship. (Responsible: Product Manager; When: Ongoing)
• Corrective Control: Where PEPs screening identifies PEPs, ensure that sufficient due diligence is undertaken to manage the risks. (Responsible: Product Manager; When: Ongoing)

Risk Area: Sanctions⁵
Description of Risk: The Group transacts with a customer who is sanctioned, resulting in the Group breaching international sanctions, reputational damage and/or regulatory sanctions.
Minimum Control Standards:
• Preventative Control: All products and services are required to have in place sufficient identification procedures, commensurate with the underlying risk, to ensure that the product and service is not used by a customer who is sanctioned. (Responsible: Product Manager; When: Ongoing)
• Detective Control: Ensure sufficient information is captured to undertake Sanctions screening where deemed appropriate prior to a transaction occurring. (Responsible: Product Manager; When: Ongoing)

⁵ Sanctions are restrictions put in place by a government or a multilateral organisation (such as the United Nations) that limit a person's, company's or country's access to financial services or financial markets, funds or economic resources in order to achieve a specific foreign policy or national security objective.
Risk Area: Sanctions (continued)
Minimum Control Standards:
• Corrective Control: Where screening identifies Sanctions, ensure that transactions are declined and the transaction is reported via SAR. (Responsible: Product Manager/MLRO; When: Ongoing)
• In the event that an employee becomes aware or suspects that a Sanctioned party is conducting business within the Group this must be reported immediately to the MLRO. (Responsible: All employees; When: Ongoing)

Risk Area: Premises Registration
Description of Risk: The Group fails to maintain up to date premises registration leading to penalties and sanctions. (The Group must maintain an up to date register of premises addresses that undertake directly regulated activity with HMRC - any changes must be registered and the relevant fees paid within 30 days.)
Minimum Control Standards:
• Directive Control: Business rules must be agreed with HMRC in respect of the premises types that must be registered (e.g. Mobile Vans). (Responsible: MLRO; When: Ongoing)
• Preventative Control: Premises registration business rules are reviewed annually and any potential changes to premises type are discussed and agreed with HMRC. (Responsible: Financial Crime Team; When: Ongoing)
• Branch premises data is reviewed fortnightly and changes submitted to HMRC. (Responsible: Network Design & Analysis Team and Financial Crime Team; When: Fortnightly)

Risk Area: Training
Description of Risk: Through inadequate training, staff allow money laundering or terrorist financing to take place, resulting in reputation damage and regulatory fines.
Minimum Control Standards:
• Preventative Control: Post Office has a Group wide training programme to ensure that all customer facing staff, back office staff and contractors receive adequate training tailored to business risk areas. (Responsible: Financial Crime Team/HR; When: Annual)
• Outsource providers, clients & suppliers must maintain records to evidence that staff have received adequate and regular training. (Responsible: Product Manager/MLRO; When: Ongoing)
Risk Area: Training (continued)
Minimum Control Standards:
• New branch staff are required to complete AML/CTF training before they transact on Horizon, and back office staff and contractors within 30 days of joining. (Responsible: HR; When: Ongoing)
• Detective Controls: Pass rate and number of test attempts is monitored to identify risk areas and any additional training or guidance required. (Responsible: Financial Crime Team; When: Ongoing)

Risk Area: Fit and Proper
Description of Risk: Due to inadequate screening, there is a risk that key individuals are unfit to undertake a role.
Minimum Control Standards:
• Preventative Control: All Board members, GE and the MLRO must pass the HMRC Fit & Proper test to ensure that the Group has employed individuals who are suitable to perform their roles. A register of completed and up to date Fit & Proper tests is maintained. (Responsible: Financial Crime Team; When: Within 30 days of appointment)
• Post Office completes pre-employment screening to ensure that an individual is fit and proper for their role. For further information please see the employee vetting policy. (Responsible: Director of Human Resources; When: Pre-employment)
• Detective Control: The Group completes ongoing screening to ensure that an individual continues to remain fit and proper for their role. (Responsible: Director of Human Resources; When: Ongoing where required)
Risk Area: Record Keeping
Description of Risk: Customer and transactional data is not retained, resulting in the Group being unable to identify suspicious or out of character transactions, leading to the Group being used to launder money.
Minimum Control Standards:
• Preventative Control: For products and services where the Group is directly regulated, records must be kept of all transaction data and data obtained for the purpose of identification for a minimum of 5 years from the date of creation/transaction. (Responsible: Product Managers; When: Ongoing)
• The MLRO also ensures that documents relating to money laundering topics (e.g. files on suspicious activity reports and investigations) are maintained for a minimum of 5 years. (Responsible: MLRO; When: Ongoing)

Risk Area: Suspicious Activity Reports ("SAR") and Reporting
Description of Risk: Failure to report suspicions to the National Crime Agency⁶ results in the Group being used to fund terrorism.
Minimum Control Standards:
• Preventative Control: The Group provides training to all employees and postmasters and provides easily accessible methods to report a suspicion to the MLRO and the Financial Crime Team. (Responsible: All employees and postmasters; When: Ongoing)
• Where there are suspicions or concerns, the MLRO can apply to the NCA for permission to continue a transaction - seeking a defence.⁷ (Responsible: MLRO; When: As required)
• Corrective Control: Where issues are identified additional training and guidance is provided to increase employee understanding of the SAR regime. (Responsible: Financial Crime Team; When: Ongoing)

⁶ The NCA receives all SARs reported in the UK and its role is to investigate in conjunction with other intelligence. Where appropriate the NCA may provide copies of SARs to other intelligence bodies and investigation services (Law Enforcement, HMRC, etc.).
⁷ Where a defence is requested, this can take up to seven working days for the NCA to review, and during this time customers must not be advised that a defence is being applied for as this would constitute ‘tipping off’.
Risk Area: Suspicious Activity Reports ("SAR") and Reporting (continued)
Minimum Control Standards:
• Appropriate mechanisms are in place to protect Post Office and de-risk where concerns are identified relating to a specific individual or Group undertaking transactions in the Post Office network. (Responsible: Financial Crime Team; When: Ongoing)
• Detective Control: Where a SAR is not disclosed to the NCA, it is reviewed and assessed by a senior manager, and the subject matter of the report is monitored for a minimum of three months to ensure that the appropriate decision was taken. Audit trails are maintained so that reports made can be monitored. (Responsible: Financial Crime Team; When: Ongoing)
2.6. Product and Service Risk Tools
Risk Assessment Tool
The Risk Assessment Tool has been created by the Financial Crime Team to assist Product Managers to determine the level of risk exposure
and engagement required for new products and services. The Risk Assessment Tool takes into account inherent risks (e.g. payment method,
channel, customer demographic etc.), UK regulations and legislation and industry best practice.
The Risk Assessment Tool can be found here.
Product Information Pack
The purpose of the Product Information Pack (PIP) is to provide an overview of the product or service, including customer/transactional
journey, parties involved, any contractual responsibilities, monitoring and control requirements. It should consider the inherent risks the
product is exposed to from a Group and customer perspective and the framework for the effective risk mitigation of the product.
The existence of detailed operating policies, procedures and processes may be referred to throughout this document and is to be used to
illustrate how the risks associated with the product are reduced.
The Product Information Pack can be found here.
3. Where to go for help
3.1. Additional Policies
This policy is one of a set of policies. The full set of policies can be found at:
https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx
3.2. How to raise a concern
Any Post Office employee who suspects that Post Office’s products, services or processes
have been used to facilitate money laundering, terrorist financing, or dishonest or
fraudulent activity has a duty to:
• Discuss the matter fully with their Line Manager; or,
• Report their suspicions by telephoning Grapevine on
• Report the matter directly to the Money Laundering Reporting Officer (MLRO)
Staff can contact the Post Office’s General Counsel, who can be contacted by
email at: whistleblowing or by telephone on:
Alternatively staff can use the Speak Up service available on
or via a secure on-line web portal: http://www.intouchfeedback.com/postoffice
3.3. Who to contact for more information
If you need further information about this policy or wish to report an issue in relation to
this policy, please contact financial.crime
Risk & Compliance Committee meeting-13/09/17 155 of 227
4. Governance
4.1. Governance Responsibilities
The policy sponsor, responsible for overseeing this policy is the General Counsel of Post
Office Limited.
The policy owner is the Director of Risk and Compliance who is responsible for ensuring
that the Financial Crime Team conducts an annual review of this policy and tests
compliance across the Group. Additionally the Director of Risk and Compliance and the
Financial Crime Team are responsible for providing appropriate and timely reporting to the
Risk and Compliance Committee and the Audit and Risk Committee.
The Audit and Risk Committee are responsible for approving the policy and overseeing
compliance.
The Board is responsible for setting the Group’s risk appetite.
5. Control
5.1. Policy Version
Date | Version | Updated by | Change Details
November 2016 | 3 | Georgina Blair | Final Version approved by ARC.
August 2017 | 3.1 | Thomas Richmond | Version updated to reflect legislation changes
5.2. Policy Approval
Group Oversight Committee: Risk and Compliance Committee and Audit and Risk Committee
Committee Date Approved
POL R&CC
POMS R&CC
POL ARC
POMS ARC
Policy Sponsor: General Counsel/Group Director of Legal, Risk & Governance
Head of Financial Crime
Policy Author: Head of Financial Crime
Next review: August 2018
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers
2154540 and 08459718 respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its
Information Commissioners Office registration number is ZA090585.
Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information
Commissioners Office registration number is 24866081.
8.2. Whistleblowing
POST OFFICE Page 1 of 2
RISK & COMPLIANCE COMMITTEE POLICY REVIEW
8.2 Whistleblowing Policy
Author: Sally Smith Sponsor: Jane MacLeod Meeting Date: 13 September 2017
Executive Summary
Context
This paper sets out the updates and revisions to the Whistleblowing Policy as part of
the annual review process for the Risk and Compliance Committee to consider and
approve.
Questions addressed in this paper
• What changes to the Policy do we propose and why?
• What are the implications of these changes?
Conclusion
1. The Whistleblowing Policy has been amended to clarify the minimum control
standards, roles and responsibilities
2. There are some minor changes to the requirements and minimum standards of
controls which will be communicated to relevant stakeholders
Input Sought
The R&CC is asked to approve the updated Whistleblowing Policy.
INTERNAL Page 1 of 2 Paper 8.2.1 Whistleblowing Policy Review Sept 2017 v1
The Report
Why do we need to review this Policy?
1. The Policy was last reviewed and approved by the R&CC in July 2016. The terms of
the Policy require it be reviewed annually.
What changes to the Policy do we propose and why?
What are the key features that we propose and why?
2. We have redesigned the Policy template and format but the substance and
obligations have not changed. The new format helps ensure that the purpose, core
principles and impacts are understood. It sets out clear minimum control standards
and responsibilities for application of those standards.
3. Key changes include:
• Updating contact details and help line numbers
• Ensuring that all teams across the business that may receive whistleblowing
reports ensure that these are passed on to the Whistleblowing Officer and handled
confidentially
• A new section has been included clearly mapping minimum control standards,
responsibilities and timescales.
How did we develop these recommendations?
4. Policy queries and issues that have arisen over the previous 12 months have been
reviewed to ensure that these concerns are addressed.
What are the implications of these changes?
What will we need to do and by when, to implement and embed these Policy changes?
5. No material changes are required to comply with this updated Policy.
6. Internal communications and training - once the Policy has been approved, there
will be a One communication to advise all employees of the changes and provide a
link to the updated document on the Post Office Intranet.
What will the impact be on our wider business?
7. Transparency of Post Office’s adherence and commitment to the Employment Rights
Act 1996 and the Public Interest Disclosure Act 1998
What would the impact be of delaying approval?
8. Risk that the group breaches the Employment Rights Act 1996 and the Public
Interest Disclosure Act 1998 by not having up to date policies and procedures to
provide protections to whistleblowers.
9. Post Office Limited is required to maintain up to date policies to support contractual
requirements with clients and suppliers (e.g. MoneyGram and the Partner Banking
Framework) and failure to do so may result in a breach of contract, and whilst not
material, could have commercial and reputational impacts.
10. Post Office Limited provides Post Office Management Services (POMS) with its
policies suite in the form of “Group Policies”. POMS is required under its regulatory
responsibility to the Financial Conduct Authority to have up to date policies and
failure to do so may lead to regulatory sanctions or penalties.
GROUP POLICIES
Whistleblowing Policy
Version - V1.5
Chief Executive’s Endorsement
The Post Office Group is committed to doing things correctly. Our Values
and Behaviours represent the conduct we expect. This Policy supports these
to help us ensure that colleagues know how to report concerns regarding
wrongdoing or dangerous practices and that they can do so without fear of
recrimination.
Internal Page 1 of 15 Paper 8.2.2 Whistleblowing Policy v.1.5
1. Overview
1.1. Introduction by the Policy Owner
1.2. Purpose
1.3. Core Principles
1.4. Application
1.5. Legislation
1.6. What is Whistleblowing
1.7. Protecting the whistleblower
1.8. Whistleblowing Officer and ‘Speak Up’
1.9. External Disclosures
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
2.2. Policy Framework
2.3. Who Must Comply?
2.4. Minimum Control Standards
3. Definitions
3.1. Definitions
4. Where to go for help
4.1. Additional Policies
4.2. How to raise a concern
4.3. Who to contact for more information
5. Governance
5.1. Governance Responsibilities
6. Control
6.1. Policy Version
6.2. Policy Approval
Company Details
1. Overview
1.1. Introduction by the Policy Owner
The General Counsel has overall accountability to the Board of Directors for the
implementation of controls ensuring Post Office meets its Whistleblowing obligations.
Whistleblowing is an agenda item for the Audit and Risk Committee and the Post Office
board is updated as required.
1.2. Purpose
This Policy has been established to set the minimum operating standards relating to the
management of Whistleblowing throughout the Group¹. It is one of a set of policies which
provide a clear risk and governance framework and an effective system of internal control
for the management of risk across the Group. Compliance with these policies supports the
Group in meeting its business objectives and to balance the needs of shareholders,
employees² and other stakeholders.
1.3. Core Principles
Whistleblowing is the reporting of suspected wrongdoing and/or dangerous practices
within Post Office. This would include serious accidents, fraud, regulatory breaches,
financial impropriety and/or reputational damage.
In order to encourage Whistleblowing and provide appropriate protections to
whistleblowers, the governance arrangements described in this Policy are based upon the
following core principles:
• To encourage the reporting of any concerns as soon as possible in the knowledge that
all concerns will be taken seriously and investigated, and that confidentiality will be
respected;
• To provide guidance as to how to raise those concerns;
• To provide whistleblowers reassurance that all concerns are raised without fear of
reprisals, even if they turn out to be mistaken;
• Post Office is committed to and oversees the implementation of a Policy in line with
the Group’s risk appetite. The Policy and associated procedures (set out or referred to
in this document) are proportionate to the risks and complexity of the Group;
• Post Office undertakes a training and awareness program to ensure employees are
aware of the Whistleblowing policy and procedure.
1.4. Application
This Policy is applicable to all employees within the Group and outlines the protections
provided for whistleblowers by law. In order to encourage reporting of wrongdoing, Post
Office will, where appropriate, extend equivalent protection to Postmasters, Agent
Assistants, and members of the public.
¹ In this Policy “Post Office” and “Group” mean Post Office Limited and Post Office Management Services Limited.
² In this Policy “employee” means permanent staff, temporary including agency staff, contractors, consultants and anyone else
working for or on behalf of Post Office.
1.5. Legislation
The Group seeks to comply with all relevant UK legal and regulatory requirements
including (but not limited to) the following legislation as amended or supplemented from
time to time:
• Employment Rights Act 1996
• Public Interest Disclosure Act 1998
1.6. What is Whistleblowing
“Whistleblowing” refers to the act of exposing potential or actual wrongdoing and/or
dangerous practices by reporting it either internally within an organisation, or to an
external party. A whistleblower is a person who raises a genuine concern in relation to any
wrongdoing, this includes criminal activity, miscarriages of justice, dangers to health and
safety and the deliberate attempt to conceal it.
Individuals³ should raise a concern if they are aware of, or suspect, wrongdoing which
affects others (e.g. customers, members of the public, colleagues or the Post Office). The
following lists some examples (this is a non-exhaustive list) of situations where an
individual may raise a concern:
• Financial Crime including Fraud, Money Laundering and financing of terrorism,
• Giving, offering or taking of bribes,
• Financial mismanagement,
• Misreporting,
• Practices that could put individuals or the environment at risk,
• Breach of Post Office internal policies and procedures (including the Code of
Business Standards),
• Concerns about slavery or human trafficking, and
• Any conduct likely to damage Post Office’s reputation
Grievances and matters such as bullying and harassment are addressed under Post Office’s
HR policies and concerns in relation to such matters should be raised in accordance with
the procedures set out in the appropriate HR policy.
If an individual is uncertain about whether something is within the scope of this Policy they
should seek advice from the Whistleblowing Officer, whose contact details are set out in
this Policy.
1.7. Protecting the whistleblower
Post Office has a statutory obligation to protect whistleblowers and will support any
individual who raises genuine concerns under this Policy, even if they turn out to be
mistaken. Post Office is committed to respecting the confidentiality of all
whistleblowers, including those who wish to remain anonymous.
Post Office will make every effort to protect the whistleblower’s identity, however, it may
be necessary in the course of an investigation to share this information with a relevant
stakeholder (e.g. an investigator). There is no requirement for a whistleblower to provide
personal contact information. However, not providing this information may reduce Post
Office's ability to undertake a thorough investigation into the concerns raised.
³ In this Policy “individuals” means Postmasters, Agent Assistants, members of the public and employees (permanent staff,
temporary including agency staff, contractors, consultants and anyone else working for or on behalf of Post Office). The
statutory protections offered under the Public Interest Disclosure Act 1998 only apply to employees, however Post Office
Limited will consider extending these protections to other individuals where they have acted in good faith in raising concerns.
Post Office will take all reasonable steps to ensure that whistleblowers do not suffer any
detrimental treatment as a result of raising a concern. Detrimental treatment includes
disciplinary action, dismissal, threats or other unfavourable treatment connected with
raising a concern. Serious action will be taken against any individual who threatens or
retaliates against whistleblowers in any way.
If an individual believes that they have suffered any such treatment, they should inform
the Whistleblowing Officer immediately. The Whistleblowing Officer should take steps to
address any victimisation, which may include working with the HR team to put
appropriate measures in place. If the matter is not addressed the whistleblower should
raise it formally using Post Office’s Grievance procedure.
In all cases the individual’s concerns will be treated sensitively and in confidence.
1.8. Whistleblowing Officer and ‘Speak Up’
Post Office has appointed the General Counsel as the Whistleblowing Officer who can
be contacted on whistleblowing
The Whistleblowing Officer will review concerns raised and determine the best course of
action, if any. They may ask for further information in order to make this decision.
It is recognised that sometimes raising a concern directly with the business may not be
possible. In such instances individuals should contact the “Speak Up” line, a confidential
reporting service which is run by an independent company InTouch MCS Ltd.
Contact details for the Speak Up line are:
• http://www.intouchfeedback.com/postoffice which is a secure on-line web portal
All reports to the Speak Up line will be acknowledged within five working days and will
be passed to the Whistleblowing Officer.
It is also possible that individuals may whistleblow via a complaint to a front line team,
e.g. Customer complaints, NBSC and Grapevine. These may be verbal or written
communications.
In all instances any whistleblowing reports, regardless of reporting method, will be
passed onto the Whistleblowing Officer. The whistleblower may be kept informed of any
action taken, however, this information may be limited if it is required to keep the
confidence of other people.
1.9. External Disclosures
The aim of this Policy is to provide an internal mechanism for reporting, investigating
and remedying any wrongdoing in the workplace. In most cases individuals should not
find it necessary to alert anyone externally.
However, the law recognises that in some circumstances it may be appropriate for
individuals to report their concerns to an external body such as a regulator. The
independent Whistleblowing charity, Public Concern at Work have a list of prescribed
regulators for reporting certain types of concerns. Their contact details are as follows:
Helpline:
E-mail
Website: www.pcaw.co.uk
Public Concern at Work offers free, confidential advice to people concerned about
crime, danger or wrongdoing in the workplace. Post Office strongly encourages that advice is
sought from Public Concern at Work before reporting any concern to an external
party.
Post Office Money Services (POMS) is directly regulated by the Financial Conduct
Authority (FCA). Individuals may decide to whistleblow directly to the FCA, and can do so
by using one of the following channels.
Helpline:
E-mail _
Website: www.fca.org.uk/site-info/contact/whistleblowing
Address: Intelligence Department (Ref IDA), Financial Conduct Authority, 25 The North
Colonnade, London E14 5HS
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
Risk Appetite is the extent to which the Group will accept that a risk might happen in
pursuit of day-to-day business transactions. It therefore defines the boundaries of
activity and levels of exposure that the Group are willing and able to tolerate.
The Group takes its legal and regulatory responsibilities seriously and consequently has⁴:
• Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances
where there are significant conflicting imperatives between conformance and
commercial practicality
• Averse risk appetite for litigation in relation to high profile cases/issues
• Averse risk appetite for litigation in relation to Financial Services matters
• Averse risk appetite for not complying with law and regulations or deviation from
business’ conduct standards for financial crime to occur within any part of the
organisation
• Averse Risk Appetite in relation to unethical behaviour by our staff.
The Group acknowledges however that in certain scenarios even after extensive controls
have been implemented an action may still sit outside the agreed Risk Appetite.
2.2. Policy Framework
Post Office has established a suite of policies and procedures, on a risk sensitive approach
which are subject to an annual review. The policy suite is designed to comply with
applicable legislation and regulation. The Whistleblowing Policy should be considered and
read in conjunction with other policies where relevant. These may include the Financial
Crime Policy, the Anti-Bribery & Corruption Policy, Health & Safety Policies and HR Policies
where relevant.
2.3. Who Must Comply?
All third parties who do business with the Group, including consultants, suppliers and
business and franchise partners, will be required to agree contractually to this policy or
have their own equivalent policy.
Any investigations will be carried out in accordance with the Investigations Policy which is
available on the Post Office Intranet.
⁴ The Risk appetite was agreed by the Group’s Board in January 2015.
2.4. Minimum Control Standards
A minimum control standard is an activity which must be in place in order to manage the risks so they remain within the defined Risk
Appetite statements. There must be mechanisms in place within each business unit to demonstrate compliance. The minimum control
standards can cover a range of control types, i.e. directive, detective, corrective and preventive which are required to ensure risks are
managed to an acceptable level and within the defined Risk Appetite.
The table below sets out the relationships between identified risk and the required minimum control standards in consideration of the stated
risk appetite. The subsequent pages define the terms used in greater detail:
Risk Area | Description of Risk | Minimum Control Standards | Who is responsible | When
Receipt and investigation of whistleblowing reports | Failure to meet legal and regulatory requirements | Directive Control: Post Office must nominate a Whistleblowing Officer to receive reports, ensure that all reports are fully investigated and that any appropriate corrective action is undertaken. | Post Office CEO and Board | Ongoing
 | | The Whistleblowing Officer must provide a whistleblowing report to the R&CC and ARC at least annually. | Whistleblowing Officer | Annually
 | | Any serious whistleblowing concerns must be promptly escalated to the Chairman of the Post Office Audit and Risk Committee. | Whistleblowing Officer | Ongoing
 | | Preventative Control: All employees are trained and the policy is available to them. | Whistleblowing Officer | Training must be provided at least annually
 | | The Whistleblowing Officer must ensure that appropriate arrangements are in place to ensure that whistleblowing reports are addressed promptly, including during absences. | Whistleblowing Officer | Ongoing
Breach of confidentiality | Failure to ensure confidentiality for the whistleblower | Preventative Control: Whistleblowing Policy | Whistleblowing Officer | Ongoing
 | | Confidential Speak Up line reports are shared only with the Whistleblowing Officer. | Whistleblowing Officer | Ongoing
 | | Whistleblowing email inbox with restricted access. | Whistleblowing Officer | Ongoing
 | | Whistleblowing Officer must put arrangements in place to protect the confidentiality of the whistleblower during investigations. | Whistleblowing Officer | Ongoing
 | | Corrective Control: All incidents of breaches are escalated to the Whistleblowing Officer to review and take necessary actions. | Whistleblowing Officer | Ongoing
Incorrect handling of whistleblowing report | An individual may raise a whistleblowing report with other individuals in the Group. Details may then be shared with various stakeholders before being passed on to the Whistleblowing Officer. | Preventative Control: Training provided to contact teams to identify potential whistleblowing reports and ensure these are correctly handled, e.g. Grapevine, NBSC, Customer Support, and Executive Complaints. | Whistleblowing Officer | Annually
 | | Communications and awareness provided to all employees and Policy document published on the Intranet. | Head of Financial Crime | Annually
 | | Corrective Control: All incidents of breaches are escalated to the Whistleblowing Officer to investigate and take appropriate actions. | Whistleblowing Officer | Ongoing
Insufficient Information | Failure to capture/report sufficient information about the issue may mean that the underlying issue cannot be properly investigated and resolved. | Directive Control: Employees are encouraged to report issues and provide full information and their contact details, where they feel able to do so. | Whistleblowing Officer | Ongoing
 | | Corrective Control: All reports, including those where insufficient information has been provided and no further action was taken, are recorded on the Whistleblowing database, which is reviewed for trends and issues. | Whistleblowing Officer | Ongoing
The ‘Speak Up’ Service | Failure to effectively record whistleblowing reports and pass them on to the Whistleblowing Officer, due to factors such as resource or IT failure. | Preventative Control: The Whistleblowing Officer must review the effectiveness of the service provided by InTouch Ltd at least annually. | Whistleblowing Officer | Annually
 | | The Whistleblowing Officer must review the effectiveness of the processes operated by each of Grapevine, NBSC, Customer Support, and The Executive Complaints Team at least annually to ensure that whistleblowing reports are identified and communicated promptly. | Whistleblowing Officer | Annually
Treatment of Whistleblowers | Breach of whistleblowing guidelines such that a whistleblower suffers prejudice as a result of making a report. | Preventative Control: Training must be provided to all people managers as part of their induction process as a manager and on appointment to Post Office. | Whistleblowing Officer and HR Training Manager | Ongoing
 | | Annual training must be provided to all Post Office staff to remind them of the protections available to whistleblowers and the importance of identifying and reporting wrongdoing. | Whistleblowing Officer and HR Training Manager | Ongoing
 | | The Code of Business Standards must refer to the whistleblowing policy and must be provided to all new joiners as part of their induction programme. | Whistleblowing Officer and HR Training Manager | Ongoing
3. Definitions
3.1. Definitions
Grapevine
24/7 Security Support Centre provided by Kings Ltd. Grapevine provides security advice
and records all security incidents across the business; this includes burglaries, robberies
and the reporting of suspicious activity.
Telephone Number:
E-mail
NBSC
Network Business Support Centre (NBSC) is a helpline and the first port of call for Post
Office branches if they have any operational query or require assistance.
Customer Support Team
Complaints handling team based in Chesterfield. The team address complaints reported
into Post Office via various channels, including post and telephone.
Executive Complaints Team
This team handles all complaints addressed directly to the Group Executives. The team
liaise with various stakeholders within the business in order to resolve complaints.
4. Where to go for help
4.1. Additional Policies
This Policy is one of a set of policies. The full set of policies can be found at:
https://poluk.sharepoint.com/sites/postoffice/Pages/policies.aspx
4.2. How to raise a concern
Any Post Office employee who suspects that there is a breach in this Policy should report
this without any undue delay. Whistleblowing can be reported via the following channels:
• Their line manager,
• A senior member of the HR Team, or
• If either or both are not available, staff can contact the Post Office’s Whistleblowing
Officer, who can be contacted by email at: whistleblowing@postoffice.co.uk or by
telephone on:
Alternatively staff can use the Speak Up service available on 0800 0484531 or via
the secure on-line web portal: http://www.intouchfeedback.com/postoffice
In some instances it may be appropriate for the individual to report in the form of a
complaint to Grapevine, the Customer Support Team or the Executive Complaints Team.
4.3. Who to contact for more information
If you need further information about this Policy or wish to report an issue in relation to
this Policy, please contact the Policy sponsor or Policy owner.
5. Governance
5.1. Governance Responsibilities
As at the date of approval of this Policy, the General Counsel is both the Policy Sponsor
and Policy Owner, responsible for oversight of the Policy.
The Audit and Risk Committee are responsible for approving the Policy and overseeing
compliance.
The Board is responsible for setting the Group’s risk appetite.
6. Control
6.1. Policy Version
Date | Version | Updated by | Change Details
27th April 2016 | 1.4 | Jane MacLeod | Sponsor’s review and sign-off
21st August 2017 | 1.5 | Vitor Camara | Annual Review and update.
6.2. Policy Approval
Group Oversight Committee: Risk and Compliance Committee and Audit and Risk Committee
Committee Date Approved
POL RCC
POMS RCC
POL ARC
POMS ARC
Policy Sponsor: Group Director of Legal, Risk & Governance
Policy Owner: Whistleblowing Officer
Policy Author: Head of Financial Crime
Next review: August 2018
Company Details
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers
2154540 and 08459718 respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its
Information Commissioners Office registration number is ZA090585.
Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information
Commissioners Office registration number is 24866081.
8.3. Data Protection
POST OFFICE Page 1 of 2
RISK & COMPLIANCE COMMITTEE POLICY REVIEW
Protecting Personal Data Policy
Author: Chris Russell Sponsor: Jane MacLeod Meeting date: 13 September 2017
Executive Summary
Context
This paper sets out the introduction of the Protecting Personal Data Policy for the Risk
and Compliance Committee to consider and approve.
Questions addressed in this paper
• What is the need for a Protecting Personal Data Policy and why now?
• What are the implications of these changes?
Conclusion
1. The Protecting Personal Data Policy has been created to bestride our obligations
under the current Data Protection Act 1998, and the General Data Protection
Regulation (GDPR) which will come into force in May 2018.
2. The Policy introduces the mandate needed to meet the Group’s legal requirements.
3. The Policy sets out minimum standards of controls which will be communicated to
relevant stakeholders, and monitored on a business as usual basis by the Data
Protection Function.
Input Sought
The R&CC is asked to approve the Protecting Personal Data Policy.
INTERNAL Page 1 of 2 RCC 13 September 2017
The Report
Why do we need to review this policy?
4. This is a new business Policy and the terms of the policy require it be reviewed by
the R&CC.
What is the need for a Protecting Personal Data Policy?
5. The policy has been created to ensure the Group meets its obligations under Data
Protection Laws.
6. The regulatory landscape is changing, in May 2018 the GDPR comes into force and
will put further obligations on the Group. The Policy has been designed in a manner
to ensure compliance with current regulation, but to begin to embed our obligations
under the GDPR, and meet the deliverables of the GDPR Programme.
How did we develop these recommendations?
7. The policy has been developed by reviewing current legislation (Data Protection
Act 1998) against the incoming legislation changes (General Data Protection
Regulation).
What will be the impact of the Policy and will there be a need to implement further
business processes to meet the Policy requirements?
8. A number of Standard Operating Procedures, as mandated by the Policy, will be
created in order to document operating procedures to allow the exercise of individual
rights.
9. Membership of the Data Breach Emergency Response Team, as mandated by the
Policy, will need to be scoped.
10. Data Retention Schedules will need to be reviewed and updated.
How will the Policy be communicated and implemented?
11. Internal communications and training - once the policy has been approved, the
GDPR programme Steerco will be engaged, and a multi-channel communication
plan developed, in order to meet the programme deliverables against education,
awareness and accountability.
12. The revised Data Protection Impact Assessment Tool is being embedded into the
business with the Gating Community, and further by introduction into the
Information Security and Data Protection Corporate Training, and multi-channel
communications piece.
13. The Data Protection Function will monitor adherence to the minimum control
standards set out in the policy on an on-going basis through their review of risk
assessments, project business readiness and incidents. Any control gaps identified
will be reported to the R&CC as required.
8.3. Data Protection
GROUP POLICIES
Protecting Personal Data Policy
Version — V1.2
Chief Executive’s Endorsement
Post Office is committed to conducting its business in accordance with all applicable Data Protection
laws and regulations and in line with the highest standards of ethical conduct.
INTERNAL Page 1 of 14 Protecting Personal Data Policy V1.1
1. Overview
1.1. Introduction by the Policy Owner
1.2. Purpose
1.3. Core Principles
1.4. Application
1.5. Data Privacy Risk
1.6. Legislation
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
2.2. Policy Framework
2.3. Who must comply?
2.4. Minimum Control Standards
3. Tools
3.1. Data Protection Impact Assessment
4. Where to go for help
4.1. Additional Policies
4.2. How to raise a concern
4.3. Who to contact for more information
5. Control
5.1. Policy Version
5.2. Policy Approval
1. Overview
1.1. Introduction by the Policy Owner
The General Counsel has overall accountability to the Board of Directors for ensuring that
the requirements of this Policy are maintained, for introducing any change programs that
may be required as a result of this Policy and ensuring ongoing compliance programs are
managed appropriately.
1.2. Purpose
Trust is at the heart of the Post Office brand and protecting the Personal Data we use is
fundamental to maintaining that reputation. Data Protection legislation protects the
fundamental rights and freedoms of individuals, in relation to the use of their Personal
Data.
As such, this Policy sets out the expected behaviour of Post Office Employees and Third
Parties in relation to the collection, use, retention, transfer, disclosure and destruction of
Personal Data.
1.3. Core Principles
Post Office has adopted the following principles to govern its collection, use, retention,
transfer, disclosure and destruction of Personal Data:
1. Lawfulness, Fairness and Transparency
Post Office must Process Personal Data lawfully, fairly and in a transparent manner.
• Post Office must tell the Data Subject what Processing will occur (transparency),
• Processing must match the description given to the Data Subject (fairness), and
• Processing must be for one of the purposes specified in the applicable Data
Protection regulation and associated legislation (lawfulness).
2. Purpose Limitation
Post Office can only use Personal Data for the purpose that it was originally collected and
limit any further Processing of that Personal Data according to the purposes notified to the
Data Subject.
3. Data Minimisation
The Personal Data Post Office collects must be adequate, relevant, and limited to what is
necessary in relation to the purposes for which they are Processed.
This means Post Office must not collect or store any Personal Data beyond what is strictly
required.
4. Accuracy
The Personal Data Post Office collects must be accurate and kept up to date.
Post Office must ensure that processes for identifying and addressing out-of-date,
incorrect and redundant Personal Data are introduced and maintained. This will ultimately
have a business benefit by removing contacts that are no longer using Post Office products
or services.
5. Storage Limitation
Personal Data shall be kept in a form which permits identification of Data Subjects for no
longer than is necessary for the purposes for which the Personal Data is Processed.
Post Office must, wherever possible, introduce mechanisms and procedures into their
systems and processes that limit or prevent identification of the Data Subject (e.g.
Anonymisation).
6. Integrity & Confidentiality
Post Office must Process Personal Data in a manner that ensures appropriate security
including:
• Protection against unauthorised or unlawful Processing,
• Protection against accidental loss, destruction or damage.
We must use appropriate technical and organisational measures to ensure the integrity
and confidentiality of Personal Data is maintained at all times.
7. Accountability
Post Office must demonstrate these Data Protection Principles are met for all Personal
Data for which it is responsible.
It shall be the responsibility of the GE to ensure that all processes for which they are
responsible, are conducted in a manner which can be subject to either internal audit or
external regulatory scrutiny, and can demonstrate their compliance with this Policy, its
corresponding standards and guidance and legal requirements.
1.4. Application
This Policy is applicable to all areas within the Group and defines the minimum standards
to control the risks associated with non-compliance with Data Protection regulations.
All Third Parties engaged to process Personal Data on behalf of Post Office (Data
Processors) must be aware of and comply with the contents of this policy. Assurance of
such compliance must be obtained from all Third Parties, prior to granting them access to
Personal Data controlled by Post Office.
The risk to the Group in relation to breaches of Data Protection regulations is reviewed
by the Board on a regular basis.
Any non-compliance may expose Post Office to complaints, regulatory action, fines and/or
reputational damage. Therefore any breach of this policy will be taken seriously and may
result in disciplinary action or business sanctions being applied.
1.5. Data Protection Risk
Failure to appropriately manage risks and incidents relating to Data Protection could result
in punitive penalties, regulatory breaches, fines, prosecution, and prevention from
processing personal data and damage to reputation.
The GE must ensure that all Data Protection risks are identified and addressed when
designing new systems or processes and/or when reviewing or expanding existing systems
or processes.
A Data Protection Impact Assessment (DPIA) must be conducted, in cooperation with the
Data Protection Function for all new, and/or revised systems or processes.
Where applicable, Information Protection and Assurance (IPA) and IT Security, will
cooperate with the Data Protection Function to assess the impact of any new technology
uses on the security of Personal Data.
All investigations into breaches of this Policy, will be managed and controlled by the Data
Protection Function. All investigations will be conducted in conjunction with the Security
Operations Centre.
1.6. Legislation
The Group seeks to comply with all relevant UK legal and regulatory requirements
including (but not limited to):
• Data Protection Act 1998
• Privacy & Electronic Communications Regulations 2003
• Regulation of Investigatory Powers Act 2000
• Human Rights Act 1998
2. Risk Appetite and Minimum Control Standards
2.1. Risk Appetite
A Risk Appetite is the extent to which the Group will accept that a risk might happen in
pursuit of day-to-day business transactions. It therefore defines the boundaries of
activity and levels of exposure that the Group is willing and able to tolerate.
The Group takes its legal and regulatory responsibilities seriously and consequently has:
• Tolerant risk appetite for Legal and Regulatory risk in those limited circumstances
where there are significant conflicting imperatives between conformance and
commercial practicality
• Adverse risk appetite for litigation in relation to high profile cases/issues
• Adverse risk appetite for not complying with law and regulations or deviation from
business conduct standards
• Adverse risk appetite for data loss/leakage that can lead to customer, commercial
or reputational damage
• Adverse risk appetite for inaccurate and unreliable processing of data
The Group acknowledges however that in certain scenarios even after extensive controls
have been implemented a product or transaction may still sit outside the agreed Risk
Appetite. In this situation, a risk exception waiver will be required.
2.2. Policy Framework
Post Office will establish and maintain a suite of Data Protection policies and standard
operating procedures (SoPs) and guidance, which are subject to annual review. The policy
suite is designed to set out how the business aims to comply with Data Protection
regulations.
The suite of documents mandated by this Policy covers the following:
• The identification through documented risk assessment of potential or inherent
Data Protection risks and mitigating actions (Data Privacy Impact Assessments)
• Documentation of operating procedures to allow the exercise of individual rights,
including:
  o Information access.
  o Objection to Processing.
  o Objection to automated decision-making and profiling.
  o Restriction of Processing.
  o Data portability.
  o Data rectification.
  o Data erasure.
• On a risk-sensitive basis, performing due diligence upon our employees, agents and
third parties,
• Data Breach escalation and management plans
2.3. Who must comply?
Compliance with this policy is mandatory for all Post Office Employees. All third parties
who do business with the Group, including consultants, suppliers and business will be
required to agree contractually to this policy or have their own equivalent policy.
Where non-compliance is identified the matter must be referred to the Policy Owner and
the Data Protection Function. Where it is identified that an instance of non-compliance is
caused through wilful disregard or negligence, this will be treated as a disciplinary offence.
2.4. Minimum Control Standards
A minimum control standard is an activity which must be in place in order to manage the risks within the defined Risk Appetite statements
contained within the table below. To comply with this, mechanisms must be in place within each business unit or product to demonstrate
compliance. The minimum control standards can cover a range of control types, i.e. directive, detective, corrective and preventive which
are required to ensure risks are managed to an acceptable level and within the defined Risk Appetite.
The table below sets out the relationships between identified risk, the considered Risk Appetite, and the required minimum control
standards. The subsequent page defines in greater detail terms used:
Risk Area: Proposed Product or service
Description of Risk: A new system uses Personal Data, however potential privacy risks have not been considered in the design, which results in a Personal Data Breach, accompanied by punitive penalties, reputational damage and a loss of licence to process personal data.
Minimum Control Standards:
Preventive Control: As part of the design of a new product or service, or where a product or service is being updated:
• Product or service risks must be considered, mitigated and documented using the DPIA before completion of the design phase. (Who is responsible: Product Manager)
• Prior to launch the DPIA must be reviewed and approved by the Data Protection Function. (Who is responsible: Data Protection Function)
When: During design phase

Risk Area: Existing Products and services
Description of Risk: Due to changes in regulation there is a risk that current controls will no longer be adequate to meet our Data Protection obligations.
Minimum Control Standards:
• Preventative Control: Where a product or service has undergone a DPIA, it must be reviewed annually, or when there is a proposed change to the product or service affecting Personal Data. (Who is responsible: Product Manager. When: Annually, or at any time there is a change)
• If it is found that no DPIA has been agreed, one must be undertaken, in an agreed timescale, with the Data Protection Function. (Who is responsible: Product Manager. When: Annually, or at any time there is a change)
• Corrective Control: DPIAs must be carried out where an issue is highlighted or an incident occurs. (Who is responsible: Product Manager. When: When there is a material issue or incident)

Risk Area: Employees
Description of Risk: Due to inadequate training, there is a risk of unintentional misuse of Personal Data, resulting in punitive penalties, reputational damage and a loss of licence to process personal data.
Minimum Control Standards:
• Preventative Control: All staff must undertake annual Data Protection training. Employees who operate in areas with high exposure to Personal Data will, in addition to this, on a regular basis, receive bespoke training to reflect their on-going needs. (Who is responsible: Data Protection Function; All employees. When: Annually, and when a need is identified)

Risk Area: Data Processing
Description of Risk: Personal Data is Processed in a way that is incompatible with the reason it was collected, resulting in customer complaints due to unsolicited marketing, resulting in ICO investigations, enforcement action including punitive penalties, loss of licence to Process Personal Data.
Minimum Control Standards:
• Preventative Control: Assessment of Processing activities through DPIAs. (Who is responsible: Data Protection Function. When: Ongoing)
• Governance of Processing activities through Processing registers. (Who is responsible: All business functions. When: Ongoing)
• Internal auditing and review of Processing activities and qualifying legitimate purposes for Processing, including marketing permissions. (Who is responsible: Data Protection Function. When: Ongoing)

Risk Area: Breach Management
Description of Risk: Due to malicious behaviour, customer or employee records are accessed, resulting in punitive penalties, reputational damage and a loss of licence to process personal data.
Minimum Control Standards:
• Preventative Control: The Group has an Information Security Policy which sets out the minimum technical security measures the Post Office employs to protect the Business against malicious behaviour. (Who is responsible: Information Security. When: Ongoing)
• The Group has a breach management plan with an Emergency Response Team, to investigate and manage the potential impacts from a Personal Data Breach. (Who is responsible: Data Protection Function. When: Ongoing)
• To ensure that the board and senior managers are aware of issues and concerns, a Weekly GE Incident Reporting process is in place. (Who is responsible: Data Protection Function)

Risk Area: Third Parties
Description of Risk: Failure to follow due process set out in contractual clauses, statements of work and operating procedures by the Third Parties may incur a data breach affecting PO customer data.
Minimum Control Standards:
• Preventative Control: Third Parties must adhere to the processing arrangements as specified in the data processing contractual provisions. (Who is responsible: Legal and Data Protection Function. When: Ongoing)
• Processing Provisions and liability arrangements are in place to ensure Post Office has a remedy against Third Parties who are in breach of contract and Data Protection Laws. (Who is responsible: Legal and Data Protection. When: Ongoing)
• Contract Owners must ensure that there is appropriate oversight of Processing activities undertaken by the contracting third party.

Risk Area: Information Security
Description of Risk: Inadequate access controls may lead to unauthorised access, deletion, loss, damage or unauthorised alteration of Personal Data.
Minimum Control Standards:
• Preventive Controls: Business areas must assess and assure risks relating to employee access to systems and files containing Personal Data. (Who is responsible: All employees; I.T. When: Ongoing)

Risk Area: Data Retention
Description of Risk: Customer Data is retained when there is no longer a legitimate purpose for doing so, which may lead to customer complaints resulting in punitive penalties, reputational damage and a loss of licence to process personal data.
Minimum Control Standards:
• Preventative Control: The Group has a Data Retention Policy which sets out appropriate procedures for the retention and destruction of Personal Data. (Under review) (Who is responsible: Data Protection Function. When: Ongoing)
3. Tools
3.1. Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) must be conducted, in cooperation with the
Data Protection Function for all new, and/or revised systems or processes.
The DPIA Template can be found here (link)
4. Where to go for help
4.1. Additional Policies
This policy is one of a set of policies and standard operating procedures, which can be
found:
insert link
4.2. How to raise a concern
Any Post Office employee who wishes to raise a concern can:
• Discuss the matter fully with their Line Manager; or
• Email the Data Protection Function - data.protection
• Report the matter directly to the Data Protection Officer.
4.3. Who to contact for more information
If you need further information about this
report an issue in relation to
this policy, please contact data.protection
5. Control
5.1. Policy Version
Date | Version | Updated by | Change Details
May 2017 | 1 | Sophie Dalby |
July 2017 | 1.1 | Sophie Dalby | Updated in line with comments from stakeholders
5.2. Policy Approval
Group Oversight Committee: Risk and Compliance Committee (RCC) and Audit and Risk Committee (ARC)
Committee | Date Approved
POL RCC |
POMS RCC |
POL ARC |
POMS ARC |
Policy Sponsor: Group Director of Legal, Risk & Governance
Policy Owner: Director of Risk and Compliance
Policy Author: Data Protection Officer & Senior Data Protection Manager
Next review: September 2018
Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered
numbers 2154540 and 08459718 respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London
EC2Y 9AQ.
Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA),
FRN 630318. Its Information Commissioners Office registration number is ZAQ90585.
Post Office Limited is authorised and regulated by Her Majesty’s Revenue and Customs (HMRC), REF 12137104.
Its Information Commissioners Office registration number is 24866081.
8.4. Code of Business Standards
Post Office
Code of Business Standards
Contents
Foreword by our Chief Executive 3
Our Heritage and Values 4
Introducing the Code 4
Observing the Code 4
Our Brand 5
Customer Excellence 5
Our People 6
Business Behaviours 6
Personal Behaviours 7
Valuing Diversity and Inclusion 7
Creating and Maintaining a Safe and Healthy Place of Work 8
Health and Wellbeing 9
Protecting the Environment 9
Use of Alcohol, Tobacco and Illegal Drugs 9
Use of Computers, Internet, Phones and Email 10
Social Media 10
Engaging with the Media 11
Political Activity 11
Conflicts of Interest 11
Gifts and Sponsorship 12
Hospitality and Entertainment 12
Fraud and Financial Crime 13
Risk Management 13
Modern Slavery 13
Consequences of Non-Compliance for the Code of Business Standards 14
Making Proper Decisions and Seeking Help 14
Foreword by our Chief Executive
Dear Post Office Colleagues,
Post Office is unique - a commercial business delivering an important social purpose. We
believe in the importance of connecting communities and enhancing the powerful role
they play in all our lives. We stay true to this commitment by meeting customer needs
through carefully designed, high quality products, and maintaining an unrivalled local
presence across the UK.
Generations of hard work and honest achievement have made Post Office a name that
elicits trust. This is due in no small part to an unwavering commitment to ethical
behaviour and doing the right things in the right way. This commitment and integrity is
critical to achieving great business performance.
Our Code of Business Standards sets out our enduring commitment to ethical behaviour
and ensures our policies and processes are relevant and appropriate to today’s dynamic
operating and regulatory environment. Regardless of the challenges that arise in
achieving our ambitions, our commitment to how we do business is unwavering.
I expect everyone at Post Office to read this document carefully and to think about how
it applies to their work. Consider how your behaviours, actions and decisions may affect
others, including customers and colleagues.
The way that we conduct business has never been more important.
Thank you for your trust in the Post Office. And, most importantly, thank you for your
commitment to ensure our customers and the communities we serve, continue to place
their trust in us.
Paula Vennells
Our Heritage and Values
The Post Office has thrived at the heart of communities across the UK for over 370
years. We are one of the country’s most trusted brands and we take our commitment
to provide essential services very seriously. We are the UK’s largest retail network and
provide unrivalled access to banking and financial services, with more branches than all
the UK’s banks and building societies put together.
We are committed to doing business the right way. That means we act lawfully. It also
means that how we conduct ourselves is more than just a matter of policy and law; it’s
a reflection of our core values: Care, Challenge and Commit. By aligning our
behaviours to our core values, we help maintain the trust and support of our
customers, shareholders, communities and others with whom we work.
Introducing the Code
Our Code of Business Standards defines how we operate.
In developing the Code of Business Standards, we have drawn inspiration from our
heritage and values as well as the law. It is intended to guide the way we behave and
give us standards to measure ourselves. It sets out what people can expect when
working for and with the Post Office. It is designed to provide guidance and support in
making decisions and carrying out work in a way that is compatible with our values,
policies and processes and the law. As the legal and regulatory environments evolve,
the Code will adapt to accommodate such changes.
By consistently adhering to this Code we will continue to foster and strengthen a
culture that will help us to continue to be a business to be proud of - a ‘Great place to
work’ that is ‘Simpler to run’ and ‘Better for customers’.
Observing the Code
Everyone employed by, acting on behalf of, or representing, Post Office (including
contractors, consultants, and other service providers) is required to adhere to the Code;
they are expected to operate in line with it and the corresponding Group Policies.
As a Post Office colleague, you are required to:
- Read and understand the Code of Business Standards and work-related policies and
incorporate them into your work and behaviours;
- Complete all mandatory training on time;
- Report potential unlawful behaviour or breaches of the Code or company policies;
- Cooperate fully with company investigations;
- Never victimise colleagues for ‘calling it out’;
- Ask questions when you’re unsure.
If you are a manager, you have additional responsibilities to:
• Promote the Code of Business Standards and work-related policies, incorporating
them into the work of your direct reports;
• Set a fitting example for others through your own behaviour;
• Ensure that your team members know they can come to you with questions or
concerns and that you'll listen to them and respond appropriately;
• Never make promises or make commitments to partners, suppliers or your direct
reports beyond your authority;
• Not create policies, rules or guidelines that are less restrictive than the Code or
any other company policies;
• Maintain up to date job descriptions including the access to systems required for
the job;
• Complete performance management requirements including conducting one to
one meetings, objective setting, PDRs and performance ratings. See Performance
Development Reviews.
• Ensure that bullying and harassment is not tolerated in our workplace. See
Bullying and Harassment Policy and Grievance Policy and Procedure.
• Deal promptly and effectively with conduct, performance and attendance issues.
View Conduct Policy, Performance, Attendance and Behaviour (see separate
guidance for managers, colleagues and CSCs performance) and Managing Sick
Absence Policy.
• Hold, at a minimum, monthly team meetings which should be supported by the
monthly Team Talk briefing materials which can be found on the intranet.
• Complete all mandatory compliance training on time and ensure your teams do
the same. More information can be found on the intranet.
• Ensure that new colleagues are appropriately welcomed and inducted during their
trial period. See Induction Policy and Trial Policy and Procedure.
All line managers have access to the My HR Help service which supports managers with
team management queries. Visit www.myhrhelp.co.uk.
Our Brand
Our brand experience, for employees, customers, partners and stakeholders is shaped
by our core values of Care, Challenge and Commit.
We make that happen by having a set of straightforward business behaviours which
inform the way we do things, and we use them as a guide to improve our people
processes including recruitment, learning and development, talent and performance
management.
In short, it’s how we do things to deliver our brand commitment to customers.
Customer Excellence
Our customers are at the heart of everything we do.
We all know what it feels like to experience good and poor customer service. We need to
ensure that we deliver great service for all customers, every time they interact with us.
The more we understand our customers and their expectations, and put ourselves in
their shoes, the easier it will be to provide consistently great service.
How do we demonstrate our commitment to customer excellence?
• by listening to them and understanding their needs and expectations
• by communicating respectfully, leaving out the jargon, providing them with the
best service and products that meet their needs
• by always thinking about them and not the process
• by keeping it simple and straightforward to reach us - in branch, online, mobile
Our People
With a diverse range of backgrounds, talents and perspectives, Post Office is in a unique
position to understand our customer needs.
At Post Office, we differentiate ourselves through the dedication of our people. Our rich
and diverse cultures and experiences help us make connections with our customers and
sustains the continued success of our brand. To maintain this, we treat each other with
respect, even when our differences may set us apart.
We aspire to provide a positive work environment. This means that regardless of our
differences, we can work without fear of discrimination, harassment or victimisation.
Employment decisions - whether they be related to hiring, promotions, transfers or
terminations - are based on merit, equity and fairness.
Post Office operates a zero tolerance to any form of discrimination, including based on:
- Race
- Colour
- Religion or Faith
- Age
- Sexual orientation, gender, or gender identity expression
- National origin, geographical or demographic background
- Pregnancy or Maternity
- Any other classification protected by UK law
We do not tolerate any form of bullying or harassment, whether written, verbal, visual or
physical, including:
- Sexually suggestive statements or actions
- Inappropriate or offensive comments or ‘jokes’
- Inappropriate conduct or contact
- Threats
If you have a concern about bullying and harassment, you can speak to your line
manager or refer to the Bullying and Harassment policy or managers can contact My HR
Help. There is also the HELP employee assistance programme, which you can find out
more about here.
Business behaviours
Our behaviours are based on our core values of Care, Challenge and Commit.
We care by always thinking customer
Care is the cornerstone of our business. It means valuing people and their time; and
putting our customers first. It means making it personal; listening and understanding;
being guided by our conscience and expertise; and keeping our word. In short, it means
doing right by people. This is what sets us apart.
We strive to make things ever better through honest challenge
Challenge conventions, challenge complexity, challenge competitors, challenge on behalf
of our customers, challenge each other, challenge yourself. We've been passed the baton
of this great institution. It's up to every one of us to drive it forward and create change
for a successful future.
We don’t just work for the Post Office, we are the Post Office and we’re all responsible
for its commercial success. The road ahead is exciting, but not easy. If each and every
one of us invests all our energy, creativity and passion we can achieve amazing things.
You can find out more about these behaviours and what they mean, in Our Post Office.
Personal Behaviours
We expect high standards of personal behaviour at work
Behaviour which damages service to customers, or the reputation or efficiency of Post
Office, is unacceptable. This extends to poor attendance, lateness, dishonesty,
drunkenness, use of illegal substances, and violent or disorderly behaviour or abusive
language.
Maintaining our standards means we:
- Conduct ourselves appropriately and professionally
- Act as an ambassador for the company
- Operate within the law
- Do not bring Post Office into disrepute
- Do not claim money for hours you did not work, a journey you did not make or an
expense you did not incur
- Do not use inside information about a company transaction for personal profit
We should all demonstrate:
- Honesty and integrity
- Efficiency and reliability
- Punctuality and good attendance
- A smart and clean appearance - and where uniform is provided by Post Office, it
should be worn as intended
- A credible image to the public
Valuing Diversity and Inclusion
We want our people to reflect the diversity of the communities in which we live and
work, and the customers we serve.
We celebrate the diversity of our workforce and the communities we serve by embracing
diversity and inclusion and creating policies which actively promote working without fear
of discrimination.
Everyone working for Post Office has a responsibility to:
- Promote a professional and positive work environment
- Promote a culture of inclusivity where differences are accepted, valued and
celebrated
- Inform their line manager of any instances of apparent discrimination or any
perceived problem in relation to employment
- Comply with, and promote, Post Office policy and procedures with regard to
diversity and inclusion. You can view our Valuing Diversity Policy here.
We actively support:
- Flexible working practices, which you can read more about here
- Women in Leadership Programme to support and nurture female talent.
- Post Office Prism: a network of lesbian, gay, bisexual and transgender (LGBT)
colleagues and their allies. The group supports and celebrates Post Office’s LGBT
community and provides advice and guidance to our business on inclusivity and
diversity.
- Disability Confident Group: a network of Post Office colleagues with disabilities
and colleagues who want to support them. The group provides support and advice
and helps the business to do the very best it can for employees with disabilities.
Language:
The common language of business should be English (English or Welsh in Wales). However,
so long as it doesn’t jeopardise the job or health and safety of colleagues or members of
the public and doesn’t deliberately exclude people, colleagues should be able to
communicate in their own language within reason.
Creating and Maintaining a Safe and Healthy Place of Work
We strive to work as safely as possible.
Everybody has the right to work in a safe and healthy environment. We will fulfil our
promises without compromising the safety of our customers, colleagues, suppliers and
all those affected by our activities.
Pursuing this aim reflects the high value we place on our employees and all those
touched by our business activities:
- We comply fully with relevant legislation
- We ensure that the health and safety responsibilities of our employees, including
managers, are clearly defined, allocated and understood
- We encourage and help all managers and employees to carry out their
responsibilities through effective health and safety management systems, with
safe premises, equipment and processes
- We improve our employees’ capability to manage and work safely, through
coaching and training
- We support and encourage our people and unions to get involved in the health and
safety performance of our business
- We support and encourage our people and unions to get involved in pursuing a
healthy and safe way of living and working
- We monitor and review how well we put our health and safety policies into
practice
We are all responsible for health and safety. Every manager is accountable for the health
and safety of their people. A full copy of the Health and Safety policy, and all associated
policies, can be found on the Health and Safety intranet site.
Risk & Compliance Committee meeting-13/09/17
8.4. Code of Business Standards
Health & Wellbeing
We seek to enable colleagues to achieve a positive balance between their work and their
lives outside of work.
We take health and wellbeing seriously. That’s why we work hard to promote a positive
wellbeing culture and provide a range of services such as flexible working to help all our
people stay mentally and physically healthy.
What we offer:
- Lifestyle online for colleagues and their families - to support our people to stay fit
and healthy
- Monthly health and wellbeing campaigns, helping to raise awareness of what we
offer and how our people can stay healthy
- Health checks - a rolling programme using kiosks and mobile kit
- HELP employee assistance programme for colleagues, partners and managers
can provide advice and guidance on a variety of topics in full confidence.
- OH Assist Managers Portal provides advice and guidance for managing health and
wellbeing
- Occupational Health Referral Portal for managers to request support for their
teams during challenging times
- Training for colleagues to raise awareness on specific issues relating to health,
safety and wellbeing
- My HR provides expert advice and guidance for all managers on any HR related
issue. Visit www.myHRhelp.co.uk for more information.
- Speak Up Whistleblowing hotline where our colleagues can raise concerns
internally in confidence. See Whistleblowing Policy for more information.
Protecting the Environment
Everyone has a part to play in reducing our environmental impact.
Post Office aims to comply with all relevant environmental legislation, and to promote
initiatives that save on the resources we use. We recognise that our business activities
and policies have an impact on the environment and we are committed to taking account
of the environmental and ethical effects of our policies in our planning and operations.
In standards of design and cleanliness, we recognise our responsibility to ensure that our
premises are a credit to the communities in which they are situated.
We aim to reduce our environmental impact through:
- Reduction in the use of water
- Efficient use of energy and a reduction in our CO2 emissions
- Reduction in waste to landfill and maximising recycling opportunities
- The use of sustainable materials.
Use of Alcohol, Tobacco and Illegal Drugs
Possession or use of alcohol or illegal drugs while on Post Office premises or while
conducting company business is prohibited. The exception is that during business
dinners and events, or in designated areas, we may provide and drink alcohol in
moderation, where permitted by law.
Smoking (including vaping and e-cigarettes) is not allowed on company premises.
Use of computers, internet, phones and email
The security of our information and IT systems is critical.
Many colleagues will have access to Post Office systems, information and devices such as
laptops and mobile phones. It’s really important that anyone who accesses them knows
how to keep them secure by following the requirements in the ‘Acceptable Use policy’.
For example, these devices must not be left unattended in public areas, screens must
always be locked when not in use and the use of privacy screens should be adopted
when working in public areas.
To help protect our systems and information, you should:
- Classify information in line with our classification standard, as set out in our
Information Security Handbook.
- Use complex passwords to protect your access, as set out in our Information
Security Handbook.
- Only open emails when you know who they are from and don’t click on unknown
links or open unexpected attachments.
- Don’t use your Post Office email address or password for accessing 3rd party
services such as LinkedIn. Use a different password.
- Only use approved data storage areas, such as OneDrive. Don’t sign up for
cloud storage services such as Dropbox.
- Never click on links to go to a website where you expect to log on - always
go to the website directly.
- Don’t store Post Office data directly onto your personal devices
- Don’t become a victim: if you think an offer is too good, it probably is!
If you become aware of any information security issue or incident you should always
report it to the IT Helpdesk or email postofficeservicedesk…
Failure to comply with the Acceptable Use policy can carry profound consequences for
Post Office and individuals. Breaches of the policy or the law may lead to disciplinary
action up to and including dismissal.
Social Media
Digital and social media is a key part of modern life.
New digital technologies can help us engage actively with our customers. We can
promote what we do and draw on innovative ideas. However, with these benefits comes
greater responsibility.
As more colleagues can access the internet at work both on personal and official devices,
it is important that we maintain the highest levels of propriety at all times. We must
always act in a way that does not compromise the trust and confidence of our customers
or the standards of behaviour expected of us.
Colleagues are free to use social and other digital media in their own time. Social media
is a public forum and the boundaries between professional and personal can become
blurred — so it’s important that we exercise particular care to ensure:
- Post Office brands or logos are not used or altered without prior permission
- Copyright and fair usage laws and restrictions are respected and observed
- Social media is not used to offend, harass or bully people
- We must not disclose official information relating to clients, partners or suppliers
without the prior authority of the business
- You must not appear to be endorsing any product or service (including retweeting
comments)
The simple rule to remember is that the principles covering the use of social and other
digital media in both work and in a personal capacity are the same as those contained in
this Code of Business Standards and company policies that apply for any other activity.
Engaging with the Media
Where a colleague is asked to make a comment about Post Office in a published form
external to the business, such as a newspaper, magazine, journal, radio, television or a
website, they must direct this to the Press Office. They can be contacted on GRO or
pressoffice…
Political Activity
Colleagues have the right to participate as an individual in political activities.
However, these activities are conducted as an individual and not as a representative of
Post Office. The Post Office is a politically neutral organisation and our reputation must
not be compromised by your interest, affiliation or activities relating to political parties,
pressure groups or other causes.
No matter what your own political beliefs are, you must not act or behave at work in a
way that is determined by party political considerations, or use Post Office resources for
party political purposes, or allow your personal political views to determine any advice
you give or your actions.
Conflicts of Interest
We ensure that information received during our business dealings is not used
inappropriately for corporate or personal gain or any other purpose except that for which
it is given.
If you feel that you might have a potential conflict of interest, inform your line manager
and seek their advice if you are unsure. Be open and frank about any outside activity or
business you are involved in which may conflict with Post Office or your duties as an
employee.
The essential principles are:
- You must not do anything which conflicts with your duty as an employee or
agent of the company, or use your official position for private advantage
- You must declare any outside employment, directorship or material shareholding
and these must not be contrary to the company’s commercial interest or bring it
into disrepute
- Your actions as an employee or agent at work must not be improperly influenced by
any relationship (e.g. with relatives, friends, marriage, partners or membership of
any social, religious or political association) or by any personal or financial
consideration
- No one should exploit their personal or family relationship with any colleague for any
gain including to themselves or others
- If you receive a fee from an outside source for performing a service which forms
part of your official duties or takes place in business time, e.g. giving an interview
or lecture, you must report it to your manager. You will normally be expected to
pay the money to Post Office or to a charity connected with it.
- If the service arises from your work but is not directly connected with it and is
given in your own time, you must still report it to your manager
Gifts and Sponsorship
In general, the giving and receiving of gifts is not permitted except for low value
promotional items, such as pens, calendars, diaries, notepads and paperweights. You
can find out more by reading the Anti-Bribery and Anti-Corruption policy.
- You must not accept any gift, payment or inducement that might influence (or
seek to influence) your action as a Post Office employee. If any such offer is made
to you, you must report it to your manager.
- Equally, you must not offer any bribe or inducement to anyone else.
- You must not ask for or accept sporting or charitable sponsorship from an
organisation that has (or is seeking) a contract to supply the company, or is in
competition with it. You must declare to your manager any plan to accept
sponsorship and ask if there is any conflict.
The Risk and Compliance team maintain a Register of all gifts given and received.
Hospitality and Entertainment
Hospitality may only be given and accepted where it has a clear and demonstrable link
with a legitimate business purpose, e.g. an organised event or a meal at which business
is to be discussed. In relation to offers of hospitality, numbers on both sides should be
limited to those whose presence is necessary to progress the business in hand.
Maintaining our standards means the giving and receiving of hospitality and
entertainment is subject to the following rules:
- You must obtain prior permission from your line manager before accepting or giving
hospitality
- The hospitality must be reasonable (not lavish or extravagant), proportionate to its
purpose and must ordinarily be below £100 per person in value
- You must send details of all hospitality offered and accepted, along with written
approval from your line manager, to the Risk and Compliance team at … so they
can maintain a Register of all hospitality given and received.
You should be aware of the risk that accepting any hospitality and entertainment could
compromise your performance of official business, or might reasonably appear to have
improperly influenced a business decision.
Use sound judgement and exercise restraint. If you are still unsure about the standards
required of you consult your manager or view the Anti-Bribery and Anti-Corruption policy.
Fraud and Financial Crime
We seek to comply fully with relevant legislation.
We take protecting our customers and their information extremely seriously. We invest
significantly in activities to detect, deter and prevent all aspects of financial crime, either
committed on Post Office, or where Post Office might be used unknowingly to facilitate
such action.
- We aim to protect our customers, maintain value for our shareholder and assist
society in combating crime by preventing criminals from benefiting from their
activities and proceeds.
- We promote high ethical standards and have a zero tolerance for circumvention of
our fraud and financial crime policies.
- Our colleagues are supported by mandatory training to develop their
understanding of financial crime risks including Anti-money laundering, Politically
Exposed Persons and Anti-Bribery & Corruption regulation.
We operate systems and controls designed to ensure that our products and services are
not abused for the purposes of laundering the proceeds of crime. Full details are
available at
Risk Management
Effective risk management is integral to the management of our business.
Our risk management processes and practices are intended to help you make better
informed decisions; increase the likelihood of meeting our strategic objectives, achieve
customer excellence and safeguard our business interests.
Effective risk management is demonstrated by how we behave - considering risk in
everything we do - from decision making, to operational management. We encourage
people to consider and assess risks, manage them and be transparent throughout.
Modern Slavery
Modern slavery is a crime and a violation of fundamental human rights. It takes various
forms, such as slavery, servitude, forced and compulsory labour and human trafficking,
all of which have in common the deprivation of a person's liberty in order to exploit them
for personal or commercial gain.
- Post Office is committed to acting ethically and with integrity in all our business
dealings and relationships and to implementing and enforcing the systems and
controls set out in our Modern Slavery Statement with the aim of ensuring that
modern slavery is not taking place anywhere in our own business or in any of our
supply chains.
- The prevention, detection and reporting of modern slavery in any part of our
business or supply chains is the responsibility of all Post Office employees at all
levels, as well as of its directors and officers. Our Modern Slavery statement can
be found on our website, here.
If you witness any signs of modern slavery within our business or supply chains, you
should raise your concerns via our Speak Up line on 0800 048 4531.
Consequences of Non-Compliance for the Code of Business Standards
Compliance with the Post Office Code and policies is not optional.
It is everyone’s responsibility to follow our Code of Business Standards and the various
related policies.
- Failure to comply with company policies and the law can carry profound
consequences for Post Office and potentially for you.
- Where non-compliance with the Code, company policies or the law has been identified in
accordance with established company investigatory procedures, we will take swift and
decisive action against an offending party, up to and including the termination of individual
and/or third party contracts as appropriate.
Post Office does not tolerate any form of retaliation against colleagues or third parties
who have made reports, in good faith, of threatened, ongoing, past or suspected
breaches of this Code of Business Standards.
Making Proper Decisions and Seeking Help
At Post Office, we set ourselves exacting standards. All our stakeholders, and others with
whom we work, have an expectation that they will be treated professionally.
We all have a responsibility to promote the Code of Business Standards and managers
should help and encourage their teams to understand and observe it.
Even with good judgement and the best intentions, we may not always know the most
appropriate course of action to take. The Code, along with our other company policies, is
designed to help us make proper decisions.
If you are faced with a dilemma, after reviewing the relevant parts of the Code, ask
yourself a few questions to help make the right decision:
- Am I adhering to the Code, other policies and procedures?
- Am I being honest?
- What would others think of my actions?
- How might my decision affect others?
- Would I feel comfortable if my actions were reported in the media?
- How would my decision impact on Post Office reputation?
If you are still unsure as to the right thing to do, you should talk with your manager and
discuss your questions and concerns.
We all share a responsibility to report concerns of actual or potential breaches of the
Code of Business Standards, company policies and the law.
If you witness or otherwise learn about the company’s standards and reputation being
put at risk by unethical or even criminal behaviour, you must immediately, and without
investigating, report it.
If you feel you can’t talk to your own manager and want to raise a concern
confidentially, please contact the Speak Up line on GRO; details can be found in
the Whistleblowing Policy. You can also email … for more information.
Please be aware that any breach of this Code may be dealt with under our Conduct Code,
and that gross misconduct could result in your dismissal.
9.1. Horizon
POST OFFICE PAGE 1 OF 2
RCC Noting Paper
9.1 Corporate Governance Reforms
Author: Natasha Wilson Sponsor: Martin Kirke Meeting date: 13 September
Context
This paper is to note a recent publication by the Government on Executive
Remuneration and Corporate Governance intended to raise the public’s trust in
business.
In November 2016, BEIS issued a Green Paper on Corporate Governance and
Executive Pay. The Green Paper recommended reform in the following areas:
- Executive pay;
- Strengthening the employee, customer and wider stakeholder voice; and
- Corporate governance in large privately held businesses.
The document published on 29 August contains the Government’s response to the
Green Paper consultation and a number of firm proposals.
Questions
1. What is the timing of the proposals?
2. What are the key proposals affecting Post Office?
Conclusions
1. Implementing the reform proposals will require a combination of changes to the
UK Corporate Governance Code, voluntary industry action and secondary
legislation.
2. The FRC intends to consult on amendments to the Code in late Autumn; the
Government intends to lay draft legislation before Parliament before March 2018.
3. The Government's current intention is to bring the reforms into effect by June
2018 to apply to company reporting years commencing on or after that date.
4. The key proposals affecting Post Office:
a. CEO: Employee pay ratio - the Government response confirms that the
disclosure regulations will be amended to improve transparency with
regard to directors’ remuneration. The requirement will be to disclose the
ratio of CEO pay to the average pay of a company’s UK workforce, along
with a narrative explaining changes to that ratio from year to year and
how the ratio relates to pay and conditions across the wider workforce.
This work is currently being looked at and will be discussed by the GE and
Remuneration Committee.
b. Strengthening of the employee, customer and wider stakeholder voice -
the response states that the Government will introduce secondary
legislation to require all companies of a significant size (private as well as
public) to explain how their directors comply with the requirements of
section 172 (Companies Act 2006) to have regard to employee interests
and to fostering relationships with suppliers, customers and others.
This work is currently being looked at by members of the GE and other
senior leaders to understand how we can incorporate this proposal within
our current and future forums.
c. Other proposals relating to Remuneration Committees and pay will be
discussed by the Remuneration Committee.
Input Sought
The Committee is asked to note the contents of this paper.
The Report
On 29 August, the government published a package of corporate governance reforms
intended to raise the public’s trust in business. Whilst executive remuneration forms
much of the response, it does extend beyond pay and into broader considerations
around wider stakeholder involvement and corporate governance in large private
businesses.
The press and TUC have criticised the government for what they see as a watered-
down set of proposals; however, I believe this is a good opportunity for Post Office and
we can address the requirements in a positive and pragmatic way.
In summary:
- Disclosure of the ratio of CEO pay to the average pay of the company’s workers,
along with a narrative explaining the changes to the ratio from year to year and
how the ratio relates to pay and conditions across the wider workforce.
Whilst the Government will give further consideration to the methodology for
calculating the ratio, at present, it proposes that it should be calculated based
on the CEO’s total annual remuneration (ie as we disclose in the ARA) relative
to the average total remuneration of the UK workforce.
- Strengthening the employee and wider stakeholder voice — the initial proposal
back in April to require an employee representative on the Remuneration
Committee or Board is not being taken forward. The FRC is to consult on
different mechanisms (NED representation, employee advisory councils...).
- Corporate governance: The FRC will work with IoD and others to develop a
voluntary set of corporate governance principles which is likely to apply to
companies with more than 2,000 employees.
- Boardroom diversity — the FRC is expected to take forward the BEIS Select
Committee recommendations that from May 2020, at least half of all new
appointments to senior and executive management positions in the FTSE 350
and all listed companies are women.
There are other proposals that are specifically related to pay and these will be discussed
by the Remuneration Committee.
Strictly Confidential RCC 13 September 2017
9.2. POMS RCC Minutes
Company no. 8459718 — Strictly Confidential
RCC 17/50 - 17/59
POST OFFICE MANAGEMENT SERVICES LIMITED (Company)
RISK, COMPLIANCE AND CONDUCT COMMITTEE (RCCC)
(A committee of the Executive)
Minutes of an RCCC meeting held at
Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ
On 26 June 2017 at 9.30 am
Present: Susie Hayward (SH) Head of Risk and Compliance (Chairman)
Stephen Gaines (SG) POMS Compliance Manager
Russell Tavener (RT) Head of Commercial Operations
Michael Brown (MB) Deputy for Head of Commercial
Ryan Griffin (RG) Head of Protection
Sanjeeve Thakrar (ST) Risk Manager
Francisco Couto (FC) Head of FS Legal
Elizabeth McMenemy (EMM) Compliance Advisor
Beverley Turner (BT) Senior Product Manager
Alberto Zanatta (AZ) Audit Manager
In Attendance: Ann Young (AY) Compliance Advisor
Apologies: Gerry Barrett (GB) Head of General Insurance
Gill Craig (GC) Deputy for Head of Travel
RCC17/50 WELCOME, QUORUM AND CONFLICTS OF INTEREST
The Chairman declared the meeting quorate and open.
RCC17/51 MINUTES OF THE MEETING HELD ON 22 May 2017
(a) The minutes of the meeting held on 22 May 2017 were approved and the
Chairman was authorised to sign them as a true record of the meeting.
RCC17/52 RISK MANAGEMENT
Action ST (a) ST confirmed that a risk workshop has been undertaken with the Senior
Lead Team to discuss the emerging risks, new risks and risk appetite. ST
confirmed that a list of the emerging risks would be circulated for
discussion prior to the next workshop which is scheduled for 9 August.
Action ST (b) ST confirmed that the Risk Appetite statements will need revision before
they are presented to the Board. ST also confirmed that a workshop to
discuss risk appetite further is to be arranged. Date to be confirmed.
Action ST (c) ST advised the meeting that the Xactium system is due to go live this week
and reports will be ready for the next RCC in July.
(d) ST confirmed that there had been a session with the Senior Lead team to
discuss the implications of Brexit and the risks faced by POMS. There are
to be further sessions as possible risks emerge.
Action ST (e) ST discussed the new risks facing POMS including concentration risk,
investment curve, aggregators, Management information, shareholder
funding and staff. ST will enter the new risks on the Risk Register and
communicate to RCCC.
RCC17/53 INCIDENT MANAGEMENT
Action ST (a) The ghost policy issue was discussed and RT confirmed that the root
issue is being investigated; in the meantime the scale has reduced and
fixes are being put in place. ST to obtain an update to the actions from the
team and update the Incident Register.
Action ST (b) An incident relating to the Junction renewal letters following the new FCA
requirements has been entered on the Incident Register. ST to
investigate full details and check if Junction have now resolved the issue.
RCC17/54 1ST LINE COMPLIANCE REPORT
(a) RT discussed the operational issues encountered in Webhelp. The QA
results for May were reported at 40% and so far for June at 42%. There
are issues with the volume of new agents, level of competence and
oversight. The errors are also shown in the 2nd line compliance and the
complaints handling. It had been decided to implement Project Calibre to
deal with the issues. This project will be overseen by Head of Operations
Nichola Hazard. Actions include looking at recruitment processes and
training programmes and taking significant steps to step in to the
management of WH and control of the QA/Complaints team. Need to
understand and improve operations quickly. This will mean a focus for
the POMS team based in Glasgow to ensure solutions are embedded
quickly. RT is now receiving a data feed from WH as there were concerns
over the transparency of the MI provided.
(b) BT reported that the CLUK claims project for Home is now live, however
only with one insurer so far and only one claim. More information will be
provided at the next meeting.
(c) Travel claims are reporting higher in number due to seasonality but levels
of repudiations are consistent.
(d) Complaints — It was noted that no MI had been received from WH this
month for complaints and concerns were mounting over the handling and
reporting of complaints as discussed earlier.
Action MB (e) MB discussed the emerging trend in the Collinsons complaints relating to
errors and customer services in branch. MB confirmed that the complaints
are consistent with branch feedback in complaints. MB agreed to monitor
and discuss with CISL.
Action MB (f) MB noted that there had been a disparity in the POMS lapsed curve and
the RL dashboard. There appears to be a significant gap in cancellations
report. MB also noted that the dashboard appears to be more consistent
with the cancellation data from Royal London. MB will discuss with David
Williamson which MI to use.
POMS RCCC minutes, 26 June 2017 Final Page 2 of 4
Committee meeting-13/09/17
209 of 227
POL-BSFF-0238511_0208
9.2. POMS RCC Minutes
210 of 227
RCC 17/55
(9)
(a)
(b)
RCC 17/56
(a)
RCC 17/57
(a)
(b)
POL00423693
POL00423693
Company no, 8459718 ~ Strictly Confidential
Cancellation reasons were showing 38 conduct cancellations due to
branch processes. No cancellation reasons had been provided by RL, SH
to chase.
RT presented a report on the Upheld Complaint Deep Dive. Currently the
business upheld rate is 20%. However, this has not been achieved and
the rate has been 32% on a 12 month average with travel being the
highest in volume and upheld rate. It was also noted that POMS as a
business is performing within average industry levels. It was agreed in
the meeting to increase the upheld rate tolerance level in the scorecard to
35% with a 10% tolerance for Amber.
2nd Line Compliance Monitoring
EMM provided a report on the 2nd line compliance monitoring undertaken
at Webhelp. There were 87 variances for Travel and 36 for Life with 4
instances of potential detriment. These are reflective of the new QA
agents and the lack of training and guidance; this will be picked up as part
of Project Calibre. EMM also confirmed that she had undertaken a training
and calibration session with the new QA personnel. EMM noted that the
new agents are undertaking their training in Falkirk and losing valuable
hours in travelling, with no compliance included in the training.
AY provided an update on the 2nd line compliance monitoring undertaken
in the branches and noted that there had been an increase in calls
available for review. Subsequently, the number of calls reviewed for the
2nd line compliance monitoring had also been increased. SH noted that
the VMS process is currently out for tender and advised that the number of
VMS calls for insurance should be representative of the business written.
It was also noted that due to the tendering process there had been no
Non-Video VMS visits to review during April or May.
SG confirmed that the financial promotions approved first time continues
to improve with the remainder achieving approval on the second attempt.
SG also advised that there had been a review of the Financial Promotions
process and confirmed a decision to remove the withdrawal forms had
been undertaken.
ISAG REPORT
There was no ISAG report provided this month. It was noted that a new
starter was due to join the IPA team who will attend the RCC from August
onwards.
POL REPORT
SH confirmed that the scope of the monitoring team will be widening and
will be looking at other areas, including Mortgage Specialists, training,
ASPM and BDM spans of control and sales behaviours (including the
behaviours during customer offer days).
SH advised that the final draft PWC report had been discussed and
responses prepared and was now ready to go to EXCO.
SH advised that Thistle has also completed two reviews, Anti-Money
Laundering and Anti-Bribery and Corruption. There were a few minor
issues to address but both reported low risk.
SH discussed the issue with the JCC and the unwillingness of the POL
management to address the items raised during the monitoring reviews.
Progress will be made by tackling issues and putting action plans in place.
SH discussed the EUM project. The roll-out had been scheduled for June
but was delayed due to operational issues, including issues with access to
Success Factors. The pilot is now scheduled for 26 July. This will involve 25
branches over a period of 3 weeks. Full rollout of 500 branches selected
by POMS will commence 11 September for 6 weeks. A further rollout of
another 500 branches is expected by February 2018. These rollouts will
cover 75% of the top performing branches within the network. SH also
advised that Michelle Downs will now look after the EUM project.
MATTERS ARISING AND ACTIONS LIST
16/45 (c) PCI Compliance — RT seeking to understand POMS requirements
in line with the new Globalpay contract. Defer to September meeting.
16/92 (b) Risk Management — Produce for control self-assessment and
share with the owners — September meeting.
17/26 (f) Cancellation reason- SH to check with Royal London for more
information on cancellation reasons. Ongoing
17/37 (a) EMM To investigate bank details visible when calls paused.
Ongoing
ANY OTHER BUSINESS
MB thanked SH on behalf of the attendees for her continuing help during
her time as chairman of the RCC and wished her success in the future.
There was no other business raised. There being no further business the
meeting was closed.
The next meeting of the RCC will be held on 27 July 2017 at 15.00.
Chairman ............................................ Date ............................
POST OFFICE MANAGEMENT SERVICES LIMITED (Company)
RISK, COMPLIANCE AND CONDUCT COMMITTEE (RCCC)
(A committee of the Executive)
Minutes of an RCCC meeting held at
Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ
On 31 July 2017 at 12.00pm — 1.30pm
Present: Stephen Gaines (SG) POMS Compliance Manager (Chair)
Russell Tavener (RT) Head of Commercial Operations
Michael Brown (MB) Deputy for Head of Commercial
Ryan Griffin (RG) Head of Protection
Sanjeeve Thakrar (ST) Risk Manager
Francisco Couto (FC) Head of FS Legal
Mike Lowe (ML) Project Manager
James Dingwall (JD) Interim Head of Compliance
Alberto Zanatta (AZ) Audit Manager
In Attendance
Apologies: Gerry Barrett (GB) Head of General Insurance
Gill Craig (GC) Deputy for Head of Travel
Elizabeth McMenemy (EMM) Compliance Advisor
Ann Young (AY) Compliance Advisor
RCC17/59 WELCOME, QUORUM AND CONFLICTS OF INTEREST
The Chairman declared the meeting quorate and open.
RCC17/60 MINUTES OF THE MEETING HELD ON 26 June 2017
(a) The minutes of the meeting held on 26 June 2017 were approved and
the Chairman was authorised to sign them as a true record of the
meeting.
RCC17/61 RISK MANAGEMENT
(a) POMS ExCo Dashboard — ST discussed the five risks which remain
outside of risk appetite.
(b) JD highlighted the potential risks and liability faced by POMS in reference
to the Product Distribution risk. Specific concerns centred on what actions
were being taken to mitigate customer detriment for identified challenges
within WebHelp.
(c) RT agreed to check the Professional Indemnity (PI) policy. [Action: RT]
(d) SG confirmed that a sample (17) upheld complaints closed by WebHelp
had been subject to 2nd line checks which showed complaints were being
closed down correctly.
POMS RCCC minutes, 31 July 2017 Final Page 1 of 3
(e) It was agreed by all that a review of the process for tracking FOS
complaints was required. RT/SG to review and agree the process. [Action: RT/SG]
(f) FC asked whether the risk rating for the Appointed Representative (AR)
was likely to change once the EUM project concluded in September
2017.
(g) JD stated that the most likely outcome at best would be an ‘Amber’ rating.
However, the impact of EUM would see an improvement in 1st line
defence from a POL perspective in terms of T&C and improved
monitoring in branches. JD concluded that a Risk Acceptance Note may
be required.
RCC 17/62 INCIDENT MANAGEMENT
(a) ST confirmed that the incident management definition and process is
scheduled to be reviewed in August with the assistance of the
Operations team. [Action: ST/RT/MB]
RCC17/63 1st LINE COMPLIANCE REPORT
(a) QA results for Travel reported at 42. Actions are already underway to
address identified issues. These are being addressed as part of Project
Calibre.
(b) The increase in reported Travel claims and repudiation was attributed to
seasonality.
(c) Cancellation reasons — identified trend highlighted issues of conduct
relating to the sale of Travel Insurance both within branch and the
contact centre due to errors. Volumes remain relatively low compared to
the number of policies sold within the month.
(d) Complaints showed an increase in overall dissatisfaction in June
(13.5%) and complaints volumes also increased by 13.3%. % of upheld
complaints rose from 34.0% reported in May to 50.6% in June. Sharp
rise attributed to the increase in closed complaints reported for Travel
Insurance.
(e) Complaints trends identified continued issues in relation to the travel
refund process, non-receipt of policy documentation and
incorrect/insufficient information in branch.
(f) RT/MB to facilitate the process for reviewing the refund process and
issues associated with the non-receipt of policy documentation for Travel
Insurance. [Action: RT/MB]
RCC 17/64 2nd LINE COMPLIANCE REPORTING
(a) SG informed the RCC that 2nd line monitoring of calls has ceased
temporarily while issues in WebHelp are being resolved. EMM will
continue to support the delivery of Project Calibre.
(b) POMS Monitoring team — overall generic branch visits have ceased.
Decision to cease monitoring was taken as a result of the same issues
being identified to which findings have already been shared and
discussed with POL.
(c) SG stated the POMS Monitoring team will now focus on carrying out
focused and targeted thematic reviews within the POL branch network.
RCC 17/65 ASSURANCE ACTIVITY
(a) RT advised that two complaints audits have been carried out by the
Operations team. The audit rating for Cardif Pinnacle recorded a
‘satisfactory’ rating. The audit for BISL Ltd (Junction) recorded an
‘unsatisfactory’ rating. Copies of both reports to be circulated once
signed off. [Action: RT/MB]
(b) Collinson audit on POMS is nearing its conclusion. SG informed that
actions relating to vulnerable customers were the only outstanding issue.
However he did envisage that Collinson may return in October 2017 to
carry out a further audit.
(c) JD to review the T&C requirement for Collinson. [Action: JD]
(d) JD stated that the PWC audit report was ‘acceptable’ and very
achievable.
RCC 17/66 POLICIES AND PROCEDURES
(a) JD - Senior Management Certificate (SMR) first draft is ready for review
to which a draft training presentation will set out the program of
embedding into POMS. A project manager has been assigned to
manage the timings for rollout and relevant communications.
RCC 17/67 MATTERS ARISING AND ACTIONS LIST
(a) Agreed by all that Action Log will be circulated with required responses
actioned.
RCC 17/68 ANY OTHER BUSINESS
(a) Ehtsham Ali, Senior Compliance Manager, ISAG to be invited to attend
the next RCC meeting in August 2017.
(b) There was no other business raised. There being no further business the
meeting was closed.
(c) The next meeting of the RCC will be held on 31 August 2017 at
10.30am.
Chairman ............................................ Date ............................
9.3. Insurance Renewal
RISK AND COMPLIANCE COMMITTEE DECISION PAPER
9.3 Post Office Insurance
renewal
Author: Mark Dixon Sponsor: Alisdair Cameron Meeting date: 13 Sept 2017
Executive Summary
Context
The business has a series of insurance policies due for renewal on 1 October 2017.
Question addressed in this report
1. What level of cover is proposed and how has this changed from last year?
2. Are RCC members aware of any claims brought in respect of risks under our
Professional Indemnity or Directors & Officers Liability insurance or of regulatory
investigations that should be disclosed to insurers?
Conclusion
A summary of the policies and cover can be found in the Broker’s Pre-renewal Update
Report, attached.
Insurances to be purchased are the same as last year. No significant changes are
proposed. Coverage levels, with the exception of the extension to the Cyber policy
coverage, have been kept in line with last year and all policy limits and deductibles for
the current renewal are as per expiry.
These cover the business for most major risks albeit with high deductibles. We
consider these levels of insurance to be reasonable and appropriate for the POL
business.
POL has not made any claims against its insurers over the last year largely due to the
significant levels of self-insurance (via deductibles).
The annual cost of insurance in 2016/17 was circa £1,230k, excluding IPT. We are
finalising the cost for 2017/18 and expect small cost savings to be achieved, reflecting
the reduction in size of our vehicle fleet and workforce, resulting in a total spend of
IRRELEVANT, excluding IPT. It should be noted though that the rate of IPT has
increased from 10% to 12%. The overall net savings, after taking account of the IPT
increase, are estimated at IRRELEVANT. We propose using this saving to extend our
Cyber insurance from the current coverage in relation to two specific contracts to
cover the whole business.
Strictly Confidential RCC 13 September 2017
Input Sought
The RCC is asked to approve the renewal as set out in the Brokers’ report,
for submission to the ARC and Board for approval.
The Report
What level of cover is proposed and how has this changed from last year?
1. [redacted] were appointed as insurance broker to the Post Office in 2015 and have
now worked with POL on its 2015, 2016 and 2017 renewals. They have helped
achieve premium reductions of [redacted] in 2016 as well as various
improvements to our policies.
During 2016/17 we have re-aligned all expiry dates to ensure that all policies renew
on 1 October.
2. POL purchases insurances expected for a business of its size and complexity. These
comprise cover for: Crime; Motor; Combined Liability (Employers Liability and
Public/Products Liability); Property Damage and Business Interruption; Directors and
Officers Liability; Terrorism; Personal Accident/Business Travel; Professional
Indemnity; and Cyber.
POL seeks to manage the cost of its insurance premiums through the size of the
deductibles it takes (i.e. the amount that POL must pay before a claim can be made
against the insurance provider). This effectively means that POL is “self-insured” for a
portion of its risk. For example, under our Crime policy, which provides protection for
POL against theft, fraud, and dishonesty committed by employees and third parties, in
particular in relation to risks related to our cash centres, the deductible is set at
[redacted]. This implies that any individual loss would need to be in excess of
[redacted] before a claim can be made against our insurers. The level of deductibles
varies according to the
class of insurance purchased. POL takes advice from its broker when deciding the
level of these deductibles.
A summary of the policies and cover proposed for renewal, including details of
deductibles and sums insured, can be found in the Broker’s Pre-renewal Update
Report, attached. A full Renewal Report will be provided by the Broker after renewal
is concluded.
3. Insurances purchased are the same as last year. No significant changes are
proposed. Coverage levels, with the exception of our Cyber insurance (see 7. below),
have been kept in line with last year and all policy deductibles for the current renewal
are as per expiry.
These cover the business for most major risks albeit with high deductibles. We
consider these levels of insurance to be reasonable and appropriate for the POL
business.
4. POL has not made any claims against its insurers over the last year largely due to
the significant levels of self-insurance (via deductibles).
Cyber insurance from the current coverage in relation to two specific contracts to
cover the whole business (see 7. below).
6. Motor, Combined Liability and Property Damage cover are all on multi-year
agreements put in place last year to achieve cost savings.
7. In connection with the [redacted] tender we explored extending coverage to a third
contract. It was concluded that this was not possible in the market and that to satisfy
the tender requirements we would need to extend coverage from the existing two
contracts to the whole business.
Given that the need for Cyber insurance is increasingly likely to become a requirement
under future tender processes, this seems a sensible approach.
We therefore propose that for the 2017 renewal we extend coverage to the whole POL
business. We estimate that the additional cost of the Cyber coverage will be met from
savings under other policies (see 5. above). We are obtaining quotes on this basis.
Are RCC members aware of any claims in respect of risks under our
Professional Indemnity or Directors & Officers Liability insurance or of
regulatory investigations that should be disclosed to insurers?
8. In connection with the renewal of POL’s Professional Indemnity insurance we must
make the following statement to insurers:
Following enquiry, we are not aware of any claims in respect of the risks to which this
insurance relates ever having been made against the business or any of the Principals,
Partners or Directors. Furthermore, the Principals, Partners or Directors, after full
enquiry, are not aware of any circumstance which might give rise to any such claims.
The cover
From our enquiries we do not believe that there is anything that is required to be
disclosed to insurers. RCC members are asked to consider whether or not they are
aware of anything that POL needs to disclose to the insurers as part of this process.
9. In connection with the renewal of POL’s Directors & Officers Liability insurance we
must make the following statement to insurers:
During the last 12 months, have any claims been brought against any insured persons
or have there been any regulatory investigations into the company where an insured
person has been required to attend?
Directors & Officers Liability insurance covers the cost of compensation made against
POL’s directors and key managers for alleged wrongful acts. Wrongful acts include:
breach of trust; breach of duty; neglect; error; misleading statements; and wrongful
trading.
We have already identified the following regulatory investigations:
• HMRC - VAT Audit
• HMRC - Anti-Money Laundering/Counter Terrorism Finance
• Proposed audit of Telecoms under Privacy and Electronic Communications
Regulations (due in January 2018)
From our enquiries, other than the items set out above, we do not believe that there
is anything that is required to be disclosed to insurers. RCC members are asked to
consider whether or not they are aware of any additional claims or regulatory
investigations that POL needs to disclose to the insurers as part of this process.
Appendix 1: Brokers Pre-renewal Update Report
Post Office
2017/18 Insurance Renewal
Pre-renewal Update Report
LOCKTON
Broking done differently
Executive Summary
Background
This paper sets out a high level summary of the outcome of the renewal of the Post Office
insurances due for renewal on 1 October 2017. The key points to note include:
• This year we currently estimate to achieve like for like premium [redacted],
adjusted to reflect reductions in the size of your business, again with some
improvements to your policies.
• All policy cover, limits and deductibles remain unchanged from 2016/17.
• Post Office has not made any claims against its insurances in the past year, largely due to the
significant levels of self-insurance (via deductibles) that you take*.
* Claims Commentary — Post Office has not had a claim that has breached the policy deductibles
in recent years. You have relatively high deductibles which help reduce premium spend,
but you also have a low frequency of incidents below the deductibles for a company of your
size. This might be regarded as a reflection on the quality of your risk management. Full
details of your claims experience are available if required.
Programme structure chart
The chart below shows the various insurances Post Office currently purchase (details as proposed for renewal at 01/10/2017).
[Programme structure chart; policy labels recovered from the image: Crime; Motor (Third Party Only); Combined Liability; Property Damage & Business Interruption; Directors & Officers; Professional Indemnity (Post Office Ltd; Post Office Management Services); Sabotage & Terrorism; Personal Accident & Business Travel; Cyber. Figures marked IRRELEVANT.]
Summary of policy cover
Crime
This insurance is made up of a primary IRRELEVANT with an overall limit of IRRELEVANT. The key risks are
IRRELEVANT; this policy also IRRELEVANT risks you face.
Motor Liability
IRRELEVANT
Property Damage and Business Interruption
IRRELEVANT
Professional Indemnity
Professional Liability arising out of certain specific activities - you have IRRELEVANT
which IRRELEVANT. Both Policies were originally IRRELEVANT.
Cyber
IRRELEVANT
Special Contingency
Details of this are not widely circulated.
Premium summary
[Table; all figures marked IRRELEVANT. Columns: Policy | 2016/17 Premium | 2017/18 Premium | Percentage Premium Saving 2016/17 to 2017/18 | Comments.
Rows: Crime; Motor; Combined Liability; PI - POL; PI - POMS; D&O; Terrorism; Contingency; PA & Travel; Total; Total inc. IPT.]
Since [redacted] appointment in 2015 overall premium spend has decreased by circa 50% ([redacted]), not allowing for reductions in the size of your
business, whilst at the same time enhanced policy coverage including lower deductibles on certain policies has been achieved.
Location:
Post Office Ltd
Risk & Compliance Committee meeting
13 September 2017
Boardroom 1.19 Wakefield, Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ, United Kingdom.
ATTENDANCE LIST
ATTENDEES
SIGNATURE
MacLeod, Jane
Cameron, Alisdair
Houghton, Rob
Gilliland, Kevin
Kirke, Martin
Davies, Mark
Edwards, Martin
Kennett, Nick
Vennells, Paula
Also in attendance
CoSec
Additional access
Regan, Avene
Smith, Debbie