POL00448008
Tab 1 May Minutes for Signature
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 19th MAY 2020 AT 20 FINSBURY STREET,
LONDON EC2Y 9AQ AT 09.30 AM (VIA CONFERENCE CALL)¹
Present:
- Carla Stent (Chair)
- Ken McCall (SID) (KM)
- Tom Cooper (NED, UKGI) (TC)
- Zarin Patel (NED) (ZP)
Regular Attendees:
- Tim Parker (Chairman, POL) (TP)
- Alisdair Cameron (Group CFO) (AC)
- Ben Foat (Group General Counsel) (BF)
- Andrew Paynter (Audit Partner, PwC) (AP)
- Sarah Allen (Senior Audit Manager, PwC) (SA)
- Johann Appel (Head of Internal Audit) (JA)
- Mark Baldock (Head of Risk) (MB)
- Jonathan Hill (Compliance Director) (JH)
- Rebecca Whibley (Assistant Company Secretary) (RW)
Invited Attendees:
- Caroline Scott (Portfolio Director - Organisational Effectiveness): Item 2 (CS)
- Martin Hopcroft (Head of Health & Safety): Item 2 (MH)
- Rod Williams (Head of Legal - Dispute Resolution) - item 4 (RWi)
- Amanda Bowe (Post Office Insurance ARC Chair) - items 6 & 7 (AB)
- Ian Holloway (POI Director, Risk & Compliance) - item 7 (IH)
- Tom Lee (Head of Finance Financial Accounting and Controls): Item 9 (TL)
- Jeff Smyth (Interim Group Chief Information Officer): Item 10.1 (JS)
- Tony Jowett (Chief Information Security Officer): Item 10.2 (TJ)
- Sherrill Taggart (Interim Legal Director) - items 11 & 12 (ST)
- Barbara Brannon (Procurement Director) - item 13 (BB)
Apologies:
Nick Read (Group Chief Executive Officer) (NR)
Action
1. Welcome and Conflicts of Interest
1.1 A quorum being present, the Chair opened the meeting and noted that
participation was solely by conference call given the current Government
guidance on home working. However, given the requirements of the
Company’s Articles of Association, the location of the meeting was agreed
to be the Company's Registered Office.
1.2 The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
requirements of section 177 of the Companies Act 2006 and the
Company's Articles of Association.
1 Participation in the meeting was entirely via Microsoft Teams from participants’ personal addresses. In such
circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be
deemed as the chair’s location. However, it was not deemed appropriate to record personal addresses on the
Company record. As such, the Registered Office is recorded as the meeting location.
STRICTLY CONFIDENTIAL, 1
ARC Minutes for signature-21/09/20 1 of 39
POL-BSFF-107-0000092
2. COVID-19 Response Update
Caroline Scott and Martin Hopcroft joined the meeting.
Mark Baldock introduced the paper, which was taken as read. He noted
that a COVID-19 response programme team had been set up under
Caroline Scott. Over the last couple of months, the scope of the work had
grown with significant implications for network coverage and financial and
trading patterns. Therefore the implications were far wider than purely
health and safety and the response programme reflected this. The risk
work had paralleled the response programmes’ phases: phase I (crisis),
phase II (resilience), phase III (recover), and phase IV (Neo/Reimagine).
The risk work has been a two-stage process: the team looked at industry risks
and then tested these with the business to ensure they were appropriate
and all encompassing. This led to the identification of around 50 risks
which have been grouped into short, medium and long term, largely
mirroring the phases of the response programme. Thankfully, no areas of
risk were identified by the team that were not already being picked up by
the response programme team.
2.2
Mark Baldock further highlighted the achievements of the response
programme:
- Decisions can be taken quickly, for example, the business moved
quickly and effectively to home working for all support staff
including call centres and payroll.
- There has been a reduction in network coverage of around 10% and the
branch closure figure was now stable and reducing, allowing the
Network team to focus on branches closed for a number of days.
- There have been patches of absence among colleagues and
Postmasters, but the figure has largely stabilised. The COVID-19
related absence for colleagues stood at around 190 (which included
those who were caring for a vulnerable individual or had COVID-19
symptoms themselves).
- Project Neo has been set up, led by Owen Woodley. This project
was to look at the longer term operational structure, target
operating model and the future products and services offer. The risk
team were also feeding into this work to ensure the mitigation of
longer term risk.
2.3
Caroline Scott explained that the governance around the COVID-19
response programme had ensured its efficiency. Initially, there were daily
Rapid Response Team (RRT) and SteerCo meetings with all actions,
decisions and risks being documented. Dashboards were used to ensure
that data was the driver of decisions. A review was undertaken shortly
after Easter and it was decided to move to three meetings a week for RRT
and SteerCo in light of feedback from the RRT, SteerCo and GE with a
focus on an integrated plan concentrating on risks. For example, much
focus has been given to frontline colleague risk and extensive work has
been done to identify appropriate personal protection equipment (PPE),
taking into account feedback from colleagues. There has also been a focus
on the product offering and the Drop & Go product launch was accelerated
in response to customers having to queue for long periods of time as
branch opening hours had been curtailed and increasing social media
pressure. It was also a pain point for Postmasters who felt that some
customers were not posting essential items. Furthermore, the response
programme team identified that opening hours information was a vital
thing to get right for customers, Royal Mail (for mail collection) and Supply
Chain (for cash delivery and collection). Branch Hub therefore went live
as a way to communicate with branches and functionality was added to
enable them to communicate their opening hours which would
automatically update the branch finder tool on the customer website.
Confirmation of opening hours was added as a condition of payment of top
up remuneration for Postmasters in June to further drive conformance.
This has driven significant adoption of the tool. 50% of Postmasters were
now registered on Branch Hub and the goal was to achieve 100% by the
end of the month. Such rapid adoption has been enabled by the crisis
response. The Chair congratulated the team on their hard work and asked
the Committee for comment.
2.4 Tom Cooper noted that the work seemed to be all positive, and therefore
queried why the reaction from the National Federation of Sub-Postmasters
(NFSP) had been less than positive. Al Cameron explained that the NFSP
had had an emotional reaction to the idea of linking remuneration to
behaviour, however they had been talked down. He explained that
conformance and, particularly cash declarations (which were another
condition of remuneration payment) were a key part of our strategy and
ultimately, if branches consistently did not complete cash declarations,
they would be stopped from trading. It was noted that more recently, cash
declarations from open branches had been slightly better than before the
COVID-19 crisis. Work was also being done to consider how to support
those Postmasters who cannot register on Branch Hub without creating an
exception which could be used by those who can register on the system.
Tom Cooper further noted that the code name of Project Neo was already
known to the Minister as it had been mentioned by a contact from the
Communication Workers’ Union (CWU). In response, Al Cameron
explained that he did not see this as an issue as it was to be expected that
any business would be considering its future strategy and operating model
in light of the current crisis, plus it was something that was looked at in
the ordinary course of business. However, it was agreed that Al Cameron
would flag this to Nick Read and Owen Woodley (Group Chief Commercial
Officer).
Action: AC
2.5 At the request of the Chair, Martin Hopcroft explained that there was also
a team looking at how colleagues could return to the workplace and risk
assessments were being undertaken. Agency branches had been supplied
with risk assessment proformas to enable them to undertake their own
assessments where they have five or more employees. Post Office has
undertaken risk assessments for Directly Managed Branches (DMBs). It
was further noted that the Committee should be aware that as additional
testing becomes available, there may be more positive tests and the
business would need to react to this. Al Cameron explained that a
colleague in the Glasgow cash centre had tested positive for COVID-19
over the weekend. The response had been swift with the centre being
closed for a deep clean on Monday 18 May and reopening the next day.
Those who had been in contact with the colleague were traced, advised to
isolate and were to be tested. In response to a question from Zarin Patel,
Martin Hopcroft confirmed that the CWU had raised issues surrounding
health and safety, mainly around DMB managers working on the public side
of the counter. However, this was being managed with daily calls with the
CWU health and safety representatives. It was recognised that this could
be a further challenge as the lockdown eases.
2.6
The Chair thanked Caroline Scott, Mark Baldock and Martin Hopcroft for
their work on the COVID-19 response and noted that the Post Office
needed to be pragmatic in its response over the next couple of months.
Accordingly, the Committee NOTED the update on Post Office’s response
to the COVID-19 crisis.
Caroline Scott and Martin Hopcroft left the meeting.
3. Governance
3.1 Internal Audit Plan 2020/21
The Chair reminded the Committee that the plan had been considered at
its March meeting, but that it had been requested that the plan be revised
to consider the COVID-19 crisis and particularly, identify the top five
priorities. Johann Appel introduced the revised Internal Audit Plan
2020/21 paper, which was taken as read. He explained that the top five
priorities had now been designed and built around Post Office being able
to continue to operate safely and compliantly in the current crisis. Audit
proposed to examine new processes developed for the crisis response
which may have relaxed controls or developed workarounds. The plan
also brought forward audits that the Audit team considered to be high
priority. The top five priority audits were outlined as:
- COVID-19 Programme Assurance: This audit was being done in
phases. A review has been done on set up and the governance of
the programme, with the first interim report issued last week (this
was rated green).
- Maintain Minimum Control Standards: This audit has kicked off and
phase 1 was to end this week. It was to ensure that any relaxed
controls have been signed off appropriately and any new processes
were being properly controlled. The audit had first considered cash
controls and was now moving to financial and IT controls.
- Cyber Security Maturity: This was to look at where the business has
increased vulnerability (particularly from phishing attacks and
hacking). This was to be done in short rapid phases with an interim
report being issued.
- Health and Safety: This review was in the planning stage to
understand where the focus should lie.
- Effectiveness of the Second Line during COVID-19: This audit was
to ensure that where we have redeployed second line employees
into first line roles, we have not been weakening second line and
this was still working as expected.
Johann Appel noted that the plan brought priority elements so there was
an element of duplication in places.
3.1.1 Zarin Patel questioned whether the Belfast Exit and PCI Compliance
Programmes should be higher up on the priority list. Johann Appel agreed
that they should be, but that these programmes were running slowly so
had not been included in the top priorities at present. When the time was
right, these would be brought forward. Zarin Patel further noted that rules
had been relaxed around passwords and access and questioned what was
being done to guard against branch losses to ensure there would not be
future issues. Johann Appel explained that this was part of the Cyber
Security Maturity review but that any changes to password rules and
access had been signed off at the appropriate levels. A review of financial
controls was also being undertaken. Al Cameron confirmed that his team
were very active in monitoring losses and these were being tracked
carefully. In response to a question from Ken McCall, it was further
explained that as yet, there was no comparative data to ascertain whether
branch losses were better or worse during the COVID-19 crisis. The team
est risk profile. At the start of
itting in closed branches that
was not being returned to Post Office. However, since branches have
started to reopen, this figure was down to [illegible]. There has been a
reduction in burglaries and robberies. The Committee asked to see the
team’s list of high-risk branches and this was to be circulated by Al
Cameron.
Action: AC
3.1.2 The Chair highlighted that this was clearly a plan that may require ongoing
adaption. As such, the Committee NOTED the internal audit priorities
during the COVID-19 crisis and APPROVED the re-prioritised internal
audit plan for 2020/21.
3.2 Internal Audit Charter Review
Johann Appel introduced the revised Internal Audit Charter paper, which
was taken as read. He explained that the Charter was reviewed bi-annually
and as it was last approved in March 2018, it was due for review. There
had been minor changes to the Charter reflecting a change in reporting
lines within the Audit team. It was also confirmed that the Charter was
shared with Deloitte, the internal audit co-source, who also complied with
it.
3.2.2 Ken McCall highlighted that a track changed version would be useful in
future and that he felt that the plan should specifically call out cyber
security and cash in the Role and Scope paragraph as these were
particularly important at the moment. Johann Appel explained that
arguably these could be read into the operational, financial and
management controls as listed. He further explained that the Charter just
gave Internal Audit a mandate and that its remit can ultimately be as wide
as necessary with the Committee’s approval. However, the Committee
agreed that the elements of cash and cyber security should be specifically
called out by example within the Charter. Johann Appel was asked to
update this in the Charter and circulate to the Committee. In response to
a question from Zarin Patel, Johann Appel also confirmed that the new
Internal Audit Code of Practice had been considered when reviewing the
Charter and there had been some debate as to whether to refer to this
new Code or the International Standards of Internal Auditing. Ultimately,
it was decided that the Charter should refer to the International
Standards, although a reference to the Code and the International Professional
Practices Framework could be added.
3.2.3 The Committee NOTED the Internal Audit Charter, which was updated to
reflect new reporting lines and APPROVED the Internal Audit Charter for
continued use for the next two years, subject to the Charter being
amended to:
- specifically include cash and cyber security within its Role and Scope
(paragraph 3);
- move the explanation of the process to track and report audit
actions from paragraph 6 to paragraph 5; and
- add reference to International Professional Practices Framework
and The Internal Audit Code of Practice (paragraph 11).
Action
JA
JA
3.3 Review against Terms of Reference
The Chair introduced the paper which was taken as read. It was
highlighted that the responsibilities under the Terms of Reference had
largely been met with two outstanding items being approved in the
present meeting. Accordingly, the Committee APPROVED the outcome of
the review against the Terms of Reference, confirming that the
responsibilities under the Terms of Reference for financial year 2019/20
have been met, with the exception of the review and approval of the
Internal Audit Charter and the approval of the Internal Audit Plan, both of
which were approved on 19 May 2020 and NOTED the new Terms of
Reference for the Committee adopted by the Board on 8 April 2020 to
reflect the new Governance Framework.
3.4 Committee Evaluation Report
The Chair introduced the Committee Evaluation Report, which was taken
as read. It was noted that there were improvements on last year and the
following was highlighted:
- Compliance with the regulatory landscape was a lower scoring
element and a paper was now being presented (see item 12) on
Law & Trends. The Committee agreed this addressed the gaps in
this area.
- As to the receipt of information and timeliness, it was noted that
management had been good at submitting reports, even in the
current crisis period, however this was a general point that had also
come up in the Board evaluation.
- Tom Cooper suggested that there should be a regular discussion on
legal risks relating, particularly, to contract management,
Postmaster contracts, Starling and procurement. In response, it
was highlighted that Starling and Postmaster contracts (as part of
the Group Litigation Order work (GLO)) were Board level
discussions. Procurement risk was addressed at item 13 and contract
management was at item 11. It was agreed that the Annual Legal
Report could be produced on a quarterly or half yearly basis, but
this should focus on areas other than Starling and GLO. This would
be added to the forward plan. Where possible, existing BAU
reporting and processes should be used to avoid too much extra
work. The legal risks should also be included in the regular Risk
report and on Archer. Moreover, a Law & Trends forum would be
established to proactively manage new and emerging legal and
regulatory requirements. A Law & Trends report has now been
prepared to report to Risk & Compliance Committee and the
Committee of the new and emerging requirements.
- It was agreed that the right pattern of meetings was in place and
noted that a specific meeting to review the Annual Report and
Accounts was scheduled in June 2020.
- Work would be done to publish the Committee’s forward plan and
consider the timings of meetings.
- The lack of IT expertise was specifically being addressed by the
recruitment of Lisa Harrington (new Non-Executive Director) whose
induction included a specific focus on IT.
Action
BF/RWi
To do: RW
RW
3.4.1 The Committee NOTED the outcome of the Committee Evaluation for
2019/20 and APPROVED the recommended actions to address points
raised and areas which may require development.
4. Co-operation with Law Enforcement Agencies and Addressing
Suspected Criminal Misconduct Policy
4.1 Ben Foat introduced the paper, which was taken as read. He explained
that further work was needed on the policy to operationalise the processes
and review the policy optically, considering how it would be received
should it become public in the future. In summary, the policy set out how
Post Office should respond to requests for information from law
enforcement bodies, regulators or industry-accredited associations. It
outlined that:
The Committee was asked to approve the suggested approach and discuss
the policy.
4.2
4.3
The Chair questioned whether this policy should ultimately be approved
by the Board given its links to GLO. Tim Parker agreed this was a Board
was highlighted that the Horizon judgement stated that HNG-A was robust
and that the business needed to ensure that it remained robust. Zarin
Patel highlighted that the Horizon judgement stated that HNG-A was
“relatively robust” and the business needed to be really clear on why it
believed it was robust. She further highlighted that she had concerns
about the conditions on reporting crime as the crime potentially related to
public money and so should be reported. The Committee agreed that the
wording needed to be double and triple checked before final approval in
consideration of how the policy might be perceived if it were to be made
public.
BF/RWi
4.4
Accordingly, the Committee APPROVED the approach proposed in the
"Group Policy: Co-operation with Law Enforcement Agencies and
Addressing Suspected Criminal Misconduct,” subject to the comments
relating to the wording of the policy as outlined in the minutes. The
Committee AGREED that the final policy should be approved by the Board.
BF/RWi
4.5
Post meeting note:
5. Previous Meetings
The minutes of the meeting of the Audit and Risk Committee held on 24
March 2020 were APPROVED and AUTHORISED for signature by the
Chair.
Progress against the completion of actions as shown on the action log was
NOTED and the following actions were closed:
- Action 6 (x 2) from 24 March 2020 relating to the Annual Legal Risk
Report, the due diligence approach and revised contract
management plan (addressed in item 11);
- Action 7 from 24 March 2020 relating to the Internal Audit plan
(addressed in item 3.1);
- Action 10 from 24 March relating to the Contract Management
Framework Update (addressed in item 11);
- Action 11 from 24 March 2020 relating to Managing Procurement
Relationships (a paper was provided to the Board on 8 April 2020
and this item was further addressed in item 13);
- Action 13.1 from 24 March relating to PCI-DSS and the regular
confirmation from the Fujitsu and Ingenico CEOs;
- Action 15 relating to the Audit Update and the implementation of
Archer (addressed in item 8.1);
- Action 4.7 from 28 January 2020 relating to FRES review of
systems;
- Action 4.8 from 28 January 2020 relating to Joiners, Movers and
Leavers;
- Action 11.9 from 28 January 2020 relating to cookies;
- Action 11.11 from 28 January 2020 relating to GDPR and Contracts
Governance.
- Action 5.3 from 25 November 2019 relating to Contract
Management and the top 50 contracts (addressed in item 11);
- Action 7.5 from 25 November 2019 relating to Commercial Partner
Contingency;
- Action 5.6 (x 3) from 23 September 2019 relating to PCI-DSS.
To do: RW
Action 12 from 24 March relating to Selling Regulated Products in the
branch Network was to remain open as it had been agreed that an Action
Plan would be created and this was still in train. There was an update on
this in item 8.2. Jonathan Hill explained that the team was working on a
plan to enable Pin Pad validation for mails contents and in the meantime,
training was being undertaken and Area Managers were monitoring
compliance with training requirements as a priority. Ken McCall requested
that Jonathan Hill speak to McKinsey as a matter of priority about this
Action Plan.
All other actions remained open.
JH
5.3
The draft minutes of the Risk and Compliance Committee held on 06 May
2020 were NOTED. Al Cameron highlighted four items from the minutes:
- An independent review of suspense accounts as part of the GLO
work: This work was being undertaken by KPMG to look at suspense
account processes. A report was being prepared under legal
privilege, but the initial view seemed to be that the process was
good and no concerns were being flagged. There was some advice
on how to make the process better including a formal policy on how
debits are resolved when they have passed through all resolution
stages and still haven’t been resolved and ensuring that the credit
back log does not build up (this was to be actioned immediately).
- An independent review of stamps and whether any GLO
implications: A third party team was reviewing this to check if
money was lost. This was difficult to ascertain and the work was
ongoing.
- CBRE performance issue: HSL have previously audited Post Office’s
health and safety procedures and have been complimentary. They
have now examined property compliance, which was largely
outsourced to CBRE, with whom the business has had issues in the
past. The audit has shown that CBRE is unreliable and the business
has been relying on them. Notably, they had failed to complete a
lift inspection in Chesterfield on time. The HSL view was that this
was incompetency rather than fraud. Work was being undertaken
to review the contract and consider options to exit them as a
contractor.
- Work ongoing to validate historical final salaries for the defined
benefit pension scheme: It has been discovered that there were
some errors in the calculations under the final defined benefit
pension scheme. Towers Watson have agreed that there were
errors. In 2014, final salaries were capped under the scheme as
a way of reducing cost, and the manual process determined the final
salary. The process was very complicated and there could be 70
different possible allowances which had to be considered. The
process was not automated and had limited oversight, however
there has not been a complaint or challenge on the amount
determined in the period. The assumption therefore was that we
have inclined towards being generous and we have asked for this
to be quantified. The time period in question was from 2014 to
present. The outcomes were uncertain and there was, as yet, no
sense of materiality, but the work was progressing with urgency. It
was highlighted that there was some discretion over the final salary
amount and if need be, we would correct any under payment. The
business needed to consider what to do if it was found that
overpayments had been made. It was explained that there is a
surplus in the scheme whose purpose was to pay the liabilities, but
it may be argued by the trustees that more should be paid.
However, this would need to be examined once the review was
complete. Audits had been done on the scheme previously, but this
element was excluded from the scope because the scheme was
closed and we had done a buy-in. It was further noted that the
Pensions Regulator did not need to be informed provided the issue
was resolved. Al Cameron would produce a paper for the Committee’s
next meeting in July 2020.
Action
AC/BF
AC/BF/RWi
AC
AC
6. Update from Subsidiaries:
6.1 Post Office Insurance (POI) Audit, Risk & Compliance Committee (ARC)
Amanda Bowe joined the meeting.
Amanda Bowe provided a verbal update from the POI ARC. The focus in
last week’s meeting was on COVID-19 and the risks to POI. The business
has done a fantastic job delivering the Nemesis Project (home re-
engineering) and the BAU environment was operating well. Reverse stress
tests have been developed to consider what COVID-19 means for
performance, and then operational and customer facing risks were
discussed. In addition to COVID-19 focus, there was an update from the
external auditors who have a couple of questions regarding goodwill.
There were also BAU updates on Internal Audit and changes were agreed
to the Internal Audit plan in light of the current circumstances. The POI
ARC also approved the regulatory return to the Financial Conduct Authority
(FCA) and received a routine update on Financial Crime. The POI was due
to meet on 20 March 2020 for a deep dive on protection strategy and
further discussion about potential financial mitigations. The Committee
NOTED the verbal update from the POI ARC.
7. Deep Dive: POI Risk and Compliance Update
7.1 Ian Holloway and Ed Dutton joined the meeting.
Ian Holloway introduced the paper which was taken as read. He
highlighted the following:
- The primary concern was the customer base and the need for
flexibility towards customer needs during the current crisis, for
example change in driving habits, travel to different and
unexpected places and cancellation of travel policies without
penalty.
- POI stopped selling travel products in March 2020 as it was felt
these could not give cover for COVID-19 risks and were largely not
needed as travel was not permitted. It was hoped that these
products could be sold again in June 2020.
- Cash flow was being monitored as there were no travel sales and
sales of protection were lower. If sales were to continue in this
trajectory, there may be a need to delay or reduce commission
payment to Post Office. However, the key focuses for the business
over the next few months were getting travel sales back up and
running and to improve the protection strategy to maximise sales.
- Aside from these risks, POI was also monitoring their third party
suppliers to ensure service levels and financial performance were
maintained. It was noted that so far, all had transitioned well to
home working. Project Nemesis had also been completed, despite
the crisis.
7.2
In response to a question from Ken McCall on the write down of good
Ed Dutton explained that required ongoing monitoring. There was
of tangible sede assets from the srainal Purchase of th
iS
made to commission rates paid to Post Office to ensure the statutory entity
of POI is stable. Al Cameron further explained that all impairments were
being reviewed across the organisation. There were some impairments in
IT which may be written off, but otherwise there were no issues. However,
post-COVID-19, we may need to consider if there would be broader
business impairments. He confirmed commission rates were being
reviewed already in light of the fact that there were now lower branch
sales than were originally envisaged when POI was first set up. Andrew
Paynter confirmed these were very live issues and that intangible assets
may need to be examined again.
7.3
Tom Cooper questioned POI's approach to fairly dealing with customers.
rebate. Ed Dutton further explained that there was an issue of practicality:
POI was not an underwriter and did not, therefore, benefit from customers
driving less. There have been discussions with the underwriter as to
whether rebates could be offered, but there was also a budgetary
intermediary between this relationship. Admiral were in a better and
easier position to offer rebates, being a monoline insurer. Otherwise, only
LV were also offering rebates, with others only reflecting rates to panels.
The issue would continue to be monitored along with the budget to see if
this could be offered in the event there was a more market wide response.
It was highlighted that travel had been withdrawn from sale and these
policies had been refunded. All aspects of the FCA guidance were being
adhered to, including offering three months forbearance. Management
was comfortable that it had done as much as it could in the circumstances.
7.4 On People risk, Ed Dutton also outlined that morale seemed high in POI,
although many would like to return to some kind of normality. A drop in
productivity had not been seen but there were some of the usual concerns
about colleagues with more difficult home working set ups. POI was
aligned with Post Office on its People surveys and support.
7.5 The Committee NOTED the report on the POI Risk and Compliance
Update.
Amanda Bowe, Ian Holloway and Ed Dutton left the meeting.
Consolidated Report from Risk, Compliance and Internal Audit
8.1 Risk Report, including update on internal controls software
Mark Baldock introduced the paper, which was taken as read. The COVID-
19 risk response was dealt with at item 2 above. COVID-19 risks were
now wrapped into non-COVID-19 risks with 15 enterprise risks identified,
alongside the 54 linked intermediate risks. The key enterprise risks were
outlined as:
- Commercial: Post Office’s commercial proposition may be
unattractive because the existing products were too complex or
confusing, new products were cost ineffective, unable to be scaled
and unattractive to the market;
- Legal: Post Office may be unable to comply with legislative and
regulatory changes.
- Financial: Post Office may have insufficient funding and/or
uncontrolled costs in the short, medium and long-term.
- Technology: Post Office was heavily reliant on third party suppliers
and has an ageing IT infrastructure on both hardware and software
components.
- Marketplace: Post Office services and products across the various
sectors may decline and/or loyalty to the Brand reduce resulting in
loss in attractiveness for Postmasters, loss in revenue and
reputational damage
8.1.2 On the implementation of Archer, all risks were expected to be on this
software by the end of May 2020. This would offer greater visibility around
strategic risks and the aspiration was that the next report to the
Committee would be dashboard based as generated from Archer. In
response to a question from Zarin Patel, it was confirmed that there were
three elements of ratings for risks (inherent where there were no controls,
residual risks where there was an element of judgement and a target RAG
status). This would allow trends to be reported over time.
Action: MB
8.1.3 Al Cameron explained that the Risk team had also been asked to review
the Risk Appetite Statement which was last approved by the Board in
January 2015. It was proving difficult to articulate statements which could
be agreed and would help the decision-making process. Once this
Statement was approved, this could be built into Archer and linked to the
risks and trends.
Action: MB
8.1.4 The Chair raised the potential risk associated with the sudden departure
of the Royal Mail CEO, noting that we were presently negotiating a new
contract. Al Cameron confirmed this has been discussed with Nick Read,
Owen Woodley (Group Chief Commercial Officer) and Mark Siviter
(Managing Director, Mails & Retail). The view was that we should carry on
as normal as we are close to securing a new contract and should not look
to take advantage of the situation. Tim Parker agreed, noting that it was
best not to draw attention to the negotiations and hope that any
replacement CEO would not turn the negotiations on their head. It was
agreed that at this stage, there did not need to be a change in approach
but this would be monitored.
Action: AC/NR
8.1.5 The Committee NOTED the Risk update, specifically:
- the status of the current enterprise risks and intermediate risks;
- the status of the current COVID-19 risk position; and
- the latest position on the implementation of the Post Office’s Governance,
Risk & Compliance tool (Archer).
8.2 Compliance Report, including the Mails Dangerous Goods Compliance
Action Plan
Jonathan Hill introduced the paper, which was taken as read. The following
was highlighted:
- Regulators: None were stepping back from compliance in the
current circumstances but they were being more understanding
about the timing of reporting. There has been an increased focus
on vulnerable customers and critical services across the board.
- Ofcom: Telco has now been asked to provide weekly updates on
capability and service standards during the COVID-19 crisis. The
rating on metrics for regulatory notifications has therefore been
pushed out to Amber as these reports needed to be provided
alongside focusing on service provision and business sale.
- Telecoms Commitments: These have been requested by the
Government in light of COVID-19 and Post Office was meeting these
commitments relating to free and low cost calls for vulnerable
customers, working with customers who may be struggling with
debt, removal of data caps, priority fault repairs for those who are
self-isolating or provision of an alternative means of communication
and support for NHS workers.
- PSD2: The business had confirmation from Fujitsu that a solution
will be in place by August 2020. This was not the neatest solution
but would ensure full compliance. A draft letter was being prepared
to the FCA to update them on the latest position. They have already
indicated they are happy with our approach. Once the solution was
in place, the business may apply for an Electronic Communications
Exemption (ECE).
Action: JH
- European Electronic Communications Code: The Department of
Culture, Media and Sport (DCMS) were seeking to hold businesses
to a compliance deadline of 21 December 2020. However, Ofcom
was working to clarify timings and push the deadline into next year.
This was a watching brief.
- Use of Cookies on Internet and Apps: The commercial impact of
being fully compliant was understood but it had been previously
agreed that we want to be “in the middle of pack.” This has been
achieved and customers could choose which cookies are on/off and
could change their selections.
- Lost HR files: ICO has confirmed that it will not take any further
action in respect of the loss of at least 13 Personnel boxes. This was
a significant win for the business. However, work was being
undertaken to ensure those who have been impacted were
supported and training procedures were being refreshed. The ICO’s
advisory comments would be implemented as appropriate.
- Belfast Data Centre Exit and move to the Cloud: IT Strategy was to
exit the Belfast Data Centre in 2021 and move Horizon to a cloud
based solution. IT have selected AWS as the partner of choice and
contract negotiations were due to commence over the next two
weeks. A lot of work has been done to find the right approach in
respect of data protection and the team was now working with the
upstream provider and the relevant contract owners. It was
confirmed that whilst this work was due to complete in September
2021, it appeared in the 2020/21 budget as work needed to start
in the current financial year to ensure the completion deadline was
met.
- Her Majesty's Revenue and Customs (HMRC) Fit & Proper
Registration Fees: Post Office has requested, via contacts with Her
Majesty’s Treasury (HMT) and the Department of Business, Energy
and Industrial Strategy (BEIS) that HMRC either cancels the annual
registration fee for 2020/21 or that it allows Post Office to delay
payment until it has been able to de-register approximately 3,000
branches that were not now commercially viable for Travel Money
and assessed the impact of COVID-19 on the remaining Travel
Money branches. However, HMRC have today refused to allow
anything other than deferring payment until 1 December 2020, with
payment being based on branches registered in June. Tom Cooper
noted that the Minister was about to send a letter to HMRC on this
issue and questioned if it was now required. Jonathan Hill explained
that the letter could not hurt as a further discussion about fees was
being scheduled for three weeks’ time.
- Mails - Dangerous Goods Action Plan: This was discussed under the
actions log as outlined in item 5.2 above.
8.2.1 The Committee NOTED the Compliance update, the impact of COVID-19
on the approach to compliance, the deferment of the HMRC branch
registration fees and the update on the Mails Dangerous Goods Action
Plan.
8.3 Internal Audit Report
Johann introduced the paper, which was taken as read. It was noted that
last year’s audit plan was substantially completed with one audit report
being cleared with management. This report would be circulated to the
Committee once complete. The Committee raised the following points in
relation to the four other audit reports presented:
- Postmaster Onboarding: Ken McCall questioned whether feedback
had been sought from branches on the process. It was felt that this
was critically important due to the sensitivities surrounding this
topic. Johann explained that the audit looked at the implementation
of procedures post-GLO and there had been a survey element, but
that he would need to check the extent and nature of the survey.
Action: JA
- Fit & Proper: Johann Appel confirmed that the Fit & Proper process
remediations were due to be implemented by the end of August.
The Committee questioned whether there were annual rechecks of
critical individuals and noted that there should be, at least, rechecks
every three years for all staff and contractors. Johann Appel
confirmed that there was no process for rechecking of vetting once
an individual had entered the business, but there were rechecks for
Fit & Proper. All vetting was done prior to an individual joining and
having access to systems. Johann Appel was asked to confirm the
time periods for rechecking.
Action: JA
8.3.1 The Committee noted the progress being made with delivery of the
Internal Audit programme and completion of audit actions.
Annual Report and Accounts & Audit Update
Al Cameron introduced the paper, which was taken as read. He outlined
that we had substantially, but not wholly, completed the subsequent
events procedures. The PwC audit process was running smoothly, and this
would flow into a June Committee meeting and a draft of the accounts
would be circulated shortly. Realistically, the accounts would not be signed
quickly as the funding position with Government needed to be addressed.
This would improve impairment assessment and inform our going concern
assessment. Work on the GLO disclosures and any potential provisions
was being held off until the funding position was confirmed. Andrew
Paynter confirmed there were substantial issues that needed to be picked
up later but there were practical issues of leaving these key decisions until
the summer.
9.2 As to the status of the audit work, Sarah Allen confirmed this was going
well but there were areas that needed to progress quicker. However, on
the whole, it was impressive how the teams have adapted to working and
conducting the audit remotely. For example, cash counts were brought
forward so they were completed before the lockdown. The IT work was
now complete, and the team were a good way through their sampling and
checking. Areas around revenue generation were more challenging as
there were so many different revenue streams. In some instances, manual
adjustments have been made outside of Horizon and these have to be
added together to get to the ledger position. The Chair highlighted that
the Committee needed to understand how the revenue and adjustments
tie into agent remuneration and requested assurance on this matter. It
also suggested an independent review be undertaken. Al Cameron
explained that the issue was the same last year and it was not particularly
controversial. Andrew Paynter also confirmed it was a complexity issue for
the audit and that there were only around eight complaints on agents pay
per month, amounting to less than 1% of payments that give rise to
complaints. It was agreed that this issue would be discussed in detail at
the June meeting given the sensitivities around agent remuneration and
GLO.
Action: PwC/AC
To do: RW
9.3 The Committee NOTED the PwC update on their audit of the Company for
financial year 2019-20 and the status of the FY19/20 close and proposed
plans for the Annual Report and Accounts (“ARA”) signing.
10. PCI-DSS and Cyber Security Update
10.1 PCI-DSS, including broader Fujitsu relationship
Jeff Smyth joined the meeting.
Jeff Smyth introduced the paper, which was taken as read. The following
was highlighted:
- Ingenico & Post Office PCI DSS Executive Call was held on 16 April
2020.
- Banking API specification has been signed off;
- Point to point specification has started its 12 week accreditation
cycle;
- COVID-19 has had no significant impact on the overall programme
critical path delivery timeline at this stage.
Overall, the programme was on target and delivering against its
milestones. The next significant milestone was the retail accreditation
from Global Payments, which would give assurance on retail side of
transactions. It was hoped that the end to end banking transaction process
would commence in September with accreditation in December 2020.
10.1.1 The Chair noted that there was really good progress on this programme
and Tom Cooper requested that Jeff Smyth share the presentation from
the CEO to CEO session with Ingenico with the Committee.
Action: JS
10.1.2 It was further outlined that a broader piece of work was being undertaken
to look at the Fujitsu relationship across the business, particularly in
relation to PCI-DSS, Telco and Freedom of Information Requests. This
work was being undertaken with Lisa Harrington (Non-Executive Director)
and McKinsey have done a deep dive into the Fujitsu contract. The work
was looking at where the relationship was heading and where the business
wants it to go (feeding into Project Neo). The work would be brought to
the May and June Boards.
Action: JS
To do: mw
10.1.3 The Committee NOTED the PCI-DSS programme progress in the last
reporting period.
10.2 Cyber Security
Tony Jowett joined the meeting.
Tony Jowett introduced the paper, which was taken as read. The following
points were highlighted:
- Cyber Security Maturity: The business was close to maturity and
Deloitte were re-testing the maturity levels at present. This was to
be focussed on 20 of the 34 cyber capabilities where there has been
major progress in the maturity model. An update on the actual
achievement, re-baseline of the target level maturity and plans for
any gap remediation would be shared with the Committee once the
audit was complete.
- COVID-19: The operating model of the back office has changed
beyond recognition. Controls needed to be loosened over a short
period of time to facilitate home working, and the team has also
been responding to the UK National Cyber Security Centre’s (NCSC)
guidance on specific threats. These related largely to phishing,
malware distribution and registration of new website domains (as
good copies of official websites). A phishing awareness campaign
was run internally with a fake attack being sent, with follow up
comms including the results of the test.
- Joiners/Movers/Leavers: The COVID-19 crisis took some manpower
away from this project but the enhanced automation process was
still due to be completed by July 2020.
- Protecting ourselves on social media: It was highlighted that it was
important that all Committee members reviewed their social media
presence in light of the guidance circulated to the Group Executive
and Board (and contained within the paper) so as to protect
themselves and the business.
Action: TJ
Action: TJ
10.2.1 The Committee NOTED:
- the status and plans regarding our pursuit of agreed target maturity
levels;
- the status and plans regarding our response to the Cyber-related
threats associated with COVID-19;
- the status and plans regarding the reduction of risk associated with
Joiners, Movers and Leavers (JML); and
- the guidance for all Risk and Compliance Committee and Committee
members regarding the secure use of social media.
11. Contract Management Framework Update
11.1 Sherrill Taggart joined the meeting.
Ben Foat introduced the paper, which was taken as read. It was
highlighted that the Contract Management Framework (CMF) had initially
identified 50 material contracts, however it was now understood that there
were in fact 142. The proposal was to reallocate the funding for external
accredited training for contract managers to roll out the Framework to all
the material contracts. For other contracts, the Framework would be
applied to them over the ordinary contract life cycle. A further tranche of
work to bring contracts into the Framework could be considered later when
the financial position allowed. There were around 1500 contracts that
would be incorporated as they come up for renewal which would be a
period of a maximum of three years. Application of the Framework would
be expedited where possible. Sherrill Taggart highlighted that the
Committee should not lose sight of the new contracts coming into play
which were not yet under the Framework. There were around 300 new
contracts since October 2019 and there would be ongoing annual costs of
[redacted] as new and existing
contracts were brought onto the Source to Settle system. Al Cameron
explained that the process for new contracts needed to be confirmed with
funding allocated so as to ensure they were under the Framework. It was
also confirmed that the list of 1500 may reduce as data was added to
Source to Settle but that the business did have a lot of contracts due to
the many different business lines.
11.2 The Committee NOTED that:
- The implementation of the pilot of the Contract Management
Framework (“CMF”) was to complete, as planned, on 19 May 2020;
- The projected final costs of the pilot; and
- The costs, timeframes and residual risk associated with the post
pilot options for the implementation of CMF across the Post Office
Group as presented within the paper.
The Committee APPROVED the recommended approach, as outlined:
- While internal training has been provided, accredited external
training would not be provided to identified contract managers for
material contracts, accepting the risk that this may result in a
baseline level of capability not being established amongst this group
of individuals.
- Reallocating riginally included in the budget to
provide external training in order to complete the upload and
mapping of all remaining contracts identified by the Group
Executive (“GE”) as being material in terms of strategic and
financial value by the end of June 2020 (“Material Contracts”).
- The implementation of CMF across those contracts not identified as
being material by the GE (“Other Contracts”) be done outside of
this project through the natural ‘lifecycle of a contract’ e.g. as they
are renewed, cease or new agreements are entered into. This will
take significantly longer, through BAU resource and processes, but
from the 20/21 Change Portfolio Budget.
12. Law & Trends Update
12.1 Ben Foat introduced the paper which was taken as read. He explained that
it ensured the proactive management of legal and regulatory risks and
was an extension of the Law & Trends Forum which had been implemented
by the Legal, Compliance and Governance Function. This was a cross-
functional forum that identifies new and emerging regulatory and
legislative requirements and considers how to operationalise the
conformance within Post Office. A number of areas were highlighted in the
paper:
- Streamlined Energy and Carbon Reporting Update;
- Morrisons Supreme Court Appeal;
- IR35 ‘Off-Payroll’ Rules Update;
- Employment Legislation Update; and
- Business Area Update.
12.2 The Committee NOTED the new or proposed material changes to laws and
regulations this month.
Sherrill Taggart left the meeting.
13. Supplier Contracts out of Governance
13.1 Barbara Brannon joined the meeting.
Barbara Brannon introduced the paper, which was taken as read. The
Chair noted that the decision of the Board on 8 April 2020 was that all PCR
exceptions (whatever the value) should be approved by the Board. It was
agreed by the Committee that these would be reported straight to the
Board from the Risk & Compliance Committee and did not need to be noted
by this Committee. Barbara Brannon explained that the paper sets out
(for completeness) the exceptions approved by the Board on 8 April 2020.
The following pipeline contracts were highlighted:
- End User Computer Services (EUC): A project has been initiated to
re-procure End User Computer services for both Branch and
Colleague Services. The current plan was to have a new supplier(s)
in place before the end of the current contract [April 2021 with 2
years exit services] with a targeted migration by April 2021. This
was due to be discussed at the GE on 22 May 2020, however it
looked like the contract would be compliant.
- Common Digital Platform: This was a tactical 2 year DOS contract
which was agreed in June 2018, with a compliant six month
extension option to Dec 2020 on a short term basis to allow for
cloud migration and long term strategy adoption. At 31 December
2020, there would be a hard stop with no exit assistance period.
Discussions were underway with the supplier to trigger the
compliant six-month extension option while procurement
process(es) were run. This was due to be discussed at the GE on 20
May 2020.
- Contracts for Brands/Rep, Identity Services and ATM were risk
items that were being reviewed given the current COVID-19
environment.
13.2 The Chair noted that the Identity Services contract was of particular
concern given additional work being generated in this area by the COVID-
19 crisis. Barbara Brannon explained that the current contract with
Digidentity expires in October 2020 and negotiations were on-going to
agree a six month extension to March 2021 in line with the expiry of the
Verify contract. There was a question as to whether we proceed with the
OJEU or take a different strategic approach. A six-month extension would
provide additional time to consider this. This would be discussed at GE and
Board in due course. Tom Cooper noted that there have been discussions
in the past about whether Digidentity were the appropriate partner and Al
Cameron was asked to raise this with Nick Read and Owen Woodley to
ascertain exactly what was being done with respect of this work.
Action: AC
13.3 In response to questions from the Committee, Barbara Brannon confirmed
that there were pipeline plans for procurement over the next 3 - 5 years
covering strategy, transition, technical and other risks. The procurement
team hold monthly meetings with the relevant stakeholders to discuss
contracts in the pipeline. Al Cameron confirmed that extensive work was
being done on this and that it was just not visible to the Board.
Accordingly, the Committee requested that the paper requesting approval
of PCR exceptions by the Board included a 12 month overview of pipeline
contracts.
Action: BB
13.4 The Committee NOTED the contents of the Supplier Contracts out of
Governance Report.
Barbara Brannon left the meeting.
14. AOB
19/2020 18:04
David Parry
From: no-reply¢ GRO i
Sent: 22 September 2020 18:0.
To: David Parry
Subject: The vote has been passed for '20200519_POL_ARC_MIN_APPROVEDBYCHAIR.docx’
The vote has been passed for the Voting Document entitled
'20200519_POL_ARC_MIN_APPROVEDBYCHAIR.docx' in book 'ARC Minutes for signature’.
Vote Response   Count   (%)
For             1       100
Against         0       0
Abstained       0       0
Not Cast        0       0
Voter Status
Carla Stent For 22/09/2020 06:04 PM GMT Standard Time
Comments have been added to this vote.
1 votes were required to pass the vote.