POL00447909 - Risk Champion Framework Policy



Risk Champion Framework

April 2024

INTERNAL


Central Risk Team

Members and roles as shown on the slide: Rebecca Barker, Audry Zavaglia, Cahill Embrey, Roberta, Michelle; Head of Risk, Risk Business Partner, Risk Manager, Risk Business Partner.

The Central Risk Team supports the Post Office to:

* Effectively manage the risks that would affect its ability to deliver its business objectives and strategy
* Actively monitor and strengthen the approach to risk management
* Adopt a comprehensive, consistent and collaborative approach to risk
* Promote a consistent risk-intelligent culture

Post Office
CONFIDENTIAL
Risk Champions

* Calum Ellison (Technology)
* Sophia Palin (Retail & Franchise)
* Rehan Zaidi (Retail & Franchise)
* Jade Beech (Finance)
* Duncan Hughes (Retail)
* Chloe Davies (Payment Services)

The risk champion role encompasses the following elements:
* Attend training sessions
* Be an active member of the risk champion forum
* Support your area with:
    * risk identification
    * use of Service Now
    * reporting
    * identifying blockers
* Be the subject matter expert for your area
* Support your area on the control framework
* Support the central risk team to build a risk-aware culture

Benefits of becoming a Risk Champion:

* Improving risk management knowledge
* Training opportunities
* Ways of Working
* Networking opportunities
* Supporting your development

Post Office Limited - Document Classification: INTERNAL

Risk Management

The Post Office risk management framework is based on ISO 31000.

The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.

Advantages include:

* Managing risk is iterative and assists organisations in setting strategy, achieving objectives and making informed decisions.
* Managing risk is part of governance and leadership and is fundamental to how the organisation is managed at all levels. It contributes to the improvement of management systems.


Elements of Risk Management


* Understand emerging risks: Gather intelligence on far-off threats.
* Consider extreme events: Consider unexpectedly large deviations (i.e. black swans*) that could have catastrophic impacts.
* Define and understand risk appetite**: Provide key risk indicators to ensure that risk remains within the determined thresholds.
* Assess and aggregate all risks: Assess correlations and more general interactions within the set of an organisation's exposures; implement a "portfolio approach" to the aggregation of risk.
* Ensure sound judgement: While data and quantitative tools are important, they also have their limitations. Data reflect past events, and in order to predict future events we must rely on hypothesis and interpretation. Therefore sound judgement and qualitative tools should be part of risk management.
* Foster a risk culture in the organisation: Have upper, middle and lower management manage operational and tactical risks.

* Black Swan: an event which can have high impacts but whose probability of occurrence is low
** Risk Appetite: the level of risk the organisation is willing to accept

What is a Risk

Definition: the EFFECT of UNCERTAINTY on OBJECTIVES

* Effect: a deviation from what was expected, which can be either positive or negative.
* Uncertainty: the lack of information or knowledge concerning an event, its consequences or its likelihood.
* Objectives: an activity is only undertaken for the purpose of reaching a certain goal. Objectives may be financial, environmental, health and safety goals etc.

Risk is the effect of uncertainty on objectives and can have positive or negative impacts on the business.


What is a Risk

Opportunity
* An opportunity is a positive situation in which gain is likely.
* Taking or not taking an opportunity are both sources of risk.
* An opportunity may pose a threat to another.

Threat
* A threat is a potential source of danger, harm or another undesirable outcome.
* A threat is a negative situation in which loss is likely.
* A threat could pose an opportunity to another.

Event
* An event can be referred to as an incident or accident.
* An event with no consequence can be called a near miss or close call.
* Examples of events are: natural events, natural disasters, accidents, pandemics, crime, political unrest, economic events (recession, trade wars, bankruptcy).

Effect
* An event can lead to a range of consequences that can be certain or uncertain, positive or negative. They can also escalate through knock-on effects.
* Examples include: reputational damage, missed objectives / targets, legal or regulatory issues, negative impact on our Postmasters, financial impacts, going viral, improved processes / methodologies.


Risk Assessment


Inherent Risk Assessment

* The inherent score is the level of risk before any control activities are applied.
* The inherent score is determined when you assign a likelihood and an impact rating (each between 1 and 5) to the risk. Ensure that it is either the same as or higher than the residual score (never lower).
* For new risks with no controls or remediation activity in place, the inherent score may be equal to the residual score.

Controls Assessment

* A control is any action taken to reduce the likelihood and/or magnitude of a risk.

Residual Risk

* The residual score can remain the same as at the previous assessment if the likelihood / impact has not changed, or be increased or decreased if the likelihood / impact has changed.
* Add comments in the comment box, as bullet points, giving the reason for the residual score being unchanged or changed since the previous assessment.
* To help you decide, refer to the Harm Table.
* Check the risk appetite.


Risk Treatment Options


Risk Mitigation

* Assign a remediation plan owner.
* The plan should contain all the actions to mitigate the likelihood of the risk.
* An end date is required for each activity of the plan (if they are different).
* A mitigation plan can be closed if the risk is either (i) in an Accept state or (ii) no longer exists.

Risk Acceptance

* An acceptance date is required.
* A plan with the event that is driving the acceptance end date (e.g. "Our strategic plan will be finalised by xx/xx/xx, which may impact this risk").
* The plan must be relevant to the risk.
* A justification for acceptance should be completed.

Risk Avoidance / Transfer

* Avoidance: avoiding the risk by deciding not to start or continue with the activity that is the source of risk.
* Transfer: transferring or sharing the risk via contracts or insurance (transferring in this context does not mean from one department to another).
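The scoring rules on the Risk Assessment slide and the treatment rules above can be checked mechanically before a register is reported. The following is an added illustration and not Post Office or Service Now code: it encodes those rules over a constructed record layout (the dictionary keys are assumptions), treats impact as an already-assigned 1 to 5 rating because the Harm Table itself is not reproduced here, and returns every violation it finds rather than stopping at the first.

```python
"""Risk register consistency checker (added example, not Post Office code).

Rules encoded, taken from the Risk Assessment and Risk Treatment slides:
  - likelihood and impact are rated 1..5; score = likelihood x impact
  - the inherent score must be the same as or higher than the residual score
  - a residual score that changed since the previous assessment needs comments
  - a mitigation plan needs an owner and actions, each action with an end date
  - a mitigation plan may only be closed if the risk is accepted or no longer exists
  - an acceptance needs an acceptance date and a justification
The record layout (dict keys) is an assumption made for this example.
"""
from typing import Dict, List, Optional

SCALE = range(1, 6)  # ratings run from 1 to 5 inclusive


def score(likelihood: int, impact: int) -> int:
    """Likelihood x impact; both ratings must be on the 1..5 scale."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be between 1 and 5")
    return likelihood * impact


def check_risk(risk: Dict, previous_residual: Optional[int] = None) -> List[str]:
    """Return the rule violations for one register entry (empty list = clean)."""
    problems: List[str] = []
    inherent = score(risk["inherent_likelihood"], risk["inherent_impact"])
    residual = score(risk["residual_likelihood"], risk["residual_impact"])

    # Inherent is the pre-control level, so residual may equal it but never exceed it.
    if residual > inherent:
        problems.append(f"residual score {residual} exceeds inherent score {inherent}")

    # A changed residual score must be explained in the comment box.
    if previous_residual is not None and residual != previous_residual and not risk.get("comments"):
        problems.append("residual score changed since previous assessment but no comments given")

    treatment = risk["treatment"]
    if treatment == "mitigate":
        plan = risk.get("plan") or {}
        if not plan.get("owner"):
            problems.append("mitigation plan has no remediation plan owner")
        actions = plan.get("actions", [])
        if not actions:
            problems.append("mitigation plan has no actions")
        for action in actions:
            if not action.get("end_date"):
                problems.append(f"action '{action.get('name')}' has no end date")
        # Closing the plan is only allowed once the risk is accepted or gone.
        if plan.get("status") == "closed" and risk.get("status") not in ("accepted", "closed"):
            problems.append("mitigation plan closed while risk is still open and not accepted")
    elif treatment == "accept":
        if not risk.get("acceptance_date"):
            problems.append("acceptance has no acceptance date")
        if not risk.get("acceptance_justification"):
            problems.append("acceptance has no justification")
    elif treatment not in ("avoid", "transfer"):
        problems.append(f"unknown treatment '{treatment}'")
    return problems


# Constructed sample records for illustration only.
SAMPLE_CLEAN = {
    "id": "R-001", "status": "open", "treatment": "mitigate",
    "inherent_likelihood": 4, "inherent_impact": 4,
    "residual_likelihood": 2, "residual_impact": 3,
    "comments": "- controls unchanged since last review",
    "plan": {"owner": "J. Smith", "status": "open",
             "actions": [{"name": "complete access review", "end_date": "2024-09-30"}]},
}

SAMPLE_BAD = {
    "id": "R-002", "status": "open", "treatment": "mitigate",
    "inherent_likelihood": 2, "inherent_impact": 2,   # inherent 4 ...
    "residual_likelihood": 3, "residual_impact": 3,   # ... but residual 9
    "comments": "",
    "plan": {"owner": "A. Jones", "status": "closed",
             "actions": [{"name": "patch legacy server"}]},
}

if __name__ == "__main__":
    for record in (SAMPLE_CLEAN, SAMPLE_BAD):
        print(record["id"], check_risk(record, previous_residual=6 if record is SAMPLE_CLEAN else 4) or "ok")
```

Run against a register export, the list returned for each entry is what a risk champion would need to chase with the risk owner before the figures go into reporting; the numeric checks are deliberately separate from the treatment checks so that a register entry with a sound score but an incomplete plan is still flagged.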


Post Office Harm Table (2023)

Impact scale. Impact: the impact of the risk materialising could be one (or more) of the following ...

Tolerance and Appetite


* Risk Universe: all risks that can impact the achievement of long-term objectives.
* Risk Tolerance: risks that the business can put up with and the boundaries beyond which the business is prepared to take risks.

Risk Hierarchy

Levels, from top to bottom: Enterprise Risk, Intermediate Risks, Local Risks.


Risk Tool — Service Now

Benefits:

* Faster risk-based decision-making: prioritise activities based on automated risk scores to work on the most critical risks first.
* Increased performance: risk management embedded in automated cross-functional activities eliminates work interruptions.
* Effectively communicate risk: real-time insights and role-based dashboards make reporting at all levels easier and faster.
* Stay on top of risks: interfaces provide the information you need to do your job anytime and anywhere.

Benefits of Risk Management for the Post Office first line of defence:

* The SEG, Business and Department Heads are able to see all the risks owned by their respective teams/staff, the current status, and the extent to which the mitigations are being managed proactively and in line with the Group Policy.
* Risk Owners are able to identify, assess and respond effectively to the risks they own; all of this gives full visibility to their respective Business Unit/Department Heads.
