POL00447853 - POL - Group Policy - Risk Management


GROUP POLICY

Risk Management

Version 1.5

Post Office Limited - Document Classification: INTERNAL

1. Overview
    1.1. Introduction
    1.2. Purpose
    1.3. Core Principles
    1.4. Application
    1.5. Industry Guidance
    1.6. Policy Risks
2. Risk Governance
    2.1. Structure
    2.2. Roles and Responsibilities
    2.3. Risk Reporting
3. Risk Strategy
    3.1. Strategic Objectives
    3.2. Risk Appetite
    3.3. Policy Exceptions
4. Risk Management Framework
    4.1. Post Office Risk Management Framework
    4.2. Risk Articulation
    4.3. Risk Hierarchy and Classification
    4.4. Risk Ownership
    4.5. Harm Table and Control Effectiveness
    4.6. Governance, Risk & Compliance (GRC) tool
5. Policy Framework and Minimum Control Standards
    5.1. Policy Framework
    5.2. Who must comply?
    5.3. Minimum Control Standards
6. Where to go for help
    6.1. Additional Policies
    6.2. How to raise a concern
    6.3. Who to contact for more information?
7. Governance

INTERNAL Page 2 of 26 20231030 Group Risk Management Policy_v1.5

    7.1. Governance Responsibilities
    7.2. Tools
    7.3. Definitions
8. Document Control
    8.1. Document Control Record
    8.2. Oversight Committee
    8.3. Company Details
    8.4. Appendix A: Risk Appetite scale
    8.5. Appendix B: HARM table

1. Overview

1.1. Introduction
The Chief Finance Officer has overall accountability to the Board of Directors to ensure that the Post
Office actively monitors and strengthens its approach to risk management and promotes a consistent
risk-intelligent culture.

Post Office must balance the need to provide essential services to our customers whilst maintaining and
enhancing profitability, but also ensuring a strong commercial proposition for Postmasters within our
network. Post Office is, and will continue to be, exposed to many sources of risk as a result of its various
activities, external environment in which it operates and greater scrutiny from regulators, legislators and
Government.

Failure to effectively manage risks will adversely impact Post Office’s ability to deliver its business
strategy, will undermine the protection and preservation of its reputation and brand, and the delivery of
consistent, high-quality services.

Post Office acknowledges that risk exists in everything it does, so everyone in the organisation has a
duty of care to manage these risks. However, risk management is as much about exploiting
opportunities as it is about managing threats. Given this, Post Office will inevitably take a certain
amount of risk in order to achieve its strategic objectives.

This Policy (with its clear principles and mandatory minimum control standards) is an important
reference document in managing risks efficiently and effectively.

1.2. Purpose

The Policy has been established to set the minimum operating standards relating to enterprise risk
management throughout Post Office.¹ It is one of a set of policies which provide a clear risk and
governance framework and an effective system of internal control for the management of risk across
Post Office. Compliance with these policies supports the Post Office in meeting its business objectives
and in balancing the needs of shareholders, employees and other stakeholders.

This Policy is organised around three areas:

• Risk Governance: This focuses on how Post Office risk management activity is organised. It
describes (i) the relevant Committees (and their respective roles with regard to risk and how they
interact) and (ii) the ‘3 lines of defence’ risk management model (and where accountability and
responsibility are placed within it);

• Risk Strategy: This focuses on Post Office’s overall approach to risk management. It describes
how risk management activities are aligned to the Post Office’s strategic objectives, the level of
risk exposure (appetite) that is acceptable and policy exceptions; and,

• Risk Management Framework: This defines the risk management activities that must be
undertaken, how they will be undertaken and their frequency.

The Policy also outlines the minimum control standards that apply to each of these areas.

It is supported by a set of Guidelines which provide additional detail and practical guidance for the
business to support the consistent and robust identification and management of risks and opportunities
across the organisation. It is also underpinned by a corporate Governance, Risk and Compliance (GRC)
tool².

This Policy, the Guidelines and the supporting material are accessible on Post Office's Central Risk
intranet site (https://poluk.sharepoint.com/sites/Risks).

¹ In this Policy “Post Office” means Post Office Limited and any wholly owned subsidiary.
² ServiceNow Advanced Risk Management and Policy & Compliance modules

1.3. Core Principles

The Post Office Risk Policy principles are based on ISO 31000 (Risk Management — Principles and
Guidelines).³ They also have regard to the UK Corporate Governance Code⁴ (Guidance on Risk
Management, Internal Control and Related Financial and Business Reporting). There are 7 principles:

• Risk management is fundamental to how Post Office is directed, managed and controlled at all
levels;

• Risk management must be embedded in all Post Office activities. Its underlying risk culture and
approach is key to effective decision making;

• Risks identified must be recorded on the corporate GRC tool and should continually be assessed,
monitored, managed and reported at an individual and aggregate level;

• Risks will be considered for escalation to GE, RCC and ARC if they impact delivery of strategic
priorities;

• Risk management processes must be aligned and integrated with the delivery of the Post Office’s
strategy and in such a way that supports an enterprise-wide approach;

• Risk management must follow a consistent, transparent and auditable methodology and
proactively recognise external factors, opportunities, and uncertainties;

• Risk reporting must allow for the effective review, challenge and monitoring of risk exposure
against Post Office’s approved risk appetite; and,

• Risk Governance must adhere to the industry standard ‘3 lines of defence’ model to ensure clear
accountability and appropriate segregation of duties.

1.4. Application

The Policy is applicable to all areas within Post Office Ltd and its subsidiaries⁵ and defines the minimum
standards to control financial loss, customer impact, regulatory breaches and reputational damage in
line with the various Risk Appetites.

Post Office Management Services Limited is required to have a separate risk governance framework as
part of its FCA authorisation, but its policy and approach will be aligned to the risk requirements of
Post Office Limited and will continue to comply with the principles of this Group Risk Policy.

1.5. Industry Guidance
This Policy is aligned with the following industry standards and guidance:

The Committee of Sponsoring Organizations of the Treadway Commission (COSO): A joint
initiative of five professional organisations seeking to improve performance by developing leadership
that enhances internal control, risk management, governance and fraud deterrence.

COSO Enterprise Risk Management-Integrated Framework (2017): Addresses the evolution of
enterprise risk management and the need for organisations to improve their approach to managing risk
to meet the demands of an evolving business environment.

COSO Internal Control - Integrated Framework (2013): An Integrated Framework which helps
organisations design and implement internal control.

ISO 31000: A family of standards relating to risk management codified by the International Organization
for Standardization.

³ ISO 31000 is a family of standards relating to risk management codified by the International Organization for Standardization.

⁴ The UK Corporate Governance Code (formerly known as the Combined Code) is part of UK company law with a set of principles
of good corporate governance aimed at companies listed on the London Stock Exchange. It is overseen by the Financial
Reporting Council.

⁵ Post Office Limited is wholly owned by the Department for Business, Energy and Industrial Strategy (BEIS). Its business consists
of the core products and services provided by Post Office Group (mails, government services (including identity & licences)
and retail), as well as selling the services of Group Companies, Post Office Insurance and Payzone Bill Payments Limited.

The UK Corporate Governance code (formerly known as the Combined Code): Part of UK company
law with a set of principles of good corporate governance aimed at companies listed on the London
Stock Exchange. It is overseen by the Financial Reporting Council.

1.6. Policy Risks

Risk Governance

• Due to the lack of engagement between the GE members and Central Risk Team, there is a risk
that the Group Executive (GE) is unable to fulfil its responsibility of having an understanding of risks
facing Post Office (including new and emerging risks), which may result in failure to achieve
strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or customer
impact.

• Due to capacity and resourcing within the Central Risk Team, there is a risk that the RCC, ARC and
Board are unable to fulfil their responsibilities of providing oversight, challenging and approving the
direction of risks facing Post Office (including new and emerging risks), which may result in failure
to achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or
customer impact.

Risk Strategy

• Because the risk management knowledge and culture are not consistent across the business, there
is a risk that Post Office 1st line do not refer to the Post Office Risk Appetite, where approved, when
completing the risk assessments, which may result in failure to achieve strategic objectives, lead to
reputational damage, regulatory breach, financial loss and/or customer impact.

• Due to capacity and resourcing within the Central Risk Team, there is a risk that the Risk Appetite
statements are not periodically reviewed and approved by ARC, which may result in failure to
achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or
customer impact.

• Because the risk management knowledge and culture are not consistent across the business, there
is a risk that the risks outside Appetite are not periodically monitored by the GE, which may result in
failure to achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss
and/or customer impact.

• Due to failure of the business to identify and mitigate risk at an early stage, there is a risk that the
business departs from an approved Policy, which may result in Post Office failing to achieve its
strategic objectives and leading to reputational damage, regulatory breach, financial loss and/or
customer impact.

• Because the knowledge and culture of the policy exception process is not consistent across the
business, there is a risk that the Post Office Policy Exceptions are not reviewed, updated and
managed to closure, which may result in failure to achieve strategic objectives, lead to reputational
damage, regulatory breach, financial loss and/or customer impact.

• Due to capacity and resourcing within the Central Risk Team, there is a risk that the GE is unable
to fulfil its responsibility of having visibility of the open Post Office Policy Exceptions, which may
result in failure to achieve strategic objectives, lead to reputational damage, regulatory breach,
financial loss and/or customer impact.

Risk Management Framework

• Because the risk management knowledge and culture are not consistent across the business, there
is a risk that the GE and Post Office 1st line fail to proactively identify, assess, own and manage their
risks and/or maintain their associated internal control measures, which may result in failure to
achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or
customer impact.

• Because the risk management knowledge and culture are not consistent across the business, there
is a risk that Post Office 1st line fail to articulate their risks in terms of their cause(s), the risk event
itself and their impact, which may result in failure to achieve strategic objectives, lead to reputational
damage, regulatory breach, financial loss and/or customer impact.

• Because the risk management knowledge and culture are not consistent across the business, there
is a risk that Post Office 1st line fail to proactively monitor, action and update the treatment of risks,
which may result in failure to achieve strategic objectives, lead to reputational damage, regulatory
breach, financial loss and/or customer impact.

• Because the risk management knowledge and culture are not consistent across the business, there
is a risk that Post Office 1st line overstate the effectiveness of controls, thereby understating the
residual risk likelihood and impact, which may result in failure to achieve strategic objectives, lead
to reputational damage, regulatory breach, financial loss and/or customer impact.

• Due to capacity and resourcing within the Central Risk Team, there is a risk that the Post Office HARM
table and Group Risk Management Policy are not reviewed to ensure changes to Post Office
strategic objectives and the external risk landscape are reflected. This may result in Post Office
failing to achieve its strategic objectives and/or leading to reputational damage, regulatory breach,
financial loss and/or customer impact.

• Because the risk management knowledge and culture are not consistent across the business, there
is a risk that Post Office 1st line fail to score their risks in accordance with the Post Office HARM
table, which may result in failure to achieve strategic objectives, lead to reputational damage,
regulatory breach, financial loss and/or customer impact.

• Due to capacity within the Central Risk Team and business priorities, there is a risk that Post Office
1st line are insufficiently trained on risk management and operation of the corporate GRC tool, which
may result in failure to achieve strategic objectives, lead to reputational damage, regulatory breach,
financial loss and/or customer impact.


2. Risk Governance

Post Office’s Risk Governance focuses on how Post Office risk management activity is organised.

2.1. Structure

The Post Office risk management structure consists of the:

• Board⁶, informed and advised by the Audit, Risk & Compliance Committee (ARC). They have
overall accountability for the assessment and management of risk, taking a strategic view of the
risks faced by Post Office;

• ARC⁷: They support the Board in its assessment and management of risks. The ARC reviews
Post Office’s risk policy, risk appetite and attitude to risk to ensure these are appropriately defined
and communicated so that parameters and expectations are understood;

• Group Executive (GE)⁸: The GE, led by the Chief Executive Officer, has operational responsibility
for Post Office risk management and systems of internal control; and,

• RCC⁹: They support the Group Executive in fulfilling its responsibilities for the effective oversight
of risk management, internal control and assurance, and compliance. The RCC reviews the
information, plans and recommendations that are subsequently presented to the ARC.

2.2. Roles and Responsibilities

Post Office follows the industry standard ‘3 lines of defence’ model with regard to risk management
governance, compliance and oversight. This means:

• The GE and their Business Units perform the 1st line function. They are accountable for
identifying, assessing, owning and managing their risks. They are also accountable for the design,
implementation and maintenance of the associated internal control measures;

• The Central Risk team perform the 2nd line function. They oversee the corporate approach to
risk management. This involves defining and implementing risk standards, policies, procedures
and guidance. They also assist the 1st line function in the risk management activities in line with
good practice, as well as monitoring compliance and effectiveness. Furthermore, they are
accountable for reporting to the RCC, GE and ARC on Post Office risk performance, as well as
advising on emerging risks and changing risk scenarios; and,

• Internal Audit, who operate independently of the 1st and 2nd line functions, are the 3rd line. They
provide an independent evaluation of the adequacy and effectiveness of Post Office’s control
framework. An independent evaluation of the risk management framework and governance is
undertaken by a 3rd party to ensure independence is maintained.

2.3. Risk Reporting

All Post Office risks must be monitored, reviewed and recorded regularly to determine whether, or not,
the corporate risk profile has changed and to gain assurance that risks are managed effectively. Such
regular (and incremental) reporting has several benefits including:

• ensuring responses are effective and efficient;

• building up knowledge to improve risk identification and analysis;

• providing a better link between risks and objectives, key dependencies, core processes and
stakeholder expectations;

⁶ The Board is collectively responsible for setting Post Office's strategic direction and primary business objectives.
It establishes a robust governance framework and ensures that the Company has the financial and human
resources required to achieve its agreed objectives. It is chaired by a non-Executive Director.

⁷ The ARC is a Committee of the Board from which it derives its authority. It provides oversight of the Post Office
Group's risk management systems, operational controls and key systems, including monitoring exposures to
the Group Risk Appetite.

⁸ The GE is a Committee of Post Office senior management responsible for day to day Post Office operational
management.

⁹ The Risk and Compliance Committee (RCC) is a standing committee of the Group Executive (GE). Its authority
is subject to the powers and duties of the Company Board, as set out in the Articles of Association and the
Framework Document. The purpose of the RCC is to support the GE in fulfilling their responsibilities in the
effective oversight of risk management, internal control and assurance, and compliance in the Group.

• detecting and preparing for changes and trends in existing risks, including the extent to which
risks are aligned with approved appetite;

• identifying and preparing for new and emerging risks; and,

• identifying good risk management practice, building on it and disseminating it to other parts of
the organisation.

Post Office has in place a reporting cycle for Enterprise, Intermediate and Local risks (see section 4.3).
Risk Dashboards are produced by the Central Risk team for each GE member. A Risk Update is
submitted to every RCC and ARC bi-monthly. These reports include the latest position of enterprise,
intermediate and local risks outside of appetite (including new and emerging risks). The data is taken
directly from the Post Office’s GRC tool¹⁰, which provides a ‘single source of truth’. Risks are escalated
to the GE members through these dashboards.

A risk deep-dive occurs on a 6-monthly rotational cycle for each Business Area. It helps to identify and
improve specific areas of risk and focuses on areas of key risks. However, all risks that are considered
to have an impact on Post Office strategic objectives are also reported on a bi-monthly basis as per the
above paragraph.

For the Inquiry Programme, risks are managed through the Inquiry Steering Committee which meets
fortnightly, and the papers include a risk and MI pack, with key risks called out for discussion at the start
of each meeting. The reason for needing a separate regime for tracking and managing the risks within
the Inquiry Programme is the confidentiality regime imposed by the Inquiry itself. This regime seeks to
protect the Inquiry’s confidential information by restricting access to that information to anyone that is
not signed up to the confidentiality regime.

¹⁰ For Post Office Insurance (POI), all risks at intermediate and local level are no longer recorded within the corporate GRC tool
and are managed independently by POI. POI provides POL with all key risks that are reported to the POI ARC, on a bi-monthly
basis, in line with the RCC and ARC reporting timeline.

3. Risk Strategy

The Post Office’s Risk Strategy focuses on Post Office’s overall approach to risk management. This
includes risk policy, guidelines, appetite and the techniques by which Post Office assesses risks, as well
as the key priorities.

3.1. Strategic Objectives

This Policy is focused on managing the risks and opportunities of Post Office associated with its strategic
purpose of ‘We're here, in person, for the people who rely on us’. Such focus increases the probability
of success of achieving the strategic objectives.

3.2. Risk Appetite¹¹

Post Office has in place a series of risk appetite statements to:

• allow the Board, ARC, GE and RCC to understand the organisation’s aggregated levels of risk to
determine acceptability or not;

• provide further assurance that the strategic objectives will be secured and early warning where
these are under threat;

• allow the business to focus limited resource on managing risks outside of risk appetite thresholds;

• support management in making decisions with an understanding of the degree to which the
business is exposed to the consequences of a risk event;

• flex and adapt to the changing business environment; and,

• provide agreed tolerable risk levels that Post Office is willing to operate in given current funding
constraints. However, all risks should be managed within the agreed risk appetite.

The Post Office’s approach is based on industry-standard principles¹², namely:

• Scope: Risk appetites are primarily articulated at the enterprise risk level and guide/shape the
management of linked intermediate and local risks;

• Complex: Risk appetites are complex, given that excessive simplicity, while superficially
attractive, is counter-productive;

• Measurable: Risk appetites are measurable, so are based on relevant, accurate and readily
available existing data;

• Flexible: Risk appetites are not single, fixed concepts. There will be different (and tailored)
appetites for different enterprise risks; and,

• Manageable: The approach considers Post Office’s risk management capability and the
organisation's willingness and capacity for taking risks and level of maturity in managing them.

The ARC will approve all Risk Appetite Statements. They may also request, as necessary, the GE to
support the articulation of additional Risk Appetite Statements as well as seek assurance Post Office is
adhering to the approved Risk Appetite Statement thresholds.

The Post Office's ‘3 lines of defence’ risk management oversee its Risk Appetite as follows:

GE
• Effectively and clearly communicate goals and objectives, strategy, achievement
metrics, and relevant time periods for pursuing the objectives related to developing
risk appetite statements.
• Set the Risk Appetite levels that ensure enough risk is being taken to ensure Post
Office strategic objectives are met.
• Secure Group consensus on statements and approach.
• Commission revisions of Risk Appetite Statements as needed.

Individual Business Units and subsidiary Departments
• Validate or raise concerns about the ongoing viability of existing Risk Appetite
Statements approved by the GE/Board.
• Monitor adherence to Risk Appetite Statements that apply to the Group.

\" Risk Appetite is the amount of overall risk an organisation is willing to pursue (or retain) to achieve the relevant strategic
objective.

*? Institute of Risk Management: Risk Appetite & Tolerance Guidance paper - 9/2011. Gartner: Ignition Guide to Drafting and
Operationalizing Risk Appetite ~ 2/2020

INTERNAL Page 10 of 26 20231030 Group Risk Management Policy_v1.5
POL00447853

POL00447853

Post Office Limited - Document Classification: INTERNAL

Central Risk (2nd Line)
• Produce and implement Post Office Risk Management policy/standards, procedures
and guidance.
• Develop (in discussion with 1st Line) the initial set of corporate Risk Appetite Statements.
• Oversee the corporate approach to risk management.
• Assist the 1st line function in the risk management activities in line with good practice
as well as monitor compliance and effectiveness.
• Accountable for reporting to the GE, RCC, and ARC on Post Office risk performance,
as well as advising on emerging risks and changing risk scenarios.

Internal Audit
• Developing an annual audit plan based on identified risks and priorities.
• Conducting audits and reviews to examine and evaluate the adequacy and
effectiveness of the frameworks of 1st line risk management, internal controls,
processes and systems, and compliance with policies and regulations.
• Ensuring that corrective actions are taken in response to audit findings and
monitoring their implementation.
• Report to RCC and ARC on its findings, particularly around areas of non-compliance.

Post Office assesses risk appetite against a 5-tiered scale (see Appendix A, section 8.4).

3.3. Policy Exceptions

A Policy Exception is required when the business wishes to operate outside of agreed policy and
regulations.

Anyone in the business can request a Policy Exception. However, Policy Exceptions should not be
considered a normal part of business and one should only be raised when all other alternative options
have been exhausted with discussions involving senior decision makers.

A Policy Exception Note (PEN) form needs to be completed by the Exception owner and approved by
the GE member (or delegate GE-1) of the Business Area and the GE Policy Owner. Once approved, a
copy of the PEN should be sent to the relevant Risk Business Partner (RBP).

For further information refer to the PEN form and "How to Guide" document here or contact your
Business Unit Risk Business Partner.

4. Risk Management Framework

The Post Office Risk Management Framework provides the standard for the management of risk to the
organisation. This includes how risks are articulated, classified, evaluated as well as the risk
management tools used.

4.1. Post Office Risk Management Framework

Post Office's risk management framework is designed so that the material risks throughout the business
can be identified, assessed and effectively managed. This framework incorporates the following core
elements:

[Figure 1. Post Office Risk Management Framework (diagram not reproduced; its four elements are described below)]

• Identify: Techniques by which Post Office identifies all the risks it faces, be they existing, new or
emerging. The Board, and those setting strategy and policy, should use horizon scanning and
scenario planning collectively and collaboratively to identify and consider the nature of emerging
risks, threats and trends;

• Assess: Whereby each risk is assessed in terms of its potential impact and likelihood for the
inherent and residual risk score. A risk profile is produced providing a significance rating to each
risk and therefore a tool for prioritising treatment efforts. Risk assessment also includes assessing
the control effectiveness and ensuring control measures are in place;

• Respond: Implementation of actions to respond to risks, including decisions on whether to
tolerate, treat, transfer or terminate; and

• Monitor: This is focused on (a) reacting to early warning indicators of the need to make
interventions, (b) reviewing emerging risks and opportunities, (c) reviewing whether risk owners
are implementing the responses for which they are accountable and, (d) reporting on the success
(or otherwise) of the interventions to date and whether additional activity is required.

4.2. Risk Articulation

All risks across the risk hierarchy must be expressed in terms of their cause(s), the risk event itself, and
their impact:

• Cause: A cause is an element which alone or in combination with other causes has the potential
to give rise to the risk. They are generally (but not exclusively) external;

• Event: An event is an articulation of the potential adverse or beneficial circumstances that could
result from the cause — in effect the risk itself. Post Office risks should be classified (see section
4.3) against the Event, not the Cause or the Impact; and,

• Impact: Impact is the outcome of a risk event materialising. Outcomes can be positive or
negative. They can also be direct or indirect. It is also possible to express them qualitatively or
quantitatively. They should be assessed using the Post Office HARM table (see Appendix B, section 8.5).

4.3. Risk Hierarchy and Classification

Post Office has a three-level risk hierarchy. These are:

• Enterprise Risks: The Post Office’s key business risks are grouped into fourteen enterprise-level
themes which mirror HM Government's approach to enterprise risk classification. These risks are
Post Office-wide and so are of corporate importance. Each enterprise risk is owned by a single
GE member. Central Risk provides an update on the management of these enterprise risks at each
RCC and ARC;

• Intermediate Risks: These are sub-categories of an enterprise risk to which they are linked. They
are often the key risks faced by individual business units; and,

• Local Risks: These are sub-categories of intermediate risks, to which they are linked. They are
often more specific, local risks faced by individual subsidiary departments.

The Post Office risks have been categorised in a manner consistent with those advocated by HM
Government's ‘Orange Book’¹³.

4.4. Risk Ownership

Risks can be owned by any colleague within Post Office and its subsidiaries. Ownership of a risk is
determined by the risk event itself and where the risk is classified under the risk hierarchy (see section
4.3). The Risk Owner is responsible and accountable for the management of the risks they own and for
transferring ownership where the risk:

• has to be reallocated within the organisation due to internal restructure; or,
• has changed and needs to be reassigned.

When a risk is transferred, the Risk Owner must provide the new owner with complete information about
the risk to enable them to manage the risk appropriately. Risk ownership can only be transferred when
a risk has been accepted by the new Risk Owner.

4.5. Harm Table and Control Effectiveness

Post Office assesses each risk by combining the likelihood of the risk materialising (on a standard 1-5
scale) with the impact of the event should the risk materialise (again on a standard 1-5 scale) to provide
an overall risk rating.

The Post Office corporate HARM table describes the impact/likelihood scales which must be applied.
This is provided at Section 8.5 (Appendix B).

Each active risk should have two ratings, namely:
. Inherent: the level of risk before any control activities are applied; and,
. Residual: the latest level of risk, taking into account the effectiveness of the controls currently in place;

and, where applicable, a Control Effectiveness assessment (i.e. Effective, Partially Effective or Not
Effective). Refer to the Policy Guidelines for more details.

4.6. Governance, Risk & Compliance (GRC) tool

All Post Office risks (across all levels of the risk hierarchy) must be identified, analysed, evaluated,
managed and recorded using the corporate GRC tool (ServiceNow GRC; see section 7.2). A ServiceNow
(SNOW) Risk Management User Guide is available on the Central Risk Team intranet.

[18] HM Government: Management of Risk (Principles and Concepts), May 2023.


5. Policy Framework and Minimum Control Standards

5.1. Policy Framework

Post Office has established a suite of other Policies and standards, based on a risk-sensitive approach,
which are subject to an annual review. These have been developed to comply with applicable legislation
and regulation. They include, but are not limited to:

. Anti-Bribery & Corruption Policy
. Business Continuity Management Policy
. Change Policy
. Code of Business Standards
. Financial Crime Policy
. Health and Safety Policy
. IT Disaster Recovery
. Treasury Policy
. Vulnerable Customer Policy
. Whistleblowing
. Internal Audit Charter
. Cyber Security Policy

5.2. Who must comply?

Compliance with the Risk Policy is mandatory for all Post Office employees* and subsidiaries and applies
wherever in the world the business is undertaken.

Where material non-compliance is identified the matter must be referred to the Policy Owner (the
Director of Internal Audit and Risk Management) and Sponsor (the Chief Finance Officer). Where
required, any investigations will be carried out in accordance with the Investigations Policy. Where it is
identified that an instance of non-compliance is caused through wilful disregard or negligence, this may
be treated as a disciplinary offence.

* In this policy "employee" and "staff" means all persons working for the Group or on our behalf in any capacity, including
employees at all levels, directors, officers, agency workers, seconded workers, volunteers, interns, and contractors.


5.3. Minimum Control Standards

A minimum control standard is an activity which must be in place in order to manage the risks so that they remain within the
defined Risk Appetite statements. There must be mechanisms in place within each business unit to demonstrate compliance. The
minimum control standards can cover a range of control types (i.e. preventative, detective and corrective) which are required to
ensure risks are managed to an acceptable level and within the defined Risk Appetite.

The table below sets out the relationships between each identified risk and the required minimum control standards:

Columns: Risk Area | Description of Risk | Minimum Control Standards | Responsible | When

Risk Area: Risk Management Framework (Risk Management Process)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that the GE and Post Office 1st line fail to proactively identify, assess, own and manage their risks and/or maintain their
associated internal control measures, which may result in failure to achieve strategic objectives, lead to reputational damage,
regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Preventative control: A periodic risk assessment is performed within the corporate GRC tool by the
Post Office Risk Owners, to ensure Inherent/Residual scores are assessed. For Post Office Insurance, risk assessments are
managed independently via Power Apps.
Responsible: Risk Owners
When: Bi-annual / Ad hoc

Risk Area: Risk Management Framework (Risk Management Process)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that Post Office 1st line fail to articulate their risks in terms of their cause(s), the risk event itself and their impact, which
may result in failure to achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or
customer impact.
Minimum Control Standard: Preventative control: Articulation of risks in terms of their cause(s), the risk event itself, their
impact and the classification of risks against the event is ensured by the Post Office Risk Owners, as reflected in the
corporate GRC tool.
Responsible: Risk Owners
When: Ad hoc

Risk Area: Risk Management Framework (Risk Management Process)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that Post Office 1st line fail to proactively monitor, action and update the treatment of risks, which may result in failure to
achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Detective control: Post Office Risk Owners monitor that all risks have an effective risk response
(i.e. mitigate, accept, transfer or terminate). They must ensure the appropriate actions to treat the risk against the relevant
risk response are reflected in the corporate GRC tool.
Responsible: Risk Owners
When: Ad hoc

Risk Area: Risk Management Framework (Risk Management Process)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that the GE and Post Office 1st line fail to proactively identify, assess, own and manage their risks and/or maintain their
associated internal control measures, which may result in failure to achieve strategic objectives, lead to reputational damage,
regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Detective control: The Central Risk Team, through a) their 2nd line assurance activity, assess the
effectiveness of risk descriptions (10% risk sample check across the portfolio), as evidenced in the Risk Assurance Report;
and b) deep dives for enterprise and intermediate risks, assess the effectiveness of the risk scores and responses completed
by the 1st line, as evidenced in the GE Risk Dashboards.
Responsible: Central Risk
When: Bi-annual (Risk Assurance Report) / Bi-monthly (GE Risk Dashboards)

Risk Area: Risk Management Framework (Risk Management Process)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that Post Office 1st line overstate the effectiveness of controls, thereby understating the residual risk likelihood and impact,
which may result in failure to achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss
and/or customer impact.
Minimum Control Standard: Detective control: Internal Audit, through their annual audit programme, assess the effectiveness of
controls and report controls that are not designed or operating effectively to mitigate the risk.
Responsible: Internal Audit
When: Ad hoc

Risk Area: Risk Management Framework (Harm Table and Group Risk Management Policy)
Description of Risk: Due to capacity and resourcing within the Central Risk Team, there is a risk that the Post Office HARM table
and Group Risk Management Policy are not reviewed to ensure changes to Post Office strategic objectives and the external risk
landscape are reflected. This may result in Post Office failing to achieve its strategic objectives and/or lead to reputational
damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Preventative control: The Post Office HARM Table and Group Risk Management Policy are reviewed by
Central Risk and submitted for approval to ARC.
Responsible: Central Risk / ARC
When: Annually

Risk Area: Risk Management Framework (Harm Table and Group Risk Management Policy)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that Post Office 1st line fail to score their risks in accordance with the Post Office HARM table, which may result in failure
to achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Preventative control: The inherent and residual risk ratings are scored by the Post Office Risk Owners
against the Post Office HARM table, as reflected in the corporate GRC tool.
Responsible: Risk Owners
When: Ad hoc

Risk Area: Risk Management Framework (Risk Training)
Description of Risk: Due to capacity within the Central Risk team and business priorities, there is a risk that Post Office 1st
line are insufficiently trained on risk management and operation of the corporate GRC tool, which may result in failure to
achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Preventative control: One-to-one training is undertaken by Central Risk Business Partners with all new
Post Office Risk Owners, following the allocation of corporate GRC tool licences by the 1st line, to ensure they are able to
manage their risks within the tool. Central Risk provide a corporate GRC tool user guide for all Risk Owners, available on the
Central Risk Team intranet.
Responsible: Central Risk Business Partners
When: Ad hoc

Risk Area: Risk Governance (Risk Reporting)
Description of Risk: Due to the lack of engagement between the GE members and the Central Risk Team, there is a risk that the
Group Executive (GE) is unable to fulfil its responsibility of having an understanding of the risks facing Post Office (including
new and emerging risks), which may result in failure to achieve strategic objectives, lead to reputational damage, regulatory
breach, financial loss and/or customer impact.
Minimum Control Standard: Detective control: An Intermediate GE Risk Dashboard is provided on an agreed cycle with the Central
Risk Business Partners. The GE Risk Dashboard provides an overview of the enterprise and intermediate risks, their risk
appetite position (whether outside or inside appetite) and agreement of key risks (with the GE member), which may be included
within the RCC/ARC report.
Responsible: Central Risk Business Partners
When: Bi-monthly

Risk Area: Risk Governance (Risk Reporting)
Description of Risk: Due to capacity and resourcing within the Central Risk Team, there is a risk that the RCC, ARC and Board are
unable to fulfil their responsibilities of providing oversight, challenge and approval of the direction of risks facing Post
Office (including new and emerging risks), which may result in failure to achieve strategic objectives, lead to reputational
damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Detective control: The Head of Risk produces and submits to RCC and ARC a Risk Update showing the latest
position of the group's key enterprise and key intermediate risks (including new and emerging risks), as reflected in the
corporate GRC tool.
Responsible: Head of Risk
When: Bi-monthly

Risk Area: Risk Strategy (Risk Appetite)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that Post Office 1st line do not refer to the Post Office Risk Appetite, where approved, when completing their risk assessments,
which may result in failure to achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss
and/or customer impact.
Minimum Control Standard: Preventative control: Risk appetite is assessed by the Post Office Risk Owners against a 5-tiered scale
(open, flexible, neutral, cautious and averse), as reflected in the Post Office Risk Appetite Statements.
Responsible: Risk Owners
When: Ad hoc

Risk Area: Risk Strategy (Risk Appetite)
Description of Risk: Due to capacity and resourcing within the Central Risk Team, there is a risk that the Risk Appetite statements
are not periodically reviewed and approved by ARC, which may result in failure to achieve strategic objectives, lead to
reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Detective control: The Group Executive review the Risk Appetite Statements, supported by Central Risk.
Risk Appetite Statements are approved by ARC.
Responsible: Group Executive / Central Risk / Board/ARC
When: Bi-annually, or when changes to strategic objectives require it

Risk Area: Risk Strategy (Risk Appetite)
Description of Risk: Because the risk management knowledge and culture are not consistent across the business, there is a risk
that the risks outside Appetite are not periodically monitored by the GE, which may result in failure to achieve strategic
objectives, lead to reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Detective control: The Group Executive and Business Units monitor, within the GRC tool, risks outside
the approved Risk Appetite Statements that apply to the Post Office Group. Areas of non-compliance are escalated by Central
Risk to the Group Executive and Board/ARC.
Responsible: Group Executive and Business Units / Central Risk
When: Ad hoc

Risk Area: Risk Strategy (Policy Exceptions)
Description of Risk: Due to failure of the business to identify and mitigate risk at an early stage, there is a risk that the
business departs from an approved Policy, which may result in Post Office failing to achieve its strategic objectives and lead
to reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Preventative control: [opening of the control text is not legible in the source; the approvers named
include the GE Policy Owner]. Once approved, a copy of the Policy Exception Note (PEN) and the approval emails are attached to
the risk record by the risk owner (risk lead/risk champion) in ServiceNow GRC.
Responsible: Risk Owners
When: Ad hoc

Risk Area: Risk Strategy (Policy Exceptions)
Description of Risk: Because the knowledge and culture of the policy exception process are not consistent across the business,
there is a risk that Post Office Policy Exceptions are not reviewed, updated and managed to closure, which may result in failure
to achieve strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Preventative control: The Post Office Risk Owner is responsible for ensuring that the mitigation actions
for the policy exception are achieved within the agreed timeline. This is done for the duration of the open policy exception
and evidenced in the activity journal or mitigation plan within the corporate GRC tool.
Responsible: Risk Owner
When: Ad hoc

Risk Area: Risk Strategy (Policy Exceptions)
Description of Risk: Due to capacity and resourcing within the Central Risk Team, there is a risk that the GE is unable to fulfil
its responsibility of having visibility of the open Post Office Policy Exceptions, which may result in failure to achieve
strategic objectives, lead to reputational damage, regulatory breach, financial loss and/or customer impact.
Minimum Control Standard: Central Risk Business Partners report on all Policy Exception Notes to the GE, RCC and ARC, as reflected
in the "GE Risk Dashboard".
Responsible: Central Risk Business Partners
When: Bi-monthly


6. Where to go for help
6.1. Additional Policies

This Policy is one of a set of policies. The full set of policies can be found on the SharePoint Hub under
Policies.

6.2. How to raise a concern

Any Post Office employee who suspects that there is a breach of this Policy should report this without
undue delay. Staff may:

. Discuss the matter fully with their Line Manager; or,
. Discuss the matter with a senior member of the HR Team; or,
. Go direct to the Whistleblowing Manager (contact details not reproduced in the source); or,
. Contact the "Speak Up" line, a confidential reporting service run by an independent company,
Convercent (telephone number and secure online portal address not reproduced in the source).

6.3. Who to contact for more information?
If you need further information about this policy or wish to report an issue in relation to this policy, please
contact the Director of Internal Audit and Risk Management.


7. Governance

7.1. Governance Responsibilities
The Policy sponsor takes responsibility at GE level for policies covering their areas.

The Policy Owner is the Director of Internal Audit and Risk Management, who is responsible for ensuring
that the content is up to date and is capable of being executed. As part of the review process, they need
to ensure that the minimum controls articulated in the policy are working, or to identify any gaps and
provide an action plan for remediation.

Additionally, the Director of Internal Audit and Risk Management and the Central Risk team are
responsible for providing appropriate and timely reporting to the Risk and Compliance Committee and
the Audit, Risk & Compliance Committee as required.

The Audit, Risk & Compliance Committee are responsible for approving the Policy and overseeing
compliance.

7.2. Tools

ServiceNow GRC (Advanced Risk Management & Policy and Compliance modules).

GRC provides Post Office with a structured approach to managing governance, enterprise risk management
and regulatory compliance in support of its overall strategic objectives:

. Governance and Compliance: This ensures the Post Office's governance framework, including
policies, laws and regulations, and best practices, is held in one place in one system and mapped to
associated controls. It provides for the identification of relevant business, risk and IT owners (and
systems).

. Risk Management: This identifies and manages existing risks in a single place, collects
information about emerging risks, and records the accuracy of the associated controls.

. Real-time monitoring: This identifies non-compliant controls and monitors high-risk areas.

. Vendor Assessment: This assesses vendor risk and provides the ability to manage and assess
vendors in a consolidated manner.

. Reporting: GRC supports the Post Office in providing both qualitative and quantitative assessment
scores, informed by service performance data, allowing us to more accurately gauge our risk
exposure in real time.

7.3. Definitions

Appetite: This is the level of risk that the Group is prepared to accept or pursue before action is
deemed necessary to reduce it.

Control: This is any action taken to reduce the likelihood and/or magnitude of a risk.

Policy Exception: There are on occasion exceptional situations where Post Office may need to operate
outside of policy. In these circumstances the business can choose to accept this risk and formally
request a policy exception.

Governance: This is the system by which organisations are directed and controlled. It defines
accountabilities, relationships and responsibilities in the organisation, determines the rules and
procedures, and monitors performance.

Impact: This is the estimated result, including financial, operational and reputational, that would be
realised if a risk event were to occur.

Likelihood: This is the evaluation or judgement regarding the chances of the risk materialising.
Likelihood is also called 'probability' or 'frequency'.

Risk: Risk is defined as the effect of uncertainty on the Post Office achieving its strategic objectives.
That effect may be positive, negative or a deviation from the expected. Risks are described in terms of
causes, potential events and their consequences.

Risk Management: This is the co-ordinated activities designed and operated to manage risk and
exercise internal control within an organisation.

8. Document Control

8.1. Document Control Record

SUMMARY
GE Policy Sponsor: Al Cameron (CFO)
Standard Owner: Johann Appel (Director of Internal Audit and Risk Management)
Standard Implementer: Central Risk
Standard Approver: ARC/Board

Version: 1.5
Review Period: Annual
Policy effective date: 1/2024
Policy location: Group Policy SharePoint Hub; Central Risk Intranet site

REVISION HISTORY
Version | Date | Changes | Updated by
1.0 | 11/2019 | Reviewed and refreshed to reflect new Group Head of Risk position and ensure Business hold accountabilities for identification and management of their risks | Jenny Ellwood
1.1 | 11/2020 | Annual Review and minor amends | Mark Baldock
1.2 | 11/2021 | Annual Review and minor amends (incorporation into new Policy template) | Mark Baldock
1.3 | 3/2022 | Incorporation of revised HARM table (Section 7.5) | Mark Baldock
1.4 | 10/2022 | Annual Review and amends | Roberta Zavaglia, Audrey Cahill
1.5 | 10/2023 | Annual Review and amends | Roberta Zavaglia, Audrey Cahill

8.2. Oversight Committee

Committee Date Approved
POL R&CC 10/11/23
POL ARC 27/11/23
Board 30/01/23

Next Policy Annual Review Date: RCC & ARC (November 2024), Board (November 2024)

8.3. Company Details

Post Office Limited and Post Office Management Services Limited are registered in England and Wales. Registered numbers 2154540 and 08459718
respectively. Registered Office: Finsbury Dials, 20 Finsbury Street, London EC2Y 9AQ.

Post Office Management Services Limited is authorised and regulated by the Financial Conduct Authority (FCA), FRN 630318. Its Information
Commissioner's Office registration number is ZA090585.

Post Office Limited is authorised and regulated by Her Majesty's Revenue and Customs (HMRC), REF 12137104. Its Information Commissioner's
Office registration number is Z4866081.

Payzone Bill Payment Limited is a limited company registered in England and Wales under company number 11310918. VAT registration number
GB 172 6705 02. Registered office: Finsbury Dials, 20 Finsbury Street, London, England EC2Y 9AQ.


8.4. Appendix A: Risk Appetite scale

Columns in the source table: Appetite rating | Impact/Likelihood Rating | Risk taking philosophy | Tolerance for
Uncertainty [15] | Decision choice [16] | Prioritisation of Strategic Objective [17]. The values of the Impact/Likelihood
Rating column are not legible in the source and are omitted below.

Open
. Risk taking philosophy: Will take risks and accept the possibility of failure
. Tolerance for uncertainty: Will accept the possibility of failure
. Decision choice: Will choose the option with the highest return
. Prioritisation of strategic objective: Will accept risks could materialise and the achievement of (some) strategic
objectives could be compromised

Flexible
. Risk taking philosophy: (not legible in the source)
. Tolerance for uncertainty: Will accept risks materialising subject to being able to proactively manage their adverse
impact
. Decision choice: Will choose the option which has some degree of risk
. Prioritisation of strategic objective: Will accept (under certain conditions) risks could materialise and the
achievement of (some) strategic objectives could be compromised

Neutral
. Risk taking philosophy: Prefers, on balance, safe delivery to risk taking
. Tolerance for uncertainty: Will accept, on balance, risks could materialise
. Decision choice: Will accept risks materialising but only if adverse impact is limited and heavily [remainder not
legible in the source]
. Prioritisation of strategic objective: Would prefer ideally not to accept risks materialising if this meant the
achievement of (some) strategic objectives could be compromised

Cautious
. Risk taking philosophy: Will take a conservative approach to risks
. Tolerance for uncertainty: Will accept some risks could materialise
. Decision choice: Will accept risks materialising but only if the activity is essential and the possibility and extent
of failure is limited
. Prioritisation of strategic objective: Would be somewhat reluctant to accept risks materialising if this meant the
achievement of (some) strategic objectives would be compromised

Averse
. Risk taking philosophy: Will avoid nearly all risks where at all possible
. Tolerance for uncertainty: Has an extremely low appetite for any risks to materialise
. Decision choice: Will always select the option with the lowest risk
. Prioritisation of strategic objective: Would be extremely reluctant to accept risks materialising if (some) strategic
objectives would be compromised

[15] Tolerance for uncertainty: How willing is Post Office to accept uncertain outcomes? This illustrates the Board's
appetite to trade off certainty to achieve a given objective. A low rating demonstrates the Board's need for certain
outcomes, while a high rating shows the Board will pursue an objective even with an uncertain outcome.

[16] Decision choice: When faced with multiple decision options, how willing is Post Office to select a decision that puts
a strategic objective at risk? This question assesses the Board's acceptance that a given choice may lead to failure to
meet a strategic objective. A Board who are averse will only choose options that pose a minimal threat to the strategic
objective's achievement. A Board open to this risk are willing to trade off the possibility of failure for a high-risk,
high-reward decision.

[17] Prioritisation of strategic objective: How willing is Post Office to trade off this specific objective against
achievement of other objectives? This demonstrates the Board's willingness to pursue achievement of a given strategic
objective over achievement of another. A Board who are averse to this would never trade off completing the objective in
question for failure of other objectives. A Board which is open would be willing to accept this trade-off.


8.5. Appendix B: HARM table
i) IMPACT SCALE
SCORE RATING

‘STRATEGIC/FINANCIAL IMPACT ON
POST OFFICE GROUP

Post Office unable to achieve one/or more
ofits strategic objectives

Critical weakening of Post Office
Ease ceionaiiny vias

CRITICAL
(VERY HIGH)

Impact to Revenue 265

OPERATIONAL IMPACT ON POST OFFICE
‘GROUP.

Post Office capacity to respond exceeded
Immediate Board/GE involvement required
Critical lack of people resources availability
and/or skills

Projected => 5 days total joss of front
office/back office corporate IT service
Projected =>10% reduction in
‘approved number of Branch locations
Projected =>20% reduction in profiled
levels of Branch footfall & transactions

REPUTATION/LEGAL IMPACT ON POST
OFFICE GROUP

Protracted negative references in
Parliament, national publications, social
media and websites
Post Office's product(s) and/or service(s)
quality is compromised across th
digital/physical market(s) and in all UK

Post Office activity attracts critical levels
of fines and prosecutions and/or or
multiple litigations and/or regulatory
censui

Critical long-term damage to Post Office
Brand

IMPACT ON OUR POSTMASTERS &
STRATEGIC PARTNERS

Critical weakening in relationship between
Post Office and Postmasters

Critical weakening of Postmaster
community's commercial profitability and
ability to grow

Projected

10% reduction in
remuneration or increase in costs impacting
=>50% of Network

Network service disruption of key branch
locations =>5 days and/or impacting
=>50% of Network

POL00447853
POL00447853

IMPACT ON OUR CUSTOMERS.

rojected (>30%) increase, over
agreed baseline, in number of customer
complaints received over quality of
products and/or services

Projected [<89%] customer
satisfaction score secured over quality of
products and/or services

Projected [>4m] of online customer
sessions impacted by not being able to
access our digital platform,

Major impact on Post Office ability to

achieve one/or more of its strategic

objectives

Major (but not critical) impact on Post

Office commercial profitability and/or

ability to grow

Impact to Revenue between £2M and
om

Post Office experience major adverse
impact throughout organisation

GE proactive involvement required

‘Major lack of people resources availability
and/or skills

Projected 3-4 days total loss of front
office/back office corporate IT

Projected 5-9% reduction in approved
‘number of Branch locations.

Projected 15-19% reduction in profiled
levels of Branch footfall & transactions

‘Sporadic negative references in national
Publications, social media and external
websites

Post Office's product(s) and/or service(s)
quality is compromised across th
digital/physical market(s) and in majority
(but not all) UK regions

Post Office activity attracts major levels of
fines and prosecutions and/or or multiple
litigations and/or regulatory censure
Major medium to long-term damage to
Post Office Brand

Major weakening in relationship between
Post Office and Postmasters

Major weakening of Postmaster
‘community's commercial profitability and
ability to grow

Projected =>5% reduction in
remuneration or increase in costs impacting
'=>50% of Network OR Projected
=510% reduction in remuneration or
Increase in costs impacting =>25% of
network

Network service disruption of key branch
locations between 3-4 days and/or
impacting between 25%- 49% of Network

Projected (21-30%) increase, over
agreed baseline, in the number of
customer complaints received over
quality of products and/or services
Projected [90-93%] customer
satisfaction score secured over quality of
products and/or services

Projected (600k-1m) of online
customers impacted by not being able to
‘access our digital platforms

SIGNIFICANT (rating label not captured in this extract)

- Significant impact on Post Office ability to achieve one or more of its strategic objectives
- Significant (but not major) impact on Post Office commercial profitability and/or ability to grow
- Impact to Revenue between £1M and £1.9M
- Post Office experiences significant adverse impact in multiple (but not all) parts of the organisation
- Substantial specific business/departmental management intervention required
- Significant lack of people resources availability and/or skills
- Projected 1-2 days total loss of front office/back office corporate IT service
- Projected 3-4% reduction in approved number of Branch locations
- Projected 11-14% reduction in profiled levels of Branch footfall & transactions
- Negative references in regional publications, social media and external websites
- Post Office's product(s) and/or service(s) is compromised but relatively restricted across the digital/physical market(s) and/or isolated to a particular UK region
- Post Office activities result in breach of regulation which requires internal investigation and/or regulatory disclosure
- Significant medium to long-term damage to Post Office Group's Brand
- Significant weakening in the relationship between Post Office and Postmasters
- Significant weakening of Postmaster community's commercial profitability and ability to grow
- Projected >=5% reduction in remuneration or increase in costs impacting >=25% of Network, OR projected >=10% reduction in remuneration or increase in costs impacting 15%-24% of Network
- Network service disruption of key branch locations between 1-2 days and/or impacting between 15%-25% of Network
- Projected 11-20% increase, over agreed baseline, in the number of customer complaints received over quality of products and/or services
- Projected 94-96% customer satisfaction score secured over quality of products and/or services
- Projected 200k-600k online customers impacted by not being able to access our digital platforms

MODERATE (Low)

- Moderate impact on Post Office Group's ability to achieve one or more of its strategic objectives
- Moderate (but not minor) impact on Post Office commercial profitability and/or ability to grow
- Impact to Revenue between £500k and £999k
- Post Office experiences material adverse impact in a single area of the organisation
- Departmental management intervention required
- Moderate lack of people resources availability and/or skills
- Projected 1-day total loss of front office/back office corporate IT service
- Projected 1-2% reduction in approved number of Branch locations
- Projected 6-10% reduction in profiled levels of Branch footfall & transactions
- Negative references in local publications
- Post Office's product(s) and/or service(s) is compromised but not yet available across the digital and/or physical market(s)
- Post Office activities result in moderate legal issue and relatively immaterial non-compliance and/or regulatory breach which is relatively easily resolved internally
- Moderate weakening in relationship between Post Office and Postmasters
- Moderate weakening of Postmaster community's commercial profitability and ability to grow
- Projected >=5% reduction in remuneration or increase in costs impacting 6%-9% of Network
- Network service disruption of key branch locations <=1 day and/or impacting between 10%-14% of Network
- Projected 5-10% increase, over agreed baseline, in the number of customer complaints received over quality of products and/or services
- Projected 97-98% customer satisfaction score secured over quality of products and/or services
- Projected 100-200k online customers impacted by not being able to access our digital platforms

IMPACT: THE IMPACT OF THE RISK MATERIALISING COULD BE ONE (OR MORE) OF THE FOLLOWING

LOWEST LEVEL: INSIGNIFICANT/MINOR (rating label not captured in this extract)

- Little impact on Post Office ability to achieve one or more of its strategic objectives
- Insignificant impact on Post Office commercial profitability and/or ability to grow
- Impact to Revenue <£500k
- Post Office experiences no measurable adverse impact to the business
- Local management/staff manage the problem without escalation
- Minor lack of people resources availability and/or skills
- Projected <1 day total loss of front office/back office corporate IT service
- Projected <1% reduction in approved number of Branch locations
- Projected 1-5% reduction in profiled levels of Branch footfall & transactions
- Little media coverage
- No issue with the quality of Post Office's product(s) and/or service(s)
- Post Office activities result in low-level legal issue which is easily resolved internally
- Insignificant weakening in the relationship between Post Office and Postmasters
- Insignificant weakening of Postmaster community's commercial profitability and ability to grow
- Projected >=5% reduction in remuneration or increase in costs impacting <=5% of Network
- Network service disruption of key branch locations <=1 day and/or impacting between 5%-9% of Network
- Projected <5% increase, over agreed baseline, in the number of customer complaints received over quality of products and/or services
- Projected >=99% customer satisfaction score secured over quality of products and/or services
- Projected <100k online customers impacted by not being able to access our digital platforms


ii) LIKELIHOOD SCALE

LIKELIHOOD: THE LIKELIHOOD OF RISK MATERIALISING

INTERNAL RATING          | DESCRIPTION
-------------------------|-----------------------------------------------------------------------------------------------
ALMOST CERTAIN/VERY HIGH | Risk almost certain to materialise unless action taken. Risk could be expected to materialise.
LIKELY/HIGH              | Risk likely to materialise frequently if events follow normal patterns and mitigating action is not taken. Risk could be expected to materialise.
POSSIBLE/MODERATE        | Risk unlikely to materialise but it is possible. Risk could be expected to materialise infrequently/irregularly/sporadically.
UNLIKELY/LOW             | Risk very unlikely to materialise. Risk could materialise intermittently.
RARE/VERY LOW            | A remote likelihood that risk would materialise. Almost inconceivable that risk would occur.
