UKGI00011874 - BEIS Partner Organisation Governance & Sponsorship: Post Office - Final internal audit report

Evidence on official site

UKGI00011874
UKGI00011874

ae

Government
Internal Audit
Agency

BEIS

Partner Organisation Governance & Sponsorship: Post Office

Final internal audit report

Date of issue: 315‘ October 2019

Audit reference: 1920-BEIS-022

This document has been prepared for and is only for BEIS management and staff. BEIS must consult with GIAA (pursuant to part 3 of the Secretary of State
Code of Practice issued under section 45 of the FOI Act) before disclosing information within the reports to third parties. Any unauthorised disclosure,
copying, distribution or other action taken in reliance of the information contained in this document is strictly prohibited. The report is not intended for any othe
audience or purpose and we do not accept or assume any direct or indirect liability or duty o& care to any other person to whom this report is provided or
shown, save where expressly agreed by our prior consent in writing.
UKGI00011874
UKGI00011874

Contents
Contents 2
Executive summary 3
Summary of findings 5
Detailed findings 1 8
Detailed findings 2 9
Detailed findings 3 11
Detailed findings 4 15
Annex 1: Management action plan 18
Annex 2: Objectives, scope and limitations 22
Annex 3: Our classification systems 24

Page 2 of 24
UKGI

Executive summary

Opinion RAG

Moderate

Some improvements are required to enhance the adequacy and effectiveness of the framework of governance,
risk management and control.

acucnay

The department's approach to governing sponsorship and shareholder activities over Post Office Limited (POL) are designed to
ensure that Ministers, and the Department, receive accurate and timely advice with regards to the discharge of their duties in
respect to the Company. To support this Sponsor and Shareholder Teams liaise with the Company on all aspects of their delivery
work and will act as the first point of contact between Government and the Company.

While we have identified examples of good governance and sponsorship, we have also identified areas where there is scope for
improvement, although the risks surrounding this are known and improvements are being made to strengthen governance and
reporting arrangements. We have therefore given a Moderate opinion with the assumption that the improvements currently in-
progress will be implemented in a timely manner, including the finalisation of the Framework Document and ways of working
around POL with all stakeholders.

In the context of improving existing sponsorship and shareholder activities, we have identified the following areas for
improvement for which corresponding recommendations have been made in the action plan in this report:

« Improving communication links between the Post Office Policy Team and the BEIS Partnerships Team. Discussions
between the Policy Team and the Partnerships Team are infrequent, with no regular engagement around performance,
risks, issues or concerns. This could result in risks or opportunities to share good practice being missed, negatively
impacting POL’s operations, or BEIS’s oversight of POL.

« Formalising roles and responsibilities between organisations. A draft MoU and RASCI agreement are currently in the
process of being agreed between UKGI; BEIS: POL Policy Team; Partnerships Team; and Finance Team. Whilst we saw
evidence that there had been input from UKGI and the BEIS: POL Policy Team, we could not confirm that the BEIS:
Partnerships Team and Finance Team had been involved in the drafting; however, we have been informed that an initial

Page 3 of 24

UKGI00011874
100011874
UKGI00011874

UKGI00011874

‘ways of working’ document around POL. We also noted that the framework document did not fully identify the reporting/
information sharing arrangements between BEIS and UKGI, which will therefore need to be documented elsewhere.

Providing greater visibility of POL risks within BEIS. The BEIS Policy Team does not have oversight of risk management
activities conducted within POL and/or concerning POL by UKGI or the BEIS Partnerships Team (including quarterly risk
assessments which filter up to BEIS ExCo, as well as UKGI's risk management activities). This could impact the
Department's ability to influence/ oversee the mitigating actions in place to ensure risks are aligned to their risk appetite
and the quality of risk reporting to the Permanent Secretary.

Improving corporate knowledge of POL within BEIS. This risk has been recognised and is improving, although historic
knowledge around POL continues to be concentrated in one individual. Whilst knowledge will spread organically as time
goes on (the Policy Team, for example, is relatively new), a focused effort should be made around ensuring that key
information is well-known and formally recorded.

Updating the 'strategic vision’ to ensure that it continues to reflect business need. The 'strategic vision’ for POL was
published in 2010 by BIS and may therefore be out of date, although work has recently commenced (following Ministerial
approval) on a refreshed vision. However, work on this vision was still in its infancy at the time of fieldwork and as a result
we have included a recommendation to ensure that progress is sufficiently monitored.

Further information around the recommendations mentioned above, as well as some areas of good practice identified, can be
found in the ‘summary of findings’ and ‘detailed findings’ sections of this report.

High Medium Low

Recommendations 0 6 0

Page 4 of 24
UKGI00011874
UKGI00011874

Summary of findings

Risk: If processes designed to (i) develop an effective Framework Document between BEIS, UKGI and POL,
and (ii) ensure that the document’s content is appropriate and aligned to the achievement of its objectives,
are flawed, an ineffective governance framework could come to undermine the achievement of stated
objectives.

A sponsorship framework has been established, although the Framework Document is not currently in place to outline
key activities; roles; responsibilities and accountabilities between BEIS, UKGI and Post Office Ltd, which is outlined
within Managing Public Money guidance. The draft Framework Document in place was produced through consultation
1 with BEIS, UKGI and HM Treasury (HMT) and forms the basis of the framework. POL’s Legal Team is currently

considering the specifics of the document to ensure that all parties are happy with the content before it is presented to
Ministers or the POL Board for approval - although this review has been delayed due to their Legal Team being
engaged with an ongoing litigation case.

Processes around the development of the Framework Document for POL are effective and the content of the
document (whilst still in draft and under review) is appropriate and in line with existing documentation/ working
practices and good practice and has been approved by HM Treasury. Whilst POL was not included in the initial
development of the document, they have been given sufficient input to the review and challenge of the content of the
draft document, which should ensure that it aligns with their expectations of their relationship with BEIS.

Risk: If the accountabilities, roles and responsibilities of BEIS, UKGI and POL are not clearly defined,
consistently understood, and/or effectively implemented, ineffective governance activities could come to
undermine the achievement of stated objectives.

2 The draft Framework Document outlines all relevant roles and responsibilities of key individuals at POL (as well as
the Board and the company in general), including reporting requirements and rules that need to be followed. Although
still in draft, roles and responsibilities are clearly understood. In addition, key responsibilities are outlined for the:
Shareholder Principal Accounting Officer (PAO); POL PAO; Shareholder policy & corporate governance roles
(including Ministers; the Policy Sponsor within BEIS; and UKGI); and the POL Board.

Page 5 of 24
UKGI00011874

UKGI00011874

A memorandum of Understanding (MoU) between BEIS (including its Policy, Sponsorship and Finance Teams) and
UKGI, which defines their individual roles and responsibilities relating to POL in more detail than is covered by the
Framework Document, is also in the process of being finalised and agreed, as is a RASCI document. We were
informed that since our fieldwork concluded, an organisation level MoU has been agreed between BEIS and UKGI,
with work now commencing on a working level agreement around ‘ways of working’ with POL.

The POL Policy Team is leading on this for BEIS and are currently in the process of progressing this action. However,
during fieldwork our interviews noted no plans to extend the review of roles and responsibilities to the Finance and
Partnership Teams, although we were informed that this had been addressed following the agreement of the
organisation level MoU. We also noted that BEIS did not currently intend to use this MoU to ensure all reporting/
information sharing requirements between BEIS and UKGI are clearly defined. (Recommendation)

Risk: If sponsorship and governance arrangements (to include scrutiny and challenge of performance Ml,
risk management and control activities) are not sufficiently robust, BEIS may lack confidence that POL’s
activities align with its expectations.

An effective reporting framework is in place between POL and UKGI (with UKGI acting as Shareholder
representative, performance management falls under their responsibility) supported by a good working relationship
providing regular engagement, reporting and challenge.

The existing ‘strategic vision’ for the Post Office was issued by BIS in 2010, and is now in the process of being
updated, with initial Ministerial approval confirmed and an initial project plan and supporting documents developed.
This vision is expected to cover the next 10 years and will provide an update on the previous document. We have
raised a recommendation regarding its completion to ensure that we are able to evidence the work being completed.
(Recommendation)

Risk management oversight is currently provided by UKGI who maintain an operational POL risk register and
populate quarterly risk assessments for BEIS Partnerships and Portfolio Teams and reporting within BEIS.

However, the BEIS Policy Team do not have oversight of any of UKGI or BEIS Partnership Team’s risk management
activities around POL and are currently in the process of producing their own team risk register. As a result, the Policy
Team does not currently receive any information on POL risks and so are not in a position to effectively implement
mitigations as are required. There is an additional risk that the information recorded on UKGI’s registers may not align
with BEIS's risk appetite and the Policy Team may not be able to fully update the Permanent Secretary on current
risks and mitigations. (Recommendation)

Page 6 of 24
UKGI00011874

UKGI00011874

Risk: If BEIS fails to provide effective support to POL (e.g. through sponsorship, Finance, Commercial,
and/or Policy Teams), the delivery of stated objectives could be undermined.

Support to POL is provided at various levels of the organisation through BEIS (and its policy, sponsorship and
specialist teams) and UKGI. The POL Policy Team is still a relatively new team, is sufficiently resourced to enable
them to allocate time to more proactive and forward-looking activities and now appears to be settling into its role,
which is evident by the planned and ongoing work around a new strategic vision for POL.

We identified that the POL Policy Team and UKGI regularly interact with other teams across BEIS as needs arise to
tap into specialist knowledge. However, we noted that the BEIS: POL Policy Team and the BEIS Partnerships Team
do not have any regular formal communications/ engagement with each other around POL or good practice/ common
issues in other ALBs. Where teams involved in managing POL do not communicate effectively, there is a risk that
they will overlook/ miss opportunities for efficiencies; duplicate efforts; or negatively impact their reputation/
relationship with Partner Organisations. (Recommendation)

An overarching risk exists within the BEIS Post Office Policy Team with regards to their internal succession planning
and knowledge management, which is especially relevant as they remain a relatively new team which has grown. A
large percentage of the team are new, with a large amount of the knowledge around POL concentrated in one of
individual. Whilst knowledge will spread throughout the team as time goes by, we feel that a concerted effort should
be made to ensure that knowledge around POL is retained. (Recommendation)

Page 7 of 24
UKGI00011874

UKGI00011874

Detailed findings 1

Risk 1: If processes designed to (i) develop an effective Framework Document I Opinion on .
between BEIS, UKGI and POL, and (ii) ensure that the document's content is panagerent of risk:
appropriate and aligned to the achievement of its objectives, are flawed, an

ineffective governance framework could come to undermine the achievement
of stated objectives.

Findings

Engaging other BEIS Teams around responsibilities
POL generally has 3 points of contact with its sponsor and shareholder, which are:

¢ BEIS Post Office Policy Team (the Policy Team) - core contact with POL for Ministerial and Parliamentary queries, as
well as completing work to develop a long-term strategic vision for POL on behalf of the Government;

e BEIS Partnerships Team - corporate governance sponsor, with main involvement around Exec/ Board level recruitment
at POL and ensuring the appropriate risk management information is fed into core BEIS risk management arrangements;
an

e UK Government Investments (UKGI) - act as the Shareholder Representative for POL and manage/ monitor
performance. UKGI have the most direct and frequent contact with POL, with regular, formal steering meetings and
representation on the POL Board of Directors.

Our testing and discussions with BEIS, POL and UKGI members of staff provide a sound basis for confidence that current
arrangements around the department's sponsorship of POL are fundamentally proportionate and effective, and aligned with the
EAST strategy (Engage, promote Assurance, Strengthen alignment and foster Talent).

A Framework Document to outline key activities; roles; responsibilities and accountabilities between BEIS; UKGI and Post Office
Ltd, in line with Managing Public Money guidance, is in the process of being agreed and signed off.

Page 8 of 24
UKGI00011874

UKGI00011874

The draft Framework Document, which was produced through consultation with BEIS, UKGI and HM Treasury (HMT) forms the
basis of the framework. POL’s Legal Team is currently considering the specifics of the document to ensure that all parties are
happy with the content of the document before it is presented to Ministers or the POL Board for approval - although this review
has been delayed due to their Legal Team being engaged with an ongoing litigation case.

Whilst POL was not included in the initial development of the document, they have been given sufficient input to the review and
challenge of the content of the draft document, which should ensure that it aligns with their expectations of their relationship with
BEIS.

Processes around the development of the Framework Document for POL are effective and the content of the document (whilst
still in draft and under review) is appropriate and in line with existing documentation/ working practices and good practice and has
been approved by HM Treasury.

Implications and recommendations

No formal recommendation has been raised in this area as it has been evidenced that work is already in advanced stages to
implement this control. Furthermore, we have not identified any significant instances of working practices that were not aligned
with those outlined in the draft Framework Document

Detailed findings 2

Risk 2: If the accountabilities, roles and responsibilities of BEIS, UKGI and Opinion on .
POL are not clearly defined consistently understood, and/or effectively management of risk:
implemented, ineffective governance activities could come to undermine the

achievement of stated objectives

Findings

Page 9 of 24
UKGI00011874

UKGI00011874

Engaging other BEIS Teams around responsibilities

BEIS and UKGI are in the process of finalising and agreeing an MoU between them that defines their individual roles and
responsibilities relating to POL in more detail than will be covered by the Framework Document. A RASCI document is also in
draft form and being agreed. We were informed that since our fieldwork concluded, an organisation level MoU has been agreed
between BEIS and UKGI, with work now commencing on a working level agreement around ‘ways of working’ with POL.

For BEIS, the roles and responsibilities outlined include those for the POL Policy Team; the Partnerships Team; and the Finance
Team. The Policy Team is leading on this for BEIS and are currently in the process of updating and clarifying their roles and
responsibilities (which UKGI have already done). However, our discussions noted that there were not currently any plans to
extend the review of roles and responsibilities to the Finance and Partnership Teams, although we were informed that this had
been addressed during the agreement of the organisation level MoU.

The Policy Team have yet to utilise the MoU to formalise reporting/ information sharing arrangements between BEIS and UKGI.
This presents an opportunity to further ensure that all information required by the Policy Team is shared on a routine basis.

Implications and recommendations

Risk
Where teams at BEIS do not have sight of their roles and responsibilities that are being formally defined, there is a risk that key
actions/ roles may not be completed due to a lack of clarity regarding responsibilities.

Recommendation

As was initially identified (and was since implemented for the MoU), BEIS Finance and Partnerships Teams should be consulted
on their respective activities during the agreement of the ‘ways of working’ document. This review process should also be utilised
as an opportunity for BEIS to ensure they are happy with the requirements that are currently outlined and that all reporting/
information sharing arrangements have been clearly defined.

Page 10 of 24
UKGI00011874
UKGI00011874

Detailed findings 3

Risk 3: If sponsorship and governance arrangements (to include scrutiny and I Opinion on ;
challenge of performance Ml, risk management and control activities) are not I management of risk:
sufficiently robust, BEIS may lack confidence that POL’s activities align with its

expectations

Findings

An effective reporting framework is in place between POL and UKGI (with UKGI acting as Shareholder representative,
performance management falls under their responsibility) and includes monthly finance reports; quarterly investment reports and
bi-monthly reports on the POL network. These reports are reviewed and challenged formally by UKGI at meetings between them
and POL. Our examination of the supporting documentation, including evidence of additional challenge over email by the UKGI
Team around financial queries confirmed an environment of constructive challenge.

A representative from the BEIS Policy Team also attends the bi-monthly Network Programmes Performance Update meetings
alongside UKGI colleagues, as the size and geography of the network is a specific interest of BEIS and one of POL’s core
strategic objectives.

BEIS and UKGI Teams have an effective working relationship, with discussions and updates at all levels. At working level, we
were informed that staff communicate on an almost daily basis around current issues/ activities; there are fortnightly meetings
between the DD Post Office Policy and Sectors Briefing Hub and her counterpart in UKGI; as well as monthly meetings between
the BEIS Director and the UKGI Director who is a NED on POL’s Board.

The existing ‘strategic vision’ for the Post Office was issued by BIS in 2010. Work on updating and refreshing this outlook has
recently commenced, with initial Ministerial approval confirmed and an initial project plan in the form of a Gantt chart that includes
timescales for actions around: vision development; stakeholder engagement; and inputs and evidence base.

Page 11 of 24
UKGI00011874

UKGI00011874

The desired output from this exercise has not yet been agreed at the time of fieldwork (i.e. whether this will be a formal
publication or not); however, we were informed that this is expected to be aligned to the next spending review process. This
vision is expected to cover the next 10 years and will provide an update on the previous document.

We have seen evidence that this process has been initiated and agreed with Ministers, and that work on updating and refreshing
this outlook has commenced. However this work was in its infancy at the time of fieldwork, which we have identified as a control
gap and raised a recommendation to ensure that progress is sufficiently monitored.

We also note that following the implementation of a new strategic vision, existing documentation (including the Framework
Document and roles and responsibilities) will need to be re-visited and reviewed to ensure they remain appropriate and support
the implementation and delivery of the new vision.

Risk management around POL

The BEIS Post Office Policy Team do not formally record and monitor risks to BEIS relating to POL; however, we were informed
that the production of a team risk register is underway, following the completion of their Directorate risk register. Discussions with
the Policy Team noted that they were not currently kept up to date of additional risk reporting conducted around POL, including
UKGl's activities and the quarterly risk assessments which are reported through BEIS’ central risk management processes. As a
result, current risk management reporting arrangements are not adequate to ensure BEIS have an understanding of key risks
relating to POL.

UKGI maintain an operational POL risk register which describes the main risks to them around POL; their impacts; current
mitigations; RAG rating (inherent and residual); and a ‘current status’ update. Risks are segregated into seven headings: network
monitoring; financial performance; strategy; litigation; compliance; governance; and appointments and pay. This register is
updated monthly as part of an organisation-wide review of asset risks, with more detailed discussions held when risks move. We
were informed that POL’s risk score last changed in November 2018 as a result of the litigation case progressing, and as a result
was discussed by the UKGI Board and ExCo.

UKGI also populate quarterly risk assessments around POL and submit these to the BEIS Partnerships and Portfolio Teams at
which point any scoring/ information can be challenged as required. The Portfolio Team then use this risk assessment to compile
regular reports to ExCo on the risks facing the department from its Partner Organisations (PO). A complexity grid is also
maintained for each PO which are then used by ExCo to focus their attention on the highest risk POs.

However, the BEIS Policy Team do not have oversight of any of UKGI’s, or the BEIS Partnership Team's, risk management
activities, which could negatively impact the Department's fundamental understanding of its key risks relating to POL. We believe

Page 12 of 24
UKGI00011874

UKGI00011874

that this information should be shared with the POL Policy Team to ensure that risks are known and BEIS can take effective
action to mitigate risks to the Department relating to POL, as is appropriate/ required.

Additional area for possible improvement — which has not constituted a formal recommendation

Risk management reporting around Partner Organisations (POs) is not currently reviewed/ monitored through BEIS' online
reporting system and is instead reported through standard risk assessment reporting templates. Risks are still reported through
to ExCo, and we were informed that BEIS' central risk management team were currently considering making central reporting
available to PO teams. Once this has been implemented, we would expect to see a more efficient and effective risk management
system from one single source, with input from all relevant stakeholders. This will represent a significant improvement.

Implications and recommendations

Risk:
Where an updated strategic vision is not in place for POL, there is a risk that BEIS is not providing enough support/ guidance on
what POL should be aiming to deliver (outside of stipulations from their subsidy agreement or the transformation programme).

This could result in mis-aligned strategic objectives which may not meet the needs of the public, the Department, or the wider
Government.

Recommendation:

As is the current intention, the Post Office Policy Team (with input and engagement from UKGI and POL) should develop a new
strategic vision for POL.

Upon completion and agreement of this vision, existing documentation (including the Framework Document and roles and
responsibilities) should be reviewed to ensure that they remain appropriate and that their content supports the delivery and
implementation of the new vision.

Risk:

Where the BEIS Policy Team does not have oversight of risk management processes for POL and undertake its own risk
management activities, there is a risk that key risks may not be known, which could result in decisions being made which may not
be appropriate if all the information was available.

Recommendation:

Page 13 of 24
UKGI00011874
UKGI00011874

The Post Office Policy Team at BEIS should have oversight of all current risk management activities around POL, including the
quarterly risk assessments, as well as insights into UKGI’s risk management activities/ opinions.

The Policy Team should utilise this information and record it within their own risk register. This should be maintained in line with
the Department's risk management framework, and risks should be escalated to the directorate risk register as appropriate.

This oversight of risk reporting should be utilised as an opportunity for the BEIS Policy Team to ensure that risks have been
considered in line with the Department's risk appetite and methodology and that any variances are investigated, discussed and
mitigated as necessary.

Page 14 of 24
UKGI00011874
UKGI00011874

Detailed findings 4

Risk 4: If BEIS fails to provide effective support to POL (e.g. through Opinion on .
sponsorship, Finance, Commercial, and/or Policy Teams), the delivery of Magagement of risk:
stated objectives could be undermined

Findings

The POL Policy Team is still a relatively new team and now appears to be settling into its role, which is evident by the planned
and ongoing work around a new strategic vision for POL. However, in our interviews we identified an overarching risk exists
within the BEIS Post Office Policy Team with regards to their internal succession planning and knowledge management, which is
especially relevant as they remain a relatively new team which has grown. A large percentage of the team are new, with a large
amount of the knowledge around POL concentrated in one of individual. Whilst knowledge will spread throughout the team as
time goes by, we feel that a concerted effort should be made to ensure that knowledge around POL is retained.

Our interviews with the team noted that this would not have previously been possible due to resourcing difficulties, as the focus
was on responding to Ministerial queries around letters received or Parliamentary questions that related to POL. However, the
team now appear to be sufficiently resourced to enable them to allocate time to more proactive and forward-looking activities,
such as the vision.

We identified that the POL Policy Team and UKGI interact with other teams across BEIS as needs arise to tap into specialist
knowledge, but noted that the most common of these were the Legal, Finance and Partnerships Team, with UKGI having a
fortnightly catch-up with Partnerships, who act as the Corporate Governance Sponsor for POL.

However, we noted that the POL Policy Team and the BEIS Partnerships Team do not have any regular formal communications/
engagement around POL or good practice/ common issues in other ALB’s. Where teams involved in managing POL do not
communicate effectively, there is a risk that they will overlook/ miss opportunities for efficiencies; duplicate efforts; or negatively
impact their reputation/ relationship with Partner Organisations.

UKGI monitor succession planning at POL as part of their responsibilities as Shareholder Executive. This is led by the Director
who sits on the POL Board as a Non-Executive Director (NED), and we were informed that a paper discussing this topic is due to

Page 15 of 24
UKGI00011874

UKGI00011874

be reviewed before the end of 2019, with previous discussions on this topic paused while POL shifted its focus to recruiting a
new Chief Executive. The Partnerships Team at BEIS offer support in this area, and support all Board and Executive recruitment
at partner organisations, including POL.

While UKGI have established effective working relationships with both BEIS teams, we noted that the communication links
between the teams within BEIS did not seem to be as effective. Our interviews identified that discussions between the Policy
Team and the Partnerships Team were infrequent, with no regular engagement around performance, risks, issues or concerns.

Our interviews with the Policy Team also identified that they are currently seeking out other ALB Policy Teams who have a
similar working relationship with UKGI in order to identify common issues and discuss areas of good practice. Whilst this was still
ongoing, we believe that this represents a good opportunity to identify potential improvements (or share some) with another team
in the Department.

Implications and recommendations

Risk:

Where knowledge around POL is largely concentrated in one individual, there is a risk that that key information could be lost if
that person left the civil service or changed teams/ Departments.

Recommendation:

The Policy Team should ensure that key knowledge around POL is spread throughout the team. This should include a good
understanding of:

« the relevant governance meetings that take place and who attends them;

« the reporting framework in place;

« key decisions that impact the relationship with POL and/or UKGI;

* any areas where UKGI leads on the relationship with POL, including how a summary of this information is relayed to BEIS;
and

« key contacts throughout BEIS; UKGI and POL and their areas of responsibility. A contact log (or similar) should be
considered.

Page 16 of 24
UKGI00011874
UKGI00011874

Risk:
Where teams within BEIS do not communicate effectively when their work is aligned, there is a risk that they will overlook/ miss
opportunities for efficiencies; duplicate efforts; or negatively impact their reputation/ relationship with Partner Organisations.

Recommendation:

The Post Office Policy and the Partnerships Team should review their working relationship to ensure effective an open
information sharing and communications around their responsibilities towards POL.

The Post Office Policy Team should also continue with current intentions to contact other Policy Teams at BEIS who work with
UKGI in a similar way. This should facilitate further sharing of good practice and discussions around common issues.

Page 17 of 24
UKGI00011874
UKGI00011874

Annex 1: Management action plan

If the accountabilities, roles and responsibilities of BEIS, UKGI and POL are not clearly

Risk 2. defined consistently understood, and/or effectively implemented, ineffective governance
activities could come to undermine the achievement of stated objectives
Opinion on management of risk: Moderate
Recommendations: Priority Actions Agreed Target date: Owner:

2.1

As was initially identified (and was
since implemented for the MoU), BEIS
Finance and Partnerships Teams
should be consulted on their respective
activities during the agreement of the
‘ways of working’ document. This
review process should also be utilised
as an opportunity for BEIS to ensure
they are happy with the requirements
that are currently outlined and that all
reporting/ information sharing
arrangements have been clearly
defined.

Medium

Consult BEIS Finance and
Partnership teams on ways of
working document.

31% December
2019

Pranita Bhargava

Risk 3.

If sponsorship and governance arrangements (to include scrutiny and challenge of
performance MI, risk management and control activities) are not sufficiently robust, BEIS
may lack confidence that POL’s activities align with its expectations

Opinion on management of risk:

Moderate

Recommendations:

Priority

Actions Agreed

Target date:

Owner:

Page 18 of 24
UKGI00011874
UKGI00011874

“Produce advice to Ministers

I 31% March 2020

should have oversight of all current risk
management activities around POL,
including the quarterly risk
assessments, as well as insights into
UKGl's risk management activities/
opinions.

The Policy Team should utilise this
information and record it within their
own risk register. This should be
maintained in line with the
Department's risk management
framework, and risks should be

UKGI, then update Post
Office entries in Directorate’s
risk register

2019

3.1 I As is the current intention, the Post Medium Pranita Bhargava
Office Policy Team (with input and on draft long-term vision for
engagement from UKGI and POL) Post Office. Once this is
should develop a new strategic vision completed, agree and publish
for POL. new long-term vision for Post
Office
3.2 I Following completion, publication and Medium Update existing 30" June 2020 I Pranita Bhargava
agreement of the new POL vision, documentation to reflect new
existing documentation (including the vision
Framework Document and roles and
responsibilities) should be reviewed to
ensure that they remain appropriate
and that their content supports the
delivery and implementation of the new
vision.
3.3 I The Post Office Policy Team at BEIS Medium Agree this new approach with I 31% December I Pranita Bhargava

Page 19 of 24
UKGI00011874
UKGI00011874

escalated to the directorate risk register
as appropriate.

This oversight of risk reporting should
be utilised as an opportunity for the
BEIS Policy Team to ensure that risks
have been considered in line with the
Department's risk appetite and
methodology and that any variances
are investigated, discussed and
mitigated as necessary.

Risk 4. If BEIS fails to provide effective support to POL (e.g. through sponsorship, Finance,
. Commercial, and/or Policy Teams), the delivery of stated objectives could be undermined
Opinion on management of risk: Moderate
Recommendations: Priority Actions Agreed Target date: Owner:

41

The Policy Team should develop a plan
which will ensure key knowledge
around POL is spread throughout the
team going forward. This should
include developing a good
understanding of:

« the relevant governance meetings
that take place and who attends
them;

« the reporting framework in place;

« key decisions that impact the
relationship with POL and/or UKGI;
and

Medium

Knowledge-sharing within
team

31% January
2020

Pranita Bhargava

Page 20 of 24
relationship with POL, including how
a summary of this information is.
relayed to BEIS.

UKGI00011874
UKGI00011874

4.2

The Post Office Policy and the
Partnerships Team should review their
working relationship to ensure effective
an open information sharing and
communications around their
responsibilities towards POL.

The Post Office Policy Team should
also continue with current intentions to
contact other Policy Teams at BEIS
who work with UKGI in a similar way.
This should facilitate further sharing of
good practice and discussions around
common issues.

Medium

Meet BEIS Partnerships
team to discuss the results of
this audit and agree way
forward. Following this, we
will continue to build
relationships with other policy
teams in BEIS.

31% December
2019

Pranita Bhargava

Page 21 of 24
UKGI00011874

UKGI00011874

Annex 2: Objectives, scope and limitations

Objectives:
The objective of this audit is to provide reasonable assurance over the adequacy and effectiveness of Departmental sponsorship
arrangements in respect to POL.

The POL sponsorship team are currently in the process of creating a Relationship Framework Agreement between the
department and POL. As such, this review the current relationships between BEIS; UKGI; and POL and whether these are
effective through a review of governance arrangements. We will also consider the powers and responsibilities BEIS has with
regards to POL as its sole shareholder, and whether staff are fully aware with these to ensure that sponsorship arrangements
remain effective.

Scope and Limitations:

To provide assurance over the governance and sponsorship systems and processes including compliance of the Partner
Organisations to the Cabinet Office code of best practice, financial rules, and relevant regulations.

The review will provide assurance that:

e Plans are in place around the production of the POL Shareholder Framework Document and current performance against
time scales;

e BEIS, UKGI and POL roles and responsibilities are clearly defined, understood and working in practice, and BEIS / UKGI
are providing effective governance and direction;

e BEIS and UKGI are aware of their powers and responsibilities regarding POL as shareholder and shareholder
representative;

¢ BEIS and UKGI have an effective working relationship to ensure effective governance and oversight for POL;

e Support is effectively provided by BEIS as per the sponsorship model to support the POL control framework (e.g.
Managing Public Money guidance).

Page 22 of 24
UKGI00011874
UKGI00011874

Distribution:

Sarah Munby — Director General, Business Sectors

Carl Creswell - Director, Professional Business Services, Retail and Post
Beth White - Deputy Director, Post Office Policy and Sectors Briefing Hub
Pranita Bhargava — Head of Post Office Policy and Sectors Briefing Hub
BEIS Internal Controls Team

Authors:

Andrew Harrold — Audit Manager
Ryan Douglas — Senior Internal Auditor

Page 23 of 24
UKGI00011874
UKGI00011874

Annex 3: Our classification systems

Opinion

The framework of governance, risk management and control is adequate and effective.

Some improvements are required to enhance the adequacy and effectiveness of the framework of governance, risk
management and control.

There are significant weaknesses in the framework of governance, risk management and control such that it could be or
could become inadequate and ineffective.

There are fundamental weaknesses in the framework of governance, risk management and control such that it is
inadequate and ineffective or is likely to fail.

Recommendations

Priority Definition Action required

Significant weakness in governance, risk management Remedial action must be taken urgently and within an
and control that if unresolved exposes the organisation to I agreed timescale.
an unacceptable level of residual risk.

Weakness in governance, risk management and control I Remedial action should be taken at the earliest opportunity
that if unresolved exposes the organisation to a high and within an agreed timescale.
level of residual risk.

Scope for improvement in governance, risk management I Remedial action should be prioritised and undertaken within
and control. an agreed timescale.

Page 24 of 24