POL00447836 - POL audit risk and compliance committee report


POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT

Title: Audit, Risk and Compliance (ARC) Committee Evaluation 2022/23
Meeting Date: 16 May 2023
Author: Marie Molloy, Senior Assistant Company Secretary
Sponsor: Simon Jeffreys, ARC Chair

Input Sought: Noting, Discussion & Decision

The Committee is asked to:
• NOTE and DISCUSS the ARC Committee Evaluation for 2022/23 (Appendix 1).

• APPROVE the recommended areas and actions to address points raised for improvement.

Previous Governance Oversight
• The Nominations Committee approved the 2022/23 ARC evaluation questionnaire at its
meeting on 6th December 2022.

• An externally facilitated evaluation was conducted of the Board and its Committees for
2020/21 and will be undertaken again in 2023/24 [1].

Executive Summary

The 2022/23 ARC evaluation questionnaire mirrored that of 2021/22 to allow like for like
comparison. The ARC Members as at February 2023 and the Group CFO, General Counsel,
Director of Compliance, Head of Risk, Director of Internal Audit and Risk Management and
Head of External Audit were invited to complete the questionnaire [2].

Across all evaluation areas the effectiveness of ARC was rated [3] as ‘very good’ which is
broadly in line with prior year ratings:

• Skills, experience, diversity, knowledge: Average score 4.6 (LY 4.4)
• Leadership, ways of working, time management: Average score 4.4 (LY 4.5)
• Information and Support: Average score 4.0 (LY 3.8)

The evaluation feedback was that the Committee continues to remain effective, despite the
headwinds and challenges faced by the Post Office. Positive comments were made regarding
the interaction and engagement with the external auditors and the internal audit function.
The approach of the committee in relation to providing an effective challenge to management
and holding them to account, whilst still being supportive was remarked upon.

The two areas which may require further focus and improvement are:

• Assuring that compliance with the regulatory landscape is adequately managed and
reported (score 3.6 (LY 3.8)); and
• Quality of papers and presentations received by the Committee (score 3.9 (LY 3.5)).

[1] The UK Corporate Governance Code and the Corporate Governance Code for Central Government Departments both stipulate that there should be an annual evaluation of the Board
and its Committees which should be externally facilitated at least once every third year.

[2] Recently appointed ARC Chair and a non-executive Director were therefore excluded.

[3] Key: 5 = Excellent; 4 = Very good; 3 = Good / at required standard; 2 = Requires development; 1 = Requires significant development

Strictly Confidential

The actions arising from the 2021/22 ARC evaluations have all been addressed.

Report
How do the responses of 2022/23 compare with 2021/22?

The overall average evaluation scores at ‘very good’ were broadly in line with prior years, and
all scores were at or above 3.6 (3 = “good/ at required standard”).

The Membership of the Committee and the executive contributors had been stable during the
period in which the evaluation questionnaires were undertaken, so the pool of
questionnaire participants was very similar.

The higher scoring questions are summarised below:

| Section | Question | 22/23 | 21/22 |
|---|---|---|---|
| B Leadership, ways of working, time management | How would you assess the Chair’s encouragement of debate within the Committee, including ensuring that all members are able to contribute to the discussion? | 4.8 | 5.0 |
| A Skills, experience, diversity, knowledge | How would you rate the Committee’s understanding of the following areas of the Business: i. Financial reporting and management | 4.8 | 4.3 |
| A Skills, experience, diversity, knowledge | iv. Internal Audit | 4.7 | 4.3 |
| A Skills, experience, diversity, knowledge | v. External Audit | 4.7 | 4.3 |
| A Skills, experience, diversity, knowledge | How appropriate is the composition of the Committee for the requirements of the business? | 4.7 | 4.5 |

The lower scoring questions are summarised below:
| Section | Question | 22/23 | 21/22 |
|---|---|---|---|
| C Information and Support | How comfortable are you that compliance with the regulatory landscape is adequately managed and reported? | 3.6 | 3.8 |
| C Information and Support | How would you rate the quality of papers and presentations received by the Committee? | 3.9 | 3.5 |

The lower scoring questions and comments in our opinion reflect the challenge of addressing
the range and breadth of ARC topics across Post Office and should be read in conjunction with
the positive approach adopted by the Committee in providing an effective challenge to
management and holding them to account, whilst still being supportive.

The December 2022 and January 2023 ARC meetings were commented upon as being too
close together. The proposed re-scheduling of the ARC dates to 27 November 2023 and 29
January 2024 will allow a sufficient gap to facilitate branch support, contractor furlough and
leave during this period.


Proposed actions

Whilst acknowledging the ARC has been evaluated as ‘very good’, we have proposed the
following actions to address the areas of relative lower scores and constructive feedback:

i. ARC coverage to ensure all key risk areas are reviewed to provide a holistic view of
the control and operational risk environments within POL, particularly those
exposed to legal and regulatory environments;

ii. Strict enforcement of templates and ensuring papers in the reading room are
appropriately cross-referenced and/or summarised in the main pack.

In addition, to continuously improve the effectiveness of ARC, the following changes are to be
considered:

i. Enhance coverage of lines of defence to ensure this is adequate to provide early
warning/lead indicators;

ii. Whether a balanced scorecard regarding Postmaster detriment should be
developed;

iii. The Committee formally review the ‘Forward Plan’ on a 6 monthly basis to ensure
this remains in line with the risk profile of POL.

Actions and status from the Committee Evaluation 2021/22
The actions from the Committee Evaluation 2021/22 and their status are as follows:

1. Deep dives on key areas are continued to ensure the Committee is appropriately
sighted, with the Committee to consider whether Deep dives are attended by the first
line as well as the second line to widen the perspective.

Status: Completed - Deep Dives completed on an annual basis. Head of Internal Audit
and Interim Group Compliance Director attend ARC to widen the perspective.

2. The Committee Members engage in an annual dialogue to agree where the Committee’s
focus areas for the coming year should be.

Status: Completed - ARC ‘Forward Plan’ is created and presented to ARC in every
meeting.

3. The Committee review the calibre of materials provided by management and consider
requesting management to provide revised reporting templates.

Status: Completed - Updated paper template and guidance provided. The materials are
also reviewed by the RCC to assess quality.

4. The Committee review their Annual Work Plan to assess for any areas of refinement

Status: Completed - The Company Secretariat continues to utilise and develop the
forward plan, which is included as an item for noting at each ARC meeting.

Next Steps

If the Committee accepts the recommendations in the report, it will be asked to consider
incorporating the recommendations into the forward plan for the Committee at its next
scheduled periodic meeting on 10 July 2023.

Appendix 1 - ARC Evaluation Questionnaire 2022/23

Key: 5 = Excellent | 4 = Very good | 3 = Good / at required standard | 2 = Requires development | 1 = Requires significant development

| Question | 2021/22 Average | 2022/23 Average | Note |
|---|---|---|---|
| A. Skills, experience, diversity, knowledge | | | |
| 1. How appropriate is the composition of the Committee for the requirements of the business? | 4.5 | 4.7 | |
| 2. How would you rate the Committee’s understanding of the following areas of the Business: | | | |
| i. Financial reporting and management | 4.3 | 4.8 | |
| ii. Operational and Financial Risk Management | 4.3 | 4.2 | |
| iii. Compliance | 4.5 | 4.2 | |
| iv. Internal Audit | 4.3 | 4.7 | |
| v. External Audit | 4.3 | 4.7 | |
| B. Leadership, ways of working, time management | | | |
| 3. How would you assess the Chair’s encouragement of debate within the Committee, including ensuring that all members are able to contribute to the discussion? | 5.0 | 4.8 | 1 - N/A |
| 4. How effective is the Committee at focussing on the right issues? | 4.2 | 4.3 | |
| 5. How effective is the Committee at providing both challenge and support to management? | 4.3 | 4.0 | |
| C. Information and Support | | | |
| 6. How effective is the Committee at testing the information provided by management and external advisers? | 3.8 | 4.1 | 1 - N/A |
| 7. How would you rate the quality of papers and presentations received by the Committee? | 3.5 | 3.9 | |
| 8. How comfortable are you that compliance with the regulatory landscape is adequately managed and reported? | 3.8 | 3.6 | |
| 9. How would you rate the management information received by the ARC and its timeliness (i.e. is it the right information at the right time to provide you with the assurance you need and the understanding of the business you need)? | 3.2 | 4.0 | 1 - N/A |
| 10. How would you rate the access you have to any additional information and support you need to fulfil the requirements of your role (i.e. from management, secretariat or from external advisers, where required)? | 4.2 | 4.4 | 1 - N/A |

11. Are the frequency and length of ARC meetings appropriate?

12. Are issues brought to the ARC at an appropriate time?

13. Are there any issues or topics that are not discussed that
should be considered at the Board?

14. Does the ARC have sufficient time in private to discuss
matters of concern?

Additional Comments

It is a really well chaired and run committee.

ARC agendas are very full. And the papers are voluminous. This places significant
demands on members of the ARC to read and digest the papers.

I think the frequency of the ARC meetings is too frequent, in particular the timing of
the December and January ARC, December is a very busy period with focus on time
away from the office to provide branch support, Christmas break and the reports are
required immediately following the Christmas break, it places a lot of pressure on
colleagues to respond to actions, progression of actions can be slow at this time of the
year, factoring in change freeze, contractor furlough.

This year we have had issues with regulatory compliance staffing (now sorted) which
appeared to come as a surprise and I think resulted in weaker oversight from ARC. We
had a similar issue with cyber controls being de-prioritised. Under the new head of
compliance I can see better reporting starting but I worry that ARC do not have an
effective line of sight when control frameworks aren’t working as designed.

Compliance rating reflects the fact that we do not have adequate 2nd line of defence
and are having to make compromises due to funding.

ARC has a large agenda and has to deal with a wide array of risks. Some risk areas
seem to fall outside of ARC and go to the Board which might perhaps get more focus at
ARC - examples include IDG (CIJ/HIJ compliance), major projects. Both are areas of
significant ongoing concern. It is also noteworthy that data management, which seems
to have been under-invested in for years, has now become a focus for the organisation
perhaps as a result of the Inquiry - should this issue have been a bigger focus for ARC?

While the frequency and length of ARC meetings are appropriate for the complexity of
the business, I think that some topics / agenda items could be presented less
frequently to allow for deep dives into other matters. For example, the risk update,
internal audit update and compliance update could be reduced to alternative meetings
or with shorter exception reporting only at alternative meetings.

Carla has been an outstanding Chair and Board director. Zarin provides insightful
observations. I am concerned about the capability and expertise once both of those
directors leave the business.

15. Please comment on the effectiveness of the interaction with Internal Audit.

From our perspective the IA interactions are effective, and they highlight the key
issues through their papers.

Good. Cannot comment in any detail.

Excellent

Good interaction and clear reporting providing transparency of audit reports/actions

Good - reports and recommendations are much more clearly articulated and combining
risk with IA has strengthened the team.

"Always open, honest and clear. IA are independent and it is a solid function that adds
value to the organisation and the committee. They are trusted and respected

The co source operations is effective"

The interaction is good. I wonder however whether IA calls out loudly or persistently
enough the issues it finds.

I believe that the committee has unrestricted, open and honest interaction with
Internal Audit. The Head of Internal Audit has unrestricted access to all members of
the committee and regular private sessions with the chair (every second month) and
with the full committee (every 6 months).

Excellent. ARC takes considerable interest and reviews Internal Audit at every meeting
without fail.

16. Please comment on the effectiveness of the interaction with External Audit.

• They attend the sessions and are always happy to provide their opinions on wider
control issues.

• There are regular sessions with the ARC Chair and the PwC partner/ director ahead of
every ARC meeting. This ensures that the ARC Chair is well briefed on all external audit
related issues - and has the opportunity to challenge / ask questions. This works well.

• Excellent

• Good interaction and engagement with regards to External auditors

• PwC provide a thorough audit and they provide a good and detailed audit report on the
key estimates and judgements. The team at PwC have been very supportive in what
has been a tricky year for the annual accounts.

• Open and honest dialogue with clear decision points and transparent communications.
Expectations of both organisations are well managed and EA make a full contribution at
committee meetings. The team are strong

• Overall good

• From what I have observed, the interaction with External Audit is unrestricted and
effective. The committee also holds private sessions with the external auditors at least
every 6 months.

• Very effective particularly PWC. ARC should encourage the use of more external audits
particularly on NBIT, IDG operational and cultural improvements, HMU... those areas
where parties outside of POL are unlikely to just accept a POL position given the
historical issues.

17. Please include any thoughts you have about the operation of the Committee and any
ideas for its future operation.

I know this may be in process, but areas of concerns (operational risk, regulatory risk
and inquiry related risk) should be subject to regular deep dives.

The retirement from the Board of the current AC Chair means that the ARC is losing a
highly diligent, thoughtful and effective ARC Chair. Given the breadth and depth of the
current ARC remit - finding someone to continue this significant and detailed work will
not be easy.

With Carla and Zarin leaving we have a massive understanding gap on financial
matters with no one who knows how to run a business of the size of POL

The frequency to be reviewed, consideration of financial year end, summer break and
Christmas period

As I said last year the ARC has a very extensive agenda and I would recommend that
we think about developing a forward agenda that prioritises discussion time on the
biggest issues and does the rest through shorter papers or by exception only. The big
topics coming at us are NBIT governance and assurance which is weaker than it should
be, regulatory compliance, cyber controls and effective operational controls around PM
policies


The committee will need to respond to the fact that the company is operating outside
of risk tolerance due to the funding. There are also fewer resources internally to
provide oversight.

See above

The operation of the committee continues to be effective, despite the headwinds and
challenges faced by Post Office. The committee has adjusted its focus and appetite in
line with changing circumstances and risk profile of the business. The committee (and
in particular the new members of the committee) will benefit from having deep dive
presentations at the ARC meetings by key areas of the business on a rotational basis.
With so many challenges being faced by the business, I think the committee has
managed to adopt an approach that is effective in challenging management and
holding them to account, whilst still being supporting and understanding.

More of Carla, Zarin and Ben....
