RMG00000003 - Minutes: Royal Mail Holdings plc Audit and Risk Committee Minutes of 08/12/11

Royal Mail - Strictly Confidential

ARC (11)6
51 - 60

ROYAL MAIL HOLDINGS plc
(Company no. 4074919)

AUDIT AND RISK COMMITTEE

Minutes of the meeting held at 100 Victoria Embankment London on

8 December 2011

Members of the Committee Present:
Paul Murray - Non Executive Director, Chair of the Committee
Donald Brydon - Chairman
Nick Horler - Non Executive Director
Cath Keers - Non Executive Director (by telephone)
David Currie - Non Executive Director

Apologies:
Orna Ni Chionna - Non Executive Director
Les Owen - Non Executive Director

In attendance:
Derek Foster - Internal Audit & Risk Management Director
Moya Greene - Group CEO
Matthew Lester - Group CFO
Jon Millidge - Company Secretary
Mike Prince - Financial Director, Management, Control & Shared Services
Andrew Poole - Deputy Company Secretary
Catherine Doran - Group CIO
Chris Day - CFO, Post Office Limited
Lesley Sewell - Head of IT, Post Office Limited
Rod Ismay - Head of Product & Branch Accounting, Post Office Limited
Paul Meadows - Head of Risk & Compliance, Post Office Limited
Jeff Triggs - Interim General Counsel
Anne Fletcher - Group Compliance Director (for ARC(11)56)
Richard Wilson - Ernst & Young
Kath Barrow - Ernst & Young
Ben Marle - Ernst & Young

ARC11/51 MINUTES

(a) The Chairman welcomed everyone to the meeting. The minutes of the meeting of the 17th November 2011 were considered and approved as an accurate record of the meeting.

ARC11/52 STATUS REPORT ARC(11)51

(a) The Committee noted the status of actions from the previous meeting.

ARC11/53 INTERNAL AUDIT & RISK MANAGEMENT UPDATE ARC(11) 52 & 53

(a) Catherine Doran joined the meeting. Derek Foster introduced the Internal Audit & Risk Management report dated December 2011.

(b) There had been a number of significant changes / enhancements to the Risk Management Framework in the period. These should improve governance, and increase the view of Royal Mail as an investable proposition from the perspective of robustness of risk management / governance processes. The key changes included: strengthening of the Risk Management Committee; refresh of the Top 25 Group Risks; articulation of the sizing of top risks and of current controls and future mitigation plans; creation of a list of key processes and critical underlying controls; design of an attestation programme to begin to give separate and specific assurance on specific key risks and key controls; and re-issue of the risk management policy, including specifying minimum standards expected from units / functions;

(c) Of the 24 IA&RM assignments completed in the period, IA&RM highlighted four that were significant and had a specific line of sight to the Top 25 Risks. These were: Information Technology Environment (Information Security and IT Service Resilience); Project Benefits Recording and Monitoring; and Protection of Revenue. In each case, the findings were significant and supported the business positioning of the issue / risk as key. In each case an action plan had been developed as a proportionate response, and the action plans were underway;

(d) IT: IA&RM had conducted a review of the Information Technology Environment. The Committee were updated on the most significant reviews undertaken in the period by IA&RM in relation to IT: service resilience and information security. Catherine Doran gave her perspective and update on the issues of service resilience and IT security in the broader context of the IT challenges facing the Group. A major factor was the age and complexity of the systems in RMG, and the fact that the business had very little in-house IT capability, due to IT outsourcing activity. The business had embarked on a programme of improvement, but this would take over two years to complete. Paul Murray noted that this was a significant risk for the business and asked for regular updates at future meetings. Moya Greene said that she would bring the Improvement Framework back to the Committee and would also consider incentives for key IT staff;

ACTION: Moya Greene

(e) Revenue protection: The business, like every other postal operator, was reliant on customer declarations for the generation of account mail revenue and there was little or no incentive for a customer to ensure that their declaration and mail specification was accurate. Furthermore, for single piece mail the business relied on the sender paying the right amount of money (through smart stamps, stamps or meters) for the format and weight of the product they wished to use.

(f) The ability to tackle the root cause of revenue leakage was restricted by a number of competing strategies and priorities (e.g. the ‘Easy To Do Business With’ initiative, maintenance of Quality of Service) and a lack of punitive measures to enforce compliance. There was a need for an overall strategy and accountability for the protection of revenue in the business, specifically to: set the strategic direction for the control environment for the protection of revenue; establish a risk appetite for revenue leakage; and coordinate activity in the business impacting revenue leakage. Work was in hand by the Finance team to find methodologies such as “paper work on collection” and the further use of automation to help improve the position on revenue protection. The meeting agreed that until all mail processing was automated (which in theory would mean that every bulk mail piece was identified using a bar code which highlighted the sender) revenue protection was an inherent risk.

(g) Project benefits recording: The project benefits recording and monitoring process was designed to capture modernisation frontline staff costs by unit and by project. At a detailed level, this was achieved by means of the Integrated Finance Report (IFR) / Business Warehouse (BW) tools. The Strategic Plan assumed a reduction, from seven programme strands and forty-three active projects, of £1.4bn per annum in the cost of operations by 2016/17, as compared to 2009/10.

The objective of the review was to assess whether robust
processes were in place to record and monitor frontline
benefit savings.

The key conclusions were that the absence of a standard
operating procedure, incorporating a documented end-to-end
process with accountable benefit owners, resulted in Regions
and Programme Teams designing their own approach to
benefits recording and monitoring. This resulted in a lack of
confidence in unit generated submissions, and Programme
teams and central finance created their own monitoring tools,
creating dual reporting with differing numbers.

In addition, reasons for under/over achievement of benefits
were not always captured to improve future deployments.
Information produced for senior management did not contain
a level of granularity that would allow effective monitoring of
the successful achievement of benefits and remedial action
where required. The key specific issues were consistency of
benefits recording in IFR/BW, granularity of reporting,
completion of post implementation reviews (PIRs), and
communication of Standard Operating Procedures;

the methodology for calculating the frontline staff benefits for Walk Sequencing, Delivery Methods and Packet Simplified Sort Architecture projects had been documented, which accounted for 87% of total frontline staff benefits. The methodology for Collection projects and Mail Centre projects was still work in progress.

The roll-out of the benefits calculation methodologies, which included forecasting, had been supported by a series of “training day” visits to Regions, which was ongoing. Seven of the Regions had had their training days so far, with a further three planned for November. Follow-up visits and ongoing support would also be provided to ensure the methodologies were fully understood.

(h) The Committee noted the report and the actions being taken and planned to mitigate these risks. Derek Foster would include a summary of all ‘not satisfactory rated’ audit reviews in future reports to the Committee.

ACTION: Derek Foster

Group Risk Profile: The Committee noted the update to the Group Risk Profile dated December 2011. Matthew Lester would revert to the Committee at the March meeting with more detail on the residual risks and risk appetite for the business.

ACTION: Matthew Lester

ARC11/54 POST OFFICE LIMITED ARC(11) 54

(a) Pension overpayment: The Committee noted a paper providing an update on the progress made in Post Office Limited (POL) on the recent pension overpayments issue. The update included the quantification of the issue and the steps taken to resolve it;

(b) In July 2011 the business became aware of errors in the POL pensionable pay records. Non pensionable bonus payments in relation to the 2008 Unite CMA pay award had been incorrectly included in final salary pension calculations. Further investigations found additional errors and, as a result, a number of employees and former employees have been issued with incorrect benefits illustrations and a number of POL pensioners have been overpaid and, indeed, underpaid. The financial cost of the error has now been confirmed at £261k (subject to minor refinement);

(c) The Committee noted the findings on the pensions overpayments issue and that the actions taken have contained the issue; noted the further steps being pursued to ensure the issue would not arise again; and noted that an update would be provided to the POL Board.

(d) Update on Horizon controls and relationship with Fujitsu: The Committee noted that, unlike other RMG major IT suppliers, Fujitsu does not have a SAS70 or equivalent report on its controls, and the consequence of this is that Ernst & Young (EY) needs to do full testing of all systems which are integral to the financial results as part of the RMG annual audit
process. A number of IT control issues were identified during
the 2010-11 year end audit, which were largely centred on
Fujitsu. Overall EY was satisfied that the control systems
were reliable but they had to perform additional audit work to
make this conclusion, and they made certain
recommendations in the management letter following the
audit for improvements which have been implemented. The
IT control issues identified during the audit did not relate to
the integrity of accounting data in the system. Rather, EY
made recommendations about the documentation and
authorisation of changes to systems and about opportunities
for streamlined assurance;

(e) Fujitsu Services have committed to covering the cost to
implement a SAS70 approach for POL for 2012-13 with EY
carrying out this work so we expect a reduction in audit costs
for 2012-13. The activities completed during the 2011-12
audit will provide the foundations for a SAS70. EY has ratified
the approach we have taken for this year’s audit and the
planning is underway for the 2012-13 audits.

(f) Challenges to Horizon: POL has, over the years, had to
dismiss and prosecute a number of sub-postmasters and
Crown staff, following financial losses in branches. A small
number of these have defended the prosecution on the basis
that they were not guilty of the charges made but that
Horizon was faulty. Some former subpostmasters had
defended civil debt recovery action by POL on the same
basis. The Committee noted the update on this matter.

(g) Update on POL Financial Services Compliance: The Committee noted an update on the progress made in Post Office Limited (POL) with regard to Financial Services compliance, which also raised one issue with regard to a breach of data protection legislation;

(h) In November 2010 BOI transferred its joint venture agreements to BOI (UK) plc (a wholly-owned subsidiary of BOI), incorporated in the UK. BOI (UK) is regulated by the FSA. Customers are, where applicable, protected by the Financial Services Compensation Scheme (FSCS). POL is an Authorised Representative of BOI (UK) and is not directly regulated by the FSA. BOI assumes responsibility for any regulatory failure by POL but POL will, in certain circumstances, be liable to compensate BOI for any loss resulting from any such failure;

(i) POL Compliance has continued to focus on delivering improved compliance, by building on the outputs of the 2010 RMG Internal Audit. The 2010 POL Organisation Review provided an opportunity to re-shape the POL Compliance team, which was re-launched at the start of 2011 as the Risk & Compliance (R&C) team, with a new structure. The strategy for the new team focuses on building a ‘culture of compliance’; driving business accountability for compliance, with support from the R&C team; and providing tools and support to ensure focus on key risk areas. The new team has also developed a closer collaborative relationship with the BOI compliance function;

(j) In 2006 POL was investigated by the Information Commissioner's Office (ICO) for a breach of the data protection principles (a bag of sensitive waste had been left outside a branch for waste collection). In lieu of the ICO taking enforcement action, POL agreed to an audit of the waste disposal process in branches and signed a formal undertaking in 2007. Any further similar breach would be considered in light of this situation; any breach of the undertaking may lead the ICO to issue an Enforcement Notice;

(k) A data protection breach occurred on 25 September 2011
when the Sub-Postmaster at the Portland Road, Hove
agency branch left six boxes of waste outside his premises
for collection the following morning by a waste company; two
boxes included customer personal information. One box was
found by two passers-by who informed the local press (The
Argus) and the Police;

(l) A message was issued to all Agency branches on 28
September confirming the requirement to follow confidential
waste disposal procedures. A full investigation has been
conducted and the customer information has been retrieved
and analysed. A further Network communication is planned
after the conclusion of the contract case. Next steps will then
include an audit of Network compliance with data protection
standards. The Committee noted the update.

ARC11/55 GROUP TAX / SENIOR ACCOUNTING OFFICER GOVERNANCE ARC(11)55

(a) Matthew Rose joined the meeting. The Committee noted a paper update for the Audit and Risk Committee (“ARC”) on the Group’s tax governance, particularly with regards to the “Senior Accounting Officer” (“SAO”) compliance requirement;

(b) Royal Mail's tax governance approach has been enhanced as
a result of the work undertaken for SAO. This includes a
greater awareness of process risks and a greater level of
business involvement, including the sign off of tax sensitive
processes. An internal sign-off letter and an awareness
programme are in the process of being rolled out. There are
a number of wider considerations that will be covered going
forward. These include the future change to Royal Mail's
operating structure and tax profile, potential tax resource
constraints and the impact of moving out of the year 1 ‘light
touch' SAO regime into the full regime;

(c) the Committee noted that the Group had filed its first SAO certificate in September 2011 without qualification. This was done with support from EY; the report from EY includes recommendations for further actions and considerations as we move into year 2;

(d) Initial discussions with HMRC confirmed there have been significant improvements over the years but that a continued focus is needed to move towards “low risk” status and to be able to continue to file clean certificates; and

(e) The Group is to provide training to senior Finance teams to enable them to provide internal certification to the Group CFO as part of the preparation for year 2;

(f) The Committee supported the approach towards implementation of a number of the identified actions from Year 1 in the Consultants and Travel and Expenses areas as well as the above actions for Year 2 in terms of training and use of external assistance where needed;

(g) the Finance, IT and Commercial teams continuing to support appropriate implementation of required actions to enable VAT to be correctly applied on postal services systems and the associated accounting systems supporting VAT compliance;

(h) the focus on reducing the dependence on some bespoke tax systems and a small number of key individuals without significant cover within the Group Taxation environment;

(i) Investment Counterparty Letter to HMG: The Committee supported the proposed letter to be sent to BIS seeking agreement to the use by the Group of RBS plus continued use by POL and GLS of various counterparties subject to appropriate due diligence and on-going monitoring.

ARC11/56 GROUP COMPLIANCE UPDATE ARC(11) 56

(a) Compliance Report: Anne Fletcher introduced a report updating the Committee on key compliance activity during 2010/11 and the first part of the 2011/12 financial year and highlighting key priorities for the current year, following the ‘below the line’ report to the October Board;

(b) Whilst there had been significant change in both the regulatory environment and the wider compliance environment, it was important that the business did not lose sight of business as usual compliance activity. The current period had been a very busy one, with the need to respond to a number of RFIs, investigations and complaints whilst working with the business to strengthen compliance procedures to mitigate risks further;

(c) The Committee noted the Compliance report dated December 2011 including the priorities outlined for 2011/12.

(d) Bribery Act Implementation Update: The report updated the Committee on key Anti-Bribery compliance activity from the 2010/11 financial year to date, and highlighted key priorities for the remainder of this year. The Bribery Act came into force on 1 July 2011; in preparation we have strengthened our processes in key areas and this work continues. Our anti-bribery compliance programme had been based on the 6 principles underpinning the Ministry of Justice guidance on adequate procedures;

(e) the Committee gave a strong and clear message that the Group Bribery policy would apply to Post Office Limited, GLS and other JVs where appropriate. E&Y would report on the adequacy of procedures at the year-end;

(f) The Committee noted the update.

ARC11/57 AUDIT APPROACH 2011-12 AND PROPOSED FEES ARC(11)57

(a) Kath Barrow introduced an update to their report presented at the 17th November meeting providing additional information in respect of the detailed audit approach for the year ended 25 March 2012. This included the impact of the auditors’ consideration of risk, the extent of the control testing and the use of analytical tools and techniques to identify anomalies in large populations of data;

(b) Paul Murray agreed to attend an E&Y planning meeting;

ACTION: Kath Barrow

(c) The Committee approved the 2011-12 Engagement Letters and delegated authority to the CFO to sign them.

ARC11/58 RMG CORPORATE RESPONSIBILITY REPORT ARC(11) 58

(a) The Committee reviewed and approved the Corporate Responsibility Report for the financial year 2010/11, and that the report would be presented to the Disclosure Committee prior to publication; and

(b) noted Management's recommendations for improving the reporting of Corporate Responsibility activities over the next 12 months.

ACTION: Moya Greene

ARC11/59 DIRECTORS’ EXPENSES ARC(11) 59

(a) The Committee noted schedules (copied to Committee members only) providing a summarised total of Directors’ expenses and individual Directors’ expenses incurred during 2010-2011, together with hospitality received.

ARC11/60 ANY OTHER BUSINESS

(a) Data migration: Moya Greene reported that the business had
recently suffered from a problem with data migration affecting
on-line customers. Royal Mail had now contacted all
Smartstamp customers whose payment cards had been
debited twice and an additional payment of £25 had been
made as a gesture of goodwill. The process would be
complete in the next few days. Royal Mail continued to work
closely with Capgemini, who manage the website on our
behalf, to restore services to normal.

(b) Euro crisis: Matthew Lester confirmed that whilst the
business was not undertaking the recent formal testing that
had applied to Banks; the business was however reviewing
its working capital levels across the business and preparing
appropriate contingency plans where necessary.

(c) General Meeting: Jon Millidge reported that a General
Meeting of Royal Mail Holdings Plc would be held
immediately following the Audit & Risk Committee to approve
amendments to the Articles of Association.

ARC11/61 DATE OF NEXT MEETING

The scheduled January 2012 meeting was cancelled. The next meeting of the Committee will be held on the 22nd March 2012.
