POL00447964
POL00447964
POST OFFICE LTD.
Title: Speak Up Assurance Review Report Date: 05/07/2023
Author: Nazrana Patel/Reena Chohan Sponsor: Ben Foat
Executive Summary
Background
Group Assurance have performed a review of Post Office’s Speak Up function’s (previously known as
Whistleblowing) processes and procedures to assess the robustness of their control environment. The Speak
Up Policy Sponsor (Group General Counsel) and Owner (Head of CIU with the support of Group Legal
Director) are accountable for the implementation of controls ensuring POL meets its Speak Up obligations.
The Speak Up team was established approximately 18 months ago and comprises a Speak Up manager, an
analyst, and two full-time investigators. During this period, the team have invested heavily in reviewing and
updating their processes and procedures. The team have also introduced monitoring dashboards for Speak
Up which is reported to Group Executives and Board members on a monthly basis. The Speak up function is
governed by two key policies - the Speak up Policy and Group Investigations Policy and processes are
documented in the Investigations manual.
Scope & Approach
The core objective of the review was to assess the level of Speak Up process compliance, especially when
dealing with Speak Up cases, to ensure that these cases are not only being dealt with in a consistent and fair
manner, but that this can also be evidenced.
We selected a sample of 10 Speak Up cases (raised between April 2022 — January 2023) and our scope
included the objective assessment of:
The Speak Up policies and procedures, and levels of compliance
Security and access of ‘Speak Up’ data — especially maintaining confidentiality/anonymity
Effectiveness of Speak Up communications
Speak Up monitoring and governance
Effectiveness of Speak Up training
This review was performed during April and June 2023, and therefore our opinions and comments reflect the
state of the control environment during this period.
Please refer to Appendix 1 for a breakdown and status of the cases selected.
Scope exclusions —
A review of processes and controls at Convercent (external provider of Speak Up)
Assessment of POL wider controls for data access and security
Assessment of how Speak cases, if triaged, to the wider business functions
Assessment of Speak Up and its take up or perception within the Postmaster community.
The effectiveness and monitoring of any Speak Up or CIU related actions/recommendations
Assurance Opinion
The Speak Up Team constructively engaged and supported the Assurance Team throughout this review. It
was overtly evident that the behaviours and culture embedded within this team is that of transparency and
Page 1 of 6
Final Assurance Report —- Speak Up Strictly Confidential
POL-BSFF-107-0000048
POL00447964
POL00447964
ensuring they deliver the right outcomes in the right way. Whilst being a relatively new team, they are
embedding robust processes and procedures, and have a culture of continuous improvement.
Whilst we have identified six improvement opportunities predominantly within Speak Up processes and
procedures, which the team are in the process of remediating, the overall control environment is fit for
purpose, and we have rated this review as:
The framework of governance, risk management and
control is adequate and effective.
Page 2 of 6
Final Assurance Report —- Speak Up Strictly Confidential
POL-BSFF-107-0000048_0001
POL00447964
POL00447964
Detailed observations
1. Speak Up Process and procedures - Some improvement needed
The Speak Up team have demonstrated a very high level of compliance with the current Speak Up procedures
and processes, some key areas are summarised below:
a) Anonymity and communication between the reporter and investigator were maintained throughout
the investigations, where applicable.
b)
For cases that were passed to other areas of the business, there was a clear handover process
between the Speak Up team and the relevant business area.
[)
All Speak Up data is managed, stored, and accessed via Convercent and the Speak Up SharePoint
site, and access is managed by the Central Investigations Unit (CIU). Access is approved and
authorised through the Head of Central Investigations Unit and restricted to purposes such as
assurance or audits.
d
The cases which have been closed were documented consistently and where there were cases of a
high severity nature these had a planned investigation approach in place, maintained with high
anonymity and closed with recommendations.
e
All employees including Postmasters are provided with several channels to raise Speak up concerns
this includes:
e The POL Speak Up mailbox (viewed only by Speak Up team)
« Reporting via the Speak Up web portal operated by Convercent (a third-party)
* The Convercent hotline
* Internal reporting (e.g., a line manager)
f) The triage process flow map for Speak Up is documented in the investigations manual and this
provides a structured approach to assessing what type of investigation is required and who should
the case be investigated.
g) The Speak Up team have now implemented after the external assurance work done by EY a process
where they send a feedback form asking the reporter for feedback on how their case was handled,
this is done via the route the report was originally made from. To date no feedback has been received.
Some improvement opportunities were identified, and these are summarised below:
The head of CIU should monitor on a regular I John Bartlett - Head of CIU 14! July
4 I basis who has access to Convercent and 2023
SharePoint site/data.
A separate Speak Up process flow map to be Claire Hamilton - Speak Up and 31% August
2 I created and included into the Investigations Intelligence Manager 2023
Manual.
The Speak Up process flows need to document: I Claire Hamilton - Speak up and 31* August
the hand off processes for cases referred to I Intelligence Manager 2023
3 . f
other parts of the business for instance to
employee relations and People tearm.
The Speak Up process flows need to document I Claire Hamilton - Speak up and 31s August
4 I and clarify the ‘when and how’ the Head of CIU I Intelligence Manager 2023
intervenes and the sign off process.
Page 3 of 6
Final Assurance Report —- Speak Up Strictly Confidential
POL-BSFF-107-0000048_0002
POL00447964
POL00447964
2. Speak Up communications - No material exceptions noted
a) POL internal intranet (SharePoint)
There have been 392 views on the Speak Up Intranet site as of 5th June 2023, and the Speak Up and
intelligence Manager is progressing, at the time of fieldwork, a communications plan where regular
reminders will be sent across POL using the ‘One’ email platform.
b) POL external Speak Up website
This is in the process of being changed and updated by the Speak Up and Intelligence Manager and
should be completed by end of July 2023.
c) POL internal Communication
Speak Up is communicated across the business through the Intranet Hub, Annual Compliance training
and One comms emails. There is also continuous awareness of Speak Up to our postmasters such as
the event held through the NFSP and is also included into postmasters' induction training.
Some improvement opportunities were identified, and these are summarised below:
Whilst the SharePoint site has been updated the I Claire Hamilton - Speak up and Completed
link to the new Speak Up policy (approved by I Intelligence Manager on 13" June
5 the ARC during fieldwork) needs to be updated 2023
and reference to Whistlebliowing Policy
removed.
POL external Speak Up website - is in the I Claire Hamilton - Speak up and Within 4
6 I process of being changed and updated Intelligence Manager months
from 6"
June 2023
Page 4 of 6
Final Assurance Report —- Speak Up Strictly Confidential
POL-BSFF-107-0000048_0003
POL00447964
POL00447964
3. Speak Up ~ Governance and first line assurance ~ No exceptions noted
a) There are monthly MI reports on Speak Up, and since February 2023 the MI reports also include the
Quality Review outcomes. The MI reports are distributed to GE, Board members, Group General
Counsel and Legal (Non sensitive - GE and Board members; and sensitive - Group General Counsel
and Legal Director). When a Speak Up NED has been appointed, they will have oversight of all MI
reports produced.
The GE Dashboard is circulated monthly and incorporates speak up cases which shows a summary
of all cases reported, channels they were reported through, the severity, and their status
(open/closed).
b) The current Speak up policy was approved by ARC on 16" May 2023 and is reviewed, updated, and
approved annually by RCC and ARC.
c) The Senior Investigation Managers within CIU Team also perform a Quality Assurance review to
ensure that the Speak Up team are complying with policies and procedures.
d) External firms such as EY have also conducted a review of the Speak Up function. EY’s observation
documented that each area of Speak Up is based on well-established processes and procedures but
have made observations and recommendations to enhance these further. These have been either
adopted already or are planned to be incorporated.
4. Speak Up training ~ No exceptions identified
Speak Up training, at induction and then annually, is compulsory for all employees and Postmasters. The last
Speak Up training was rolled out on 7" March 2022 and the current refresher training is scheduled for 1*
September 2023. As of 22°4 May 2023, the completion rate for Speak up refresher training for 2022 was
99.2%,
Page 5 of 6
Final Assurance Report —- Speak Up Strictly Confidential
POL-BSFF-107-0000048_0004
POL00447964
POL00447964
Appendix 1 - 10 Speak Up sample
All 10 Speak Up reviewed were identified as ‘PIDA’ (Public Interest Disclosure Act) cases, i.e., reportable
concerns made by POL employees.
The status of these cases, at the time of fieldwork, are summarised below:
- 4 Cases - Closed due to no further information or contact from the reporter
- 1 Case - Closed with intervention from industrial relations and union
- 3 Cases - Passed to Employee Relations
- 1Case - Passed to People Team
- 1Case - Investigated by Speak up team and closed with recommendations
Appendix 2 - Opinion Definitions
The framework of governance, risk management and control is adequate and effective.
Some improvements are required to enhance the adequacy and effectiveness of the framework of
governance, risk management and control.
There are significant weaknesses in the framework of governance, risk management and control such
that it could be or could become inadequate and ineffective.
There are fundamental weaknesses in the framework of governance, risk management and control such
that it is inadequate and ineffective or is likely to fail.
Page 6 of 6
Final Assurance Report —- Speak Up Strictly Confidential
POL-BSFF-107-0000048_0005