POL00460603
Group Assurance TOM
proposal
08/05/24
V0.2
Post Office Limited - Document Classification: STRICTLY CONFIDENTIAL
GROUP ASSURANCE - TOM
This is a new proposal combining all Assurance functions,
expectation is that all second line roles will be
multiskilled and able to carry out compliance/assurance/oversee risk activities across the business in an
the other Heads of including Head of Risks & Controls, the saving could be used to ensure more feet on the ground?
We should also consider having just one platform for risks and controls - not a separate one for change programmes.
+ The Compliance Ops manager (a team of 1 but may not be needed) could sit under the Head of Compliance - Reg & Corporate functions, this would reduce the line management burden of the GAD and give the "Head of" role the ownership of reporting - including dashboards etc.
I changed the Head of Risk to Risk & Controls - the roles sitting under this should be specialists - but with improved ways of managing risks and oversight of controls - implementing the control framework working with all the Heads of.
This would require a ToM review within current set up and within first line function to ensure clear separation between first and second line
+ Internal Audit would be separated under a Chinese wall, but under GAD to ensure integration and alignment.
The number in brackets:
* Blue boxes are proposed number (except for Head of Risk & Controls which is based on current Risk team and IR/DP which is based on current numbers), the rest would need to be scoped out further.
* Orange boxes - numbers are based on current numbers of the 3 functions - 1.4 3, Currently report to Strategy and Transformation which is under the
Ps Director and te inte the 2
* The previous slide is a revised version of the original ToM proposal for LCAS presented in October 2023. The previous slide looks across all Assurance activities and is a starter for ten.
* The Oct version was inward looking into LCAS only and is captured in slides 4 to 9. Slide 10 looked at incorporating Risk only.
* This version was formally shared with Finance and the People Team, but was never progressed.
‘In strict confidence — work in progress - subject to formal consultation’
'As is' Activity Analysis
Based on a detailed bottom-up analysis of the activities undertaken within Group Compliance, the following are some key observations:
* Only 27% of the FTEs are involved in true second line activities
* That said, as POL is aware this is skewed to certain functions only (See Table 2)
* Majority of the team, c 43%, perform functional (first line (1.5)) activities which fall under categories such as continuous monitoring, investigating etc.
* The Financial Crime & Financial Conduct Team in particular fall under this category.
* The IR/DPO [...] nature are 'doing roles' and

Table 1 - As is FTE Breakdown
Cluster | LoD split (FTE) | Total
Financial Crime
Supply Chain - - 2 2
IR/DPO 7 3 ° 10
Financial Services Conduct J a Q 8
Central Team (JH, 8J) 2 2
HM Assurance (JP, SF, NS) - 5 a

Coverage:
Financial Crime - Commercial
Supply Chain - Retail
IR/DPO - All functional areas
Financial Services Conduct - Retail/Commercial/POI
Compliance Coverage
Using the POL Organisation Structure (GB-1, GE-2) we have created a starter Assurance Universe and rated these as 'High', 'Medium' and 'Low' driven by their inherent risks. Please see Table 3.
Accordingly, we can then logically assess which functions would need second line coverage, which is summarised in Table 4, namely:
+ Heavy
  * Technology
  * Retail
  * Commercial
+ Medium
  * People
  * Finance
+ Light
  * Lee
+ None
  * Corp Affairs
  * Strategy and Transformation
Heavy - Assure twice a year; Medium - Assure once a year; Low - Assure once every two/three years
NB - How Assurance is obtained varies but
Group ... Total
Commercial ‘ 7 24 37
Ec & pr (as) n 1 4 16
Finance A 12 24 1 46
bcc 23 3 8 2 36
People 2 8 4 6 20
Retail u uu 19 1 45
Corp Affairs a 1 7 9
Strategy and Transformation @ 2
TO (2M) 4 19 25 48
er 65 123 30 265
258 25% 48 4 100.00
Table 4 - DRAFT Desired Functional Focus
Finance | Al Cameron | Medium
1s | Ben Foat | Light
People Team | New CPO | Medium
Ent Cloud and Data Transformation | ce / smith | Heavy
Retail | Martin Roberts | Heavy
Commercial | Owen Woodley | Heavy
coro | cB / ZMladeno | Heavy
Corporate Affairs, Brand & Reputation | Richard Taylor | None
Strategy and Transformation | Tim McInnes | None
Group Compliance TOM Assumptions #11
+ This analysis is myopic to Group Compliance ie has not considered any synergies or overlaps across wider POL second line functions (see slide Xx)
+ PA - Is a team resource
+ MLRO - Stays within Compliance, under core assumption that job specs for wider team include Fin Crime, ABC coverage, and matrix managed.
+ IR/DP - Are first line roles moving into Group Legal.
+ Functional Compliance/Assurance Leads - Network of Assurance will need to be created across first line (per ARC Integrated Assurance Sign off)
+ Group Compliance - All roles would need revised job specs as change is greater than 30% and approach is very different ie floating resource.
+ Group Compliance - Roles transitioning to First line would not need a revaluation in the short run (see next slide)
Table 1 - As is FTE Breakdown
Column headings: Cluster; As is LoD split (FTE); As is Total (FTE); Legal; Retail; Comm
Rows: Financial Crime; Supply Chain; IR/DPO; Financial Conduct; Central Team; HM Assurance
2023/28 budgeted HC37.8 (Period 5 Actual 35.6)
MLRO - Group Compliance
Generic skill set
Requires no hand over
Head of and Compliance Lead
ADirector and EA
A-B-C=3 Net reduction
* Efficiency of scale revisit in 12 months
Financial Crime Compliance
Activity Review
Financial Crime activities are predominantly 1.5 and cover MLRO and regulated activities to support Travel Money and other products and services subject to the MLRs.
Assumes current 1 & 1.5 LOD activity moves with the current personnel into 1st line.
What are the key principles for release of FTE (see *):
First Line Confirmation that transferred activity continues | 6 months | N/A
Objective oversight by 2nd Line | Ongoing | Monthly
Adequate MI and reporting to demonstrate regulatory compliance and SLAs/OLAs are met | 6 Months | N/A
Formal process established for escalation to 2nd Line of high risk/incidents/potential breaches | First 30 days | N/A
Review and sign off by Group Compliance of transfer of activities | 6 months* | N/A
Review of effectiveness and operational efficiencies with sign off by 1st Line and 2nd Line | 12 months | Annual
Timeline
The below are 4 example activities out of 45 activities to be transferred to
[Timeline chart: Month 1, Month 2, Month 3, Month 4, Month 5, Month 6, Month 7-11, Month 12]
Group Compliance TOM — Option 2 #13
[Organisation chart: Assurance & Risk Director; Functions; Compliance; IR/Data Protection; Assurance Leads]
Key assumption:
+ Resources are floating
+ HPT - via matrix performance management
+ Universe coverage - 8 FTE X 5 Universe Lines = 40 = 1/3 cyclical coverage
TOM — Option 3 #18
Head of Assurance - R&C and Head of Assurance Change / Technology could be merged into 1 second line team in the future.
Head of Data Management and Head of DP/IR could be merged into 1 first line team now as well.
Data is a key short term key risk
ISPMP is a material short term key risk