POL00460599
POST OFFICE LIMITED
AUDIT & RISK COMMITTEE REPORT
Title: Group Assurance Update Meeting Date: 25 September 2023
Author: Anshu Mathur, Group Assurance¹ Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting/Approval
The Committee is asked to note and discuss the Group Assurance update, particularly:
Historical Matters Assurance - With 10 out of 13 planned Assurance reviews completed, ARC is
requested to note that only two reviews are rated ‘satisfactory’. Group Assurance are now creating
a continuous assurance programme for the reviewed areas, along with implementing an action
tracking process to ensure remedial actions are completed on a timely basis.
For the benefit of the recently appointed members of the Audit & Risk Committee, we have
provided an overview of the current POL Assurance landscape, which at best would be
assessed as between Undeveloped and Informal, with some pockets of Standardised.
For ARC discussion we have summarised the POL Integrated Assurance Approach which was
approved by GE in July 2023, and the status of the key steps to implement this.
All matters covered in this paper are for Audit & Risk Committee overview.
Group Assurance - Status / Overview
1. Historical Matters Assurance* - Status and outcomes
* As previously presented to RCC/GE and ARC - ‘Historical Matters’ Assurance covers Schemes, IDG (HIJ/CIJ), Inquiry, Control Framework.
At 31 August 2023, the status of the Group Assurance plan is as follows:
• Completed 10 (76%)
• Fieldwork 2 (16%)
• Not started 1 (8%)
Please refer to Appendix 1 for the status and summary of all Group Assurance activities.
During the period since the last ARC in June 2023, Group Assurance have completed and issued:
• Five assurance reviews which were presented and discussed at the July 2023 ARC:
  • Retail - Common Issue Judgement (CIJ) (Needs Significant Improvement)
  • Retail - PM Policies (Needs Significant Improvement)
  • LCG - Speak Up (Satisfactory)
  • Remediation Unit - HSS (Needs Significant Improvement)
  • Inquiry - Rule 9 (Unsatisfactory)
• One assurance review within LCG, which is summarised below:
Central Investigation Unit (CIU)² - Needs Significant Improvement
The core objective of the review was to assess the level of process compliance in accordance
with the Group Investigations and Co-operation with Law Enforcement Policy (GICLE) and the
Investigators Manual. Our work sampled 8 investigations performed by the CIU team. For
clarity, this review excluded the CIU Assurance activities over Retail Investigations.
¹ Group Assurance have adopted Group Internal Audit’s rating definitions.
² Now renamed as ‘Assurance and Complex Investigations’
The CIU team actively and constructively engaged with our assurance review, and they are
overtly aware of the Common Issue Judgements. Their intent and approach in ensuring
mistakes of the past are not repeated can clearly be evidenced not only in their revised set of
processes and procedures, but also in the positive behaviours and culture they are trying to
embed within CIU and across POL.
The final outcome of the report reflects improvements needed within CIU to demonstrate
adherence to their processes and procedures, such as:
• Evidence to demonstrate Head of CIU review, sign off or criteria for decision making has
not been maintained within CIU case files, for example, triage criteria, case closure,
criminal investigation, conflicts etc.
• Whilst meetings with CIU staff anecdotally show that review meetings are held twice a
week on cases, these are not reflected in the case file.
• Use and completion of key CIU documents need to be embedded consistently, such as
the Combined strategy/investigation strategy document and Investigation Control
Document, or their non-use formally explained.
• Case and file structures have only recently adopted a consistent approach; therefore,
for older investigations (2022), navigating case files is challenging.
Group Assurance acknowledge that this is mainly because the team is newly formed, with
processes still being created and embedded, compounded by a heavy CIU workload.
With the completion of the above six reviews, the Group Assurance plan is substantially completed
with only three reviews remaining:
• Control Framework - Tech Change - The fieldwork is completed and a final close out report
is pending. ARC should note that whilst the POL Control Framework was approved by ARC
as DRAFT in September 2022, the principles within this framework are being applied to
assess the state of POL’s control environment in all Group Assurance Reviews.
• Horizon Issue Judgement³ - A session was held with Technology on 4 September 2023 to
discuss the draft fieldwork findings and it has been agreed that Technology will reassess
the data provided for the review.
• OHC/Detriment - This is contingent on Remediation Unit readiness.
2. Tracking of remediation actions and sustainability - WIP⁴
The profile of the Group Assurance reviews completed and rated to date is as follows:
• 2 (25%) - Unsatisfactory (Inquiry & Suspension Payments)
• 4 (50%) - Needs Significant Improvement (CIU, Shortfall Scheme, CIJ, Postmaster Policies)
• 2 (25%) - Satisfactory (Speak Up & Stamp Scheme)
Whilst the assurance opinions are weighted towards ‘needs significant improvement’ and higher, this
outcome is not surprising given that the Group Assurance plan, created in September 2022, was
consciously designed to assess inherently high-risk areas, many of which are linked to remediating
issues of the past.
³ For verbal discussion at the ARC
⁴ Contingent on continuing availability of assurance resources.
Strictly Confidential
The core drivers for the Group Assurance opinions were summarised in the July 2023 ARC, but at
an aggregate level the improvements needed can be consolidated into the following areas:
• MI/Dashboards - End to end monitoring and oversight, use of KRIs and KPIs, policy
compliance/oversight
• Root cause analysis - to understand the drivers of issues and errors.
• Overt evidence to demonstrate execution of controls
• Document controls and Quality Assurance - lack of a standardised approach
• Lack of embedded completeness and accuracy checks - especially when dealing with PM
remediation payments
• Sign off, review and POL oversight over third parties.
• Data management and control
The Assurance reviews completed provide a foundation for management to implement their agreed
actions in an appropriate manner to ensure risks identified are sustainably mitigated to improve their
control environment.
To this effect, the Group Assurance team are now in the process of:
• Action status tracking - a tracking and review/closure mechanism is being embedded, and
we are aiming to provide regular action status updates to the RCC and ARC from October
2023 onwards.
• Assurance Universe - Continuous monitoring - Given that these reviews are inherently high
risk, the Group Assurance team are in the process of creating an Assurance universe based
on our work papers and knowledge obtained from the business.
This Assurance universe will then be risk rated for priority and a continuous assurance
programme will be commenced (and shared with RCC and ARC in October 2023).
The outcomes of these continuous assurance activities are intended to be shared via a
Group Assurance dashboard.
3. Assurance Current State
Whilst POL has a limited three lines of defence model, a number of assurance activities exist across
the first line, second line and third line. These, at present, are neither integrated nor aligned and
therefore gaps exist in the assurance coverage of POL’s footprint.
A previous compliance paper in 2020 noted the gaps in the Compliance Function, including
assurance, and made several recommendations.
POL, as a natural consequence, has an over-reliance on Group Internal Audit and, where assurance
is performed by the first line, limited systemic processes exist to ensure regular objective oversight.
The Group Compliance function currently focuses on financial and regulatory compliance (as 1.5/2
LoD) and this was called out as a gap back in 2019.
As mentioned in section 2, Group Assurance activities to date have tactically focussed on assessing
areas of high risk and have leveraged Group Compliance resources to deliver these.
At the request of the Group General Counsel, a POL Control Framework⁵ was created and
subsequently approved by the ARC (AS DRAFT) in 2022 to be embedded on best endeavours. As
a result, whilst we are assessing (indirectly applying) the business against the principles and
standards contained within the Control Framework, this is by its very nature ad hoc and not pervasive
across POL’s footprint.
⁵ POL Control Framework (DRAFT) 2022 - Please refer to Reading Room
The organisation has created a repository of risks and controls (GRC - SNOW); however, its coverage,
completeness and timely monitoring are not being assured. Some business functions perform control
self-assessments, but again these are not objectively assured.
Whilst a ‘sum of the parts’ may exist in GE reporting and Functional scorecards, a formalised and
integrated dashboard does not exist to measure the state and direction of travel of the POL control
environment (KRIs, Incidents, PM Metrics, Business Self-Assessment scores, ERM (Out of
tolerance), outcomes of second and third line activities).
Consequently, the POL assurance/control environment would at best be assessed as between
Undeveloped and Informal, with some pockets of Standardised.
4. Integrated Assurance Vision, Approach and Next steps (DRAFT)
Whilst integrated assurance should be systemically embedded across POL, due to the significant
transformational and business change activity under way it is recognised that a tactical and top
down approach may have to be adopted to ensure POL is aware of and managing its key risks and has
appropriate mechanisms in place for Senior Management to assess and assure their control
environment on a programme and E2E basis.
With this in mind, and leveraging activities undertaken in the last 12 - 15 months, the GE approved
an Integrated Assurance approach in July 2023, which can be found in the reading room, and is
summarised below.
The key outcome of the ‘Integrated Assurance’ approach is to ensure the CEO and General
Executives (including the Senior Leader Population) have effective integrated assurance
embedded across the organisation to ensure POL:
• is operating effectively;
• is proactively managing key risks within appetites and tolerances agreed with the Board;
• has timely and objective assurance to assess and monitor effectiveness of key controls; and
• can provide appropriate MI/visibility on risk and control environment maturity to the Board.
Accordingly, in the short term the scope for Integrated Assurance will comprise:
• STP - Technical Assurance / Retail Transformation Programme (RTP)
• Business Readiness - Critical Support Activities
  o Finance
  o Data
  o Retail
  o CIU/Speak Up
  o Contracting
  o Legal and regulatory compliance
• Culture
• Effective Governance
The above have been selected due to their criticality, co-dependencies and to ensure Senior
Management have an E2E view and assessment of the POL universe.
A critical short-term outcome would be the creation of an Assurance Universe (comprising key
risks/activities and controls) which will form the foundation of ensuring POL has a robust NBIT/RTP
Integrated Assurance plan and coverage.
If successfully executed this would then provide a robust platform and resources to apply Integrated
Assurance organisation wide over the medium term (12 -24 months).
The key milestones are set out below:
A. Establish a Group Assurance Team and a formalised Network of Assurance Champions
We will form a light Group Assurance Function⁶ whose key role will be to:
• Set the Integrated Assurance standards, principles and a clear RACI for POL and Assurance
Activities - [Management remain accountable to demonstrate and provide assurance that they
have an appropriate control environment. The Group Assurance team will ensure objectivity by
design].
• Ensure adequate objective oversight exists to ensure the key risk and control footprint is robust,
measurable and reportable.
• Perform assurance reviews and continuous monitoring activities.
• Create, maintain and oversee a universe of Integrated Assurance activities across the 3 LoDs.
• Report to GE on the status of the control environment or the ability of the first line to demonstrate their
control environment.
In summary the role of Group Assurance will be to coordinate and integrate the different strands of
assurance (across second line and within the business), ensuring no gaps in coverage and
reasonable standards across all assurance ‘providers.’ This will also enable the business to benefit
from real time assurance rather than a retrospective assessment conducted by Internal Audit.
To ensure we leverage existing resources, knowledge and have an agile Integrated Assurance
approach we will formalise a ‘Network of Assurance’ structure across the in scope areas.
This network of assurance would form the foundations for moving towards a pragmatic 3LoD
model and Integrated Assurance (12- 24 months).
Please refer to Appendix 2 which shows how this will be applied within SPM.
Who and by when - Anshu Mathur/General Executive - 30 September 2023
Current Status - Funding for three Group Assurance Heads has been secured and recruitment is
under way (NB attracting Assurance talent into POL is proving challenging). NBIT assurance
resources are being identified to be formalised with business functions. Discussions with Finance
have commenced.
B. ‘Universe’ of Integrated Assurance
Using the Assurance Teams, create an ‘Integrated Assurance’ universe to formally document:
• The universe of key risks (top down and SNOW) that Management must assure
• Expected standards and/or controls that remediate the risks
• Sources of assurance across the 3 LoDs - ongoing, planned or gaps - internal, external etc.
• E2E coverage of key risks across the ‘in scope’ areas
• Plans to mitigate any gaps in assurance coverage
Who and by when - Anshu Mathur/Assurance Teams - November / December 2023
Current status - Leveraging the assurance resources within NBIT, we have a first draft version of
the NBIT universe; once internally reviewed (mid September 2023) we plan to leverage EY to
informally challenge the universe.
⁶ Please see org chart in Appendix 2
C. Management reporting and MI
Align Integrated Assurance reporting across Programme Steerco’s, RCC, GE and ARC clearly
highlighting:
• Status of assurance plan vs delivery
• Status of key risks and related assurance opinions
• An aggregated ‘net risk’ position for in scope areas and for POL as a whole.
• Status of committed management actions - to manage risk positions
• Horizon scanning for upcoming challenges, risks, or blockers
Who and by when - Anshu Mathur/Assurance Teams - November / December 2023
D. Group Compliance - ToM
In parallel, and on the request of the Group General Counsel, we have also commenced a review
on the ToM for the second line Group Compliance function, to ensure this aligns with the 3 LoD
model as defined in the draft POL Control Framework.
Who and by when - Anshu Mathur - 30 November 2023
Appendix 1 - Status of Group Assurance Plan at 1 September 2023
No. | Review | Area | Scope | Status / Opinion
1 | Inquiry Rule 9 Request | Inquiry | Process compliance and accuracy/completeness in fulfilling Rule 9 Requests. | Unsatisfactory
2 | Speak Up | LCG | Process compliance in dealing with Speak Up cases, to ensure cases are being dealt with in a consistent and fair manner. | Satisfactory
3 | Investigations (CIU) | LCG | Process compliance in accordance with the Group Investigations and Co-operation with Law Enforcement Policy (GICLE) and the Investigators Manual. | Needs Significant Improvement
4 | PM Detriment - Suspension Payments | Remediation Unit | Compliance to and design adequacy of Historical Matters Suspension Payment Processes with a particular focus on completeness, accuracy and reasonableness of Suspension Payments. (NB Review requested by Remediation Unit Director) | Unsatisfactory
5 | Stamp Scheme (SS) | Remediation Unit | Claims dealt with in a fair and consistent manner. | Satisfactory (NB Final opinion)
6 | Pause Payments - Outstanding Balances | Remediation Unit | Management requested Group Assurance opinion on the risk associated with continuing to recover outstanding balances from Postmasters. | Not Rated - Review highlighted there is significant risk for POL in continuing to recover outstanding balances from Postmasters for 21 cases between 2006 and 2020.
7 | Shortfall Scheme | Remediation Unit | Adherence to scheme processes & procedures. | Needs Significant Improvement
8 | OHC/Detriment | PM Remediation Unit | Targeting to commence fieldwork in Q3. | Not Started
9 | CIJ | Retail | Assess documentary evidence to support remedial CIJ actions and their sustainability. | Needs Significant Improvement
10 | Postmaster Policies | Retail | Postmaster policy compliance - 12 PM Policies. | Needs Significant Improvement
11 | Business Requirements | Technology | Whether the NBIT programme has appropriately captured mandatory compliance requirements. | Not Rated - Identifying and ensuring accuracy of business requirements is challenging and therefore raises the inherent risk of error or inability to assess completeness/accuracy of requirements.
12 | CF - Tech Change | Technology | The Technology team has completed the majority of the work; the blocker is the Assurance Director’s capacity to finalise the review. | Fieldwork - Completed
13 | HIJ | Technology | HIJ review is currently on hold. Preliminary observations have been shared with the Horizon and GLO IT Director. Formal draft not issued. | Fieldwork - On Hold
DRAFT
Appendix 2 - Group Assurance structure and Network of Assurance
The above principle would equate to a Group Assurance team below, supported by 2-3 junior
assurance resources: