POL00423697 - KPMG - Project Birch - Review of POL Current Investigation Process - Draft


POL00423697

Project Birch

DRAFT

Review of POL current investigation process

Post Office Limited

13 August 2021

This report is provided pursuant to the terms of our contract with Post Office Limited (POL). The report is intended solely for
internal purposes by the management of POL and should not be used by or distributed to others without our prior written
consent. To the fullest extent permitted by law, KPMG LLP does not assume any responsibility and will not accept any
liability in respect of this Report to any party other than the Beneficiaries.

POL-BSFF-0238515
Important notice

Limitations and confidentiality

This report is strictly private and confidential and has been prepared by KPMG
LLP ('KPMG') solely for the use and benefit of Post Office Limited ('POL') in
accordance with the terms of our contract and change request agreed by POL
with KPMG dated 30 June 2021.

This report has been prepared by KPMG in accordance with specific terms of
reference ('terms of reference') agreed between POL and KPMG. KPMG wishes
all parties to be aware that KPMG's work for POL was performed to meet these
specific terms of reference.

The report should not therefore be regarded as suitable to be used or relied upon
by any other person for any purpose, including any court or other investigatory
proceedings. The report is issued to all parties on the basis that it is for
information and discussion purposes only. Should any party choose to rely on this
report, they do so at their own risk. KPMG will accordingly accept no responsibility
or liability in respect of this report to any party other than POL.

Any redistribution of this report requires the prior written approval of KPMG and in
any event is to be a complete and unaltered version of the report. Such consent, if
given, may be on conditions including without limitation, an indemnity against any
claims by third parties arising from release of any part of our report.

KPMG does not accept or assume responsibility to any readers other than POL in
respect of its work, this report, or any judgements, conclusions, opinions or
findings that KPMG may have formed or made, to the fullest extent permitted by
law. KPMG will accept no liability in respect of any such matters to readers other
than POL.

© 2021 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.


DRAFT FOR DISCUSSION PURPOSES ONLY

Should any readers other than POL choose to rely on this report, they will do so at
their own risk.

KPMG does not provide any assurance on the appropriateness or accuracy of
sources of information relied upon and KPMG does not accept any responsibility for
the underlying data used in this report. Should the information provided be inaccurate
or incomplete, or if any further information becomes available, KPMG may need to
revise its findings.

In preparing this report KPMG have not conducted an audit and accordingly the scope
of work is different from that of an audit and does not provide the same level of
assurance as an audit.

This document does not give rise to a client relationship between KPMG and any
other person (other than POL) for any purpose or in any context. Any party that
obtains access to this report or a copy under the Freedom of Information Act 2000,
the Freedom of Information (Scotland) Act 2002, or otherwise and chooses to rely on
this report (or any part of it) does so at its own risk. To the fullest extent permitted by
law, KPMG LLP does not assume any responsibility and will not accept any liability in
respect of this report to any party other than POL.

This report is DRAFT and our findings to date are subject to factual accuracy
checking with the relevant teams within POL.

Document Classification: KPMG Confidential


Contents

Background
Executive summary
Current state overall assessment
Current state assessment by incident type
Future state target operating model
Road to implementation
Details of activities performed by each team
Future state target operating model detailed design
Document lists
Stakeholder engagement lists


Context

Whilst Post Office Limited (POL) no longer brings private prosecutions, it continues to
perform a variety of investigations as required, across its business.

POL's vision is that these investigations be conducted to the appropriate standard
by appropriately qualified individuals and adhere to market practice with the
necessary records created, maintained and retained so POL can discharge all its
obligations, now and in the future, including those required by statute.

POL’s vision is to ensure that when investigations are undertaken, they do not pre-
judge an outcome, are fair and objective, properly planned, resourced and
executed; recommendations and outcomes must be actioned and reported to the
appropriate executive and board forums, with decisions made in accordance with
delegated authorities.

POL investigations should be conducted in accordance with the Group
Investigations Policy ('GIP') and, where there is potential or suspected criminal
misconduct, the Cooperation with Law Enforcement Agencies and Addressing
Suspected Criminal Misconduct Policy ('CLEP').

POL engaged KPMG to undertake a review of its current investigations process as
set out in our terms of engagement dated 30 June 2021.

The investigations within the scope of the review are conducted by the following
teams:

- Service and Support Optimisation;
- Franchise Partnering;
- Compliance;
- Human Resources; and
- Cyber.


Scope of work

KPMG has undertaken a review of POL's current investigation process to establish whether
its current decentralised model is effective, especially in relation to high-risk cases
(suspected criminal misconduct, those with a regulatory nexus, and cases requiring
privilege) and to consider the best model for investigations going forward.

We did not review historical investigations or any conducted in relation to the Historical
Shortfall Scheme.

Our work included

- A current state assessment of the investigations process for teams performing
investigations, taking into consideration governance, process, people and infrastructure.

- Developing a future state target operating model ('TOM') for the investigations process
including the consideration of a Central Investigations Unit ('CIU').

Our work has relied on discussions with relevant POL staff, reviewing relevant policies
and process documents and reviewing a sample of closed investigations from each team.

Structure of our report

Section 1 sets out the background to POL's current investigations process.

Section 2 summarises our overall findings for the current state, identifies key areas of
change and gives an overview of the future state TOM.

Section 3 provides detailed findings over the current state, with section 4 providing detail by
incident type; in both sections we have also provided recommendations for improvement.

Section 5 sets out our proposal for the future state TOM and section 6 sets out the
potential roadmap to implementation.

Appendix 1 summarises the investigatory activities undertaken across POL. Appendices 2
to 6 provide detailed design over certain aspects of the future state TOM. Appendices 7 and
8 detail the documents and stakeholder engagement that we have relied upon in
completing our review.


Key abbreviations

CIU - Central Investigation Unit
POL - Post Office Limited
DaW - Dignity at Work
TOM - Target Operating Model
GIP - Group Investigations Policy
CLEP - Cooperation with Law Enforcement Agencies and Addressing Suspected Criminal Misconduct Policy
LEAs - Law Enforcement Agencies
SME - Subject Matter Expert
DPA request - Subject access request for disclosure of information required under the Data Protection Act
MSA - Modern Slavery Act
SAR - Suspicious Activity Report
RACI - Responsible, Accountable, Consulted, Informed
NCA - National Crime Agency
ICO - Information Commissioner's Office
s.7 notice - Section 7(1) of the Crime and Courts Act 2013 request for disclosure to the NCA
IA - Internal Audit
MLRO - Money Laundering Reporting Officer


Background

Overview of POL investigatory activities

Each of the teams listed below conducts investigatory activities. We have reviewed the activities of each team to determine whether they fall within the definition of an 'investigation'
as agreed with POL and included on slide 8. Details of the work undertaken by each team are summarised at Appendix 1.

We have identified there is no clear definition of what constitutes an investigation within POL. The term 'investigation' is used loosely across the business to cover a mix of
investigatory activities, many of which would not typically be categorised as investigations but rather identify areas where Postmasters require more assistance, help Postmasters
deal with errors or discrepancies, or undertake information gathering activities.

Although the Legal department has not been specifically included within the review, it is a key department as the Group Legal Director is the policy owner for the GIP and the CLEP;
it also provides the wrapper of privilege and determines whether cases should be passed to the Law Enforcement Agencies ('LEAs') in instances of criminal misconduct.

[Diagram: teams conducting investigatory activities - Legal; Network monitoring; Code of Conduct; Cyber; Retail liaison; Security; HR liaison; Postmaster dispute resolution; GLO liaison; Postmaster complaints]

Background (cont'd) - POL investigatory activities categorised

From our review of the work undertaken by each team, it is apparent there are areas that would not typically be categorised as investigations. We have categorised the different
investigatory activities undertaken across POL below. Our current state assessment and future state TOM have focused on those activities categorised as investigations.

Investigations

We have used the following criteria to define a POL investigation:

- Where it is mandated by law or regulatory requirements such as allegations of bribery and corruption, modern
slavery, money laundering, or data protection breaches;
- Where there is a suspicion or allegation of misconduct or wrongdoing;
- Where an investigation is required to establish the facts and an outcome specific to POL is generated, e.g.
following up a whistleblowing incident, employee disciplinary action, civil proceedings, Postmaster termination.

POL receive complaints and allegations of misconduct or wrongdoing from numerous sources. Teams who
receive complaints/allegations of wrongdoing often do not undertake the investigation themselves but refer them
to Area Managers, Operational Line Managers or independent senior Managers.

Teams and activities:
- Contracts - contract breaches
- Whistleblowing - whistleblowing incidents
- Issue Resolution - Postmaster complaints
- Customer Support - customer complaints
- Customer Experience - Modern Slavery incidents
- Financial Crime - SARs investigating and reporting*
- Cyber - cyber breaches
- Data Protection - data incidents and suspected breaches
- Human Resources - grievances, breaches of Dignity at Work (DaW) and Code of Conduct

Cash, stock and foreign currency balance monitoring / verification

POL monitor branch activity to help ensure the accuracy of branch accounting records relating to cash, stock and
foreign currency and to assure the integrity of cash, stock and foreign currency is maintained. Monitoring is
designed to identify risks and help the branch resolve associated issues. These teams do not conduct
investigations but identify potential issues which are then flagged to the relevant teams.

Teams and activities:
- Network Monitoring - branch monitoring
- Audit Support - branch monitoring
- Financial Crime - bureau monitoring

Postmaster support

If a Postmaster identifies a discrepancy within their branch accounting, they can raise the issue with POL who will
seek to resolve these accounting discrepancies.

Teams and activities:
- Postmaster Dispute Resolution - Postmaster disputes

Information gathering

POL respond to a number of external information requests including requests from LEAs, s.7 notices and DPA
requests. In addition, internal information gathering is undertaken by the Data Protection team in response to
internal investigations.

Teams and activities:
- Security - responding to information requests
- Financial Crime - s.7 notices and DPA requests
- Data Protection - email review and data collection

Compliance and assurance

Compliance reviews are undertaken on the sale of financial services products, and risk assessments are
undertaken with product managers to identify and remediate potential financial crime risks. These are not
investigations but compliance and assurance reviews.

Teams and activities:
- Conduct Compliance - assurance reviews
- Financial Crime - product risk assessment and assurance

* Financial Crime investigate allegations of money laundering in order to determine whether a SAR should be submitted to the NCA. We were
informed any further investigation is undertaken via the Whistleblowing team; we have therefore restricted our assessment to that team.


Executive summary


Introduction

Our review has focused on identifying whether the current decentralised
investigations model adopted by POL is effective, especially in relation to high-risk
cases, and to consider the best model for investigations going forward. Our key
findings are summarised below.

Current state assessment

POL's decentralised model provides individual business teams with
the independence to develop and deliver their own investigations framework;
however, there is limited central oversight over these frameworks and the policies
and processes that have been adopted by individual business teams.
Whilst this model utilises the experience and expertise of staff within the business,
[text illegible] there is no consistency over:

- how investigations are undertaken;
- the experience and qualifications of the investigators;
- the application of investigation minimum standards, especially in relation to high-risk cases; and
- the recording and reporting of investigation data.

[text illegible] Currently there is no process to provide any central oversight or governance over
whether the business teams adhere to the standards set out in the GIP.

In addition, there is no overall central monitoring of the investigations process and no
visibility over the overall investigations population. As a result, POL have no
comprehensive analysis over the number or type of investigations it undertakes, including
those that are high-risk.

[text illegible] whether it could potentially result in criminal, civil or disciplinary proceedings. Early
engagement with POL Legal would enable proper consideration of criminal or civil
standards or consideration of when to liaise with LEAs.

During our review we identified a number of areas where the current POL investigations
process falls short of market practice. We have categorised our findings against the
framework of governance and process, people and infrastructure and identified the
following key themes:

Governance and process

- Investigations are not conducted consistently across POL: As noted above, the
current decentralised framework means there is a lack of consistency across the
overall POL investigations process. Work on embedding the GIP across all business
teams was paused whilst we undertook our review; however, we were informed by the
business teams that certain elements of the GIP are too onerous if applied to high
volume, low risk investigations.

Whilst the majority of business teams have documented policies and processes in
place, there is inconsistency in how these are documented. Some business teams
[text illegible], whilst others document policies at a high level with details being included
in specific process guides. As a result, there are different levels of oversight and
inconsistencies in the level of Board sign off for policies and processes.

Whilst business teams often have standard templates setting out reporting
requirements, we understand there is no clear guidance given to investigators on how
these should be completed, which we were informed results in varying standards.

There is also a lack of consistency across POL in terms of the use of Legal and other
subject matter experts (SMEs). Consultation requirements are not formalised over
when to liaise with Legal and other SMEs. There is therefore a risk that Legal are not
consulted on cases that could result in litigation.
Executive summary (cont'd)

Governance and process (cont'd)

- Lack of overarching governance and oversight over high-risk
investigations: Currently, there is no overarching governance or central
oversight over high-risk cases and the majority of business teams do not
differentiate between high-risk and other cases when conducting an
investigation. In addition, business teams have no specific mechanism for
collating and reporting details of high-risk cases, meaning there is an overall lack
of central visibility over these cases.

As a consequence, there is a risk that high-risk investigations are not being
conducted with the appropriate level of rigour to withstand public scrutiny and
that outcomes may not be in line with POL's risk appetite.

- There is no clear, consistent triage process in place across POL: There is
no consistent approach to triage across POL; whilst some business teams triage
cases on receipt, this is largely based on product type and case age rather than
the risk profile of the incident or its potential outcome. In other business teams
there is no formal triage process in place. Across POL there is no consistent
definition as to what constitutes a high-risk case.

- Lack of consistent monitoring and reporting over all investigations: There
is a lack of consistency in the availability and reporting of MI by the various
business teams. HR in particular, due to the use of MyHRHelp, have limited
ability to extract MI and there is a risk that not all HR investigations are logged
and recorded.

There are also inconsistencies in the reporting of MI to senior leadership; whilst
some teams have clear reporting lines, others do not formally report outside of
their teams.

There are also inconsistencies in the use of KPIs/SLAs across POL. Whilst some
business teams have KPIs/SLAs that are monitored each month, others have a less
formal approach.

Where investigations touch multiple business teams there is no formal handover or
process to monitor which business team currently holds the investigation, next steps
or who has accountability for the outcome. As a result, there is a risk that cases will
get delayed or lost, or the appropriate next steps will not be actioned.

- There is no consistent approach to quality assurance across the business
teams: Business teams have developed their own individual approach to quality
assurance. Whilst some business teams undertake formal monthly quality assurance
reviews on a sample of cases and feed back findings to the individual investigators,
others have a more ad hoc approach.

Specifically, where business teams tend to rely on Area Managers and/or Line
Managers to conduct investigations, the lack of periodic quality assurance reviews
increases the risk that investigations are not being conducted to the required standard.
We also understand, in these instances, there are no requirements for the quality of
investigations to be considered as part of the investigator's performance review, and
as a result underperformance would not be assessed and actions for rectification of
any deficiencies put in place.

In addition, there are no independent quality assurance reviews undertaken across POL
to ensure that business teams adhere to standards set out in the GIP.

- There is limited evidence of "lessons learnt" and continuous improvement
arising from investigations across POL: Whilst some business teams do monitor
investigations in order to identify trends or business improvements, this is not
consistent across all business teams.

Where issues are identified the process for feedback within the business is informal
and relies upon conversations and emails. There is no formal process for collating
lessons learnt and no follow up to ensure continuous improvement has been actioned.

Executive summary (cont'd)

People

- Business teams often use Area Managers and Line Managers to conduct
investigations: Teams with specific areas of focus such as Contracts and
Cyber ensure investigations are undertaken by staff within their function. In these
instances, there are clearly defined roles and responsibilities and clear
accountability for outcomes. Other teams such as HR and Whistleblowing rely
on Area Managers / Line Managers to conduct investigations on their behalf; in
these instances there is a lack of clarity over roles and responsibilities and who
is accountable for outcomes.

Where Area Managers and Line Managers undertake investigations, these may
be into their direct reports and there is a potential risk that investigators will not
be independent or there will be a perceived conflict of interest.

Area Managers and Line Managers may have limited investigations experience
and there is a risk they are not appropriately qualified to undertake high-risk
investigations.

- There is a lack of training in respect of investigations across POL: There is
no specialist investigations training provided to any of the business teams or
individuals conducting investigations; in addition, there is no training provided
over the standards set out in the GIP.

Relevant business teams using Area Managers and Line Managers to conduct
investigations do not provide training on the use of templates and checklists.

Infrastructure

- There is no consistent use of an investigations case management tool
across POL: Currently business teams use a mixture of Excel, Dynamics,
ServiceNow, MyHRHelp and OneTrust to log cases and record investigations.
Whilst Dynamics is used by the majority of teams there is inconsistency over the use
of its functionality and there appears to be little understanding of its full capabilities.
Area Managers do not have access to Dynamics and record investigation findings on
Qualtrics; these must be manually uploaded by business teams.

Current state assessment rating

We have mapped our findings by theme for the overall current investigations process and
for each of the incident types on the next slide using the following ratings:

Rating - Description
Red - Limited or no evidence of established market practice
Amber - Some evidence of established market practice
Green - In line with established market practice

Our overall grading for the current POL investigation process from a holistic perspective
based on our assessment is red. We would expect an average organisation of POL's size
to operate with a mix of amber and green ratings across the identified themes in order to
obtain cost/benefit maximisation.

Our detailed current state assessment of the POL investigations process with
recommendations for improvements is summarised in section 3. Our detailed current
state assessment for each incident type along with recommendations for improvements
is set out in section 4.

Key areas of change

Based on our current state assessment we have identified a number of key areas of
change that are required in order to improve POL's current investigation process and
bring it in line with market practice. These are discussed in slides 14 to 17 and form the
basis of the future state TOM that we have developed, an overview of which is set out on
slide 18. Our detailed analysis of the future state TOM is set out in section 5 and a road
map to implementation is set out in section 6.

Current state assessment by incident type

[Figure: "Findings by theme" heat map rating each incident type against each finding; the colour ratings are not recoverable from the scan.
Rows: Overall investigations; Postmaster complaints; Contracts; Customer complaints; Data protection; Whistleblowing; Human Resources; Cyber; Modern Slavery.
Themes: lack of consistent monitoring and reporting; quality assurance; use of Area Managers / Line Managers to conduct investigations; lack of training.
Findings: Policies and processes; Legal involvement (n/a for most incident types); Performance management; Lessons learnt; Capability.]


Current state key areas of change

Based on our current state assessment we have identified the following areas of change that would improve POL's investigations process in line with market practice.

1. To provide a consistent approach to investigations by introducing minimum standards and providing clarity over the application of the GIP

Changes:
- Remove from the scope of the GIP all investigatory activities conducted across Post Office which do not meet the agreed definition of an investigation.
- Review and refine the GIP and determine minimum standards and principles for all investigations and identify those that only apply to high-risk cases.
- Amend business teams' current policies over who conducts investigations to provide increased independence.
- Clarify the roles and responsibilities of staff conducting investigations and accountability for outcomes.
- Introduce formal requirements over when to liaise with Legal and other SMEs.

Benefits:
- Provides clarity to business teams and third parties (e.g., MyHRHelp) over minimum standards, alignment to the GIP and which standards and principles need to be followed by which teams.
- Provides increased assurance of independent investigations and avoids perceived conflicts of interest.
- Provides clarity over the roles and responsibilities of staff conducting investigations and the accountability for outcomes.
- Provides clarity over when to use Legal and other SMEs.
- Provides a clear audit trail over interaction with SMEs and required outputs.

2. Introduce a centralised approach to high-risk investigations, including whistleblowing, and implement a consistent investigations workflow

Changes:
- Introduce a CIU with a Head of Investigations and a dedicated investigation team to assist/perform high risk investigations.
- Incorporate the Whistleblowing processes and team into the CIU.
- Introduce a consistent approach to high-risk investigations that follows a specific process flow including scoping, planning and executing investigations but provides flexibility to adapt to the needs of specific cases.

Benefits:
- Provides a dedicated investigations lead with relevant experience to increase effectiveness of the investigation process.
- Provides a dedicated team who will instil market practice over high-risk cases.
- Gives clear accountability for high risk and whistleblowing investigations.
- Provides assured independence of investigators and the Whistleblowing process.
- Ensures appropriate skill set and use of protocols for high-risk cases.
- Provides an intelligence gathering capability to undertake initial investigation and assess allegations.
- Ensures clearly defined objectives and work to be undertaken are set out at the start of the investigation.
- Provides standardised evidence gathering and document handling to ensure integrity of evidence that could be admissible in Court.
- Ensures a centralised view of all touchpoints with LEAs.
- Provides increased efficiency of investigations resources.


Current state key areas of change (cont'd)

Based on our current state assessment we have identified the following areas of change that would improve POL's investigations process in line with market practice.

3. Introduce a centralised approach to high risk and whistleblowing investigation outcomes

Changes:
- As part of the CIU, introduce a robust governance process over investigation outcomes including defined levels of delegated authority and a review decision forum to determine outcomes of critical cases.

Benefits:
- Ensures robust, consistent outcomes for high risk and whistleblowing cases based on facts with quality assured decision making.

4. Implement consistent triage over all investigations to identify high risk cases

Changes:
- Reference the requirement to triage in the GIP. Incorporate agreed high risk case criteria within business teams.
- Business teams to instigate a method of triage to evaluate the allegation and determine if it meets high risk criteria.
- Set a mechanism to escalate high risk cases to the CIU.

Benefits:
- Identifies investigations that are high risk so that appropriate standards and governance can be applied to potentially contentious cases.
- Provides a set process for determining how these cases should be dealt with and who has accountability and responsibility for the investigation and outcomes.
- Ensures high risk cases receive more focus, driving faster and more efficient resolution of cases.

5. Introduce consistent monitoring and reporting over all investigations

Changes:
- Business teams (including the CIU) to develop appropriate KPIs and the CIU to introduce centralised review, monitoring and reporting.
- Business teams (including the CIU) to implement a mechanism for extraction and collation of MI and the CIU to introduce centralised review, monitoring and reporting.
- Where investigations pass between business teams, introduce a formal handover process with agreed actions and next steps and an escalation process to the CIU for cases where next steps are not being actioned.

Benefits:
- Provides visibility centrally across the business of all investigations undertaken.
- Provides consistency over reporting, setting clear reporting lines.
- Ensures a more consistent approach to MI and KPI monitoring and reporting.
- Improves standard and completeness of MI.
- Ensures cases that cover multiple teams are not lost or delayed, and that next steps are actioned.


Current State key areas of change (cont'd)

Based on our current state assessment, we have identified the following areas of change that would improve POL's investigations process in line with market practice.

6. Introduce consistent quality assurance

Description:
+ Set mechanism for undertaking quality assurance reviews across teams by the CIU to ensure adherence to minimum standards.
+ Business teams to introduce periodic quality assurance reviews over outcomes of investigations done by their teams.

Benefit:
+ Drives a consistent and standard approach to investigations across business teams.
+ Ensures feedback can be acted upon and process improvements identified.
+ Provides assurance over quality of outcomes.

7. Introduce lessons learnt and continuous improvement

Description:
+ Introduce process for identifying lessons learnt after high-risk investigations and incorporate into continuous improvement cycle.
+ CIU to establish root cause analysis and lessons learnt from high-risk investigations and feed back to the business.
+ Business teams to introduce 'lessons learnt' over outcomes of investigations done by their teams and incorporate into continuous improvement cycle.

Benefit:
+ Provides a mechanism to encourage positive change across all areas of the business by identifying issues and providing proactive recommendations to avoid similar issues arising in the future.
+ Identifies issues and how existing processes need to change to enhance continuous improvement.

8. Develop training over investigations standards and processes

Description:
+ Introduce process to provide general investigations training to staff undertaking investigations.
+ Business teams to introduce specific training on how to use standard templates and checklists.
+ Relevant training should be provided by the CIU to investigators on how to use the minimum standards.

Benefit:
+ Professionalises investigations across POL.
+ Drives a consistent approach to all aspects of an investigation.
+ Ensures investigators understand processes relevant to specific business teams.
+ Improves POL's confidence in the quality of investigations across the organisation.
+ Ensures consistency in investigation documentation and audit trail.


Current State key areas of change (cont'd)

Based on our current state assessment, we have identified the following areas of change that would improve POL's investigations process in line with market practice.

9. Understand and improve the functionality of the case management systems used across the business teams

Description:
+ Introduce a consistent Case Management tool for high-risk investigations and Whistleblowing teams in the CIU.
+ Review the current case management tooling approach and architecture to assess whether the application across all business teams can be improved to encourage greater use of the functionality that is available and to reduce the reliance on spreadsheets and storing documents on Sharepoint.
+ Consider where the use of Qualtrics is appropriate for investigations and determine whether any alternative is feasible that provides greater functionality for Area Managers including the ability to upload relevant documents.
+ Consider whether the use of MyHRHelp is appropriate or whether the case management of HR investigations should be brought in house.
+ Introduce additional training around data protection and strengthen the confidentiality policy for the investigation teams.

Benefit:
+ Allows for cases to be logged and tracked across multiple teams, ensuring cases are not lost or delayed.
+ Provides detailed MI.
+ Ensures documents, data sources and case outcomes are recorded and stored appropriately, providing a clear audit trail of investigations and decisions.
+ Allows for an auditable and consistent approach.


POL Investigations process: proposed future state TOM

[Diagram: proposed future state target operating model. Only the text labels are recoverable from the source.]

Oversight / governance (Internal Audit):
+ Internal Audit (IA) to undertake a wholesale audit of policies and procedures 18 months after set up.
+ Ongoing close links between IA and CIU to ensure consistent approach and alignment of objectives.

Within the CIU:
+ High risk investigations
+ Whistleblowing team
+ Intelligence

Outside the CIU:
+ Cyber
+ Customer complaints
+ Postmaster complaints
+ Contract breaches
+ SAR reporting
+ Data protection team
+ Modern slavery
+ Financial crime

Notes:
(2) While the CIU is accountable for high risk cases, the investigation may be conducted by the CIU, business teams or a combination of the two.
(6) The Data Protection team will retain responsibility for investigating data protection breaches and reporting to the ICO.
The MLRO function and all responsibilities for investigating and reporting SARs to the NCA sit outside the CIU.


Current state assessment

An assessment of the current state of the investigations with
observations and recommendations for improvement.


Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure
We have set out our detailed findings from our current state assessment on the following slides along with recommendations for improvements.
We have categorised our findings against the framework of governance and process, people and infrastructure and mapped to the themes identified in the Executive Summary
Area: Governance & process

Theme: Investigations are not conducted consistently across POL; lack of overarching governance and oversight over high risk investigations

Sub theme (where appropriate): NA

Observations:
+ POL currently has a decentralised model for undertaking investigations where teams have independence to develop and deliver their investigations framework with limited central oversight.
+ This model utilises the experience and expertise of staff within the business teams to undertake investigations. However, there is no overall consistency across the investigations frameworks the teams have developed, especially in regard to high-risk cases.
+ As a result, there is not a consistent approach as to how investigations are undertaken across POL, there is a lack of consistency in the experience and qualifications of the investigators and no consistent application of investigation standards.
+ There is no overarching governance or oversight over high-risk cases including centralised decision making over outcomes and no specific mechanism for collating and reporting details of high-risk cases centrally, meaning there is no overall visibility of high-risk cases across POL.
+ As a consequence, POL risk a lack of consistent outcomes, especially over high-risk cases that potentially would not stand up to public, Regulatory and/or Court scrutiny.

Recommendations (partly illegible in the source):
+ Introduce a CIU to deal with high-risk investigations and implement a consistent investigations workflow for these cases including [illegible] planning and [illegible].
+ The CIU to introduce appropriate centralised oversight to high risk and Whistleblowing investigation outcomes [illegible].
+ Include whistleblowing in the CIU to create an [illegible].
+ [illegible] assurance of processes across all [illegible].
Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure

Area: Governance & process

Theme: Investigations are not conducted consistently across POL

Sub theme (where appropriate): The GIP is not yet consistently embedded across the business

Observations:
+ Work on embedding the GIP was paused whilst we undertook our review; currently there is no clarity over which investigatory activities the GIP applies to and there is no process to provide any central oversight or governance over whether the business teams adhere to the standards set out in the GIP.
+ There is a view within the business that the GIP is not compatible with the large volume of low-risk cases that exist in certain teams and concerns it has the potential to cause a mismatch between the investigation standards and the case requirements for low-risk cases.
+ Additional standards over areas such as independence of investigators, requirement to triage cases, clarity over investigators' roles, responsibilities and accountability for outcomes are not included in the GIP.

Recommendations:
+ The CIU to incorporate the agreed definition of investigations into the GIP and remove all other activities from its scope.
+ The CIU to review and refine the GIP and determine minimum standards and principles for all investigations and identify those that only apply to high-risk cases.

Theme: There is no clear consistent triage process in place across POL

Sub theme (where appropriate): NA

Observations:
+ There are no consistent triage processes in place across business teams to identify and escalate the most high-risk or high-profile cases. At present, where triage is in place, it is largely based on product type and case age rather than the risk profile of the incident or its potential outcome.
+ There is no consistent definition as to what constitutes a high-risk case across the business teams.
+ High-risk cases should be more aligned to the standards set out in the GIP, and a failure to triage and consistently identify high risk cases means there is an increased risk that high risk investigations are not conducted to the required standards or in the appropriate order.

Recommendations:
+ The CIU to implement the requirement for consistent triage over all investigations in order to identify high risk cases and reference it as a minimum standard in the GIP.
+ The CIU to introduce defined criteria for high-risk cases across POL.
+ Business teams to instigate a method of triage to evaluate the allegation and determine if it meets high risk criteria.
+ The CIU to introduce a formal mechanism to escalate high risk cases to the CIU.

Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure

Area: Governance & process

Theme: Lack of consistent monitoring and reporting over all investigations

Sub theme (where appropriate): There is no overarching governance or consistent monitoring of KPIs for business teams, particularly over high-risk cases

Observations:
+ While certain business teams monitor KPIs, these appear to be monitored on an individual unit basis, rather than centrally.
+ Without appropriate KPIs, it is difficult to understand which investigation teams are performing to a required standard, and where the focus for budget spend and process improvements should be.
+ Consistent monitoring of KPIs is crucial in order to ensure business teams are meeting objectives and process improvements are identified and actioned.

Recommendations:
+ Business teams to develop appropriate KPIs. CIU to introduce centralised review, monitoring and reporting.
+ Business teams to develop a feedback mechanism and ensure identified issues are appropriately actioned.

Sub theme (where appropriate): There is a lack of consistency in the availability of data and the reporting of MI by the business teams

Observations:
+ HR in particular, due to the use of MyHRHelp, have limited ability to extract MI and there is a risk that not all cases are logged and recorded as the system is reliant on Line Managers calling MyHRHelp to log cases.
+ There are inconsistencies between business teams in the reporting of cases and outcomes to senior leadership. Whilst some teams have clear lines of reporting on a monthly basis, others do not report outcomes outside of their team.

Recommendations:
+ Business teams to implement a mechanism for extraction and collation of MI.
+ CIU to introduce centralised review, monitoring and reporting.

Sub theme (where appropriate): There is no overarching governance or consistent tracking of cases which touch multiple business teams

Observations:
+ Where an investigation touches multiple business teams there is no formal handover or process to track the investigation or identify where the investigation is currently sitting, next steps, or which team has accountability for the outcome. As a result, there is a risk that cases will get lost, resolution will be delayed, or next steps will not be actioned.

Recommendations:
+ Business teams to develop a formal handover process with agreed actions and next steps.
+ CIU to introduce an escalation process for cases where next steps are not being actioned.

Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure

Area: Governance & process

Theme: There is no consistent approach to quality assurance across the business teams

Sub theme (where appropriate): NA

Observations:
+ There is no consistent approach to quality assurance reviews across the business teams.
+ There is no independent quality assurance to ensure business teams adhere to minimum standards.
+ There is no consistent quality assurance, especially in relation to high-risk cases, either in terms of outcomes or process requirements.

Recommendations:
+ Introduce appropriate centralised oversight to high risk and whistleblowing investigation outcomes (see earlier recommendation).
+ CIU to introduce a mechanism to undertake quality assurance reviews across business teams to ensure adherence to minimum standards.
+ Introduce independent assurance from Internal Audit over CIU processes and controls.
+ Business teams to introduce periodic quality assurance reviews over investigations done by/on behalf of their teams and provide feedback to individual investigators.

Theme: There is limited evidence of "lessons learnt" and continuous improvement arising from investigations across POL

Sub theme (where appropriate): NA

Observations:
+ The process for feedback on identified issues across the business is informal and relies on email and conversations. There is no formal mechanism for follow up to identify whether the recipient team has actioned any lessons learnt.
+ Without 'lessons learnt' it is very difficult to understand the variety of cases, report on them and identify improvements.
+ Post-incident activity helps drive development of more efficient investigations.

Recommendations:
+ CIU to introduce 'lessons learnt' for high risk cases, which should be documented, shared and tracked to ensure that identified changes are instigated.
+ Business teams to introduce 'lessons learnt' over outcomes of investigations done by their teams. These should be documented, shared and tracked to ensure that identified changes are instigated.

Current state overall assessment (cont'd)

Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure

Area: Governance & process

Theme: Investigations are not conducted consistently across POL

Sub theme (where appropriate): Documentation of policies, processes and methodologies used by business teams is inconsistent across POL

Observations:
+ Teams adopt different approaches to documenting policies and processes; some policies include detailed step by step investigation methodologies whilst others are high level with the details being included in specific process guides. As a result, there are different levels of oversight and inconsistencies in the level of Board sign off.
+ The majority of teams use standard templates setting out the reporting requirement, however it is left to the investigator to determine how these are completed, which we were informed results in varying standards. In addition, some teams follow checklists setting out the investigation steps, however these steps may not be applicable to all investigations, and it is left to the investigator to determine which steps are required.
+ There is limited communication over the preservation and recording of documentation including evidence handling protocols within policies and process guides.

Recommendations:
+ CIU to provide clarity over the level of detail required in policies and the required level of sign off and include the requirement in the GIP.
+ Business teams should provide specific investigations training in conjunction with the CIU over completion of standard templates and use of checklists.
+ CIU to draft minimum standards over preservation of data and evidence handling and include within the GIP.

Sub theme (where appropriate): Consultation with SMEs including Legal is inconsistent, not documented and not monitored

Observations:
+ Consultation between teams is on an informal basis and depends on the circumstances of the individual investigation.
+ There is a risk that Legal are not consulted on cases that could result in litigation and therefore the wrapper of privilege may not always be applied, especially to high-risk cases, and cases may not withstand public, Regulatory and/or Court scrutiny due to the quality of investigations.

Recommendations:
+ CIU to introduce formal requirements over when to liaise with Legal and other SMEs and a formal process for identifying when consultation is required on an investigation.
+ Business teams to update policies and procedures to highlight use of SMEs.
+ Business teams to introduce a process to document and monitor consultations and outputs.

Current state overall assessment (cont'd)

Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure

Area: People

Theme: Business teams often use Area Managers and Line Managers to conduct investigations

Sub theme (where appropriate): Where investigators are not from the business team there is a lack of clarity over roles, responsibilities and accountability of

Observations:
+ Teams with specific areas of focus such as Contracts and Cyber ensure investigations are undertaken by staff within their functions. In these instances, there are clearly defined roles and responsibilities, staff are trained and experienced at undertaking investigations in their specific area and there is accountability for investigation outcomes by the Business leads.
+ Other teams such as Whistleblowing, Customer and Postmaster Complaints, Data Protection and HR rely on Area Managers and Line Managers to conduct investigations on their behalf. In these instances, there is a lack of clarity over roles and responsibilities, and accountability for the outcome of the investigation is not clear.

Recommendations:
+ Business teams who use Line Managers and Area Managers to conduct investigations should ensure there are clearly defined roles and responsibilities and that the accountability for the outcome is set at the start of the investigation.
+ The CIU to reference the need to set expectations over roles and responsibilities and the accountability of outcomes at the start of an investigation as a minimum standard in the GIP.

Sub theme (where appropriate): Lack of independence by investigators

Observations:
+ Area Managers and Line Managers who conduct investigations on behalf of teams have a good understanding of branches, their respective departments and/or direct reports. However, there is a potential risk that investigators will not be independent or there will be a perceived conflict of interest.

Recommendations:
+ Business teams to amend current policies so that, where appropriate, investigations are conducted by an independent team with separation between the investigator and the subject of the investigation. Market practice would be to have either fully independent investigators or a robust formal process to confirm independence by the investigating manager.
+ The CIU to reference the importance of confirming investigator independence as a minimum standard in the GIP.

Sub theme (where appropriate): Lack of specific investigations experience and appropriate qualifications

Observations:
+ Area and Line Managers may have limited/infrequent investigation experience, meaning they do not have the requisite skill set to conduct high risk investigations.

Recommendations:
+ CIU to have appropriately experienced and qualified investigators to undertake high-risk investigations.

Current state overall assessment (cont'd)

Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure

Area: People

Theme: There is a lack of training in respect of investigations

Sub theme (where appropriate): Lack of specific investigations training across all the business teams

Observations:
+ There is no specific investigations training covering areas such as evidence gathering, document handling or interviewing provided to teams/individuals conducting investigations.
+ No specific training is given over the use of business team policies and methodologies where investigations are undertaken by staff [illegible].
+ No specific training is given over the standards set out in the GIP.

Recommendations:
+ CIU to introduce investigations training to staff undertaking investigations.
+ Business teams should provide specific investigations training over completion of standard templates and use of checklists.
+ CIU to provide relevant training to investigators on how to use the minimum standards.
+ High risk cases to be escalated to the CIU so that investigations are conducted by appropriately qualified and experienced investigators.

Theme: There is no consistent approach to quality assurance across the business teams

Sub theme (where appropriate): Area Managers and Line Managers who conduct investigations are not measured on the quality of their investigations

Observations:
+ Area Managers and Line Managers undertake investigations for a variety of business teams, with Line Managers conducting employee related investigations and Area Managers conducting investigations related to branches.
+ As far as we are aware, there are no requirements for the quality of investigations to be considered as part of their performance appraisal, meaning that underperformance would not be assessed and actions for rectification of any deficiencies put in place.

Recommendations:
+ The investigation role should be included in job descriptions and therefore be part of the performance management framework.
+ Business teams to introduce periodic quality assurance reviews over investigations done by/on behalf of their teams and provide feedback to individual investigators.

Current state overall assessment (cont'd)

Findings and recommendations have been captured in the following areas: governance and process, people and infrastructure

Area: Infrastructure

Theme: There is no consistent use of an investigations case management tool across POL

Sub theme (where appropriate): NA

Observations:
+ There is no consistent use of a case management tool. Across POL, teams use a mixture of Dynamics, ServiceNow and OneTrust. In certain teams incidents are logged onto Excel spreadsheets and documentation/evidence is stored on SharePoint.
+ Area Managers do not have access to Dynamics and cases are passed to them using Qualtrics. This provides block text only and does not allow any document uploads.
+ HR data is maintained by MyHRHelp and POL rely on MyHRHelp advisors to flag high risk cases and upload and store data; however, the system is not designed to produce relevant MI.
+ Dynamics is used by a number of teams; however, there is inconsistency across the business over Dynamics functionality. Some teams use Dynamics to flag cases and classify investigations for trend monitoring whilst others simply use it to log cases, store documents and record outcomes. There appears to be little understanding of the full functionality of existing tools such as Dynamics.
+ There appears to be limited coordination in regards to case management tooling and little consideration for case management tooling architecture.

Recommendations:
+ Review the current case management tooling approach and architecture to assess whether the application across all business teams can be improved to encourage greater use of the functionality that is available and to reduce the reliance on spreadsheets and storing documents on SharePoint.
+ Introduce additional training around the functionality of Dynamics.
+ Consider where the use of Qualtrics is appropriate for investigations and determine whether any alternative is feasible that provides greater functionality for Area Managers including the ability to upload relevant documents.
+ Consider whether the use of MyHRHelp is appropriate or whether the case management of HR investigations should be brought in house.
+ Introduce additional training around data protection and strengthen the confidentiality policy for the investigation teams.


Current state assessment by incident type

An assessment of the current state of the investigations by incident
type with observations and recommendations for improvement.

Current state assessment by incident type

We have set out our detailed findings from our current state assessment by incident type in the following section. Our findings are categorised against the framework of governance and process, people and infrastructure and we have included an overall assessment for each area. We have also provided recommendations for improvements which we have mapped against our key themes.

Incident types:
A. Postmaster complaints
B. Contracts
C. Customer complaints
D. Data Protection
E. Whistleblowing
F. Human Resources
G. Cyber
H. Modern Slavery

Key themes (mapped against each incident type):
+ Investigations are not conducted consistently across POL
+ Lack of overarching governance and oversight over high-risk investigations
+ No clear consistent triage process in place
+ Lack of consistent monitoring and reporting
+ No consistent approach to quality assurance
+ Limited evidence of "lessons learnt"
+ Use of Area Managers and Line Managers to conduct investigations
+ Lack of training in respect of investigation
+ No consistent use of an investigations CMT across POL

[Matrix of incident types against key themes: the individual markings are not recoverable from the source.]


Number of incidents by type

The table

Type                   Number   Period
Postmaster complaints  600      Since Feb 2021
Contracts              208      July 2020 to June 2021
Customer complaints    33,666   January 2020 to December 2020
Data protection        136      January 2020 to December 2020
Whistleblowing         51       May 2020 to April 2021
Human Resources        165      October 2019 to November 2020
Cyber                  1,000    Approx. per month
Modern Slavery         1        April 2020 to March 2021


Postmaster complaints

An assessment of the current state of the Postmaster complaints
investigation process with observations and recommendations.

Document Classification: KPMG Confidential

POL-BSFF-0238515_0030

Postmaster complaints

Overview of current investigation process

The Issue Resolution team is a new team, convened in February 2021. Their remit is
to investigate Postmaster complaints, which are received via three main channels:

• Through the Branch Hub: an email alert is received by the team, which gives
details of the complaint;

• Calls to the Branch Support Centre, which are then referred onwards to the Issue
Resolution team;

• Directly via Area Managers. In these cases, the complaint will either be resolved
by the Area Manager directly or referred to the Issue Resolution team for further
input.

Across all channels, the team has dealt with c.600 Postmaster complaints since
February 2021.

Governance and process

The Issue Resolution team is made up of nine advisors and is led by the Issue
Resolution Manager.

Complaints are received via email into the Postmaster complaints / issue resolution
mailbox or directly as a Dynamics referral. These are reviewed by the Issue
Resolution team and categorised; complaints relating to suppliers (Royal Mail,
Parcel Force etc), the IT digital service desk (ITDSD) or customers are passed to the
relevant teams, who then take ownership of the investigation. Other complaints are
investigated by the Issue Resolution team, using the relevant business area as
required.

All complaints are logged in Dynamics, where they are queued; the Issue Resolution
team select cases for resolution in date order.

Cases are not formally triaged or prioritised although cases identified as relating to
whistleblowing are classified separately and referred directly to the Whistleblowing
team.


DRAFT FOR DISCUSSION PURPOSES ONLY

The team has detailed policies over how Postmaster complaints should be handled,
and a list of appropriate contacts from each business area that they can contact if
more information is required.

When a complaint is sent for further information, the relevant business team/Area
Manager reports findings back to the Issue Resolution team, who have a 48 hour
chase cycle if the information has not been received. The Issue Resolution team
makes the decision on the case and prepares the response to the Postmaster. If the
case relates to a complaint about an Area Manager, the response is referred to the
Regional Manager for review.

The Issue Resolution team communicates the outcome to the Postmaster, which can
be via email, letter or telephone. All documents relevant to the handling of the
complaint are uploaded on Dynamics. A Postmaster can appeal the outcome; all
appeals are reviewed by the Issue Resolution Manager and escalated complaints
will go through the investigation process again under the supervision of the Issue
Resolution Manager.

Classification of complaints and outcomes has been set up on Dynamics for trend
monitoring and the Issue Resolution Manager performs a weekly review to identify
common themes and feed back findings to the team. This MI is also reviewed
formally by the Service & Support Director on a periodic basis, with further formal
review being performed by the Voice of the Postmaster (“VoPM") team monthly
which includes a number of senior POL stakeholders.

There are SLAs in place of 3 days for initial assessment and 10 days for full case
resolution. A trigger in Dynamics flags cases that have exceeded the SLA; this is
monitored and acted upon by the Issue Resolution Manager. We were informed that
the 10 day SLA is sometimes missed because the Issue Resolution team are waiting
for information from the relevant business areas.

The Issue Resolution team request feedback on the resolution of complaints via the
Area Managers; they have access to SharePoint, where the Area Manager will
record any Postmaster comments.

Postmaster complaints

Overview of current investigation process (cont’d)

Quality assurance is undertaken by the Issue Resolution Manager, who reviews a
sample of complaints handled by each member of the Issue Resolution team every
month.

Individual specific feedback is provided to each team member, and details of general
lessons learnt are circulated for common or recurring issues.

People

The team have clearly defined roles and responsibilities and are provided with
guidance on how to conduct their roles. The team are provided with regular
on-the-job training by the Issue Resolution Manager, although it is acknowledged
that this is more difficult to implement in a remote working environment. In addition,
individuals receive regular specific feedback on their performance.

We understand there is no formal training plan and there is no specific investigation
training provided to the teams.

Infrastructure

The team log all cases in Dynamics, and details of the investigation are logged and
stored in Dynamics as the case progresses. The response to the Postmaster is
automatically recorded in Dynamics if it is made via email; telephone responses are
manually logged.

Complaints which are escalated are set up as a new case in Dynamics, to ensure
they are appropriately managed. The Issue Resolution Manager can view escalated
cases and ensures that any further investigation is not conducted by the original
complaint handler.


The team use the functionality in Dynamics to classify cases and monitor trends and
to monitor case completion times and identify potential SLA breaches.

Assessment of current process

Postmaster complaints have a strong governance framework, with detailed policies
and processes that clearly set out the investigation requirements, including the
Postmaster complaints response process and the steps to be followed for each
case.

There are clear guidelines setting out contact details for relevant business areas,
however this could be further strengthened by providing clarity over when it would be
appropriate for Legal to be involved.

All cases are logged on Dynamics and allocated for investigation based on date.
There is no formal method of triage to identify high risk or priority cases, although
cases are tracked to ensure that progress is maintained.

Where additional information is required, the Issue Resolution team are reliant on
information provided by the relevant business teams or Area Managers; however,
responses are tracked and chased to ensure SLAs are adhered to.

There is appropriate oversight of case outcomes, complaints relating to Area
Managers are reviewed by Regional Managers and the Issue Resolution Manager
performs monthly quality assurance checks over individual team members.

Dynamics is used to log cases, record the investigation process and outcome and
store all relevant supporting documentation. In addition, Dynamics is used for
monitoring trends and case progress, and the trend insights are reviewed by senior
POL stakeholders as part of the monthly VoPM meetings.

Staff have clear roles and responsibilities and periodic on-the-job training; however,
there is no formal training plan and no specific investigations training is undertaken.

Recommendations
As part of our review we have identified a number of areas for improvement, these

Postmaster complaints - areas for improvement

Governance and process

Observations:
• The Issue Resolution team have no formal triage process and no set criteria to identify high risk or priority cases.

Recommendations:
• A formal triage process should be put in place.
• Formal documentation of criteria for triaging would allow consistent interpretation of what should be categorised as low or high risk.
• The categories should allow for flexibility and be updated as cases are reviewed and individual decisions differ.

Observations:
• The policies and process documents do not give a clear indication of when Legal input is required.
• As such, most cases do not have the advantage of privilege during the investigation, meaning that investigation documentation would be available on request prior to the point of Legal involvement in cases where there is a likelihood of legal action.

Recommendations:
• Formal communication lines for specific types of case where privilege / legal consultation is considered to be beneficial should be developed.
• The ability to consult with other departments, and examples of when this might be appropriate, could be formalised and provided to those undertaking investigations.

People

Observations:
• Area Managers / other POL departments can be investigators for Postmaster complaints. Although this provides a good understanding of the branch/relevant business area, it does mean that there could be a lack of (or perceived lack of) independence between the investigator and the subject of the investigation.
• There is no formal requirement for an investigating manager to confirm that they believe themselves to be sufficiently independent to undertake the investigation.

Recommendations:
• Market practice would be to have either fully independent investigators or a robust formal process to confirm independence by the investigating manager, and certain types of case performed by independent investigators of the appropriate grade.

Key to themes: Investigations are not conducted consistently; No consistent triage process; No consistent monitoring and reporting; No consistent approach to QA; Limited evidence of lessons learnt; Use of Area / Line Managers to conduct investigations; Lack of investigation training; No consistent use of an investigations CMT.


Postmaster complaints - areas for improvement (cont'd)

People

Observations:
• The team do not have a formal training plan. They are provided with ad-hoc training by team leads and the Commercial Contact Centre Manager.

Recommendations:
• A training plan should be developed, including specific investigations training for all individuals responsible for conducting investigations.

Infrastructure

Observations:
• Dynamics is used to log cases, record outcomes and upload and store documents where the investigation is performed by the Issue Resolution team.
• When an investigation is undertaken by an Area Manager, they record their findings in Qualtrics, and the text has to be manually uploaded by the Issue Resolution team into Dynamics as a 'note' or 'activity' to ensure that the full detail of the case is recorded in Dynamics.

Recommendations:
• Consideration should be given as to whether Area Managers can record findings directly into Dynamics, to ensure investigations are consistently documented.


Contracts

An assessment of the current state of the Contracts investigation
process with observations and recommendations.

Contracts

Overview of current investigation process

The Contracts team investigate allegations of breaches of contract conditions by
Postmasters in order to determine the action POL should take.

Contracts consider three types of breaches: contract performance, contract suspensions
and, where appropriate, contract terminations. In the 12 months to June 2021, the
contracts team have undertaken the following:

• 139 contract performance reviews

• 11 contract suspensions

• 27 non-suspensions (suspension reviews undertaken, where the decision was made
not to suspend the Postmaster)

• 11 re-instatements following suspension

• 20 contract terminations

As noted above, the majority of cases reviewed by Contracts were low risk performance
breaches.

Governance and process

The Contracts team is made up of four Contract Advisors who are aligned to the nine
regional areas and deal with issues that arise in that area. The Team is led by the Head of
Contract Management and Deployment.

On receipt, cases are logged in Dynamics, although we are informed that the Head of
Contract Management and Deployment also maintains a spreadsheet log of cases,
outcomes and status. Cases are not formally triaged but are allocated to Contract
Advisors based on geographic location and sometimes on capacity.

The team has detailed policies over the three types of breaches, which include process
maps setting out the steps to be taken for each investigation. Contract Advisors complete
standard rationale templates for each type of breach, which capture the relevant facts and
rationale for next steps. All documents relevant to the investigation are uploaded,
password protected and stored on Dynamics.


The Head of Contract Management and Deployment reviews all outcomes with the
Contract Advisors and determines the appropriate next steps. For suspensions,
additional oversight is provided by POL Legal. For terminations, all decisions are signed
off by the Contract Termination Decision Review Group which comprises members of
Contracts, POL Legal and the relevant Regional Manager.

During the investigation Contract Advisors also identify and record any business
improvement opportunities on the rationale document. These are reviewed by the Head
of Contract Management and Deployment and passed on to the relevant teams within
POL if required. We understand this is an informal process using emails and
conversations and there is no follow up to see if these improvements are actioned.

MI on cases and outcomes can be pulled from Dynamics. At present, the Contracts
team do not formally report on cases or outcomes, but we understand that cases are
discussed with the Franchise Partnering Director on an informal basis.

Quality assurance on cases is undertaken by the Head of Contract Management and
Deployment who undertakes quarterly process reviews and provides feedback to the
Contract Advisors.

The Franchise Partnering Director also reviews decisions on suspensions and
terminations on a quarterly basis to ensure consistency of decision-making.

People

Contract Advisors are provided with training on contractual matters relevant to the
investigations they are undertaking and the team have acquired significant experience.
We were informed that there is no specific training on how to conduct an investigation.

There is no formal RACI document; however the team have clear roles and
responsibilities, with the Head of Contract Management and Deployment being
accountable for outcomes and decisions. The requirement to consult with Legal and
other POL teams on suspensions and terminations is clearly set out in the process
maps.

Contracts

Overview of current investigation process (cont'd)

Infrastructure

The team log all cases onto Dynamics, which they can use to see previous investigations
undertaken at the branch by other POL teams. Data required for the investigation is pulled
from Horizon using Horice.

Sample cases

As part of our review we have discussed a sample of three recent cases with Contract
Advisors, being a termination, a reinstatement following suspension and an ongoing
suspension case.

We were unable to review completed rationale documents due to the sensitive nature and
identifying characteristics therein, therefore the review was discussion-based only. We
were also provided with the template rationale documents to gain an understanding of the
details which would be captured on each type of case.

Following discussion of these cases with two Contract Advisors, we identified:

• The team works independently and objectively, and is keen to maintain a dialogue with
branches who are being investigated for potential contractual breaches. This is done
through both regular telephone calls and letters.

• The process appears thorough and is aimed at supporting Postmasters if they find
themselves in difficult circumstances. It was noted that a referral to Contracts is usually
a last resort, if Area Managers are unable to resolve issues through alternative routes.

Assessment of current process

Contracts have a strong governance framework, with detailed policies and processes that
clearly set out investigation requirements. The requirement to consult with Legal and
other POL teams on suspensions and terminations is clearly set out in the process maps;
however, POL should consider whether Legal input earlier in the process would be more
appropriate, especially for cases that have a higher potential risk of future litigation or
where there is actual or suspected criminal activity.


Investigations are consistently documented using a standard template, relevant
documents are stored securely on Dynamics and outcomes are appropriately reviewed
by the Head of Contract Management and Deployment. The introduction of the Contract
Termination Decision Review Group for termination cases has enhanced the
governance further.

All cases are logged on Dynamics and allocated for investigation; whilst there is no
formal method of triage, the team is small and regular team meetings mean that case
loads are discussed and capacity issues sorted. Cases are tracked to ensure that
progress is maintained.

The Contracts team do not provide any formal MI across the business, but we understand
that discussions are held with the Franchise Partnering Director on an informal basis
and that there are already plans in place to formalise this upward reporting.

Business improvement opportunities recorded by the Contract Advisors on the rationale
document are reviewed by the Head of Contract Management and Deployment and
passed on to the relevant teams, however this is currently an informal process with no
feedback mechanism to ensure findings have been actioned.

Quality assurance is undertaken by the Head of Contract Management and Deployment
quarterly, and findings are fed back to the team. The Franchise Partnering Director
reviews suspensions and terminations on a quarterly basis to ensure consistency of
decision-making, which is in line with best practice.

Staff have clear roles and responsibilities and are appropriately trained on contractual
aspects of their roles. However, they do not receive any specific investigations training.

Recommendations

As part of our review we have identified a number of areas for improvement, which are
detailed on the following slides.

Contracts - areas for improvement

Governance and process

Observations:
• The Contracts team have no formal triage process and no set criteria to identify high risk cases.

Recommendations:
• A formal triage process should be instigated, with set criteria for what constitutes a high risk case.

Observations:
• Suspension and termination decisions could result in legal action by the Postmaster. POL should consider whether Legal input earlier in the process would be more appropriate, especially for cases that have a higher potential risk of future litigation, to facilitate privilege and consider whether reporting to LEAs is required under CLEP.

Recommendations:
• POL should consider whether all suspension and termination cases should be conducted in partnership with POL Legal to facilitate privilege.

Observations:
• The Contracts team do not formally report on cases or outcomes, but discuss cases with the Franchise Partnering Director on an informal basis.

Recommendations:
• The Head of Contract Management and Deployment is working on building case data into a monthly Franchise Partnering Scorecard for more comprehensive upward reporting.

Observations:
• Contract Advisors identify and record business improvement opportunities, which are informally communicated to the relevant teams using emails and conversations.
• There is no follow up mechanism to see if these improvements are actioned.

Recommendations:
• The process over lessons learnt should be formalised to ensure that the valuable insights gained by the team are treated appropriately.
• A feedback mechanism should be introduced so that the Customer Complaints team can check issues have been addressed by Area Managers.

Observations:
• Contract Termination Decision Review Committee meetings are not minuted or documented, and there is nothing uploaded onto Dynamics confirming the decision.

Recommendations:
• Confirmation of termination decisions and the rationale for these should be recorded in Dynamics after being discussed with POL Legal, so there is a full record of the decision.

Contracts - areas for improvement (cont'd)

People

Observations:
• Whilst the team receive training on the contractual aspects of their role, there is no specific investigations training, especially in relation to evidence gathering and document handling, and financial crime and tipping off.

Recommendations:
• Investigations training should be conducted on a regular, periodic basis and include all of those individuals responsible for conducting investigations.

Infrastructure

Observations:
• The use of Dynamics is limited to logging cases, recording outcomes and uploading and storing documents.

Recommendations:
• Understand the additional functionality of Dynamics to ensure it is being used to its full potential.


Customer complaints

An assessment of the current state of the Customer complaints
investigation process with observations and recommendations.

Customer complaints

Overview of current investigation process

The Customer Support team investigate customer complaints relevant to POL. These
broadly fall into the following categories:

• Post Office branch services (excessive queuing, staff attitude, staff knowledge, staff
behaviour, errors made by branch); and

• Post Office products / services (unpaid bill payments, missing cheques, faulty or lost
items, product mis-selling).

In 2020, the Customer Support team closed 33,666 customer complaints.

The team have informed us they are working on a number of process improvements
some of which are likely to be reflected in our recommendations.

Governance and process

The Customer Support team is made up of 19 advisors, six of whom handle customer
complaints. The team is led by the Commercial Contact Centre Manager, and there are
2.5 Team Leaders who manage the advisor population across three teams.

Currently, there is no Customer Complaint policy. However, a detailed process
document sets out the ways of working and high-level standards to follow.

All customer communication from letters, emails, contact forms and feedback surveys,
and customer complaint communication from social media and webchat, are logged on
Dynamics (either auto-generated or manually) and categorised as either general enquiry,
customer complaint or third party referral. Customer complaints are assigned to the
Customer Complaint Advisors and triaged against set criteria from P1 to P3, with P1
being the most urgent/high risk and P3 being the lowest.

P1 and P2 cases are assigned to experienced Complaint Advisors via the case
management team. Complaint Advisors determine whether the branch needs to be
contacted, more information is required from the relevant POL product team (e.g. lottery
or bill payments) or if the issue needs to be raised with the Area Manager.


We were informed that there is only guidance available for when an issue needs to be
raised with the Area Manager in terms of case type/severity/value, but that Complaint
Advisors know from experience when to contact the other teams.

Complaint Advisors will review branch complaint history on an ad hoc basis to see if
there is a pattern of complaints at a branch as this may affect the decision on whether to
undertake further investigation. However there is no formal guidance over what is
considered a repeat/recurring issue.

P3 complaints are normally dealt with either by a Complaint Advisor (if they have
capacity) or an Admin Advisor, as they relate to complaints that are straightforward and
no intervention is required.

All complaints regardless of priority have a common approach that is set out in a detailed
process document.

When a complaint is sent for further information, the relevant product team/Area
Manager reports findings back to the Complaint Advisor. We were informed there are no
set guidelines or reporting templates for the relevant team/Area Managers to complete
and that the quality of responses received is varied.

We were also informed there is no formalised commitment for what can and will be
actioned by the Area Managers, so there is no guarantee that specific concerns will be
addressed.

The Complaint Advisor makes the decision on the case and prepares the final customer
response and any compensation calculations. Team Leaders are regularly asked by
Complaint Advisors to input into (or take ownership of) outcomes where the issue is
complex, the claim is high value or the customer is challenging.

The Complaint Advisor subsequently communicates the outcome to the customer using
a standard template that they amend and build upon. They then close the case on
Dynamics.

All documents relevant to the handling of the complaint are uploaded on Dynamics.

Customer complaints

Overview of current investigation process (cont'd)

Governance and process (cont'd)

A customer can appeal the outcome. This will involve the complaint being allocated to a
different Complaint Advisor and going through the process again. All appeals are
reviewed by the Team Leader.

When a customer is issued a final response they are informed that they will need to take
their own independent action should they wish to pursue the complaint further and are
signposted to the Citizens Advice Bureau.

There is a soft SLA in place that requires 95% of customer complaints to be resolved
within 10 working days.

If a customer threatens any form of legal action, the Customer Support team will contact
Legal; if other suspicious activity is identified, the team report to the Whistleblowing team.

Any complaints containing data / subject access requests or data incident notifications
are shared with the Information Rights or Data Protection Team.

MI on complaints and outcomes is produced on a monthly basis by the Business
Transformation Unit and the Workforce Management Team, and on an ad hoc basis by
the Commercial Contact Centre Manager. This includes the number of complaints
opened, the number of complaints closed and the average complaint turnaround time.

MI is reviewed by the Commercial Contact Centre Manager and the Service Delivery &
Contact Centres Director.

Quality assurance should be undertaken by Team Leaders on a monthly basis, who
review a sample of complaints handled by each Complaint Advisor and provide specific
feedback. However, we understand this has not been taking place over the past few
months due to capacity constraints.


Customer complaints are manually monitored for each branch to identify any issues that
need to be fed back to Area Managers. However, there is no formal guidance on what
constitutes an issue and there is no mechanism in place to check whether the issues are
addressed by the Area Managers.

We were informed that the team are trying to improve the MI so that this process can be
automated.

People

The team have clearly defined responsibilities and are provided with guidance on how to
conduct their roles.

The team are provided with ad-hoc training by Team Leads, the Commercial Contact
Centre Manager and other POL teams (such as Whistleblowing and Legal).

In addition, process changes or pain points (such as certain fields not being completed
accurately on Dynamics) are identified and shared via email or at team meetings.
However, there is no formal training plan and there is no access to the shared training
resource that was previously shared with the Branch Support teams.

Infrastructure

All customer complaint cases are logged on Dynamics — emails and web forms are
automatically recorded and all other communications are manually recorded.

Complaints are raised to Area Managers via Qualtrics, as they do not have access to
Dynamics. Qualtrics only allows blocks of text to be shared, and the Complaint Advisor
must manually record the Area Manager's response on Dynamics.

Customer complaints

Overview of current investigation process (cont'd)

Assessment of current process

Customer complaints are in the process of developing their governance framework;
whilst there is no overarching Customer Complaint policy, they have developed a
high-level ways of working guide that sets out the customer complaints response
process and the steps to be followed for each priority of case. Standard templates
are used for communicating outcomes to customers.

All customer complaint cases are logged on Dynamics, triaged and prioritised
against set criteria; higher risk cases are allocated to more experienced Complaint
Advisors via the case management team. Cases are tracked to ensure that progress
is maintained and SLAs are met.

Where additional information is required the Complaint Advisors are reliant on
information provided by the relevant product teams or Area Managers, these
responses are not standardised and can vary in quality.

Relevant documents relating to the complaint are stored securely on Dynamics and
outcomes of complex cases or cases over a compensation threshold are
appropriately reviewed by the Team Leader.

Whilst formal monthly MI is produced, we understand improvements are being made
to MI in order to automate areas such as issue identification and trend monitoring, to
make them more effective and efficient.

A process is in place for Team Leaders to undertake monthly quality assurance
checks on complaint outcomes and feed back findings to individual Complaint
Advisors; however, we understand this is not currently occurring due to capacity
constraints.

Where issues or lessons learnt are identified, these are flagged to the relevant
teams within POL; however, there is no formal feedback process to identify whether
the issues have been addressed.

© 2021 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

DRAFT FOR DISCUSSION PURPOSES ONLY

Staff have clear roles and responsibilities assigned to them, however training is ad hoc
and there is no formal training plan.

Recommendations

As part of our review we have identified a number of areas for improvement; these are
detailed on the following slides.

We understand that a number of these have already been identified by the customer
complaints teams who are working to resolve these issues.

Customer complaints - areas for improvement
Governance and process

Observations:
* There is limited guidance on when additional information is required from the product teams; rather, the process relies on the Complaint Advisors' experience.
* There is no guidance on when other teams such as Legal should be advised of issues.
* There is no guidance provided to Area Managers over reporting requirements and there are inconsistencies in the quality received.
* There is no formalised commitment for what can and will be actioned by the Area Managers, so there is no guarantee that specific concerns will be addressed.
* Quality assurance reviews over the complaint outcomes are usually undertaken monthly by the Team Leaders, who provide feedback to the individual Complaint Advisors. However, due to capacity constraints this has not occurred for the last few months.
* The team monitor complaints for each branch to identify any issues or lessons learnt that need to be fed back to Area Managers. However, there is no guidance on what constitutes an issue and there is no feedback mechanism in place to check whether the issues are addressed by the branches.

Recommendations:
* The process document should be updated to clarify when and where additional information should be obtained.
* The process document should also be updated to clarify instances when Legal consultation would be appropriate.
* Guidance on reporting requirements should be provided to the relevant product teams and Area Managers setting out the information and supporting documentation requirements of the Complaint Advisors.
* A formalised commitment should be agreed with the Franchise Partnering Director setting out the concerns that Area Managers are expected to address.
* Robust quality assurance is crucial in ensuring consistency and quality of investigations, and this process should be reinstated as soon as possible.
* The process for monitoring issues and trends should be automated and clarity provided over what constitutes an issue.
* A feedback mechanism should be introduced so that the Customer Support team can check issues have been addressed by Area Managers.

Key to the issues referenced on the areas for improvement slides:
* Investigations are not conducted consistently
* No consistent triage process
* No consistent monitoring and reporting
* No consistent approach to QA
* Limited evidence of lessons learnt
* Use of Area / Line Managers to conduct investigations
* Lack of investigation training
* No consistent use of an investigations CMT

Customer complaints - areas for improvement (cont'd)
Governance and process (cont'd)

Observations:
* Area Managers / other departments can be investigators for customer complaints. Although this provides a good understanding of the relevant business area / branch, it does mean that there could be a lack of (or perceived lack of) independence between the investigator and the subject of the investigation.
* There is no formal requirement for an investigating manager to confirm that they believe themselves to be sufficiently independent to undertake the investigation.

Recommendation:
* Market practice would be to have either fully independent investigators or a robust formal process to confirm independence by the investigating manager, with certain types of case performed by independent investigators of the appropriate grade.

People

Observation:
* The team do not have a formal training plan. They are provided with ad-hoc training by team leads and the Commercial Contact Centre Manager.

Recommendation:
* A formal training plan should be created. In particular, this should provide more detail on the Customer Complaints handling process, guidance on reviewing information provided by product teams and Area Managers, and general investigations training.

Infrastructure

Observation:
* When an investigation is undertaken by an Area Manager they record their findings in Qualtrics, and the text has to be manually uploaded by the Issue Resolution team into Dynamics as a 'note' or 'activity' to ensure that the full detail of the case is recorded in Dynamics.

Recommendation:
* Consideration should be given as to whether Area Managers can record findings directly into Dynamics, to ensure investigations are consistently documented.


Data Protection

An assessment of the current state of the Data Protection
investigation process with observations and recommendations.

Data Protection - Overview of current investigation process

The Data Protection (DP) team investigate personal data incidents and breaches in
order to mitigate the immediate data loss, determine changes to processes to prevent
similar incidents in the future and decide if incidents should be reported to the ICO.

In 2020, the DP team received 136 reports of non-cyber data incidents. The majority of
data incident reports received were recorded as low risk cases. Any cyber related data
incidents are dealt with by the Cyber team, who then involve the DP team in the
investigation and work together so a decision on reporting to the ICO can be made.

Governance and process

The DP team is made up of three senior data protection managers, one data protection
analyst, one data protection assistant, one information rights manager, one information
rights assistant and one administrative support resource. The team is led by the Head of
Data Protection, Information Rights & Data, who is also the nominated Data Protection
Officer (DPO).

Data Protection activities are governed by the Protecting Personal Data group policy and
by the Incident and Breach Management Procedure. These include detailed investigation
process flows.

A non-cyber data incident report form is completed by the reporter, which captures the
relevant information. On receipt of an incident, a triage assessment is carried out by the
Data Protection Analyst and cases are assigned colour coded risk categories ranging
from low to high risk; however, the risk category definitions are not documented.

In most instances, low risk cases do not require investigating as the facts are already
determined, for example an employee sending an email to the wrong recipient. An
investigation would not be required, but corrective actions are taken by the reporter
following consultation with the DP team and any preventative actions are identified.
Branch based incidents are investigated by Area Managers. Medium and high-risk cases
could be referred to internal teams such as Security or IT, depending on the subject
matter, for further information gathering.


Once an investigation has taken place, the investigating manager documents the
findings on the form and has accountability for the outcome. They will decide what
action needs to be taken in consultation with the DP team such as further training for the
branch. The DP team then completes the lessons learnt section and decides whether the
case can be closed.

Legal are not consulted in relation to data incidents unless the team believe it is
necessary.

DP incidents where there is a cyber element are investigated by the Cyber team with
support from the DP team.

The DP team may also be asked to support an investigation by performing email
reviews. However, this is regarded as evidence gathering rather than conducting an
investigation.

The DPO reviews each investigation in relation to the outcome, however the DPO is
currently on long term absence and as such there is a backlog in reviewing cases.

Basic MI on cases can be extracted from an Excel based log, but there is no formal MI
reporting. Insights from incident reporting are used to drive content on the annual Data
Protection training provided to POL employees, Postmasters and their assistants.

People

Area Managers undertaking branch investigations are not provided with specific training.
The DP team holds data protection and Freedom of Information Act qualifications, which
include specific training on undertaking a data protection investigation.

The DP team struggled with resourcing in the past year, partially due to Covid-19, and
have open positions for a senior Data Protection manager, an administrative assistant
and a Legal specialist (although this role will not include data incident investigations).

Infrastructure

The team log all incidents on the Excel spreadsheet saved in the dedicated area on
POL's SharePoint. The DP team are in the process of moving to OneTrust. Incident
reports are saved in the dedicated area on POL's SharePoint without password
protection.

Data Protection - Overview of current investigation process (cont'd)

Sampling

A random sample of three non-cyber data incidents occurring in the last year was
selected. Due to their confidential nature, the DP team talked us through the forms
on screen.

All three were low-risk cases, since there has not been a medium or high-risk
category case in the past year.

We were informed that the sample reflects the majority of the cases which the DP
team deals with on a daily basis. The samples included an email sent to the wrong
recipient, a Home Office permit being lost in branch, and a Postmaster sharing
customer's personal data on social media due to a personal dispute.

Although each of the cases was triaged and a relevant investigator appointed, two
out of three forms were not completed in full, with only the fact-finding part of the form
being filled in.

The investigators are given two weeks to complete the investigation; however, in the
cases we reviewed there were delays, and the cases were still open three to four
months after their initiation.

The DP team explained that the DPO is usually responsible for reviewing each of the
cases, but since he has been absent there is currently a backlog.

The DP team is aware of a number of areas of improvement that need to be
addressed and are intending to enhance processes in regard to formalising quality
assurance reviews, building an MI dashboard and moving the infrastructure system
to OneTrust.

Assessment of current investigation process

The DP team has clearly defined and documented investigation process flows within
its policy and procedure documents, which articulate the several channels through which
incidents can be collated.


An informal triage takes place when an incident comes in, however there is no
documented definition as to what constitutes each risk category.

There is no formal consideration as to whether Legal should be involved, which would
provide the protection of privilege to the investigation.

Investigations for branch related incidents are conducted by Area Managers.
However, these managers are not provided with specific investigation training, and the
quality of the investigation is not evaluated as part of the annual performance
management review.

Incidents are logged on an Excel spreadsheet; however, there is no trend analysis or
dashboards created for reporting outside the DP team.

Lessons learnt are captured within the incident report form and insights are used in
the Data Protection training; however, we understand that no further action is taken
regarding this analysis.

Quality assurance review is currently informal and on an ad hoc basis, which is an
area the DP team is planning to improve in the future.

Although the DP team stores investigation data and reports in a restricted-access
SharePoint area, the documents themselves are not password protected, so their
protection relies on the site access rights alone. The team is planning on moving
to OneTrust, which will aid in the production of MI dashboards.

Recommendations

As part of our review, we have identified a number of areas for improvement; these
are detailed on the following slides.

Data Protection - areas for improvement
Governance and process

Observations:
* The DP team triage cases when they are received, based on experience.
* There is no documented criteria over each of the risk categories from low to high to ensure a consistent approach is taken and to identify where cases may be high risk.
* Legal are not formally involved, although it is possible for an investigator to request a legal opinion.
* As such, most cases do not have the advantage of privilege during the investigation, meaning that investigation documentation would be available on request prior to the point of Legal involvement in cases where there is a likelihood of legal action.
* Area Managers / other departments can be investigators for data incidents. Although this provides a good understanding of the individual concerned and the department / branch in which they work, it does mean that there could be a lack of (or perceived lack of) independence between the investigator and the subject of the investigation.
* There is no formal requirement for an investigating manager to confirm that they believe themselves to be sufficiently independent to undertake the investigation.

Recommendations:
* Formal documentation of criteria for triaging would allow consistent interpretation of what should be categorised as low or high risk.
* The categories should allow for flexibility and be updated as cases are reviewed and individual decisions differ.
* Formal communication lines for specific types of case / risk profiles where privilege / legal consultation is considered to be beneficial should be developed.
* Guidelines should also be developed in conjunction with Legal to identify when consultation is required.
* If Area Managers are the most effective means of investigating, then market practice would be to include a robust formal process to confirm independence by the investigating manager, with certain types of case performed by independent investigators of the appropriate grade.
* Independent investigators would also mitigate other issues identified in this report, such as: consistency of investigations; experience of investigating managers; performance management; and training.
Data Protection - areas for improvement (cont'd)
Governance and process

Observations:
* There is currently no standard MI produced which summarises the number of data incidents or investigations and is then reported to stakeholders.
* There is no trend analysis of incidents or their outcomes, although lessons learnt are established for each incident and used to inform the mandatory annual Data Protection training.
* No formal quality assurance review is currently taking place. We reviewed 3 cases and identified that closed incident report forms were not completed for 2 cases, although these were low risk ones.
* We understand that when the DPO returns, there will be a more formal review of the outcomes of cases but not of the investigations themselves.

Recommendations:
* A reporting structure should be implemented to ensure that the MI and associated trend analysis is appropriately reviewed and actioned.
* Lessons learnt should also be formally reported to the relevant departments to allow actions to be taken as a result of any identified deficiencies.
* Robust quality assurance is crucial in ensuring consistency and quality of investigations. Market practice would be to have periodic formal quality assurance with a defined output and reporting structure.

People

Observations:
* There has not been the resource or budget to provide training to those undertaking data incident investigations.
* Although there is standard reporting, Area Managers may only undertake a small number of investigations a year, if any, resulting in a wide range of experience and ability, and there could be a lack of consistency in how investigations are undertaken, documented and reported to POL and the employee.

Recommendations:
* Investigation training should be conducted on a regular, periodic basis and include all of those individuals responsible for conducting investigations.
* More formal guidance on undertaking investigations and how documentation should be gathered and collated could be developed to ensure consistency and provide guidance for less experienced Area Managers.

Data Protection - areas for improvement (cont'd)
People (cont'd)

Observation:
* As far as we are aware, there is no requirement for the quality of an investigation to be considered as part of the investigator's performance appraisal, meaning that underperformance would not be assessed and actions for rectification of any deficiencies put in place.

Recommendations:
* The investigation role should be included in job descriptions and therefore form part of the performance management framework.
* This will require assessment of the investigation activities to determine the quality of the work undertaken by the investigator.

Infrastructure

Observation:
* The team plans to move from an Excel spreadsheet in POL's SharePoint to OneTrust to log cases, record outcomes and corrective actions, and provide a more secure platform for holding confidential information.

Recommendation:
* The ability to produce robust MI from the new system should be a key aspect of the change to OneTrust.


Whistleblowing

An assessment of the current state of the Whistleblowing
investigation process with observations and recommendations.

Whistleblowing - Overview of current investigation process

The Whistleblowing team receive whistleblowing reports across a number of
channels and organise an appropriate investigation into each allegation.

In the 12 months up to the end of April 2021, 51 Whistleblowing reports were made;
however, this number is expected to rise given the recent work to raise the profile of
the Whistleblowing process. Of the 51 reports received:

* 23 came directly to the Whistleblowing team;
* 11 came through the Speak Up line; and
* 16 came through other channels, including Grapevine (3), Customer Support (3) and other (10).

Governance and process

The Whistleblowing team is currently made up of one Whistleblowing Manager, who
reports into the Senior Financial Crime Officer, who in turn reports to the Head of Financial
Crime.

The Whistleblowing Champion is a POL non-executive director whose role is
set out in the Whistleblowing policy.

Whistleblowing is governed by the Whistleblowing group policy and the
Whistleblowing process document; these documents will be updated following
changes to the team and implementation of a new case management system. The
documents do not contain detailed guidance on the investigation process itself, but a
pro-forma template has been developed and is now in use.

On receipt of a whistleblowing report, the Whistleblowing team triage the report to
identify whether the case requires investigation and, if so, which manager within POL
should be asked to undertake the investigation. External investigation can be
commissioned if deemed to be required.


As the Whistleblowing team sits within Financial Crime, the case may be discussed with
the Senior Financial Crime Officer or the Head of Financial Crime (who is also the
MLRO) to decide on the appropriate action.

The case can also be escalated to the Whistleblowing NED if the case is deemed to be
particularly complex or serious.

Where a case is deemed to be high risk, then the Head of Compliance is involved in
deciding on the appropriate investigating team. Legal advice is also sought, if
appropriate, although guidance on when this may be needed is not formally documented.

Investigators complete a standard template setting out how the investigation was
undertaken and the outcome. The Whistleblowing manager reviews the relevant
documentation and the outcome and will push back or escalate concerns about the
investigation and/or the outcome if they feel it is not robust.

Investigations are reviewed for lessons learnt prior to the closure of the case. These are
also included within the MI dashboard, which is shared with GE members, and
summaries are provided at each RCC and ARC. The team work with the relevant teams
across the business as matters arise to embed appropriate actions.

Whistleblowing MI is anonymised and reported monthly in full to the GE and the
Whistleblowing Champion. This covers reporting channel, category of reports, affected
areas, investigation outcomes, corrective actions and anonymised details of cases
raised in the last month.

Summarised whistleblowing MI is provided to the Financial Crime team and is included
in the Financial Crime & Supply Chain Monthly MI pack.

A Whistleblowing report is presented to the RCC and ARC twice a year.

Formal minuted meetings are held every quarter with the Whistleblowing Champion and
ad-hoc meetings and correspondence in between if issues arise. Currently monthly
meetings are also held with the Group General Counsel.

Whistleblowing - Overview of current investigation process (cont'd)

People

Investigating managers are not provided with training on how to conduct an investigation,
however the team is led by an experienced Whistleblowing Manager.

The Whistleblowing team assign cases based on their assessment of the appropriate
individual looking at the relevant policies and the subject matter / individual referred to in
the report. This could include line managers, area managers or independent senior
managers within specific departments as applicable.

Infrastructure

All whistleblowing reports are logged on a spreadsheet within the Whistleblowing Teams
site, a restricted access SharePoint site. The site is marked as private, with access
rights limited to the current Whistleblowing team members. The document is not
password protected.

Sampling

Due to the confidential nature of the Whistleblowing team activities, we were unable to
review completed Whistleblowing reports.

The Whistleblowing team discussed a recent example with us and we were provided
with an example of the template report to gain an understanding of the details which
would be captured on each type of case.

Assessment of current investigation process

The recent appointment of a dedicated Whistleblowing Manager with strong experience
in whistleblowing functions has allowed a greater focus on whistleblowing reports.
Alongside the additional resource, which makes it possible to monitor the whistleblowing
log more effectively and to challenge investigations before formally closing them,
recent changes to the process include a standardised template for reporting to try to
improve consistency in reporting quality.


Although the Whistleblowing policy details the whistleblowing process, it does not
describe the investigation process to be undertaken by the investigating manager. We
understand that the policy and process will be updated following changes in the team
structure.

Cases are triaged by the experienced Whistleblowing Manager; however, this is not
based on documented criteria meaning there is a risk that cases will not be classified
consistently.

Currently, investigators can be selected from a wide range of POL employees depending
on the subject matter of the investigation. As a result, there is a risk that investigations
are carried out inconsistently and rely on the expertise and capability of each individual.

Although using Line Managers to investigate employee-related whistleblowing allegations
provides a good understanding of the individual concerned and the department in which
they work, it does mean that there could be a lack of (or perceived lack of) independence
between the investigator and the subject of the investigation.

Due to resource and budgetary constraints, we understand that investigators are not
provided with training on how to conduct an investigation.

We understand that independent investigators sitting within the Whistleblowing team will
be recruited to address the independence, capability and training concerns.

MI is collated regularly, and a dashboard is reported to a number of committees and
stakeholders. The Whistleblowing team is in the process of expanding the dashboards to
produce trend analysis.

Lessons learnt data is collated when the case is closed, and key themes/trends are
shared with the ARC and RCC. The team also engage across the business on
corrective actions to be taken as a result of lessons learnt analysis.

We were informed that the Whistleblowing team have agreed action plans to address the
identified lack of formal triage and to improve MI reporting through enhanced
technology solutions.

Whistleblowing - Overview of current investigation process (cont'd)

Assessment of current investigation process (cont'd)

Currently the Whistleblowing team can challenge and escalate concerns over decisions
made by the investigators but not override them.

We were informed that the Whistleblowing team, as part of the Compliance function, act
as an independent review function who identify and raise concerns about the
investigations and outcomes made in relation to whistleblowing reports. As they review
all whistleblowing investigations, they provide a robust quality assurance function.

We are unclear as to how the team will continue to perform this role once they move the
investigation process into their team.

The Whistleblowing Manager monitors the Excel log saved on Teams, which is restricted
to the Whistleblowing team.

We understand that the Whistleblowing team is planning on moving to a new case
management tool in the future which will allow for a more robust MI reporting, triage and
handling of cases.

Recommendations

As part of our review, we have identified a number of areas for improvement; these are
detailed on the following slides and are based on the current state at the date of review.

Whistleblowing - areas for improvement
Governance and process

Observations:
* The Whistleblowing Manager triages cases when they are received, based on her experience.
* There is no documented criteria over each of the risk categories from low to high to ensure a consistent approach is taken and to identify where cases may be high risk.
* The current Whistleblowing policy and process documents do not provide detailed guidance on how to undertake an investigation. Given the number of POL employees who could be asked to undertake an investigation, there is a risk that:
  * investigating managers only undertake a small number of investigations a year, if any, resulting in a wide range of experience and ability; and
  * there could be a lack of consistency in how investigations are undertaken, documented and reported to POL.

Recommendations:
* Formal documentation of criteria for triaging would allow consistent interpretation of what should be categorised as low or high risk.
* The categories should allow for flexibility and be updated as cases are reviewed and individual decisions differ.
* We understand that the Whistleblowing team is currently in the process of updating processes, which will include a formal triage and documented criteria.
* More formal guidance on undertaking investigations and how documentation should be gathered and collated (for example the use of timelines, indexes and summary papers) could be developed to ensure consistency and provide guidance for less experienced Line Managers.
* We understand that the Whistleblowing team is currently in the process of updating all processes and procedures and have a pro-forma template to fill in.
* The recruitment of independent investigators will also reduce the requirement to use the wide range of Line/Area managers who currently undertake investigations.

Key
Investigations are No consistent No consistent No consistent Limited Use of Area / Line Lack of No consistent use
@ not conducted @ triage @ monitoring @ approachto  @ evidenceof © Managerstoconduct @ investigation @ ofan
consistently process and reporting QA lessons learnt investigations training investigations CMT

Document Classification: KPMG Corfidential

POL-BSFF-0238515_0056

Whistleblowing - areas for improvement

Theme: Governance and process

Observation:
• We understand that the Whistleblowing team will involve the Legal team at the beginning of an investigation if this is considered appropriate; however, this is not formally documented within the policy.
• Certain high risk cases may also benefit from consultation with Legal in order to ensure that all communication is protected under privilege.

Recommendation:
• Formal communication lines for specific types of case where privilege / legal consultation is considered to be beneficial should be developed.
• We understand that the Whistleblowing team is currently in the process of updating all processes and procedures which will include formal documentation of when it may be appropriate to consult with Legal.

Theme: Governance and process

Observation:
• We understand that corrective actions and lessons learnt are shared with the ARC and RCC as part of the regular reporting, and that the team liaise with the relevant business team to embed the necessary changes.
• We understand that the lessons learnt process is not formally documented, nor are the outcomes collated into a lessons learnt report; rather they are reported on an ad hoc basis as identified.
• Actions are not documented or formally followed up and closed out.

Recommendation:
• A formal root cause analysis and lessons learnt structure requiring actions to be agreed and followed up would provide a continuous improvement process which would be beneficial to POL.

Theme: People

Observation:
• There has not been the resource or budget to provide training to those undertaking whistleblowing investigations.
• As a significant number of POL employees could potentially be asked to undertake an investigation, this training would need to be available online and mandatory to complete before commencing an investigation.

Recommendation:
• Investigation training should be conducted on a regular, periodic basis and include all of those individuals responsible for conducting investigations.
• This training should be mandatory for all new investigators prior to conducting an investigation, and completion of full and update training should be monitored and followed up.
• We understand that the Whistleblowing team is currently in the process of recruiting experienced investigators to conduct investigations who will be provided with regular training and support.

POL-BSFF-0238515_0057

Whistleblowing - areas for improvement

Theme: People

Observation:
• Line Managers and Area Managers are the primary investigators for whistleblowing matters. Although this provides a good understanding of the individual concerned and the department / branch in which they work, it does mean that there could be a lack of (or perceived lack of) independence between the investigator and the subject of the investigation.
• There is no formal requirement for an investigating manager to confirm that they believe themselves to be sufficiently independent to undertake the investigation.

Recommendation:
• The benefits of having an independent investigation need to be weighed against the work required to amend the collective agreement with the unions (in relation to employee investigations) and the resourcing available for investigations.
• Market practice would be to have either fully independent investigators or a robust formal process to confirm independence by the investigating manager, with certain types of case performed by independent investigators of the appropriate grade.
• We understand that the Whistleblowing team are recruiting two independent investigators who would undertake the majority of the whistleblowing investigations and address this observation.

Theme: People

Observation:
• Investigations are performed in addition to an investigator's normal roles and responsibilities, which could lead to investigations not being fulfilled to the required standard due to time constraints or an unacceptable workload placed on the investigator.

Recommendation:
• Consideration should be given to the availability and experience of the investigating manager being allocated the investigation to ensure that they have the appropriate capacity to take on the investigation to the required standard.
• We understand that the Whistleblowing team is currently in the process of recruiting experienced investigators to conduct investigations as their full time role.

POL-BSFF-0238515_0058

Whistleblowing - areas for improvement

Theme: People

Observation:
• As far as we are aware, there is no requirement for the quality of an investigation to be considered as part of the investigator's performance appraisal, meaning that underperformance would not be assessed and actions for rectification of any deficiencies put in place.

Recommendation:
• The investigation role should be included in job descriptions and therefore form part of the performance management framework. This will require assessment of the investigation activities to determine the quality of the work undertaken by the investigator.
• We understand that the Whistleblowing team is currently in the process of recruiting experienced investigators to conduct investigations who will be appraised on the quality of their investigations.

Theme: Infrastructure

Observation:
• Currently the team uses the Whistleblowing Teams site to hold the Excel spreadsheet used to log cases, record the outcome and upload and store evidence.
• Whistleblowing MI is manually derived, which can take significant time and effort to collate and gives rise to a risk of human error.

Recommendation:
• We understand that the Whistleblowing team are currently implementing a bespoke case management tool which will be going live at the beginning of August 2021.

POL-BSFF-0238515_0059

Human Resources

An assessment of the current state of the Human Resources investigation process with observations and recommendations.

POL-BSFF-0238515_0060
Human Resources

Overview of current investigation process

The Employee Relations (ER) team set policies and operational procedures for
investigations related to grievances, Dignity at Work (“DaW”) incidents and code of
conduct breaches in consultation with the relevant unions. These policies are collective
agreements that have been agreed with the Unions and cannot easily be changed.
Each policy has its own detailed toolkit and guidance/template documents.

HR use an outsourced service provider called Advisor Plus referred to as MyHRHelp
who assist and advise those undertaking investigations on employee relations matters.
In the 12 months up to 30 November 2020, MyHRHelp recorded:

• 139 code of conduct breaches
• 28 grievances
• 8 DaW cases

Governance and process

The Employee Relations team is made up of the Head of Employee Relations and
another team member who is currently on secondment. Investigator advice, guidance
and case management services are outsourced to MyHRHelp who have a detailed
understanding of the policies and process.

MyHRHelp will log and categorise cases as low, intermediate or high risk in line with
the risk profile advised by the ER team. High category cases will include cases that
may potentially result in a dismissal (gross misconduct), cases where there is a
complaint against senior management and discrimination complaints.

Cases are categorised by MyHRHelp based on their experience and the defined
criteria set by the ER team. MyHRHelp will escalate to the ER team any high risk cases
which require additional support or awareness by more senior people in POL.

The Head of Employee Relations reviews the ongoing cases on a regular basis.

The majority of investigations are undertaken by an employee's immediate or second
Line Manager in addition to their normal job roles.


Code of conduct investigations

Line Managers would generally identify conduct issues and manage them accordingly.
Line Managers may also be contacted by other teams such as Whistleblowing or Cyber
to ask them to undertake an investigation. Line Managers are responsible for managing
the conduct (disciplinary) investigation process and for making a decision as to whether
there has been a breach of the policy and what the outcome should be.

The process documents include a step-by-step guide on how to conduct an investigation.
The Code of Conduct policy states that the Line Manager of the employee who is the
subject of the allegation is the appropriate person to undertake the investigation unless
there is a clear conflict of interest.

If the Line Manager requests MyHRHelp then the case will be logged within their case
management system and case documents uploaded; if not, then the investigation would
not be recorded.

If the Line Manager contacts MyHRHelp to receive guidance and support on the
investigation, then MyHRHelp will follow up if the relevant documentation is not
uploaded.

Per the policy, Line Managers should consult MyHRHelp before any disciplinary action is
taken.

The Employee Relations team will become involved in investigations in a number of
ways:

• Referral by MyHRHelp on high-risk cases;
• Referral by the People Business Partners engaged by MyHRHelp on high-risk cases;
• Through their review of cases on the case management system; or
• Referral by the investigating Line Manager.

MyHRHelp will also email / call the Employee Relations team if they are concerned
about the progress of a case and will flag the case within the case management system.


POL-BSFF-0238515_0061
Human Resources

Overview of current investigation process (cont’d)

Code of conduct investigations (cont'd)

If the employee is subject to a formal disciplinary hearing, the case will be sent to the
second Line Manager for review.

Prior to a tribunal claim being received, in most cases, the Employee Relations team
will be contacted by ACAS for early conciliation. If a tribunal claim is submitted, the
tribunal would submit notification into Legal who would engage with the Employee
Relations team in order to manage the claim through to a resolution.

Dignity at work (DaW) investigations

A formal complaint is raised by an employee completing a Dignity at Work Complaint
Form (either manually or in SuccessFactors). These are submitted to the People
Shared Service Centre ('PSSC') who, with the support of the People Business Partner,
will assign the complaint to an investigating Line Manager (usually the employee's Line
Manager, but this could be an independent Line Manager depending on who the subject of
the allegation is).

The investigating Line Manager completes the investigation following the DaW policy.
There is a manager toolkit available which provides guidance on undertaking the
investigation.

The Line Manager then prepares an investigation report and determines the outcome
of the case. The investigation report and any relevant documentation is sent to the
PSSC.

The investigating Line Manager updates the outcome of the case on SuccessFactors
and informs the employee of the outcome.

The employee can appeal the outcome. This will involve the PSSC selecting an
investigator from a list of managers who only handle appeals. As per conduct
investigations, the investigating Line Manager is responsible for contacting MyHRHelp
if they require support. If MyHRHelp are contacted, then the case will be logged onto
their case management system and they will request that the supporting documentation
and investigation report is uploaded.


We were informed there are capacity constraints over staff within POL who have the
relevant expertise or time to undertake appeals.

We were informed that in the last 3 years there have been 7 or 8 cases that have gone to
tribunal. One was lost due to poor investigation processes and, as a result, the manager
guidance toolkit was updated to be more prescriptive on what needs to be covered
during the investigation. None of the tribunal cases were won, as the remainder were either
settled or withdrawn.

Grievance investigations

A formal complaint is raised by an employee manually completing a formal Grievance
Form. The employee can either send this complaint directly to the second Line Manager
(of the party being reported on) or send it to the PSSC who will send it to the second line
manager for review who would investigate the complaint following the Grievance policy.
There is a manager toolkit available which provides guidance on undertaking the
investigation.

Grievance forms can also be sent to the PSSC mailbox who would follow the same route
as DaW reports and assign the case with the support of the People Business Partner.

The investigating Line Manager completes the investigation and prepares an
investigation report, determines the outcome of the case and informs the subject of the
investigation. The employee can appeal the outcome. This will involve the complaint
being escalated to PSSC who will select an independent manager from the appeal
manager pool.

The investigation report and any documentation is sent to the PSSC to be put into the
employee's personal file. However there is no facility to record the outcome of formal
grievances other than the information collated on MyHRHelp.

As per conduct investigations, the investigating Line Manager is responsible for
contacting MyHRHelp if they require support. If MyHRHelp are contacted, then the case
will be logged onto their case management system, and they will request that the
supporting documentation and investigation report is uploaded.


POL-BSFF-0238515_0062
Human Resources

Overview of current investigation process (cont'd)

Quality assurance and MI reporting

There is no formal quality assurance undertaken across any of the different types of
investigations, however the Employee Relations team has access to the MyHRHelp
case management system and can use this to review all cases including those flagged
by MyHRHelp as high risk.

There is no formal review of investigation outcomes and actions once they have been
decided by Line Managers or second Line Managers. There is also no formal lessons
learnt process except where the investigation results in litigation.

Due to the use of MyHRHelp, HR have limited ability to extract MI and there is a risk
that not all cases are logged and recorded, as the system is reliant on Line Managers
calling MyHRHelp to log cases.

MyHRHelp provide MI on investigations on a quarterly basis; however, this is from a
MyHRHelp perspective and requires significant time and effort to allow effective
analysis by POL. The ER team also have access to the MyHRHelp dashboards. MI is
not reported within or outside HR.

Although cases which come through the PSSC are recorded on SuccessFactors, no MI
is produced.

People

Although Line Managers undertaking investigations have access to support from
MyHRHelp advisors and there is detailed guidance in the Code of Conduct policy, they
are not provided with specific training on how to conduct an investigation. The Code of
Conduct policy states that it is recommended that Line Managers undertake employee
relations training however we were informed this does not happen.

While there is no formal RACI document, the policies place responsibility and
accountability for investigations on the Line Managers (for DaW and Conduct code
cases) and second Line Managers (for grievances).

There is no requirement for investigating Line Managers to consult with Legal or other
POL teams.


Infrastructure

MyHRHelp maintain the HR case management system onto which cases are logged and
relevant documentation is uploaded and stored if MyHRHelp are informed of an
investigation. This is on a cloud-based application.

When a case is raised there is a facility within the case management system to record
emails between the investigating Line Manager and the MyHRHelp advisor. Summaries
of phone discussions are also logged.

Only MyHRHelp and members of the Employee Relations team have access to this case
management system.

The PSSC logs the outcome of DaW cases on SuccessFactors however we understand
there is no facility within SuccessFactors to record a formal grievance or its outcome.

Sampling

As part of our review, we discussed a sample of three recent cases with investigating
Line Managers:

• two conduct cases; and
• one grievance.

We were provided with supporting documentation including witness statements,
investigation minutes, letters to the reporter and CCTV logs.

The key points we note are:

• All investigators were experienced in their role, and they are usually selected by
People Business Partners as appropriate individuals to conduct an investigation;

• Based on the documentation we reviewed, all sample investigations were performed
to a good standard; and

• We were informed that MyHRHelp was supportive and provided them with guidance
but also chased them when there was a delay in the investigators' response.


POL-BSFF-0238515_0063
Human Resources

Overview of current investigation process (cont'd)

Sampling (cont'd)

However, they all noted that investigations are time consuming given they are conducted
in addition to their normal work. For example, one of the cases included eight witness
statements and a significant amount of documentation to be reviewed in order for the
investigator to reach a decision.

One of the investigators noted that it would be possible for investigations to be run by an
independent individual who does not understand the business but has read the policies.

Assessment of current investigation process

There are clear policies in place covering the types of investigations undertaken in
relation to POL employees. The majority of investigations are performed by Line
Managers who determine whether reported allegations breach the relevant policy and
decide on the outcome.

The use of Line Managers is mandated in the policies, however there is a risk that there
is a lack of (or perceived lack of) independence in the investigation where close
colleagues are involved in assessing the allegation. Investigations are undertaken in
addition to their normal role and may require a significant investment of time.

Cases are triaged by the experienced MyHRHelp team, using a documented criteria list
agreed with the Employee Relations team.

There is no formal quality assurance over the investigations undertaken by Line
Managers, although MyHRHelp will highlight to the Employee Relations Team where
they have concerns over an investigation, and high-risk cases are flagged within the
system for the Head of Employee Relations to review.

MI is provided by MyHRHelp; however, this is not in a format that can be reported for
internal purposes without significant time and resource to adjust the analysis. As a result,
root cause or trend analysis is not undertaken.


Consultation with Legal is not required prior to a Tribunal meaning that certain cases do
not have the benefit of privilege or the oversight of the Legal department, both of which
could be beneficial.

Despite training being referred to in the Code of Conduct policy, there has not been the
resource or budget to provide this to POL employees who may be asked to undertake
investigations or appeals.

It is unlikely that the quality of investigations is taken into account when undertaking
performance management of the Line Managers.

There is a risk that not all investigations will be recorded within MyHRHelp meaning that
there is not a complete population of employee investigations.

Recommendations

As part of our review we have identified a number of areas for improvement, these are
detailed on the following slides.


POL-BSFF-0238515_0064

Human Resources - areas for improvement

Theme: Governance and process

Observation:
• Line Managers are the primary investigators for employee related issues, which is specifically codified in the Code of Conduct collective agreement policy. Although this provides a good understanding of the individual concerned and the department in which they work, it does mean that there could be a lack of (or perceived lack of) independence between the investigator and the subject of the investigation.
• There is no formal requirement for a Line Manager to confirm that they believe themselves to be sufficiently independent to undertake the investigation.

Recommendation:
• The benefits of having an independent investigation need to be weighed against the work required to amend the collective agreement with the unions and the resourcing available to staff investigations.
• Market practice would be to have either fully independent investigators or a robust formal process to confirm independence by the investigating Line Manager, with certain types of case excluded from the Line Manager allocation and performed by independent investigators of the appropriate grade.
• Independent investigators would also mitigate other issues identified in this report such as:
  - Consistency of investigations;
  - Experience of investigating Line Managers;
  - Performance management; and
  - Training.

POL-BSFF-0238515_0065

Human Resources - areas for improvement

Theme: Governance and process

Observation:
• The accountability for the decision in relation to a case lies with the investigating Line Manager, with limited oversight from other POL departments (such as the Employee Relations team).
• Legal are only formally involved when a case is taken to an employment tribunal, although there is a dedicated Legal business partner for HR and, where a case has been flagged as high risk, the ER team and People Partner will be involved. If a case has not been flagged as high risk then it would be up to the investigator to ask MyHRHelp about legal advice.
• As such, most cases do not have the advantage of privilege during the investigation, meaning that investigation documentation / communication would be available on request prior to the point of Legal involvement in cases where there is a likelihood of legal action.

Recommendation:
• Formal communication lines for specific types of case where privilege / legal consultation is considered to be beneficial should be developed.
• The ability to consult with other departments and examples of when this might be appropriate could be formalised and provided to those undertaking investigations and MyHRHelp so that it is clear how this should be undertaken (whether directly or via MyHRHelp).

Theme: Governance and process

Observation:
• MyHRHelp will review cases which have been logged with them to provide support to the investigators and also engage the People Partner team if there are any deficiencies with documentation or delays in the investigation's progress. They do not provide any assurance over the outcome of the investigation.
• The Head of Employee Relations will periodically review the investigations log and familiarise herself with any cases flagged as high risk.
• However, there is no formal quality assurance over employee investigations.

Recommendation:
• Robust quality assurance is crucial in ensuring consistency and quality of investigations.
• Market practice would be to have periodic formal quality assurance with a defined output and reporting structure.

POL-BSFF-0238515_0066

Human Resources - areas for improvement

Theme: Governance and process

Observation:
• MyHRHelp record an investigation when they are contacted for support by the Line Manager undertaking the investigation. The PSSC record a DaW or grievance complaint when it comes through their mailbox.
• The manager guidance toolkit requests that all investigating Line Managers log their investigations with MyHRHelp; however, there is currently no way of monitoring that this happens. As a result there is no complete record of all investigations undertaken within POL.
• It is possible to obtain MI data from MyHRHelp's case management tool; however, this is not in a format which could be reported to internal stakeholders. Therefore an MI dashboard is not produced and reported.
• Without a complete population or MI dashboards, it is not possible to produce detailed reporting, trend or lessons learnt analysis and/or monitor cases.

Recommendation:
• It is crucial that a complete population of employee related investigations can be identified. In regard to DaW and misconduct cases, the PSSC could perform a reconciliation between the cases logged on their spreadsheet and the cases logged with MyHRHelp to ensure that there is a complete population of cases. The People Partner team could also send reminders to managers to ensure that investigations are logged with MyHRHelp.
• The ER team should develop an MI dashboard with the help of MyHRHelp which will allow them to report to the appropriate forum for review and monitoring.
• Reporting should include trend analysis and root cause and lessons learnt analysis.

Theme: People

Observation:
• Despite the Code of Conduct policy recommending that investigators have regular training in undertaking investigations, there has not been the resource or budget to provide this to Line Managers.
• As all Line Managers could potentially be asked to undertake an investigation, this training would need to be available online and mandatory to complete before commencing an investigation.
• Investigations are performed in addition to a Line Manager's normal roles and responsibilities, which could lead to investigations not being fulfilled to the required standard due to time constraints or an unacceptable workload placed on the investigating Line Manager.

Recommendation:
• Investigation training should be conducted on a regular, periodic basis and include all of those individuals responsible for conducting investigations.
• This training should be mandatory for all new investigators prior to conducting an investigation, and completion of full and update training should be monitored and followed up.
• Consideration should be given to the availability and experience of the Line Manager being allocated the investigation to ensure that they have the appropriate capacity to take on the investigation to the required standard.
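The reconciliation recommended above, worked through as an added example (not code from the KPMG report, POL or MyHRHelp): two constructed case registers stand in for the PSSC spreadsheet and the MyHRHelp case log, and a PSSC case is matched to a MyHRHelp case only when the normalised employee identifier and case type agree and the opened dates fall within an assumed 14-day window, since the two registers are populated at different points in the process. Anything recorded in only one register surfaces as an exception for follow-up. The field names, identifiers, dates and the matching rule are all assumptions for illustration.

```python
"""Completeness reconciliation between two case registers (added example).

The registers, field names and matching rule below are constructed for
illustration; they are not details of POL's or MyHRHelp's systems.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CaseRecord:
    source: str        # register the record came from (constructed label)
    employee_id: str   # constructed identifier; matched case-insensitively
    case_type: str     # "DaW" or "Conduct" (constructed)
    opened: date       # date the complaint / investigation was opened


def _key(rec: CaseRecord) -> tuple:
    """Normalise the matching fields so letter case and stray whitespace
    do not produce false exceptions."""
    return (rec.employee_id.strip().upper(), rec.case_type.strip().lower())


def reconcile(pssc: list, myhrhelp: list, window_days: int = 14) -> dict:
    """Match each PSSC case to at most one MyHRHelp case with the same key whose
    opened date lies within `window_days` (assumed tolerance). Each MyHRHelp
    record is used once; leftovers on either side are exceptions."""
    window = timedelta(days=window_days)
    unmatched_hr = list(myhrhelp)
    matched, missing_from_myhrhelp = [], []

    for p in pssc:
        candidates = [
            h for h in unmatched_hr
            if _key(h) == _key(p) and abs(h.opened - p.opened) <= window
        ]
        if candidates:
            # Prefer the candidate whose opened date is closest to the PSSC date.
            h = min(candidates, key=lambda c: abs(c.opened - p.opened))
            unmatched_hr.remove(h)
            matched.append((p, h))
        else:
            missing_from_myhrhelp.append(p)

    return {
        "matched": matched,
        "missing_from_myhrhelp": missing_from_myhrhelp,  # PSSC only
        "missing_from_pssc": unmatched_hr,               # MyHRHelp only
    }


def exception_report(result: dict) -> list:
    """Flatten the reconciliation output into lines a reviewer can action."""
    lines = []
    for p in result["missing_from_myhrhelp"]:
        lines.append(f"PSSC {p.case_type} case for {p.employee_id} opened {p.opened} "
                     f"has no MyHRHelp record")
    for h in result["missing_from_pssc"]:
        lines.append(f"MyHRHelp {h.case_type} case for {h.employee_id} opened {h.opened} "
                     f"has no PSSC record")
    return lines


# Constructed sample registers (not real POL data).
PSSC_CASES = [
    CaseRecord("PSSC", "E001", "DaW", date(2021, 3, 2)),
    CaseRecord("PSSC", "E002", "Conduct", date(2021, 3, 10)),
    CaseRecord("PSSC", "E003", "DaW", date(2021, 4, 1)),
]
MYHRHELP_CASES = [
    CaseRecord("MyHRHelp", "e001", "DaW", date(2021, 3, 5)),      # same case, logged 3 days later
    CaseRecord("MyHRHelp", "E004", "Conduct", date(2021, 4, 20)), # never reached the PSSC mailbox
    CaseRecord("MyHRHelp", "E003", "DaW", date(2021, 6, 1)),      # outside the window: a separate case
]


if __name__ == "__main__":
    for line in exception_report(reconcile(PSSC_CASES, MYHRHELP_CASES)):
        print(line)
```

The window matters: the E003 records on each side share an employee and case type but are two months apart, so they are reported as two separate unrecorded cases rather than silently paired. Widening or narrowing the window is the main tuning decision for such a control.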

POL-BSFF-0238515_0067

Human RESOUICES - areas for Improvement

Fieve J obseraton Tecormencaton I

People

Infrastructure

kpme!

+ There are over 550 Line Managers currently employed within POL. Although there is strong
support provided by MyHRHelp and template reporting developed by the Employee Relations
team, the number of potential investigators gives rise to the following possible issues:

+ Line Managers may only undertake a small number of investigations a year, if any,
resulting in a wide range of experience and ability;

* There could be a lack of consistency in how investigations are undertaken,
documented and reported to POL and the employee.

+ Although there is standard reporting, we have been informed that the supporting
documentation can lack formal structure and is often not indexed and requires significant time
‘to review especially when being reviewed for an appeal.

+ As far as we are aware, there is no requirement for the quality of a Line Managers
investigations to be considered as part of their performance appraisal, meaning that
underperformance would not be assessed and actions for rectification of any deficiencies put in
place.

* POLrely on the case management tool operated by MyHRHelp whichis used to log cases,
track progress and upload and store documents.

+ Although we understand that MyHRHelp use a fully backed up clous based application, there is
arisk attached to outsourcing data retention.

+ Mlheld by the PSSC team is not reviewed or reported. Ml on MyHRHelp’s case management
tool is available however this does not link with the PSSC MI meaning there is no one facility
that records data on employee investigations.

+ Ifan investigator does not seek support from MyHRHelp or the report does not come through
the PSSC mailbox then there will be no record of the investigation.

2021 KPMG LLP, a UK limited liability partnership and a member fim of the KPMG gbal organisation of independent member frm flied with KPMG International Limited, a private Enis!

Document Classification: KPMG Corfidential

More formal guidance on undertaking investigations
and how documentation should be gathered and
collated (for example the use of timelines, indexes
and summary papers) could be developed to ensure
consistency and provide guidance for less
experienced Line Managers.

The investigation role should be included in job
descriptions and therefore part of the performance
management framework.

This will require assessment of the investigation
activities to determine the quality of the work
undertaken by the investigator.

A dedicated case management system is not
necessarily required however there must be the
ability to collect, collate and report a total population
of employee investigations.

The current contract with MyHRHelp lapses in September 2022. If the service were to be brought in house then a dedicated case management system would be required.


Cyber

An assessment of the current state of the Cyber investigation
process with observations and recommendations.


Cyber - Overview of current investigation process
The Cyber Security Incident team (CSIT) investigate potential breaches of data policies and attacks on POL software (excluding retail).

The team monitor data feeds in order to identify unusual activity, specifically in relation to malicious behaviour or misconduct.

999 incidents were raised in May 2021. These can be split as follows:

* 43% - system generated incidents such as employees changing their passwords and subsequently forgetting them;

* 27% - phishing attacks;

* 25% - security email enquiries; and

* 5% - incidents escalated by the General IT Service Team.

The team reviews the details of each incident; however, only a few cases lead to a full investigation where additional evidence is gathered.

Governance and process

The CSIT consists of four cyber analysts, a Security Operations Centre Lead (SOC Lead), and a Group Head of Cyber Operations. The team reports to the Chief Information Security Officer (CISO).

Incidents are auto generated as a result of proactive monitoring. The CSIT uses Office
365 and Splunk data feeds which monitor employees’ behaviour. These automatically
generate alerts when events are triggered which feed through to ServiceNow to generate
an investigation workflow. Depending on the nature of the incident, information may be
limited on ServiceNow in order to retain confidentiality.


DRAFT FOR DISCUSSION PURPOSES ONLY

If required, incidents are assigned for investigation to a senior cyber analyst.

Sensitive investigations are managed by the Group Head of Cyber Operations or the
SOC Lead.

The CSIT liaise with HR when an investigation breaches POL policy or when they need
to deactivate the employee's account e.g. as a result of sharing POL data outside POL
or downloading inappropriate data. HR are responsible for determining whether or not
an employee's action should lead to disciplinary action.

If an investigation involves a cyber data breach which involves personal data, the CSIT
undertakes the investigation with support from the DP team.

Although CSIT does not perform specific quality assurance review on investigations,
they are audited by Deloitte on an annual basis, as well as internal audit on a regular
basis.

Cyber training for Postmasters and employees is updated based on the lessons learnt
from the incidents. The CSIT produce KPI reports which are presented to the IT
Leadership Board and an internal MI dashboard for the CISO on a monthly basis. A
paper is also produced for the ARC on a quarterly basis.

People

The CSIT undertake investigation based analysis training, however they do not hold
specific investigation qualifications.

Infrastructure

All incidents are logged onto ServiceNow. Documents cannot be uploaded onto ServiceNow and are maintained on a restricted SharePoint site with password protection.

Cyber investigations are governed by the Cyber Security Incident Response framework policy. A triage matrix is detailed within the policy which identifies the severity of the incident and removes any false positives.


Cyber - Overview of current investigation process

Assessment of current investigation process

The CSIT team has developed their procedures to ensure a clear end to end
investigation process including a clear triage process, a complete incident population,
identification of lessons learnt and MI reporting.

The policy and procedure documents allow analysts and the SOC Lead to identify which
cases need to be escalated to the CISO. However there is no requirement to involve
Legal for high risk investigations.

When instances of POL employees breaching the data policies are reported to HR, there
is no requirement for HR to provide a formal response to the breach, therefore breaches
may not be recorded as part of the HR investigation MI and no action taken on the
breach of policy.

The team produces MI dashboards both for internal purposes and for reporting to the IT Leadership Board. This allows for trend analysis and lessons learnt insights to be developed; however, we are not aware of specific actions being put in place to mitigate trends other than updating the annual Data training.

There is no independent quality assurance in relation to outcomes or the investigation process; however, external firms and internal audit review the Cyber investigation process on a regular basis.

The CSIT have investigation based analysis training.

CSIT uses ServiceNow to log findings and a restricted SharePoint site to document findings.

Recommendations

As part of our review we have identified a number of areas for improvement, these are
detailed on the following slides.


Cyber - areas for improvement

Governance and process

Observations:

* Legal are not formally involved although it is possible for an investigator to request a legal opinion.

* As such, most cases do not have the advantage of privilege during the investigation, meaning that investigation documentation would be available on request prior to the point of Legal involvement in cases where there is a likelihood of legal action.

Recommendation:

* Formal communication lines for specific types of case / risk profiles where privilege / legal consultation is considered to be beneficial should be developed.

Observation:

* The Group Head of Cyber Operations will liaise with HR when they are made aware of an employee breaching policy. However, we understand that there is no formal process for HR to action these reports, meaning that they may not be appropriately assessed and recorded.

Recommendations:

* There should be an agreed action plan for HR to take responsibility for deciding on the appropriate outcome of a breach of policy and document their decision and the rationale behind this.

* This should be reported as part of their MI and reporting structure to ensure that themes or trends can be identified and addressed.

Observation:

* We understand there is no formal quality assurance in relation to the detail of the investigation or the appropriateness of the outcome; however, the investigation process is audited by Deloitte and internal audit on a regular basis.

Recommendations:

* Robust quality assurance is crucial in ensuring consistency and quality of investigations.

* Market practice would be to have periodic formal quality assurance with a defined output and reporting structure specifically over the investigation and outcome.

Key (the icons in the original table refer to these themes):

* Investigations are not conducted consistently
* No consistent triage process
* No consistent monitoring and reporting
* No consistent approach to QA
* Limited evidence of lessons learnt
* Use of Area / Line Managers to conduct investigations
* Lack of investigation training
* No consistent use of an investigations CMT


Modern Slavery

An assessment of the current state of the Modern Slavery
investigation process with observations and recommendations.


Modern slavery - Overview of current investigation process

POL's approach to the prevention of and investigation into reports of modern slavery within the branch network has undergone significant change and has been an area of focus in recent years.

POL publish an annual Modern Slavery Act ("MSA") statement on their website in line with the Act.

Investigations are governed by the Modern Slavery policy and steps have been taken to ensure that it aligns to the GIP as far as possible.

Governance and process

The modern slavery team is led by the Head of Customer Experience, with support from one additional colleague.

A five stage investigation process has recently been developed (and is still undergoing further development).

* Stage 0: Area Managers and Business Support Managers are required to complete a questionnaire ("Modern Slavery Observations Survey") for each branch at least once a week.

* Stage 1: The Modern Slavery team review the questionnaire data on a weekly basis and forward any "yes" observations to the relevant Regional Manager for an initial review.

* Stage 2: If "yes" observations remain after the initial review, the Regional Manager is required to complete a more comprehensive fact finding report.

* Stage 3: If "yes" observations remain after the comprehensive review, the Contracts team are asked to complete a risk indicator report. This includes details of past performance or compliance issues.


* Stage 4: The Modern Slavery Response Group (membership is being reviewed, but is likely to include representation from Legal) is convened to discuss the report produced by the Regional Manager and the Contracts team. The Group supports the Regional Manager in making a decision on whether the matter should be referred to the First Responder (Unseen UK) organisation.

* Stage 5: If a decision is made to refer to the First Responder organisation, the Regional Manager will make the referral.

Unseen UK are one of a number of organisations designated by the Government as authorised to investigate modern slavery reports.

Last financial year, 432 observation surveys were completed. These included six "yes" observations, none of which reached stage 5. In the first four months of this financial year, 2,272 observation surveys were completed. These included 46 "yes" observations and only one of these has reached stage 5. The numbers have increased significantly as the survey process is now fully operational and increased training to Area Managers means they are now more aware of what to look out for.

In the previous financial year, the Modern Slavery team introduced a new supplier evaluation audit, which was deployed proactively on a sample of 10 suppliers, selected on a risk basis. This will be an ongoing process within POL's supply chain.

MI on modern slavery observations is available and is monitored weekly by one of the two team members. There is a bespoke page in the Power BI dashboard tool that highlights any observations requiring action. This is reviewed at the start of each week and sent to Regional Managers, and their responses are tracked in an Excel file accessible only to the Modern Slavery team. MI is not provided to anyone outside of the Modern Slavery Response Group. It is our understanding that there is currently no QA process in place around how each modern slavery observation is addressed after it is passed to an Area Manager for further assessment.

At present, the team do not report on investigations or outcomes to anyone within POL. The need for a framework for appropriate upward reporting has been identified by the

Modern slavery - Overview of current investigation process (cont'd)

People

Training has been rolled out to all POL employees this year and has been completed by over 99% of staff. The aim of the training is to enable all POL staff to identify the signs of modern slavery/forced labour. It is POL's intention that this will be refreshed annually.

There is no formal training on how to investigate modern slavery allegations; however, further technical training for the Modern Slavery Response Group has been identified as a key area of development for the coming financial year.

Infrastructure

The observations are fed back to the Modern Slavery team using Microsoft Forms,
and the data is exported and visualised in the Microsoft Power BI dashboard.

Modern Slavery Response Group decisions are recorded on an Excel action log file within the Modern Slavery Teams site that is maintained throughout the year.

Assessment of current process

The recent focus on POL’s approach to the prevention and investigation of modern
slavery within the branch network has led to improved processes being
implemented. The team's planned actions are likely to improve the process further in
the next 12 months.

The Modern Slavery Response Group currently includes Legal, and other teams with
prior experience of modern slavery reporting, such as Procurement and Supply
Chain, meaning the team utilises the expertise within the organisation, however the
membership is being streamlined to ensure effective review.

Observation surveys completed by the field team do not undergo formal triage due to
the low number of “yes” observations.


If the volume of reviews increases, it may be necessary to classify investigations as low to high risk; however, this is not currently considered necessary.

As required, modern slavery concerns are escalated to the First Responder organisation (Unseen UK) who have the expertise and authority to investigate.

MI is available and is monitored weekly and responses from Regional and Area managers tracked and chased; however, the MI is not reviewed by anyone outside the team.

All POL employees are required to undertake annual modern slavery training and there has been very high uptake. This leads to awareness of the impact of modern slavery and the ability to spot red flags and report them appropriately for further review. There is currently no training on how to investigate suspicions of modern slavery; however, the Modern Slavery Response Group will receive additional technical training in this area to ensure they can appropriately assess the most complex cases.

MI is maintained using Excel and Microsoft Teams. The completed Microsoft Forms documents (the 'observations') are also held in the secure Teams site which is only accessible to the Modern Slavery team. Given the current small number of investigations / observations considered by the Modern Slavery Response Group, this currently appears to be appropriate.

All observation surveys with a "yes" observation are reviewed by Regional Managers and all subsequent reports are reviewed by the Modern Slavery Response Group. We have been informed that the surveys and reports would be pushed back if they did not contain the correct level of detail. However, there is no QA process over observation surveys that do not contain a "yes" response.

Recommendations

As part of our review we have identified a number of areas for improvement, these
are detailed on the following slide.


Modern slavery - areas for improvement

Governance and process

Observation:

* Currently, there is no formal triage process in place to identify the high risk 'observations' findings due to the low volume of yes findings identified, meaning all cases are reviewed in a timely manner.

Recommendation:

* Should the volume of cases increase, consideration should be given as to whether a triage system of classifying some reviews as more high risk than others is needed.

Observations:

* Any cases identified as requiring a more detailed review are referred to the Modern Slavery Response Group who meet monthly; detailed investigation is carried out by the Regional Manager.

* Investigating managers may only undertake a small number of investigations a year, if any, resulting in a wide range of experience and ability.

* There could therefore be a lack of consistency in how investigations are undertaken, documented and reported to the Modern Slavery Response Group.

Recommendation:

* The capability of the investigator, their independence and how their performance can be assessed should be considered in relation to Regional Managers undertaking investigations.

Observation:

* Currently, although MI is produced it is not reviewed outside of the Modern Slavery Response Group, meaning there is no oversight of the level of modern slavery observations being reviewed and the outcomes.

Recommendation:

* The policy should determine who has oversight of and responsibility for the outcomes of the Modern Slavery Response Group's decisions.

Observation:

* The process is very reliant on the field teams being able to identify the signs of modern slavery and escalate them accordingly.

Recommendation:

* Field teams and Area Managers should receive regular reminders of red flags to look out for, in addition to completion of the mandatory annual training.

Key (the icons in the original table refer to these themes):

* Investigations are not conducted consistently
* No consistent triage process
* No consistent monitoring and reporting
* No consistent approach to QA
* Limited evidence of lessons learnt
* Use of Area / Line Managers to conduct investigations
* Lack of investigation training
* No consistent use of an investigations CMT


Modern slavery - areas for improvement (cont'd)

Governance and process

Observation:

* There is currently no QA process over observation surveys that do not contain a "yes" response, and 'lessons learnt' materials are not shared regularly.

Recommendation:

* Once the process is more established, the Modern Slavery team should perform a QA (on a sample basis) over observation surveys that do not contain a "yes" response, and share lessons learnt on a periodic basis.

People

Observations:

* Although general modern slavery training has been rolled out to all POL staff this year, we understand that there is limited technical knowledge of how allegations of modern slavery should be managed within POL outside of the Procurement and Supply Chain teams.

* We understand there are no modern slavery specialists within POL who would be able to perform a more complex investigation (i.e. beyond initial fact-finding) if required.

Recommendation:

* Additional technical training could be provided to the Modern Slavery Response Group; however, it is important to identify who would undertake a complex investigation and ensure they have sufficient training / expertise.

Observations:

* There is a risk that Area Managers are not independent as they may have a close relationship with the Postmaster.

* Regional Managers and the Modern Slavery Response Group are also aware of any highlighted issues.

Recommendation:

* The independence of those highlighting issues should be considered and Area Managers asked to confirm that they are independent.

Infrastructure

Observations:

* The weekly 'observations' MI is sent to Regional Managers, and the responses from them are tracked in an Excel file accessible only to the modern slavery team.

* Modern Slavery Response Group decisions are recorded on an action log file in Excel that is maintained throughout the year.

Recommendation:

* Consideration should be given as to whether the Area Manager responses and the Modern Slavery Response Group decisions should be held in an alternative format to an Excel file.


Future state TOM

The details of what is needed to develop the CIU.


What is an operating model?

An opera strategy. By considering six key components, we ensure
that a hol

[Figure: Investigations Operating Model, shown as six components around a central "Investigations Operating Model"]

Monitoring & Reporting
— Measurement framework
— KPIs, MI & dashboards
— Reporting processes

Services, Processes & Capabilities
— Process framework
— Interaction between functions
— Capabilities

Organisation & Governance
— Organisational structure
— Governance structure
— Escalation paths

Technology
— Supporting tools
— Technology infrastructure

People & Skills
— People management
— Skills & capability planning & development
— Roles & responsibility

Standards & Protocols
— Evidence gathering
— Document handling protocols
— Retention and storage
— Interviews


Building blocks

We have identified the following key building blocks which are required to develop our target operating model over POL's investigations.

A. Services

* Outlines the scope of the CIU and the services to be provided.

B. Processes

* Outlines proposed core processes delivered as part of the services provided.

C. Investigations processes RACI

* Outlines proposed RACI framework for the CIU processes. Detailed design slides and process maps can be found at appendix 2 to 4.

D. Capabilities and organisational structure

* Captures capabilities required to consistently and reliably manage investigations within the CIU and describes the CIU team structure and roles.

E. Interfaces

* Details proposed interfaces for the CIU with business teams and SMEs within POL.

F. Governance

* Details proposed governance framework over investigations.

G. Monitoring and reporting

* Details MI, reporting and quality assurance requirements over investigations.

H. Standards and protocols

* Details proposed standards and protocols for high risk and whistleblowing investigations.

I. Technology and data

* Summarises technology needed for the CIU and the requirements of a case management tool.


Services

Outlines proposed scope of CIU and the services to be provided.

CIU Services - target state


The table below sets out the six core services that the CIU will deliver; these are aligned to the areas of change that the current state assessment identified (as set out in the Exec Summary). The processes supporting each service are outlined in the following process sections.

Service 1: Set investigation standards

Objective:

* To ensure all investigations are delivered in line with a set of minimum standards and protocols, by an independent investigator using subject matter experts as required.

* To develop a strategy and approach for identifying and conducting high risk and whistleblowing investigations across POL.

Description:

* The minimum standards determine how investigations are conducted and will ensure consistency of approach and independence of the investigator. The process will also ensure that investigators understand their roles, responsibilities and accountability for outcomes and that SMEs across POL are engaged on investigations at the appropriate time. Minimum standards to be incorporated in the GIP.

* The CIU determines how high risk and whistleblowing investigations are identified, conducted and resolved from end to end, including what capabilities need to be developed within the CIU and what standards and processes are required in order to meet criminal and/or civil requirements.

Service 2: Execute high risk and whistleblowing investigations

Objective:

* To ensure that high risk and whistleblowing investigations are fair and objective, properly planned, resourced and executed in line with set standards and procedures.

Description:

* The process includes specific steps that the CIU needs to undertake to investigate high risk and whistleblowing cases and to adhere to market practice. This includes logging, scoping and allocating the investigation to an appropriately qualified investigator, and ensuring fact finding and evidence gathering is undertaken, recorded and maintained in accordance with relevant standards.

Service 3: Provide appropriate oversight to review and ratify outcomes for high risk and whistleblowing investigations and case closure

Objective:

* To ensure that investigation outcomes are fair and appropriate based on the evidence gathered and that outcomes are ratified in accordance with delegated authority.

* To ensure that recommendations and outcomes are appropriate and actioned.

Description:

* The review process will determine how the CIU ensures fair, objective and robust outcomes for all high risk and whistleblowing investigations. Levels of delegated authority will be established for high risk cases (including whistleblowing) to determine accountability for outcomes. A decision review forum will be established to ratify outcomes for critical or sensitive cases to ensure they are evidence based and made by those with appropriate seniority and independence within the CIU/POL.

* The review process will also provide a method for escalating significant or priority cases that need raising with GE, Board or Whistleblowing NED.

Service 4: Consistent monitoring and reporting over all investigations

Objective:

* To develop and monitor investigation KPIs and MI and report to the appropriate executive and board forums.

* To provide an escalation route for cases with multiple touchpoints.

* To monitor and identify trends and root cause of whistleblowing and high-risk investigations so that feedback can be provided to the business.

Description:

* The CIU needs to be able to provide credible MI to the appropriate lines of reporting so that there is visibility of investigations at a senior level within POL, whilst maintaining confidentiality requirements over high risk and whistleblowing cases.

* Cases which are passed between multiple business teams may require an escalation route if next steps are not being actioned appropriately.

* By monitoring and identifying trends and root cause of incidents the CIU can help POL address issues proactively and feedback findings to the relevant business teams to drive improvements.

CIU Services - target state (cont'd)


Service 5: Assure investigations quality

Objective:

* To assess the quality of completed low risk investigations to ensure adherence to minimum standards.

* To ensure the CIU operates in line with agreed policies and processes.

Description:

* Periodically the CIU will undertake quality assurance checks over low risk investigations conducted by business teams to check adherence to minimum standards, identify gaps and feedback findings.

* Internal Audit to undertake periodic quality assurance reviews over the CIU processes to check adherence to standards and agreed processes.

Service 6: Develop investigation capabilities

Objective:

* To identify gaps in investigations training of CIU staff or any relevant professional qualification requirements on a regular basis across the CIU.

* To identify CIU capability deficiencies, develop resourcing strategies and remediate as required.

* To train business teams on minimum investigation standards and protocols.

* To provide business teams with general investigations training.

Description:

* Identify additional training requirements and updates resulting from changes to investigation standards, regulatory requirements or investigations technology to ensure that CIU staff knowledge remains current and that continued professional development (CPD) requirements are met.

* Continually assess and review capability requirements across the CIU to ensure the team have the required capabilities to meet their objectives.

* Provide training to all business teams on minimum standards and protocols to improve consistency and professionalise the investigations undertaken across POL.


Mapping findings to key areas of change and CIU services

The table below maps the current state assessment key themes (section 3) to the key areas of change (slides 14-17) and to the CIU services (slides 33 and 34).

Current state assessment key findings:
* Investigations are not conducted consistently across POL
* Business teams often use Area Managers and Line Managers to conduct investigations
Key areas of change:
* Introduce minimum standards over investigations and clarity over application of the GIP
CIU service:
* Set investigation standards

Current state assessment key findings:
* There is no clear consistent triage process in place across POL to identify high risk cases
* Lack of overarching governance and oversight over high risk investigations
Key areas of change:
* Implement consistent triage over all investigations
* Introduce centralised approach to high-risk and whistleblowing investigations and implement a consistent investigations workflow
* Introduce consistent case management system
CIU service:
* Execute high risk and whistleblowing investigations

Key areas of change:
* Introduce a centralised approach to high risk and whistleblowing investigation outcomes
CIU service:
* Provide appropriate oversight to review and ratify outcomes for high risk and whistleblowing investigations

Current state assessment key findings:
* Lack of consistent monitoring and reporting over all investigations
* There is limited evidence of 'lessons learnt' and continuous improvement arising from investigations across POL
Key areas of change:
* Consistent monitoring and reporting over all investigations
* Introduce lessons learnt and continuous improvement
CIU service:
* Monitor investigations and report

Current state assessment key findings:
* There is no consistent approach to quality assurance across the business teams
Key areas of change:
* Introduce independent quality assurance
CIU service:
* Assure investigations quality

Current state assessment key findings:
* There is a lack of training in respect of investigations across POL
Key areas of change:
* Develop training over investigations standards and processes
CIU service:
* Develop investigation capabilities

Current state assessment key findings:
* There is no consistent use of an investigations case management tool across POL
Key areas of change:
* Understand and improve the functionality of the case management systems used across the business teams
CIU service:
* Part of implementation road map to set up a CIU case management tool

© 2021 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

Document Classification: KPMG Confidential


Processes

Outlines proposed processes for the CIU.


DRAFT FOR DISCUSSION PURPOSES ONLY

CIU investigation processes - target state

Services and their L1 processes:

1. Set investigation standards
1.1: Set minimum standards across all investigations for the business teams
1.2: Set criteria for use of SMEs
1.3: Set criteria for escalation of cases to CIU by the business teams
1.4: Develop CIU investigation strategy
1.5: Develop CIU policies and processes
1.6: Plan CIU capacity

2. Execute high risk and whistleblowing investigations
2.1: Triage cases escalated to CIU by business teams
2.2: Triage whistleblowing cases
2.3: Scope whistleblowing and high-risk cases
2.4: Investigate whistleblowing cases
2.5: Investigate / support the investigation of high-risk cases

3. Provide oversight to review high risk and whistleblowing investigation outcomes
3.1: Ratify high risk and whistleblowing investigation outcomes
3.2: Monitor recommended actions and outcomes to closure for high risk and whistleblowing cases
3.3: Develop escalation of significant high risk and whistleblowing cases

4. Monitor investigations and report
4.1: Develop KPI and MI data for whistleblowing and high-risk cases
4.2: Collate investigations MI and KPIs from business teams and report to ARC
4.3: Report to the ARC on all MI and KPIs in relation to whistleblowing and high-risk cases
4.4: Provide an escalation route for cases with multiple touchpoints
4.5: Provide lessons learnt analysis in relation to high risk and whistleblowing cases for business teams to ensure continuous improvement

5. Assure investigation quality
5.1: Provide QA on a sample of business team low risk investigations on a regular basis
5.2: Independent assurance from Internal Audit over CIU processes and controls

6. Develop investigation capabilities
6.1: To identify gaps in investigations training or any relevant professional qualification requirements on a regular basis across the CIU teams
6.2: To identify CIU capability deficiencies, develop resourcing strategies and remediate as required
6.3: Train business teams on minimum investigation standards and protocols
6.4: To provide business teams with general investigations training

CIU investigation processes - target state (continued)

The table below sets out the target state L1 processes for the six services the CIU will deliver.

Services / Processes / Description

1. Set investigation standards

1.1: Set minimum standards across all investigations for the business teams and third parties (e.g. MyHRHelp).
Develop minimum standards and protocols for all investigations. The minimum standards will include, but not be limited to, evidence gathering, document handling, reporting and decision making. The minimum standards will also define investigator independence requirements and will clearly set out investigators' roles, responsibilities and accountability for outcomes. Standards are reflected in the GIP.

1.2: Set criteria for use of SMEs.
Set criteria for when business teams need to involve SMEs including Legal, Cyber, Data Protection, Security and HR. Formalise communication channels and recording of SME involvement. The referring business team remains accountable for investigations. Set criteria for when investigations may require legal privilege.

1.3: Set criteria for escalation of cases to CIU by the business teams.
Based on set criteria, business teams identify whether a case is high risk and requires escalation to CIU using an agreed mechanism (e.g. CIU mailbox).

1.4: Develop CIU investigation strategy.
Develop strategy and framework for high risk and whistleblowing investigations, including setting risk appetite.

1.5: Develop CIU policies and processes.
Set investigations standards for high risk and whistleblowing investigations. Consider the requirement for additional protocols around collating and securing evidence, document handling and preserving the integrity of evidence. Review whistleblowing standards for confidentiality requirements.

1.6: Plan CIU capacity.
Assess demand for high risk and whistleblowing investigations and relevant time requirements for completion. Determine staff capacity in order to plan resource requirements.

2. Execute high risk and whistleblowing investigations

2.1: Triage cases escalated to CIU by business teams.
High level review of cases to understand the allegation and check that the criteria for high risk are met and the case should be accepted. Includes initial intelligence gathering, discussion with the escalating business team, prioritisation and allocation to the relevant team (either CIU, business team or a combination).

2.2: Triage whistleblowing cases.
High level review of cases to understand the allegation, gather initial intelligence, prioritise and allocate to the relevant team.

2.3: Scope whistleblowing and high-risk cases.
Investigation scoping to follow the standard investigations workflow, including identifying potential sources of information, interviewees and documentation. Timelines should be set, and the objectives of the investigation clearly identified. Key stakeholders should also be identified. Set criteria for consulting SMEs including Legal and formalise communication channels.

2.4: Investigate whistleblowing cases.
Investigation should be conducted in line with relevant whistleblowing and high risk standards and protocols. Set process for recording findings, maintaining integrity of evidence and determining outcomes. Set process for revised scoping if the direction of the investigation changes.

2.5: Investigate / support the investigation of high-risk cases.
Investigation should be conducted in line with relevant standards and protocols. Set process for recording findings, maintaining integrity of evidence and determining outcomes. Set process for revised scoping if the direction of the investigation changes.

CIU investigation processes - target state (continued)

The table below sets out the target state L1 processes for the six services the CIU will deliver.

Services / Processes / Description
3. Review high risk and whistleblowing investigation outcomes

3.1: Ratify high risk and whistleblowing outcomes.
Set up levels of delegated authority for high risk cases (including whistleblowing) to determine accountability for outcomes. Set up Decision Review Forums where outcomes of the most high risk POL investigations can be ratified by the Head of CIU and, if appropriate, the whistleblowing NED, in consultation with the relevant business teams and Legal in accordance with delegated authorities.

3.2: Monitor actions and outcomes to closure for high risk and whistleblowing cases.
Monitor investigations to ensure outcomes and recommendations are actioned and the investigation is closed. The process should include checking that actions have been recorded and all relevant documentation has been saved and stored.

3.3: Develop escalation route for significant high risk or whistleblowing cases.
Set criteria and mechanism for fast-track escalation of significant risk cases to the RCC and the ARC.

4. Monitor investigations and report

4.1: Develop KPI and MI data for whistleblowing and high-risk cases.
Set KPIs and produce MI on a weekly/monthly basis for high risk and whistleblowing investigations. Need to ensure confidentiality requirements are upheld for all high risk and whistleblowing cases.

4.2: Collate investigations MI and KPIs from business teams and report to ARC.
Identify lines of reporting and develop a process for business teams to submit MI and KPI information to CIU on a weekly/monthly basis. Develop a process for collating and submitting data along reporting lines, including accuracy and completeness checks.

4.3: Report to the ARC on all MI and KPIs in relation to whistleblowing and high-risk cases.
Identify lines of reporting and produce appropriate dashboards that provide the required information whilst maintaining confidentiality requirements. Consider requirements of GE, Board and whistleblowing NED.

4.4: Provide an escalation route for cases with multiple touchpoints.
Develop an escalation process for cases where business teams can raise issues over next steps not being actioned.

4.5: Provide lessons learnt analysis for high risk and whistleblowing cases to ensure continuous improvement.
Identify root cause analysis and trends from monitoring high risk and whistleblowing cases, capture findings and lessons learnt and feed back to relevant business teams to ensure continuous improvement.

5. Assure investigation quality

5.1: Provide QA over a sample of business team investigations on a regular basis.
Assess the quality of a sample of completed investigations against the set minimum standards, identify gaps in investigation standards and report findings with recommendations for improvement.

5.2: Independent assurance from Internal Audit over CIU processes.
Set timescale for independent assurance by Internal Audit over new processes and set up of CIU (potentially 18-24 months after set up) and periodic monitoring thereafter.

CIU investigation processes - target state (continued)

The table below sets out the target state L1 processes for the six services the CIU will deliver.

Services / Processes / Description

6. Develop investigations capabilities

6.1: To identify gaps in CIU investigations training or any relevant professional qualification requirements.
Understand ongoing training requirements and updates. Identify relevant investigations courses and any CPD requirements for the team, provide updates on changes to regulatory requirements and standards. Consider relevant training platform.

6.2: To identify CIU capability deficiencies, develop resourcing strategies and remediate as required.
Continually assess and review the capability requirements of the CIU and identify areas where additional capabilities are required. Consider whether these are an ongoing requirement requiring additional staffing or technology, or whether they could be outsourced for specific investigations.

6.3: Train business teams on minimum investigation standards and protocols.
Develop/update training programmes and materials in relation to minimum standards and any investigation updates. Develop a process for training business teams on a rotational basis. Consider new joiners, updates to minimum standards and any feedback from quality assurance/lessons learnt.

6.4: To provide business teams with general investigations training.
Develop a general investigations training programme including details over document handling, evidence gathering and interviewing.


POL investigations processes RACI

Outlines proposed RACI framework for the CIU processes


POL investigations process RACI - target state

The table below sets out responsibilities and accountabilities for the POL investigations process. Columns: CIU, Business teams, Other, Comment. Key: R - Responsible; A - Accountable; C - Consulted; I - Informed.

1. Set investigation standards
1.1: Set minimum standards across all investigations for the business teams. CIU: AR; Business teams: CI; Other: Audit & Risk Committee - I.
1.2: Set criteria for use of SMEs. CIU: AR; Business teams: CI.
1.3: Set criteria for escalation to CIU by the business teams. CIU: AR; Business teams: CI.
1.4: Develop CIU investigation strategy. CIU: AR; Business teams: I.
1.5: Develop CIU policies and processes. CIU: AR; Business teams: I; Other: Audit & Risk Committee - I.
1.6: Plan CIU capacity. CIU: AR; Business teams: CI.
Develop investigation strategy for low-risk cases. Business teams: AR; Other: Audit & Risk Committee - I.

2. Execute high risk and whistleblowing investigations
2.1: Triage high risk cases escalated to CIU by business teams. CIU: AR.
2.2: Triage whistleblowing cases. CIU: AR.
2.3: Scope whistleblowing and high-risk cases. CIU: AR; Other: Legal - CI.
2.4: Investigate whistleblowing cases. CIU: AR; Business teams: CR. Comment: Business teams may get asked to get involved based on required expertise.
2.5: Investigate / support the investigation of high-risk cases. CIU: AR; Business teams: RC; Other: Legal - CI.
Triage cases. Business teams: AR.
Escalate high-risk cases. Business teams: AR.
Scope and investigate low-risk cases. Business teams: AR.

3. Review high risk and whistleblowing investigation outcomes
3.1: Ratify high risk and whistleblowing outcomes. CIU: AR; Business teams: RC as appropriate; Other: Legal - CI, Whistleblowing NED - RCI. Comment: Involvement based on risk profile.
3.2: Monitor actions and outcomes to closure for high risk & whistleblowing cases. CIU: AR.
3.3: Develop escalation route for significant high risk or whistleblowing cases. CIU: AR; Business teams: CI.
Ratify outcomes of low risk cases. Business teams: AR.


POL investigations process RACI - target state (continued)

The table below sets out responsibilities and accountabilities for the POL investigations process

Columns: CIU, Business teams, Other, Comment. Key: R - Responsible; A - Accountable; C - Consulted; I - Informed.

4. Monitor investigations and report
4.1: Develop KPI and MI data for whistleblowing and high-risk cases. CIU: AR.
4.2: Collate MI and KPI information from business teams on investigations. CIU: AR; Business teams: R.
4.3: Report to the ARC on all MI and KPIs in relation to whistleblowing and high-risk cases. CIU: AR; Other: Legal - I.
4.4: Provide an escalation route for cases with multiple touchpoints. CIU: AR; Business teams: RC.
4.5: Provide lessons learnt analysis for high risk and whistleblowing cases. CIU: AR; Business teams: I.
Produce KPI and MI on low-risk cases. CIU: I; Business teams: AR.

5. Assure investigation quality
5.1: Provide QA over a sample of business team investigations on a regular basis. CIU: AR; Business teams: CI.
5.2: Independent assurance from Internal Audit over CIU processes. CIU: I; Other: Internal Audit - AR.
Provide QA on low-risk cases. CIU: I; Business teams: AR.

6. Develop investigations capabilities
6.1: To identify gaps in investigations training or any relevant professional qualification requirements. CIU: AR; Business teams: RCI.
6.2: To identify capability deficiencies, develop resourcing strategies and remediate as required. CIU: AR; Business teams: RCI.
6.3: Train business teams on minimum investigation standards and protocols. CIU: AR; Business teams: RCI.
Train on subject specific processes. CIU: I; Business teams: AR.
Identify trends, root causes and lessons learnt on low-risk cases. CIU: I; Business teams: AR.


Capabilities and organisational
structure

Captures capabilities required to consistently and reliably manage
investigations within the CIU and describes the CIU team structure
and roles


CIU capability requirements

Based on the scope of services and processes to be undertaken by the CIU, the following capability requirements have been proposed. Further details of capabilities are included at Appendix 5.

Purpose of CIU

To provide assurance that investigations conducted by POL are of an appropriate standard, conducted by appropriately qualified individuals and adhere to market practice, with the necessary records created, maintained and retained in order for POL to discharge its obligations, including those required by statute.

To ensure high risk and whistleblowing investigations are fair, objective, properly planned, resourced and executed, and that recommendations and outcomes are actioned and reported to appropriate executive and board forums, with decisions made in accordance with delegated authorities.

Required competencies and experience
+ Investigation expertise
+ Whistleblowing
+ Intelligence gathering
+ Strong report writing and communication skills
+ Understanding of criminal and civil procedure requirements
+ Professional scepticism
+ Access to forensic accounting experience
+ Ability to liaise with LEA and other regulatory bodies

Required technical capabilities and certifications

CIU proposed team structure

The proposed CIU team structure is as follows. The indicative cost of the team is in

It is proposed that the Head of CIU reports into the Group Legal Director to:
+ Align with ownership of the GIP and the CLEP
+ Separate the 1st and 2nd lines of defence
+ Apply legal privilege for high risk investigations
+ Demonstrate the importance and focus that POL have given to this area.

Proposed structure (chart legend: internal transfers / new roles):

Group Legal Director
  Head of CIU (Band 4)
    Whistleblowing and Reporting manager (Band 3A/B)
      + Triage whistleblowing reports to identify whether investigation is required and, if so, commission investigations
      + Provide oversight over intelligence gathering and reporting activities
    Investigations manager (Band 3A/B x 2)
      + Draft changes to investigations policies and standards
      + Collate lessons learnt
      + Investigate high profile cases
      + Provide oversight on QA and training activities performed by Investigators
      + Perform QA on high risk investigations
      + Liaise with LEAs and/or regulatory bodies
    Intelligence analyst (Band 2A/B)
      + Monitor the whistleblowing reporting line and high-risk cases triage
      + Produce MI and reporting for CIU and perform trends analysis
      + Consolidate MI provided by business teams
    Investigators (Band 2A/B x 2)
      + Perform both whistleblowing and high-risk investigations (support and perform), with a reporting line to both the Whistleblowing manager and the Investigations manager; line managed by the Investigations manager
      + Identify training requirements, develop training content and deliver training on minimum investigation standards
      + Conduct QA on low risk cases

Note: The SLC criminal and SLC disputes also report to the Group Legal Director.

CIU investigation roles

The Investigations Team's work will involve five key areas:

Governance: The CIU team will have responsibility for driving change in relation to the minimum standards and protocols for business teams undertaking investigations. The CIU team will develop communication channels for use of SMEs and the routes of escalation up to the CIU. Development of CIU strategy and operational activity will also be undertaken by the CIU team.

Investigations: The CIU team will lead the most complex, sensitive or high profile high risk investigations, bringing in SME expertise as appropriate. Where a high risk investigation is run by a business team, the CIU team will provide advice and support. Whistleblowing cases will be undertaken by the CIU team unless it is more appropriate to involve a business partner, in which case the whistleblowing manager will have oversight to ensure independence. The CIU team will have accountability for high risk investigation case outcomes.

Training: The CIU will develop training for business teams undertaking investigations and roll this out as part of the POL continuous development programme.

QA: The CIU team will undertake periodic QA of low risk investigations undertaken by the business teams and provide feedback to help continuous development.

MI: The business teams will provide MI and KPI data to the CIU team, who will collate the data to allow comprehensive reporting of investigation data. The CIU team will also provide detailed MI and KPI data over whistleblowing and high risk cases, including trend analysis, lessons learnt and root cause analysis. The CIU will provide lessons learnt analysis in relation to high risk and whistleblowing cases for business teams to embed into processes as required.


CIU key investigation team roles

The key investigation roles proposed are as follows.

Role / High level description / What issues does this address?

Head of Investigations (Band 4)
+ Leads the CIU, reporting into the Group Legal Director. Represents the team when dealing with high profile investigations, including providing evidence in court.
+ Provides oversight of the team's work and provides challenge and feedback to the investigations teams in other business areas (including defining and monitoring key KPIs for investigations).
+ Raises awareness of the importance of investigations standards internally.
Issues addressed:
+ Clear reporting lines to board level / leadership
+ More centralised monitoring of key KPIs for investigations
+ Improved oversight and challenge of investigation processes across POL.

Whistleblowing Manager (Band 3A/B)
+ Line managed by the Head of CIU but with a direct reporting line to the Whistleblowing NED.
+ Triage whistleblowing reports to identify whether investigation is required and, if so, commission investigations.
Issues addressed:
+ Confidentiality and independence of management of whistleblowing reports.

Investigations manager (Band 3A/B)
+ First line decision making.
+ Investigate high profile cases.
+ Monitor recommended actions and outcomes to closure for high risk and whistleblowing cases.
+ Provide lessons learnt analysis in relation to high risk and whistleblowing cases for business teams to embed into processes as required.
+ Provide oversight on QA and training activities performed by Investigators.
+ Perform QA on high risk investigations performed by investigators.
+ Liaise with LEAs and/or regulatory bodies.
Issues addressed:
+ Independence of investigations of high profile cases
+ Provides assurance over low risk cases.

CIU key investigation team roles (continued)

The key investigation roles proposed are as follows.

Role / High level description / What issues does this address?

Investigators (Band 2A x 2)
+ Experienced investigators.
+ Perform both whistleblowing and high-risk investigations (support and perform) and liaise with SMEs as required.
+ Reporting line to both the Whistleblowing manager and Investigations manager. Line managed by Investigations manager.
+ Plan, scope and execute fact-finding investigations including interviews, document review and evidence gathering.
+ Clearly documented, evidence based findings for discussion with Head of CIU to determine and agree outcomes and next steps.
+ Periodically undertake QA over low risk investigations and feed back findings.
+ Annually, develop, plan and deliver training to business teams on investigation standards.
Issues addressed:
+ Professionalises high risk and whistleblowing investigations.
+ Appropriately qualified, and investigation adheres to relevant standards and protocols.
+ Independent approach.
+ Clearly documented audit trail.
+ Evidence based outcomes.
+ Provides assurance over low risk cases.
+ Provides investigations training to business teams.
+ Lack of capacity to conduct high risk cases: it has been estimated that 2 FTEs are needed to lead investigations on 51 whistleblowing cases. There were 31 high risk employee related cases in the last 12 months; going forward those might be at least partially conducted by the CIU.

Intelligence analyst (Band 2A)
+ Logs and accepts high risk cases from business teams and monitors the whistleblowing reporting line.
+ Initial intelligence gathering to assess allegations and prioritise and allocate cases.
+ Discusses allocation of cases with Whistleblowing manager and/or Investigations manager.
+ Produces KPI and MI data for whistleblowing and high-risk cases.
+ Collates MI information from business teams on investigations undertaken.
Issues addressed:
+ Confirms escalation of high risk investigations.
+ Cases logged and tracked.
+ Increased visibility across POL of investigations through MI.


Interfaces

Details proposed interfaces between the CIU, the business teams
and other SMEs within POL


CIU interface with business teams

This slide outlines key interfaces for the CIU with POL business teams and other POL SMEs. (Diagram; only fragments of its labels survive: business teams conducting low risk investigations; guidance and requirements; provide quality assurance; Internal Audit; MLRO (Financial crime).)

Governance

Details proposed governance framework over investigations


CIU governance over outcomes of high risk and whistleblowing cases

(Diagram layers, top to bottom, with a reporting and escalation axis running from the operational level up to the strategic level.)

Strategic: Audit, Risk and Compliance Committee; Risk and Compliance Committee.

Steering: CIU Steerco / review decision forum (Head of CIU; relevant business team lead).

Operational:
+ Whistleblowing decision forum (CIU investigator; relevant business investigator if applicable)
+ High risk decision forum (CIU investigator; relevant business investigator if applicable)
+ Initial decision forum (CIU investigator; relevant business investigator if applicable)
+ Business teams


CIU governance over investigation standards and policies

Based on the scope of services and processes to be undertaken by the CIU, the following governance over investigation policies is proposed. (Diagram layers, top to bottom, with a reporting and escalation axis.)

Strategic: Audit, Risk and Compliance Committee; Risk and Compliance Committee.

Steering:
+ POL investigation standards oversight forum (Head of CIU; Franchising/Partnering CSO; Compliance Director; ER & Policy Director)
+ CIU strategy and policies oversight forum
+ Whistleblowing strategy and policies oversight forum (Head of CIU; Group Legal Director; Whistleblowing NED; Whistleblowing manager)

Operational:
+ Standards oversight working groups for specific business areas (member of Legal/CIU; business teams)


Monitoring and reporting

Details MI, reporting and quality assurance requirements over
investigations.


CIU MI reporting and quality assurance

Whistleblowing investigations

Management information (MI): The CIU intelligence analyst will log and analyse whistleblowing cases in order to produce monthly MI. The MI will contain details in relation to:
+ New cases (already reported);
+ Area of the business affected (already reported);
+ Cases closed in the period (not reported as of July 2021).

Reporting: The Whistleblowing manager, Group Legal Director and Head of CIU will meet with the Whistleblowing NED once a month to discuss the ongoing cases and cases closed since the previous meeting. Monthly reporting on whistleblowing cases will be included within the Investigations monthly report provided to the relevant reporting line.

Quality assurance: QA is provided informally by the Head of the CIU, who will sample test the closed whistleblowing cases and discuss outcomes with the Whistleblowing manager. Formal QA is provided by an Internal Audit review as part of their ongoing review plan.

High risk investigations

Management information (MI): The CIU intelligence officer will log and analyse high risk cases in order to produce monthly MI. The MI will contain details in relation to:
+ New cases;
+ Cases closed in the period;
+ Area of the business affected; and
+ Actions undertaken as a result.

Reporting: Monthly reporting on high risk cases will be included within the Investigations monthly report provided to the relevant reporting line.

Quality assurance: QA is provided informally by the Head of the CIU, who will sample test the closed high risk cases and discuss outcomes with the Whistleblowing manager. Formal QA is provided by an Internal Audit review as part of their ongoing review plan.

Low risk investigations

Management information (MI): High level MI will be provided by any business teams undertaking investigations on a monthly basis. This will be collated by the CIU intelligence officer to provide high level MI over the total population of investigations undertaken by POL.

Reporting: Reporting over the total population of investigations undertaken by POL will be produced monthly, providing a high level overview. This will not supersede any detailed reporting performed by local business teams.

Quality assurance: Periodically the CIU will undertake quality assurance checks over low risk investigations conducted by business teams to check adherence to the minimum standards, identify gaps and feed back findings. Feedback on findings will be provided to the relevant department and themes included in the relevant reporting.


CIU performance metrics

The following metrics are recommended to be adopted by the CIU:

Governance
• Number of tribunals in the period where POL lost due to discrepancies within the investigation process
• % of closed cases where next steps have been agreed and actioned
• % of cases closed where next steps have not been agreed and actioned
• # of process changes made based on lessons learnt to future proof the business

Investigations
• Number of open cases at a point in time split between high risk and whistleblowing cases
• Number of anonymous cases raised
• Average time taken to close a low-risk whistleblowing case
• Average time taken to close high-risk cases (whistleblowing and other)
• Average time taken to respond to the Whistleblower's initial report
• Average time taken to respond to the Whistleblower on actions taken / final report
• % cases closed within [90] days
• Number of cases not investigated
• Number of appeal cases where the outcomes are upheld or overturned

Training
• Professional qualifications / CPD points earned by the CIU team in the period
• % of the business where training has been rolled out and completed (number of employees completing over total number invited to training)

QA
• Number of QAs undertaken in the period / % against number of investigations undertaken
• Rating from Internal Audit and number of improvement observations
• Feedback score from the business

MI
• # of months where reporting information not received from relevant business team


Standards and protocols

Details proposed standards and protocols for high risk
investigations.


Standards & protocols

All high risk investigations and whistleblowing undertaken by POL should follow clearly defined standards to ensure consistent and robust evidence.

The aim of the GIP is to set “the minimum standards required to ensure that internal investigations, regardless of the scope, are prompt, effective and professionally managed, and that findings are responsibly addressed.”

High risk investigations must be conducted following strict criteria to ensure credible evidence is gathered fairly and accurately, in a timely fashion. The below pillars of investigations are explored in detail in Appendix 3.

Evidence gathering

Well-coordinated evidence gathering is the cornerstone of a successful investigation. Evidence is
needed to enable an investigations function to identify the facts, assess any associated risks, losses
and potential liability, protect POL's reputation and uphold the organisation's values.

Document handling protocols

Professional document handling and strict access controls are critical to ensure the integrity of evidence.

Retention and storage

Evidence should be stored securely and managed carefully to ensure it is not destroyed due to document retention policies.

Interviews

Interviews should be carefully considered and conducted by appropriately experienced individuals.

Further details on standards and protocols are in Appendix 4.


Technology and Data

Summarises technology requirements in regards to case
management tooling for the investigations processes across POL.


Case Management tool requirements

The CIU will need to introduce a case management tool for high risk investigations.

The following slides describe high level functional and non-functional requirements for the CIU case management tool. These need to be developed further as part of the implementation phase.

CIU case management tool - functional requirements

1. Core functional: Ability to quickly record all case details however they come in (email, letter, web, phone).
2. Core functional: Solution should include the ability to triage cases (assign priority based on defined criteria) with ability to configure triage criteria.
3. Core functional: Permit allocation (and re-allocation) of cases and tasks to be generated manually and/or by system at key workflow stages.
4. Core functional: Support the implementation of an investigations workflow (including routing, re-assignment and escalation of cases) configurable to policies.
5. Core functional: Support adherence to correct processes by mandating validation rules (e.g. mandatory information that needs to be entered).
6. Core functional: Display unallocated cases (e.g. by length of time since opened) and include visible prompts ensuring timescales and processes are adhered to.
7. Core functional: Case investigator can provide updates on investigations.
8. Core functional: Ability to upload and store documents and other (external) evidence related to the investigation (e.g. Word, Excel etc.). Microsoft Word and Outlook integration.
9. Core functional: Ability to generate email and letter templates auto-populated with case data to save time and ensure consistency.
10. Reporting: All case records should be searchable, down to document level, with flexible filtering. Linked or precedent cases are tagged.
11. Reporting: Ability to measure, monitor and manage casework using comprehensive dashboards, case and task views with any issues highlighted.
12. Reporting: Provide customisable management information e.g. SLA management, caseload allocation, standard KPIs.

CIU case management tool - non-functional requirements

13. Security: Access to the solution and the underlying data should be governed by user-based security access controls.
14. Data: Case data should be available immediately within the tool and related cases should be allowed to be ‘linked’.
15. Performance: Solution should support concurrent users with no degradation of performance.
16. Performance: Solution should suffer no more data loss in the event of a system failure and recovery from backup.
17. Security: Maintain a robust audit trail of activities carried out as part of the investigation (unalterable, personal, timestamp etc.).
18. Security: Solution should retain an audit trail of all changes made to case information, who by and when.
19. Usability: The solution should enable regular communications to designated roles to inform status of cases by stage of the process (to provide a more joined up investigations experience).
20. Usability: Allow analysis across cases, for example to determine trends and identify common causes.
21. Security: File management and GDPR compliance tools support data protection policies.


Road to implementation

An implementation roadmap to effect the change blueprinted in this TOM.


Moving forward

An implementation roadmap has been created for establishing the CIU.

We have identified the following key initiatives that are required in order to establish the CIU:
• Define & implement CIU org structure
• Define & implement CIU strategy, policies and processes
• Set minimum investigation standards
• Set criteria for engaging with SMEs
• Define and embed high-risk triage framework
• Introduce quality assurance
• Deep dive in specific investigations areas
• Strengthen knowledge management & capability development for investigators
• Introduce consistent MI and reporting
• Introduce case management tool for CIU investigations

We have mapped these into an indicative roadmap. The following slides outline the proposed
implementation roadmap for each initiative and provide a high level scope of activities.


Initiative complexity and impact

[Figure: the ten initiatives plotted on a matrix of Impact (Low to High) against Complexity (Low to High). The plot itself has not survived extraction; labels visible include 1. Define & implement CIU org structure, 2. Strengthen knowledge management & capability development for investigators, 3. Define and implement CIU strategy, policies and processes, 5. (Re-) Set criteria for engaging with SMEs, 7. Introduce quality assurance, 8. Deep dive in specific investigations areas, 9. Introduce consistent MI and reporting and 10. Introduce case management tool for CIU investigations.]


Implementation roadmap

Areas have been identified as having immediate priorities based on levels of complexity, impact and risk.

[Figure: roadmap timeline starting from August and September, with initiatives laid out in workstreams including Process and Technology; labels visible include 1. Define & implement CIU org structure, 7. Introduce quality assurance and 10. Introduce case management tool for CIU investigations. The timeline itself has not survived extraction.]


Scope of initiatives

1. Define & implement CIU org structure
• Recruit a Head of CIU to implement operating model and set up CIU.
• Introduce a CIU with clear reporting lines to board level, to improve governance and oversight of investigations processes across POL and as a specialised unit to lead whistleblowing and high-risk investigations.
Requires: Buy-in from POL GE.

2. Strengthen knowledge management & capability development for investigators
• Identify population of business teams that require training and understand ongoing training requirements and updates. Consider new joiners and updates to minimum standards and any feedback from quality assurance/lessons learnt. Consider relevant training platform.
• Develop/update training programs and materials in relation to minimum standards and any investigation updates. Develop process for training business teams on a rotational basis.
Requires: Buy-in; CIU in place.

3. Define & implement CIU strategy, policies and processes
• Develop CIU strategy and policies.
• Design investigation processes for high risk and whistleblowing cases.
• Introduce consistent investigations workflow over high risk and whistleblowing cases.
Requires: Buy-in from POL GE.

4. (Re-) Set minimum standards
• Develop minimum standards and protocols for all investigations. The minimum standards will include but not be limited to evidence gathering, document handling, reporting and decision making. Minimum requirements will also cover collation of MI and training for all investigators.
• Update and refine GIP and clarify which standards relate to low-risk investigations so that business teams understand how the GIP aligns with their policies and processes.
• Set process for updating business team policies and processes to embed minimum standards into investigations approach and ensure consistency.
Requires: Buy-in from POL GE; CIU in place.

5. (Re-) Set criteria for engaging with SMEs
• Identify criteria for when business teams need to involve SMEs including Legal, Cyber, Data Protection, Security and HR. Formalise communication channels and recording of SME involvement. Referring business team remains accountable for investigations. Set criteria for when investigations may require Legal privilege.
• Set process for updating business team policies and processes to embed use of SMEs into investigations approach.
Requires: Buy-in from business teams; CIU in place.


Scope of initiatives

6. (Re-) Define and embed triage framework
• Set process for business teams to triage cases for investigations including initial review of allegations to understand context and potential implications/outcomes.
• Use criteria set by CIU to identify whether case is high risk, flag any high-risk cases and escalate to CIU.
• Set process for business teams to escalate high-risk cases to CIU through mechanism such as CIU mailbox. Communicate process to business teams to embed in relevant policy and process guides.
• Periodic review to ensure that all high-risk cases have been treated appropriately.
Requires: Buy-in from business teams; CIU in place.

7. Introduce quality assurance
• Develop a process for sampling low-risk investigations across business teams on a periodic basis.
• Develop a process for sampling high-risk and whistleblowing investigations on a periodic basis.
• Set timescale for independent assurance by Internal Audit over new processes and set up of CIU (potentially 18-24 months after set up) and periodic monitoring thereafter.
Requires: Buy-in from business teams and Internal Audit; CIU in place.

8. Deep dive in specific investigations areas
• Perform detailed operating model design to address findings from current state assessment in areas such as HR.
Requires: Buy-in from budget owners.

9. Introduce consistent MI and reporting
• Develop mechanism to identify and record all completed and ongoing investigations for each business team. Validate methodology to ensure completeness of population.
• Develop method of extracting MI for all ongoing and completed investigations. Agree reporting dashboards which are likely to include number and status of investigations, category of investigation, trend analysis, timelines and any unusual activity.
• Identify lines of reporting and develop process for business teams to submit MI to CIU on weekly/monthly basis. Develop process for CIU to collate and submit MI along reporting lines including accuracy and completeness checks.
Requires: Buy-in from business teams.

10. Introduce case management tool for CIU investigations
• Develop detailed requirements for case management tool for each team conducting investigations.
• Explore tool options to select the one that meets requirements.
Requires: CIU in place.


Appendices


Detail of investigatory activities undertaken by POL


A1 Teams undertaking investigatory activities

Introduction

As noted on slide 7, POL has a number of teams that undertake investigatory
activities supported by policies setting out how this work should be undertaken.

Our review has focused on the investigatory activities undertaken by the following
departments:

• Service and Support Optimisation;
• Franchising Partnering;
• Compliance;
• Human Resources; and
• Cyber.

Details of the work undertaken by each team within the relevant department are
summarised below:

Service and Support Optimisation

• Security: the Security team undertake information gathering activities for Law
Enforcement Agencies (LEAs) and for other teams within POL such as the
Whistleblowing team. They also act as police liaison for ongoing criminal cases.

We were informed that Security no longer undertake any investigations for POL.

Security are also used to assess the physical security at branches.


• Network Monitoring: the Network Monitoring team undertake proactive risk based
monitoring of branch data relating to cash and stock to identify potential discrepancies
or any indication that a Postmaster may require additional support. Where an issue is
identified the Network Monitoring team will either contact the branch directly, request
a SPEAR call/visit or announced branch audit, or refer the issue to the Area Manager.
The Network Monitoring team also undertake reactive monitoring of branch data
following internal referrals from teams such as Contracts or Financial Crime. We were
informed all issues identified by Network Monitoring are logged on Dynamics, where
there is a standard template that the team follow and all relevant documents are
stored in Dynamics in the case file. We understand the team produce monthly MI
showing the number of branches reviewed, SPEAR visits/branch audits and referrals.

• Postmaster Dispute Resolution: the Postmaster Dispute Resolution team has
evolved as a result of the GLO and supports Postmasters in resolving branch
accounting discrepancies in order to identify whether or not there are established
gains or losses. Postmasters may dispute a discrepancy or a transaction correction
and the Postmaster Dispute Resolution team will look to resolve the dispute using a
tiering system. Tier 1 provides quick resolution on straightforward single contact
enquiries. Tier 2 is for more complex cases or those not resolved at Tier 1. Cases
that fail to be resolved at Tier 2 are discussed at a weekly review meeting with the
Head of Network Support and Resolution and cases where further investigation is
possible are escalated to Tier 3.

We were informed that Monthly Review Committee meetings are held to discuss
cases assessed as high risk with Legal and Contracts. We understand all cases are
recorded on Dynamics including relevant case notes and relevant documents and
reporting dashboards are produced monthly.

We were informed that if during the course of their work, the team identify any
potential suspicious activity or deliberate wrong doing by a Postmaster they would
escalate the issue to Financial Crime and/or alert the Whistleblowing team so that an
investigation can be undertaken.


A1 Teams undertaking investigatory activities

• Postmaster Complaints: postmaster complaints can be received by Area
Managers, the Branch Support Centre or the Branch Hub. Complaints that cannot
be easily resolved by the recipient are referred to the Issue Resolution team who
log the complaint onto Dynamics (by type) and queue for resolution. If the team
identify a complaint which relates to a whistleblowing disclosure this is passed
to the Whistleblowing team. Complaints relating to suppliers (Royal Mail, Parcel
Force etc), IT digital service desk (ITDSD) training and onboarding are passed to
the relevant teams who then take ownership of the investigation. Other
complaints are investigated by the Issue Resolution team using specialist teams
as required. All investigations are done via Dynamics which records any
responses and emails from specialist teams. The team also use Dynamics to
record the resolution of the complaint. If a case cannot be resolved it is escalated.
Escalated cases are reviewed by the Issue Resolution Manager who also
completes quality assurance reviews over a sample of cases for each complaint
handler every month. Trend monitoring is conducted over the classification of
complaints and results are fed back to the relevant teams.

The Issue Resolution team will liaise with Legal if the complaint has a legal
implication, for example the Postmaster wants to ban a customer from the
branch.

Franchising Partnership

• Audit Support: the Audit Support team conduct SPEAR (informal Postmaster
support) calls/visits and branch cash, stock and foreign currency verification
audits. These audits identify differences between physical stock and cash held at
branch and the volume and value recorded on Horizon. If an issue is identified at
branch this is escalated to Contracts or Area Managers.

The Audit Support team verify that a discrepancy exists but do not investigate
how that discrepancy has arisen.


• Contracts: the Contracts team investigate alleged breaches of contract conditions by
Postmasters. Potential breaches are referred to the Contracts team by other areas of
POL including Area Managers, Network Monitoring, Audit Support, Postmaster
Dispute Resolution, Security and Financial Crime. The Contracts team only
investigate whether Postmasters’ contractual terms have been breached, they do not
investigate the underlying issue. The Contracts team consider three types of contract
issue: performance, suspensions and terminations.

Outcome decisions are made by the Head of Contract Management and Deployment.
For suspensions, additional oversight is provided by POL Legal. For terminations, all
decisions are signed off by the Contract Termination Decision Review Group which
comprises members of Contracts, POL Legal and the relevant Regional Manager. All
contract cases are recorded on Dynamics using a standard template (rationale
document), all of which are password-protected. Whilst MI can be pulled from
Dynamics, we were informed that this only shows a record of cases with a very high
level narrative. There is no formal reporting of Contract investigation outcomes across
the business.

• Customer complaints: the Customer Support team receive customer complaints
relating to POL and third parties. Complaints are logged in Dynamics and
reviewed, and third-party complaints are forwarded to the relevant third party. POL
complaints are triaged based on a set criteria to determine whether an investigation is
required. Low risk cases are allocated to case handlers who will respond to the
complaint. Complaints requiring investigation are uploaded onto Qualtrix and referred
to Area Managers for investigation with the relevant branch. The Area Managers
report the outcome of their investigation via Qualtrix to Customer Support who will
manually update Dynamics and respond to the customer.

If a customer threatens any form of legal action, the Customer Support team contact
Legal; if other suspicious activity is identified the team report to the Whistleblowing
team. Monthly MI is produced identifying the number of complaints, the resolution
times and details of amounts paid out.


A1 Teams undertaking investigatory activities

Overview of POL investigatory activities

Compliance

• Financial Crime: the Financial Crime team receive internal SARs and reports of
suspicious activity that may indicate financial crime. They investigate these
reports using a variety of investigation tools and information gathering sources.
Outcomes are decided on a case-by-case basis and may result in the submission
of a SAR to the NCA and/or cases being referred to Contracts or Security. The
Financial Crime team also respond to Section 7 and DPA information requests, to
requests from the NCA/regulator for further details relating to SARs which have
been raised by POL, and they also provide data in response to a SAR raised by
another agency when the SAR names an individual linked to POL. All cases are
logged and recorded on Dynamics using a standard reporting template and
relevant documentation is uploaded. Monthly MI is produced showing the number
of SARs raised and the number of investigations undertaken.

The team also monitors and investigates foreign currency (bureau) transactions
to identify suspicious activity and undertakes financial crime risk assessment and
assurance reviews, working with POL product managers.

• Conduct Compliance: the Conduct Compliance team undertake compliance
reviews on the sale of financial service products provided by a Principal and sold
through the branch network. These include PO insurance, Capital One credit
cards and Bank of Ireland savings. The compliance standards are agreed with the
Principals and the team coordinate proactive compliance monitoring. Proactive
monitoring is undertaken via the use of mystery shoppers. The mystery shopper
is provided with standards as to what the Postmaster should and should not do
and they report against these using met /not met criteria. Mystery shopper results
are sent to Area Managers each month and they address non-conformance with
the relevant branch. The team also deal with information requests from Principals
responding to customer complaints and the outcome of any Principal
investigations where branch non-conformance was identified as an issue.


• Whistleblowing team: the Whistleblowing manager receives information via the
Whistleblowing mailbox, Speak Up and Grapevine. Cases are logged onto an excel
spreadsheet on the Whistleblowing Teams site and initial fact finding is undertaken to
identify whether the case requires investigation. If a case is classified as serious or
sensitive, Whistleblowing can consult with internal or external legal counsel. If an
investigation is required, the Whistleblowing manager assigns the case to an
investigator. Investigators are Area or Line Managers within the area of business that
the incident has occurred or independent senior Managers. The investigators use an
investigations template to conduct the investigation and gather evidence which is
stored on the Whistleblowing Teams site. The Whistleblowing manager receives and
reviews the completed report from the investigator which includes details of remedial
actions or recommendations and updates the tracker to show the case is closed. The
Whistleblowing manager also liaises with other business areas to follow through on
remedial actions. The Whistleblowing team is looking to recruit two investigators to
undertake all whistleblowing investigations going forward. MI reports are generated
monthly.

• Data Protection team: the Data Protection team investigate potential data protection
breaches, in order to assess whether the incident needs to be reported to the ICO.
The Data Protection team receive referrals via the DP mailbox from a variety of
sources. The Data Protection team only investigate the data protection element of a
case. If the incident relates to a cyber incident, the Data Protection team works with
Cyber to jointly investigate and report on the incident. Non-Cyber related incidents
tend to be branch related and the team ask the relevant Area Manager to investigate
the incident with the branch using a standard template that takes them through the
investigation process. If an incident is serious, the team report it to the ICO within 72
hours. Data protection incidents are currently logged onto an excel spreadsheet that
is kept on SharePoint; however, they are planning to move to OneTrust.

The DP team undertake root cause analysis and feedback to the business as
required. The team also provide information to and/or respond to incidents identified
by POL product providers such as DVLA or MoneyGram. The team also assist other
POL investigations by gathering electronic information including email data.


A1 Teams undertaking investigatory activities

Human Resources

The Employee Relations team own a number of HR policies including Code of
Conduct, Dignity at Work and Grievances. These policies are collective agreements
that have been agreed with the Unions and cannot easily be changed. Each policy
has its own detailed toolkit and guidance/template documents.

HR use an outsourced service provider called Advisor Plus referred to as MyHRHelp
who assist and advise Line Managers undertaking investigations and have a detailed
understanding of the policies and process. MyHRHelp maintain the HR case
management system onto which cases are logged and documentation relating to an
investigation is uploaded and stored. MyHRHelp will log and categorise the case as
low, intermediate or high risk in line with the risk profile advised by the Employee
Relations team. High category cases will include cases that may potentially result in
a dismissal (gross misconduct), cases where there is a complaint against senior
management and discrimination complaints.

MyHRHelp will engage a People Business Partner for high risk cases, giving them
full access to the case. The Employee Relations team has access to the case
management system and can use this to review all cases including those flagged by
MyHRHelp as high risk. The Head of Employee Relations reviews the ongoing cases
on a regular basis. Cases are flagged by MyHRHelp based on their experience and
regular discussions with the Employee Relations team.

• Code of conduct issues: Line Managers would generally identify conduct issues
and manage them accordingly. Line Managers may also be contacted by other
teams such as Whistleblowing or Cyber to ask them to undertake an
investigation. Line Managers are responsible for managing the conduct
(disciplinary) investigation process. The Code of Conduct policy states that the
Line Manager of the employee who is the subject of the allegation is the
appropriate person to investigate unless there is a clear conflict of interest.


Where there is an allegation of misconduct, the Line Manager can contact MyHRHelp
to gain advice and support throughout the investigation. Per the policy, Line
Managers should consult before any disciplinary action is taken. If the Line Manager
requests MyHRHelp then the case will be logged within their case management
system and case documents uploaded; if not, then the investigation would not be
recorded.

The Employee Relations team will be engaged on high-risk cases, by MyHRHelp, the
People Business Partners, their review of cases on the case management system or
in some circumstances the investigating Line Manager. MyHRHelp will email / call
the Employee Relations team if they are concerned about the progress of a case and
flag the case within the case management system.

When a case is raised there is a facility within the case management system to
record messages between the Line Manager and the MyHRHelp advisor. Summaries
of phone discussions are also logged.

The Line Manager will conduct the investigation using the Manager Guidance Toolkit,
which provides a step-by-step guide to conducting the investigation. The Line
Manager will complete the investigation and is responsible for determining whether a
case should be referred to a formal disciplinary meeting. Relevant documents and the
investigation report are uploaded and stored in MyHRHelp.

If the case is referred to a formal disciplinary hearing, the case will be sent to the
second Line Manager for review. Prior to a tribunal claim being received, in most
cases the Employee Relations team will be contacted by ACAS for early conciliation.
If a tribunal claim is submitted, the tribunal would submit notification to Legal, who
would engage with the Employee Relations team in order to manage the claim
through to a resolution.

MyHRHelp do not routinely provide formal MI on investigations, and MI is not reported
within or outside HR.

The policy states that it is recommended that Line Managers undertake employee
relations training; however, we were informed this does not happen.


Document Classification: KPMG Confidential

DRAFT FOR DISCUSSION PURPOSES ONLY

A1. Teams undertaking investigatory activities

* Dignity at Work complaints: A formal complaint is raised by an employee
completing a Dignity at Work Complaint Form (either manually or in SuccessFactors).
These are submitted to the People Shared Service Centre who, with the support of the
People Business Partner, will assign the complaint to an investigating Line Manager
(usually the employee's line manager, but this could be an independent Line Manager
depending on who the respondent is). The investigating Line Manager completes the
investigation, prepares an investigation report and determines the outcome of the
case. The investigation report and any documentation are sent to the People Shared
Service Centre. The investigating Line Manager updates the outcome of the case on
SuccessFactors and informs the employee of the outcome.

If the investigating Line Manager requests MyHRHelp, the case will be logged
within their case management system; if not, the case will not be recorded on
MyHRHelp.

* Grievance complaints: A formal complaint is raised by an employee completing a
formal Grievance Form (manual). The employee would send this complaint directly to
the second Line Manager (of the party being reported on), who would investigate the
complaint. The second Line Manager completes the investigation, prepares an
investigation report and determines the outcome of the case. The investigation report
and any documentation are sent to the People Shared Service Centre for the
documents to be filed on the personal file.

There is no facility in SuccessFactors to record a formal grievance or the outcome.
The second Line Manager informs the employee of the outcome.

If the second Line Manager requests MyHRHelp, the case will be logged within
their case management system and all case documents uploaded; if not, the
case would not be recorded on MyHRHelp.


Cyber

* Cyber Security Incident team: the Cyber team investigates potential breaches
of data policies and attacks on POL software (excluding retail). The team monitor
data feeds using Splunk in order to identify unusual activity, specifically in relation
to malicious behaviour or misconduct. All incidents are raised within ServiceNow,
either being auto-generated or manually entered. Depending on the nature of the
incident, information may be limited on ServiceNow in order to retain
confidentiality.

Incidents are triaged in order to identify the severity of the incident and remove
any false positives. If required, incidents are assigned for investigation. If the
investigation involves a data or legal breach, the team liaise with the Data
Protection team and/or Legal. In these instances Cyber provide technical support
to the relevant team, who then complete the investigation.

Documents relating to Cyber investigations cannot be uploaded onto ServiceNow
but are maintained on an independent part of SharePoint.


Detailed design — processes


A2. Detailed design - processes

Over the following slides, we have included additional materials to illustrate proposed target states for
investigations processes.

Level 1 investigation process — target state
* Sets out the target state for the high-risk and whistleblowing investigations process

Accountabilities by type and stage of investigations

* Outlines target state accountabilities for the various investigation types


A2. Level 1 investigation process - target state

This slide maps out the target state Level 1 investigation process.

[Flowchart: Level 1 investigation process - target state. The steps recoverable from the diagram are:]

Receive inputs, then decide: High risk?
Yes: escalate to the CIU. The CIU triages escalated cases; conducts the investigation, recommends outcomes and actions, identifies root cause and lessons learnt; ratifies outcomes; and produces MI and performs trend analysis.
No: the business team conducts the investigation, recommends outcomes and actions, and identifies root cause and lessons learnt. The CIU provides QA and feedback to the investigating teams, and consolidates MI to report to the GE and Board.

Receive whistleblowing reports, then: triage reports; scope investigations; conduct the investigation, recommend outcomes and actions, identify root cause and lessons learnt; ratify outcomes; produce MI and perform trend analysis.


A2. Accountabilities by type and stage of investigations

This slide outlines target state accountabilities by type and stage of investigation; the CIU may involve business teams to support investigations (see note (b)).

Case types (columns): Whistleblowing reports | Data breach incidents | Cyber security incidents | Employee related cases | Contract breaches | Postmaster complaints | Customer complaints | Modern slavery reports | SARs

Set standards: CIU for all case types; SARs: Financial Crime.
Manage inputs and triage: CIU | Data Protection team | Cyber team | Line managers via MyHRHelp | Contracts team | Issue Resolution team | Customer Support team | Customer Experience team | Financial Crime.
Investigate - high risk cases: CIU for all case types (see notes (b) and (c)); SARs: Financial Crime.
Investigate - other cases: CIU | Area managers / business lead | Cyber team | Line managers | Contracts team | Various managers / Product leads | Area managers | Area managers | Financial Crime.
Provide QA: CIU for all case types; SARs: Financial Crime.
Liaise with regulatory bodies and LEAs where applicable: CIU to LEAs over criminal misconduct cases (whistleblowing reports, cyber security incidents, employee related cases, contract breaches, Postmaster complaints, Customer complaints) | Data Protection team to ICO (data breach incidents) | CIU to LEAs / regulatory body (modern slavery reports) | Financial Crime to NCA (SARs).

Notes: (a) If the complaint is classed as whistleblowing, the complaint will be treated as a whistleblowing report and the CIU will be accountable for the investigation.
(b) While accountability is with the CIU, the CIU might involve business teams to gather evidence where SME expertise is required.
(c) The Data Protection team retain responsibility for investigating data breaches; other aspects of high-risk cases are passed to the CIU to investigate.
(d) The Financial Crime team will sit outside the CIU as the scope of its investigations is limited to gathering evidence to form an opinion on whether a case should be disclosed to the NCA.


Detailed design — case triage


A3. Case triage

At present, POL do not have a documented process to identify high risk investigations
in order to prioritise or escalate these cases.

We have set out a triage process over the following slides, where cases are reviewed by the business
teams based on a set criteria in order to identify high risk cases that will be escalated to the CIU.

Case triage

* Explains at what stage case triage should take place, what it would involve, who would be involved,
what criteria would be used to assess cases, and when cases would be escalated to the CIU.

Case triage criteria

* Sets out criteria by which cases will be assessed.

A3. Criteria for triaging

Criterion | Possible criteria for BAU | Potential to be high risk if several apply | Possible criteria for high risk
Financial impact | Financial impact under e.g. £50,000 | Financial impact between e.g. £50,000 and £1m | Financial impact e.g. > £1m
Reputational damage | Unlikely to be reputational damage | Potential for reputational damage | Capable of significant reputational damage to the business / significant media coverage
Seniority of those being investigated | Below Band 4 | Band 4 and above | Concerns a member of Board / GE / certified role
Postmaster or employee theft or misappropriation of assets | N/A - No allegation of theft or misappropriation of assets | Suspicion of theft or misappropriation of assets | Serious allegation of theft or misappropriation of assets
Regulatory breaches by Postmaster or employee | N/A - No regulatory involvement | Potential for regulatory notification | Relates to an identified breach or issue
Misconduct by employee | Allegation of misconduct | Potential to be gross misconduct | Relates to gross misconduct
Privilege required | No suggestion of litigation | Possibility of litigation | Likely to result in litigation
Postmaster detriment | N/A - No Postmaster detriment | Potential for individual Postmaster detriment | Potential to lead to pervasive Postmaster detriment
Referral from business | N/A | N/A | Requested by a Director level or above

These criteria are designed to allow flexibility and interpretation rather than to provide a prescriptive approach, so as to ensure that all investigations are given
appropriate consideration in relation to risk.
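As an added illustration of how the triage criteria table could be applied consistently (this is example code, not a POL or KPMG tool), the helper below maps each criterion of a case onto one of the three bands and escalates when any criterion lands in the high-risk column or when several land in the middle column. The thresholds are the "e.g." figures from the table; the Case field names and the reading of "several" as two or more potential criteria are assumptions.

```python
"""Added example (not POL or KPMG code): a rule-based helper that applies the
triage criteria table to a case and returns the band each criterion falls in.
Thresholds are the e.g. figures from the table; the Case field names and the
reading of "several" as two or more potential criteria are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BAU = "BAU"
POTENTIAL = "potential high risk"
HIGH = "high risk"


@dataclass
class Case:
    """Facts known at triage time (field names are an assumption)."""
    financial_impact_gbp: float = 0.0
    reputational_damage: str = "unlikely"       # unlikely | potential | significant
    subject_band: int = 0                       # grade band of the person investigated
    subject_is_board_ge_or_certified: bool = False
    theft_allegation: str = "none"              # none | suspicion | serious
    regulatory: str = "none"                    # none | potential_notification | identified_breach
    misconduct: str = "none"                    # none | allegation | potential_gross | gross
    litigation: str = "none"                    # none | possible | likely
    postmaster_detriment: str = "none"          # none | individual | pervasive
    referred_by_director_or_above: bool = False


def _band(value: str, potential: str, high: str) -> str:
    """Map a three-level categorical value onto BAU / POTENTIAL / HIGH."""
    if value == high:
        return HIGH
    if value == potential:
        return POTENTIAL
    return BAU


def assess_criteria(case: Case) -> Dict[str, str]:
    """Apply each row of the criteria table; returns criterion -> band."""
    fi = case.financial_impact_gbp
    return {
        # under e.g. £50,000 | between e.g. £50,000 and £1m | e.g. > £1m
        "financial impact": HIGH if fi > 1_000_000 else POTENTIAL if fi >= 50_000 else BAU,
        "reputational damage": _band(case.reputational_damage, "potential", "significant"),
        # below Band 4 | Band 4 and above | Board / GE / certified role
        "seniority": HIGH if case.subject_is_board_ge_or_certified
        else POTENTIAL if case.subject_band >= 4 else BAU,
        "theft / misappropriation": _band(case.theft_allegation, "suspicion", "serious"),
        "regulatory breach": _band(case.regulatory, "potential_notification", "identified_breach"),
        # a plain allegation of misconduct is BAU; potential gross / gross escalate
        "misconduct": _band(case.misconduct, "potential_gross", "gross"),
        "privilege / litigation": _band(case.litigation, "possible", "likely"),
        "postmaster detriment": _band(case.postmaster_detriment, "individual", "pervasive"),
        "referral from business": HIGH if case.referred_by_director_or_above else BAU,
    }


def triage(case: Case, several: int = 2) -> Tuple[str, List[str]]:
    """Overall band plus the criteria that drove it. Any single high-risk
    criterion escalates the case to the CIU; so does 'several' (assumed >= 2)
    potential criteria, per the middle column of the table."""
    per_criterion = assess_criteria(case)
    highs = [k for k, v in per_criterion.items() if v == HIGH]
    potentials = [k for k, v in per_criterion.items() if v == POTENTIAL]
    if highs:
        return HIGH, highs
    if len(potentials) >= several:
        return HIGH, potentials
    if potentials:
        return POTENTIAL, potentials
    return BAU, []


if __name__ == "__main__":
    # constructed sample case: mid-range loss involving a Band 4 employee
    sample = Case(financial_impact_gbp=60_000, subject_band=4, misconduct="allegation")
    print(triage(sample))
```

The function returns the criteria that drove the decision alongside the band, so the reviewer sees why a case was escalated rather than only the label; because the page stresses that the criteria are a matter of judgement, the output is best treated as a prompt for the business team's assessment, not as the decision itself.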


Detailed design — standards
and protocols


A4. Standards & protocols

The key standards & protocols to be followed in all high risk investigations are as below. Each standard/protocol is given with a high level description and the issues it addresses.

Evidence gathering - Planning
High level description: It is vital to plan evidence requirements, to avoid mistakes being made when under pressure and trying to move quickly. Before commencing an investigation, it is important to consider the provenance, integrity and continuity of the evidence, and ways to achieve this include:
* Seeking appropriate authorisation internally prior to proceeding;
* Preparing a road map of the evidence landscape, which considers key matters such as the number of suspects involved, the location of the search (and whether this involves multiple locations), how many areas are to be searched, how many staff are needed to conduct the search, and whether searches need to be conducted outside of working hours.
Issues addressed: This ensures that evidential integrity is considered upfront and throughout the process, to achieve the highest possible evidence standards.

Evidence gathering - considering the purpose and likely outcome of an investigation
High level description: Persons conducting investigations must be sufficiently competent (having had adequate training and experience of conducting investigations) and should be aware of the different legal requirements and standards of evidence needed for different purposes:
* Civil - 'balance of probabilities'
* Criminal - 'beyond reasonable doubt'
It is often best to aim for the highest possible evidence standards (i.e. criminal as standard), as it is difficult to predict the outcome of an investigation at the outset.
Issues addressed: This mitigates the risk that an investigation will not be performed in line with the appropriate legislation, and that evidence will be inadequate or inadmissible in Court.

Five core principles of evidence handling:
* Provenance: keep a log of the place of origin, when the evidence was received, by what authority, and by whom;
* Continuity: record the full audit trail, including who, why and when each document or artefact has been accessed;
* Security: documents and other evidential items should be kept secure at all times;
* Integrity: evidence should be sequentially tagged and sealed in a secure evidence bag;
* Inventory: a complete record of all original items and working papers should be maintained.

A4. Standards & protocols (continued)

Evidence gathering - securing evidence
High level description: Ensure swift action if evidence is at risk of being destroyed.
Issues addressed: This reduces the risk of key evidence being destroyed by the subject of the investigation.

Evidence gathering - search
High level description:
* It is important to take contemporaneous notes at each stage of a search.
* It is helpful to make a sketch plan, take photographs or video the search location (both before and after the search). The plan should include the address & location of the search.
* The investigators should keep a detailed list of where items were found and cross-reference them to the sketch plan with notes of the item found, who by, the date and time, a description and the seal number of the evidence bag. The total number of evidence bags should also be recorded, prior to confirming that no evidence of the search has been left behind.
* Investigators should make notes of all conversations with individuals encountered during the search, including any who are suspects. They should also note any attempts to disrupt the collection or to prevent items being taken.
Issues addressed: This addresses the risk that failure to keep an audit trail of the search [text illegible in source] criminal trial and can undermine civil proceedings.


A4. Standards & protocols (continued)

Document handling - Collection
High level description: It is important to consider the need to retain the integrity of documents and the audit trail, including preserving key original documents. All evidence items should be bagged and tagged, and a completed exhibit label should be attached to display the integrity of the evidence.
The overriding concept of document collections is to identify relevant documents and then subsequently maintain the security and integrity of the documentation. It is imperative that the following details are recorded during this process:
* custodian name/source name;
* source location where found/collected from;
* date and time of the collection/when received;
* description of the documentation or media;
* details of where the documentation or media was found;
* details of the person finding the documentation or media;
* unique identifier for each item or media.
Issues addressed: This ensures evidence is not tampered with. This also ensures evidence cannot be lost, damaged or put at risk.

Document handling - accessing
High level description: Each time an evidence bag is removed from the secure location to be opened, the following details should be recorded:
* The date and time of the movement;
* The name of the person opening the bag;
* The signature of the person opening the bag; and
* The reason for 'taking out the item' from the bag.
Issues addressed: This ensures evidence is not tampered with. This also ensures evidence cannot be lost, damaged or put at risk.
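The five core principles of evidence handling and the evidence bag access details above describe a chain-of-custody record. As an added example (not POL or KPMG code), the register below implements them in one place: provenance fields on registration, sequential exhibit tags, a SHA-256 digest standing in for the integrity seal on electronic items, an append-only audit trail for continuity, a movement log capturing date/time, name, signature and reason whenever a bag is opened, and an inventory listing. The tag format, field names and the sample items are assumptions.

```python
"""Added example (not POL or KPMG code): an evidence register that applies the
five core principles of evidence handling (provenance, continuity, security,
integrity, inventory) and records the evidence bag access details listed under
'Document handling - accessing'. Tag format, field names and sample items are
assumptions; hashing stands in for the integrity seal of electronic items."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from hashlib import sha256
from typing import Dict, List, Optional, Tuple


@dataclass
class Movement:
    """One removal of a bag from secure storage (the access-log entry)."""
    when: str
    who: str
    signature: str
    reason: str


@dataclass
class Item:
    tag: str                                   # sequential exhibit tag (integrity)
    description: str
    custodian: str                             # custodian / source name (provenance)
    source_location: str
    received_at: str
    received_by: str
    authority: str                             # by what authority it was taken
    seal_number: str                           # current evidence bag seal
    sha256_hex: Optional[str] = None           # digest of electronic content, if any
    sealed: bool = True
    movements: List[Movement] = field(default_factory=list)


class EvidenceRegister:
    def __init__(self, prefix: str = "EX") -> None:
        self.prefix = prefix
        self.items: Dict[str, Item] = {}       # inventory of original items
        self.audit: List[str] = []             # continuity: who / why / when

    @staticmethod
    def _now() -> str:
        return datetime.now(timezone.utc).isoformat(timespec="seconds")

    def register(self, description, custodian, source_location, received_by,
                 authority, seal_number, content: Optional[bytes] = None) -> Item:
        """Log provenance and assign the next sequential tag."""
        tag = f"{self.prefix}-{len(self.items) + 1:04d}"
        digest = sha256(content).hexdigest() if content is not None else None
        item = Item(tag, description, custodian, source_location, self._now(),
                    received_by, authority, seal_number, digest)
        self.items[tag] = item
        self.audit.append(f"{item.received_at} REGISTER {tag} by {received_by} "
                          f"under '{authority}' from {custodian} at {source_location}, "
                          f"seal {seal_number}")
        return item

    def open_bag(self, tag: str, who: str, signature: str, reason: str) -> Movement:
        """Record date/time, name, signature and reason before a bag is opened."""
        item = self.items[tag]
        if not item.sealed:
            raise ValueError(f"{tag} is already open; reseal it before reopening")
        move = Movement(self._now(), who, signature, reason)
        item.movements.append(move)
        item.sealed = False
        self.audit.append(f"{move.when} OPEN {tag} by {who} ({signature}): {reason}")
        return move

    def reseal(self, tag: str, who: str, new_seal_number: str) -> None:
        """Close the bag under a fresh seal so the next opening is traceable."""
        item = self.items[tag]
        if item.sealed:
            raise ValueError(f"{tag} is not open")
        item.seal_number = new_seal_number
        item.sealed = True
        self.audit.append(f"{self._now()} RESEAL {tag} by {who}, seal {new_seal_number}")

    def verify(self, tag: str, content: bytes) -> bool:
        """Integrity check for electronic items: the digest must still match."""
        item = self.items[tag]
        return item.sha256_hex is not None and sha256(content).hexdigest() == item.sha256_hex

    def inventory(self) -> List[Tuple[str, str, str, bool, int]]:
        """Complete record of items: tag, description, seal, sealed?, openings."""
        return [(i.tag, i.description, i.seal_number, i.sealed, len(i.movements))
                for i in self.items.values()]


if __name__ == "__main__":
    # constructed walk-through: register an item, open and reseal it, verify it
    reg = EvidenceRegister()
    usb = reg.register("USB stick", "J. Example", "Desk 2, Room 3", "Investigator A",
                       "Authorised by Head of Investigations", "SEAL-100",
                       content=b"constructed sample content")
    reg.open_bag(usb.tag, "Investigator B", "IB", "imaging of device")
    reg.reseal(usb.tag, "Investigator B", "SEAL-101")
    print(reg.inventory(), reg.verify(usb.tag, b"constructed sample content"))
```

Two design points follow from the standards: a bag cannot be opened twice without a reseal in between, so every opening is paired with a new seal number and appears in the audit trail; and the integrity digest lets a later reviewer confirm that an electronic item is unchanged without trusting the person who handled it. In practice the audit list would be written to append-only storage rather than kept in memory.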

A4. Standards & protocols (continued)

Storage
High level description: Assessment should be given to how evidence is stored once it has been gathered, and the following considerations are particularly important:
* The need for security measures, for example locks on data rooms / cabinets, and a logging system for documents removed from the evidence storage location.
* Where back-ups of evidence are stored, and how any items which have not been backed up (i.e. external hard-drives, mobile devices, USB sticks) should be securely stored to prevent loss.
Issues addressed: The risk of the suspect(s) being able to gain access to evidence and destroy it. The risk of key electronic evidence being lost through IT failure.

Retention
High level description: The relevant time-period in relation to the matter being investigated, to ensure documents (including emails and electronic documents) are not being destroyed as part of a standard document destruction policy. The following should be considered:
* Any specific legal requirements in respect of the type of document (some statutes require retention of certain classes of documents for set periods).
* The limitation periods in respect of potential legal actions against Post Office.
* General compliance with ethical standards in the industry.
Issues addressed: The risk of key evidence being unknowingly destroyed by another team following their standard document retention policies. The risk of key evidence being destroyed prematurely.


A4. Standards & protocols (continued)

Interviews - prior to the interview
High level description: The following should be considered:
* Which individuals should be interviewed.
* Whether it is appropriate to meet with a witness without advance notice or formally invite a witness to an interview with reasonable notice.
* Whether a witness should be permitted to be accompanied by a companion (normally a fellow employee or trade union representative).
* Whether a witness should have independent legal representation (particularly where a person is suspected of potential criminal conduct).
* Introductory language in respect of privilege and confidentiality. Advice should be sought from the Legal team.
* How to record the content of the meeting or any statement from the witness. Issues concerning privilege will need to be considered in relation to the creation and use of any notes taken.
* Whether a possible outcome of the investigation might be to recommend a formal disciplinary procedure against the witness, in which case the principles surrounding investigations set out within the Disciplinary Policy need to be followed.
Issues addressed: This ensures that the interview is considered upfront, to ensure appropriate evidence is gathered in the correct way.

Interviews - during the interview
High level description:
* Witnesses should be asked for their recollection of events with only limited information.
* Witnesses should be reminded that the investigation remains confidential and that they should not discuss it other than with the Investigator, HR support or any companion supporting them. It should also be made clear to the witness that their statements may be used within the investigation.
* Witnesses should be encouraged to suggest other witnesses to whom the Investigator should speak or avenues of enquiry they should explore.
Issues addressed: The risk of influencing what the witness says. The risk of confidential information being shared.


A4. Standards & protocols (continued)

Interviews - after the interview
High level description:
* If issues are identified during the interview which are not directly relevant to the issues being investigated, but which may themselves warrant investigation, the Investigator should refer these back to the Commissioning Manager for consideration about whether the Terms of Reference should be expanded or whether a separate investigation should be commenced.
* Witnesses must not be retaliated against or subjected to any detriment for having acted as witnesses. The Commissioning Manager is responsible for ensuring there are safeguards to protect witnesses.
Issues addressed: This ensures evidence outside of the scope of the investigation is dealt with in the correct way. This ensures the protection of the witness.

Interviews - criminal misconduct
High level description: In addition to the other standards, it may be appropriate to give specific warnings or cautions to witnesses before the interview to maximise the prospects of evidence being admissible in any criminal proceedings brought by law enforcement agencies.
Issues addressed: The risk of non-compliance with legislation.

Interviews - whistleblowers
High level description: In addition to the other standards, it may be appropriate to protect their anonymity in accordance with the Whistleblowing Policy and to put steps in place to protect them from detriment.
Issues addressed: The risk of non-compliance with the Public Interest Disclosure Act (PIDA) 1998 on the protection of whistleblowers.


Investigator qualifications


A5. Investigator qualifications

The following qualifications are desirable from investigator candidates:

Skills and Competencies
* Thoroughness; attention to detail
* Tact and discretion; ability to handle sensitive information
* Good judgement of and respect for others
* Knowledge of the principles of procedural fairness
* Analytical; able to identify key issues and facts
* Knowledge and ability to identify, lawfully collect, preserve and examine evidence
* Effective communication: ability to write clear, concise and complete reports

Education and Experience
* University- or college-level program in Law, Security Management or Risk Management, Accounting/Auditing, etc., where "investigations" is a specific component of the curriculum
* Private Investigator certification from a recognized police academy
* Human Resources program where "misconduct investigations" is a specific component of the curriculum
* Investigative experience in roles for which in-house training was also provided

Certifications
* ACFS - Accredited Counter Fraud Specialist
* CFE - Certified Fraud Examiner
* PCI - Professional Certified Investigator


Indicative cost of the CIU team


A6. Indicative cost of the CIU organisation

Total cost of the CIU organisation is £365-495k, out of which £230-320k (the four new roles) is additional. As there is a potential to transfer activities currently performed by the Security team into the CIU, there is a potential to use some of the Security budget for new roles.

Role (band) | Number | Existing / New | Cost per role (£k) | Comment
Head of Investigations (Band 4) | 1 | New | 80-120 |
Whistleblowing Manager (Band 3A/B) | 1 | Existing | 55-75 | Transfer from Financial Crime team
Investigations Manager (Band 3A/B x 2) | 2 | New | 55-75 | Potential transfer from Security team
Investigators (Band 2A x 2) | 2 | Existing (to be recruited) | 40-50 | The budget is indicatively signed off for 2 additional roles in the Whistleblowing team
Intelligence analyst (Band 2A) | 1 | New | 40-50 | Potential transfer from Security team

TOTAL cost per annum | 7 roles | | 365-495 |
TOTAL New roles | 4 roles | | 230-320 |

The CIU should also be allocated budget for outsourced/external spend for instances where completely independent investigations are required. We
would estimate this spend to be £100k per annum.


Document list

A7. Documents

In the course of this work we reviewed the following documents.


Title | Description | Date received
Group Investigation Policy | The minimum operating standards for the management of internal investigations throughout the Group. | 21/05/2021
Cooperation with Law Enforcement Agencies and Addressing Suspected Criminal Misconduct | The minimum operating standards relating to cooperation with Law Enforcement Agencies and the manner in which POL will address suspected criminal misconduct. | 26/05/2021
Anti-Bribery and Corruption Policy | The minimum operating standards relating to the management of Bribery and Corruption risks throughout the Group. | 26/05/2021
Anti-Money Laundering and Counter Terrorist Financing Policy | The minimum operating standards relating to the design and implementation of controls to prevent or deter Money Laundering and Terrorist Financing throughout the Group. | 26/05/2021
Financial Crime Policy | The minimum operating standards relating to the design and implementation of controls to prevent or deter Financial Crime throughout the Group. | 26/05/2021
Whistleblowing Policy | The minimum operating standards relating to the management of Whistleblowing throughout the Group. | 26/05/2021
Postmaster Contract Performance Policy | The purpose of this policy is to identify the circumstances where a postmaster is not meeting the obligations set out in their contract, the investigation process, and to outline the procedures to be followed to ensure performance of the contract, while supporting the postmaster in this process. | 26/05/2021
Postmaster Contract Suspension Policy | The purpose of this policy is to identify the circumstances in which suspension should be considered and the criteria which must be met before a decision to suspend is made. It also outlines the procedures to be followed in the case of suspension. | 26/05/2021
Postmaster Contract Termination Policy | The purpose of this policy is to identify the circumstances in which termination should be considered and the criteria which must be met before a decision to terminate is made. It also outlines the procedures to be followed in the case of termination. | 26/05/2021
Postmaster Termination Decision Review Policy | The purpose of this policy is to set out the procedures to be followed should a postmaster wish to challenge the decision to terminate the agreement, and to clarify who will be involved in the process. | 26/05/2021


A7. Documents (continued)

Title | Description | Date received
Code of Business Standards | Everyone employed by POL is required to adhere to the Code and the corresponding Group Policies. | 26/05/2021
Conduct Code Policy and Procedure | The policy aims to help employees to achieve and maintain POL standards of conduct and behaviour, while making sure employees are treated in the right way. | 26/05/2021
Dignity at Work Policy and Procedure | The policy aims to help employees create a positive work environment in which everyone is treated with dignity and respect. | 26/05/2021
Grievance Policy and Procedure | The policy aims to help employees and managers resolve work-related concerns in a positive, constructive and timely way, by providing a robust process for managers to deal with these concerns. | 26/05/2021
Harassment by Customers Policy | The Post Office will not tolerate any abusive or antisocial behaviour directed towards its employees. | 26/05/2021
Network Monitoring and Audit Support Policy | The policy explains how branches will be supported with any potential issues identified through network monitoring and how Post Office will help those branches maintain accurate records of cash and stock through their branch accounting. | 26/05/2021
Postmaster Accounting Dispute Resolution Policy | The purpose of this policy is to clarify the nature of the dispute(s), set out the standards expected in dealing with any dispute resolution and the procedures that need to be followed in bringing any dispute to a conclusion. | 26/05/2021
Postmaster Complaint Handling Policy | The Policy lays out the formal Complaints procedure which is intended to ensure that Post Office handle all Postmaster Complaints consistently, fairly and within agreed timescales. | 26/05/2021
Area Manager Postmaster Complaint Process Guide | Process in use | 11/06/2021
Customer Service Team Postmaster Complaint Process Guide | Process complete, awaiting final sign off | 11/08/2021


A7. Documents (continued)

Title | Description | Date received
Social Media Postmaster Complaint Process Guide | Process complete, awaiting final sign off | 11/06/2021
Issue Resolution Team Complaint Process Guide - WIP | Process work in progress, nearing final sign off | 11/06/2021
Supply Chain Complaint Process Guide - WIP | Process in use | 11/06/2021
Branch Audit Process Map | This process describes the activity undertaken within the Audit teams in Network Monitoring to complete a branch audit. | 11/06/2021
Branch Investigation Process Map | This process describes the activity undertaken by the Network Monitoring team to review a branch's activity and performance to ascertain whether any support or remedial activity may be required, e.g. a call from a Network Monitoring advisor, a SPEAR visit or Audit, or additional training. | 11/06/2021
SPEAR Call / Visit Casework Process Map | This process describes the activity undertaken by the Network Monitoring Casework team to schedule and oversee SPEAR and audit calls / visits. The Casework team are responsible for maintaining a full record of every SPEAR / Audit undertaken by capturing all information relating to the case on the Dynamics case record created. | 11/06/2021
Transaction Correction Disputes Process Map | This process describes the activity undertaken by the Disputes team where a branch has disputed a Transaction Correction (TC) and the item has been escalated to the BRT Disputes team. | 11/06/2021
Contract Performance Rationale Document | Blank template of Contract Performance Rationale Document | 14/08/2021
Contract Suspension Rationale Document | Blank template of Contract Suspension Rationale Document | 14/08/2021
Contract Termination Rationale Document | Blank template of Contract Termination Rationale Document | 14/06/2021
Investigations Process Map | This process describes the activity undertaken when a Postmaster / internal team identify a discrepancy or a Postmaster does not agree with a TC. | 16/06/2021

Financial Crime Investigations Process | This process describes how suspicious incidents that suggest financial crime activity are investigated. | 14/06/2021
Whistleblowing Process | This process describes how a whistleblowing report is investigated. | 14/06/2021
Bureau de Change Monitoring Process | This process describes how the Bureau de Change team meet regulatory requirements and reduce the risk of financial crime (including Money Laundering, Terrorist Financing and Fraud). | 14/06/2021
Financial Crime Compliance and Supply Chain Compliance Dashboard | Management information dashboard. | 14/06/2021
Responses on Group Investigation Policy by Sally Smith | Document recording Sally Smith's responses on whether existing policies comply with GIP. | 14/06/2021
Whistleblowing Investigation Report | Whistleblowing investigation template. | 16/06/2021
Audit Deployment Process Map | This process describes the deployment of the Audit team to complete a branch audit. | 16/06/2021
Conduct Investigation Action Plan | Conduct investigation Action Plan template. | 18/06/2021
Conduct Investigation Report | Conduct investigation Report template. | 18/06/2021
Conduct Employee Fact Sheet | Guidance on the principles and processes of the Conduct Code. | 18/06/2021
Conduct Manager Fact Sheet | Guidance on how managers should use the Conduct Code effectively. | 18/06/2021
Conduct Investigation Manager Guidance / Checklist | A guide to support managers through the conduct investigation process. | 18/08/2021
Conduct Witness Guidelines | A guide to support witnesses. | 18/06/2021
Advisor Plus | Scope of Service provided by Advisor Plus. | 21/06/2021
Conduct Investigation Letter Templates | Templates include: Investigation meeting invitation; Investigation outcome (no formal action); Confirmation of precautionary suspension from duty; Referral to a second line manager; Further allegation(s) arising from investigation meeting; Disciplinary investigation (further allegation(s) arising); Invite to investigation meeting (witness); Notification of temporary reassignment to alternative duties; Review of suspension; and Request for a written witness statement. | 18/06/2021
Cyber Security Incident Response Framework | This document describes the overall structure for responding to cyber security incidents. It assists the organisation with establishing incident handling and incident response capabilities and determining the appropriate response for common security incidents that will arise. | 24/06/2021
Cyber Security Incident Management Process | This document describes the overall structure for responding to cyber security incidents. It supports the expected standard and processes for the management of cyber security incidents. It outlines escalation paths and high level detail of the incident management tools available. | 24/06/2021
Cyber Security Incidents MI | Cyber security incidents by severity from Jan 2021 to June 2021. | 24/06/2021
Cyber Incident Response Playbook - Ransomware | The playbook provides a defined and repeatable framework to guide the CSIRT when responding to ransomware incidents. | 24/08/2021
Ironscales SOP | This document guides SOC analysts through activities on Ironscales. This includes the creation of scenarios, simulated phishing web pages, the process of running a campaign and auditing the licences for enabled mailboxes. | 24/06/2021
Incident and Breach Management Procedure V2.0 (1) | This process describes recognising, investigating and reporting a personal data incident or breach. | 28/06/2021
Non-Cyber Data Incident Report Form | Blank template of Data Protection Incident Report Form | 28/06/2021

Investigation 1 - Conduct | HR Investigation sample where we were provided with supporting documentation in relation to the investigation. This included: conduct case referred to second line manager, conduct referral to a second line manager, investigation meeting invite letter, precautionary suspension letter, minutes, witness statement 1 and witness statement 2. | 07/07/2021
Investigation 2 - Conduct | HR Investigation sample where we were provided with supporting documentation in relation to the investigation. This included: evidence collated (loading 2, loading 16 and 17.09.2020, Post Office 1, Post Office 2, Post Office 3, Post Office 4, Post Office 5, Post Office 6, Post Office 7, Post Office 8, Post Office 9, Post Office 10, Post Office 11, Post Office 12, Post Office 13, Post Office 14, Post Office 15, Post Office 16, Post Office 17, Post Office 18, Post Office 19, Unloading 21.09.2020, Vehicle Audit log 18.09.2020, Vehicle Audit log), letters (Case referred to second line manager, investigation meeting invitation letter, precautionary suspension letter, referral to a second line manager), minutes (investigation meeting minutes and redundancy letter). | 25/08/2021
Investigation 3 - Grievance | HR Investigation sample where we were provided with supporting documentation in relation to the investigation. This included: evidence collated (1st consultation meeting record, 2nd consultation meeting record, 3rd consultation record form, email, employee consultation questions 2020, formal grievance, half year PDR 2019, Note 4 - 5, Re-organisation information Employee Guide, Redundancy Letter 2, Redundancy letter, Redundancy Team Brief, Support Role Job Advert), letters (Grievance Outcome and Grievance Investigation Report), minutes (complainant minutes, Witness 1, Witness 2, Witness 3, Witness 4, Witness 5, Witness 6, Witness 7, Witness 8). | 25/06/2021
Protecting Personal Data Policy v3.0 | The minimum operating standards relating to the management of Data Protection risks. | 28/08/2021
2021 05 17 - GIP - Responses | Group policy owner responses on whether existing policies comply with GIP. | 21/08/2021

Post Office - Financial Crime Investigation example | Example of Financial Crime team investigation | 05/07/2021
Post Office - Financial Crime Summary Report, Internal SAR example | Example of Financial Crime team investigation | 05/07/2021
Resolver Matrix Final v2 | Triage Matrix used by Major Incidents team | 08/07/2021

Stakeholder engagement list


A8. Stakeholder list

In the course of this work we spoke to the following stakeholders.


Name | Title | Nature of discussion | Date

Tim Perkins | Service and Support Director | Initial discussion in regard to service and support team | 08/08/2021
Andy Kingham | Franchise Partnering Director | Initial discussion in regard to franchise partnering team | 08/08/2021
Jonathan Hill | Compliance Director | Initial discussion in regard to compliance team | 09/08/2021
Steve O'Reilly | HR Director | Initial discussion in regard to HR team | 09/06/2021
David Southall | Head of Contract Management and Development | Contract team investigation process and procedures | 10/06/2021
Jayshree Patel | Head of Conduct Compliance | Conduct compliance investigation process and procedures | 14/06/2021
Sally Smith | Head of Financial Crime | Financial crime team investigation process and procedures | 14/06/2021, 24/06/2021 and 02/07/2021
Clare Hammond | Data Protection Manager | Data Protection Investigation process and procedures | 15/06/2021 and 02/07/2021
Alison Clarke | Senior Network Monitoring and Support Manager | | 15/06/2021
Iain Robertson | Head of Network Operations | Regional Manager involvement in investigations | 15/06/2021
Jenny Brady | Whistleblowing Manager | Whistleblowing Investigation process and procedures | 16/06/2021 and 05/07/2021
Russell Tavener | Head of Commercial | Customer complaints process | 16/06/2021
Mark Raymond | Security Team | Security team activities in regard to investigations | 16/06/2021
Nayan Navik | Area Audit and Support Manager | Initial discussion regarding audit team investigations activity | 16/06/2021
Janene Mellor | Head of Employee Relations | HR Investigation process | 17/06/2021
Simon Worboys | Head of Network Support and Resolution | Postmaster financial dispute resolution process | 18/06/2021
Neil Davey | Previous Head of Network Support and Resolution | Postmaster financial dispute resolution process | 18/06/2021

James Scutt | Head of Customer Experience | Modern slavery statement and investigations process | 21/08/2021
Tony Hogg | Group Head of Cyber Operations | Cyber investigation process and procedures | 23/06/2021
Stuart Lill | Legal - Historical Matters Unit | Involvement of Legal in investigations | 23/06/2021
Paul Blackmore | Senior Financial Crime Manager | Further clarifications in regard to Financial Crime team activities | 14/06/2021, 24/06/2021 and 02/07/2021
Lynne Schofield | Strategic Partner Manager | Whether investigations in strategic partners are different to independent branches | 25/06/2021
Laurence O'Neill | Legal - Employment Rights | Involvement of Legal within HR investigations | 30/06/2021
Lex Tansley | Legal - Secondee to Retail team (Zoe Brauer's delegate) | Involvement of Legal within investigations into financial discrepancies in branches | 30/06/2021
Mathew Thorley | Issue Resolution Team Manager | Postmaster complaint investigation and resolution | 29/06/2021
Michael Shields | Contracts Advisor | Review of two sample cases, being a reinstatement following suspension, and a suspension | 30/06/2021
Paul Sawyer | Customer Complaints | Customer complaint investigation and resolution | 01/07/2021
Kathleen Griffin | Head of DVP Programme | Investigator for HR grievance sample | 01/07/2021
Leander Fitzharris | Contracts Advisor | Review of a sample contract termination case | 02/07/2021
Chris Thorpe | Regional Operations Performance Manager South | Investigator for HR conduct sample no. 2 | 02/07/2021

Robert Shipp | Branch manager in DVB | Investigator for HR conduct sample no. 1 | 07/07/2021
Helen Rhodes | People Shared Services Director | People Shared Service activities in regard to HR investigations | 08/07/2021
Carla Moulds | Major Incident & Problem Management Lead | Major Incidents Investigation process and procedures | 08/07/2021
George Syrichas | IT Service Transition Manager | Major Incidents Investigation process and procedures | 08/07/2021
Lee Kelly | Employee Relations and Policy Director | Employee code of conduct investigations process | 30/06/2021


home.kpmg/socialmedia


© 2020 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with
KPMG International Limited, a private English company limited by guarantee. All rights reserved.

This report is provided pursuant to the terms of our contract with Post Office Limited (POL). The report is intended solely for internal purposes by the
management of POL and should not be used by or distributed to others, without our prior written consent. To the fullest extent permitted by law, KPMG
LLP does not assume any responsibility and will not accept any liability in respect of this report to any party other than the Beneficiaries.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.
