POL00447891
Post Office Limited - Document Classification: INTERNAL
ServiceNow
Risk Management User Guide
20240510 SNOW Risk Management User Guide_v1.0
1 RISK MANAGEMENT OVERVIEW
1.1 ENTITIES
1.2 UPSTREAM AND DOWNSTREAM RISKS
1.3 RISK STATEMENTS
1.4 RISK OWNER
1.5 RISK DESCRIPTION
1.6 POST OFFICE HARM TABLE
1.7 CONTROL ASSESSMENT SCORE
1.8 RISK RESPONSE TYPE
2 HOW TO USE GRC SNOW
2.1 REQUEST ACCESS TO GRC SNOW
2.2 LOGIN INTO SNOW
2.3 DEFAULT HOMEPAGE
2.4 CREATE A NEW RISK
2.4.1 How to create a risk
2.4.2 Complete a risk record
2.4.3 Risk Appetite
2.5 LOCATE RISKS
2.6 ASSESS A RISK
2.6.1 Notifications
2.6.2 Initiate a risk assessment
2.6.3 Start risk assessment process
2.6.4 Inherent Assessment
2.6.5 Control Assessment
2.6.6 Residual Assessment
2.6.7 Risk Response
2.7 COMPLETE A RISK RESPONSE TASK
2.7.1 Risk Mitigation Task
2.7.2 Risk Acceptance Task
2.7.3 Risk Avoidance Task
2.7.4 Risk Transfer Task
2.7.5 Activity Journal
2.8 RETIRE / CLOSE A RISK
1 RISK MANAGEMENT OVERVIEW
1.1 ENTITIES
* Post Office has a three-level risk hierarchy: Enterprise Risks (the Post Office's key business risks), Intermediate Risks (sub-categories of an enterprise risk, to which they are linked) and Local Risks (sub-categories of intermediate risks, to which they are linked).
* Entities in ServiceNow (SNOW) mirror the Post Office three-level risk hierarchy. The Entity field is visible in the Risk record (refer to paragraph 2.4.2 for details on how to complete a risk record).
Post Office Entity
* Post Office Entity refers to Enterprise Risks. These risks are Post Office wide and so are of corporate
importance. Each enterprise risk is owned by a relevant GE member. It is unlikely that Risk Users will need
to select this Entity. Central Risk provide an update on the management of these enterprise risks at each
RCC and ARC.
Group Level Entity
* Entities whose name contains 'Group' refer to Intermediate Risks. They are often the key risks faced by individual business areas and are often owned by a GE/GE-1 member. Select these Entities only if the risk is relevant at GE/GE-1 member level (e.g. Group Commercial, Group Information, Group Finance etc.).
All other Entities
* All other Entities are related to Local Risks (Department level). They are often more specific, local risks faced by individual departments and are often owned by Department heads. Select these Entities only if the risk is relevant at Department level.
* If you are an Entity owner, you can see the entities you own under your GE Dashboard.
[Screenshot: GE Dashboard - Group Information, with Management Summary, Risk Details and Controls tabs, listing the owned entities by Name, Class (Department/Business Unit), Owned by, Inherent score and Control effectiveness score]
1.2 UPSTREAM AND DOWNSTREAM RISKS
* The risk hierarchy is managed by the Central Risk Team, linking Local risks to their related Intermediate risks and then to the related Enterprise risk, within the same Entity only. In SNOW this is done by linking your risk to Upstream and Downstream risks, depending on the risk level (e.g. if you have an intermediate risk, its upstream risk will be an Enterprise risk and its downstream risk a Local risk).
* If you wish to change the risk hierarchy by adding/removing Upstream or Downstream risks, contact your Central Risk Business Partner (RBP) by ServiceNow chatbox message/email.
1.3 RISK STATEMENTS
* Risk Statements in SNOW are the Risk categories. Risk Statements can only be assigned by the Central Risk Team.
* Each risk needs to be associated with a Risk Statement. There are more than 55 Risk Statements 2 (sub-categories) across the 14 Risk Statements 1 (main categories):
1 Strategy
2 Governance
3 Operational
4 Legal
5 Health & Safety
6 Financial
7 Commercial
8 People
9 Technology
10 Information
11 Security
12 Change
13 Reputational
14 Marketplace & Brands
* Risks should be classified against the Event, not the Cause or the Impact.
* ServiceNow risk management has enabled the Central Risk Team to view risks not only by Group Entity (the verticals) but also across risk functions (technology, security, information), to address risk domains.
1.4 RISK OWNER
* ISO Guide 73 defines a risk owner as a 'person with authority and accountability to make the decision to treat, or not to treat a risk'.
* Under the "first line of defence", management have primary ownership, responsibility and accountability for identifying, assessing and managing risks. The first line 'own' the risks and are responsible for execution of the organisation's response to those risks through executing internal controls on a day-to-day basis and for implementing corrective actions to address deficiencies.
1.5 RISK DESCRIPTION
* Risks must be expressed in terms of their cause(s), the risk event itself, and their impact:
  o Cause: A cause is an element which alone or in combination with other causes has the potential to give rise to the risk.
  o Event: An event is an articulation of the potential adverse or beneficial circumstances that could result from the cause, in effect the risk itself.
  o Consequences/Impact: Consequences are the outcome of a risk event materialising. Outcomes can be positive or negative.
* A good example of a risk description is as follows:
  Cause: Because of the lack of engagement, approach and transparency with the CWU members,
  Event: there is a risk the Post Office experiences prolonged industrial action which adversely impacts its ability to deliver its short, medium or long-term strategic objectives,
  Impact: resulting in loss of revenue, client/customer detriment and reputational damage.
1.6 POST OFFICE HARM TABLE
* A risk is assessed on both the likelihood of it occurring and the impact if it were to occur.
* The Post Office corporate HARM table (see table below) describes the likelihood/impact scales which must be applied, as follows:
  o The likelihood score (between 1 and 5) indicates how probable it is that your risk is going to occur.
  o The expected impact score (between 1 and 5) is the impact of your risk in any relevant impact category (i.e. Strategic/Financial, Operational, Reputational/Legal, Postmasters and Customers). The highest number (between 1 and 5) out of all the categories is the impact score for your risk, and the category in which this occurs is the 'leading risk impact'.
  o Impact and likelihood are multiplied together to give the risk score (a minimum of 1 and a maximum of 25).
[HARM table image. IMPACT: THE IMPACT OF THE RISK MATERIALISING COULD BE ONE (OR MORE) OF THE FOLLOWING, scored 1 to 5 in each impact category (Strategic/Financial, Operational, Reputational/Legal, Postmasters and Customers).]
LIKELIHOOD: THE LIKELIHOOD OF RISK
ALMOST CERTAIN/VERY HIGH
* Risk almost certain to materialise unless action taken
* Risk could be expected to materialise
LIKELY/HIGH
* Risk likely to materialise frequently if events follow normal patterns and mitigating action is not taken
* Risk could be expected to materialise
POSSIBLE/MODERATE
* Risk unlikely to materialise but it is possible
* Risk could be expected to materialise infrequently/irregularly/sporadically
UNLIKELY/LOW
* Risk very unlikely to materialise
* Risk could materialise intermittently
RARE/VERY LOW
* A remote likelihood that risk would materialise
* Almost inconceivable that risk would occur
* Each active risk has two ratings, namely:
  o Inherent: the level of risk before any control activities are applied.
  o Residual: the latest level of risk considering the effectiveness of the controls currently in place.
* The residual score cannot be higher than (and will almost certainly be lower than) the inherent score. It may be equal to the inherent score on a new risk with no controls or remediation activity in place, but you would expect to see the residual score gradually reduce over time as the risk is managed.
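The HARM table rules above (highest category score becomes the impact score and names the leading risk impact, likelihood times impact gives the 1 to 25 risk score, and the residual score may never exceed the inherent score) worked through in code. This is an added example, not code from the Post Office guide or from ServiceNow; it assumes that a category left unscored is simply not applicable and that, on a tie, the first category in HARM table order is reported as the leading impact.

```python
"""HARM-table risk scoring and inherent/residual sanity check (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Impact categories named in section 1.6, in HARM table order.
IMPACT_CATEGORIES = (
    "Strategic/Financial",
    "Operational",
    "Reputational/Legal",
    "Postmasters and Customers",
)

MIN_SCORE, MAX_SCORE = 1, 25  # likelihood 1..5 times impact 1..5


def _scale(name: str, value: int) -> int:
    """Reject anything outside the 1 to 5 HARM scale."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer between 1 and 5, got {value!r}")
    return value


@dataclass(frozen=True)
class Assessment:
    """One likelihood rating plus an impact rating per relevant category."""

    likelihood: int
    impacts: Dict[str, int]  # category -> 1..5; unscored categories are not applicable (assumption)

    def __post_init__(self) -> None:
        _scale("likelihood", self.likelihood)
        if not self.impacts:
            raise ValueError("at least one impact category must be scored")
        for category, value in self.impacts.items():
            if category not in IMPACT_CATEGORIES:
                raise ValueError(f"unknown impact category {category!r}")
            _scale(f"impact[{category}]", value)

    @property
    def impact(self) -> int:
        # The highest score across all scored categories is the risk's impact score.
        return max(self.impacts.values())

    @property
    def leading_impact(self) -> str:
        # The category in which the highest score occurs (first in table order on a tie).
        for category in IMPACT_CATEGORIES:
            if self.impacts.get(category) == self.impact:
                return category
        raise AssertionError("unreachable: the impact score always comes from a scored category")

    @property
    def score(self) -> int:
        # Impact and likelihood are multiplied together, giving 1..25.
        score = self.likelihood * self.impact
        assert MIN_SCORE <= score <= MAX_SCORE
        return score


def check_ratings(inherent: Assessment, residual: Assessment) -> List[str]:
    """Return the rule violations between a risk's two active ratings.

    Section 1.6: the residual score cannot be higher than the inherent score.
    Equality is allowed (a new risk with no controls in place) and is not reported.
    """
    problems: List[str] = []
    if residual.score > inherent.score:
        problems.append(
            f"residual score {residual.score} exceeds inherent score {inherent.score}"
        )
    return problems


def risk_summary(inherent: Assessment, residual: Assessment) -> Dict[str, object]:
    """Summarise both ratings the way a risk record presents them."""
    return {
        "inherent_score": inherent.score,
        "inherent_leading_impact": inherent.leading_impact,
        "residual_score": residual.score,
        "residual_leading_impact": residual.leading_impact,
        "problems": check_ratings(inherent, residual),
    }


if __name__ == "__main__":
    # Constructed sample: likelihood 4, worst impact 4 in Operational -> inherent 16;
    # after controls, likelihood 3 and worst impact 3 (Postmasters and Customers) -> residual 9.
    inh = Assessment(4, {"Strategic/Financial": 3, "Operational": 4, "Reputational/Legal": 4})
    res = Assessment(3, {"Operational": 2, "Postmasters and Customers": 3})
    print(risk_summary(inh, res))
```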
1.7 CONTROL ASSESSMENT SCORE
* A control is any action taken to reduce the likelihood and/or magnitude of a risk.
* You can use the following guidance when assessing your controls:
  Control Effectiveness / Performance
  Effective: The control(s) significantly reduces the risk, bringing the residual risk within appetite
  Partially Effective: The control(s) has some impact on reducing the risk
  Ineffective: The control(s) does not adequately address the risk
1.8 RISK RESPONSE TYPE
* You have four options for responding to a risk, identified as the 4Ts: Accept (Tolerate), Mitigate (Treat), Transfer and Avoid (Terminate). A brief description of each of the 4Ts is provided below:
  Accept (Tolerate/Retain): The risk exposure may be tolerable without any further action being taken. The ability to do anything about some risks may be limited, or the costs of taking any action may be disproportionate to the potential benefit gained.
  Mitigate (Treat/Control/Reduce): By far the greater number of risks will be addressed in this way. The purpose of treatment is that, whilst continuing within Post Office with the activity giving rise to the risk, a mitigation plan is put in place to constrain the risk within appetite.
  Transfer: Transferring a risk by means of an insurance policy (e.g. a cyber risk might be transferred because we have an insurance policy).
  Avoid (Terminate/Eliminate): Some risks will only be treatable or containable to acceptable levels by terminating the activity. In these circumstances, appropriate responses will be elimination of the risk by stopping the process or activity, substituting an alternative process or outsourcing the activity that is associated with the risk (e.g. you can decide to ban the usage of laptops outside of the company premises if the risk of unauthorised access to those laptops is too high, because, e.g., such hacks could halt the complete IT infrastructure you are using).
2 HOW TO USE GRC SNOW
2.1 REQUEST ACCESS TO GRC SNOW
* If you require access to SNOW, you should fill in a "Request access to GRC" form from the SNOW Colleague Portal: Service Catalog - Colleague Portal (service-now.com)
* Contact your RBP if you have any issues or questions.
[Screenshot: 'Request access to GRC' form with the fields Requested for, First name, Last name and 'Which area of GRC do you require access to?' (options: None, Control, Vendor Risk Management, Risk)]
* Select 'Risk' under 'Which area of GRC do you require access to?'
* Select your Risk Group:
  o 'Risk Owner': if you own risks but you do not own any Department or Business Unit (i.e. Entity);
  o 'Risk Entity Owner': if you are a risk owner and you own a Department or a Business Unit (i.e. Entity). You should be a GE or GE-1 member to request this Risk Group;
  o 'Central Risk Admin' and 'Central Risk User' are Risk Groups for the Central Risk Team only;
  o If you are not a risk owner but you need read-only access to SNOW, speak to your RBP and ask how you can have the 'Risk Reader' role. This role cannot be requested through the Request access to GRC form.
* Each Risk Group is associated with a Risk Role and has the following abilities:
Risk Groups and Risk Roles
Risk Owner:
  + Can create and manage risks
  + Will be assigned risks
  + Completes risk assessments
  + Owns risk response tasks
  + Can update activity journals on risks owned by other risk owners
  + Visibility of all risks within the Business Unit/departments they work in
Risk Entity Owner:
  + Inherits the Risk Owner permissions, with the addition of entity/GE dashboards
  + Reviews risks for their entities
  + Reviews the risk profile of their entity, with visibility of risk aggregation for their entity
Central Risk User:
  + Inherits Risk Owner permissions
  + Manages risk statements
  + Initiates assessments
  + Provides risk review/assurance
  + Retires risks
  + Does not manage risks
Central Risk Admin:
  + Inherits Central Risk Team permissions
  + Can create and delete risks and risk statements
  + Does not manage risks
  + Can create reports/dashboards tailored to the risk community
Risk Reader:
  + Users outside the Central Risk team
  + Read-only access to the Risk application
  + Will not be assigned risks as a Risk User
The 'Which Risk group do you require access to?' field on the Request access to GRC form describes each group as follows:
  Central Risk Admin: inherits the permissions of the Central Risk Team. They can create and delete risks and risk statements. They do not manage risks.
  Central Risk User (risk manager): inherits the permissions of risk owners and entity owners classified as risk users. Can initiate risk assessments, manage risk statements and retire risks. Oversees the corporate approach to risk management.
  Risk Entity Owner (risk user): the Entity owner will have the ability to review the risks associated with their entities using the dashboard. Will also maintain the risk profile for their entities by keeping track of overdue assessments and mitigation tasks for those risks. Can create, manage and retire their own risks.
  Risk Owner (risk user): the risk owner will create risks, be assigned risks, and complete risk assessments and risk response tasks.
* Select either 'Risk Owner' or 'Risk Entity Owner', as 'Central Risk Admin' and 'Central Risk User' are for the Central Risk Team only.
* Your access request will have to be approved by your RBP.
2.2 LOGIN INTO SNOW
* Once you have received access to SNOW, log in to the system (you will log in with your Post Office credentials).
* If you see the following screen, select "Click here for Head Office, Admin and Supply Chain colleague log in":
[Screenshot: login page with Smart ID / User name, Forgot Password?, the 'Click here for Head Office, Admin and Supply Chain colleague log in' link and the Login button]
* Enter your email and you will be logged into SNOW.
2.3 DEFAULT HOMEPAGE
* The first time you log in you should see your Homepage set as Dashboards, as per the screenshot below:
[Screenshot: Dashboards page (Recent / Owned by Me / Shared with Me / All tabs) listing dashboards such as Risk Overview, Continuous Risk Monitoring Overview, Director Dashboard and Incident Management]
  o If not, click on the Dashboard overview icon as per below and you will be redirected to the interface above.
* Select 'All' and type the Dashboard that you want to set up as a default in the Search Box:
  o "Risk Users" Dashboard: if you are a risk owner and you do not own any Department or Business Unit. This will give you visibility of the risks that you own;
  o "Entity Heads/Leads" Dashboard: if you are a risk owner and you own a Department or a Business Unit (i.e. Entity Owner), you can also select this dashboard. This will give you visibility of your Entities' risks;
  o "GE Group" Dashboard (i.e. GE Group Commercial, Finance, Information, People etc.): if you are a risk owner and you own a Department or a Business Unit (i.e. Entity Owner), select the GE Group dashboard related to your Business Unit. This will give you visibility of your Business Unit risk profile, Entity risks, outstanding risk assessments, mitigation tasks, etc.
[Screenshot: Dashboards search box returning GE Dashboard - Group Information, GE Dashboard - Group People, GE Dashboard - Group Commercial and GE Dashboard - Group Operations]
* You will be redirected to the 'Risk Users' or your selected Dashboard. When you log in to ServiceNow, and when you click on the top left corner (i.e. the HomePage icon), you should always be redirected to the 'Risk Users' Dashboard or your selected Dashboard.
2.4 CREATE A NEW RISK
2.4.1 How to create a risk
* Risks are created by risk owners directly in the Risk application. There are several ways to do this:
OPTION 1: RISK USERS DASHBOARD
* The preferred method to create a new Risk is through your Risk Users Dashboard by clicking the 'Create a new Risk' button.
[Screenshot: Risk Users dashboard with the 'Create a new Risk' button, the My Risks list (Number, Name, Entity, Category, Inherent risk, Control effectiveness, Residual risk, Risk response) and the charts My Risks by Inherent Risk Rating, My Risks by Control Effectiveness and My Risks by Residual Risk Rating]
* You will be redirected to the following page, where you can fill out and save the details of the risk (refer to paragraph 2.4.2 for details).
OPTION 2: USING THE RISK APPLICATION
* Type 'My Risks' in the Filter navigator on the top left, click on 'My Risks' under Risk Register to display a list of all risks where you are the risk owner, and click the 'New' button to create a new risk record:
[Screenshot: Filter navigator showing Risk > Risk Register > My Risks, with the risk list filtered on Owner]
2.4.2 Complete a risk record
* The following fields must be completed when you create a new risk:
  o Name (mandatory) - short description of the risk.
  o Risk Owner (mandatory) - person with authority and accountability to make the decision to treat, or not to treat, a risk (refer to paragraph 1.4 for the definition).
  o Entity (mandatory) - mirrors the Post Office three-level risk hierarchy (Post Office/Enterprise risks, Group level/Intermediate risks, Department level/Local risks) (refer to paragraph 1.1 for details).
  o Description (mandatory) - risks must be expressed in terms of their cause(s), the risk event itself, and their impact (refer to paragraph 1.5 for guidance).
  o The Owning group field is not in use.
  o Risk Statements are the Risk categories and can only be assigned by the Central Risk Team (refer to paragraph 1.3 for details).
  o Additional Information (not mandatory) can be used to add additional comments on your risk (e.g. comments on the reason why this risk has materialised, whether this is because of a change of regulation or from an incident that occurred, what policies apply, Internal Audit findings, etc.).
* Select the 'Submit' button on the top right to save the record and return to the previous screen.
[Screenshot: New record form showing Number, Active, Owning group, Category ('Inherit from risk statement') and Risk Statement fields]
* The Central Risk Team then reviews the risk and associates the risk to the appropriate risk statement, before releasing the risk assessment.
2.4.3 Risk Appetite
* There is a Risk Appetite tab under your risk record and risk assessment record showing the Risk Appetite and Tolerance levels linked to the Risk Statement of your risk (see screenshot below). POL has approved risk appetite and tolerance levels for the following areas: Technology, People, Commercial, Legal, Operational, Governance and Finance. If there is no approved risk appetite statement, the Risk Appetite tab will be empty.
* Within the same tab, you can also see the risk appetite status, if the risk has been assessed before (the field will be empty if the risk has not been assessed yet). This shows whether the risk is "inside appetite", "outside appetite" or "outside tolerance". You have to consider the risk appetite and tolerance when assessing your risk and completing the risk response (please see sections 2.6.6 and 2.6.7).
[Screenshot: Risk Appetite tab showing the Risk Appetite and Tolerance levels linked to the Risk Statement, and the Risk appetite status field]
2.5 LOCATE RISKS
* The preferred method to locate your risks is through the 'My Risks' section on your Risk Users Dashboard:
[Screenshot: My Risks list on the Risk Users dashboard with columns Number, Name, Entity and Category]
* Alternatively, you can select 'Risks' under Risk on the left panel, which shows all active risks of which you are the risk owner.
* If you own a Business Unit or Department, you can also locate your Business Area risks from your GE Dashboard by clicking on the 'All active risks' chart or the 'Risk Details' tab.
[Screenshot: GE Dashboard - Group Information with Management Summary, Risk Details and Controls tabs and the charts 'Active risks - Group Information', 'Active risks by risk rating - Group Information' and 'Active risks by category - Group Information']
2.6 ASSESS A RISK
2.6.1 Notifications
* You will receive a notification at important points in the life cycle of the risk assessment:
  o When the risk assessment has been initiated. You will receive an email with a link to the assessment, asking you to perform a risk assessment before the due date.
  o When the risk assessment has been re-assigned to you from the risk owner.
  o When the risk assessment is due.
  o When the risk assessment is overdue (the Due date has passed).
  o When a risk response task is assigned to you.
  o When a risk mitigation is overdue.
2.6.2 Initiate a risk assessment
* You as a Risk Owner cannot initiate an assessment.
* All risks in a 'Mitigate' state will be released for assessment by the Central Risk Team, driven by the dates aligned to RCC. The SNOW Risk Assessment Schedule (including risk assessment release dates and due dates for risk assessments to be completed) can be found on the Central Risk Team intranet page Governance, Risk & Compliance Tool (sharepoint.com).
* All risks in an 'Accept' state will be automatically released for assessment by the system on the 'acceptance due date' (refer to paragraph 2.7.2 Risk Acceptance Task for more details).
* You can make ad hoc requests for risks that require assessments. In this case, ask your RBP or Central Risk to initiate an assessment via risk chat or email:
  o If the risk in a Mitigate state has increased or decreased and you would urgently like to reflect this within the risk before the risk assessment release dates;
  o If you need to change a risk score before the acceptance due date;
  o If you have a new risk that has not been initiated;
  o If you wish to retire a risk (refer to paragraph 2.8).
* If you do not wish to change the scores before the risk assessment release dates, you can add detail to the activity journal as a note for when you do assess the risk.
2.6.3 Start risk assessment process
You should have received an email asking you to perform risk assessment, containing the link to the risk
assessment to be performed:
[Notification email as shown in the guide:]
You have been assigned a risk assessment for Risk: Risk owners overstate mitigation (RK0020482). Please select 'Assess' to start the risk assessment process and then perform Inherent/Control/Residual Assessment. Select 'Respond' and 'Mark as complete' to move to the next stage.
Please update this risk assessment by the due date: 15/06/2022 10:23:03.
The risk assessment can be accessed by the following:
Refer to user guides for further guidance or reach out to your Risk Business Partner.
Thanks,
Central Risk Team
Log into ServiceNow, load your Risk User dashboard and locate your risk assessments in “My Risk
Assessments (Ready to Assess)” list in the middle of your dashboard. Working through one by one, click on
the RASMT number (not the words).
[Screenshot: 'My Risk Assessments (Ready to Assess)' list with columns Risk, Assessable entity and Due date]
* Click 'Assess' to start the risk assessment process and move to the inherent risk assessment. Always follow the green buttons at the top right hand of the page, as these will move you through each stage of the risk assessment process.
[Screenshot: risk assessment record with the green 'Assess' button, 'Computed values when overridden' and 'Assessor and Approver' sections]
* If the risk was previously assessed, you will be asked if you want to bring forward the previous assessment. The preferred choice is 'Yes'.
[Screenshot: Confirmation dialog 'Do you want to copy the previous risk assessment results?' with No/Yes buttons]
* You can click 'Reassign' in the title bar to reassign the assessment to another member of your team in exceptional circumstances (e.g. long-term sickness).
2.6.4 Inherent Assessment
* The 1st stage of the risk assessment process is the 'Inherent Assessment'.
* The Inherent score is the level of risk before any control activities are applied.
* The Inherent score is determined when you assign likelihood and impact ratings (between 1 and 5) to the risk. The Post Office corporate HARM table describes the impact/likelihood scales which must be applied, and it can be viewed by clicking Open from the Guidance next to Impact/Likelihood (refer to paragraph 1.6 for details).
[Screenshot: Inherent Assessment tab (alongside Assessment Summary, Control Assessment, Residual Assessment, Risk Response and Activity Journal tabs) with Factor (Impact, Likelihood), Response, Qualitative Weight and Qualitative Score columns and a Guidance 'Open' link for each factor]
* For existing risks, the inherent score should not be amended unless something material about the nature of the risk has changed. Ensure that the inherent score is either the same as or higher than the residual score (not lower). For new risks with no controls or remediation activity in place, the inherent score may be equal to the residual score. If you make any changes to the inherent score, add your rationale in the comments box.
[Screenshot: Inherent Assessment factors with responses Likelihood = Possible - 3 and Impact = Moderate - 2, each at 100% Qualitative Weight, and a Comments column]
* Click 'Save and calculate' at the top right hand of the page to calculate the risk score.
* Click 'Perform control assessment'.
2.6.5 Control Assessment
* The 2nd stage of the risk assessment process is the 'Control Assessment'.
* Select (tick) 'no mitigating controls to assess' if you are NOT live on the Controls Framework. Add your controls in the comment box.
[Screenshot: Control Assessment tab with the 'No mitigating controls to assess' tick box and the Control Effectiveness Response drop-down offering Ineffective, Partially Effective and Effective]
* If you are 'live' on the Controls Framework, assess your controls. Check the Related Controls tab for any controls and consider whether the controls would reduce your inherent risk score. You may need to untick 'no mitigating controls to assess' before you can select the Control Effectiveness from the drop-down menu. Control assessment guidance can be viewed by clicking Guidance next to Control Effectiveness (refer to paragraph 1.7 for guidance details). If there is any change, add your rationale in the comments box. Select either 'Ineffective', 'Partially Effective' or 'Effective' from the drop-down list on the Response field of the Control Assessment tab.
* If there are no controls linked to your risk under the Related Controls tab and they are managed offline, for example via Excel/SharePoint etc., add a comment in the comment box saying that controls are managed offline and, where possible, include control numbers (if you have them) or the processes you are using. Once you have added your comments, you will need to complete the Control Effectiveness using the drop-down menu.
* What if you don't have any controls implemented to mitigate the risk? Tick 'no mitigating controls to assess'.
* If there is any change, add your rationale in the comments box.
* Once completed, click ‘Save and calculate’ at the top right-hand side of the page to calculate the Control Effectiveness score.
[Screenshot: Control Assessment results showing Control Effectiveness Effective (3)]
* Click ‘Perform residual assessment’.
2.6.6 Residual Assessment
* The third stage of the risk assessment process is the ‘Residual Assessment’.
* Check that the ‘Residual risk not applicable’ box is not ticked, so that the risk scores can be completed.
* Before assessing your residual score, check the risk appetite and tolerance under the Risk Appetite tab. All risks should be managed within the agreed risk appetite.
* The residual risk is the latest level of risk, taking into account the effectiveness of the controls currently in place. To complete the residual risk, navigate to the Residual Assessment tab and use the drop-down Response fields for Likelihood and Impact to score the risk on a 1 to 5 scale. The residual score can remain the same as the previous assessment if the likelihood / impact has not changed, or be increased or decreased if the likelihood / impact has changed. Add comments in the comment box, as bullet points, giving the reason for the residual score being unchanged or changed since the previous assessment. To help you decide, you can refer to the Harm Table, which can be viewed by clicking ‘Open’ in the Guidance next to Impact/Likelihood (refer to paragraph 1.6 for details).
* Click ‘Save and calculate’ at the top right-hand side of the page.
[Screenshot: Residual Assessment tab with the ‘Residual risk not applicable’ tick box and results showing Impact Minor (1) and Likelihood Unlikely (2)]
* The risk appetite status is populated under the Risk Appetite tab to show whether the risk is within appetite (green), outside appetite (orange) or outside tolerance (red).
[Screenshot: Risk Appetite tab showing the Appetite status field]
* Complete the risk assessment by clicking ‘Respond’.
* The risk assessment result is automatically reflected in the risk record and can be located on the
‘Assessment Summary’ tab:
[Screenshot: Assessment Summary tab showing the Inherent risk and Control effectiveness results]
2.6.7 Risk Response
* Risks automatically move to the Respond state once the assessment is complete, and the ‘Risk Response’ tab becomes active. Select this tab and choose a Risk Response to the risk assessment: Mitigate (Treat), Accept (Tolerate), Avoid (Terminate) or Transfer.
* Check the risk appetite status under the Risk Appetite tab. All risks outside appetite and/or tolerance must have a mitigation plan in place to ensure the risk is brought within these levels, and may be presented to the relevant governance forums for escalation/agreement of the risk position. If your risk is outside appetite or tolerance, select Mitigate, Transfer or Avoid.
Risk appetite status | Risk Response
Within appetite      | Accept or Mitigate or Transfer or Avoid
Outside appetite     | Mitigate or Transfer or Avoid
Outside tolerance    | Mitigate or Transfer or Avoid
* For all of the above responses, a risk response task is created for you to action (refer to paragraph 2.7 on how to complete these tasks and to paragraph 1.8 for the risk response types).
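The residual scoring rules of 2.6.6 and the appetite-status rule of 2.6.7, written as a record check; this is an added example, not code from the guide or from ServiceNow GRC. It assumes a risk score is likelihood multiplied by impact on the 1 to 5 scales (the guide does not state the formula), and the sample records are constructed.

```python
"""Check a residual assessment and its risk response against the guide's rules.

Added example, not the Post Office guide's or ServiceNow's own code.
Assumption: score = likelihood * impact on the 1 to 5 scales (not stated
in the guide; the screenshots show values such as Score: 20 and Score: 6).
"""
from dataclasses import dataclass
from typing import List, Optional, Set

RESPONSES: Set[str] = {
    "Accept (Tolerate)", "Mitigate (Treat)", "Avoid (Terminate)", "Transfer",
}

# Table from section 2.6.7: responses permitted for each appetite status.
PERMITTED = {
    "Within appetite": RESPONSES,
    "Outside appetite": RESPONSES - {"Accept (Tolerate)"},
    "Outside tolerance": RESPONSES - {"Accept (Tolerate)"},
}


@dataclass
class ResidualAssessment:
    likelihood: int               # Response field, 1 to 5
    impact: int                   # Response field, 1 to 5
    comments: str                 # rationale for the (un)changed score
    appetite_status: str          # value shown on the Risk Appetite tab
    response: str                 # selection on the Risk Response tab
    previous_score: Optional[int] = None
    residual_not_applicable: bool = False


def residual_score(a: ResidualAssessment) -> int:
    """Assumed scoring: likelihood * impact (see module docstring)."""
    return a.likelihood * a.impact


def needs_mitigation_plan(appetite_status: str) -> bool:
    """Outside appetite or tolerance, a mitigation plan is mandatory."""
    return appetite_status != "Within appetite"


def validate(a: ResidualAssessment) -> List[str]:
    """Return the problems found; an empty list means the record passes."""
    problems: List[str] = []
    if a.residual_not_applicable:
        problems.append("'Residual risk not applicable' is ticked; untick it "
                        "so the scores can be completed")
    for name, value in (("Likelihood", a.likelihood), ("Impact", a.impact)):
        if not 1 <= value <= 5:
            problems.append(f"{name} must be on the 1 to 5 scale, got {value}")
    if not a.comments.strip():
        # Comments are required whether or not the score changed.
        problems.append("comments explaining the residual score are required")
    if a.appetite_status not in PERMITTED:
        problems.append(f"unknown appetite status {a.appetite_status!r}")
    elif a.response not in PERMITTED[a.appetite_status]:
        problems.append(f"{a.response!r} is not permitted when "
                        f"{a.appetite_status}; choose Mitigate, Transfer "
                        "or Avoid and record a mitigation plan")
    return problems


if __name__ == "__main__":
    # Constructed sample: an accepted risk within appetite, and a risk
    # outside tolerance that someone tried to accept with no comments.
    ok = ResidualAssessment(2, 1, "Controls unchanged since last review",
                            "Within appetite", "Accept (Tolerate)", 2)
    bad = ResidualAssessment(4, 5, "", "Outside tolerance", "Accept (Tolerate)")
    for rec in (ok, bad):
        print(residual_score(rec), validate(rec) or "passes")
```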
* Once done, click the ‘Request approval’ button.
* Click ‘Submit’. The risk assessment moves to the ‘Monitor’ state and the previous risk assessment moves to the ‘Closed’ state. A response record is created and will be visible on your Risk Response tab.
* Once you have completed all risk assessments, the ‘My risk assessments ready to assess’ section of the Risk User dashboard will be empty.
* If you have not fully completed an assessment to the end state (i.e. ‘Request Approval’ and ‘Submit’), the assessment will be listed in the middle section of your Risk User dashboard, the ‘My Risk Assessments (in Progress)’ list.
* Complete your risk assessments in progress and go back to your Risk User dashboard to check that the section ‘My Risk Assessments (in Progress)’ is now empty.
2.7 COMPLETE A RISK RESPONSE TASK
* Depending on the response selected on the Risk Assessment the system will automatically create and
assign to the Risk Assessor one of the following:
2.7.1 Risk Mitigation Task
* Scroll down and click the Risk Response Task tab, then select the new risk mitigation record created (identified by Active is true, the latest number or a Work in progress state for the mitigation task). You can also locate your new risk mitigation task in your Risk User Dashboard under My Open Risk Mitigation Task.
* If there is already a mitigation task for your risk, the system automatically cancels your previous open risk response task (i.e. one in the ‘Work in progress’, ‘Awaiting Approval’ or ‘Review’ state). Risk mitigations in the ‘Closed Complete’ state will not be cancelled and remain in the closed state.
* You can see your cancelled mitigation task (if applicable) under the ‘Risk Response Tasks’ tab of your Risk Assessment record.
* Click the MGT number (not the words).
* Complete the ‘Estimated start date’ and ‘Estimated end date’ (the next key milestone of the remediation, or the date by which you expect the mitigation plan to be completed).
* Now complete the ‘Plan’. You will have to copy and paste your Plan into the new one if your cancelled mitigation was still open (i.e. ‘Work in progress’, ‘Awaiting Approval’ or ‘Review’), or complete the new mitigation task with new details if the previous one was ‘Closed Complete’. List, as bullet points, the key actions that will be put in place or the key projects that will remediate this risk. This information will be used to produce risk reports for your GE member and for the Risk and Compliance Committee, so be as clear as possible. This is a good example:
[Screenshot: example mitigation plan listing numbered key actions]
* Once updated, click ‘Update’; your risk response will remain in the ‘Work in progress’ state. You have now reviewed and updated your new plan.
* If your mitigation is in ‘Work in progress’, you can update your risk mitigation plan at any time. You do not need to wait for a risk assessment to be released.
* Ask your RBP if you need any help.
Risk mitigation closure
* You can close a mitigation plan if the risk is either (i) in an Accept state or (ii) no longer exists. If it is point (i), contact your RBP, who will release an assessment for you to complete; this will enable you to rescore the risk and enter Accept in the respond section (see the acceptance response task section below). If it is point (ii), refer to paragraph 2.8 for how to retire a risk.
* Once your mitigation is ‘Closed Complete’, the risk record will move to the ‘Monitor’ state and will be read-only, so you will not be able to edit any risk details (including risk name, description, statement etc.). Your risk record will be editable again as soon as a new risk assessment is released. Your risk mitigation task will also not be editable. Please DO NOT close your mitigation if you wish to edit your risk record or your mitigation record before your next risk assessment release.
2.7.2 Risk Acceptance Task
* Scroll down and click the Risk Response Task tab, then select the new risk acceptance record created (identified by Active is true, the latest number or a Work in progress state). You can also locate your new risk acceptance task in your Risk User Dashboard under My Open Risk Acceptance Task.
* Click on the APT number (not the words). If the risk has been accepted before, there will be more than one risk acceptance task showing.
* The system will automatically cancel your previous open risk response task (i.e. one in the ‘Work in progress’, ‘Awaiting Approval’ or ‘Review’ state). Risk acceptances in the ‘Accepted’/‘Closed’ state will not be cancelled.
[Screenshot: Risk Acceptance task record showing the State, Approvers, Name, Plan and Justification for acceptance fields]
* Enter the ‘Acceptance end date’. This is how long you are prepared to accept the risk for without reviewing it, and we recommend that this is no more than 12 months. When the ‘Acceptance end date’ passes, the system will automatically release a Risk Assessment to the Risk Owner.
* Complete the ‘Plan’ with the event that is driving the acceptance end date (e.g. Our Strategic plan will be finalised by xx/xx/xx, which may impact on this risk). The Plan must be relevant to the risk.
* Complete the ‘Justification for acceptance’ section. This is a short confirmation of why you have agreed to accept this risk for the agreed period of time. This would usually be because the risk is within the business’s risk appetite. This is an example of a justification for acceptance:
[Screenshot: example Risk Acceptance task with a completed Justification for acceptance]
* Click the ‘Review’ button and then the ‘Close’ button. Do not click any other buttons, as this will prevent the task being completed to the Accepted state. This is very important: if this is not completed correctly, a risk assessment will not be released in the future.
* You have now fully completed the Acceptance task.
* Once your acceptance is ‘Accepted’, the risk record will move to the ‘Monitor’ state and will be read-only, so you will not be able to edit any risk details (including risk name, description, statement etc.). Your risk record will be editable again as soon as a new risk assessment is released. Your risk acceptance task will also not be editable.
* Go back to your Risk User dashboard and the section ‘My open Acceptance Tasks’ should now be empty.
* If your assessment of the risk (or its controls, or your risk appetite) changes and you no longer want to accept the risk before the acceptance end date is reached, contact your Risk Business Partner, who can release the risk for assessment.
Acceptance task delegated
* When the risk assessment is delegated to someone other than the risk owner, the delegated person should request approval by clicking the ‘Request Approval’ button at the top right. The risk response acceptance task is moved to the ‘Awaiting Approval’ state.
* Risk owners should not request approval of their tasks.
* Delegates can view approvers on the risk acceptance task record under ‘Approvers’.
2.7.3 Risk Avoidance Task
* Scroll down and click the Risk Response Task tab if you are still performing your risk assessment, or log into ServiceNow and load your Risk User dashboard — My Open Risk Avoidance Tasks.
* Select the new risk avoidance record created (identified by Active is true, the latest number or a Work in progress state).
* Click on the AVT number (not the words).
* The system will automatically cancel your previous open risk response task, as described in paragraphs 2.7.1 and 2.7.2.
* Enter the Plan and the Steps to implement the plan.
* Click the ‘Update’, ‘Review’ and ‘Close’ buttons when you are satisfied with the plan. Your task will be in the Closed state.
* Once your avoidance is ‘Closed’, the risk record will move to the ‘Monitor’ state and both the risk and the response task records will be read-only, as described in paragraphs 2.7.1 and 2.7.2.
2.7.4 Risk Transfer Task
* Scroll down and click the Risk Response Task tab if you are still performing your risk assessment, or log into ServiceNow and load your Risk User dashboard — My Open Risk Transfer Tasks.
* Select the new risk transfer record created (identified by Active is true, the latest number or a Work in progress state).
* Click on the TFT number (not the words).
* The system will automatically cancel your previous open risk response task, as described in paragraphs 2.7.1 and 2.7.2.
* Enter the ‘Plan’ details.
* Click the ‘Update’, ‘Review’ and ‘Close’ buttons when you are satisfied with the plan. Your task will be in the Closed state.
* Once your transfer is ‘Closed’, the risk record will move to the ‘Monitor’ state and both the risk and the response task records will be read-only, as described in paragraphs 2.7.1 and 2.7.2.
2.7.5 Activity Journal
* Your RBP will use the ‘Additional comments’ box of the Activity Journal tab to communicate with you, tagging you in the comment.
* You can add notes/communication in the ‘Additional comments’ box and interact with your RBP or other risk users using the tagging functionality: type @ and then the name of the person you want to mention.
* Click ‘Post’ to move the additional comment to the Activities stream.
* You will receive email notifications in your Outlook if you have been tagged in any communication.
[Screenshot: ServiceNow @mention email notification, ‘You have been mentioned in …’]
* In the Activity Journal you can also see changes to your risks related to Category, Description, Entity, Name, Owner, Risk Statement and State.
* You can use the ‘Filter Activity’ functionality to choose the kind of communication that you want to see in your Activity Journal (i.e. Additional comments only, or risk changes related to Category, Description, Entity, Name, Owner, Risk Statement and State).
[Screenshot: Filter Activity options – Additional comments, Category, Description, Risk Statement, Sidebar discussion, Sidebar posted message, State]
* You can use the ‘Follow’ functionality to follow updates on one particular risk.
[Screenshot: risk record after clicking ‘Follow’, showing the message ‘You are now following Test risk. You will be notified of any new comments or work notes according to your notification settings’]
* You will receive notifications in your Outlook if there are any updates on your risk or if you have been tagged in any communication.
2.8 RETIRE / CLOSE A RISK
* If the risk no longer exists and therefore does not require further assessment or monitoring, and you wish to ‘Retire’ or ‘Close’ the risk, contact your RBP.