POL00460606 - Group Assurance report - Chairman Update - 16 May 2024. Attendees: Nigel Railton, Sarah Gray and Anshu Mathur


POL00460606

Group Assurance — Chairman Update - 16 May 2024
Attendees — Nigel Railton, Sarah Gray and Anshu Mathur
1. Group Assurance (GA)

a. Very small team, c. 5 FTE (incl. 1 loaned and 1 FTC due to end in July) — refer to Appendix 1

b. Formally established in April 2023, but operating from September 2022, to plug a
significant gap in second line coverage of key and critical business areas/activities.

c. Despite being small we have delivered a considerable amount without recourse to
incremental expenditure. Our strategy and/or plans are captured in:

i. Approach to Legacy Assurance — refer to Appendix 2
ii. Approach to SPMP Integrated Assurance - refer to Appendix 3
2. All GA activities are subject to the oversight and challenge of the RCC and ARC
a. Not SEG?

b. See current SPMP ARC update for SPMP and Group Assurance Dashboard — Appendix 4

3. At the request of the GGC (and he was 100% right) created a POL Control Framework in 2022.
This was approved as Draft, to be implemented on best endeavours — refer to Appendix 5

4. Adopted a tactical and heavily manual approach to Assurance due to the following gaps:

a. No common universe definition and/or coverage for POL activities (people, process,
systems).
b. Even IA do not have a comprehensive universe, and they were not assessing the
sustainability and/or impacts of the actions implemented for Issue Judgements — a
major cause of divergence between their outcomes and ours!!!

c. SNOW, our GRC tool, cannot be relied upon for completeness and/or accuracy, with a
lens of both risks and controls. This view has been communicated to both RCC and
ARC.

d. So what? — We had no choice but to build our own Excel-based universes:
i. Common Issue Judgement — 365 lines
ii. SPMP Integrated Assurance & Risk Universe — 509 lines

NB: I am aware we need to at some point converge all data sets into SNOW, but with
ARC approval we are focussing on delivering Assurance in the short/medium term.

5. Assurance Gaps

a. See Appendix 6, which shows the gaps in Compliance coverage and the issues in
OD i.e. skewed towards 1 and 1.5 activities and not second line.

b. To remediate we created a revised TOM with an LCAS focus only, and then an LCAS
and Risk focus. Submitted last year with a plan to commence execution in late
2023; it never took off.

Strictly Confidential

Key issues and significant Concerns - All of these are easily fixable
1. Lack of accountability and consequence management

a. This is the single root cause of all issues in POL.
b. Assurance outcomes, despite showing significant issues, have no consequences:

• Cl
• SPMP

2. Closed mindset — Capability and Competence — Low

a. Lessons of the past are not, at an inherent level, imbibed in the DNA of POL.
b. Many seniors have a myopic lens on their role.
c. Many are afraid to make decisions, therefore so many committees.
d. Newly created Leadership Team has excluded line of defence — Most illogical
considering lessons of the past and themes arising from the Inquiry

3. Governance

a. Entity level — Exists and operates effectively in terms of cadence and structure, i.e.
Board and sub-Boards.

i. That said these lack qualitative input and challenge
ii. Key papers lack SME (risk/Control/Assurance) input / opinions

iii. Despite POL's significant issues, board/ARC seem afraid to intervene or
challenge overtly for management to course correct.

iv. Senior Management believe ARC alignment/request not necessary.
v. DoA — Has not kept up to date with organisational changes and restructures.

b. Operational level — Disparate, illogical and non-existent vs good or even basic
practice

i. Responsible person is not a SME in this field
ii. Committees — Their composition, purpose and lines for exception not defined.
• Objective challenge missing in key committees — SPMP, Retail

iii. RCC — Structurally Flawed — Has no requirements for business areas to
reflect and opine on their control environment under the overview of lines of
defence.

• Proposal to restructure RCC provided several times (Refer Appendix ),
but never executed by Chairs.

iv. How decisions are made, and where these are made visible — unclear
v. PM Detriment — No single line of sight

vi. No POL Control framework — therefore risk and control awareness and
maturity is significantly low — (Budget for creating training was refused.)

vii. Lack of integrated Assurance — currently diverged
4. SPMP - Integrated Assurance
a. Significantly behind — Appendix 7 — synopsis of external review of IPA and PD
b. Procurement for external assurance SME underway — top tier, except EY, dropped out.
c. SPMP lacks capability and forward thinking to execute assurance effectively — we are
leaning in heavily.
