POL00460598
POST OFFICE LIMITED
GROUP EXECUTIVE REPORT
Title: ‘Historical Matters’ - Assurance Approach and Plan
Meeting Date:
Author: Anshu Mathur, Interim Group Compliance Director
Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting and Approval
The GE is asked to note:
i. Our assurance approach and plan for assurance on ‘Historical Matters’
ii. PO Control Framework — Prioritisation, Commencement and Approach
Previous Governance Oversight
Over the last few years a number of papers have been submitted to the GE, sponsored by GGC,
within the area of Compliance, Assurance and the Three Lines of Defence. These papers are
listed below:
* 17th April 2019 - Post Office & Compliance
* January 2021 - Oversight and Governance - Part 2
* 7th September 2021 - Creating a Compliance Culture in the Post Office
The overarching principles stated in these previous papers are still valid, and this paper builds
on them, particularly the execution of appropriate assurance for Historical Matters and a POL
Control Framework.
Questions addressed
1. Why are we prioritising Assurance on Historical Matters?
2. What is the proposed approach to provide assurance and the role of Group Compliance?
3. What are the challenges and support we need from the GE?
Executive Summary
Generally, and following the Common Issues and Horizon Issues judgements and the focus of
the Statutory Inquiry which will bring with it heightened public focus and exposure, it is
essential that Post Office (“POL”) can demonstrate to the Inquiry that all ‘Historical Matters’
have been dealt with fairly, lessons have been learnt and actions taken in a sustainable manner
to prevent repetition of the significant failings of the past or similar risks re-emerging.
Consequently, we are implementing an approach to provide assurance on ‘Historical Matters’
which comprises the following key areas:
a. Schemes/Treatment Strategy - HSS, OHC, PM Detriment, Stamp Scheme
b. Sustainable Resolutions/ Fixes - IDG (ie operational conformance with CIJ and HIJ)
c. PO Control Framework - Integrated Assurance, Three Lines of Defence, Control
assessments - initially focussing on Tech (change), Whistleblowing and
Investigations
d. Inquiry Team - Readiness Assurance
Whilst several valuable and insightful Internal Audits (third line) have been performed, POL
needs to have an embedded first and second line approach to demonstrate robust assurance
on ‘Historical Matters’. This will ensure that Management have ongoing assurance to assess
whether ‘Historical Matters’ have been remediated in a sustainable manner, but more
importantly these can be demonstrated.
Strictly Confidential
Group Compliance have engaged with relevant GE members and their respective teams in the
creation of this plan and the implementation of an approach which leverages existing SME
(Group Risk, Technology, HMU, Strategy & Transformation), supported by a core Controls Team
within Group Compliance.
Sourcing SMEs within POL vs contractors to drive and deliver this Assurance plan ensures we
have continuity, retain corporate knowledge and provide POL with a great platform to then
launch and embed a POL wide Control Framework. To date, support from the wider teams and
GE has been extremely positive which overtly showcases our values of ‘Working in Partnership’
and ‘One Team’.
Our plan adopts a phased approach which involves creation of an assurance universe for
Historical Matters, and then assessing the robustness of documentation or artefacts to
demonstrate what has been delivered and their effectiveness. It is acknowledged that the plan
timelines are challenging, and we accept that in some instances decisions will have to be taken
on priorities, but the December 2022 timeline is geared towards being ready for the Inquiry in
2023.
Lastly, POL also needs a common standard or framework for its Control Environment (CF) to
be formally assessed and monitored against. In parallel to the assurance work on ‘Historical
Matters’, Group Compliance and Group Risk will be creating a POL CF. The CF will provide the
core standards / pillars and guidance which will have to be adopted consistently across POL.
The intention is to initially apply the CF within Tech (Change), Whistleblowing and Investigation
(prior to Dec 2022), and then launch this formally within POL in January 2023.
Our approach will also support POL to be able to demonstrate to BEIS how we are delivering
against the strategic objectives for 2022/23 namely “A key objective for POL’s current Board
and management team is to demonstrate to the Inquiry’s satisfaction that changes have been,
or are in the process of being, made to POL’s systems and processes so that they are fit for
purpose. I should be grateful if you would write, by the end of the parliamentary summer
recess, to let me know what assurance, both internal and external, the Board is putting in place
to demonstrate this”.¹
Our approach
1. The key driver underpinning our approach is to prioritise assurance for those areas under
Inquiry scrutiny, collectively referred to as ‘Historical Matters’, within this paper:
a. Schemes/Treatment Strategy - HSS, OHC, PM Detriment, Stamp Scheme
b. Sustainable Resolutions/ Fixes - IDG (ie operational conformance with CIJ and HIJ)
c. PO Control Framework - Integrated Assurance, Three Lines of Defence, Control
assessments - initially focussing on Tech (change), Whistleblowing and
Investigations
d. Inquiry Team - Readiness Assurance
2. The core outputs will be:
a. Validation of coverage, completeness, consistency and sustainability of key activities.
b. Timely identification of those areas where the POL/business may have to strengthen
their oversight, governance and documentation.
¹ STRATEGIC PRIORITIES FOR 2022/23 - Sarah Munby Permanent Under-Secretary of State letter to Tim Parker (dated 23 May 2022)
c. Monitoring of gaps and their timely resolution.
d. POL Control Framework - minimum standards for an effective control environment
including clarifying integrated assurance and the three lines of defence.
3. Approach:
a. Core Team - We have created a core team of POL SMEs (circa 5) from Group
Compliance, Group Risk and IDG. This team is creating the methodologies,
templates, assessing artefacts required and providing guidance / support to the
business to ensure we can provide a view on ‘Historical Matters’ and related
assurance.
To expand, this team is and will be working closely with the business involved in
Historical Matters (for instance Tech, Retail, HMU etc) to:
i. Ensure coverage of ‘Historical Matters’ is adequate;
ii. Identify current artefacts and documents;
iii. Assess the efficacy of these artefacts (coverage, completeness, consistency and
sustainability);
iv. Identify any gaps and remediations needed; and
v. Prepare an assurance plan for ‘Historical Matters’ for regular assurance (first
and second line) reporting and oversight.
NB: We have been able to secure the core team from existing resources within Group
Compliance (3), Strategy and Transformation (1) and Group Risk (2)². These
resources will be prioritising and balancing delivering this plan, with their BAU
activities.
This team will work under the direct supervision of the Interim Group Compliance
Director, with overall Executive Sponsorship with the Group General Counsel.
b. Phased approach and timelines - July to December 2022
The phases of the assurance plan are designed to leverage existing documentation
and knowledge within the business and have minimal disruption to BAU activities.
In Phase 1 the Group Compliance Team will be creating an assurance tracker for
each area under review. This assurance tracker will help the business in the
identification of key documents and artefacts required to demonstrate to the Inquiry
that appropriate processes, procedures and assurances have been applied.
Group Compliance commenced this activity in July, and are now targeting end
August for the teams to complete their self-assessments against the assurance
trackers.
At the end of Phase 1, we intend to provide the GE a ‘lay of the land’ and agree with
respective GE next steps, including resources and prioritisations, for those areas
where we may be missing assurance or have material gaps.
In Phase 2 (August to September), the Group Compliance team will commence
a review of all documents identified in Phase 1 to assess whether they provide
adequate assurance and the degree of confidence that can be placed on them.
² Group Risk support is part time.
In Phase 3, the Group Compliance team will create an Assurance Framework for the
areas under review to ensure that the GE are provided monthly assurance on
‘Historical Matters’. This will have the following key components:
* Tracking remediations of gaps identified in phase 1 and phase 2
* Group Compliance Assurance on key activities under ‘Historical Matters’.
The phases and their timelines are summarised in the table below:
Phase 1 - July/August | Fact Find/First Line self-assessment | Obtain affirmations and documentary evidence.
Phase 2 - August to September | 2nd Line Assurance | Complete the assurance review and provide a formal report on material exceptions and/or gaps.
Phase 3 - October onwards | Continuous Monitoring | Create an Assurance Framework to provide Monthly/Quarterly (TBC) 2nd line assurance.
Please refer to Appendix 1 (page 4, 5 and 6) for the detailed plan and approach.
c. PO Control Framework (July - December)
Working with Group Risk, we will be creating a POL Control Framework to provide
clarity on what constitutes an effective Control Environment and the key building
blocks through which this can be demonstrated.
In addition, this will define POL’s three lines of defence model, clarifying the roles and
responsibilities for the business (first line), functional assurance/compliance/risk
(second line) and internal audit (third line).
Recognising that POL has already embarked on strengthening its control environment
particularly within Technology, Service & Support and Supply Chain, the POL Control
framework by design will not be prescriptive, allowing the business to adopt their
own procedures and methodologies, as long as the business can demonstrate the
key building blocks of their Control Environment, namely their universe of key
activities and processes, risks and controls, assurance procedures to measure
efficacy of controls, and how their control environment is monitored and maintained.
With an Inquiry lens the principles of the POL Control Framework will be applied
within three areas first (July - December) - Technology (Change), Whistleblowing
and Investigations. This will enable us to fine tune the Control Framework before
launching this formally in January 2023 across POL.
We will share a draft version of POL Control Framework with the GE, RCC and ARC
in August/September 2022.
Please refer to Appendix 1 - Assurance Plan for ‘Historical Matters’.
What we need from the GE
As mentioned, with an Inquiry lens the timelines of the ‘assurance plan’ are very ambitious and
therefore heavily reliant on the business owners to support the approach. That said,
engagement to date has been exceptional.
The key functions which are impacted by this plan are:
HMU (Lead - Evelyn H)
Technology (Lead - Dean B)
Group Risk (Lead - Rebecca B)
Retail (Supply Chain, Support Teams, Network, Service Support)
Strategy and Transformation (Lead - Joanne W)
Whilst most of the heavy lifting will be done by Group Compliance, we will need the support of
the business functions for identification and review of documentation, processes and procedures
that relate to the areas under scope of ‘Historical Matters’.
As mentioned above we would have a clearer picture of the ‘lay of the land’ at the end of Phase
1. At this point we will re-engage with relevant GE to assess impacts, resources needed and
prioritisations.
We will be providing the GE with a monthly tracker to monitor progress and provide an initial
view of key themes and/or observations requiring GE attention.
Appendix 1 — Assurance Plan — Historical Matters
1st and 2nd LoD Assurance
A. Schemes/Treatment Strategy
* Historical Shortfall Schemes (HSS)
* Overturn Historical Convictions (OHC)*
* PM Detriment
* Suspension Payments
* Aged Balances (TBC)
B. Stamp Scheme
C. Sustainable Resolutions/ Fixes
* Improvement Development Group (IDG)
* BAU — Business ownership and embedding fixes arising from:
  CIJ
  HIJ
* Other issues
Executive Accountable
Ben F-
Lead Simon R
Legal
Dan Zinner
Lead Jo Welch
Functional Executives
Assurance Plan
Phase 1: Fact Find / First Line Self Assessments (July)
Obtain affirmations and documentary evidence for:
* Coverage (Universe)
* Risk Universe
* Control Universe
* Existing Frameworks
* Assurance Models for completeness, accuracy, valuations and consistency
* Policies and Procedures
* Identification and treatment of exceptions
* Decision Making authority, visibility and flow through
* Reporting Cadences
Obtain affirmations and documentary evidence for:
* All areas specified in A and B above
* Documentation of resolutions/remediations
* Handover to BAU - Process and procedures
* Monitoring or assurances in place to assess/track:
  * Sustainability
  * Efficacy
  of resolutions/remediations implemented (against original risk profiles and/or emerging risk)
* What processes and procedures are in place to intervene should resolutions or fixes stop working or lose effectiveness and/or create new risks
Phase 2: Carry out 2nd Line Assurance (Aug - Sept)
Perform a second line assurance review.
Provide formal report to GE on material exceptions and/or gaps in 1st LoD.
Phase 3: Continuous Monitoring (Sept Onwards)
From Phases 1 and 2 create an Assurance Framework to provide Monthly/Quarterly Second Line assurances on:
* Key processes and procedures remain effective
* CIJ, HIJ issues resolved remain embedded and effective
* Schemes are operating as designed and consistently being applied.
Appendix 1 Continued — Assurance Plan — Historical Matters
1st and 2nd LoD Assurance
D. PO - Control Framework (CF)
Executive Accountable
Ben F-
Lead: Anshu M
Accountable Exec’s
Assurance Plan
Phase 1: Group Compliance (July — Dec)
Design and obtain sign off for a ‘PO Control Framework’ with clarity provided for*:
* 3 lines of defense and the RACI between First Line, Second Line and Third Line.
* Criteria to demonstrate functional universe coverage (activities, processes, etc)
* Definition of Key risks and key controls (aligned to risk framework)
* Minimum guidance/standards for:
  * Control evidence
  * Control sampling / assessment by first line
  * Control sampling / assessment by second line
(* this is not exhaustive)
In parallel start working with the teams accountable for:
* Tech (Change)
* Whistleblowing
* Investigation
Phase 2: Roll Out of Control Framework (Sept - March)
Design roadshows and team talks to communicate the Control Framework and requirements across the PO.
Prepare a functional plan for timings and support needed to demonstrate compliance.
Share with RCC and ARC
Phase 3: Continuous Monitoring (March Onwards)
First line self assessment reporting
Second line assessment reporting
Second line coverage plan
Appendix 1 Continued — Assurance Plan — Historical Matters
1st and 2nd LoD Assurance
E. Enquiry Team - Assurance
1) Enquiry 218 Q’s - Readiness
2) Responsibility tracker
3) Witness Prep
4) Disclosure and Data movements
Executive Accountable
[illegible]
Assurance Plan
Phase 1: Fact Find / First Line Self Assessments (July)
1), 2) and 4) HSF Tracker:
* Assess completeness, accuracy and timeliness of trackers and identification of data
* Assess reporting and monitoring efficacy, [illegible] ie operational efficacy.
Phase 2: Carry out 2nd Line Assurance (Aug - Sept)
Perform a second line assurance review.
Provide formal report to GE on material exceptions and/or gaps in 1st LoD.
Phase 3: Continuous Monitoring (Sept Onwards)
From Phases 1 and 2 create an Assurance Framework to provide Monthly/Quarterly Second Line assurances on:
* Key processes and procedures remain effective
* CIJ, HIJ issues resolved remain embedded and effective
* Schemes are operating as designed and consistently being applied.
Note: SPM - All outputs from the activities from A, B and C, will be shared with the SPM Team to ensure they have considered
associated risks and controls.