POL00447843
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: DRAFT Internal Control Framework | Meeting Date: 26th September 2022
Author: Anshu Mathur, Interim Group Compliance Director; Rebecca Barker, Deputy Head of Risk
Sponsor: Ben Foat, Group General Counsel
Input Sought: Discussion
This paper provides an overview of the work undertaken to develop a DRAFT POL Control
Framework. This was presented and discussed at the Risk and Compliance
Committee on 13 September 2022, which agreed to the principles and concepts of the
Framework. It was also distributed to the GE on 14 September 2022.
Given the cost challenges, this DRAFT framework was approved as a direction of travel,
against which POL can make incremental steps towards control maturity, i.e. the
committee agreed not to associate it with any formal outcomes or timetable.
It was recognised that the principles of the DRAFT Control Framework are being applied
within the assurance approach for ‘Historical Matters’, Technology Change,
Whistleblowing and Investigations.
Executive Summary
A Control Framework provides the Business with a clear and consistent approach against
which its control environment can be maintained and, more importantly, also measured,
monitored and demonstrated.
The Draft POL Control Framework provides this clarity and sets out the standards and
key building blocks of what constitutes a robust control environment, namely:
• Control Continuum - A scale against which the business can self-assess their
control environment maturity and direction of travel (to be set by the Board).
• Three lines of defence - Clarifying the roles and responsibilities between the first
line, second line and third line of defence, so that no ambiguity exists and we have
a proportionate assurance model or target operating model that is doable for POL.
• Coverage / Adequacy of controls to manage business risk - Clear guidance on
what and how a Business function environment should be created to ensure
adequate coverage and identification of business risks and related controls.
• Assurance of controls effectiveness - A defined model against which Controls will
be sampled for checking against evidence, to ensure POL has continuous
assurance in place which the RCC, GE and ARC understand and can rely on.
More importantly, this should then be the genesis for the creation of integrated
assurance plans to ensure POL coverage of key risks (actual/emerging) and their
remediation is being assessed and monitored.
• POL Compliance Dashboard - A formalised dashboard to measure the state and
direction of travel of the POL control environment.
Confidential
The DRAFT POL Control Framework has been developed in a manner in which it provides
clear guidance, yet is not prescriptive, hence allowing the Business Functions
sufficient flexibility to ensure they can adopt and/or choose their approach to
demonstrate adherence to the standards. Given POL's cost challenge this is imperative.
It also recognises and will leverage the risk and control work already performed and
being monitored via SNOW.
In creating this DRAFT Framework we have sought guidance and input from Finance,
LCG, Group Risks, and Technology. Their contributions and constructive challenges have
been invaluable.
Next steps
1. Continue to embed the principles with Tech Change, Whistleblowing and
Investigations.
2. Begin to apply the principles of the framework across the organisation, where
capacity exists, in a light-touch manner leveraging existing resources and
risk/control activities undertaken.
DRAFT - POL Control Framework
1. Purpose
This document provides the minimum standards and associated guidance for POL to ensure an
appropriate control environment exists and is maintained. This Framework provides guidance
on the key building blocks of a control environment and clarifies the roles and responsibilities
across the three lines of defence.
As risks and associated controls are a key underpin, this Control Framework is fully aligned to the
Group Risk policy, and is intended to support POL to operate within agreed risk appetites and
tolerances set by the Board.
Implementing the Control Framework will also facilitate the timely and proactive identification of
issues and/or exceptions, risk trends, and themes to ensure these are appropriately monitored,
discussed and challenged at various governance forums such as the Risk Compliance Committee
and Audit & Risk Committee.
This framework is aligned with the COSO framework to ensure POL can develop a strong, effective
internal control system and will also ensure POL can comply with the provisions of UK SOX.
2. Authority and Responsibility
The POL Control Framework is owned by the Group General Counsel under the delegated authority
of the Board. Executive Management (and their Functions) are responsible for working within
this framework and maintaining sufficient processes, systems and evidence to demonstrate
compliance. (Please refer to Appendix A for the GRC Framework.)
3. Control Environment Maturity Continuum — Our desired end state
It is the strategic objective of the PO to operate under a stable and appropriate control
environment to ensure key risks at enterprise, intermediate and local levels are being
proactively managed and monitored. A standard control environment maturity continuum scale
is provided below:
[Figure: control environment maturity continuum, five stages from least to most mature, read left to right. Recoverable descriptors per stage (the column placement of some lower rows is inferred from the layout):
1. Piecemeal and ad-hoc control environment with limited assurance and oversight. Driven by issues and incidents and/or regulatory legislation. Controls are not adequately documented; controls mostly dependent on people. No formal training or communication of control activities.
2. Risk & Control Framework, Policies and Procedures are designed and in place. Risk/Control universe not mapped to organisational design and/or activities. 2nd LoD exists in parts and lacks integration.
3. Risk and Control activities are designed and embedded. Risk and Control universe is mapped and maintained. Use of GRC tool is embedded. Formalised controls training and communication. [...] Line and 3rd Line of Defence (text partly illegible).
4. Established risk and controls universe supported by periodic testing and assurance. Integrated Assurance providing objective oversight on the Control Environment. Limited use of automation.
5. A fully integrated control framework with real-time monitoring by management, with continuous improvement embedded by design. Efficacy and reporting of controls driven by first line activity, with appropriate oversight from the 2nd line (text cut off).]
Whilst the PO's current control environment maturity varies, our strategic operating target for 2025
should be to be able to demonstrate a control maturity between 'Established/Standardised' and
'Monitored'.
For this to be achieved, every function within PO will need to be able to demonstrate in a
standardised and consistent manner the following:
• Integrated Assurance - How and through what activities do Management gain assurance
that their control environment is mature, and that coverage of key risks and their associated
controls remains effective to prevent significant issues / incidents that may cause
reputational, financial, commercial and/or operational damage to the PO.
This Framework defines and explains the PO 'Three lines of defence' model to ensure the
business embeds a robust, efficient and integrated assurance approach within which the
roles and responsibilities of the first line, second line and third line are clear and
understood. Please refer to Section 4 below.
• Adequate Coverage - A key requirement of a mature control environment is to be able
to demonstrate key risks and associated controls and how these provide adequate
coverage over all key activities and related processes and procedures, i.e. the POL universe.
Please refer to Section 5 below, which provides guidance on how Management should
create, and then maintain, their universe and the associated risks and controls.
4. Three Lines of Defence Model
The IIA Three Lines of Defence (3LoD) model ensures clarity and a structured approach for the
overall management of risk and exercising control within an organisation, thus minimising gaps
in risk management and unnecessary duplication of risk coverage and/or assurance activities.
The 3LoD model is recognised as best practice for risk and control management, and accordingly
is the basis for the POL Control Framework.
The Institute of Internal Auditors’ Three Lines Model is provided below:
[Figure: the IIA Three Lines Model. The Governing Body sits at the top; beneath it are the three lines:
• First line of defence - Functions that own and manage risks & controls
• Second line of defence - Functions that monitor / oversee or who specialise in compliance or the management of risk
• Third line of defence - Functions that provide independent assurance
Key to the arrows: accountability and reporting; delegation, direction, resources and oversight; alignment, communication, coordination and collaboration.]
The table below operationalises the above IIA model to how the three lines of defence should
operate and be embedded within POL. This clarifies the activities and roles/responsibilities
between the first, second and third lines of defence.
Three Lines of Defence — Roles and Responsibilities
First Line - Functions that own and manage risks

Business Process Operators:
• Accountable for executing business controls and embedding the POL Control Framework
• Maintain required evidence of control execution
• Develop and execute mitigations for control failures
• Support Compliance Reviews and/or deep dives
• Defined ownership for risks and controls
• Risks and controls subject to regular review and monitoring at GE Leadership Team
• Operate within Board-set risk appetite and tolerances to deliver strategic objectives
• Escalate to Second Line concerns about the viability of existing risk appetite
• Keep the Risk and Control Universe up to date for:
  - issues and incidents
  - people, process and system changes
  - CSA failures
• Adequate repository of risks, and evidence of control execution
• Support second and third line assurance reviews and/or investigations
• Inform Functional Compliance & Risk Leads of material changes to people, processes and systems

Functional Compliance Leads:
• Responsible for embedding the POL Control Framework within Functions
• Ensure the risk and control approach / methodology aligns with Group Risk Policies
• Continue reassessing controls and processes on an ongoing basis
• Perform and support control testing and monitoring
• Perform functional deep dives and RCAs
• Coordinate and monitor mitigation plans for failures
• Identify emerging trends
• Report to Group Compliance on CSA outcomes and progress against remediation plans
• Report overall status via monthly Functional dashboards
• Appointed Functional Risk & Compliance Leads
• Maintain oversight of changes to people, processes and systems to assure the efficacy of the risk and control environment
• Support Functional, or execute, 'Control Self Assessments' (CSA):
  - ensure appropriate CSA coverage and frequency
  - CSA failures are tracked and monitored until remediation
• Update Control Dashboard - key risk indicators, KPIs, CSA results, issues / incidents / root causes etc. to demonstrate the state of the control environment and related trends / themes or emerging risks
• Perform investigations and reviews
The effective implementation of the above model would provide a sound basis for assuring the GE,
ARC and Board that POL is robustly managing their risk and maintaining an appropriate risk and control
environment.
5. Control Universe
A) Universe - key activities and or processes
A key first step in assessing risks and controls is Management being able to demonstrate their
understanding and coverage of their 'universe' of key activities and processes. An illustrative
example of how management should document their universe and ensure adequate
coverage can be found in Appendix B.
As several methods can be adopted to create, evidence and maintain a 'Universe', this
framework does not prescribe how this should be done; however, Management should be
able to clearly demonstrate:
• On what basis their universe has been created - particularly to ensure
appropriate coverage. A few examples of what a Universe can be based on are:
organisational structures/design (CEO minus 3 or 4), business units and support
departments, service/product lines, customer journeys or touchpoints, regulatory or
legal requirements, etc.
• To what business activity and/or process level the universe is mapped.
For example, the level of detail on which a universe can be based can range from an
entity level (level 0 or 1) to a keystroke view (level 4/5). Usually a mid-range is
preferable as this provides a good balance between capturing key activities and too
much detail.
• How the universe is maintained.
For example, how are changes in process, activity and/or org design managed and reflected
in the universe, i.e. change control, continuing assessment of risks & controls, etc.
• What assurance exists.
What assurance activities are undertaken to provide Management with a view that their
Universe is complete, and reflects business activities and the associated inherent /
residual risk profiles.
In a mature control environment an integrated assurance plan would be created
between the 3 LoDs.
Management's universe should also be the basis on which their Enterprise Risk Management
and the PO Risk Framework is applied to measure, monitor, and report against Board set risk
appetite/tolerance.
B) Identification of Controls
As mentioned above, Management are accountable for ensuring a robust control
environment exists within POL which operates within Board-agreed risk appetites and
tolerances.
To discharge their accountability, Management should be able to demonstrate that their
controls are not only identifiable but are also being managed in a diligent, consistent
manner and can be mapped back to their risk.
To ensure an appropriate universe of controls exists to manage risk, the following key
principles should be applied in the identification of controls:
• Apply the PO Risk management process in identifying and measuring risk materiality.
Please refer to Appendix D where the risk management process has been illustrated.
• Assess risks identified at an 'Inherent Level' only, i.e. assuming no controls exist.
• Document controls that manage the inherent risk:
  - Controls documented should be SMART and not a process or procedure.
  - Controls identified and documented should be key controls (defined in
Section 6A).
• Control owners are clearly identified.
• Processes and procedures capture the requirements to evidence and document
controls.
• Ensure controls continue to remain effective through regular assessment (refer to Section 6
below).
• Ensure controls are reflected in SNOW and can be linked and mapped to risks.
6. Assessing control effectiveness
As mentioned above, it is Management's accountability to ensure an appropriate control
environment exists and is maintained. Whilst capturing key controls is an essential first step,
their regular assessment and monitoring, and embedding continuous learning from issues/incidents,
are equally important.
A) Definition of key controls
The POL Control Framework should be balanced and proportionate. The goal is not to reach
absolute coverage or monitor or provide assurance on every activity or process within an
organisation, as this would be untenable, inefficient and very challenging to embed, maintain
and monitor.
Consequently, Management need to be aware of their key controls (derived from their
universe; refer to Section 5 above). A control will be deemed key if it meets the following
criteria:
• reduces or eliminates a key risk or multiple risks
• ensures the delivery of key outcomes
• is appropriate to the risk appetite of the function
• protects some area of the business / exposes a potential area of failure
• is regularly tested or audited for effectiveness
The definition of key risks summarised below has been extracted from the PO Risk Policy
'Harm Table' (please refer to Appendix C). A risk will be deemed key if it meets the following
criteria:
• impacts delivery of strategic priorities
• severely impacts Commercial/Financial/Operational stability
• leads to Postmaster/customer detriment and/or severe Reputational Damage
In the identification, and subsequent monitoring, of Key Controls, management should ensure
that the controls are designed in accordance with the principles stated in Section 5B above.
What benefits will we gain from risk and control mapping?
• Efficiency — one control can mitigate any number of risks. Mapping controls to risks will
identify duplication of effort across different teams, and allows new risks to be assessed
against an existing menu of controls so mitigation doesn't start from scratch.
• Effectiveness — mapping risks to controls allows the business to understand the full impact
of a control changing or failing.
• Assurance - enables aggregated assurance to be developed, resulting in more insightful MI
and therefore better decision making at a higher level.
• Completeness — all risks are connected to their mitigating control(s), giving clarity around
how they are managed, and enabling those charged with oversight to identify gaps or
weaknesses. Also, reduced or archived risks may mean that the associated controls can be
reduced or stopped, which might translate into resource savings for the business.
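The four benefits above become concrete questions once risks and controls are held as a many-to-many mapping rather than in separate lists. The following Python is an added example, not code from this paper and not a POL or SNOW implementation: it holds a small constructed risk register and control list (every identifier, owner and description is made up for illustration) and answers each question in turn: risks with no mitigating control (gaps), controls that serve no live risk (candidates to reduce or stop), what a single control failing leaves fully exposed versus still covered, risks mitigated by controls owned by more than one team (duplicated effort), and which controls are freed when a risk is archived.

```python
"""Risk-to-control mapping checks over a small control universe.

Added example, not code from the POL paper: a many-to-many map between
risks and key controls, with one query for each benefit of mapping listed
in Section 5B (efficiency, effectiveness, completeness). All risk and
control identifiers, owners and descriptions are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    key: bool               # meets the key-risk criteria in Section 6A


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    owner: str              # named control owner, as Section 5B requires
    mitigates: frozenset    # ids of the inherent risks this control manages


class RiskControlMap:
    def __init__(self, risks, controls):
        self.risks = {r.risk_id: r for r in risks}
        self.controls = {c.control_id: c for c in controls}
        self._by_risk = defaultdict(set)   # risk id -> ids of controls mapped to it
        for c in controls:
            unknown = c.mitigates - set(self.risks)
            if unknown:
                raise ValueError(f"{c.control_id} maps to unknown risks {sorted(unknown)}")
            for rid in c.mitigates:
                self._by_risk[rid].add(c.control_id)

    def controls_for(self, risk_id):
        return sorted(self._by_risk.get(risk_id, ()))

    def uncovered_risks(self, key_only=False):
        """Completeness: risks with no mitigating control are gaps."""
        return sorted(rid for rid, r in self.risks.items()
                      if not self._by_risk.get(rid) and (r.key or not key_only))

    def orphan_controls(self):
        """Completeness: controls mapped to no live risk may be reduced or stopped."""
        return sorted(cid for cid, c in self.controls.items() if not c.mitigates)

    def impact_of_failure(self, control_id):
        """Effectiveness: which mapped risks a single control failing leaves exposed."""
        failed = self.controls[control_id]
        exposed, covered = [], []
        for rid in sorted(failed.mitigates):
            other_controls = self._by_risk[rid] - {control_id}
            (covered if other_controls else exposed).append(rid)
        return {"fully_exposed": exposed, "still_covered": covered}

    def duplicate_effort(self):
        """Efficiency: one risk mitigated by controls owned by more than one team."""
        found = []
        for rid in sorted(self._by_risk):
            owners = sorted({self.controls[cid].owner for cid in self._by_risk[rid]})
            if len(owners) > 1:
                found.append((rid, owners))
        return found

    def controls_freed_by_retiring(self, risk_id):
        """Completeness: archiving a risk frees the controls that served only that risk."""
        return sorted(cid for cid in self._by_risk.get(risk_id, ())
                      if self.controls[cid].mitigates == {risk_id})


def build_sample_map():
    """Constructed sample register; not POL's actual risks or controls."""
    risks = [
        Risk("R1", "Cash discrepancy at branch not detected", key=True),
        Risk("R2", "Unauthorised change to transaction data", key=True),
        Risk("R3", "Policy documents out of date", key=False),
        Risk("R4", "Whistleblowing report not actioned", key=True),
    ]
    controls = [
        Control("C1", "Daily branch cash reconciliation", "Finance", frozenset({"R1"})),
        Control("C2", "Change approval with audit logging", "Technology", frozenset({"R2"})),
        Control("C3", "Four-eyes sign-off on production releases", "Technology", frozenset({"R2"})),
        Control("C4", "Weekly cash variance review", "Retail Operations", frozenset({"R1"})),
        Control("C5", "Legacy quarterly stock count sign-off", "Finance", frozenset()),
        Control("C6", "Monthly whistleblowing case review", "LCG", frozenset({"R4"})),
    ]
    return RiskControlMap(risks, controls)


if __name__ == "__main__":
    m = build_sample_map()
    print("Gaps (no control):", m.uncovered_risks())
    print("Orphan controls:", m.orphan_controls())
    print("If C6 fails:", m.impact_of_failure("C6"))
    print("Duplicated effort:", m.duplicate_effort())
    print("Controls freed if R1 archived:", m.controls_freed_by_retiring("R1"))
```

Run on the sample data, the report shows R3 as a gap (a non-key risk with no control), C5 as an orphan control, C6 as a single point of failure for R4, and R1 as a risk where Finance and Retail Operations both operate a control; the constructor also rejects a control that points at a risk not in the register, which is the kind of referential check a GRC tool such as SNOW would be expected to enforce.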
B) First Line - Management Control Self-Assessments/Self Attestations (CSA)
The CSAs comprise periodic control testing, carried out by the Functional Teams under the
guidance and supervision of the Functional Compliance Leads, to ensure that controls are
designed adequately and operate as designed. It focuses on the key controls mitigating the
gross risks (inherent risks) to ensure POL compliance with its obligations rated significant,
major and significant in line with the PO Risk Policy.
The frequency of CSA should be determined by a combination of the gross impact of the risk
and the frequency of the control's operation. This will allow the PO to deploy resources efficiently
and effectively. In summary, management should consider:
• Type of control — manual / system driven
• Frequency of control — daily, weekly, monthly, quarterly, etc.
• Nature of risks being managed — PM detriment, Regulatory, H&S, etc.
• History of incidents and of issues
Please refer to Appendix E, CSA Test Methodology.
Sufficient evidence should be retained by Functional Teams / Functional Compliance Leads to
substantiate the outcomes. The risks and key controls subject to CSAs should be regularly
reviewed, at least quarterly, to ensure that all inherent risks are captured.
Changes to CSA can be driven by new, emerging, or evolving regulatory obligations, risks or
controls/processes. The Functional Compliance Leads will share the changes, and the rationale for
changes to key controls and CSA, with the Group Compliance Team.
Where possible and appropriate Functional Teams should consider the identification of E2E
controls and CSAs for risk that are cross functional.
Where control failures are identified, these should be appropriately reflected in SNOW (non-
compliant), and the root causes should be investigated and remediated through to
completion. The testing frequency of controls that fail a CSA should be increased to provide
assurance that the root cause(s) are sustainably addressed.
To assess and regularly monitor the state of controls, a Functional dashboard should be
created and shared with Group Compliance. The functional dashboard should comprise key
risk indicators, KPIs, CSA results, issues / incidents / root causes etc. to demonstrate the state of the
control environment and related trends / themes or emerging risks. These Functional
dashboards will be a key underpin to the creation / collation of the POL Group Compliance
Dashboard (please refer to Appendix F).
A CSA coverage plan should be prepared on an annual basis, and shared with Group
Compliance and Group Risks.
C) Second Line Assurance — Group Compliance Team and Group Risk
The central compliance team will periodically review and/or test the output of the Functional
Compliance Teams to ensure the quality of testing and documentation is maintained.
The Group Compliance team can perform sample checks to objectively assure that
appropriate evidence exists to demonstrate execution of the control and that Management
are on plan to ensure adequate controls coverage for a period. This can also be achieved
through the Group compliance/risk assurance plan.
The Group Compliance and Group Risk Teams should annually create and deliver an integrated
Compliance & Risk Coverage Programme. The programme should be created in consultation
with the first line (functional compliance leads) and the third line to ensure the following:
• Integrated Assurance - activities are aligned between the LoDs, i.e. avoiding
duplication or significant gaps.
• Adequate, timely and appropriate assurance is maintained on high-risk areas.
• Reviews are performed with the first line to proactively remediate risks and design
controls if any gaps are identified.
This Compliance Coverage Programme will be approved and monitored by ARC on an
annual basis.
The outputs of the compliance & risk coverage programme, along with the results of CSAs,
would be considered by Group Risk when assessing the management of associated.
The Group Compliance Team will aggregate functional Compliance Dashboards and report to
the GE and ARC on a monthly and quarterly basis respectively, to assess overall trends and
themes (current and emerging) to monitor the health of the PO Control Environment (please
refer to Appendix F).
D) Third Line Assurance — Group Internal Audit
The role of Internal Audit is to understand the key risks of the organisation and to
provide independent assurance to management and the Board over the adequacy and
effectiveness of the frameworks of risk management and internal control operated by
Post Office. This is done through an annual risk based audit programme as approved by the
ARC. The programme will include an appraisal of the effectiveness of Second Line activities
as well as in depth reviews of First Line activities.
Appendices (DRAFT)
Appendix A - Governance Risk & Compliance Framework
[Figure: Governance, Risk & Compliance (GRC) Framework. Three sets of inputs feed a GRC Program: good governance practices, audit results and industry practice feed Governance processes; internal and external risks, threats and (text illegible) feed Risk management; laws, regulations, statutes, standards, audit results and industry practice feed Compliance (label partly illegible). The programme acts on the business: operations, goals, objectives, policies, procedures, staffing and technology.]
Appendix B - Control and Risk Universe
[Figure: two hierarchies. Control Universe: Company (Post Office) > Business Unit (GE) > Department (GE -1) > Business Entity (GE -2). Risk Universe: Company (Post Office) > Business Unit (GE) > Department (GE -1).]
Appendix C - Post Office Corporate Harm Table
[Table: impact scale. "The impact of the risk materialising could be one (or more) of the following." Rows are impact ratings from the highest rating down to Low and Very Low; columns are: Strategic/Financial impact on Post Office Group; Reputation/Legal impact on Post Office Group; Impact on strategic partners; Impact on our customers. The cell descriptors (projected percentage declines in Post Office income and profitability, projected percentage increases over the agreed baseline in customer complaints about product or service quality, projected numbers of online customer sessions impacted by being unable to access the digital platforms, extent of negative media coverage and damage to the Post Office brand, and impact on the ability to achieve strategic objectives) are illegible in this extraction and are not reproduced.]
Appendix C (continued) - Post Office Corporate Harm Table: Likelihood scale
"The likelihood of risk materialising..."

Almost Certain / Very High
  Risk likely to materialise very frequently unless action taken.
  Risk could be expected to materialise almost 100% of the time.
Likely / High
  Risk likely to materialise frequently if events follow normal patterns and mitigating action is not taken.
  Risk could be expected to materialise say 51%-99% of the time.
Possible / Moderate
  Risk unlikely to materialise but it is possible.
  Risk could be expected to materialise infrequently/irregularly/sporadically (say 26%-50% of the time).
Unlikely / Low
  Risk very unlikely to materialise.
  Risk could materialise intermittently (say 1%-25% of the time).
(Lowest rating; label not legible in this extraction)
  A remote likelihood that risk would materialise.
  Almost inconceivable that risk would occur.
Appendix D - Risk Management Process
[Figure: the risk management process cycle. Legible stage labels: Establishing the Context; Risk Identification; Risk Treatment; "... and Review". The remaining stage labels are illegible in this extraction.]

Appendix E - Control Self-Assessment Sampling (CSA) Methodology
The table below provides the CSA frequency and sampling methodology for the Functional Compliance Team:

Control Frequency | Testing Frequency | Minimum Sample Size | Sample Period
Annual            | Annual            | 1 (Annually - 1)    | Prior 12 months
Quarterly         | 6 Monthly         | 1 (Annually - 2)    | Prior 6 months
Monthly           | Quarterly         | 1 (Annually - 3)    | Prior 3 months
Weekly            | Monthly           | 1 (Annually - 6)    | Prior month
Daily             | Monthly           | 2 (Annually - 6)    | Prior month
Automated*        | Annually          | 1 (Annually - 1)    | Prior 12 months
Ad-hoc            | Obtain guidance from the Group Compliance Team for minimum sample size and frequency.

* Automated controls are those that require no manual intervention and/or monitoring.
Group Compliance and Group Risk can also perform sampling to ensure and assess that Control
Framework Standards and principles are being adhered to. The sample size may vary depending on
issues/incidents and/or breaches.
The direction of travel should be to reduce sampling checks by Group and replace them with an integrated
second line assurance plan. This will be contingent on Functional Compliance Teams being able to
demonstrate that the POL CF has been embedded in a consistent manner. This transition would be
ratified by the RCC.
Appendix F - Illustrative example of a POL Group Compliance Dashboard:
[Table: illustrative dashboard. Columns: Area | Measure | Month | Prior Year | Target | Explanation / Commentary. The Month and Prior Year values are not populated in the draft. Recoverable rows:]

Tone from the top / Ways of Working - Cultures and behaviours
  Measure: Are GE displaying the right behaviours, values and cultures? Target: >XX% or score.
  Commentary: This would be sourced from the people engagement score. Will need to agree with GE which questions this would be based on (consider metrics of REMCO).
Training
  Measure: Completion %. Commentary: Sourced from L&D and metrics issued on a monthly basis; highlighting functional exceptions.
Legal & Regulatory
  Regulatory Breaches (#): Reducing trend. Sourced from Functional Dashboards; highlighting trends and thematics.
  Issues and Incidents (#): All regulatory issues and incidents should be tracked in the Functions in which they are owned, and there should be a remediation plan.
  Remediations Overdue: 0. Sourced from Functional Dashboards.
Operational Issues and Incidents
  Issues and Incidents (#): Reducing trend. Highlighting trends and thematics.
  Repeats (#): 0. Focussing on RCA and efficacy of remediations (if in place).
  PM Detriment (#): Reducing trend. Identifying if any issues/incidents have led to, or could have led to, PM detriment.
  Remediations Overdue: 0. Sourced from Functional Dashboards.
Policy Compliance and Breaches
  Level of non-compliance. Sourced from issues and incidents (i.e. there may be an overlap) and from policy reviews.
Technology Releases/Changes
  P1/P2 incidents (#): Reducing trend. Summarising RCA for P1s and P2s, and identifying RCA and trends/thematics.
Overdue Internal Audit Management Actions
  Overdue actions # > 3 months: target partly illegible ("On trend"). Sourced from Internal Audit, with exceptions highlighted if they represent material risks.
Overdue Group Compliance Management Actions
  Overdue actions # > 3 months: Reducing trend. If and when Group Compliance have an integrated Assurance plan.
Control Self-Assessment - First Line Results
  CSA due vs completed (# / %): ≥95%. Sourced from Functional Dashboards.
  Pass rate %: ≥95%. With failures summarised and tracked as exceptions.
Control Self-Assessment - Group Compliance
  Pass rate %: 100%. This is the result of the Group Compliance sampling.
Risk Management
  Enterprise Risk - # OOT (# with no remediation plan): Reducing trend. Tracked from the GE and sourced from Group Risk. Expect to have OOT risk, but then we should have remediations unless OOT has been accepted by the Board.
  Intermediate Risk - # OOT (# with no remediation plan): NA / Reducing trend. Tracked from the GE and sourced from Group Risk.
  Local Risk - # OOT (# with no remediation plan): NA / Reducing trend. Probably not for this dashboard but should be part of GE Functional Dashboards.
Data Management Maturity
  Measure not yet set. Not sure, but I think this may be needed once we have a Data Management Committee and an aligned data maturity strategy and delivery plan.
Status of assurance on 'Historical Matters' (row label partly illegible)
  Again not sure, but feel in the short term this may need to be monitored separately.
NB: Once agreed, this dashboard will be submitted to the GE on a monthly basis. The measures will be RAGed to ease identification of exceptions. Also if
and when agreed we will need time to operationalise this to weed out any operational data issues and embed this efficiently across the functions and or
Group.