POL00448819
EY
Building a better working world
HOME | Understanding of your needs | Why EY & credentials | Industry insights & best practices | Proposed team | Approach & methodology | Commercials | Dependencies
Contents
Understanding of your needs
Why EY & credentials
Industry insights and best practices
Proposed team
Approach and methodology
Commercials
Dependencies
Appendices (Appendix Deck)
» CVs
» Additional credentials
EY understands the importance of having an effective whistleblowing framework
Our understanding of your requirements
» The Post Office requires an independent assessment of the current whistleblowing policy, processes and controls with a specific focus on:
  » The current Speak Up policy (last updated c. one year ago)
  » The appropriateness of the Conversant system for the Speak Up framework as well as of how it is used within the Post Office
  » The communication with Speak Up reporters (from initial report through to case closure)
  » The operational conduct of the investigations arising from Speak Up reports
  » The effectiveness of protection provided to Speak Up reporters
You require this assessment of the extant policies, processes and controls to independently verify the quality, effectiveness and current status of the existing frameworks, including the consistency of application across the franchise business model of the Post Office Limited Structure.
You require a comparison to best practices (to include mandatory requirements), identifying where improvements can be made and providing recommendations as to any changes that should be implemented to enhance those policies, processes and controls, including identifying a target end state.
We have assumed that this assessment should also include operational effectiveness testing, focusing on the likely areas of weaknesses, to test how well the policies, processes and controls are understood and embedded within the business culture and how effective the controls are in enforcing the policies and processes.
You have articulated that this project is of a highly sensitive nature and communication within your own business is required to be on a need-to-know basis. As a consequence, the project team has been sized accordingly and due to the sensitivity of the project kept to minimum numbers.
Key deliverables
A written report to the Post Office, providing:
» An assessment of the current state of the Post Office’s whistleblowing policies, processes and controls
» An assessment of the Post Office's whistleblowing investigations and the compliance with internal process, regulatory standards and industry standards
» A comparison to best practices including relation to both whistleblowing and information gathering
» Recommendations as to the target end state for those policies, processes and controls identified in the assessment
A half day workshop to socialise our observations and recommendations with key stakeholders and discuss potential next steps
Scope of the assessment
» Geography - This assessment will draw on global best and leading practices, with operational effectiveness testing of controls limited to the UK
» Entities — This assessment will be specifically for The Post Office Limited
» Timeline — We understand that this engagement shall commence at the start of August 2022 with a final report and action plan to be delivered by October 2022
» Should you wish this work to be performed under legal privilege, this can be discussed prior to commencing work. We have experience working with the clients’ legal representatives and also in partnership with EY Law.
We have the experience to conduct high profile, sensitive reviews under accelerated
timescales
Your requirements | The value EY will bring to the Post Office
We have performed high-profile engagements for multiple corporate entities, demonstrating our experience in dealing with sensitive initiatives and working for Boards and Senior leadership, including: Whistleblowing reviews, Senior Manager Accountability reviews and bespoke business reviews where we reported to UK regulators, several past business reviews that required submissions to regulators.
We have also conducted similarly sensitive and high profile reviews as well as industry investigations for corporate institutions on behalf of regulators and other public authorities
Our team brings extensive experience of whistleblowing and investigations, drawn from first-hand practice in dealing with whistleblowing cases, working with over 10 financial institutions on similar initiatives and through our proprietary survey and comparative data, which allows us to compare the Post Office to whistleblowing best practices.
We are able to draw on our network to provide insights from both financial services and retail aspects which are most important to
We have put forward a senior team of professionals, led by Spencer John who has experience and credibility with regulators and public bodies. Our team has experience of conducting similar reviews of whistleblowing and investigations combined with expertise in controls assessments.
We will deploy a tried and tested approach that focuses on delivering a robust assessment that will stand up to challenge and is cognisant of your desire for confidentiality. Where needed, we will use our maturity assessment models to focus the assessment on the areas that matter most, to provide a comparison to industry practice in accelerated timescales, and to support our findings.
Our approach is to run the framework review and effectiveness testing in parallel, sharing resources and information to increase the speed of delivery and minimise the impact on Post Office stakeholders.
We understand the importance of effective whistleblowing and investigations to the overall health of a business. Our approach and recommendations will focus on helping you to understand how your policy, procedures and controls compare to market practice and provide you with actionable recommendations and define the target end state.
Our experience and industry insights put us in a unique position to conduct this assessment
Sample credentials | EY value added
UK headquartered financial institution
Multinational grocery and general merchandise retailer
» Our team displayed sound whist…
» … alongside the internal audit team to upskill them in the technical area of whistleblowing and … positive feedback on …
» EY assisted the client’s Internal Audit team to provide deliverables of a high … stood up to testing when challenged …
Major North American financial institution
UK headquartered financial institution
Review of whistleblowing program for global logistics company
» … approached us to conduct a review of its whistleblowing programme because … to international legislation and regulation.
EY has proprietary market insights on industry best practices
EY has developed leading maturity models which we will employ to assess the strength of design, suitability and operational health of the
Post Office’s whistleblowing framework. In doing so, we will compare the Post Office against the current legal and regulatory landscape as
well as against our experiences working with other organisations, including franchise model risks.
In applying EY’s whistleblowing maturity model to the Post Office, we will consider the following:
Legislation and regulatory focus — Including relevant legislation and regulations from the UK and US and global bodies such as the FCA’s SYSC requirements
including the Senior Managers Regime (appointment of a whistleblowing Champion), BCBS corporate governance principles, the G30 study on Conduct and
Culture, and OSHA guidance. Additionally, EY shall consider drawing on the most appropriate elements of the Regulation of Investigatory Powers Act and the
National Intelligence Model, where it is practical to apply in a commercial environment.
EY’s experience - EY has practical experience of performing similar assessments in corporate and financial services industries, as well as performing
whistleblowing investigations, and has developed a view on what would be considered best practice. Spencer John has significant experience in control
ownership roles in the financial services sector and has delivered assessments of whistleblowing frameworks in the FS sector. Rachel Sexton, who will act as
the EY Quality Partner, has founded and chairs the Financial Services Investigators forum, providing unique insight into investigations best practice within
the financial services sector.
EY whistleblowing Survey - EY conducted a survey across over 40 companies from multiple industry sectors in the UK to discuss their whistleblowing
arrangements. “Across the companies surveyed, the average ratio of whistleblowing disclosures to staff was seven disclosures per 1,000 staff per year,
however almost 60% of respondents are not confident that they capture all disclosures made directly to a manager.”
EY EMEIA Integrity survey - The 2022 EMEIA Integrity Survey, which is our largest yet, represents the views of 4,762 board members, managers and
employees in 54 countries and provides compelling insight into perceptions of fraud, bribery and corruption across the region, including insights into
attitudes towards whistleblowing. Within the UK, 81% of respondents answered no to personally ever reporting issues of misconduct to management or to a
whistleblowing hotline.
We bring an experienced pragmatic team that will deliver tangible value to the Post Office
[Team profiles slide: only fragments of the profile text are legible.]
Names and roles legible: Rachel; Michelle Acton; Phillips; Engagement Lead; Delivery team; Tom Bendor; Sam
Legible text: "… at EY. Tom is highly experienced in delivering whistleblowing framework reviews, includin…"; "… of a FTSE 100 bank's whistleblowing enhan… project, including policies and …edures updates"
Our proposed approach - overview
Through a desktop review of available documentation and interviews with relevant key stakeholders, we shall perform a review covering:
Policy - Where we can build on the recent implementation of the Speak Up policy to present potential enhancements that may make policy more accessible, understandable and actionable
Process/ Procedures - Presenting opportunities for enhancement across training, comms and awareness, case escalation and triage as well as relevant stakeholder contributions such as Internal Audit, …nal Counsel and SME support
Governance — Providing options for improved Speak Up arrangements and greater alignment to global regulator expectations. This … also inc… common challenge area… Management Information and Whistleblower protection
Our review will also be conducted with reference to the requirements and standards of relevant regulation and legislation such as SYSC 18
In our experience desktop reviews and discussions can be very valuable, but do not provide an organisation with a view on how well a Whistleblowing Framework design is working.
We know from previous reviews at other organisations that whistleblowing frameworks tend to be challenged by poor communication of the policy and framework, employee confidence in the process and the speed of investigation.
For this reason we propose to conduct a walkthrough of a small sample of cases, focusing on qualifying Speak Up reports as well as those determined to be out of scope, as well as exploring other options for testing Operational Effectiveness.
The sample case walkthroughs will focus on, for example: triage decisioning; time taken to investigate and close cases; communications with, and treatment of, the whistleblower; interviews with key stakeholders with operational control of the program
Other potential Operational Effectiveness exercises include: staff awareness assessment; review of policy downloads/ views; training completion
Since the introduction of the FCA and PRA rules relating to Whistleblowing, UK regulated Financial Institutions have embarked upon a process of continual enhancement of their Whistleblowing programmes.
When assessing the Speak Up Framework at the Post Office we shall compare the existing arrangements with those of other organisations we have worked with, including institutions known to have had recognition by regulators for operating effective Whistleblowing programmes.
There are many non-FS corporate institutions that have also invested in significant enhancement of their own Whistleblowing programmes. EY has partnered many such institutions in assessing or implementing these programmes and we can therefore leverage this experience to bring the Post Office additional examples of the features and capabilities of leading programmes.
» Efficient use of your time … all ensure … ble, limiting the need for multiple in…
» …ork approach: Our tried and tested … throughout the engageme…
Whistleblowing maturity model
… maturity model … nine key areas … we will consider the Post Office's maturity, which will inform our … recommendations based on leading industry practice and non-… …ations.
[Figure: whistleblowing framework elements]
Each of the above whistleblowing framework elements will be assessed against
EY’s maturity model as set out below
EY maturity model (evolving maturity):
» Almost nothing exists for this performance factor
» Some parts of this performance factor exist, application on different levels is inconsistent
» Established: Performance factor is pragmatically defined and consistently applied on a few levels
» Advanced: Performance factor is defined in more detail and consistently applied on most levels
» Leading Practice: Performance factor is defined in more detail and consistently applied on all levels.
Whistleblowing maturity model
Each of the EY whistleblowing framework elements is assessed against established control expectations. Below is an illustrative example of EY expectations of
Oversight and Reporting at each maturity level.
Whistleblowing framework elements: Tone at the top; Confidential reporting culture; Policy & procedures; Awareness & training; Accessibility & ease of use; Triage & case management; Investigation; Effectiveness; Oversight & reporting
Oversight & reporting
» No reporting to the audit committee & external stakeholders about the performance of the whistleblowing programme.
» General overview provided to the audit committee and to management at various levels. No reporting to external stakeholders
Established
» Established systems for reporting (whistleblowing reports and outcomes) to the audit committee, management teams at all organisation levels.
» External communication on whistleblowing programme to customers, regulators, and the public.
» Effective record keeping allowing FCA examination
» A non-executive director appointed as the whistle-blowers’ champion.
Advanced
» Audit committee receives regular and robust reports and metrics about the whistleblowing programme including operation and reported concerns.
» External communications about integrity and compliance are used to compare against other organisations and gain insight about external perceptions of the organisation
» The whistleblowing champion has a level of authority and independence within the firm and access to sufficient resources and information, including access to independent legal advice and training
Leading Practice
» Compliance and integrity are embedded in the board's comprehensive risk-management, governance, and management-review processes.
» Tested board procedures in place to conduct independent investigations & manage related business, legal and reputational issues.
» Whistle-blowers’ Champion role clearly defined & promoted across the organisation, focusing on integrity, independence and effectiveness of the process and protection of whistle-blowers
Our proposed approach - detailed
[Five-column process chart; the column headings are not legible. Each column lists its activities, followed by its bottom-row item.]
Column 1
» Identify key stakeholders
» Plan and conduct scoping interviews with the business
» Assess key documentation
» Define further data gathering/ validation requirement
» Ensure all key risks have been identified
» Design test procedures
» Finalise timings from the assessment
Bottom row: Detailed scope document
Column 2
» Perform design adequacy assessment via interviews with relevant stakeholders and walkthroughs of relevant processes
» Assess the whistleblowing process framework against the following components (to be selected and agreed):
  1. Culture
  2. Tone at the top
  3. Policy and guidance
  4. Oversight and reporting
  5. Awareness and training
  6. Accessibility/ ease of use
  7. Triage and case management
  8. Investigation
  9. Effectiveness
Key challenge areas such as whistleblower protection and Management information can be assessed in several of the above areas
Bottom row: Issues / findings relating to the design of the process, procedures and controls. This will take into account regulatory requirements and guidance to identify gaps and areas for improvement
Column 3
» Assess and document effectiveness of controls using defined test procedures
» Obtain evidence to substantiate control operation
» Document control gaps and propose solutions to facilitate remediation
» Select samples across all significant business areas and channels
» Run a “dummy” whistleblowing incident to determine if escalated through relevant channels.
Bottom row: Issues / findings relating to the operating effectiveness of controls
Column 4
» Compare whistleblowing process against best and leading industry practices
» Develop prioritised recommendations for actions on the future state of frameworks
Bottom row: Comparison analysis within report
Column 5
» Discuss report with the stakeholders leveraging market insights to highlight recommendations
» Draft and finalise the report
Bottom row: Draft and Final Report; Half day workshop for senior stakeholders
Our commercial proposition — EY fee estimate
» Our commercial proposition is based on our unde… provided and the assumptions docu… to discuss the scope, approach and further to meet your specific requirements
Fee (GBP)
Whistleblowing core capability assessment: £64,000
- 4 weeks
- Document review and interviews
- Operational effectiveness activities
- Market comparison
- Output: A report with findings and recommendations for opportunities for enhancement and a ½ day workshop to discuss the results and next steps
Potential additional area: Investigation QC/QA Process: £10,000 - £20,000
- 1-2 weeks
- Target completion by mid-September
- Can be run concurrently with core capability assessment
Potential additional area: Additional Deep dives on specific areas, e.g. Investigations, triage and case management, conflicts of interest, operating model, etc.
To be discussed and agreed based on the findings and priorities identified by previous phases
Implementation support
Dependencies and assumptions
» Availability of Post Office stakeholders and contributors for detailed discussions or workshops
» Access to “as is” documentation to quickly assess current state. To be provided prior to starting
» Operational effectiveness exercise is dependent upon the availability of data
» Only closed investigations will be part of the scope of the engagement
The information in this pack is intended to provide only a
general outline of the subjects covered. It should not be
regarded as comprehensive or sufficient for making
decisions, nor should it be used in place of professional
advice. Accordingly, Ernst & Young LLP accepts no
responsibility for loss arising from any action taken or
not taken by anyone using this pack.
Working together to deliver project objectives
Assumptions
EY is making the following assumptions:
» The Post Office will have one policy and a set of processes for whistleblowing which are applied across the business
» Due to the sensitive nature of the work the number of stakeholders we will interview will be agreed upfront and will be focused to give us adequate insight
» We will perform a sample of 10 whistleblowing cases, sample selection to be agreed with you
Dependencies
» Timely access to documents and availability of relevant staff for interviews. To assist the interview scheduling process, we would suggest a representative of the Post Office is assigned responsibility for arranging interviews with an agreed list of key individuals.
» Provision of relevant documentation prior to starting. We will provide a detailed document request list when the scope is finalised, however we anticipate this will include:
  » Whistleblowing policy
  » Whistleblowing training and awareness documents
  » Any relevant internal audit reports relating to whistleblowing
  » Investigations policy
  » Whistleblowing MI and reports to the board
» Timely feedback on our initial findings
Senior engagement
» We anticipate that we would want to interview the following senior staff:
  » Whistleblowing team, including:
    » Head of Whistleblowing
    » NED/whistleblowing Champion
    » Whistleblowing steering committee
  » Compliance professionals including Chief Compliance Officer
  » Legal and investigations professionals including General Counsel
  » Internal Audit
EY | Assurance | Tax | Transactions | Advisory
About EY
EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality
services we deliver help build trust and confidence in the capital markets and in economies the
world over. We develop outstanding leaders who team to deliver on our promises to all of our
stakeholders. In so doing, we play a critical role in building a better working world for our people,
for our clients and for our communities.
EY refers to the global organization, and may refer to one or more, of the member firms of
Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global
Limited, a UK company limited by guarantee, does not provide services to clients. For more
information about our organization, please visit ey.com.
Ernst & Young LLP
The UK firm Ernst & Young LLP is a limited liability partnership registered in England and Wales with registered number 0300001
and is a member firm of Ernst & Young Global Limited.
Ernst & Young LLP, 1 More London Place, London, SE1 2AF.
©2017 Ernst & Young LLP. Published in the UK.
All Rights Reserved.
ey.com