POL00448531
Forensics and Integrity Services — Whistleblowing Assurance Review
July 2022
Confidential
EY
Building a better
working world
Contents
Understanding of your needs
Why EY & credentials
Industry insights and best practices
Proposed team
Approach and methodology
Commercials
Dependencies
EY understands the importance of having an effective whistleblowing framework

Our understanding of your requirements
» The Post Office requires an independent assessment of the current whistleblowing policy, processes and controls with a specific focus on:
  - The current Speak Up policy (last updated c. one year ago)
  - The appropriateness of the Conversant system for the Speak Up framework as well as of how it is used within the Post Office
  - The communication with Speak Up reporters (from initial report through to case closure)
  - The operational conduct of the investigations arising from Speak Up reports
  - The effectiveness of protection provided to Speak Up reporters
You require this assessment of the extant policies, processes and controls to independently verify the quality, effectiveness and current status of the existing frameworks, including the consistency of application across the franchise business model of the Post Office Limited Structure.
You require a comparison to best practices (to include mandatory requirements), identifying where improvements can be made and providing recommendations as to any changes that should be implemented to enhance those policies, processes and controls, including identifying a target end state.
We have assumed that this assessment should also include operational effectiveness testing, focusing on the likely areas of weaknesses, to test how well the policies, processes and controls are understood and embedded within the business culture and how effective the controls are in enforcing the policies and processes.
You have articulated that this project is of a highly sensitive nature and communication within your own business is required to be on a need-to-know basis. As a consequence, the project team has been sized accordingly and due to the sensitivity of the project kept to minimum numbers.

Key deliverables
A written report to the Post Office, providing:
» An assessment of the current state of the Post Office's whistleblowing policies, processes and controls
» An assessment of the Post Office's whistleblowing investigations and the compliance with internal process, regulatory standards and industry standards
» A comparison to best practices including relation to both whistleblowing and information gathering
» Recommendations as to the target end state for those policies, processes and controls identified in the assessment
A half day workshop to socialise our observations and recommendations with key stakeholders and discuss potential next steps

Scope of the assessment
» Geography - This assessment will draw on global best and leading practices, with operational effectiveness testing of controls limited to the UK
» Entities - This assessment will be specifically for The Post Office Limited
» Timeline - We understand that this engagement shall commence at the start of August 2022 with a final report and action plan to be delivered by October 2022
» Should you wish this work to be performed under legal privilege, this can be discussed prior to commencing work. We have experience working with the clients’ legal representatives and also in partnership with EY Law.
We have the experience to conduct high profile, sensitive reviews under accelerated timescales

Your requirements
The value EY will bring to the Post Office

» We have performed high-profile engagements for multiple corporate entities, demonstrating our experience in dealing with sensitive initiatives and working for Boards and Senior leadership, including: Whistleblowing reviews, Senior Manager Accountability reviews and bespoke business reviews where we reported to UK regulators, several past business reviews that required submissions to regulators.
» We have also conducted similarly sensitive and high profile reviews as well as industry investigations for corporate institutions on behalf of regulators and other public authorities.

» Our team brings extensive experience of whistleblowing and investigations, drawn from first-hand practice in dealing with whistleblowing cases, working with over 10 financial institutions on similar initiatives and through our proprietary survey and comparative data, which allows us to compare the Post Office to whistleblowing best practices
» We are able to draw on our network to provide insights from both financial services and retail aspects which are most important to

» We have put forward a senior team of professionals, led by Spencer John who has experience and credibility with regulators and public bodies. Our team has experience of conducting similar reviews of whistleblowing and investigations combined with expertise in controls assessments.

» We will deploy a tried and tested approach that focuses on delivering a robust assessment that will stand up to challenge and is cognisant of your desire for confidentiality. Where needed, we will use our maturity assessment models to focus the assessment on the areas that matter most, to provide a comparison to industry practice in accelerated timescales, and to support our findings.
» Our approach is to run the framework review and effectiveness testing in parallel, sharing resources and information to increase the speed of delivery and minimise the impact on Post Office stakeholders.

» We understand the importance of effective whistleblowing and investigations to the overall health of a business. Our approach and recommendations will focus on helping you to understand how your policy, procedures and controls compare to market practice and provide you with actionable recommendations and define the target end state
Our experience and industry insights put us in a unique position to conduct this assessment
Sample credentials
Ir dient identified the seen and
‘enhancement of its whistleblowing framework -
asa key priority in prereee for ers
Tequlations
I provided Ge and. fi eldwork resource
during a Goup Internal Audit review of our
client's whistleblowing framework ‘
ea was eroded inalarge Fraud Risk ‘
Neneotient and es Presisnine
EY were engaged by the FCA Enforcement
division to investigate past governance and
sent Panos ofa ns UK bank I
EY was engaged to review a whistleblowing a
‘programme because a concerns about its
EY value added

» We provided our client with an assessment of each element of the whistleblowing framework against the EY maturity model, to indicate how the bank compared to leading practice, allowing them to prioritise initiatives for improvement
» We were able to provide valuable insights from our experience of current leading practice that were relevant to the bank, and give practical recommendations to help them further enhance the whistleblowing framework.
» Our client valued our practical recommendations and have requested us to assess the enhanced framework following implementation of our recommendations.

» Our team displayed sound judgement and knowledge of best practice in relation to the creation and operation of whistleblowing frameworks beyond a central whistleblowing line.
» We worked alongside the internal audit team to upskill them in the technical area of whistleblowing and we received positive feedback on our support to the team.
» EY assisted the client's Internal Audit team to provide deliverables of a high standard which stood up to testing when challenged by senior stakeholders within the business.

» A major North American financial institution engaged EY to assist in benchmarking its Fraud Risk Management (FRM) against industry leading practices and to provide recommendations to improve overall FRM effectiveness. Given that a large proportion of fraud is identified through whistleblowers, our work included an assessment of the bank's whistleblowing policies, procedures and reporting

» Our work focused on four work-streams (corporate governance, accounting and risk management, loans and impairments and rights issues) and included evidence gathering, multi-disciplinary analysis and regulatory reporting
» This was a high profile and highly sensitive investigation with interest from the highest levels of the FCA. Due to the sensitivity, strategic importance and scale of the investigation it was critical to have a high level of partner and specialist involvement.
» Our team included relevant industry experience, technical and investigation skills and knowledge of FCA processes.
» The final notice issued by the FCA resulted in the largest penalty imposed on a senior executive in the UK.

» The Board of a global logistics company operating in over 50 countries approached us to conduct a review of its whistleblowing programme because of concerns about its general operation, the quality of reporting and adherence to international legislation and regulation
» Our recommendations have led to a significant uplift in reports across the entire business.
EY has proprietary market insights on industry best practices

EY has developed leading maturity models which we will employ to assess the strength of design, suitability and operational health of the Post Office’s whistleblowing framework. In doing so, we will compare the Post Office against the current legal and regulatory landscape as well as against our experiences working with other organisations, including franchise model risks

In applying EY's whistleblowing maturity model to the Post Office, we will consider the following:

Legislation and regulatory focus — Including relevant legislation and regulations from the UK and US and global bodies such as the FCA’s SYSC requirements including the Senior Managers Regime (appointment of a whistleblowing Champion), BCBS corporate governance principles, the G30 study on Conduct and Culture, and OSHA guidance. Additionally, EY shall consider drawing on the most appropriate elements of the Regulation of Investigatory Powers Act and the National Intelligence Model, where it is practical to apply in a commercial environment

EY’s experience — EY has practical experience of performing similar assessments in corporate and financial services industries, as well as performing whistleblowing investigations, and has developed a view on what would be considered best practice. Spencer John has significant experience in control ownership roles in the financial services sector and has delivered assessments of whistleblowing frameworks in the FS sector. Rachel Sexton, who will act as the EY Quality Partner, has founded and chairs the Financial Services Investigators forum, providing unique insight into investigations best practice within the financial services sector.

EY whistleblowing Survey — EY conducted a survey across over 40 companies from multiple industry sectors in the UK to discuss their whistleblowing arrangements. “Across the companies surveyed, the average ratio of whistleblowing disclosures to staff was seven disclosures per 1,000 staff per year, however almost 60% of respondents are not confident that they capture all disclosures made directly to a manager.”

EY EMEIA Integrity survey — The 2022 EMEIA Integrity Survey, which is our largest yet, represents the views of 4,762 board members, managers and employees in 54 countries and provides compelling insight into perceptions of fraud, bribery and corruption across the region, including insights into attitudes towards whistleblowing. Within the UK, 81% of respondents answered no to personally ever reporting issues of misconduct to management or to a whistleblowing hotline
We bring an experienced pragmatic team that will deliver tangible value to the Post Office
complianc
le change prc
int experience in stakeh:
jons and financial crime
1 large
Rachel Sexton crime compliance partner with
Quality Partner She has r ewed the operations of investigations teams at two universal bz
internal lighted several areas of imr nt including the
Re he investigation at eight major bank
‘0 review their whistlebl
that need investigating
at EY and 8 years
ancial institutions and p
m at E
rience in conducting whistle
1d Forensic:
Abbie Steele
t Le:
number of whistleblowing review
ment an
unning r
Michelle Acton- ears
Phillip:
Engagemi
Nas ass
Delivery team
Fraud,
Whistle
workshops
pent extensive
is highly experienced in delivering wh
ws for
rime and Forensics team
n house investigation funct
n the
‘on
Evan Sarosik > E
Deliver
livering quality assurance r
nere his recom
sds on s
Evan recently completed ¢
Tom is highly experienced in delivering whistleblowing framewor or numer¢
Tom Bendor- > Tom works in the Financial Crime and
Samuel
Delivery and SMR
100 bank's whistleblow
30 worked on the impleme!
tion phase
ding policies and procedures updates
communications plan and pro 1 for employees facing
e experience of operatio
ge of or
Senior Consultant
e fairness of a financial institution’s determinations by
Our proposed approach - overview
Document Review
and Interviews
Through a desktop review of available documentation and
interviews with relevant key stakeholders, we shall perform
a review covering
Policy ~ Where we can build on the recent implementation
the Speak Up policy ents that
may y more accessibl dable and
areness, case
s keholder
Audit, external Counsel and SME
contributions su
support
Governance ~ Providing options for improved
s and greater alignment to global regu
This o: clude a common challenge ai
ent Information and Whistleblower protection
Our review will also be conducted with reference to the
requirements and standards of relevant regulation and
legislation such as SYSC 18
Efficient use of your time: We s
possible, limiti
In our experience des!
aluabl
‘on how wel
very
confidence i
The sample case walkthroughs will focus on, for example
triage decisioning: time taken to investigate anc
d treatment of, the whistleblower
Operational
Effectiveness
mM previous reviews at
the pr
ional
op reviews and di:
but do not provide
\histleblowing Framework de
propose to conduct a walkthrough of a
small sample of cases, focusing on qualifying Speak Up
reports as well as those determined to be out of scope
v ploring other options for testing Op
ven
ff
issions can be
ano!
other
effective
tional
institutions in as:
and we c:
ci
s with operational control of
veness exe!
nolude
wareness assessment; review of policy
ds/ views; traini
completion.
embarked upon a
Whistleblowing program
There are many non
Maturity
Comparison
When assessing the Speak Up Framework
shall compare the existing arrangements with those of other
organisations we ha
known to have had
Whist
significant
wing prog!
ss of conti
e worked with, in
cognition b
Ing progral
FOA and PRA tules rel
institutions
ual enhancement
cluding ir
regi
mes.
EY
partnered many such
sing or implementing these programme:
© leverage this experience to bring the Post
Office additional examples of the features and capabilities of
leading programmes.
ting to
e
f their
t the Post Office we
stitutions
ors for operating an
S corporate institutions that have also
ancement of th
Whistleblowing maturity model
nine key areas against which we
k. The model
vill inform our
maturity whi
industry pre
also drive recomm
ice and non-
Whistleblowing framework elements: Policy & procedures; Confidential reporting culture; Tone at the top; Oversight & reporting; Awareness & training; Accessibility & ease of use; Case management; Investigation; Effectiveness

Each of the above whistleblowing framework elements will be assessed against EY’s maturity model as set out below

EY maturity model (evolving maturity, lowest level first):
» Almost nothing exists for this performance factor
» Some parts of this performance factor exist, application on different levels is inconsistent
» Established: Performance factor is pragmatically defined and consistently applied on a few levels
» Advanced: Performance factor is defined in more detail and consistently applied on most levels
» Leading Practice: Performance factor is defined in more detail and consistently applied on all levels.
Whistleblowing maturity model

Each of the EY whistleblowing framework elements are assessed against established control expectations. Below is an illustrative example of EY expectations of Oversight and Reporting at each maturity level

» No reporting to the audit committee & external stakeholders about the performance of the whistleblowing programme.

» No reporting to external stakeholders
» General overview provided to the audit committee and to management at various levels.

Established
» Established systems for reporting (whistleblowing reports and outcomes) to the audit committee, management teams at all organisation levels
» External communication on whistleblowing programme to customers, regulators, and the public.
» Effective record keeping allowing FCA examination.
» A non-executive director appointed as the whistle-blowers’ champion.

Advanced
» Audit committee receives regular and robust reports and metrics about the whistleblowing programme including operation and reported concerns.
» External communications about integrity and compliance are used to compare against other organisations and gain insight about external perceptions of the organisation.
» The whistleblowing champion has a level of authority and independence within the firm and access to sufficient resources and information, including access to independent legal advice and training

Leading Practice
» Compliance and integrity are embedded in the board's comprehensive risk-management, governance, and management-review processes.
» Tested board procedures in place to conduct independent investigations & manage related business, legal and reputational issues.
» Whistle-blowers’ Champion role clearly defined & promoted across the organisation, focusing on integrity, independence and effectiveness of the process and protection of whistle-blower.
Our proposed approach - detailed

Stage 0: Mobilisation and planning
» Identify key stakeholders
» Plan and conduct scoping interviews with the business
» Assess key documentation
» Define further data gathering/validation requirement
» Ensure all key risks have been identified
» Design test procedures
» Finalise timings from the assessment

Stage 1: Document reviews and interviews (3 weeks)*
» Perform design adequacy assessment via interviews with relevant stakeholders and walkthroughs of relevant processes
» Assess the whistleblowing process framework against the following components (to be selected and agreed):
  - Culture
  - Tone at the top
  - Policy and guidance
  - Oversight and reporting
  - Awareness and training
  - Accessibility/ease of use
  - Triage and case management
  - Investigation
  - Effectiveness
» Key challenge areas such as whistleblower protection and management information can be assessed in several of the above areas

» Detailed scope document
» Issues / findings relating to the design of the process, procedures and controls. This will take into account regulatory requirements and guidance to identify gaps and areas for improvement

Stage 2: Operating effectiveness (2 weeks)*
» Assess and document effectiveness of controls using defined test procedures.
» Obtain evidence to substantiate control operation
» Document control gaps and propose solutions to facilitate remediation
» Select samples across all significant business areas and channels
» Run a “dummy” whistleblowing incident to determine if escalated through relevant channels

» Issues / findings relating to the operating effectiveness of controls

Stage 3: Maturity Assessment / Comparison (4 week*)
Stage 4: Report findings and recommendations (2 weeks*)
» Compare whistleblowing process against best and leading industry practices
» Develop prioritised recommendations for actions on the future state of frameworks
» Discuss report with the stakeholders leveraging market insights to highlight recommendations
» Draft and finalise the report

» Comparison analysis within report
» Draft and Final Report
» Half day workshop for senior stakeholders

* To be run in parallel over a project period of four weeks
Our commercial proposition —EY fee estimate
Our commercial proposition is bas ef provided and the fe are ha
J on our understanding of the
mptions documented in this prop
iss the 2, appr and further to rr cific requirements.
Rate
3s are b 1 on the fees charges for similar sc ts with a similar sensitive nature. Our fee estimate excludes VAT and expe!

Activities and assumptions
Whistleblowing core capability assessment - 4 weeks
- Document review and interviews
- Operational effectiveness activities
- Market comparison
- Output: A report with findings and recommendations for opportunities for enhancement and a ½ day workshop to discuss the results and next steps
Potential additional area: Investigation QC/QA Process 1-2 weeks
- Target completion by mid-September
- Can be run concurrently with core capability assessment
Potential additional area: Additional Deep dives on specific areas
e.g. Investigations, triage and case management, conflicts of interest, operating model, etc.
Implementation support

Fee (GBP)
eed based on
To be discussed and agreed based on the findings and priorities identified by previous phases

Dependencies and assumptions
» Availability of Post Office stakeholders and contributors for detailed discussions or workshops
» Access to ‘as is’ documentation to quickly assess current state. To be provided prior to starting
» Only closed investigations will be part of the scope of the engagement
» Operational effectiveness exercise is dependent upon the availability of data

The information in this pack is intended to provide only a general outline of the subjects covered. It should not be regarded as comprehensive or sufficient for making decisions, nor should it be used in place of professional advice. Accordingly, Ernst & Young LLP accepts no responsibility for loss arising from any action taken or not taken by anyone using this pack.
Working together to deliver project objectives

Assumptions
EY is making the following assumptions:
» The Post Office will have one policy and a set of processes for whistleblowing which are applied across the business
» Due to the sensitive nature of the work the number of stakeholders we will interview will be agreed upfront and will be focused to give us adequate insight
» We will perform a sample of 10 whistleblowing cases, sample selection to be agreed with you

Dependencies
» Timely access to documents and availability of relevant staff for interviews. To assist the interview scheduling process, we would suggest a representative of the Post Office is assigned responsibility for arranging interviews with an agreed list of key individuals.
» Provision of relevant documentation prior to starting. We will provide a detailed document request list when the scope is finalised, however we anticipate this will include:
  - Whistleblowing policy
  - Whistleblowing training and awareness documents
  - Any relevant internal audit reports relating to whistleblowing
  - Investigations policy
  - Whistleblowing MI and reports to the board
» Timely feedback on our initial findings

Senior engagement
We anticipate that we would want to interview the following senior staff:
» Whistleblowing team, including:
  - Head of Whistleblowing
  - NED/whistleblowing Champion
  - Whistleblowing steering committee
» Compliance professionals including Chief Compliance Officer
» Legal and investigations professionals including General Counsel
» Internal Audit
EY | Assurance | Tax | Transactions | Advisory

About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit ey.com

Ernst & Young LLP
The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number 0300001 and is a member firm of Ernst & Young Global Limited.
Ernst & Young LLP, 1 More London Place, London, SE1 2AF
©2017 Ernst & Young LLP. Published in the UK.
All Rights Reserved.
ey.com