POL00447944 - Post Office Limited - Speak Up (‘Whistleblowing’) function assessment


Speak Up (‘Whistleblowing’) function assessment
Post Office Limited (‘POL’)

Private and Confidential

26 April 2023

Ernst & Young LLP
1 More London Place
London SE1 2AF
ey.com
Building a better working world

Private and confidential 26 April 2023

Post Office Limited

Dear John,

Review of POL Speak Up Function (SUF)

We are pleased to attach our draft report (‘Report’) setting out our assessment of the POL SUF¹.

Scope of our work

Our scope of work, as set out in our engagement letter dated 10 February 2023, covered three
workstreams:

1. Policy Assessment - Assessment of relevant policy documents against best practice, using
SYSC 18 as an indicative model;

2. Implementation of process via Speak Up (SU) Investigation assessments - Assess a
sample of five investigation case files to establish whether the Post Office (POL) policies are
operating as designed; and

3. Feedback Gathering - Interviews with a sample of up to six stakeholders of the SU process to
establish their views on the process and possible areas for future development.

Our Report provides our observations on the POL SUF and recommendations for improvements.

Caveats

Our sources and types of information we have used in our work are set out at Appendix A. Unless
specifically stated, we have not sought to confirm the accuracy of the information provided to us.

The receipt of further information may cause us to qualify or amend the observations reported herein. If,
for any reason, we subsequently consider that the Report requires further qualification or amendment,
we will notify you.

Our procedures did not intend, or seek, to express an audit opinion on the information and, therefore,
do not constitute an audit and should not be relied on as such.

Limitations of use and distribution of the report

Our Report was prepared in line with the agreed scope solely for the purpose of this engagement and
should not be relied upon for any other purpose. It should not be quoted, referred to or shown to any
other parties unless so required by court order or a regulatory authority, without our prior consent in
writing. We assume no responsibility whatsoever in respect of or arising out of, or in connection with, the
contents of this report to any other parties. If others choose to rely in any way on the contents of this
report, they do so entirely at their own risk.

¹ Whistleblowing is commonly referred to as ‘Speak Up’ (SU) as the word whistleblowing has negative connotations attached to it.
POL refer to their function as ‘Speak Up’, therefore ‘Speak Up’ and ‘Whistleblowing’ can and will be used interchangeably.

Structure of the Report

Section 1 is our executive summary. In Section 2 we set out the background to our work and summarise
our approach. Section 3 sets out our observations and detailed recommendations which we have
grouped into themes. Please note that the Report focuses on exceptions, rather than providing a detailed
summary of all ongoing and planned SUF activities.

We appreciate your team’s help in carrying out our work and look forward to providing our continued
assistance.

We shall be pleased to discuss the observations set out in this Report with you. If you have any queries
regarding our Report, please do not hesitate to contact me.

Yours sincerely

Spencer John
Partner
For and on behalf of Ernst & Young LLP


Abbreviations

Abbreviation  Definition
APPG          All-Party Parliamentary Commission
ARC           Audit and Risk Committee
CEO           Chief Executive Officer
CIU           Central Investigation Unit
CMS           Case Management System
FCA           Financial Conduct Authority
GIP           Group Investigations Policy
IM            Investor's Manual
KPI           Key Performance Indicator
NED           Non-Executive Director
NFSP          National Federation of Sub-Postmasters
PIDA          Public Interest Disclosure Act 1998
POL           Post Office Limited
POMS          Post Office Management Services Limited
PRA           Prudential Regulation Authority
SLA           Service Level Agreement
SU            Speak Up
SUC           Speak Up Champion (i.e., WBC)
SUF           Speak Up Function
SUR           Speak Up Reporter
SUT           Speak Up Team
SYSC 18       Senior Management Arrangements, Systems and Controls - Chapter 18
TCG           Tactical Coordinated Group
TOR           Terms of Reference
WBC           Whistleblowers’ Champion
WPB v7        Whistleblowing Policy v7

Contents

1. Executive summary
2. Background
3. EY Scope and Approach
4. Observations and recommendations
Appendix A Documents Received and Interviews
Appendix B Interview agenda items
Appendix C SU regulatory backdrop
Appendix D Statement of Work (SOW)


Executive summary

The POL SUF has undergone significant change and investment in recent years, including significant
hiring activity, creating a bespoke Speak Up Team (SUT), and writing and refreshing policies and
procedures.

Benchmarking exercises were carried out in February and November 2021 by the POL on a self-
assessment basis (with Protect, the Whistleblowing charity) and POL has reported improvement
between these two touchpoints.

EY was asked to assess POL's SUF, to enable POL to gain an external viewpoint over their current
state and for EY to provide recommendations to further enhance the function.

We performed this work through a combination of:

> An assessment of policy and procedure documents
> A desktop assessment of five completed cases
> Interviews with process stakeholders

Our work was performed on the current policies and procedures and has not sought to perform a
lookback exercise to comment on earlier teams or processes.

We would like to note that all staff members or stakeholders that we have interacted with during this
assessment have been open and proactive and have demonstrated a very constructive engagement
with the assessment and with proposed recommendations.

This Report sets out in more detail the work we have performed, and Section 3 contains the detail of
our observations, including observations and recommendations.

We have also noted overall themes to our work, set out below:

1) Tone from the top

The importance of engagement of senior leadership in a SU process cannot be overstated. We note
from conversations with stakeholders that the POL is in a period of cultural change, which presents
both opportunities and pressures for a SU process.

> Socialisation and messaging - the replacement of the whistleblowers’ champion (WBC)
presents an opportunity to re-engage with all staff messaging. Positive and supportive statements on
the process from senior leadership and stakeholders can help build confidence in the process.

> Risk and data - the SU process can be an important data point for leadership to get a view of
organisational health and can point to areas of underlying risk. During this engagement we heard
varied messages about the prominence that SU is given in top level conversations about risk. To get
full value out of this data, the right level of management information needs to be presented to the right
committees (such as the Audit and Risk Committee (ARC) and the Group Executive Committee), and
those committees need to consider and discuss the data on a regular basis.

2) Documentation

> We raise a number of recommendations to enhance the SUF's policy and procedure
documents. A number of these changes were already in flight, with a refresh of the policy planned for
later in 2023. Our recommendations centre around the level of detail included in the documents,
clarity for the user of these documents and the need to formalise key decision points, such as triage
and risk assessments.


> We also make some recommendations around documentation of the investigation process.
Our case sample testing did not highlight any major gaps in the investigation of these cases, but there
were points that we had to obtain details from the case investigator rather than the detail being
evidenced in the files.

3) Training

In addition to all person trainings, where a role has responsibilities for operating the firm’s internal
programme, specific guidance is needed to ensure that the role holder is aware of their
responsibilities and has the ability and resources to perform these responsibilities. This guidance
could be in the form of web-based learnings, intranet-based guidance or in person trainings.
Significant roles to consider are line managers, the WBC, and the Group Executive Members.

4) Case Volumes and Awareness

It was noted in interviews that the volumes received by the SU line were lower than expected. Low
reporting of cases could indicate that there are no issues to report but could also indicate that
potential reporters either are not aware of the SUF or do not want to raise issues to the SU line.

We have been informed that employee surveys have been performed and that further activity is
planned to socialise the SU line to employees and other stakeholders. The results of these activities
will be key to establishing whether all potential reports are being made.

5) Resourcing

Concerns have been raised to us on the resourcing of the SUT, as they are currently working on
improving their processes, managing current caseloads, and assisting other parts of the business with
their investigations. This could result in SU reports that are assessed as low risk being “parked” and
not investigated on a timely basis.

In our experience, periods of organisational change tend to result in an increase in the number of SU
reports. We have also seen cases increase when socialisation initiatives, such as roadshows and
Executive Committee statements are made.

The structure and resourcing of the SUT will be key to ensuring the future robustness of this process.


Background

POL SUF Structure

The Speak Up Team (SUT) was set up approximately 18 months ago and comprises a SU manager,
an analyst, and two full-time investigators.

The day-to-day management of SU is performed by the SU Manager - Claire Hamilton (CH), overseen
by the Head of the Central Investigations Unit (CIU) - John Bartlett (JB). This team, which includes the
SU Manager and nominated deputies, receive all reports raised, regardless of the channel used,
assess any concerns raised and perform a triage assessment to determine the best course of action,
if any. JB is also the Whistleblowing Policy Owner.

The SUT is part of POL’s CIU which oversees all (i.e., SU and non-SU) internal investigations. JB and
the Group Legal Director - Sarah Gray (SG) have overall accountability to the Board of Directors to
oversee that a positive SU culture is proactively encouraged throughout POL and the current
arrangements are challenged and assessed for areas of continuous improvement².

The Whistleblowing Policy Sponsor (Group Compliance Director) and Owner (JB) are accountable for
the implementation of controls ensuring POL meets its SU obligations.

The Group General Counsel - Ben Foat (BF) has overall accountability to the Board of Directors for
the design and implementation of controls in relation to internal investigations, including SU
investigations. Following good market practice³, POL appointed an independent Non-Executive
Director (NED) as WBC on 26 November 2019. The WBC’s primary purpose is to be a point of
assurance for the integrity, objectivity, independence, effectiveness, and evolution of the SUF in
adherence with the Group SU Policy and associated procedures⁴.

SU is an agenda item for the ARC and the POL Board is updated as required.

The SUT is governed by a few key policy and procedure files, notably the Whistleblowing Policy,
Group Investigations Policy, and Investigator’s manual.

Case load and reporting

Between 2022 and February 2023 there have been a total of 148 cases referred to the SUT, of which
18 are classified as ‘PIDA’ (Public Interest Disclosure Act) cases, i.e., reportable concerns made by
POL employees. The remaining 130 are classified as non-PIDA cases, i.e., reportable concerns made
by non-POL employees who are protected by POL policies rather than legislation⁵, such as
postmasters (POL franchise employees), or other cases investigated by the SUT.

Stakeholders such as employees are provided with several channels to raise SU concerns, including:

> The POL SU mailbox (viewed by SUT members only);
> Reporting via the SU web portal operated by Convercent (a third-party);
> The Convercent hotline; or
> Internal reporting (e.g., a line manager)⁶

² Whistleblowing Policy v7 page 3

³ Market practice observed at peer institutions and described in regulatory guidance such as SYSC18

⁴ NED Speak Up Champion TOR page 2

⁵ i.e., POL voluntarily extend these SU protections as an act of goodwill rather than legal duty

⁶ Stakeholders would also be able to write a letter to POL (e.g., to PO Head Office) which would then be shared with the SUT.
This option is therefore not advertised as the preferred intake method is to use the SU web portal (which also allows for
anonymous reporting).


When raising a concern, SU Reporters (SURs) can choose to share their identity (referred to as
making a ‘confidential report’) or remain anonymous (referred to as an ‘anonymous report’).
Maintaining the confidentiality of any SUR is considered a priority by the SUT and POL management.

We understand POL performed benchmarking exercises with Protect (SU charity)⁷ in February and
November 2021, observing improvements in scores for each exercise. We further understand that a
number of continuing improvement initiatives are underway or planned, such as an updated
whistleblowing policy and procedure documents. We have acknowledged in our observations and
recommendations where we are aware that changes are already being made.

⁷ Protect - Speak up stop harm (protect-advice.org.uk)


EY Scope and Approach

As set out in the SOW (see appendix E), our work was set out in three workstreams:

> Policy Assessment
> Sample Testing
> Stakeholder Interviews

Policy Assessment

We performed a desktop assessment of policy and procedure files (e.g., policy documents, relevant
reports, and management information), listed under Appendix A. These documents were assessed
against EY’s knowledge of whistleblowing and speak-up teams in comparable retail entities,
structured using the EY Speak-Up Methodology, and against SYSC 18 regulatory requirements.

We have incorporated our observations and recommendations in Section 3, below.

Sample Testing

We performed an assessment of a sample of five case files. These assessments were completed on
site at the Post Office and in the presence of the SU manager, to comply with POL data protection
requirements.

POL has received a total of 148 cases from the beginning of 2022 to February 2023 of which 18 are
PIDA cases. Our sample was selected from the total POL population of cases. We agreed the sample
with POL and selected cases to cover: PIDA and non-PIDA cases⁸, different intake methods
(e.g., emails to CIU, Information Security Team, social media), different themes (e.g.,
accounting/regulation violations, compliance violations, and theft) and different impact ratings (e.g.,
medium, and high). We also ensured that all cases in our sample were investigated by the SU team.
Following triage, some cases in the population were referred to other teams for investigation.

To assess the cases, we used documents listed in Appendix A (e.g., SU Policy) to form a list of
expectations and controls governing the investigation process. We then tested our sample of cases
against this list of controls through assessing case file data stored on Convercent and on the SUT
SharePoint. In addition, we held follow-up discussions with either the SU Manager or investigator to
clarify our understanding of each case.

Due to confidentiality, we are not able to provide investigation details, however, please see the below
table for a high-level summary using non-identifiable data:

PIDA or non-PIDA | PIDA | PIDA | PIDA | non-PIDA | non-PIDA
Reporter Identity | employee | employee | ex-employee | Internal Audit | Branch staff
Intake method | email (CIU/SUT) | email (CIU/SUT) | email (to Info Security) | internal meeting | social media
Theme | Accounting/Audit related | Compliance/regulation violation | Compliance/regulation violation | Theft | Compliance/regulation violation
Original Impact Category | High | Medium | High | High | Medium⁹

⁸ The case sample contained three PIDA (Public Interest Disclosure Act 1998) and two non-PIDA cases.
⁹ Case 0714422 was initially chosen as a non-PIDA case, however on further consideration it was uncovered that the case was
an investigation carried out by the SU team which did not come from a SU concern. Therefore, it was replaced with case (130aa22).


We have incorporated our observations and recommendations in Section 3, below.

Stakeholder Interviews

We interviewed five senior stakeholders with roles related to the SUF, selected by POL. These
interviews are summarised in the below table.

Interviewees | Title | Date | EY Attendees
Sarah Gray | Group Legal Director | Tue 7 Mar - 4pm | Michelle Acton-Phillips (MAP), Tom Bendor-Samuel (TBS)
Zarin Patel | Speak Up Champion | Thu 9 Mar - 3pm | Spencer John (SJ), MAP
Ben Foat | Group General Counsel | Mon 13 Mar - 4pm | MAP, TBS
Nick Read | Group Chief Executive Officer | Tue 14 Mar - 9am | SJ, MAP, TBS
Ben Tidswell | Investigation Champion | Wed 15 Mar - 11am | MAP, TBS

The objective of these interviews was to establish the interviewees’ views on the current process,
possible areas for future development and any challenges that they see on the horizon. These
interviews also summarised our views on the process and emerging observations, discussion of
which helped to confirm our understanding of existing processes, inform EY observations, and form
additional recommendations. The standard agenda for the interviews is included as Appendix C, but
each interview was tailored to each individual and their role.

We have incorporated our observations and recommendations from these discussions in Section 3,
below.

Observation and recommendation themes
Our assessment has been guided by the EY Speak Up methodology which we use to assess SUFs.

Our recommendations are aligned to the methodology themes and areas.

The below table offers examples of indicators of well-established SUFs:

SU theme / area | SU sub-theme / area | Examples of indicators for each theme / area

Monitor and review | Confidential reporting culture
- Integrity and compliance concerns is part of operating culture
- Staff are confident to report matters of concern to managers
- Surveys conducted to measure awareness and confidence of systems in place to report and resolve integrity concerns

Tone at the top
- Leaders at all levels are recognised as role models for integrity throughout the organisation
- Support for raising concerns is reinforced through available media (e.g., webinars)
- Leaders showcase positive whistleblowing examples as leading practice.

Policy and guidance
- The policy assures support for those who report concerns.
- Policy states that victimisation of anyone who raises a concern will be subject to disciplinary action.
- The ways to report outside of line management is clearly described including to the FCA’s own line.

Oversight and reporting
- Compliance and integrity are embedded in the board's comprehensive risk-management, governance, and management-review processes
- Tested board procedures in place to conduct independent investigations and to manage related business, legal and reputational issues.

Awareness and training | Awareness and training
- The importance of raising concerns is actively promoted to employees, its appointed representatives and tied agents.
- Compliance and integrity courses are delivered through a mandatory structured learning system.
- Training is not solely web based and provides an opportunity for employees to ask questions.

Implementation of function | Accessibility / ease of use of whistleblowing process
- A range of reporting options are provided, including phone, voicemail, web, email
- The service is available 24/7 365
- The system is accessible to staff of key contractors, appointed representatives and third parties outside the organisation

Triage and case management
- Triage process provides robust data for management and the board.
- All disclosures, particularly those of a minor nature, are analysed to identify trends and patterns.
- Processes are tested for effectiveness and potential improvement.

Investigation
- Core investigation team coordinates all investigations to ensure escalation in cases where enhanced level of skill or experience or specialist external support is required
- Regular updates to SUR in accordance with policy.

Analysis of reports | Effectiveness
- Regular reports, including significant issues, made from all parts of the organisation
- Reports made via all available reporting methods.
- Independent assessments of function effectiveness and efficiency; organization's processes for continuous improvement applied to SUF operations.

Throughout the process we have shared draft observations with the SUT to confirm factual accuracy
and gauge the proportionality of draft recommendations. This ongoing feedback has been
incorporated into the observations and recommendations in Section 3.

Additional Consideration: Post Office Management Services Limited (POMS)

The entity within the scope of this Report is the POL, however we understand that the subsidiaries of
POL also rely on the POL SUF. Whilst POL is not regulated, one of the POL subsidiaries, POMS, is a
FCA regulated firm and therefore might be required to comply with SYSC 18. Amongst other factors,
our assessment has considered SYSC 18 for guidance purposes as it acts as a useful reference for
gauging the maturity of SUFs, but we have not performed a full gap analysis for regulatory purposes.

POL should consult with those charged with governance of POMS to establish POMS’ regulatory
requirements, the extent to which the POL policies and controls comply with these requirements, and
what additional policies and controls are in place at a POMS level to ensure regulatory compliance.

4. Observations and recommendations

1. Culture of speaking up

POL appears to be taking steps to build a culture of
speaking up. The SUT have and continue to hold
training roadshows with different POL stakeholder
groups to create further awareness of the SUF. The
interviewees reported receiving fewer reports than
expected for an entity of this size, and therefore
further awareness exercises are planned.

Overall awareness and culture
Surveys

EY understand that a staff survey was carried out in
2021 to gauge confidence and awareness in the
SUF. We did not obtain the results of this survey.

Case volumes

EY note through interviews that there is a perception
that case volumes are lower than expected for an
entity of this size. It is difficult to establish an
accurate expectation for case volume as this can be
impacted by multiple internal and external factors
such as culture, working environments or economic
performance. According to the 2022 Navex Regional
Whistleblowing Hotline Benchmark Report (page 8)
the median report levels for European organisations
is 0.5 reports per 100 employees. If we consider only
direct employees, this is in line with POL reporting
metrics, as POL shows an average of 0.5 reports per
100 employees (18 PIDA cases across 14 months
for 3,380¹⁰ headcount in 2022).

POL intranet homepage

EY understand the contact details relating to SU
available on the POL Homepage were out of date at
the time of our assessment.

Feedback to whistleblower

We note in the SU Policy (page 8) the five working
day deadline to confirm receipt of a concern with the
SUR.

SUR interactions

We understand communication with the SUR is
maintained on the SU SharePoint in the ‘Decisions
and Actions’ log. Through case file testing, EY note
SURs are being engaged with, but these discussions
were not systematically summarised.

2. Protection of those raising concerns

EY note that POL consistently communicate that
protecting confidentiality of SURs is vital, and that
serious action will be taken against any individual
who threatens or retaliates against SURs in any way.

Culture of speaking up
Overall awareness and culture
Surveys

> Following good market practice, we a) recommend staff
surveys are carried out regularly to gauge confidence and
awareness in the SUF, b) that analysis and actions are
agreed and tracked to completion (e.g., in a SU
Communication Plan) to further improve scores; and c) that
results, and actions are shared with the board (e.g., in an
annual report) for their awareness and input.

Case volumes

> EY recommend that the SUT engage with their wider
stakeholders to establish why there is the perception that
volumes are too low, and whether these stakeholders have
specific concerns about areas of the business or
populations of potential reporters which could be
addressed.

> EY recommend including and tracking case volumes
against wider stakeholder groups (e.g., employees,
postmasters etc.), particularly as the SUT prepare and
share awareness campaigns with these audiences. EY
understand this data is available in recent MI packs.

> If there is any expected increase in case volume, EY
recommend consideration of the resourcing of the SUT in
response to this expectation.

POL intranet homepage

> We recommend contact details are updated, including a
link to the SU intranet Site when it is available¹¹.

Feedback to whistleblower

> Following the acknowledgement of receiving a concern
(made within 5 working days), it is good market practice
(based on the Whistleblowing EU Directive) that the SUR
be informed of any action taken within three months of
reporting their concern (where the Whistleblowing Team
have the necessary contact details).

SUR interactions

> We recommend a) including a section within the case
strategy document to ensure these SUR interactions are
summarised, or b) including a reference to the file (held on
SharePoint) in which communications are logged and
summarised.

> b) Updating the ‘Decisions & Actions Log’ template to make
clear (e.g., through a tick-box) which parties have been
solicited during the investigations process such as within POL
teams (SUT, CIU, or other POL teams or SMEs), or
discussions with external stakeholders (e.g., legal
counsel).

Protection of those raising concerns

Detrimental treatment

> We recommend including a detriment assessment section
within the case file to ensure systematic documentation at
each step of the investigation process including post-closure.

> Following good market practice, we recommend
management create a detriment assessment guidance
document / section which will inform how the SUT
(including investigators) or Internal Audit (if SUT is
conflicted) should assess detriment at each step of the
investigation, and document these ‘detriment assessments’
e.g., in the investigation report or communications log.

¹⁰ Headcount taken from the POL Annual Report & Consolidated Financial Statements 2021/22, page 12.
¹¹ EY have since received evidence that this recommendation has been completed by management.

Detrimental treatment

EY note that detriment assessments are taking place
for cases, however it is not clearly documented that
the detriment assessments are occurring at a) initial
receipt of the case, b) during the investigation, c) at
case closure, and d) post-closure (e.g., one to six
months after closure).

EY have not been able to obtain evidence of a
bespoke guidance document or section within a
document relating to detriment assessments.

3. EY note through interviews with senior leadership
that efforts are being made to instil a culture in which it is
safe to speak up, and that the importance of ‘tone
from the top’ is recognised as a key element of
developing trust in the SUF.

Board-level engagement
Messaging

EY have noted that there is a message from the
current WBC (Zarin Patel) dated April 2021
available via public web browsers, and a short
message from Nick Read (CEO, Retail) on the SU
web portal. EY understand POL plan to use World
Whistleblowers Day (23 June) to promote
awareness of SU reporting channels.

Roles and Responsibilities

We note the WBC (Whistleblowing Champion) TOR
(Terms of Reference) set out clear expectations for
their role and responsibilities, however the same
level of clarity is not in place with regards to
expectations of Line Managers, and other senior
staff members who have bespoke SU
responsibilities (e.g., Head of CIU).

Visibility

EY note that a WBC message (dated April 2021) is
available on public web browsers which creates
awareness not only for employees but for all POL
stakeholders. The message contains helpful
guidance, however there is a promise that reporters
will not suffer personal detriment for speaking up
(c.2:50' into the message).

4. Speak Up policies and guidance

EY note the existence of a mature SU Policy which
assures support for those who report concerns, and
states that victimisation of anyone who raises a
concern will be subject to disciplinary action. It also
presents options for raising concerns outside of line
management (e.g., external options such as
regulators). EY also note that the Policy and other
procedure files are to be updated following
consideration of this report.

Speak Up Policy

Language

The Policy title is referred to as the Whistleblowing
(WB) Policy, however the web-portal is referred to as
Speak Up (SU), as is the intranet site for SU
concerns. We understand that the policy is under
review and will be renamed ‘Speak Up Policy’.

Board-level engagement
Messaging

» We recommend regular messaging from senior leaders on
the importance of SU is shared with POL staff. Good
market practice is to have videos and messages by Senior
Leaders (e.g., CEO, board members, SU Team leaders) on
the SU intranet site communicate the importance of SU.

Roles and Responsibilities

» We recommend per good market practice that the SU
intranet site sets out clear expectations for Line Managers,
as well as for any other senior staff members who have
bespoke SU responsibilities (e.g., ARC Chairman).

Visibility

> We strongly recommend that the promise that SURs will
not suffer detriment be removed from the message, as this
is not a guarantee that can be made. We also note the role
of WBC will soon be transferred, providing a good
opportunity to re-record a message/video.

Speak Up policies and guidance
Speak Up Policy
Language

» Based on good market practice, we recommend
consistency in language throughout all related Speak Up
artefacts (e.g., Policy, Investigations Manual, Speak Up
intranet site) to give clarity to the reader.

> We recommend using the terms ‘Speak Up’ rather than
‘Whistleblowing’ considering the negative connotations
attached to the latter.

> We recommend POL adapt wording in the SU Policy to the
effect of ‘concerns will be kept confidential and disclosed
only on a ‘need to know’ basis’.

Reporting options

» To enhance clarity for the reader, and based on good
market practice, we would recommend
a) moving these team contact details to the bottom of


Current language in the SU Policy states: ‘To
encourage the reporting of any concerns as soon as
possible in the knowledge that Post Office will take
all concerns raised seriously and investigate fully,
and that the confidentiality of all individuals will be
respected’. EY note it is not always possible to
maintain confidentiality of the Speak Up Reporter
(SUR).

Reporting options

We note in the SU Policy (page 4) team contact
details are provided for matters which may not relate
to Speak-Up concerns - e.g., details for Grapevine,
BSC, Customer Complaints, and Exec
Correspondence Team.

We note in the SU Policy (page 8) Internal and
External Disclosure contact details are separated.

We note that pages 10 to 16 of the SU Policy appear to
be too detailed to be applicable to all staff and would
sit more naturally in a Procedure / Standard
document rather than the Policy. Good market
practice observed is to have a short one- or two-page
Policy file which is easily digestible by staff.
This would include key high-level overviews of the
speak-up process, definitions, and contact details.

Fair treatment of the accused

EY also note that there is no explicit reference in
current policies and procedures relating to ensuring
fair treatment of any person accused of wrongdoing
by a whistleblower.

ARC chairman

We note in the SU Policy (page 11) if the SU
concern is defined as ‘serious’ (i.e., leading to a
failure to meet legal and regulatory requirements), it
should be escalated to the Chairman of the POL
Audit and Risk Committee (ARC). EY note a) it is not
documented on a systematic basis within reports
whether cases are classified as serious or not; and
b) it is not documented what the ARC Chairman's
role and responsibilities are once they are made aware of a
‘serious’ case.

Group Investigations Policy (GIP)
The GIP states:

- Not every concern, suspicion or issue that is
reported, identified, or otherwise arises will
require formal investigation (page 8)

Legal privilege

- Commissioning Manager should consider
whether the investigation should be conducted
under legal privilege (page 10). Through case
file testing, we have not been able to observe
that this consideration is documented on a
systematic basis within investigation reports.

Conflict of interest (COI)

- There may be potential conflicts of interest at
either the triage or investigation stage (page
10)

Representative or colleague in meetings

- SURs are given the option to be accompanied
by a trade union representative or colleague at
any meeting (page 30). Through case file
testing, we have not been able to observe

the document, under ‘other contacts’, or
b) moving the Customer Complaints details to the
bottom of the document under ‘other contacts’ and
removing all the other contact details (Grapevine,
BSC, and Exec Correspondence Team). This would
ensure the Speak Up channel would be the central
hub for concerns and could then be triaged out to the
relevant functions. This could also enhance risk
awareness within the POL through a greater ability to
perform trend analysis, leading to enhanced MI and
reporting.
» To enhance clarity for the reader, we recommend the
External Disclosure section follow section 1.7 How to
report Whistleblowing. The reader would therefore have all
available reporting options on one page.
» We recommend POL either a) create a short one- or
two-page Policy file or b) move content which is not directly
relevant to all staff into another SU artefact.

Fair treatment of the accused

» As per good market practice (also set out in SYSC 18.3.4)
we recommend management include content in relevant
SU documentation regarding fair treatment of the accused.

ARC Chairman

» We recommend in relation to the SU Policy page 11:

a) include the assessment of whether a case is ‘serious’
as a new section in the investigation report template;

b) clarify the ARC Chairman's role for ‘serious’ cases;
and
c) ensure their involvement is clearly documented
within the investigation report (e.g., within the new
reporting section suggested in recommendation a)).

GIP

» We recommend management include a requirement to
inform the SUR if their concern is not being investigated.
We note good market practice is to inform the SUR of who
is investigating their concern, or to inform them if they need
to re-direct their concern to another function (e.g. re-direct
a grievance case to HR). We understand from
conversations with the SUT that there is regular contact
with the SUR.

Legal privilege

» We recommend management document the key
considerations for ‘legal privilege’ (e.g., if a case is
classified as ‘serious’ etc.) and considerations for
consulting legal counsel, and relevant escalation
processes

» Per good market practice, we recommend a) updating the
GIP, and b) include a new section in the investigation
report template to address the assessment of legal
privilege.

COI

» EY recommend the conflicts of interest process is further
formalised. Good market practice is to have a separate
section in SU documentation, including flowcharts, roles
and responsibilities, systems and teams involved. For
example, if Internal Audit (IA) were requested to
investigate, the policy would make clear the
who/what/when/how questions such as where investigation
material is stored, how confidentiality is maintained
throughout the process (as IA do not have access to SU
SharePoint used by the SUT for storing investigation
materials), ensuring the IA investigator has the appropriate
skills, experience, and oversight to conduct the
investigation etc.


Observations Recommendations

that the communication of this option is
documented on a systematic basis within
investigation reports.

Law enforcement policy (LEP)

LEP page 12 refers to the previous WB service third
party provider (NAVEX / EthicsPoint). EY
understand this policy is under review.

Speak Up personnel structure

EY note the development of a dedicated SUT who
have access to other investigative resources (CIU)
when required. We also note that ARC and the POL
Board are furnished with regular SU MI and packs.

Those responsible for operating the firm's
programme.

We note that as the SUT is a new team, the SU
Manager (CH) is responsible for a) oversight of the
SUF, which includes triage of reports, overseeing
the SU Intranet site development, increasing
awareness and confidence in the SUF through
training and awareness campaigns, developing MI
and reporting to the Board, and enhancing SU
Policies and Procedure documentation, as well as
responsible for b) acting as Commissioning Manager
for many investigations, i.e., has responsibilities for
assessing and progressing investigations work.

Oversight

We understand two SUT members triage cases sent
to the SU mailbox, however there are no
documented controls in place to ensure all qualifying
reports are added to Convercent (system used for
reporting and MI). We understand an assurance process
is set up until the new data system is put in place
(replacing current CMS provider: Convercent).

EY note a detailed list of minimum control standards
are set out in the SU Policy (page 11). We requested
evidence of how control testing has been carried out,
however we were not able to obtain this evidence,
i.e., testing carried out either through internal (POL
employees) or external (e.g., SU specialist
organisations) parties.

Reporting

EY note Whistleblowing is an agenda item for the
Audit and Risk Committee (ARC) and the POL
Board who receive MI on a monthly basis. We
understand GE are requested to read the MI packs;
however, the content is not discussed in every
monthly meeting. EY understand the SUT have not
regularly received follow-on questions from these
forums which would have indicated critical
engagement with these updates. EY note that an
annual report has not been shared with either ARC
or the POL Board as the SUT has recently been
formed and therefore has not shared its first annual
report to the Board.

Representative or colleague in meetings

» We recommend management ensure there is documented
evidence the SUR is given the option of being
accompanied to meetings. This could be achieved through
adding text to the automated response sent to SURs when
their case is received or included as templated language
for the SUT to use when contacting the SUR in the first
instance.

LEP

» We recommend including the correct/proper contact details
of the WB provider (currently - Convercent). EY
understand management are reviewing this policy and are
making this change.

Speak Up personnel structure

Those responsible for operating the firm’s programme.

Considering the nature of these roles, the workload and
caseload, we would recommend: a) conducting a review
into the threat of self-review (i.e. one person creating
policies and standards against which investigations are
assessed, being the point of contact with the SUR,
performing the investigation and assessing its
completeness and accuracy) and the requirement for
segregation of duties, documenting the conclusions of this
review; and b) conducting a review on the expectations of
completing this volume of work by only one member of
staff.

Oversight

» We recommend management consider adding and
documenting controls in place to ensure all qualifying
cases are added to Convercent e.g., spot checks by
another member of the SUT.
» We recommend POL produce a controls testing plan to
ensure each control is reviewed timeously and by
individuals with the requisite experience. Good market
practice would be to ensure controls testing is carried out
by SU Team and non-SU Team members (e.g., internal
audit or compliance) for an independent assessment.

Reporting

» As per good market practice (e.g., SYSC 18.3.1 f) and with
regards to ARC and the Board, we recommend a) ensuring
MI packs contain trend and theme analysis to better
enable strategic decisions (e.g., sharing trends on
confidential vs anonymous reporting rates as an indirect
measure of trust in the SUF). This may be achieved
through sharing thematic quarterly as well as monthly
updates which may enable greater strategic engagement
with the data; and b) that preparation and issuance of
reports (e.g., quarterly to ARC and to the Board) is tracked,
e.g., in a SU Communications Plan.

6.

FCA/PRA regulations [POMS consideration]

EY note POL are not a regulated entity however
management have shown appetite to use best
market practice and guidance to improve the SUF,
such as the guidance in SYSC18.

EY note that it is not communicated in the POL
employee handbook or other equivalent document
(e.g., POL Code of Business Standards) that UK-
based employees may disclose reportable concerns
to the PRA or the FCA and the methods for doing so.

EY understand that POMS (POL Management
Services Ltd) rely on POL for its SUF, however as
POMS is out of scope, we did not obtain evidence
that additional policies and procedures are in place
to ensure POMS’ compliance with regulatory
requirements.

Whistleblowers’ Champion (WBC) role

Although not regulated, POL have considered best
practice and created a WBC role held by someone
of sufficient seniority to discharge duties of a WBC
as laid out in SYSC18 regulation. We note the
current WBC has a wealth of relevant SU experience
and demonstrated subject matter expertise during
our interview.

The WBC TOR states the WBC ‘will also be an
additional point of escalation for complaints or
feedback regarding the Speak Up function from
other parts of the organisation’; however, it is not
clear how staff would contact the WBC, and what
steps the WBC should take if this situation occurs.

Raising awareness

EY understand SUT perform roadshows to increase
SU awareness both for its employee and non-
employee (e.g., post masters) populations.

EY understand POL do not have a responsibility to
share SU materials with non-employees such as
postmasters, but that there are plans to present on
SU to the NFSP (National Federation of Sub-
Postmasters) and to create posters for postmasters
to use in their branches to raise awareness of SU.

Training

EY understand that POL provide training in multiple
formats, such as through roadshows (as previously
referred to in the above area #8 Raising
Awareness), which provide employees with
opportunities to raise questions and concerns but
also web-based training. Through interviews, EY
also understand POL provided its SUT with training
from external SU specialists.

All staff, Managers, and Employees responsible
for operating the firm’s internal programme

EY have been informed that SU training for POL
employees and line managers is provided through an
e-training module.

EY have not been able to confirm how SU training is
accessed by the following groups: 1) employees
responsible for operating the firms’ internal

FCA/PRA regulations [POMS consideration]

» EY note POL is not FCA regulated however EY
recommend that the POL employee handbook or other
equivalent document (e.g., POL Code of Business
Standards) reflect that UK-based employees may disclose
reportable concerns to the PRA or the FCA and the
methods for doing so if the equivalent POMS document
does not contain such guidance (SYSC 18.3.6 R).

Whistleblowers’ Champion (WBC) role

» We recommend a) include guidance on how staff are able
to contact the WBC, as details are not included in the
Policy. Good market practice is to share WBC contact
details (e.g., on the SU intranet site) as another
communication route available to the reporter; and b)
provide guidance for what the WBC should do if such a
situation occurs.

Raising awareness

» We recommend such activity of increasing awareness with
non-employee groups be included in the SU
Communications Plan, and that a variety of communication
methods are explored such as posters, talks, messages
from leadership, optional training programmes etc.

Training

All staff, Managers, and Employees responsible for
operating the firm's internal programme

» We recommend:
a) assessing whether relevant training is in place for
these groups and that access to this training is clearly
signposted. Good market practice is to maintain
training material in the SU intranet; we note this would
exclude non-employees such as postmasters from
accessing training, therefore an alternative site would
be recommended for non-employees. We are also
aware that training is maintained in the POL LCG
academy.

b) documenting that those with responsibility over SU
arrangements should review the WBC TOR and
clarify their responsibility to assist the WBC when
asked to do so (SYSC18.3.4 G 3).

Tracking


10.

11.

12.

arrangements, and 2) Senior Leadership Team

EY note that non-employees (such as postmasters)
receive awareness guidance, such as through
roadshows rather than formal training

Tracking

EY understand the SUT provide awareness to POL
teams, however there is no process in place to
ensure that 1) all POL employees, 2) line managers;
and 3) employees responsible for operating the
firms’ internal arrangements have a) attended SU
training, and b) confirmed their understanding of
their responsibilities.

Accessibility

EY note a range of reporting options are provided,
including phone, voicemail, web, and email. EY note
the SU web portal service is available 24/7, all year.
EY note there are options available to the general
public (rather than solely for POL employees) which
is a positive step forward.

External — web browsers

EY note that the Code of Conduct (which includes a
link to the secure online SU web portal) is shared
with third parties working with the POL, however the
web portal (which offers the option of anonymity) is
not available through the publicly available POL
website. Furthermore, EY note when using key
search terms ‘Post Office’ and ‘Speak Up’,
‘Whistleblower’ and ‘Whistle blowing’ on public
search engines (e.g., Google) that the first hits are
either not from the POL website (e.g., a link to an old
version of the POL SU Policy from a Freedom of
Information request) or contain links to articles which
do not include links to the POL SU Policy or SU web
portal.

Internal — POL intranet

EY note the SU web portal is not one of the first hits
when using key SU search terms on the POL
SharePoint (intranet) search function.

We note the POL SU intranet site is undergoing
reconstruction.

Triage

EY note there is a dedicated role to manage the
speak up process and that all disclosures received,
regardless of source, are recorded and assessed.
EY note there is a triage process set out in guidance
documents, including flow charts, and that
documentation in this area is evolving.

Per the Investigators Manual (page 36) we note:
‘The Speak Up Manager and Intelligence Analyst
triage all information and reports received via the
reporting process.’

Case management system (CMS)

EY note there is a CMS in place which is used to
track progression of all SU cases and can produce
MI for analysis of the SUT and senior leadership

» In line with good market practice (also set out in SYSC
18.3.4) we recommend a) management ensure a
mechanism is put in place to demonstrate all POL staff,
line managers, and those responsible for the SUF, have
completed relevant SU training (e.g. create training log
showing completion rates); and b) that the population of
those responsible for operating the firms’ internal
arrangements is clearly tracked, and that training is shared
with any personnel who may have to be involved in the SU
process due to a conflict of interest (e.g. Internal Audit).

Accessibility
External - web browsers

» In line with good market practice (also set out in SYSC
18.3.1), we recommend updating existing search hits on
public search engines (e.g., Google) e.g., provide a link to
the current POL SU Policy and link to the POL SU web
portal when using key search terms ‘Speak Up’,
‘Whistleblower’ and ‘Whistleblowing’. This will enable non-
employees to understand the SU process and raise
concerns more easily.

Internal — POL intranet

» We recommend updating internal POL SharePoint search
hits to ensure employees are able to easily access SU
information (e.g., on the SU Intranet site) and have the
option of making anonymous reports.

» We recommend prioritising the completion of this
reconstruction as the intranet serves as a one-stop shop
for employees and is a key source of information and
giving employees confidence in using the system, as it
demonstrates the organisation is taking SU concerns
seriously.

Triage

» In line with good market practice, we recommend: a)
documenting in the Investigator's Manual that the SU
Manager has responsibility of 1) deciding whether a case
is a Speak Up case or not, and 2) informing the SUR of
this decision (i.e., confirm with the SUR whether the SUT
or another function will investigate the concern); b)
documenting in the Manual the decision tree process for
when a case is not considered a Speak Up case; and c)
documenting triage decisions (e.g. maintaining a triage
log).

Case management process

» EY recommend that SUT are informed (e.g., by
procurement or IT teams) if there are any regular service
level agreement (SLA) reviews are performed with new


13.

14.

teams.

EY understand POL use Convercent — a third party
who manage the SU web portal (‘front-end’) and
(‘back-end’) case management system (CMS). EY
also understand POL are considering replacing
Convercent with new third parties.

EY note all disclosures are investigated in proportion
to risk by investigators with relevant experience. We
also note the existence of investigation templates
which are used to drive consistency in approach,
and that escalation points exist in ‘conflict of interest’
situations.

Investigation process

We understand SURs receive an automated
response from Convercent when logging a concern.
This is then followed up by a personalised
communication from the SUT.

SUR feedback

We note the SUT provide SURs with an opportunity
to have a follow-up (e.g., email or call) with the SUT
to discuss wellbeing / detrimental treatment following
the closure of the investigation, however there is no
systematic process in place to evidence these
discussions.

Malicious claims

EY note SYSC 18.3.2 G stipulates a firm may wish
to clarify in its written procedures for the purposes of
SYSC18 that nothing prevents firms taking action
against those who have made false and malicious
disclosures.

Further to our case file testing, EY note SURs are
making confidential rather than only anonymous
claims, which demonstrates trust in the SUF. EY
note Mi shows that reports are made from a variety
of locations on a variety of topics (e.g. fraud, policy
violation and harassment).

Effectiveness of whistleblowing process
Investigation case files - Impact rating
EY note:

a) the Impact Grading Model suggests that all PIDA
cases (i.e., Speak Up cases) are automatically rated
High Impact. Further to conversations with John
Bartlett (Head of CIU) and Claire Hamilton (SU
Manager) we understand that not all PIDA cases are
automatically classified as High Risk.

b) The Impact rating (High / Medium / Low) is not
consistently documented within investigation reports.
EY understand this section in the manual is currently
under review (e.g., updating terminology from ‘risk’
to ‘impact’).

c) The manual does not detail what impact the
Impact rating has on procedure (e.g., how a High
Impact case should be treated differently to a Low

current and any new third parties to ensure the systems
are fit for purpose and that data security (e.g., tested
through penetration testing) and confidentiality measures
are maintained.

Investigation process

» We recommend:

A) adding complementary information in the initial
automated and/or personal response sent to the
SUR e.g., a) a brief introduction on investigation
process; b) informing them of the possibility of
having a trade union member, or colleague join them
in any discussions relating to the concern; c) internal
and external mental health / wellbeing resources
(e.g., Protect charity), and d) for employees, link to
the intranet site which includes more SU details.

B) Creating a script/template to be used when
informing the SUR of case closure. This will ensure
consistency of communication and ensure the
SUR is aware of any further options.

SUR feedback

» Per good market practice we recommend SURs are given
the opportunity to complete a written feedback assessment
once the investigation is completed. In this assessment,
the SUR is offered the opportunity for a follow-up with the
SUT (e.g., one month following investigation completion), as
well as invited to feedback on the interactions with the SUT
(i.e., quality assessment of the SUT's performance, e.g.,
‘Was the SUT responsive? Did you feel supported
throughout the process?’ etc.).

Malicious claims

EY recommend that the POL considers if they would like to
communicate to employees (e.g., in the SU Policy) that
nothing prevents the firm taking action against those who have
made false and malicious disclosures.

Effectiveness of whistleblowing process

Investigation case files - Impact rating

» We recommend updating the Manual to rectify the
observations, e.g.

a) clarifying PIDA cases do not always sit in the High-
Impact category;

b) Include Impact Rating section in the Investigation report
template which will then ensure processes defined in b)
are followed; and

c) clarifying what additional procedures are needed in an
escalated situation depending on the impact category.

Recommendation log

Recommendation: Creation of a ‘Recommendation log’
TOR setting out roles and responsibilities in the
compliance team. We also recommend that the TOR
clarifies how confidentiality of the subjects is maintained,
as recommendations are distributed to other teams.


Impact case), except for prioritisation purposes (i.e.,
High cases would take priority over Low cases).

Recommendation log

We understand that any recommendations following
investigation closure are shared with Compliance via
an Excel document (‘recommendations log’) which
lists all recommendations which need to be tracked
to completion. We understand it is Compliance's
responsibility to ensure a) recommendations are
distributed to the relevant teams (e.g., HR or Internal
Audit) and b) recommendations are closed out.


Appendix A Documents Received and Interviews

Documents received

Document title Date received

10.3b_Law enforcement policy (Clean ver)_POL_Board_20200922 (final pdfv.  Feb-23

2021-03-15 Group investigations policy v.1.2 - inc POL comments Feb-23
CIU MI DIVISIONAL REPORT December 2022 Feb-23
CIU MI REPORT December 2022 - Sensitive Feb-23
Code of Business Mar-23
Investigator's Manual Feb-23
NED Speak Up Champion Feb-23
P019 - Grievance Policy Mar-23
POL artefacts in response to EY queries #1-6 Mar-23
Whistleblowing Policy v.7 March 2022 Feb-23
CIU_SpeakUp - Mar-23
PO009 - Code of Business Standards Mar-23
Speak Up and CIU presentation to Audit and Support Advisor Team Mar-23
Screenshot (35) — list of POL teams where SU was provided via training roadshow Mar-23
Screenshot (38) — list of Convercent users Mar-23
Screenshot (39) — list of SUT ShareDrive member Mar-23

Stakeholder Interviews

In addition to the five interviews with senior leaders listed in Section 4. EY Scope and Approach, we spoke with
the following personnel:

Name Title
Claire Hamilton Speak Up Manager
John Bartlett Head of CIU
Mark Tress SUT Investigator


Appendix B Interview agenda items

The following agenda items were tailored according to the interviewee:

» Awareness of EY engagement

» Role at POL and main responsibilities with regards to SU

» Ability to discharge your SU duties under the current framework, and if not, what areas would
you like to see enhancements to?

» Referencing items such as: MI, Training, Culture, Confidence in current process,
Independence/conflicts, and Whistleblower protection

» Understanding of the POL SUF, and what your SU responsibilities are (as you understand
them) under this framework

» Confirm how they / an employee would raise a concern anonymously (how would they find
the SU webpage)

» Confirm understanding of POL/their SU responsibilities towards employees (including
providing protection to reporters)

» Confirm understanding of POL/their SU responsibilities towards non-employees (e.g.,
franchise employees, and how they provide protection for these)

Appendix C SU regulatory backdrop

SU programmes are now an established component of an organisation's compliance framework and a
key risk management tool. Further, several recent high-profile media reports have shown a societal shift
against remaining silent in the face of inappropriate conduct. In response to this trend, countries across
the globe have introduced or strengthened whistleblowing related regulation and legislation.

In September 2016, the UK Financial Conduct Authority (FCA) and the Prudential Regulation Authority
(PRA) introduced rules that required specified regulated firms to have in place whistleblowing
programmes (referred to as “whistleblowing arrangements” by the FCA). The rules have evolved since
their inception in 2016 and are set out in SYSC 18 (Appendix B).

The FCA published the findings of its thematic review into Retail and Wholesale Banking Whistleblowing
Arrangements in November 2018 [12], which for the first time set out the FCA’s expectations in this area
which go beyond simple compliance with SYSC18.

In April 2019, the European Parliament adopted a Directive that required all member states to have
whistleblowing legislation in place by December 2021. By February 2023 only 19 [13] of the 28 members
had this whistleblowing legislation in place. As at the date of this Report the UK’s Whistleblowing Bill [14]
advanced by the All-Party Parliamentary Commission (APPG [15]) for whistleblowing is undergoing
parliamentary scrutiny. Whilst we do not know how each individual EU state will interpret the Directive
or when the UK's Bill will obtain Royal Assent, it is probable that they will have implications on what is
considered good industry practice, highlighting the need to have the flexibility to respond to the changes
to come.

[12] https://www.fca.org.uk/publications/multi-firm-reviews/retail-and-wholesale-banking-review-firms-whistleblowing-arrangements

[13] EU Whistleblowing Monitor

[14] Whistleblowing Bill - Parliamentary Bills - UK Parliament

[15] APPG Whistleblowing | Home


Appendix D Statement of Work (SOW)

As per the Engagement Letter signed 10th February 2023, the following SOW was carried out:

1. Policy Assessment

» Assessment of relevant policy documents, specifically the Whistleblowing Policy v.7 March
2022 and the Speak Up Champion (also known as the Whistleblowing Champion (WBC))
Terms of Reference (ToR). This assessment will compare policies against SYSC 18
regulatory requirements and to best practice, based on EY’s knowledge of whistleblowing
and speak-up teams in comparable entities.

2. Implementation of process via SU Investigation reviews

» Review of a sample of five investigation case files, performed since the Whistleblowing
Policy v.7 March 2022 was put in place, to establish whether the Post Office (PO) policies
are operating as intended. This sample is to be agreed between the EY and the POL teams,
and will include a representative view of the high/medium and low risk cases typically
encountered by the POL.

For each case, EY will follow the path of the case as it progressed from initial report
through to conclusion and will include considerations such as data capture, triage,
investigatory steps, communication with and protection of the whistleblower, reporting and
review.

3. Feedback Gathering

» Interview with a sample of up to six key stakeholders of the SU process to establish their
views on the process and possible areas for future development. The interviewees will be
agreed between EY and the POL team.

Based on the activities at 1) to 3) above, this written report provides:

» An assessment of the current state of the PO’s whistleblowing policies, processes and
controls compared to SYSC 18 regulatory requirements and to best practice, based on
EY’s knowledge of whistleblowing and speak-up teams in comparable entities

» An assessment of the sample of five PO's whistleblowing investigations against the PO's
whistleblowing policies, processes, and controls

» A comparison to financial services best practices, to include both whistleblowing and
information gathering

» Recommendations as to possible areas of process improvements

In addition to the above scope, we will provide a briefing session to the Board and CEO of the Post
Office Limited to cover their speak-up responsibilities, best practice to establish an effective tone from
the top and highlighting key messages and learnings from this EY review.
EY | Assurance | Tax | Transactions | Advisory

Ernst & Young LLP

© Ernst & Young LLP. Published in the UK.
All rights reserved

The UK firm Ernst & Young LLP is a limited liability partnership registered in England
and Wales with registered number OC300004 and is a member firm of Ernst & Young Global
Limited.

Ernst & Young LLP, More London Place, London, SE1 2AF.

ey.com
