POL00458051
POST OFFICE LIMITED
GROUP EXECUTIVE REPORT
Post Office Investigations
Title: KPMG Review Findings
Meeting Date: 15 September 2021
Author: Group Legal Director, Sarah Gray
Sponsor: Ben Foat, Group General Counsel
Input Sought: Approval
The Group Executive is asked to approve, for onward submission to the Board, the proposed
creation of a Centralised Investigation Unit and its associated costs.
Previous Governance Oversight
• Group Executive Tactical Meeting of 5 May 2021
Executive Summary
1. Following detailed assessment¹, KPMG has concluded that Post Office should create a
Centralised Investigations Unit (“CIU”). This will ensure all investigations are delivered in
line with a set of minimum standards and protocols and that high-risk investigations are
performed by independent investigators. The introduction of the CIU will also ensure
investigations are properly planned, resourced and executed; with lessons learnt fed
back into the business.
2. At present investigations are not conducted consistently across Post Office, with differing
levels of expertise, oversight, reporting and quality assurance. Where investigations
touch multiple business teams, accountabilities are confused and lessons learnt are
rarely fed back into the business and/or acted upon.
3. Currently investigations are often undertaken within POL from a contractual or
regulatory perspective and there is little consideration at the start of an investigation as
to whether it could potentially result in criminal, civil or disciplinary proceedings. Early
engagement with Post Office Legal would enable proper consideration of criminal or civil
standards or consideration of when to liaise with LEAs.
Questions addressed
1. How does Post Office currently conduct its investigations?
2. In terms of the current state assessment, how does Post Office compare to market
practice?
3. What areas for improvement have been identified and how will progress against these
be tracked?
4. What is the proposed optimum future state Investigations Target Operating Model?
Report
5. Post Office currently operates a decentralised investigations model. Investigations are
overseen and conducted by various business teams and individuals across the business.
KPMG has now completed a current state assessment and the design of a future state
target operating model (“TOM”) for how investigations should be conducted at Post
Office going forward.
¹ The scope of KPMG’s work did not include a review of historical investigations or those conducted in relation to the Historical
Shortfall Scheme.
Confidential
6. The starting point for the work was to identify those teams across the business who
carry out investigatory type activities and to then determine which of these are actually
investigations. A number of activities, such as providing additional support to
postmasters, were found not to be investigations.
7. A working group (“WG”) was established and attended by those teams performing
investigations². The WG agreed a definition for an investigation and a framework for
determining ‘high risk’ investigations. These are set out at annex A and B respectively.
Current State Assessment
8. For each team performing investigations, how they conduct these investigations has
been assessed by KPMG against market practice. Findings have been shared with the
relevant teams and have been checked for factual accuracy. Where areas for
improvement have been identified for particular teams, these have been shared and are
already being taken forward. Progress will be tracked by IDG. A summary of the
findings, by team, is provided at annex C with the full KPMG report available in the
Reading Room.
9. At a more holistic level however, the below summarises KPMG’s findings against a
framework of governance and process, people, and infrastructure.
Governance and Process
10. There is no clear consistent triage process in place across Post Office:
• In some teams there is no formal triage process in place. In others, triaging does
take place but this is largely based on product type and case age rather than the
risk profile of the incident or its potential outcome. Across Post Office there is no
consistent definition as to what constitutes a high-risk case.
11. Investigations are not conducted consistently across Post Office:
• The current decentralised framework means there is a lack of consistency across
the overall Post Office investigations process, including in relation to the
documentation of policies. Work on the Group Investigations Policy (“GIP”) was
paused whilst KPMG conducted their review. As a consequence, the GIP has not
been fully embedded across the Business and business teams feel certain elements
of the GIP are too onerous if applied to high volume low risk investigations.
• There are different levels of oversight and inconsistencies in reporting
requirements, standards and the use of the Legal team. As consultation
requirements are not formalised over when to liaise with Legal (and other SMEs),
the wrapper of privilege may not always be applied where it would be beneficial to
do so, for instance in high-risk cases.
• Currently investigations are often undertaken within Post Office from a contractual
or regulatory perspective and there is little consideration at the start of an
investigation as to whether it could potentially result in criminal, civil or disciplinary
proceedings. Early engagement with POL Legal would enable proper consideration
of criminal or civil standards or consideration of when to liaise with LEAs.
² Service & Support Optimisation, Franchise Partnering, Compliance, Human Resources, Cyber, IT.
• Where investigations touch multiple business teams there is no formal handover or
process to monitor which business team currently holds the investigation, next
steps or who has accountability for the outcome. As a result, there is a risk that
cases will get delayed, lost or the appropriate next steps will not be actioned.
12. There is a lack of consistency in the availability and reporting of MI by the various
business teams:
• HR in particular, due to the use of MyHRHelp, have limited ability to extract MI and
there is a risk that not all HR investigations are logged and recorded.
• There are also inconsistencies in the use of KPIs/SLAs and the reporting of MI to
senior leadership: whilst some teams have clear reporting lines, others do not
formally report outside of their teams.
13. There is no consistent approach to quality assurance across the business teams:
• Business teams have developed their own individual approach to quality assurance.
Whilst some business teams undertake formal monthly quality assurance reviews
on a sample of cases and feed back findings to the individual investigators, others
have a more ad hoc approach.
• There are also no independent quality assurance reviews undertaken across Post
Office to ensure that business teams adhere to common standards, e.g. as set out
in the GIP.
14. There is limited evidence of “lessons learnt” and continuous improvement arising from
investigations across Post Office:
• Whilst some business teams do monitor investigations in order to identify trends or
business improvements this is not consistent across all business teams. Where
issues are identified, the process for feedback within the business is informal and
relies upon conversations and emails. There is no formal process for collating
lessons learnt and no follow up to ensure continuous improvement has been
actioned.
15. There is a lack of overarching governance and oversight over high-risk investigations:
• Currently, there is no overarching governance or central oversight over high-risk
cases and the majority of business teams do not differentiate between high-risk
and other cases when conducting an investigation. In addition, business teams
have no specific mechanism for collating and reporting details of high-risk cases
meaning there is an overall lack of central visibility over these cases.
People
16. Business teams often use Area Managers and Line Managers to conduct investigations:
• Teams with specific areas of focus such as Contracts and Cyber ensure
investigations are undertaken by staff within their function. In these instances,
there are clearly defined roles and responsibilities and clear accountability for
outcomes. Where other teams such as HR and Whistleblowing rely on Area
Managers / Line Managers to conduct investigations on their behalf, in these
instances there is a lack of clarity over roles and responsibilities and who is
accountable for outcomes. Where Line Managers undertake investigations into
their direct reports there is a potential risk that investigators will not be seen to be
independent or there will be a perceived conflict of interest.
• Area Managers and Line Managers also often have limited investigations experience
and there is a risk they are not appropriately qualified to undertake high-risk
investigations, not least because there is no specialist investigations training
provided to any of the business teams or individuals conducting investigations.
Infrastructure
17. There is no consistent use of an investigations case management tool across Post Office:
• Currently business teams use a mixture of Excel, Dynamics, ServiceNow, and
MyHRHelp to log cases and record investigations. While Dynamics is used by the
majority of teams there is inconsistency over the use of its functionality and there
appears to be little understanding of its full capabilities.
• Area Managers do not have access to Dynamics and record investigation findings
on Qualtrics; these must then be manually uploaded by business teams.
18. To address these issues, KPMG’s recommendation is that Post Office centralise its
investigation function. This will ensure all investigations are delivered in line with a set of
minimum standards and protocols and high risk investigations are performed by
independent investigators. The introduction of a CIU will also ensure investigations are
properly planned, resourced and executed; with lessons learnt fed back into the
business.
19. The full KPMG report provides greater detail on the services to be provided by the CIU,
its core processes, tooling considerations, proposed governance structures, reporting
and how it would interface with the business, including a RACI. In essence:
• Investigations which do not meet the ‘high risk’ threshold would continue to be
conducted by the relevant business team but would adhere to the minimum
standards and protocols set by the CIU. The CIU would perform periodic quality
assurance over the ‘low risk’ investigations. MI over the ‘low risk’ investigations
would be provided to the CIU on a regular basis and reported on accordingly.
• Those investigations which are deemed to be ‘high risk’ would be conducted by the
CIU. The caveat to this would be where a ‘high risk’ investigation requires
subject matter expertise (e.g. DP, Cyber etc). For these investigations, the CIU
would be accountable for the investigation but reliant upon the relevant business
teams with the SME knowledge to gather evidence / help conduct the investigation.
• Internal Audit would undertake a wholesale audit of policies and procedures 18
months after set-up with ongoing close links between Internal Audit and the CIU to
ensure a consistent approach and alignment of objectives.
20. This and how the CIU would interface with the business is summarised below:
[Diagram: how the CIU would interface with the business. Legible labels: “Business teams conducting low risk investigations” (including Service & Support Optimisation and Whistleblowing), “Other SMEs”, “Intelligence gathering and liaison”, and “MLRO (Financial crime)”.]
21. No changes would be made to statutory officer roles or their reporting lines. The
statutory officer role of the MLRO is not impacted in any way and has been separated
from the CIU. Reporting to regulators would also remain with the relevant business
team. The CIU would however liaise with Law Enforcement Agencies if an investigation
identified suspected acts of criminal misconduct and/or concluded that a victim of crime
report should be made, in accordance with the controls set out within the Co-operation
with Law Enforcement Agencies Policy (“CLEP”).
22. In terms of ‘what would change’ and additional cost, the Whistleblowing team³ would
move from the Compliance function into the CIU. This is because it is not an efficient or
effective use of resources to run two separate teams with the same skillset.
23. Below is the proposed structure of the CIU. KPMG believe the structure and size to be
appropriate based upon the number of investigations known to have been conducted by
Post Office over the last 12 months:
³ Which constitutes a Whistleblowing Manager and the two investigators which are approved but yet to be appointed.
[Organisation chart: proposed structure of the CIU. The legible content is reproduced below.]
It is proposed that the Head of CIU reports into the Group Legal Director to:
• Align with ownership of the GIP and the CLEP
• Separate the 1st and 2nd lines of defence
• Apply legal privilege for high risk investigations
• Demonstrate the importance and focus that POL have given to this area
Key: Vacancy / Existing roles / Internal transfers / New roles
Roles shown: Group Legal Director; Head of CIU (Band 4); Whistleblowing and Reporting manager (Band 3A/B); Investigations manager (Band 3A/B x 2); Investigators (Band 2B x 2); Intelligence analyst (Band 2A/B).
Responsibilities listed against the Head of CIU and the two manager roles (attribution to individual roles is not legible):
• Triage whistleblowing reports to identify whether [illegible] required and, if so, commission
• Provide oversight over intelligence gathering
• Draft changes to investigations policies and standards
• Collate lessons learnt
• Investigate high profile cases
• Provide oversight on QA and training activities
• Monitor the whistleblowing reporting line and high-risk cases [illegible]
• Produce MI and reporting for CIU and perform trends analysis
• Consolidate MI provided by business teams
• Perform QA on high risk investigations
• Liaise with LEAs and/or regulatory bodies
Responsibilities listed against the Investigators:
• Perform both whistleblowing and high-risk investigations (support and perform) with a reporting line to both the Whistleblowing manager and Investigations manager
• Line managed by Investigations manager
• Identify training requirements, develop training content and deliver training on minimum investigation standards
• Conduct QA on low risk cases
• [illegible] and reporting activities
Note: The SLC criminal and SLC disputes also report to the Group Legal Director.
24. As detailed above, 4 new roles would be created, at an annualised staff cost⁴ of c.
£480k with c. £60k held for recruitment. The Head of the CIU would lead the
CIU, reporting into the Group Legal Director (who is the Policy Owner for the GIP and
CLEP). They would be accountable for all ‘high risk’ investigations.
25. The proposed Investigations TOM has been shared with the Organisational Design Team who
are supportive of its creation in the format set out in this paper and have included
budget to support its implementation within the POM T3 business case, which was
financially approved at IC on 5 July 2021 with the implementation details going for
approval at GE on 7 September 2021. Though no employment offer will be made ahead
of the appropriate approvals being received at GE, the Board and from the OD
Programme Team, to accelerate implementation the recruitment process for the Head
of CIU has begun.
26. The Group Executive is asked to approve, for onward submission to the Board, the
proposed creation of a CIU and its associated cost.
⁴ Costs pulled from the Organisational Design team model, which was validated externally and internally, and approved as the
source for all workforce financial changes.
Annex A - Investigatory Type Activities Performed at Post Office

Investigations
Description: We have used the following criteria to define a POL investigation:
• Where it is mandated by law or regulatory requirements such as allegations of bribery and slavery, money laundering, or data protection breaches;
• [criterion illegible in the source];
• Where an investigation is required to establish the facts and an outcome specific to POL is generated, e.g. following up a whistleblowing [report], employee disciplinary [process], civil proceedings [remainder illegible]. Teams which receive [allegations] of wrongdoing often do not undertake the investigation themselves but refer them [remainder illegible].
Examples: Data Protection - data incidents and suspected breaches; Human Resources - grievances, breaches of Dignity at Work (DaW) and Code of Conduct.

Cash, stock and foreign currency balance monitoring / verification
Description: POL monitor branch activity to help ensure the accuracy of branch accounting records relating to cash, stock and foreign currency and to assure the integrity of cash, stock and foreign currency is maintained. Monitoring is designed to identify risks and help the branch resolve associated issues. These teams do not conduct investigations but identify potential issues which are then flagged to the relevant teams.
Examples: Network Monitoring - branch monitoring; Audit Support - branch monitoring; Financial Crime - bureau monitoring.

Postmaster support
Description: If a Postmaster identifies a discrepancy within their branch accounting, they can raise the issue with POL who will seek to resolve these accounting discrepancies.
Examples: Postmaster Dispute Resolution - Postmaster disputes.

Information gathering
Description: POL respond to a number of external information requests including requests from LEAs, s7 notices and DPA requests. In addition, internal information gathering is undertaken by the Data Protection team in response to internal investigations.
Examples: Security - responding to information requests; Financial Crime - s7 notices and DPA requests; Data Protection - email review and data collection.

Compliance and assurance
Description: Compliance reviews are undertaken on the sale of financial services products, and risk assessments are [undertaken] with product [teams] to identify and remediate crime risks. These are not investigations but compliance and assurance reviews.
Examples: Conduct Compliance - assurance reviews; Financial Crime - product risk assessment & assurance.
Annex B - Criteria Against Which to Identify ‘High Risk’ Investigations
For each type of criterion the table gives the possible criteria for BAU investigations, the reading that has the potential to be high risk if several criteria are met, and the possible criteria for high risk investigations.

Financial impact
  BAU: Financial impact under e.g. £60,000
  Potentially high risk: Financial impact between e.g. £50,000 and £1m
  High risk: Financial impact e.g. > £1m
Reputational damage
  BAU: Unlikely to be reputational damage
  Potentially high risk: Potential for reputational damage
  High risk: Capable of significant reputational damage to the business / significant media coverage
Seniority of those being investigated
  BAU: Below Band 4
  Potentially high risk: Band 4 and above
  High risk: Concerns a member of Board / GE / certified role
Postmaster or employee theft or misappropriation of assets
  BAU: N/A - No allegation of theft or misappropriation of assets
  Potentially high risk: Suspicion of theft or misappropriation of assets
  High risk: Serious allegation of theft or misappropriation of assets
Regulatory breaches by Postmaster or employee
  BAU: [illegible]
  Potentially high risk: Potential for regulatory notification
  High risk: Relates to an identified breach or issue
Misconduct by employee
  BAU: Allegation of misconduct
  Potentially high risk: Potential to be gross misconduct
  High risk: Relates to gross misconduct
Privilege required
  BAU: No suggestion of litigation
  Potentially high risk: Possibility of litigation
  High risk: Likely to result in litigation
Postmaster detriment
  BAU: N/A - No Postmaster detriment
  Potentially high risk: Potential for individual Postmaster detriment
  High risk: Potential to lead to pervasive Postmaster detriment
Referral from business
  BAU: N/A
  Potentially high risk: N/A
  High risk: Requested by a Director level or above

These criteria are designed to allow flexibility and interpretation, rather than provide a prescriptive approach, to ensure that all investigations are given the appropriate consideration in relation to risk.
Annex C: Summary Current State Assessment by Incident type
[Heatmap: findings by theme, one row per incident type. The individual cell ratings are not legible in the source; the legible structure is reproduced below.]
Theme groupings: Lack of consistent governance and oversight over high-risk investigations; No clear triage process in place; No consistent approach to quality assurance; Limited [remainder illegible].
Columns: Policies and processes; Legal involvement; Oversight; Triage of cases; Monitoring of [illegible]; Production of [illegible]; QA; Performance management; Lessons learnt; Capability; Independence; Training; Technology.
Rows (incident types): Postmaster complaints; Contracts; Customer [illegible]; Data protection; Whistleblowing; Human Resources; Cyber; Modern Slavery.
Rating key:
• Limited or no evidence of established market practice
• Some evidence of established market practice
• In line with established market practice