Tab 1 January Minutes
POST OFFICE LIMITED
POL00447929
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 26th JANUARY 2021 AT 20 FINSBURY
STREET, LONDON EC2Y 9AQ AT 08.30AM (VIA CONFERENCE CALL)¹
Present:
Carla Stent (Chair)
Ken McCall (SID) (KM)
Tom Cooper (NED, UKGI) (TC)
Zarin Patel (NED) (ZP) (to 10:00am only)
Invited Attendees:
Sam Banks (Analyst Independent Audit): Observer
Richard Sheath (Partner, Independent Audit): Observer
Sally Smith (Money Laundering Reporting Officer & Head of Financial Crime): Item 5 (SS)
Ian Holloway (Director of Risk & Compliance, Post Office Insurance): Item 6 (IH)
Tom Lee (Head of Finance Financial Accounting and Controls): Item 7 (TL)
Christine Kirby (Financial Controls Manager): Item 7 (CK)
Andy Jamieson (Head of Tax): Item 8
Amanda Jones (Retail & Franchise Network Director): Items 9 & 10 (AJ)
Tim Perkins (Service and Support Optimisation Director): Item 9 & 10 (TP)
Declan Salter (GLO Director): Item 11 (DS)
Graham Hemingway (Historical Matters Portfolio Lead): Item 11 (GH)
Tony Jowett (Chief Information Security Officer): Item 12 (TJ)
Regular Attendees:
Tim Parker (Chairman, POL) (TP)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group CFO) (AC)
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Audit Partner, PwC) (AP)
Sarah Allen (Senior Manager, PwC) (SA)
Rosie Clifton (Senior Manager, PwC) (RC)
Johann Appel (Head of Internal Audit) (JA)
Mark Baldock (Head of Risk) (MB)
Jonathan Hill (Compliance Director) (JH)
Rebecca Whibley (Senior Assistant Company Secretary) (RW)
Hugo Sharp (Deloitte Partner) (HS)
Apologies:
Zarin Patel (from 10:00 onwards)
Action
1. Welcome and Conflicts of Interest
1.1
A quorum being present, the Chair opened the meeting and noted that
participation was solely by conference call given the current
Government guidance on home working. However, given the
requirements of the Company’s Articles of Association, the location of
the meeting was agreed to be the Company’s Registered Office.
1.2
The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
requirements of section 177 of the Companies Act 2006 and the
Company's Articles of Association.
¹ Participation in the meeting was entirely via Microsoft Teams from participants’ personal addresses. In such
circumstances the Company’s Articles of Association (Article 64) require that the location of the meeting be
deemed as the chair’s location. However, it was not deemed appropriate to record personal addresses on the
Company record. As such, the Registered Office is recorded as the meeting location.
STRICTLY CONFIDENTIAL
ARC Minutes for Signature-01/04/21
POL-BSFF-107-0000013
Policies: Investigations Policy
Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. The following points were discussed:
- The existing policy had not been used for some time and as such,
the policy has been completely overhauled, following an industry
approach.
- The policy sets out minimum standards for how Post Office will
conduct investigations wherever they might take place in the
business to ensure a consistent approach, building on comments
in Fraser J's judgment.
- The Chair noted that an issue that was made clear from the
Group Litigation Order (GLO) was the attitude of the investigator.
Whilst issues like the duty of good faith would only apply in the
Post Office/Postmaster relationship (not commercial
relationships), it was agreed that the attitude of the investigator
should be addressed in the policy.
- It was also noted that matters such as the independence of the
investigator and the level of expertise needed should also be
clear in the policy. It was explained that the policy was simply a
framework and other policies were still relevant such as Conflicts
of Interest. Nonetheless, it was agreed that these matters should
be made clear in the policy, including references to other policies
as appropriate.
- Ken McCall questioned whether the policy considers service level
agreements (SLAs) with Postmasters and Board/Committee
review of the relevant metrics in this regard. Ben Foat explained
that such matters were for specific Postmaster policies and this
policy was very much a minimum standards framework.
- Ken McCall was also concerned about the accessibility of the
policy, particularly for Postmasters, and how the policy would be
rolled out. It was explained that this was an internal policy, rather
than Postmaster facing. Nonetheless Compliance was developing
a one to two page summary to make the policy more accessible
as well as engaging with relevant Policy Owners to ensure they
understand the requirements and can evidence compliance.
- Tom Cooper requested that the policy also be externally
reviewed.
Accordingly, the Committee APPROVED the Investigations Policy,
subject to:
i. The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent
and have the appropriate expertise and appropriate
references to other relevant policies; and
ACTION:
BF
ii. The policy being externally reviewed, and the results of this
review being considered and included as appropriate.
Previous Meetings
The minutes of the meeting of the Audit and Risk Committee held on
24 November 2020 were APPROVED and AUTHORISED for signature
by the Chair.
3.2
Progress against the completion of actions as shown on the action log
was NOTED.
Action 1 from 27 July 2020 (para 4) Pensions Assurance: See update
to action 5 from 22 September 2020 below. Quantification to be known
in March 2021 and an update to be provided to the Audit, Risk &
Compliance Committee (ARC) or Board as required at this point. An
update paper was also presented to the Committee for noting (see para
14 below). The action remained open.
Action 2 from 27 July 2020 (para 6) Update from Subsidiaries: The
Master Services Agreement and Master Distribution Agreement
amendments were executed by both parties on 5 January 2021 via
Web3. The action was closed.
Action 3 from 22 September 2020 (para 4.1) Risk Appetite Statements:
Legal and Compliance Risk Appetite Statement paper was presented to
the Committee for noting (to be approved at a later date) (see para
4.2). Further statements were in train including IT (with Jeff Smyth,
Group Chief Information Officer) and Operations (Postmasters) (with
Amanda Jones, Retail and Franchise Network Director). There was
further discussion regarding prioritisation during the meeting, see para
4.2 below. The action remained open.
Action 4 from 22 September 2020 (para 5.5) SuccessFactors: This
action was addressed by a noting paper presented to the Committee (see
para 14). The action was closed.
Action 5 from 22 September 2020 (para 6.4) Pension Assurance: The
quantum is likely to be known in March 2021 following analysis and
review by the Trustee. The approach to correcting the members'
benefits including any proposed clawback will be discussed by the
Trustee and Post Office following the Trustee Board meeting on 23
March 2021. The intention was to engage early with the Trustee to
ensure Post Office’s preferred approach was known. A further update
was to be provided to the ARC or Board as required in March 2021. An
update paper was also presented to the Committee for noting (see para
14 below). The action remained open.
Action 6 from 22 September 2020 (para 7.3) Suspense Accounts: An
update paper was provided to the Committee (see para 9). The action
was closed.
Note: Action 7 in the papers was a duplicate of Action 2 above (due to
copy and paste error).
Action 8 from 24 November 2020 (para 3.1) Risk Dashboard: At this
point the Risk team was not in a position to provide system-aggregated
Dashboards as it was finalising the risk management transition from
RSA Archer to ServiceNow (IRMPro). This had just been completed. A
refreshed set of GRC risk reports in line with ARC requirements was to
be presented to ARC in March 2021. The action remained open.
Action 9 from 24 November 2020 (para 3.2) Risk Policy (Legal &
Compliance Risk Appetite): The Legal & Compliance Risk Appetite paper
has been developed and has been shared with the Chair. However, this
is still a work in progress and as such, the Committee was not asked to
approve the Risk Appetite statement at its January meeting.
Accordingly, the Committee may discuss and feedback as required in
the meeting. The further iteration was to be shared with the Committee
prior to its next meeting if so required. (See para 4.2 below). The action
remained open.
Action 10 from 24 November 2020 (para 3.2) Risk Policy (Risk
Management Responsibilities): See para 4.1 where the ARC has
approved the division of risk management responsibility between the
ARC and Board. The action was closed.
Action 11 from 24 November 2020 (para 3.2) Risk Policy (Approval
subject to amendments): Risk Policy scope was amended as required
and the Board approved the final policy in January 2021. The action
was closed.
Action 12 from 24 November 2020 (para 3.2) Risk Policy (Page
Numbers and Policy Paper): Page numbers were viewable on the tabs
created by Diligent Boardbooks, this included the page range for each
section. The policies before the Committee in January 2021 are to be
approved by parallel Written Resolution included as either a track
changes version (where changes are minor) or the existing policy
(where the changes are more substantial i.e. a complete re-write). The
action was closed.
Action 13 from 24 November 2020 (para 3.4) Internal Audit (Data
Privacy (Document Retention)): A revised action was agreed, and the
completion date re-stated to 31 March 2021. This was to be tracked
through the usual process and reported back to the ARC. The action
was closed.
Action 14 from 24 November 2020 (para 3.4) Internal Audit (Deep
Dives): Deep dive audits to be added to IA plan as follows: Financial
Crime Q4 FY21, Loss Prevention FY22 tbc, Compliance Function FY22
tbc and Risk Management Framework FY22 tbc. The action was closed.
Action 15 from 24 November 2020 (para 4.3) Suspense Accounts: All
elements have been completed and the report was approved by the
Board for publication. The action was closed.
Action 16 from 24 November 2020 (para 7.1) Post Office Insurance
Travel Refund Complaints: A memo in response to this action was
provided to the Committee via email on 4 January 2021. The memo
was also available in the Reading Room. The action was closed.
Action 17 from 24 November 2020 (para 9.1) Historical Matters Unit
(RACI Matrix): Discussions concerning UK Government Investments
(UKGI)/Department of Business, Energy & Industrial Strategy (BEIS)
involvement in Historical Shortfall Scheme (HSS) approvals, which
directly affects the operation of the schemes, have continued during
December and were expected to be finalised during January. A verbal
update was provided to the ARC (see para 11 below). Further update
will be provided in March 2021. The action remained open.
Action 18 from 24 November 2020 (para 9.2) Historical Matters Unit
(Fraudulent Claims Controls): Fraud risks were being actively managed
by Herbert Smith Freehills (HSF) and the Project team covering 21
separate fraud risks - see Appendix 1 in the paper as per para 11 below.
The action was closed.
Action 19 from 24 November 2020 (para 9.2) Historical Matters Unit
(Live data in CCRC Pack): Management Information (MI) showing latest
eligibility results (values and volumes) from HSS is already distributed
as part of a MI pack that HSF share with Board members on a weekly
basis. (Eligibility extract attached in Appendix 1 of the paper as per para
11 below). Information relating to identification of fraudulent claims has
been shared as part of the Criminal Cases Review Commission (CCRC)
Board packs from 14th January 2021. The action was closed.
Action 20 from 24 November 2020 (para 10.1) Payzone Risk Report:
Capita have confirmed to PipIT that they need to stop using Post Office
branches and find another method. PipIT have asked if they can have
two weeks to sort out a new provider which Post Office/Payzone has
agreed to and the proposal was for PipIT to stop using Post Office by
31 January 2021. (Note: PipIT is the gateway for Zeepay, Glow remit
etc. If PipIT stop using Post Office branches, then the others will also
be stopped). A further update will be provided when it is confirmed
PipIT have stopped using Post Office. The action remained open.
Action 21 from 24 November 2020 (para 12.1) Deep dive:
Transformation Office Change Update 2020: Dan Zinner and Saira
Burwood met with Tom Cooper on 15 January 2021 to discuss the action
regarding metrics on Change controls. Mark Baldock also joined the
meeting as he was transitioning all the controls into a new tool
(ServiceNow) which would then be able to provide a suite of reports on
the controls. These reports and dashboards would be provided to ARC
on a regular basis once ServiceNow transition was complete and Mark
agreed to give Tom early sight of these when available. The action was
closed.
3.3 The draft minutes of the Risk and Compliance Committee held on 12
January 2021 were NOTED.
4. Risk, Compliance and Internal Audit Updates
4.1
Risk Update
Mark Baldock introduced the paper, which had been circulated
previously and was taken as read. The key points were summarised as
follows:
- Governance, Risk & Compliance (GRC) tool (move from Archer
to Service Now): Phase 1 was now complete with 520 risks
moved, and the system was now live in the central risk team
and Archer has been decommissioned. Work had now started on
phase 2 which was rolling out the risk capability to the business
and migration of controls for IT, Finance and the Portfolio Office,
which would allow formal links of the controls to the risks.
IRRELEVANT
but further work was to be carried out, as well as
considering whether other risks had an impact on
Postmasters. The Chair noted a discussion in the Internal
Audit meeting that morning about how to implement
controls around Postmaster risks and how to validate GLO
initiatives. Mark Baldock was asked to pick this up with
Jonathan Hill with an update to be provided at the March
meeting. Multiple partner fragility was also noted as a key
operational risk due to the economic threats to the high
street.
o People: There were long standing risks about work life
balance and work pressures on colleagues, which had been
exacerbated recently given the greater degree of
uncertainty about easing of lockdowns. Much was being
done by management, however there was a concern that
some colleagues may suffer from burnout. Zarin Patel
questioned how this might affect work being done in the
risk and control environment. Nick Read explained that the
risk and need for improved engagement in the current
lockdown was recognised and Lisa Cherry (Group Chief
People Officer) and Richard Taylor (Group Corporate
Affairs, Brand and Communications Director) were
working through the engagement strategy.
ACTION:
MB
- Risk management by the Board & ARC: Recognising that there
was a need to clearly differentiate where risk was managed, it
was recommended that:
o the Board should provide oversight of (and direction on)
management of the key strategic business risks that could
threaten the delivery of the Post Office’s strategic
objectives, including setting the risk appetite and focus on
key risks.
o ARC should support the Board and consider what needs to
be referred to the Board. Otherwise, it should focus on
audit and compliance risks and controls.
The Committee made it clear that the ARC should get an overall
picture of risks, with material commercial, strategic and
reputational risks escalated for Board consideration.
Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around
“insufficient” funding reflect the risk of uncertainty about
funding;
- Paragraph 25 relating to the risk of prolonged industrial action as
this should refer to pace of response rather than the risk of
material long term industrial action; and
- Paragraph 27 relating to adverse external economic factors,
noting that much of this was outside Post Office’s control and
that, some elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with
Ken McCall and provide an update for the next Committee meeting.
The Committee NOTED the current status of key risks and GRC
implementation and APPROVED the proposals on the role of the Board
and ARC with respect to oversight of Post Office risk management as
set out in paragraph 31 of the paper.
ACTION:
MB
4.2
Risk Appetite Statement: Legal & Compliance
Ben Foat introduced the paper, which had been circulated previously
and wi ki A fol Al
The paper was a living document and would change over time.
The next steps were to ensure there were Key Risk Indicators
(KRIs) in place and then operationalise, with engagement with
the 1st line of defence.
The
ACTION:
BF
ACTION:
BF
ACTION:
BF
The Chair noted the extensive work that had gone into the paper and
questioned whether, given the resourcing pressures, it was better to
work on KRIs to trigger a red/amber/green rating. The Committee
agreed but noted that Legal and Compliance and Postmaster related
activity were important areas in which to have risk appetite statements.
There was also a suggestion that areas that were less under pressure
in the short term could also be considered (such as finance). As such,
Mark Baldock was asked to look at identifying the KRIs for Postmasters
with the Network team and consider working on statements for one or
two other areas for update at the March Committee meeting (in the
usual Risk Paper).
ACTION:
MB
Otherwise, the Committee NOTED the draft corporate Legal &
Compliance Risk Appetite Statements which will be shared with the
Senior Leadership Team so that these can be further refined and
assessed within the business in commercial decision making.
4.3 Compliance Update
Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. It was summarised as follows:
- Controls Framework: Work was being undertaken with the
Historical Matters Unit (HMU) to ensure the correct controls were
embedded into the relevant areas, so as to meet obligations
arising from the Common Issue Judgment (CIJ), Horizon Issue
Judgment (HIJ) and the stamps review. There was an existing
controls framework in Finance and IT (although the latter was
being overhauled), but there was no consistent approach across
the rest of the business. This was what the Framework was to
provide, such that the business could self-assess controls with
assurance provided by Compliance. Ken McCall noted that the
report outlined that there had been changes to the Postmaster
Onboarding process and questioned whether this meant the
onboarding process was quicker. Jonathan Hill was asked to
confirm this point for update at the next meeting. This area was
ultimately owned by Dan Zinner, Group Chief Operating Officer,
but supported by Amanda Jones (Retail and Franchise Network
Director), Finance and Legal. Nick Read highlighted that
recruitment of the Postmaster Director and the Customer
Experience Director was critical but would require careful
recruitment criteria.
ACTION:
JH
In response to questions from Ken McCall raising concerns about
the wording of this section in the report (paragraph 11), it was
confirmed that it was the mapping of processes for activities
addressing the CIJ that had no consistent approach, rather than
the controls themselves. Key was evidence of controls and a
consistency of approach. The HMU team was working with the
relevant business areas to address this. However, the Chair
asked Jonathan Hill to further consider before the next meeting
any underlying issues (not just related to mapping), what
controls were in place and whether or not they were appropriate.
ACTION:
JH
Zarin Patel also requested that the Committee have sight of the
KPMG review of the HIJ when this was ready, noting that there
were a lot of papers regarding Postmasters before the Committee
and the Board and therefore questioned whether the issue was
under control. Al Cameron explained that much work had been
done to ensure legal compliance with the judgment, but work
was on-going and KPMG and Deloitte were likely to raise issues
that had not yet been considered. As such the controls
framework was very important and must be sustainable.
ACTION:
JH
- Data: The site review was now coming to an end and the main
focus was now on disclosures required for 5 February 2021. So
far, nothing had been found in the reviews that had not already
been disclosed. However, work was on-going.
- Cookies: Previous direction was that Post Office should look to
be in the “middle of the pack” when it comes to cookies. The
recent decision in France against Google and Amazon Europe was
noted and it was explained that typically (pre-Brexit), the
Information Commissioner's Office (ICO) aligned with Europe. As
such, the Digital and Compliance teams were looking at the
commercial impact of tightening the approach to cookies, with a
view to still remaining in the “middle of the pack.” The Chair
requested that the team carefully consider appropriate
benchmarking in a post Brexit world.
- Fire Risk Assessments: The Committee requested to be kept up
to date regarding the outstanding actions in respect of fire risk
assessments undertaken in June and July which are currently
being investigated by the Head of Health & Safety. This was to
be included in the Compliance report for the March meeting.
The Committee NOTED the Compliance update, in particular:
- The Controls Framework update;
- The Data Management activities; and
- Post Office’s approach to cookies.
ACTION:
JH
4.4
Internal Audit (IA) Update
Johann Appel introduced the paper which had been circulated
previously and was taken as read. The following points were discussed:
- The team continued to make good progress and have finalised a
further five audits since November 2020 and issued one interim
report.
- IT Controls Framework (ITCF): This was continuing to improve
but the report highlighted that the operation of the ITCF had been
interrupted by the absence of key personnel and no second line
assurance. This was further discussed in paragraph 12 below.
- Mails and Parcels: The audit highlighted several issues
concerning worsening performance with respect to compliance
with Prohibited and Restricted Items (Dangerous Goods)
requirements. Segregation of parcels and accuracy of Mail
Redirection forms were similarly underperforming. Unless
segregation performance improved, there was a risk that Post
Office could be liable for increased service credits under the new
agreement with Royal Mail. Tom Cooper and Ken McCall were
concerned that this was an on-going issue that did not seem to
be being addressed. Johann Appel was asked to send Tom
Cooper a summary of the audit actions from the report and a
detailed review of this issue, including what could be done at
source and what other carriers were doing in this area. An update
was requested for the next meeting in March 2021
(accountability sitting with Amanda Jones (Retail and Network
Franchise Director) and Mark Siviter (Product Portfolio Director -
Mails, PUDO, Retail and Branch Identity Services)).
ACTION:
JA
ACTION:
RW (agenda, inform)
- Interim Report on Historic Matters - CIJ Operations Improvement
Programme: It was noted that the chart in the report was
outdated and there were now 23 green actions, 10 amber and 1
red. The key finding was that there was no formal handover
process between the HMU and Operations. Nick Read highlighted
that in this area, the business was legally compliant, but not
necessarily fit for purpose. This was a key focus for the next six
months to ensure Operations, IT and culture were all fit for
purpose. A GLO Dashboard would be presented to the Board on
a monthly basis to give an overview of progress.
ACTION:
NR
- Belfast Exit Follow-Up and PCI Compliance: These were both
follow up reviews. Governance and day-to-day management
have improved since previous reviews, but there were still
significant risks that were largely outside the control of
programme teams and this reduced confidence that objectives
will be achieved as planned. Nick Read was requested to
re-establish the regular dialogue with the Ingenico CEO.
ACTION:
NR
- There was one outstanding audit action (Health & Safety
Response to COVID-19) and this was on track for completion by
the end of January 2021.
- It was noted that the planned audits on GLO Historical Shortfall
Scheme - Claims and Payments and Strategic Platform
Modernisation were due to be deferred from March 2021 to the
next audit year as evidence was not yet available.
Otherwise, the Committee NOTED the Internal Audit update,
specifically progress being made with delivery of the Internal Audit
programme and completion of audit actions.
Zarin Patel left the meeting.
Money Laundering Annual Report
5.1 Sally Smith introduced the paper, which had been circulated previously
and was taken as read. The following points were discussed:
- The conclusion was that the framework of Anti-Money Laundering
(AML) / Counter Terrorist Financing (CTF) controls were generally
effective and Post Office was complying with its regulatory
requirements under the Money Laundering Regulations (MLRs).
- However, the challenges were: the increase in scams, increasing
regulatory scrutiny and the potential introduction of the
Economic Crime Levy. A particular challenge was the increasing
volume of Suspicious Activity Reports (SARs) due to increased
cash deposits. Furthermore, the additional SARs were causing a
resourcing issue within the central team. Roles and
responsibilities changing across the business was making Fit &
Proper a challenge, but this was being managed.
- There were some on-going data issues impacting premises and
agent data with manual work arounds in some areas.
- The Financial Conduct Authority (FCA) has written to all banks
requesting updates on their controls regarding cash deposits. The
team was working closely with the Banking Framework 3 (BF3)
team to ensure the AML accountability requirements were clearly
assigned in the Framework. Ultimately, accountability was with
banks and Post Office cannot replicate a Know Your Customer
(KYC) process for all banking customers in the UK. Ken McCall
noted that with increasing bank closures, the pressure on Post
Office would only increase and questioned whether there could
be cost recovery under BF3. Nick Read explained commercial
discussions with the banks were on-going with the role of Post
Office, regulation and costs all being live issues.
- Tom Cooper questioned what key change was required to resolve
the AML and BF3 issue. Sally Smith explained that there were
existing controls that the banks have at their disposal that can
be deployed, but each bank has different infrastructures and
customer needs. Some banks used chip and pin for deposits
which made setting limits on volume and value easier. Other
banks still use paper deposits, and others were made up of
smaller institutions with different processes and levels of
sophistication. In addition, the pace of change in the banks is
slow. However, pressure from the National Economic Crime
Centre (NECC) Project Admiralty and the 2020 National Risk
Assessment would likely bring the issue further onto the banks’
radar, together with work through the Banking Framework
Agreement (BFA) AML Sub Group. The problem arose as the
banks had fully considered the challenges when depositing
through Post Office. The Chair advised that whilst conversations
regarding the banks’ responsibilities should continue, Post Office
could not rely on banks entirely and investment in analytics was
also important. It was noted that the fundamental challenge is
not having real time data or analytical capability at point of
deposit in the branches. This linked to loss prevention and
honouring the CIJ (see paragraph 9 below).
- In response to questions from Ken McCall, it was explained that
MoneyGram can block transfers to certain countries and change
limits at a branch level. This was an on-going daily contact with
the MoneyGram.
- On technology, Sally Smith explained that she was discussing
this area with Jeff Smyth (Group Chief Information Officer) to see
if there was anything that could assist the team, noting that Post
Office did not currently actively monitor cash and MoneyGram
(as this is the responsibility of the Banks and Moneygram,
respectively and would be a significant task for Post Office to
replicate). Post Office could demonstrate that enough was being
done internally to augment the bank / Moneygram controls. The
Chair highlighted that additional resources/technology must be
part of the BF3 commercial negotiations.
- On resourcing, more was required but this should be in the
business and banking team (1st line of defence), rather than the
central team (2nd line of defence).
Accordingly, the Committee APPROVED the recommendations within
paragraphs 9 - 12 of the report (including the table on pages 3-7),
noting that all actions must have due dates, and paragraph F of the
Annual Report of the Money Laundering Reporting Officer, prior to the
Annual Report being issued to the regulator, Her Majesty’s Revenue and
Customs (HMRC).
Update from Subsidiaries: verbal update
Post Office Management Services (ARC)
6.1
The Committee NOTED the update from the Post Office Insurance (POI)
ARC.
Annual Report & Accounts Update
Al Cameron introduced the paper, which had been circulated previously
and was taken as read. The following points were highlighted:
- Work was actively progressing to complete the Annual Report
and Accounts (ARA) for the financial year end 29 March 2020.
The ARA was largely drafted but needed some considerable
updates given the events over the last six to eight months.
Outstanding issues included:
1. A provision for Post Group Litigation Order and the
calculation of the accounting estimate in respect of the HSS,
as well as disclosure updates in respect of this scheme, the
contingent liability for Starling litigation and subsequent
events disclosure for the historical criminal cases.
2. Impairment on in: usiness investment which was
likely to be around:
3. A provision for hard to place branches, which might be up to
although there was a question as to whether this was
a past event or a new decision for inclusion in accounts to the
financial year end 29 March 2020. (Tom Cooper noted that
this was a joint reputational issue for Post Office and the
Government and needed to be discussed at the Board). Note:
This was subsequently discussed at the Board meeting later
on the same day.
4. The wording regarding contingent liabilities needed to be
discussed.
5. The Committee would need to agree that the CCRC issue was
included as a subsequent event (as it was in the future as at
29 March 2020).
- A detailed going concern assessment then needs to be completed
for a period of 18 months (rather than 12 months) from accounts
submission. Therefore, forecasts were being examined. PwC
have made it clear that unless a viability statement covers a
period of 18 months, they would likely include an emphasis of
matter paragraph in their opinion. Tom Cooper remarked that his
team were discussing this disclosure with BEIS Finance.
- The intention was for the Committee to review the accounts for
approval (for onward submission to the Board) on 26 February
2021.
- The sections relating to Risk and Remuneration would largely be
unchanged but the CEO and Chairman's report were being
completely redrafted.
The Committee NOTED:
i. the status of the Post Office Limited Group Annual Report and
Accounts for the year ended 29 March 2020
ii. the key items required for completion and signing of the ARA;
and
iii. the plan for completion and signing.
Tax Update & Tax Strategy
Andy Jamieson introduced the paper, which had been circulated
previously and was taken as read. The key points were highlighted as:
- VAT: This was complex to manage on a day-to-day basis and this
year has seen some additional challenges, namely Brexit (with
new reporting requirements for goods to Northern Ireland),
making tax digital, changes of income and introduction of Web3
which has allowed automation of tax coding. COVID has meant
no “in person” HMRC audits, but an online audit had been
completed.
- Corporation tax: As performance was improving, Post Office
would likely be in a position to pay this tax in 2022/23.
- Employment taxes: Historically, Post Office has not had any
expertise in this area and HMRC have expressed concerns.
However, an expert has now been recruited to review HR
processes and build in improvements.
- Feedback was to be provided by HMRC on the IR35
implementation in their March report.
The Committee NOTED the Tax Update and APPROVED the annual
review of the Tax Strategy.
Update on branch losses and balances on Postmaster accounts
Tim Perkins introduced the paper, which had been circulated previously
and was taken as read. The following points were highlighted:
- Performance has continued to be positive. Average loss per
i per trading period per
er trading period per branch. This has been
branch to
driven by proactive intervention, less cash in network, timeliness
of corrections and improved training.
- Next steps were to continue with these interventions and see
what can be done to improve the speed of corrections and
improvement in stock. Work was being done with HMU to remove
the “settled centrally” terminology from Horizon and add a
dispute button at the point of settling.
- Tom Cooper queried when the minimum value that can be settled
centrally would be changed from £150 to £0, noting he thought
this had been removed previously. Tim Perkins explained that
Accenture had just quoted to do this, and it was requested that
Tim Perkins provide the date as to when this would happen to
the Committee once he is advised of it.
ACTION:
TP
- In response to further questions about branches being able to be
‘rolled’ into the next trading period and how disputed items were
dealt with, Tim Perkins explained that balances are moved to a
Postmaster account to allow an investigation to take place to
establish the cause of the loss. A button would also be added to
Horizon to allow immediate dispute.
- Age of the transaction error was crucial, rather than the
number of errors. At present, measurements were based on
transactions over two months old. A measurement of 45 to 60
days (depending on the type of transaction) was being
considered to take into account how long client reconciliation
takes.
- At the request of Ken McCall more detail was provided on the
process where a cash declaration had not been done for 10 days
or for trading period roll overs (where not done for 60 days).
First, the Postmaster would be called by the team (bearing in
mind any branch closure) and the issue would be escalated to
the Area Manager. Where repeated contact has to be made, the
branch will also be visited to ensure they understand the
requirement and to understand the barrier(s) to completion.
There would also be a conversation with the contract advisor
team about contract performance.
- It was confirmed that branches with high cash holdings or highest
levels of cash deposits have excellent compliance with the branch
accounting requirements. However, for branches with high levels
of cash deposits, more transaction errors were seen, and this was
an area of focus, particularly as to whether better equipment
could be provided. Additional support from Area Managers and
Security Managers was being provided with a visit every month.
The Committee commented that key was to tackle this issue at
source. Al Cameron explained that any proposed changes had
been postponed given ongoing process reviews in this area.
- The Chair noted that it was good to see the figures decreasing
but that it would be useful to see a dashboard of branch balances
and transaction corrections, possibly as an addition to the
reporting on post GLO remediation. (Tim Perkins and Amanda
Jones to action for the next Committee meeting).
- Via email outside the meeting, Zarin Patel also suggested that
root cause analysis should be undertaken into the gross
losses/gains and net balances as these seemed very high
(paragraph 8 of the paper). (Tim Perkins and Amanda Jones to
consider for update at the next Committee meeting).
The Committee NOTED the update on balances posted to Postmaster
customer accounts following a request at the Committee in September
2020.
ACTION:
TP/AJ
ACTION:
TP/AJ
10. Postmaster Policies
10.1 Amanda Jones introduced the paper, which had been circulated
previously and was taken as read. It was explained that these three
policies were being proposed to formalise the improvements made to a
number of processes in response to the CIJ. Each policy was taken in
turn:
- Network Monitoring and Audit Support Policy: Norton Rose
Fulbright (NRF) (external lawyers) have reviewed the Postmaster
process changes which this policy covers. The Chair questioned
why the Risk Appetite section was missing. It was confirmed that
the risk appetite was averse, but that this linked back to the
earlier discussion regarding the risk appetite statement for
Postmasters and the need for clear KRIs, which were particularly
required to judge if the policy was being embedded and enforced.
This section should be added into the policy in line with the work
to be completed on KRIs for Postmasters (see action above in
paragraph 4.2).
There was also an action to carefully consider references to
“employee” throughout the document.
It was also confirmed that this was an internal policy (not
Postmaster facing), but a similar version would be created as
part of the Postmaster manual. It was explained there would be
an overarching document demonstrating how the policies fit
together and it was agreed this would be presented to the
Committee in March 2021 with the Chair requesting that it be
clear in this document who was the audience of which policy.
- Postmaster Account Support Policy: This policy had been
reviewed by NRF. A different approach was being taken by the
former loss recovery team, which was to be supportive and
understanding of discrepancies.
ACTION:
TP/AJ/
MB
ACTION:
TP/AJ
ACTION:
TP/AJ
It was explained that the three policies interfaced to provide
support to Postmasters. The Network Monitoring policy related to
investigation, Account Support was for proactive support and
Dispute Resolution sets out the tiers of support provided in the
event of a discrepancy (section 4 of the policy).
The Chair questioned the wording of the risk appetite section and
it was requested that this was reviewed before the policy was
published/implemented.
ACTION:
TP/AJ/
MB
With respect to the writing off of discrepancies, it was explained
that the team were working hard to reduce the number and size
of discrepancies. There were no caps on amounts that could be
written off over a period of time as the controls to approve the
write offs ultimately formed part of the finance processes.
- Postmaster Accounting Dispute Resolution Policy: NRF have
reviewed the Postmaster process changes which this policy
covers.
Tom Cooper questioned whether after the Tier 3 support level
(section 4 of the policy) litigation was the only option,
considering that the amount could be small. Tim Perkins
explained that the account support processes were used to
consider how the discrepancy should be dealt with and whether
it should be written off, with a lot of engagement with the
Postmaster. Where there were persistent losses or carelessness,
then this would be dealt with from a contractual performance
perspective i.e. termination on notice.
The Committee requested that the following elements were
included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3
(indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through
the dispute resolution process (i.e. accounting records,
Horizon data etc.);
4. Reference to classroom training that would be provided to
Postmasters on investigating balance discrepancies; and
5. A checklist for each tier.
ACTION:
TP/AJ
Zarin Patel (by email outside of the meeting) also raised the following
points:
i. Both the Postmaster Account Support Policy (para 2.5 and
4.1) and the Network Monitoring and Audit Support Policy
(para 2.5) referred to “reasonable and fair investigations”
without adequately defining this; and
ii. The Network Monitoring and Audit Support Policy should
address skill set and attitude of lead auditors and how the
new culture would be embedded so they did not approach the
audit with preconceived biases.
ACTION:
TP/AJ
Accordingly, the following policies were APPROVED by the Committee:
- Postmaster Account Support Policy (subject to a review of the
wording of the risk appetite section and addition of a definition
of a “reasonable and fair investigation”); and
- Network Monitoring and Audit Support Policy (subject to the
addition of a risk appetite section and a definition of a
“reasonable and fair investigation” as well as the skill set and
attitude of the lead auditors and how the new culture would be
embedded).
The Postmaster Accounting Dispute Resolution Policy was to be revised
in line with the Committee's discussions (including a review of all risk
appetite references) and approved by written resolution after the
meeting.
11. Historical Matters Unit: Fraudulent Claims Controls & Delegation
of Authority
Declan Salter and Graham Hemingway introduced the paper which had
been circulated previously and taken as read. The key points were
highlighted as:
- Responsibilities, accountabilities and decision-making
authorities: Work was being done to produce an operating
charter and a RACI, including delegated authorities and
accountabilities. This has taken longer due to engagement with
BEIS and UK Government Investments (UKGI). A ways of
working document has been agreed, but a decision-making flow
chart was still being updated. Once complete, it was to be
circulated to the Board at its CCRC meeting. Further discussions
were being held on reporting to BEIS/UKGI.
- Mitigations against risk of fraudulent claims: Fraud risks were
being actively managed by Herbert Smith Freehills (HSF) and the
Project team covering 21 separate fraud risks as set out in
appendix 1 of the report. By way of email outside the meeting,
Zarin Patel suggested that the team consider best practice for
fraudulent claim controls, such as those used for Payment
Protection Insurance (PPI) claims. Graham Hemingway
provided the following response: the mitigations have been
compiled and reviewed by his team, which included programme
and project managers as well as business analysts with
experience of managing PPI-type claim schemes at Lloyds
Banking Group, Barclays, Nationwide, RBS and Co-op Bank.
Further, Declan Salter’s experience has also fed into the ongoing
risk management activities, particularly around risk of
interception of emails. Internal Audit or an external team could
review the mitigations as part of their planned reviews.
ACTION:
GH/DS
- Data relating to fraudulent claims and eligibility to be appended
to the CCRC Board pack: MI showing latest eligibility results
(values and volumes) from HSS was already being distributed as
part of an MI pack that HSF share with Board members on a
weekly basis. Information relating to identification of fraudulent
claims has been shared as part of the CCRC Board packs since
14 January 2021. In response to questions from the Committee,
Graham Hemingway further explained that eligibility checks were
a standard under the Terms of Reference of the HSS. Work was
still being done to work through the data and evidence available
on each claim, which was difficult due to the age of some claims.
It was also confirmed that the team was looking to instruct legal
counsel to understand rules around deceased estates and
bankruptcy in other jurisdictions (mainly Scotland and Northern
Ireland), which was necessary for a small sub-set of claims.
Otherwise, the Committee NOTED how risks relating to fraudulent
claims are being managed in the Historical Shortfall Scheme (and the
Stamps Scheme) and that controls were in place to confirm the
eligibility of claims.
12. IT Controls Assessment
12.1 Tony Jowett introduced the paper, which had been circulated previously
and was taken as read. The main focus of work in the IT Controls was
the Internal Audit Report actions and focus of the improvement effort
was on the controls of greatest risk, namely those areas connected with
the management of the third-party estate through the lens of Post
Office’s crown jewel systems. The Committee requested that there be
a detailed review of this, and this review would be reported to the
Committee, targeting the next meeting.
ACTION:
TJ
On resource constraints flagged by the Internal Audit report, Tony
Jowett further explained that the size of the team had been doubled
and someone had been appointed to the business continuity role but
was not yet in post.
The Committee NOTED the status and plans regarding the reduction of
risk associated with IT Controls.
13. AOB
13.1 There being no further business, the meeting was closed at 11:27.
14. Items for Noting
14.1 The following papers were circulated to the Committee prior to the
meeting, but were not discussed at its meeting and NOTED by the
Committee:
- Pensions Controls
- Success Factors
- Cyber Security
- Joiners, Movers, Leavers (JML)
- Law & Trends
- Accountable Person*
- Mails Fraud Update**
*Outside of the meeting, Tom Cooper requested that paragraph 18
needed to be amended to remove the following line: “There is a UKGI
representative on the POL Board, who have oversight of the Group
Executive (“GE”) and are able to challenge and review relevant
decisions made by the AP and the GE team” as his role on the Board
was not linked to the role of the Accountable Person.
** Subsequent to the meeting, Tom Cooper questioned whether power
outages (affecting label printing) had implications for the integrity of
branch accounting and accuracy of postmaster balances. Declan Salter
has confirmed that, absent fraudulent activity, there would be no
financial loss. Furthermore, that, in this regard, there are no system
related integrity issues.
Chair
CARLA STENT
Meeting Actions:
Para No.
Action Detail
Action
2.1
Investigations Policy: Accordingly, the Committee APPROVED the
Investigations Policy, subject to:
i. The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent and
have the appropriate expertise and appropriate references to
other relevant policies; and
ii. The policy being externally reviewed, and the results of this review being
considered and included as appropriate.
Ben Foat
4.1
Risk Update: The Chair noted a discussion in the Internal Audit meeting
that morning about how to implement controls around Postmaster risks
and how to validate GLO initiatives. Mark Baldock was asked to pick this
up with Jonathan Hill with an update to be provided at the March meeting.
Multiple partner fragility was also noted as a key operational risk due to
the economic threats to the high street.
Mark Baldock
4.1
Risk Update: Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around
“insufficient” funding reflect the risk of uncertainty about funding;
- Paragraph 25 relating to the risk of prolonged industrial action as
this should refer to pace of response rather than the risk of material
long term industrial action; and
- Paragraph 27 relating to adverse external economic factors, noting
that much of this was outside Post Office’s control and that some
elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with Ken
McCall and provide an update for the next Committee meeting.
Mark Baldock
Risk Appetite Statement: Legal & Compliance: As such, Mark Baldock
was asked to look at identifying the KRIs for Postmasters with the Network
team and consider working on statements for one or two other areas for
update at the March Committee meeting (in the usual Risk Paper).
Mark Baldock
4.3
Compliance Update: Ken McCall noted that the report outlined that there
had been changes to the Postmaster Onboarding process and questioned
whether this meant the onboarding process was quicker. Jonathan Hill was
asked to confirm this point for update at the next meeting.
Jonathan Hill
4.3
Compliance Update: In response to questions from Ken McCall raising
concerns about the wording of this section in the report (paragraph 11),
it was confirmed that it was the mapping of processes for activities
addressing the CIJ that had no consistent approach, rather than the
controls themselves. Key was evidence of controls and a consistency of
approach. The HMU team was working with the relevant business areas to
address this. However, the Chair asked Jonathan Hill to further consider
before the next meeting any underlying issues (not just related to
mapping), what controls were in place and whether or not they were
appropriate.
Jonathan Hill
4.3
Compliance Update: Zarin Patel also requested that the Committee have
sight of the KPMG review of the HIJ when this was ready, noting that there
were a lot of papers regarding Postmasters before the Committee and the
Board and therefore questioned whether the issue was under control.
Jonathan Hill
4.3
Compliance Update: Fire Risk Assessments: The Committee requested
to be kept up to date regarding the outstanding actions in respect of fire
risk assessments undertaken in June and July which are currently being
investigated by the Head of Health & Safety. This was to be included in
the Compliance report for the March meeting.
Jonathan Hill
4.4
Internal Audit Update: Johann Appel was asked to send Tom Cooper a
summary of the audit actions from the [Mails & Parcels] report.
Johann Appel
4.4
Internal Audit Update: a detailed review of [the Dangerous Goods]
issue, including what could be done at source and what other carriers were
doing in this area. An update was requested for the next meeting in March
2021 (accountability sitting with Amanda Jones (Retail and Network
Franchise Director) and Mark Siviter (Product Portfolio Director - Mails,
PUDO, Retail and Branch Identity Services)).
Rebecca Whibley
4.4
Internal Audit Update: Nick Read highlighted that in this area, the
business was legally compliant, but not necessarily fit for purpose. This
was a key focus for the next six months to ensure Operations, IT and
culture were all fit for purpose. A GLO Dashboard would be presented to
the Board on a monthly basis to give an overview of progress.
Nick Read
4.4
Internal Audit Update: Belfast Exit Follow-Up and PCI Compliance:
These were both follow up reviews. Governance and day-to-day
management have improved since previous reviews, but there were still
significant risks that were largely outside the control of programme teams
and this reduced confidence that objectives will be achieved as planned.
Nick Read was requested to re-establish the regular dialogue with the
Ingenico CEO.
Nick Read
9.1
Update on branch losses and balances on Postmaster accounts:
Tom Cooper queried when the minimum value that can be settled centrally
would be changed from £150 to £0, noting he thought this had been
removed previously. Tim Perkins explained that Accenture had just quoted
to do this, and it was requested that Tim Perkins provide the date as to
when this would happen to the Committee once he is advised of it.
Tim Perkins
9.1
Update on branch losses and balances on Postmaster accounts:
The Chair noted that it was good to see the figures decreasing but that it
would be useful to see a dashboard of branch balances and transaction
corrections, possibly as an addition to the reporting on post GLO
remediation. (Tim Perkins and Amanda Jones to action for the next
Committee meeting).
Tim Perkins / Amanda Jones
9.1
Update on branch losses and balances on Postmaster accounts: Via
email outside the meeting, Zarin Patel also suggested that root cause
analysis should be undertaken into the gross losses/gains and net
balances as these seemed very high (paragraph 8 of the paper). (Tim
Perkins and Amanda Jones to consider for update at the next Committee
meeting)
Tim Perkins / Amanda Jones
10.1
Postmaster Policies: It was confirmed that the risk appetite was averse,
but that this linked back to the earlier discussion regarding the risk
appetite statement for Postmasters and the need for clear KRIs, which
were particularly required to judge if the policy was being embedded and
enforced. This section should be added into the policy in line with the work
to be completed on KRIs for Postmasters (see action above in paragraph
4.2).
Tim Perkins / Amanda Jones / Mark Baldock
10.1
Postmaster Policies: There was also an action to carefully consider
references to “employee” throughout the document.
Tim Perkins / Amanda Jones
10.1
Postmaster Policies: It was explained there would be an overarching
document demonstrating how the policies fit together and it was agreed
this would be presented to the Committee in March 2021 with the Chair
requesting that it be clear in this document who was the audience of which
policy.
Tim Perkins / Amanda Jones
10.1
Postmaster Policies: The Chair questioned the wording of the risk
appetite section and it was requested that this was reviewed before the
policy was published/implemented.
Tim Perkins / Amanda Jones / Mark Baldock
10.1
Postmaster Policies: The Committee requested that the following
elements were included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3
(indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through
the dispute resolution process (i.e. accounting records, Horizon
data etc.);
4. Reference to classroom training that would be provided to
Postmasters on investigating balance discrepancies; and
5. A checklist for each tier.
Tim Perkins / Amanda Jones
10.1
Postmaster Policies: Zarin Patel (by email outside of the meeting) also
raised the following points:
i. Both the Postmaster Account Support Policy (para 2.5 and 4.1)
and the Network Monitoring and Audit Support Policy (para 2.5)
referred to “reasonable and fair investigations” without
adequately defining this; and
ii. The Network Monitoring and Audit Support Policy should address
skill set and attitude of lead auditors and how the new culture
would be embedded so they did not approach the audit with
preconceived biases.
Tim Perkins / Amanda Jones
11.1
Historical Matters Unit: Fraudulent Claims Controls & Delegation
of Authority: A ways of working document has been agreed, but a
decision-making flow chart was still being updated. Once complete, it was
to be circulated to the Board at its CCRC meeting. Further discussions
were being held on reporting to BEIS/UKGI.
Graham Hemingway / Declan Salter
12.1
IT Controls: The main focus of work in the IT Controls was the Internal
Audit Report actions and focus of the improvement effort was on the
controls of greatest risk, namely those areas connected with the
management of the third-party estate through the lens of Post Office’s
crown jewel systems. The Committee requested that there be a detailed
review of this, and this review would be reported to the Committee,
targeting the next meeting.
Tony Jowett
Voting Results for January Minutes
The signature vote has been passed. 1 votes are required to pass the vote, of which 0 must be independent.
Vote Response Count (%)
For 1 (100%)
Against 0 (0%)
Abstained 0 (0%)
Not Cast 0 (0%)
Voter Status
Name Vote Voted On
Stent, Carla For 01/04/2021 21:01