POLARC 17(15")
POL ARC 17/01 — 17/16
UKGI00007544
UKGI00007544
Strictly Confidential
POST OFFICE LIMITED
(Company no. 2154540)
(the ‘Company’)
Minutes of a meeting of the AUDIT, RISK AND COMPLIANCE COMMITTEE
held at 2.00 pm on 30" January 2017 at 20 Finsbury Street, London EC2Y 9AQ
Present:
Carla Stent
Richard Callard
Tim Franklin
Ken McCall
In Attendance:
Paula Vennells
Alisdair Cameron
Jane MacLeod
Alwen Lyons
Amanda Radford
Nick Kennett
Mike Morley-Fletcher
Johann Appel
Richard Williams
Kevin Gilliland
Owen Woodley
Jonathan Hill
Jenny Ellwood
Rob Houghton
Geoff Smyth
Tim Armit
Peter Mclver
Claire Johnson
Chair
Non-Executive Director (RC)
Non-Executive Director (TF)
Non-Executive Director (KM)
Chief Executive Officer (CEO)
Chief Financial & Operations Officer (CFOO)
General Counsel (GC)
Company Secretary (CoSec)
Group Financial Controller (AR)
Chief Executive Financial Services & Telecommunications and CEO of
POMS (NK)
Head of Risk and Assurance (MMF)
Senior Manager Internal Audit (JA)
Senior Manager Risk (RW)
Chief Executive Retail (KG) (Minute POLARC 17/04)
Sales Director (OW) (Minute POLARC 17/04)
Head of FS Risk & Regulation (JH) (Minute POLARC 17/04)
Head of Transformation Risk and Assurance (JE) (Minute POLARC
17/06)
Chief Information Officer (RH) (Minute POLARC 17/07)
Head of Telecommunications (GS) (Minute POLARC 17/07)
Business Continuity Planning (TA) (Minute POLARC 17/13)
Audit Partner, Ernst & Young (PMI)
Senior Quality Leader, Ernst & Young (CJ)
POLARC 17/01 WELCOME AND CONFLICTS OF INTEREST
(a)
A quorum being present, the Chair opened the meeting. The
Directors declared that they had no conflicts of interest in the
matters to be considered at the meeting in accordance with
the requirements of section 177 of the Companies Act 2006
and the Company's Articles of Association.
POLARC 17/02 MINUTES OF THE MEETING HELD ON 17 NOVEMBER 2016,
MATTERS ARISING AND ACTIONS LIST
(a)
The minutes of the meeting held on 17" November 2016 were
approved as presented and the Chair of the Committee was
POL ARC, 30 January 20171DRAFT
(c)
Strictly Confidential
authorised to sign them as a true record.
The Committee challenged the closed status of actions:
e POLARC 16/27(i), BCP testing. GC explained that a
testing programme was being put in place by the new
BCP Manager who had an agenda item to update the
Committee on progress. BCP would return to the
Committee as a matter of course and the specific
action was therefore closed.
« POLARC 16/44 (d), POMS risk dashboard. NK
explained that the dashboard would be developed
through the year, with risks picked up in his summary
management paper.
The Committee acknowledge the work to date and the actions
status report was noted as accurate.
MANAGEMENT OF KEY OPERATIONAL RISKS
POLARC 17/03 FINANCIAL CONTROL UPDATE
(a)
(b)
(c)
(d)
The CFOO reported the continued progress to implement the
Financial Controls Framework which would be in place by the
end of the Financial Year.
The Committee discussed the self-assessment controls. The
CFOO confirmed that self-assessment required internal audit
assurance to test its veracity.
The CFOO reported that the work to reconcile branch cash
balances between Horizon and POLSAP was now complete
for sterling but that the accuracy of branch cash declarations
remained an issue. An initial workshop has been set up to
look at the processes in place and to understand the root
cause.
The Committee noted the report and thanked the CFOO for
the good progress.
The Committee noted that the IT Controls Update report
would be included in the IT Strategy paper being discussed at
the Board meeting on 31 January 2017, but would appear on
future Committee agendas.
POLARC 17/04 NETWORK CONDUCT RISK ACTION PLAN
UKGI00007544
UKGI00007544
IRRELEVANT
POL ARC, 30 January 20172DRAFT
UKGI00007544
UKGI00007544
Strictly Confidential
IRRELEVANT
POL ARC, 30 January 20173DRAFT
UKGI00007544
UKGI00007544
Strictly Confidential
IRRELEVANT
(c) The CEO noted the report appeared to suggest that there was
an emerging risk of suicide. She explained that this risk arose
very occasionally in the postmaster population but that the
number of instances had not increased. The process to
handle these situations when they arose was sympathetic and
supportive for all involved, and it was not considered an
emerging risk.
(d) The Committee noted the report
POLARC 17/06 TRANSFORMATION RISK UPDATE
POLARC 17/07 CYBER-ATTACK ON POST OFFICE TELECOMMUNICATIONS
BUSINESS
POL ARC, 30 January 20174DRAFT
UKGI00007544
UKGI00007544
Strictly Confidential
POLARC 17/08 ANNUAL RISK REVIEW
IRRELEVANT
ACTION: GC
POL ARC, 30 January 20175DRAFT
POLARC 17/09
POLARC 17/10
Strictly Confidential
LEGAL
(a)
(b)
(c)
(d)
GC presented the annual review of legal risk and highlighted
the five areas of greatest concern:
1. Lack of Contract Management experience and
expertise
Lack of compliance to contract obligations
Lack of understanding of relevant regulation
Lack of understanding of competition rules
Lack of deterrent due to reduced prosecutions.
aon
The Committee discussed the control of cash, and its effect on
fraud and cash utilisation. The CFOO explained that an end to
end review was underway to improve cash management
which should also enable more effective monitoring and
intervention to reduce fraud. GC stressed that although the
Business had not initiated any recent prosecutions, the police
prosecuted cases where they believed it appropriate.
GC gave an update on Sparrow. The Group Litigation Order
had been heard by the Court. The initial hearing went as well
as could be expected, with the court requiring a high level of
information from the claimants. The next procedural hearing
would be in October but it was not expected that any
substantive matters would be heard before next year.
The Committee noted the Annual Legal Risk Review.
INTERNAL AUDIT REPORT
(a)
(b)
Johann Appel, Senior Manager Internal Audit, presented the
report and explained that although the programme was
currently behind plan it would be delivered by the end of the
year. JA gave the Committee his assurance that the
resourcing problems had been now been resolved.
The Committee stressed the importance of aligning the audit
plan with the strategic plan and focusing on the areas of
greatest risk. JA assured the Committee that since his arrival
he had been working on the new plan for 2017/18 which
would include the areas of greatest risk. The Business
Continuity Audit would be postponed and included in the
POL ARC, 30 January 20176DRAFT
UKGI00007544
UKGI00007544
(c)
(d)
(e)
Strictly Confidential
2017/18 plan which would be presented to the Committee in
March.
The Committee noted that two IT audits had been deferred
until May 2017 and stressed the need to ensure these were
included in the plan.
The Committee challenged the correlation of the findings in
the audit reports and the overall ratings given to audits. JA
explained that the ratings were based on four areas; Value;
Risk; Urgency and Impact on the business. The Committee
were particularly concerned by the lack of rating for the
‘Winning with Retailers PIR’ and the average rating for the
Data Protection audit. The Committee asked for assurance
that ratings had not been negotiated away during
management feedback sessions. JA assured the Committee
of his independence and promised to apply a robust rating
process in the future.
The Committee noted the internal audit activity.
POLARC 17/11 EXTERNAL AUDIT REPORT
(a)
(b)
ACTION: AR (c)
(d)
ACTION: CFOO
(e)
ACTION: PMI (f)
The Chair asked Peter Mclver, Ernst and Young (EY), to give
an update on the External Audit Plan.
PMI assured the Committee that all the planning work was
complete for POL and POMS audits. PMI explained that there
had been some delay in receiving the Service Organisational
Control (SOC) reports from Fujitsu, Accenture and CSC.
The Financial Controller would chase the SOC reports
from Fujitsu, Accenture and CSC.
The CFOO would bring the IRIS and Pensions accounting
treatment to the March ARC.
EY would consider the longer-term accounting policies outside
of the annual external audit.
The Chair asked PMI to confirm that their action to inform
PwC of the POL materiality levels had been discharged.
POLARC 17/12 RISK UPDATE
(a)
(b)
ACTION: AR/PMI
MMF updated the Committee on the changes to the Group
Risk Profile and explained that management had identified
key actions for the top 15 risks, as well as the Risks of the
Moment.
The CFOO reported that access to systems such as
payroll, would be checked as part of the EY audit to
ensure there were no balance sheet implications.
POL ARC, 30 January 20177DRAFT
UKGI00007544
UKGI00007544
UKGI00007544
UKGI00007544
Strictly Confidential
(c)
The CFOO explained that Credence reliability was captured in
‘IT availability and ability to trade risk’ and it was currently
slightly more stable but would not be without risk until it was
replaced.
(d)
The Committee discussed the need to ensure a commercial
approach to risk and risk appetite, and recognised that the
risk report was inevitably a pessimistic view of the Business.
GC acknowledged that the report would highlight risks,
however an effective risk framework should also identify
areas where appropriate for taking more risk.
(e) The Committee noted the Risk report.
POLARC 17/13 BUSINESS CONTINUITY (BC) UPDATE
POLARC 17/14 HORIZON SCANNING
IRRELEVANT
POL ARC, 30 January 20178DRAFT
UKGI00007544
UKGI00007544
Strictly Confidential
IRRELEVANT
POLARC 17/15 ANY OTHER BUSINESS
(a) No any other business raised.
POLARC 17/16 ARC SESSION WITH THE RISK TEAM
(a) All attendees left the meeting apart from the Committee
members and the Risk team. The Committee debated areas
of concern for the Committee and the risk team.
(b) There being no further business the Chair closed the meeting.
POL ARC, 30 January 20179DRAFT