POL00448011
POST OFFICE LIMITED GE MEETING REPORT
Confidential

Title: Post Office Investigations: KPMG Review Findings
Meeting Date: 15 September 2021
Author: Group Legal Director: Sarah Gray
Sponsor: Group General Counsel: Ben Foat
Input Sought:
The Group Executive is asked to approve, for onward submission to the Board, the proposed
creation of a Centralised Investigation Unit and its associated costs.
Previous Governance Oversight
Group Executive Tactical Meeting of 5 May 2021
Executive Summary
1. Following detailed assessment, KPMG has concluded that Post Office should create a Centralised Investigations Unit (“CIU”). This will ensure all investigations are delivered in line with a set of minimum standards and protocols and that high risk investigations are performed by independent investigators. The introduction of the CIU will also ensure investigations are properly planned, resourced and executed, with lessons learnt fed back into the business.
2. At present investigations are not conducted consistently across Post Office, with differing levels of expertise, oversight, reporting and quality assurance. Where investigations touch multiple business teams, accountabilities are confused and lessons learnt are rarely fed back into the business and/or acted upon.
3. Investigations are also often undertaken purely from a contractual perspective and without consideration of whether they could result in criminal, civil or disciplinary proceedings. A lack of early engagement with the Legal team also means there is no proper consideration of criminal or civil standards or of when to liaise with Law Enforcement Agencies.
Questions addressed
- How does Post Office currently conduct its investigations?
- In terms of the current state assessment, how does Post Office compare to market practice?
- What areas for improvement have been identified and how will progress against these be tracked?
- What is the proposed optimum future state Investigations Target Operating Model?
Report
4. Post Office currently operates a decentralised investigations model. Investigations are overseen and conducted by various business teams and individuals across the business. KPMG has now completed a current state assessment and the design of a future state target operating model (“TOM”) for how investigations should be conducted at Post Office going forward.
5. The starting point for the work was to identify those teams across the business who carry out investigatory type activities and to then determine which of these actually are investigations. A number of activities, such as providing additional support to postmasters, were found not to be investigations.
6. A working group (“WG”) was established and attended by those teams performing investigations¹. The WG agreed a definition for an investigation and a framework for determining ‘high risk’ investigations. These are set out at annex A and B respectively.
Current State Assessment
7. For each team performing investigations, how they conduct these investigations has been assessed by KPMG against market practice. Findings have been shared with the relevant teams and have been checked for factual accuracy. Where areas for improvement have been identified for particular teams, these have been shared, accepted [tbc by DP] and are being taken forward. Progress is being tracked by IDG. A summary of the findings, by team, is provided at annex C, with the full KPMG report available in the Reading Room.
8. At a more holistic level, however, the following summarises KPMG’s findings against a framework of governance and process, people, and infrastructure.
Governance and Process
9. There is no clear, consistent triage process in place across POL:
- In some teams there is no formal triage process in place. In others, triaging does take place but this is largely based on product type and case age rather than the risk profile of the incident or its potential outcome. Across Post Office there is no consistent definition as to what constitutes a high-risk case.
10. Investigations are not conducted consistently across Post Office:
- The current decentralised framework means there is a lack of consistency across the overall Post Office investigations process, including in relation to the documentation of policies. Work on the Group Investigations Policy (“GIP”) was paused whilst KPMG conducted their review. As a consequence, the GIP has not been fully embedded across the Business, and business teams feel certain elements of the GIP are too onerous if applied to high volume, low risk investigations.
- There are different levels of oversight and inconsistencies in reporting requirements, standards and the use of the Legal team. As consultation requirements are not formalised over when to liaise with Legal (and other SMEs), the wrapper of privilege may not always be applied where it would be beneficial to do so, for instance in high-risk cases.
- Currently investigations are undertaken from a contractual perspective and there is no consideration at the start of an investigation as to whether it could potentially result in criminal, civil or disciplinary proceedings. A lack of early engagement with the Legal team also means there is no proper consideration of criminal or civil standards or of when to liaise with Law Enforcement Agencies.
- Where investigations touch multiple business teams there is no formal handover or process to monitor which business team currently holds the investigation, the next steps, or who has accountability for the outcome. As a result, there is a risk that cases will be delayed or lost, or that the appropriate next steps will not be actioned.
11. There is a lack of consistency in the availability and reporting of MI by the various business teams:

¹ Service & Support Optimisation, Franchise Partnering, Compliance, Human Resources, Cyber, IT.
- HR in particular, due to the use of MyHRHelp, have limited ability to extract MI and there is a risk that not all HR investigations are logged and recorded.
- There are also inconsistencies in the use of KPIs/SLAs and the reporting of MI to senior leadership: whilst some teams have clear reporting lines, others do not formally report outside of their teams.
12. There is no consistent approach to quality assurance across the business teams:
- Business teams have developed their own individual approach to quality assurance. Whilst some business teams undertake formal monthly quality assurance reviews on a sample of cases and feed back findings to the individual investigators, others have a more ad hoc approach.
- There are also no independent quality assurance reviews undertaken across Post Office to ensure that business teams adhere to common standards, e.g. as set out in the GIP.
13. There is limited evidence of “lessons learnt” and continuous improvement arising from investigations across Post Office:
- Whilst some business teams do monitor investigations in order to identify trends or business improvements, this is not consistent across all business teams. Where issues are identified, the process for feedback within the business is informal and relies upon conversations and emails. There is no formal process for collating lessons learnt and no follow up to ensure continuous improvement has been actioned.
14. There is a lack of overarching governance and oversight over high-risk investigations:
- Currently, there is no overarching governance or central oversight over high-risk cases and the majority of business teams do not differentiate between high-risk and other cases when conducting an investigation. In addition, business teams have no specific mechanism for collating and reporting details of high-risk cases, meaning there is an overall lack of central visibility over these cases.
People
15. Business teams often use Area Managers and Line Managers to conduct investigations:
- Teams with specific areas of focus such as Contracts and Cyber ensure investigations are undertaken by staff within their function. In these instances, there are clearly defined roles and responsibilities and clear accountability for outcomes. Other teams such as HR and Whistleblowing rely on Area Managers / Line Managers to conduct investigations on their behalf; in these instances there is a lack of clarity over roles and responsibilities and who is accountable for outcomes. Where Line Managers undertake investigations into their direct reports, there is a potential risk that investigators will not be seen to be independent or that there will be a perceived conflict of interest.
- Area Managers and Line Managers also often have limited investigations experience and there is a risk they are not appropriately qualified to undertake high-risk investigations, not least because there is no specialist investigations training provided to any of the business teams or individuals conducting investigations.
Infrastructure
16. There is no consistent use of an investigations case management tool across Post Office:
- Currently business teams use a mixture of Excel, Dynamics, ServiceNow, MyHRHelp and OneTrust to log cases and record investigations. While Dynamics is used by the majority of teams, there is inconsistency over the use of its functionality and there appears to be little understanding of its full capabilities.
- Area Managers do not have access to Dynamics and record investigation findings on Qualtrics; these must be manually uploaded by business teams.
17. To address these issues, KPMG’s recommendation is that Post Office centralise its investigation function. This will ensure all investigations are delivered in line with a set of minimum standards and protocols and that high risk investigations are performed by independent investigators. The introduction of a CIU will also ensure investigations are properly planned, resourced and executed, with lessons learnt fed back into the business.
18. The full KPMG report provides greater detail on the services to be provided by the CIU, its core processes, tooling considerations, proposed governance structures, reporting and how it would interface with the business, including a RACI. In essence:
- Investigations which do not meet the ‘high risk’ threshold would continue to be conducted by the relevant business team but would adhere to the minimum standards and protocols set by the CIU. The CIU would perform periodic quality assurance over the ‘low risk’ investigations. MI over the ‘low risk’ investigations would be provided to the CIU on a regular basis and reported on accordingly.
- Those investigations which are deemed to be ‘high risk’ would be conducted by the CIU. The caveat to this would be where a ‘high risk’ investigation requires subject matter expertise (e.g. DP, Cyber etc). For these investigations, the CIU would be accountable for the investigation but reliant upon the relevant business teams with the SME knowledge to gather evidence / help conduct the investigation.
- Internal Audit would undertake a wholesale audit of policies and procedures 18 months after set-up, with ongoing close links between Internal Audit and the CIU to ensure a consistent approach and alignment of objectives.
19. This, and how the CIU would interface with the business, is summarised below.

[Diagram: CIU interface with the business. Labels recoverable from the scan: Business teams conducting low risk investigations; Internal Audit; MLRO (Financial crime).]
20. No changes would be made to statutory officer roles or their reporting lines. The statutory officer role of the MLRO is not impacted in any way and has been separated from the CIU. Reporting to regulators would also remain with the relevant business team. The CIU would however liaise with Law Enforcement Agencies if an investigation identified suspected acts of criminal misconduct and/or concluded that a victim of crime report should be made, in accordance with the controls set out within the Co-operation with Law Enforcement Agencies Policy (“CLEP”).
21. In terms of ‘what would change’ and additional cost, the Whistleblowing team² would move from the Compliance function into the CIU. This is because all Whistleblowing reports would likely satisfy the ‘high risk’ test. It is also not an efficient or effective use of resources to run two separate teams with the same skillset.
22. Below is the proposed structure of the CIU. KPMG believe the structure and size to be appropriate based upon the number of investigations known to have been conducted by Post Office over the last 12 months:
[Org chart: proposed structure of the CIU. Key: Existing roles / Internal Transfers / New roles. The chart also shows the Whistleblowing NED.]

Head of CIU (Band 4, vacancy). It is proposed that the Head of CIU reports into the Group Legal Director to:
- Align with ownership of the GIP and the CLEP.
- Separate the 1st and 2nd lines of defence.
- Apply legal privilege for high risk investigations.
- Demonstrate the importance and focus that POL have given to this area.

Whistleblowing and Reporting manager (Band 3A/B):
- Triage whistleblowing reports to identify whether investigations are required and, if so, commission investigations
- Provide oversight over intelligence gathering and reporting activities
- Liaise with LEAs and/or regulatory bodies

Investigations manager (Band 3A/B x 2):
- Draft changes to investigations policies and standards
- Collate lessons learnt
- Investigate high profile cases
- Provide oversight on QA and training activities performed by Investigators
- Perform QA on high risk investigations

Intelligence analyst (Band 2A):
- Monitor the whistleblowing reporting line and high-risk cases triage
- Produce MI and Reporting for the CIU and perform trends analysis
- Consolidate MI provided by business teams

Investigators (Band 2A/B x 2):
- Perform both whistleblowing and high-risk investigations (support and perform) with a reporting line to both the Whistleblowing manager and the Investigations manager
- Line managed by the Investigations manager
- Identify training requirements, develop training content and deliver training on minimum investigation standards
- Conduct QA on low risk cases

Note: The SLC criminal and SLC disputes also report to the Group Legal Director.
23. As detailed above, 4 new roles would be created, at a cost³ of c£320k per annum. The Head of the CIU would lead the CIU, reporting into the Group Legal Director (who is the Policy Owner for the GIP and CLEP). They would be accountable for all ‘high risk’ investigations.
24. The proposed Investigations TOM has been shared with the Organisational Design Team, who are supportive of its creation and have confirmed they have budget to support its implementation. Though no offer will be made ahead of the appropriate approvals being received at GE, the Board and from the Finance Team, to accelerate implementation the recruitment process for the Head of CIU has begun, with x candidates identified to date and interviews pencilled in for x September.
25. The Group Executive is asked to approve, for onward submission to the Board, the proposed creation of a CIU and its associated costs.

² Which constitutes a Whistleblowing Manager and the two investigators which are approved but yet to be appointed.
³ In terms of annual salary. Benefits, Bonus, NIC etc would need to be added to this figure.
Annex A - Investigatory Type Activities Performed at Post Office

Investigations
We have used the following criteria to define a POL investigation:
- Where it is mandated by law or regulatory requirements, such as allegations of bribery and corruption, modern slavery, money laundering, or data protection breaches;
- Where there is a suspicion or allegation of misconduct or wrongdoing;
- Where an investigation is required to establish the facts and an outcome specific to POL is generated, e.g. following up a whistleblowing incident, employee disciplinary action, civil proceedings, Postmaster termination.
POL receive complaints and allegations of misconduct or wrongdoing from numerous sources. Teams who receive complaints/allegations of wrongdoing often do not undertake the investigation themselves but refer them to Area Managers or Operational Line Managers.
Relevant teams and incident types: Contracts - contract breaches; Whistleblowing - Whistleblowing incidents; Issue Resolution - Postmaster complaints; Customer Support - Customer complaints; Customer Experience - Modern Slavery incidents; Financial Crime - SARs reporting*; Cyber - Cyber breaches; Data Protection - Data breaches; Human Resources - Grievances, breaches of Dignity at Work (DaW) and Code of Conduct.

Cash, stock and foreign currency balance monitoring verification
POL monitor branch activity to help ensure the accuracy of branch accounting records relating to cash, stock and foreign currency and to assure the integrity of cash, stock and foreign currency is maintained. Monitoring is designed to identify risks and help the branch resolve associated issues. These teams do not conduct investigations but identify potential issues which are then flagged to the relevant teams.
Relevant teams and incident types: Network Monitoring - Branch monitoring; Audit Support - Branch monitoring; Financial Crime - Bureau monitoring.

Postmaster support
If a Postmaster identifies a discrepancy within their branch accounting they can raise the issue with POL, who will seek to resolve these accounting discrepancies. These discrepancies usually arise as a result of Postmaster error and there is no suspicion of wrong-doing or misconduct.
Relevant teams and incident types: Postmaster Dispute Resolution - Postmaster disputes.

Information gathering
POL respond to a number of external information requests, including requests from LEAs, s.7 notices and DPA requests. In addition, internal information gathering is undertaken by the Data Protection team in response to internal investigations.
Relevant teams and incident types: Security - responding to information requests; Financial Crime - s.7 notices and DPA requests; Data Protection - email review and data collection.

Compliance and assurance
Compliance reviews are undertaken on the sale of financial services products, and risk assessments are undertaken with product managers to identify and remediate potential financial crime risks. These are not investigations but compliance and assurance reviews.
Relevant teams and incident types: Conduct Compliance - assurance reviews; Financial Crime - product risk assessment.
Annex B - Criteria Against Which to Identify ‘High Risk’ Investigations

Criterion | Possible criteria for BAU investigations | Potential to be high risk if several criteria met | Possible criteria for high risk investigations
Financial impact | Financial impact under e.g. £50,000 | Financial impact between e.g. £50,000 and £1m | Financial impact e.g. > £1m
Reputational damage | Unlikely to be reputational damage | Potential for reputational damage | Capable of significant reputational damage to the business / significant media coverage
Seniority of those being investigated | Below Band 4 | Band 4 and above | Concerns a member of Board / GE / certified role
Postmaster or employee theft or misappropriation of assets | N/A - No allegation of theft or misappropriation of assets | Suspicion of theft or misappropriation of assets | Serious allegation of theft or misappropriation of assets
Regulatory breaches by [unreadable in scan] | N/A - No regulatory involvement | Potential for regulatory notification | Relates to an identified breach or issue
Misconduct by employee | Allegation of misconduct | Potential to be gross misconduct | Relates to gross misconduct
Privilege required | No suggestion of litigation | Possibility of litigation | Likely to result in litigation
Postmaster detriment | N/A - No Postmaster detriment | Potential for individual Postmaster detriment | Potential to lead to pervasive Postmaster detriment
Referral from business | N/A | N/A | Requested by a Director level or above

These criteria are designed to allow flexibility and interpretation, rather than provide a prescriptive approach, to ensure that all investigations are given the appropriate consideration in relation to risk.
Annex C: Summary Current State Assessment by Incident Type

[Rating matrix not recoverable from the scan. Rows are incident types (those legible include Postmaster, Customer, Compliance, Whistleblowing, Human Resources, Cyber and Modern Slavery); columns are findings themes (governance and oversight over high risk investigations, triage, monitoring and reporting, consistency of investigations, capability, independence, training, technology). Each cell carries a rating from the key below; the full KPMG report is available in the Reading Room.]

Rating key:
- Limited or no evidence of established market practice
- Some evidence of established market practice
- In line with established market practice