Group
Assurance
POL00460597
Post Office Limited - Document Classification: CONFIDENTIAL
Content
* Assurance Team Structure
* Assurance Activities on a page
* Common Issue Judgement
* PM support Policies
* Horizon Issue Judgement
* Speak Up and CIU
* Other Reviews
* Action Tracking and Integrated Assurance
* SPMP Assurance
* Retail Assurance
It will be important for POL to demonstrate to the Inquiry that measures have been put in place to prevent
the same issues being repeated as well as what it is doing by way of continual monitoring and improvement.
It is recognised that there is cross over between some of the topics.
a) what improvements have been made across POL from 2000 to date,
b) anything further that POL has put in place or intends to put in place going forwards.
c) how POL is or proposes to ensure areas to ensure that history does not
repeat itself and to test how effective the change(s) have been.
d) the commitments it has made to learn lessons and make changes
e) the work undertaken by POL to date, further work that is required in each area and identify documents that may
assist in drafting narrative documents.
Member of:
* Inquiry Steering Committee (ISC)
* IDG 2.0
Regular attendee of:
* RCC
* ARC
Assurance activities overseen by:
* RCC
* ARC
Sean Farrow
Assurance Manager
3B
Phil James (FTC)
Floating Resources from Group
Assurance Manager
2A (Compliance:
* Sally Smith
Feyi Omisore (FTC)
ERG
Assurance Manager
2A
* Reena Chohan
Nazrana Patel
Team support /
Assurance Analyst
2B
Assurance Activities on a page
Group Assurance - Activities on a Page and outcomes
Control Framework
* Framework includes 3 LoD and RACI between 1st line, 2nd line and 3rd line.
* Defined / Clarity for key risks and controls
* Guidance for Control Evidence, control sampling - first and second line.
* Submitted and approved as Draft at Sept 2022 ARC
Status / Outcomes
* The PO Control Framework remains in draft.
* Principles are applied on best endeavours basis, and via all Assurance reviews
Complete - BAU
Assessment of Tech controls
Assessing the effectiveness and adherence of processes and controls for Speak up cases
Central Investigations: Assessing the effectiveness and adherence to processes and controls for Investigations
Group Assurance - Legacy Activities Status / Outcomes
* Common Issues Judgement: Actions taken by POL in response to the Common Issues Judgement
* Postmaster Support Policies: Assurance of effectiveness of Postmaster Support Policies
* Inquiry Rule 9 Requests: Processes and procedures for dealing with Rule 9 requests from Inquiry
* Horizon Issues Judgement: Actions taken by POL in response to the Horizon Issues Judgement
* Historical Shortfall scheme: Claims from current and ex-postmasters in relation to losses occurred due to shortfalls
* Stamps Scheme: Claims from current and ex-postmasters in relation to losses occurred due to Stamp Stock
* Suspension Payments: To obtain objective assurance of the Suspension Payment process - accuracy and completeness
* Pause Payments: Provide assurance to HM Legal on their assessment of the risk of continuing to receive payments from Postmasters
* NBiT business requirements: Identifying and ensuring accuracy of business requirements
* Historical convictions: Ongoing - Remediation scheme for postmasters who were wrongly convicted
* Inquiry Rule 9 / Sect 21 Requests: Ongoing - Supporting updates to process flows for Rule 9 / Sect 21 requests
Status / Outcomes (as far as recoverable from the extraction):
* Pause Payments: Unrated recommendation not to pursue the recovery
* NBiT business requirements: Unrated - some significant [illegible] opportunities
Common Issue Judgement
Common Issues Judgement
OBJECTIVE & APPROACH
* To review the status of actions implemented to address / remediate issues
raised within the Common Issues Judgement.
+ A critical approach applied to assess evidence from a sustainability perspective
and identify further risks or areas of improvement from a POL and/or
Postmaster lens to prevent detriment and ensure appropriate governance /
oversight.
ASSURANCE OPINION
+ A number of challenges had to be overcome and considerable time invested with
the Retail team prior and during the review, this however has resulted in the
following benefits for POL:
+ Single universe of actions (365), clearer ownership / risk articulation.
+ Central repository of evidence, incl. links to sites, clearly tagged to CIJ:
o 1,594 evidence items, and access to 53 live sites (containing policies,
processes, documents, MI, and access to live systems such as Power BI
Dashboards).
o This should now be used for continuous assurance and support Inquiry
preparation.
Retail have completed majority of the CIJ actions (97%). This in isolation is a
considerable achievement, given the cost challenges, changes to personnel, team
structures etc.
That said, and as mentioned above, our review has gone beyond the evidence, to
review with a critical lens whether the actions are sustainable, can demonstrate or
track the impacts on PMs, and where applicable, there is appropriate oversight
and governance. With this context we have identified a number of significant
improvement opportunities:
CIJ Action status - Assurance View (count, % of total)
Completed: 269 (97%)
Not completed: 8 (3%)
Excluded from Assurance scope (linked to HIJ): 4 (1%)
*365 less duplicates 86 = 279
Needs improvement * CIJ 1 (Onboarding) & CIJ 9 (Culture & Comms)
* CIJ 3 (Audits - now known as Branch Assurance)
* CIJ 4 (Shortfalls)
* CIJ 6 (TC & Disputes)
* CIJ 7 (Suspensions)
* CIJ 8 (Terminations)
Common Issues Judgement — Key drivers of Assurance Opinion 1/3
* Some original actions have not been completed or partially completed, for example:
o Loss Recovery process has not been implemented
o Stock Auto Rem and Stock Auto Replenishment - due to lack of funding
o Refresher training is partially completed.
o Discrepancies from returned stock is partially complete
o Fundamental thematic themes emerge which either negate the impact of the actions completed or lead to ineffective oversight of these:
o MI, Dashboards and Reporting (thematic across all CIJ)
+ Whilst the Retail Team have considerable data, MI and dashboards it is very challenging to assess (on an E2E basis) what the overall impact
has been of the actions delivered for CIJ.
* It is unclear how KRI’s, KPI’s and exceptions are tracked holistically or triggered for escalations to ensure timely visibility, and appropriate
governance, for example, the Complaints Dashboard does not provide qualitative information particularly in relation to Branch Assurance Reviews
and Transaction corrections, to indicate if postmasters are seeing a positive change on the ground or not or whether a positive impact in a process
is not negated by any other process (E2E view).
* The GE receive on a regular basis a CIJ dashboard, this in our opinion therefore requires a revamp and should be created with a E2E view of the
PM journeys or akin to a balanced scorecard that many consumer facing organisations have to measure their impact and protection of consumers.
o Root Cause Analysis (thematic across all CIJ)
* Whilst causes or buckets of errors is captured for Transaction Corrections, root cause analysis is not currently used and or reported to support
understanding of why issues/errors are occurring. We believe outcomes of this type of analysis could be used to improve training and support.
Common Issues Judgement — Key drivers of Assurance Opinion 2/3
o Quality Assurance (QA)
* QA processes are being used/introduced to various teams within Retail such as Branch Assurance and Transaction Corrections and Disputes,
this is a positive step to provide assurance on activities completed by these teams. And should therefore be closely monitored to ensure these
are embedded.
* Scripts have been introduced to ensure a consistent approach to contact with Postmasters, and a call recording system has been implemented
allowing call monitoring to take place. However, in some instances, calls made via mobile phones cannot be recorded and therefore not able
to be monitored.
* PM Suspension payments are calculated by Finance however these are not independently checked to ensure the accuracy and or completeness
of the Remuneration components.
o Loss Recovery and Investigations
* Based on the current approach to loss recovery for losses that have been investigated and found to be genuine losses, POL is treating
postmasters differently. Some Postmasters are not engaging with POL on losses and are not repaying them whilst other Postmasters
who do engage with POL are repaying losses.
* Additionally, discrepancy cases identified following Branch Assurance reviews are not prioritised for investigation, not prioritising cases may
mean the suspension time is extended unreasonably.
Common Issues Judgement — Key drivers of Assurance Opinion 3/3
o Other Thematics
+ A standardised approach to document control (incl. version control) needs to be adopted across the Retail team to ensure POL can
demonstrate changes (or no changes) and evolutions to key processes and procedures.
+ Postmaster Support policies - this action has been picked up in CIJ areas where policies are mentioned, however overall, there needs to
be a process or KPI's/metrics to assess the effectiveness and compliance to all Postmaster policies.
+ Effectiveness of Key Support roles
* Conflicts in Decision making — Retail org design
o Other Actions - In addition to the Thematics, 29 additional actions were identified from the findings in each of the individual CIJ areas:
o Onboarding - 2
o Training - 6
o Branch Assurance - 4
o Central Ops - 8
o Retail / Retail Ops - 8
o Culture - 1
o Postmaster policies - 45
Common Issues Judgement — Status of Assurance Actions
+ Tracking, reporting and assessing status of actions formally commenced from December 2023.
+ This is overseen via RCC and ARC.
PM Support Policies
Postmaster Support Policies
OBJECTIVE
To understand, test and gain assurance based on
some point of control testing that the Postmaster
Support policies are working, complied with and fit
for purpose.
Whilst there is a close alignment with CIJ reviews,
and we have aligned both reviews where possible,
the approach of the Postmaster policy reviews was
fundamentally more myopic and did not apply a E2E
view of the POL universe.
Outcomes
* The policies themselves are generally fit for
purpose, however to demonstrate effective
compliance, significant improvements would be
needed in areas such as:
o Policy monitoring and oversight.
o KPI and or KRIs
o Clearer articulation, assessment and monitoring of
key controls
[Table: Postmaster Support policies rated against the assessment questions below; the individual ratings did not survive extraction]
Assessment questions:
* Overall policy rating
* Is risk adequately identified?
* Is the risk appetite correctly identified?
* Are the key personnel correctly identified?
* Are reported minimum controls actually controls?
* What are the key controls?
* What are the key metrics / KPI's?
* Is the process / procedure correctly articulated?
* Does the evidence show the policy is working?
* Given the above, can we be sure the policy is fit for purpose?
Policies reviewed:
* Onboarding (CIJ 1)
* Network and Cash management (CIJ 4)
* Network monitoring (CIJ 3)
* Transaction correction (CIJ
* Account support (CIJ 5)
* Account dispute resolution
* Complaints handling (CIJ
* Contracts performance (CIJ
* Contract suspension (CIJ 7)
Aligned to draft not issued
* Contract termination
Horizon Issue Judgement
HIJ — Assurance Review Paused
HIJ Review
Columns: Owners; HIJ Actions; lines; STATUS; Comments

Owners: [illegible]
HIJ Actions: Build a robust capability to deliver change & prevent and manage defects in the future
Lines: 3
Comments:
4. Key evidence still outstanding despite chasing (RG/CL) - MI on the number of defect post releases, and of which how many are PM impacting, Tally or MI of HSA decisions made categorized by #approved, #conditional approval, and # rejected, with a thematic of the drivers behind these articulated, universe for a) sub postmasters were not informed about identified defect b) some defects were not detected by automatic system checks and as a result lay undiscovered for years c) Legacy Horizon and HNG-X were not remotely robust as demonstrated by the number of defects found d) The lack of records or logs for the use of powerful access roles also contributes to this.
2. Universe of defects still not sent. Horizon solution Authority processes and procedure are robust. That said improvements needed in capturing minutes, universe of change ie change can still bypass HSA
3.

Owners: Martin Godbeld / Pau[illegible]
HIJ Actions: Understand and address the root cause of existing defects / Provide Sub postmasters with close to real time information on known defects in Post Office systems / Establish application monitoring processes and tools to proactively identify defects
Lines: 5
Comments:
1. Underlying processes and procedures are adequate but need to be reviewed and refreshed with a PM lens / PM detriment lens. For eg Horizon Implementation Defect Review TOR, It is very difficult to assess efficacy of defect mgt process without an aggregated view of defects and their ageing, Test exit report - the so what is not clear from the report, basically, there is no formal summary of any risk assessment having taken place in this document, ie it cant be a standalone.
2. Evidence collation not a priority. MG has taken over and consequently accountability is an issue.

Owners: Dean Bessell
HIJ Actions: Build a robust capability to secure, control and audit access to Horizon / Provide an effective, transparent and auditable outcome for Postmasters in the event of financial discrepancies
Lines: 7
Status: In progress
Comments: Feedback has been provided to DB, regarding sum of the parts vs how this come together from a universe, governance and monitoring perspective. Review feedback is being taken on board with revision being made and iteratively, albeit slowly, getting there. Refreshed data re-sent AM to review.
All data sets or metrics may still not be generated. But great cooperation from CISO. TBC

Owners: Sree Balachandran
HIJ Actions: Provide actionable information to Postmasters and POL to allow timely querying of transactions
Lines: 4
Comments:
1. Evidence received Nov. Very convoluted evidence, and in my opinion has been made complex.

Owners: Sally Rush / Paul Smith
HIJ Actions: Improve the Horizon Application to improve usability and reduce defects / Build a robust capability to manage data / Provide requirements to the data platform programme / Establish the capability to securely record and manage Transaction Corrections
Lines: 15
Comments:
1. The way the journey has been laid out makes sense as it show the level of diligence applied to this area to identify problem statements (PS). That said:
+ The documents in many cases do not hang together to show the movement from PS to the number of issues that were finally targeted for remediation. (426 - 212 - 26 - ??)
+ It is difficult to understand the impact POL has made vis a vis the HIJ areas/lines this is covering.
+ A summary of actions taken, their impact, and how these are monitored would probably help.
+ But with either linking to the PS or ignoring them.
Overall this can be and should be simplified
2

Grand Total: 34
Speak Up and Complex
Investigations Unit
Speak Up
OBJECTIVE
The objective of the review was to assess the level of Speak Up process
compliance, when dealing with Speak Up cases.
SCOPE & APPROACH
+ A sample of 10 Speak Up cases (raised between April 2022 - January 2023)
were reviewed against Speak Up policies and procedures and focussing on:
* Security and access of ‘Speak Up’ data — especially maintaining
confidentiality/anonymity
+ Effectiveness of Speak Up communications
* Speak Up monitoring and governance
+ Effectiveness of Speak Up training
Assurance Conclusion:
The Speak Up team was established approximately 18 months ago and during this
period, the team have invested heavily in reviewing and updating processes and
procedures and have also introduced monitoring dashboards for Speak Up which is
reported to Group Executives and Board members monthly.
Whilst being a relatively new team, they are embedding robust processes and
procedures, and have a culture of continuous improvement.
Consequently, our opinion is that the overall control environment is Satisfactory.
GREEN - SATISFACTORY
STATUS OF ACTIONS - 5
Four actions were closed as of 31st August 2023
One remains open —
"POL external Speak Up website is in the process of
being changed and updated".
Work is progressing and forms part of the 2 year Speak
Up strategy to raise awareness of the Speak Up function.
The Speak Up team are working with the Comms team
and have agreed a comms plan.
THEMATICS AND FINDINGS
1. Speak Up Process and procedures — Some
improvement needed
2. Speak Up communications — No material exceptions
Identified
3. Speak Up — Governance and first line assurance — No
exceptions identified
4. Speak Up training — No exceptions identified
Complex Investigation Unit (CIU)
OBJECTIVE
The core objective of the review was to assess the level of process
compliance in accordance with the Group Investigations and Co-
operation with Law Enforcement Policy (GICLE) and the Investigators
Manual.
SCOPE & APPROACH
* Our work sampled 8 investigations performed by the CIU team (over
2022 and 2023). For clarity this review excluded the CIU Assurance
activities over Retail Investigations
Assurance Conclusion
The CIU team actively and constructively engaged with our assurance review, and they are overtly aware of the Common Issue
Judgements.
Their intent and approach in ensuring mistakes of the past are not repeated can clearly be evidenced not only in their revised set of
processes and procedures, but also in the positive behaviours and culture they are trying to embed within CIU and across POL.
Significant improvement reflects CIU to be able to demonstrate adherence to their processes and [illegible] such as:
* Evidence to demonstrate Head [illegible] maintained within CIU case
files, for example, triage criteria, case closure, criminal investigation, [illegible] etc.
Meetings with CIU staff anecdotally show that review meetings are held twice a week on cases, these are not reflected in
casefile(s).
* Use and completion of key CIU documents need to be embedded consistently, such as the Combined strategy/investigation
strategy document and Investigation Control Document, or their non-use formally explained.
* Case and file structures have only recently been adopting a consistent approach therefore for older investigation (2022)
navigating case files is challenging.
Group Assurance acknowledge that this is mainly due to the fact that the team is newly formed, with processes still being created
and embedded, compounded by a heavy CIU workload.
Other Reviews
Inquiry (Rule 9)
OUTCOME
Documentary evidence to demonstrate compliance with processes and procedures could not be
provided. Gaps related to application of POL governance and oversight, and assessment of completeness and accuracy.
Fundamental weaknesses in the control environment were identified such that management of key
inherent risks and associated design and execution of controls was unsatisfactory.
Opinion - the risk of inaccuracy or omissions cannot be ruled out for Rule 9 requests covered in our sample period.
KEY THEMATICS AND FINDINGS
Based on the Rule 9 samples:
- Lack of clear consistency and governance around storage and traceability of documentation for Rule 9 requests through their lifecycle
- Roles, Responsibilities and Ownership for Rule 9 process and governance were not clearly defined.
Suspension remediation review (at request of HM Director)
OBJECTIVE
Group Assurance have performed a review of Post Office’s Suspension
Remediation Review processes and procedures to assess
the robustness of their control environment.
SCOPE & APPROACH
The Assurance Team performed a desk top review of the Historical
Matters Suspension Payment Processes to identify key inherent risk
and expected controls.
A sample of three Suspension Payments was then selected to perform
a walkthrough to assess the effectiveness of controls.
This review was performed during June 2023, and therefore our
opinions and comments reflect the state of the control environment
during this period.
RED - UNSATISFACTORY
STATUS OF ACTIONS
The status of the 10 actions identified at the time of fieldwork,
are summarised below:
+ Four resolved via Legacy team board paper
* Five changes to tightening the process completed
* One was already in place and being completed
Pause Payments
OBJECTIVE
Objectively assess whether HM Legal’s recommendation to continue to receive payments in connection to 21 PM cases deemed as low/medium
was appropriate based on the evidence available.
APPROACH
Group Assurance reviewed a sample of six cases:
* two cases were randomly selected from the three categories (Apparent Dishonesty, Apparent NCE and CC).
All documentary evidence provided by HM Legal was reviewed for the six samples selected.
ASSURANCE OPINION
The process used by the HM Legal team to complete and document their assessment to continue recoveries of losses for 21 cases involving PMs
is very methodical with good file structures and a clear application of logic to categorise the risk classifications.
That said our review has highlighted the following risks that management need to carefully consider prior to assessing whether recoveries
should continue or be paused:
+ It is unclear whether the POL individuals involved in these cases (audit, investigation, and security teams) and the processes and practices
they adopted (dates range from 2006 to 2020) were similar to those that led to incorrect historical convictions.
+ The level of documentation varied for the cases reviewed, in two cases (both CCJ) there was significantly less documentation.
+ In cases where there was genuine theft perpetrated by third parties, it is unclear how POL discharged its duty of care to Postmasters. No
evidence exists of POL employees advising the Postmasters to contact the police and/or check if they had Business insurance to cover such
losses.
Consequently, in our opinion the associated risk in continuing to recover outstanding balances in relation to the 21 cases is extremely high
and the reputational risk outweighs the financial benefit.
Stamps (SS) & Historical Shortfall (HSS) Schemes
Stamps Scheme
Objective: This review was completed following the closure of
the Stamp Scheme, the objective was to ensure SS
claims were dealt with in a fair and consistent
manner.
Scope & Approach: The Review consisted of:
* review of 54 randomly selected SS claims; and
* assessing responses to 67 Assurance questions
along with evidence provided.
Final Report Rating: As the Scheme was closed, and improvements made
following initial and ongoing feedback, the report
was not rated, however Minor improvements needs
were identified.
Thematic actions: One key action was identified - a document retention
policy had not been agreed, this has since been
completed.
Action status: Action closed

Shortfall Scheme
Objective: This review was completed whilst claims were being assessed
and the objective was to ensure the claims were dealt with in
accordance with agreed processes.
Scope & Approach: The Review consisted of:
* Assessing responses to 95 assurance questions including
evidence; and
* Review of 8 randomly selected claims.
Final Report Rating: Significant improvements were identified, and the report was
graded Amber
Thematic actions: 19 actions were identified across several themes including the
HSS and Data universe, Document retention in Relativity,
Governance (including oversight of 3 parties), Policies and
procedures.
Action status: All actions closed
Note — these were the first two schemes that were reviewed, and during the course of each review initial and ongoing feedback was
provided to the relevant teams. As a result, the reviews took longer than anticipated however the learnings have been used to inform how
future schemes are run.
Action Tracking and
Integrated Assurance
Action Tracker
Stamp scheme  Remediation Unit  9  9  Closed
Historic Shortfall scheme  Remediation Unit  19  19  Closed
Suspension remediation review  Remediation Unit  10  10  Closed
Grand Total as at 18/12/23  206  92  114  100  2
Integrated Assurance
Plans for integrated assurance
Following the completion of the Legacy assurance activities, Group Assurance is moving into
the ‘BAU Continuous Assurance’ phase of the original plan.
Approach
Using our knowledge from the Legacy Assurance activities, Group Assurance has
created an Assurance Universe which is made up of:
* CIJ activities
* Assurance & Complex Investigations
* Speak Up
* Remediation Unit
Each Universe has been shared with the business areas to gain feedback which has
been collated into the final version. Workplans are now in the process of being created
and shared.
Group Assurance is also supporting the Remediation Unit in completing ad-hoc
Assurance activities.
SPMP Assurance
Why does SPM need an
Integrated Assurance Universe?
Author: SPM Integrated Assurance Team
17 April, 2024
Post Office Limited - Document Classification: Strictly Confidential
What are the main areas of risk in the
Integrated Assurance Universe?
The building blocks of the SPM Integrated
Assurance Universe focus on those
program or business activities that are
fundamental to the go live of SPM, or
those business functions that would be a
consumer of SPM outputs. These are listed
on the table to the right.
Whilst the ARC signed off on circa 10
areas we have gone beyond these to
ensure all interdependencies are
captured.
The universe once completed will remain
a live, iterative artefact to ensure we
capture new, emerging risk and lessons
identified from assurance activities.
The allocation of P1, P2 and P3 classifications
will need to be confirmed by the identified
universe areas / domain owners to ensure
these are prioritised in accordance with their
impact to go no go decisions/gateways.
Assurance work plan and scheduling of
activity will be created based on the ratings
provided and future release go live dates. To
ensure any assurance activity results are
provided before go live decisions are taken.
On what basis will the Integrated
Assurance Universe be prioritised?
a risk event in the future
it will not likely have a
ramme but could crystalize as
Categories broken down by number of line items and
volume in the universe
Governance, 13,
Contracts (780), 8
Business Support, 5
Transaction Integrity
CIU/Assurance &
Complex Investigations
Notes:
* Areas require validation for completeness / accuracy
* Ratios could change as they are validated by owners
Weighting by prioritisation across universe areas
Breakdown of Priority
Notes:
+ Areas require validation for completeness / accuracy
to ensure the priorities are agreed by owners and
relevant stakeholders.
What are the main areas of risk in the
Integrated Assurance Universe?
Assurance Universe — So What
diagrams provide an example of the
look and feel of the Integrated Assurance
Universe
Each of the areas will have their own
Articulation of risk
Dependencies if any, across universe
areas
Key indicators / monitoring and
Mapping to the relevant observations
from the Inquiry
Links to Universe Framework and
Strategy
+ Master copy ver0.20 Integrated
assurance plan _ERM 24
Octob x
+ Integrated Assurance
Stategy.docx
What will our work plan look like?
The work plan will include:
+ How much assurance coverage we have within SPM (i.e., self assessment completed by domain areas)
+ The extent to which lines of defence will be assured incrementally etc.
+ Specifically, the level of first line coverage (and if any third line coverage, if time is available)
The goal of a robust workplan is to report and track against three main questions:
+ Have we done what we and the business were supposed to have done/assured?
+ What was the outcome?
+ What is our opinion on the control environment for that period? Has it been effectively integrated?
Draft 2024 workplan
(contingent on POL / SPM completion and ownership of the Integrated Assurance Universe)
Factors used to determine work packages:
+ Risk basis (P1,2,3) - i.e., whether critical to go live and / or governance
+ Utilisation of internal resources versus external SME
+ Opportunities to leverage existing assurance (if possible)
+ Opportunities to leverage third line external relationships
Where possible, packages will be aggregated to ensure efficiency, coverage of interdependencies and / or one time assurance. The work package may be a combination of coverage areas (i.e., this is not being done in a siloed or myopic manner).
What are the options for SPM Assurance?
Option: Pause the programme while assurance catches up
Description: Assess Assurance conducted to date which may no longer be reliable and so may need to be reperformed and / or widened for adequate coverage and completeness (i.e., the basics)
Option: Conduct a targeted Assurance review to assess state of readiness
Description: Leverage known assurance reports (where possible) and the Accenture review to assess what has been delivered to date, understanding whether the programme / POL can demonstrate that robust procedures have been applied, touching on key aspects of programme delivery (e.g., risk management, business requirements, end-to-end delivery life cycle)
Option: Perform a desk-top / black box assurance review over artefacts the programmes provide for current go / no-go releases
Description: Support a go / no-go opinion through a desk-top / black site assurance review; this is likely to be of limited value and so is the least preferred option
Option: Continue SPM releases in absence of assurance
Description: Continue releases without assurance, provided residual exposure is defined, assessed and monitored
Option: Hire external support to help complete assurance
Description: Hire external assurance capability to work with POL assurance (SPM) to provide first line assurance across the SPM programme using the SPM integrated Universe
SPM Assurance - Key Steps/ Actions
Complete build of the Assurance
Universe
Create and agree an Integrated
Assurance Plan / Work packages
Release Alignment
Execute Prioritised Assurance
Work plans
Description
Ensure completeness, accuracy and risk prioritisation has been validated
via SPM / Business Owners.
Focusing on P1 Assurance Universe line items. build an Assurary
ie what needs to be assured as a minimum baseline
1 costs needed ie internal and or external
Using step 2 above, assess what assurance
and the implication to go live(s) past and pl
been assured, but must be
le Assurance activities per timelines agreed
and identify
e baseline
0 Jan
2023
APPENDIX
What previous audits and assurances have
taken place within SPM / NBIT?
Caveat: These have not been consumed in the Integrated Assurance Universe or assessed for reliability
FY21/22 May-Jun 21 SPM Programme Business Case Review 3rd Line Business Case Review IA/Deloitte
FY21/22 01/07/2021 SPM Programme Business Case Review 3rd Line Business Case Review IA/Deloitte
FY21/22 Aug-Sep 21 T&C Transaction Integrity Assurance 3rd Line R1 Credera
FY21/22 01/10/2021 SPM MVP Pilot Deployment (D&C GO/NO/Go 3rd Line GO/NO/GO Criteria Review KPMG
FY21/22 Oct 21-Jan 22 SPM Programme Set-Up and Governance Audit 3rd Line R1 IA/Deloitte
FY21/22 Apr-May 22 SPM Set-Up and Governance (follow up from Oct 21 3rd Line R1 IA/Deloitte
FY22/23 Apr 22 - Jun 22 Slim Counter Review 1st Line R1 E2E Review NBIT Slim Counter Assurance Unit NBIT
FY22/23 01/08/22 External Advisory Review to assess progress made since Sept-21 external review with new recommendations 1st Line R1 Credera
FY22/23 Aug 22 - Oct 22 SPMP - Milestone 1 (Counter Pilot 1st Line R1 IA/Deloitte
FY22/23 01/10/2022 Drop and Collect Review 1st Line R1 Credera
FY22/23 01/10/2022 R1 Lessons Learnt (Internal) 1st Line R1 Assurance Unit NBIT
FY22/23 18-20 Jan 23 Gating Review 3rd Line Prog Status Review BEIS
FY22/23 Mar/Apr 23 Technical review (code/standards/methodology 1st Line R2 Credera
FY22/23 Mar 23 Gating Process - R2 Review 1st Line R2 Slalom
FY22/23 Mar 23 Assurance Strategy 2nd Line E2E Assurance universe dev Mazars
FY22/23 Jun 23 Test Assurance 1st Line R2 EY
FY22/23 Jun 23 Credera Tech Review 1st Line R2 Credera
Retail Assurance
RETAIL UNIVERSE DRAFT WORKPLAN
DRAFT Assurance Principles and Approach
TBC
Purpose
The purpose of today's session is to provide an overview of the Retail Assurance workplan and to discuss and agree principles for the way forward.
Retail are accountable for ensuring they own and have appropriate oversight of their Retail Universe.
Group Assurance, along with other assurance functions (Compliance and Internal Audit), are responsible for monitoring the control environment from an objective and / or independent perspective, i.e. the 3 LoD.
Group Assurance will TBC:
* On a sample basis, objectively validate the assurance activities of the Retail team; and
* Complete 'spot checks' on roughly 25% of the completed activities/universe
ARC Commitment
Reporting to ARC in January 2024 will comprise the approach agreed, and plan (i.e. number of) for commencement of assurance activity.
Retail Universe — Pragmatic risk distribution
Grand Total
CIJ1 - Onboarding 12
CIJ2 - Training 18
CIJ3 - Branch Assurance 11
CIJ4 - Shortfalls 12
CIJ5 - Loss Prevention 12
CIJ6 - TC and Disputes 10
CIJ7 - Suspensions 12
CIJ8 - Terminations 12
Total 99
Risk definitions
* P1 - Quarterly: If no assurance is undertaken, this could have an immediate and significant material effect on operational processes and impact the Postmaster detrimentally.
* P2 - Bi-annually: These risks are not time critical however if no assurance is undertaken, the consequence of the risk materialising may not be immediate but could still affect operational processes and impact the Postmaster.
* P3 - Annually: These risks are not time critical and less significant, however if no assurance is undertaken, the consequence of the risk materialising may impact on operational processes causing Postmaster detriment.
Size of the Retail Universe
Retail Universe Draft Workplan
Q4 | P1 Total | P1 Retail | P1 GA/Comp | P2 Total | P2 Retail | P2 GA/Comp | P3 Total | P3 Retail | P3 GA/Comp
CIJ1 - Onboarding | 4 | 2 | 2 | 5 | 0 | 5 | 3 | 2 | 1
CIJ2 - Training | 10 | 8 | 2 | 5 | 4 | 1 | 3 | 3 | 0
CIJ4 - Shortfalls | 6 | 3 | 3 | 5 | 0 | 0 | 1 | 0 | 0
CIJ5 - Loss Prevention | 6 | 2 | 4 | 4 | 0 | 0 | 2 | 0 | 0
CIJ6 - TC and Disputes | 4 | 0 | 4 | 4 | 0 | 0 | 2 | 0 | 0
CIJ3 - Branch Assurance | 3 | 2 | 1 | 7 | 2 | 5 | 1 | 1 | 0
CIJ7 - Suspensions | 4 | 2 | 2 | 6 | 1 | 5 | 2 | 0 | 2
CIJ8 - Terminations | 3 | 1 | 2 | 6 | 2 | 4 | 3 | 1 | 2
Total lines | 40 | 20 | 20 | 28 | 9 | 20 | 2 | 7 | 5
In Q4 there are likely to be a reduced number of lines, as we have matched actions from the CIJ review to the Universe risks.
For example, there are 3 x P1 risks and 1 x P2 risk in CIJ 2 (Training) but these are aligned to actions with an end date of 31/3/24. This means that these lines will not be included in the final Q4 numbers. Once the actions are marked as complete, these lines will be tested in the following quarter.
P2 & P3 activity for CIJ 4, 5 & 6 will be picked up in Q1
Alignment where possible - will feel clunky at first. These figures do not include P2 & P3 activity for CIJ4, 5 & 6, which are planned for Q1.
Group Assurance to complete assurance:
* P1 - 8 (20%)
* P2 - 15 (35%)
* P3 - 4 (23%)
In addition, Group Assurance will review 27% Retail assurance activity and provide assurance on 27 (c 9 per month) line items.
Next Steps
Group Assurance will:
* Share the Retail Universe and the proposed work plan with the Retail team.
* Work with the Retail team to provide clarity where needed.
Retail team to provide a proposal on how to deliver the workplan.
Based on the numbers in slide 4, an example of how the lines could be spread over the quarter:
Example plan
January
February
March
Retail Universe Workplan
The workplan has been created using:
* Information gathered from the Retail teams (feedback from the Universe shared)
* The universe is now aligned (and will continue to be so iteratively) with:
  * AC&I team on the Quality Assurance activity; we have removed duplications which they are focussed on
  * Other assurance activities such as Compliance and Internal Audit.
How owners were identified
Collating the information provided, we have allocated responsibilities as follows:
* Yellow - information to be provided by the Retail team(s)
* Pale Green - Group Assurance led activities
* Blue - Outcome of Compliance and Internal Audit assurance
* Beige - AC&I
(As defined within the Retail work plan)