Agenda
UKGI00038546
POST OFFICE LIMITED

Meeting: Audit, Risk & Compliance Committee
Date: 30 March 2021
Time: 09.00 - 11.30
Location: 1.19 Wakefield, Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ / Microsoft Teams

Present:
Carla Stent (Chair)
Alison Rodwell (BEIS ARAC NED Observer)
Tom Cooper (NED, UKGI)
Zarin Patel (NED)

Regular Attendees:
Tim Parker (Group Chairman, POL)
Nick Read (Group CEO)
Alisdair Cameron (Group CFO)
Ben Foat (Group General Counsel)
Andrew Paynter (Audit Partner, PwC)
Sarah Allen (Senior Manager, PwC)
Rosie Clifton (Manager, PwC)
Johann Appel (Head of Internal Audit)
Mark Baldock (Head of Risk)
Jonathan Hill (Compliance Director)
Rebecca Whibley (Senior Assistant Company Secretary)
Hugo Sharp (Deloitte Partner)
Ken McCall (SID)

Invited Attendees:
Tim Perkins (Service and Support Optimisation Director): Item 2
Tracy Marshall (Postmaster Effectiveness Director): Item 2
Amanda Jones (Retail and Franchise Network Director): Items 2 & 9
Sally Smith (Money Laundering Reporting Officer & Head of Financial Crime): Item 3
Amanda Bowe (Post Office Insurance ARC Chair): Item 7
Jonny Lonsdale (Business Continuity Manager): Item 8
Martin Hopcroft (Head of Health & Safety): Item 8
Andy Kingham (Franchise Partnering Director): Item 9
Mark Siviter (Product Portfolio Director - Mails, Retail, PUDO & Gov services): Item 9
Item | Owner | Action
1. Welcome & Conflicts of Interest | Chair | Noting
2. Postmaster Policies | Tim Perkins, Tracy Marshall & Amanda Jones | Approval
   2.1 Postmaster Complaints Handling Policy
   2.2 Network Transaction Corrections Policy
   2.3 Network Cash and Stock Management Policy
   2.4 Postmaster Termination Decision Review Policy
   2.5 Postmaster Onboarding Policy
   2.6 Postmaster Training Policy
   2.7 Guide to Policy Standards for Postmasters
Strictly Confidential
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
09.30 3. Whistleblowing Policy Review | Sally Smith | Discussion & Approval
09.40 4. Previous Meetings | Chair |
   4.1 Minutes (26 January 2021 & 26 February 2021) | | Approval
   4.2 Action List | | Noting
   4.3 Draft Risk and Compliance Committee Minutes (16 March 2021) (subject to RCC Chair review) | | Noting
09.45 5. Compliance and Internal Audit Updates | |
   09.45 5.1 Risk Update | Mark Baldock | Noting
   09.55 5.2 Risk Appetite Statement: Legal & Compliance | Ben Foat & Jonathan Hill | Noting & Approval
   10.05 5.3 Compliance Update | Jonathan Hill | Noting
   10.15 5.4 Internal Audit Update | Johann Appel | Noting
10.25 6. Internal Audit Plan 2021/22 | Johann Appel | Noting & Approval
10.35 7. Update from Subsidiaries: Post Office Management Services (ARC) | Amanda Bowe | Noting
10.45 8. Business Continuity Review | Jonny Lonsdale & Martin Hopcroft | Noting
11.00 9. Deep Dive: Dangerous Goods | Andy Kingham, Mark Siviter & Amanda Jones | Noting
11.20 10. Committee Terms of Reference Review | Rebecca Whibley | Noting
11.25 11. Any other business | All | Noting
Items for Noting
These items will not be presented to the Committee and any questions should be sent to the Secretary for submission to the author for response. Questions and answers will be recorded as appendices to the meeting minutes.
1. Cyber Security | Tony Jowett | Noting
2. Procurement Governance & Compliance | Barbara Brannon
3. Law & Trends | Sarah Gray & Ben Foat
4. Bi-Annual Legal Risk Review (Non GLO/Starling) | Sarah Gray & Ben Foat
5. Strategic Partner Financial Stability Update | Emma Conway / Dan Zinner
6. Deep Dive: Payzone Governance | Andrew Goddard
7. Foreign Currency and Hedging | Tom Lee & Peter Mitchell
Items for approval via Written Resolution
These items will not be presented to the Committee and approval will be sought via Written Resolution to be signed by members prior to the meeting. Any questions relating to these items should be sent to the Secretary for submission to the author for response.
1. Policies for Approval/Noting | Jonathan Hill | Approval
   1.1 Summary Paper
   1.2 Health & Safety
   1.3 Procurement Policy

Next ARC Meeting: Tuesday 18 May 2021 at 09.30 to 12.00 in 1.19 Wakefield, Finsbury Dials, 20 Finsbury Street, London, EC2Y 9AQ
Tab 2 Postmaster Policies
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Postmaster Policies
Meeting Date: 30 March 2021
Author: Amanda Jones, Retail and Franchise Network Director; Tim Perkins, Service and Support Optimisation Director
Sponsor: Reviewed & approved by sponsor for presentation to the Committee.
Input Sought: Decisions
The Committee is asked to approve the six new Postmaster policies (set out in the Appendices), to be effective from the date of Audit, Risk & Compliance Committee’s (ARC) approval:
• Postmaster Complaint Handling Policy
• Network Transaction Corrections Policy
• Network Cash and Stock Management Policy
• Postmaster Termination Decision Review Policy
• Postmaster Onboarding Policy
• Postmaster Training Policy

The Committee is asked to separately approve the issuing of a policy guide for postmasters (also set out in the Appendices), considering the legal advice, to be issued from a date to be confirmed after ARC’s approval:
• Postmaster Guide to Policies
Previous Governance Oversight
The policies listed above were approved by the Risk and Compliance Committee on 16th March,
subject to the following additions, which have been completed.
1. In the Termination Decision Review Policy, to make clear that the Review Panel referred
to is independent and external.
2. In the Postmaster Training Policy, to make clear that a trainer will be present at the
postmaster’s first cash collection, delivery and branch monthly balancing.
Executive Summary
Following the Group Litigation Order (GLO), Post Office set about ensuring that its processes
complied with the findings of the GLO.
The focus on processes delivered a large number of changes to the support that Post Office
offers postmasters, but these processes were not necessarily governed by a policy at the point
of process changes being made. Primarily this was the case because no policy existed in the
first instance or the policy was so dated that it was irrelevant to the processes undertaken pre
or post the GLO.
Having policies in place for the support Post Office provides postmasters will bring Post Office
in line with best practice franchise businesses. The purposes of the policies are to provide
guidance, set down principles and highlight risk areas, while also ensuring that Post Office is
able to support postmasters effectively and compliantly with the GLO.
As part of an overall review of postmaster support policy requirements, this paper seeks
approval for four new postmaster policies to reflect how Post Office will provide support to
postmasters as well as a guide to policies that will be made available to postmasters.
Questions addressed
1. What policies are required to support the changes made to postmaster support following
the GLO?
2. What policies have recently been developed and now require approval?
3. What further policy work is required to ensure there is a full complement of postmaster
support policies in place and how will these be continually reviewed in the future?
Report
Background
1. Following the Common Issues Judgment and Horizon Issues Judgment in the GLO, Post
Office focused on improving processes to ensure compliance with the outcomes of the
judgments.
2. Whilst process improvements were delivered, Post Office has identified that there was an
absence of overarching policies for these processes to sit under. Where policies previously
existed, they were often very aged and did not bear relevance to the processes that Post
Office had improved.
3. As such, Post Office has set about developing a set of postmaster policies across key areas
of postmaster support.
Postmaster Policies
4. Post Office has identified that a comprehensive suite of postmaster policies is required to demonstrate and ensure GLO compliant support to postmasters in the following areas:
   • Network Monitoring and Audit Support
   • Network Cash and Stock Management
   • Network Transaction Corrections
   • Postmaster Account Support
   • Postmaster Accounting Dispute Resolution
   • Postmaster Contractual Performance
   • Postmaster Suspension
   • Postmaster Termination
   • Postmaster Termination Decision Review
   • Postmaster Complaint Handling
   • Postmaster Training
   • Postmaster Onboarding
5. The policies relating to Network Monitoring and Audit Support, Postmaster Account Support,
Contractual Performance, Postmaster Suspension and Postmaster Termination are already
approved and in use.
6. The policy relating to Postmaster Accounting Dispute Resolution is ready for ARC approval
by written resolution following offline reviewing with members of the ARC and legal.
7. This paper seeks approval of the policies relating to Postmaster Complaint Handling,
Network Transaction Corrections, Network Cash and Stock Management, Postmaster
Termination Decision Review, Postmaster Onboarding and Postmaster Training. These
policies can be found in the appendices to this paper.
8. This paper also seeks approval of the Postmaster Guide to Policies which can be shared with
postmasters. This document can also be found in the appendices to this paper.
9. Previous papers to the RCC and ARC indicated that a Postmaster Accountability policy would
also be developed. Following a review of the requirements for this particular policy, the
requirement for such a policy has been de-scoped.
10. All policies and the policy guide have been reviewed by Post Office internal stakeholders,
the National Federation of Subpostmasters (NFSP) and have had external legal oversight
from Herbert Smith Freehills or Norton Rose Fulbright.
Policy Overviews
11. The Postmaster Complaint Handling policy sets out the standards relating to the
management of postmaster complaints, that a fair process is followed for all postmaster
complaints and that any complaint raised is taken seriously and investigated fully. It also
gives guidance on the identification of whistleblowing reports. To help the ARC understand
the application of the policy in practice, the Complaint Handling process is included in
Appendix 8 and the template used for internal reporting of complaints and progress against
resolving them is at Appendix 9.
12. The Network Transaction Corrections policy details the standards behind how Post Office
identifies and issues Transaction Corrections and Transaction Acknowledgements, ensuring
that postmasters are notified without undue delay and that support is provided to
understand the reasons behind the issuing. The process for issuing a Transaction Correction
is included in Appendix 10 to this paper to help the ARC understand the application of the
policy in practice and the list of controls that are monitored within Service and Support are
in Appendix 11 (Operational Controls Self-Assessment) for the same purpose.
13. The Network Cash and Stock Management policy explains the principles to ensure that postmasters
are supported effectively in managing cash and stock provisions in branch.
14. The Postmaster Termination Decision Review policy sets out how Post Office will deal with
any situation whereby a postmaster does not agree with a decision to terminate their
agreement, either by notice or immediately.
15. The Postmaster Onboarding policy details the principles that ensure that new postmasters
are supported effectively in their early days, ensuring that the onboarding process meets
regulatory and contractual obligations.
16. The Postmaster Training policy sets out the standards for ensuring that postmasters receive
a comprehensive training provision to support the effective running of their branch(es).
Postmaster Guide to Policies
17. The Postmaster Guide to Policies is a document that can be shared with postmasters and is
a guide to the principles that Post Office teams need to follow and how these principles are
linked to specific policies.
18. A legal review of this document has identified some legal risks in the publication of this
document. These are:
19. These risks have been mitigated to some extent by including wording in the guide and each policy to state that they do not form part of the contract with postmasters, and through ensuring that the guide will not be issued to postmasters prior to them entering into a contract with Post Office.
20. These risks should also be taken in perspective with Post Office’s desire to provide reassurance to postmasters that Post Office has robust policies in relation to postmaster support following the GLO and its desire to be transparent in its dealings with postmasters.

Next Steps & Timelines
21. Following approval of the six policies, Post Office will ensure that:
   • all relevant teams are fully trained on the new policies by the end of April 2021.
   • the policies will be reviewed annually, for approval at RCC, beginning April 2022.
22. Policies previously approved at RCC and ARC in 2020 and 2021 will be updated and resubmitted with a list of changes at the RCC meeting to take place on the 4th May 2021, and the ARC meeting on the 18th May (following the request from the ARC Chair), in line with the annual review requirements of the policies.
23. In addition to the annual review of policies, as requested by the RCC, there will be quarterly reporting to the RCC on compliance with the Postmaster policies.
24. Following approval of the policy guide, Post Office will ensure that:
   • the guide is published to postmasters in line with the re-issue of the Postmaster Support Guide.
   • the guide is made available for postmasters to access online.
   • the guide will be reviewed annually in line with policy approvals beginning April 2022.
Appendices
1. Postmaster Complaint Handling Policy
2. Network Transaction Corrections Policy
3. Network Cash and Stock Management Policy
4. Postmaster Termination Decision Review Policy
5. Postmaster Onboarding Policy
6. Postmaster Training Policy
7. Postmaster Guide to Policies
8. Postmaster Complaint Handling Process
9. Postmaster Issue and Complaints Dashboard Template
10. Transaction Correction Issuing Process
11. Operational Controls Self-Assessment
Tab 3 Whistleblowing Policy Review
Title: Whistleblowing Policy Review & Report
Meeting Date: 30 March 2021
Author: Sally Smith, Money Laundering Reporting Officer & Head of Financial Crime
Ben Foat, Group General Counsel
Input Sought: Discussion & Approval
The Committee is asked to:
- review and discuss the whistleblowing review and its conclusions as part of its role in
monitoring the adequacy and effectiveness of the Group’s whistleblowing systems and
controls; and
- approve the proposed amendments to the whistleblowing policy¹ and the appointment of
the Whistleblowing Champion.
Previous Governance Oversight
Annual Whistleblowing report and policy review July 2020. These proposed policy amends and
the accompanying report were approved at POL Risk & Compliance Committee on 16 March
2021.
Executive Summary
Post Office is able to demonstrate that it has good policies and procedures in place which have
been followed. Post Office's Whistleblowing Team have reviewed past whistleblowing reports
for evidence of subsequent ‘detriment’ to the reporters which found no evidence of ‘detriment’.
As a result of the review of whistleblowing policy, processes and culture, there are a number of
recommended enhancements to improve and mature these areas, including the creation of a
Non-Executive Board Director Whistleblowing Champion.
¹ The revised Whistleblowing Policy (clean and track changed) is available in the Reading Room.
Questions addressed
1. Are the current whistleblowing arrangements adequate in light of the GLO and the Public Inquiry?
2. Is there any evidence of detriment to whistleblower reporters or subjects?
3. What improvements are required to enable anyone who is aware of, or suspects, wrongdoing which affects others (e.g. Postmasters, customers, members of the public, colleagues or the Post Office) to raise their concerns and be confident that those concerns will be acted upon?
Report
4. A number of improvements have been implemented since 2017. These include:
   • Enhancing Post Office policy and procedures, including attendance by the whistleblowing team at industry forums to learn best practice
   • Raising awareness through communications and posters (which in turn has led to an increase in reports received)
   • Developing monthly MI and providing it to key stakeholders
   • Regular reporting to RCC and ARC, including an annual whistleblowing report which summarises all whistleblowing reports received over the previous 12 months, compared to the prior 12 months. This report also details any issues or outcomes, together with key activities delivered to drive reporting
   However, it was recognised that more could be done to improve the maturity of the Post Office approach and, as part of the review of this, Post Office approached Protect (the UK whistleblowing charity) for support. This has included a self-assessment and industry benchmarking of the regulatory requirements, current industry best practice and Protect’s Code of Practice on effective whistleblowing arrangements, and a training workshop which was attended by some GE members and senior managers.
5. A review of high-level summaries of the 163 whistleblowing reports and investigations received since 2013 was undertaken by Post Office to identify if there was any evidence of ‘detriment’ to reporters and specifically Postmasters. These cases were also considered, at a high level, for conformance to Post Office’s obligations arising from the Common Issues Judgment (CIJ) from the GLO. The review is summarised in Appendix 1, which shows 103 cases where no detriment was suffered by the whistleblowing reporter, the subject or anyone associated with the report, and 15 cases which show acts which could be argued to be detriment to the subject of the report, but which were considered by Post Office to be justified in the circumstances.
6. The monthly MI pack produced on whistleblowing has been updated to provide more granular data on issues that are raised by or about Postmasters.
7. As part of the work reviewing Postmaster complaints and issues handling, a review has also been undertaken to ensure that there is sufficient understanding across teams that interact with and capture those complaints and issues, so that any that are in fact whistleblowing reports are passed to the Whistleblowing Team and investigated and resolved in accordance with the whistleblowing policy.
8. and as part of the work with Protect a review was undertaken of the oversight, governance and resourcing for whistleblowing. It is agreed that we should have a dedicated Whistleblowing Manager within the Compliance Team to manage whistleblowing but also to assist in the conduct of investigations. External recruitment for this role is nearing completion and it is hoped to have this in place for end April/early May. In addition, an approach was made to the ARC Chair to discuss creating a Whistleblowing Champion at Non-Executive Director level, following which Zarin Patel has been asked to fulfil this role, and has agreed, subject to ARC approval.
9. Following migration of the external speak up line and website to the new Navex Global EthicsPoint platform, call enhancements have been implemented to include an IVM that is specific to Post Office and provides reassurance to callers as below:
   “Thank you for calling the Post Office Whistleblowing Speak Up line. Post Office is committed to ethical behaviour in all our business dealings and your call and any related reports will be treated confidentially and respectfully to the extent legally permissible. Protecting our colleagues, Postmasters and customers is the number one priority for Post Office, and this includes protecting those that raise concerns. To maximize confidentiality, this Speak Up line is operated by NAVEX Global, an unaffiliated, third-party service provider.”
10. To address the lack of formal training, a new module has been developed in Success Factors and is currently being undertaken by all employees for completion by 1st April 2020, together with a number of planned communications for employees and Postmasters to raise awareness.
Self-assessment and benchmarking
11. The outcome of the Protect self-assessment and industry benchmarking was in line with expectations, given that the benchmark is modelled around best practice and the bar is deliberately set very high.
12. Post Office achieved a score of 86% for its written policy and procedures and there were no specific recommendations, indicating that the basic foundations put Post Office in a good place to improve.
13. It was in the areas of training, engagement and communications that further work was identified.
14. The need for formal training and awareness in Post Office had already been recognised, with budget to develop a training module included in 2020/21.
15. The table below shows the overall performance of Post Office v. organisations with a comparable number of employees and also within the financial services sector, which has a more mature approach to whistleblowing, given the additional regulatory obligations for this sector (see Appendix 2 for scores within these overall areas):

   Area | Post Office | Comparators
   Governance | 72% | 6
   Engagement | 24% | 39%
   Operations | 36% | 55%
   Total | 48% | 60%

   It should be noted that nearly all organisations come out very poorly for Engagement the first time they do self-assessment — this is because the main resolution for this area is training, which is generally costly and most often not seen as a priority. Usually selected people and teams have some form of training, but not enough and not company-wide. Also, there is a heavy score weighting for Line Manager training, and this is an area that Post Office was unable to demonstrate.
   Organisations also tend to score poorly in the area of Operations and there are a number of factors here:
      ◦ Whistleblowing process maturity tends to reflect the cases organisations have had to deal with - if an organisation has not had any cases that are material/significant, or had whistleblowing reporter claims of detriment, then they are less likely to have matured their processes.
      ◦ Included in this area are questions about seeking feedback from whistleblowers about their experiences or doing ‘tests’ or ‘stress tests’ of the whistleblowing processes — most organisations do not do this, but it is best practice.
   A number of organisations re-run the self-assessment and benchmarking exercise annually to help them demonstrate continuous improvement as part of their Board reporting, which means the benchmark is continually rising as organisations improve. We will re-run the self-assessment in June 2020 (and annually thereafter) following the implementation of planned enhancements to show how Post Office is building on its improvements.
Whistleblowing Policy Review
16. In addition to further enhancements suggested by the Protect self-assessment work and
17. The policy has been amended to reflect the following new roles and governance oversight:
   • The creation of a Non-Executive Director Whistleblowing Champion to oversee that:
      ◦ A ‘whistleblowing culture’ is promoted across Post Office, ensuring employees are genuinely encouraged to speak openly and honestly about their concerns and misgivings
      ◦ The current arrangements are always challenged and assessed for areas of continuous improvement
      ◦ Barriers to speaking up are uncovered and addressed
      ◦ The whistleblowing team, senior managers and leaders receive training on the importance of whistleblower support
      ◦ Root cause analysis is undertaken for all cases and issues, so that continual improvements can be made in the relevant areas
   • The creation of a new dedicated Whistleblowing Manager to manage whistleblowing processes and investigations, triaging reports and assigning them to investigating managers, completing root cause analysis and ensuring any corrective controls are implemented, and designing and delivering a programme of training and awareness
18. A number of amendments and additions have been made to reflect best practice, enhance the policy and help encourage reporting. These include:
   • Removal of some duplication and clarifying the definition of whistleblowing, the investigations process and the treatment of reporters
   • Providing more information to reporters (e.g. other external advice available)
   • Clarification of some of the definitions used in the policy
   • Clarification that reporters do not need to provide evidence, and of the different reporting types along with the benefits and disadvantages of open/confidential/anonymous reporting
   • A new minimum control standard for line managers
   • A new minimum control standard for checking that whistleblowers feel supported
Conclusions and Recommendations
19. Post Office has a good policy and reports received have been managed in accordance with that policy, although clearly further work on engagement, including training, together with operational improvements is needed and is being quickly remediated. Whilst the policy and process were intended to cover employees and the protections afforded them under the law, reports have historically been received from postmasters, their teams, customers and the general public, and these reports have always been investigated and managed under the whistleblowing policy. Improvements to communications and awareness have been made in recent years, but the lack of training for all employees and, in particular, line managers needs addressing.
20. The work with Protect has highlighted that whistleblowing process maturity tends to reflect the cases organisations have had to deal with. To date, Post Office has not had any material reports, or found evidence of significant or material (or disclosable) wrongdoing through the whistleblowing channel. By quickly implementing the recommendations within this report, management believes that it would put Post Office in a good place.
21. Prior to the Protect self-assessment, it had been recognised that a training and communications programme was required in 2020/21 and this was budgeted for, although this was hampered by Covid, and the loss of the role supporting this work in November 2020.
22. The following lists key recommended activities to be delivered in 2021/22 (see Appendix 3 for full actions and timescales):
   • Continue to work with Protect to identify improvements and enhancements
   • Provide the monthly whistleblowing MI pack to all GE members to ensure visibility
   • Quarterly meetings with the Whistleblowing Champion to review cases and activities, together with monthly meetings with the postmaster and customer complaints teams to ensure that complaints or issues they receive that are in fact whistleblowing are appropriately identified and investigated
   • Work with the People Function and L&D to enhance on-boarding and line manager training relating to whistleblowing
   • Review and update the Whistleblowing Team’s procedures, including those relating to the whistleblower and mechanisms to obtain feedback from whistleblowers
   • A programme of continual communication and awareness, including refreshing posters for office locations as staff return to work locations following Covid
   • Update Settlement Agreements to remove potential ambiguity
   • The Protect self-assessment benchmarking should be undertaken again in June 2021 and annually thereafter to test and demonstrate improvements achieved from planned activities
Appendix 1 - Whistleblowing Report Review
Number of Whistlebloi
ig Records Reviewed (From 25/04/2013 to 25/01/2021)
REVIEW FOR DETRIMENT
163
Number of cases ongoing (no apparent detriment and no CI) breaches identified in investigation of complaint to date).
6
Number of historic cases where information is insufficient for assessment 9
These predate whistleblowing falling under the remit of the Financial Crime Team. The most recent record is 23.09.2017
Number of Whistieblowing Reports NOT within Scope of the Whistleblowing Policy 30
+ Employment matters between Postmaster and the Postmaster’s employees: 5
+ Properly dealt with outside of Whistleblowing channels e.g. dignity at work: 11
+ Properly referred to external organisations such as RMG: 5
+ Other cases which did not meet WB criteria (These cases are quite varied but include for example, PMs are calling for advice from the
Security team; a report raised by a known individual harassing branch staff, and errors/mistakes relating to applications for hardship
grants): 9
Number of Whistleblowing Reports WITHIN scope of the Whistleblowing Policy 118
No detriment suffered by the Reporter, the Subject or anyone associated with the Report: 103, including
6 cases where inadequacies with POL's policies and procedures alleged but where no specific detriment to an individual identified
(for example, two complaints related to the same alleged incident of sexual harassment which took place outside of POL
premises. The reporters were not the victim of the alleged incident; one of the POL managers was present at the time and the
reporters were concerned that the manager didn't take any action/ provide support when the alleged victim returned to work. HR
could not investigate any further due to lack of information).
1 case where reporter withdrew complaint due to 5]
by the Subject of the WB report. Legal advised the
HHI The POL employee who was due to investigate the WB disclosure left the business without informing the WB team which
caused delays. The WB team did contact the Reporter to encourage them to pursue the case, but did not receive any response.
Detriment suffered by the Subject, with Detriment justified based upon evidence and rationale: 15
12 cases where PMs have been suspended and/or terminated due to ongoing operational issues.
2 cases where the agent assistant/clerk was dismissed by the PM for suspected/admitted theft.
1 case where there were formal consequences for the Branch Manager, which were justified upon investigation. In addition, in this case,
the Subject was said to have obtained copies of witness statements which, had the WB disclosure not been made anonymously,
could have compromised the Reporter's identity. Enquiries were made but were not able to determine how or if the witness
statements had been shared with the Subject.
CIJ CONFORMANCE REVIEW
CIJ Issues NOT relevant
142,
Tab 3 Whistleblowing Policy Review
CIJ Issues ARE relevant: 24 (including 1 case still ongoing)
Dealt with in a CIJ conformant manner: 12 (including 1 case still ongoing)
Not dealt with in a CIJ conformant manner: 9 - While the suspensions appear to be justified by the circumstances, the PMs were
suspended without pay (this predates the CIJ). This is being separately considered by the Historical Matters Unit and will be
remediated as appropriate.
Appendix 2 — Protect Review Recommendations
Section Score
Accountability 61%
Written Policy and Procedures 86%
Review and Reporting 59%
Total 12%
Accountability - 61% Considers the roles different individuals have and their engagement
with the whistleblowing arrangements. Clear accountability structures will help staff better
understand their roles in relation to the whistleblowing arrangements. Active engagement from
senior leaders may improve staff trust and confidence in your whistleblowing arrangements.
Recommendation - You have a good score in this area. In order to improve on this score in line
with best practice, you need to show how senior leaders within your organisation engage with
the whistleblowing arrangements and actively demonstrate a commitment to workers raising
concerns without fear of reprisal. You also need to ensure that designated personnel (for
example the whistleblowing champion and team) clearly understand their roles and
responsibilities.
Written Policy & Procedures - 86% A well drafted whistleblowing policy helps to provide
staff with a clear understanding of what whistleblowing is and the processes by which an
individual can raise and/or escalate a concern. It will also provide staff with assurances about
victimisation and confidentiality.
Recommendation - You have achieved a good score in this area and there are no specific
recommendations at this stage.
Review & Reporting - 59% Considers the processes by which you review and report on
whistleblowing arrangements. Conducting reviews enables organisations to practically see
whether whistleblowing arrangements are effective in practice and action learning points.
Recommendation - You have achieved a good score in this area, but additional work should be
considered to strengthen governance. When reviewing the arrangements, recommendations
should be assigned ownership with a timeline for completion. Serious concerns raised and
positive outcomes from whistleblowing cases should be reported to the Board. These should be
redacted in order to protect the identity of the whistleblower. You could consider incorporating
an overview of management information on whistleblowing in published data e.g. annual
reports.
Section Score
Communications 30%
Training 8%
Total 24%
Communications - 30% Engaging regularly with staff is essential to building a strong speak
up culture. Staff will not have confidence in whistleblowing arrangements if they are not aware
of them.
Recommendation - This section requires improvement. We recommend that you review your
communications materials to ensure that you engage with different staff groups and cultures.
Messages encouraging staff to raise concerns might be included in various media such as
posters and staff training. Finally, think about how you test staff awareness and confidence in
the whistleblowing arrangements (for example by using staff surveys, focus groups and exit
interviews).
Training — 8% Clear and detailed training on whistleblowing provides your workforce with a
good understanding of arrangements. Training can help embed the importance of
whistleblowing and key policy messages.
Recommendation - This section requires improvement. We recommend that staff, designated
managers and line managers receive in-depth training on whistleblowing. In most
circumstances line managers or named designated contacts are the first people to receive a
whistleblowing concern. Accordingly, line managers should receive appropriate training in order
to accurately identify concerns and effectively handle the individual raising the concern. This
minimises the likelihood that concerns will be escalated further and helps make best use of
your resources. You may wish to review how you provide training to your workforce (e.g.
instructor-led or e-learning).
Section Score
Support and Protection 41%
Recording and Investigations 56%
Resolution and Feedback 18%
Total 36%
Support & Protection — 41% Considers internal processes in place for supporting and
protecting staff who raise whistleblowing concerns. Implementing effective processes for
managing confidentiality and victimisation will help to ensure staff are appropriately supported
and protected when they raise concerns. Implementing clear policy messaging and protocols
for supporting and protecting staff who raise concerns is essential.
Recommendation - This section requires improvement. We recommend that you operate
multiple support networks within your organisation to enable whistleblowers to seek support
when raising concerns (such as whistleblowing advocates, trade unions and Employee
Assistance Programs). Consider how you ensure that confidentiality is maintained throughout
the whistleblowing process. You should ensure the risk of victimisation is considered in each
whistleblowing case and that appropriate safeguards are put in place to prevent this. Finally,
you should ensure that any settlement agreement that you have with staff clearly states that
nothing in the agreement prevents staff from making a whistleblowing disclosure.
Recording & Investigations — 56% This section considers the processes by which you record
and investigate concerns. Having clear processes and principles for recording and investigating
concerns will help to ensure consistency in handling a whistleblower.
Recommendation - You have achieved a good score in this area. We recommend that you
periodically review management information to ensure consistency of processes in recording
concerns. You should ensure that investigation guidance is clear on the key principles that are
to be followed when whistleblowing concerns are investigated (such as confidentiality,
competence and independence). You should ensure that an independent internal function
conducts periodic reviews of your investigations, to ensure that the principles have been
followed.
Resolution & Feedback — 18% This looks at your processes for resolving concerns and how
you provide feedback to, and receive feedback from, whistleblowers. Clear processes on feedback after
the investigation will help give your staff confidence that their concerns have been addressed.
Recommendation - This section requires improvement. We recommend that you implement
standard processes for resolving any substantiated concerns. Where possible ensure that you
provide feedback to whistleblowers on the outcome of concerns that are raised (subject to
limitations imposed by confidentiality). Consider how you seek feedback from whistleblowers
at the end of the process and use this information to improve your arrangements.
Appendix 3 — Whistleblowing Action Timetable

Action | By when | Status
Protect training workshop | January | Complete
Review how complaints are captured by various back office teams and enhance procedures to correctly triage potential whistleblowing complaints and pass to whistleblowing team | February | Complete
Design and deliver employee survey via One Comm (440 responses fed into Protect self-assessment) | February | Complete
Enhanced Whistleblowing monthly MI to provide more granular detail about Postmaster/agent assistant reports | February | Complete
Protect self-assessment and benchmarking | February | Complete
Review all historic whistleblowing reports | February | Complete
Whistleblowing Manager role designed, approved and advertised | February | Complete
Whistleblowing Champion role approved in principle | February | Complete
Navex Global Speak Up Line - call enhancements to include IVM that is specific to Post Office and provides reassurance to callers | February | Complete
Review and update Whistleblowing Policy | March | Complete
Determine whether there is any evidence of detriment to whistleblower reporters or subjects | March | In progress
RCC and ARC whistleblowing approach and policy approval | March | Pending
Interviews for new Whistleblowing Manager role and recruitment | End April | In progress
Design and deliver new employee Success Factors whistleblowing training module | 1 April | In progress
Design and deliver new Team Talk whistleblowing training module for DMB staff and Supply Chain (non-Success Factor users) | 15 April | Complete
Design and deliver postmaster whistleblowing awareness communications | April | In progress
Establish monthly meetings with the postmaster and customer complaints teams to review complaints or issues | April |
Training and induction for Whistleblowing Manager | May |
Design a programme of continual communication and awareness | May |
Establish quarterly meetings with Whistleblowing Champion | May |
Design and deliver employee survey via One Comm | May |
Review and update all whistleblowing processes and guidelines | May |
Re-run Protect self-assessment benchmarking | June |
Annual whistleblowing report to RCC and ARC | July |
Enhance on-boarding and line manager training relating to whistleblowing | July |
Refresh and deliver new whistleblowing posters to all Post Office back office locations and DMBs | July (dependent on Covid) |
Tab 4.1 Minutes (26 January 2021 & 26 February 2021)
MINUTES OF A MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF
POST OFFICE LIMITED HELD ON TUESDAY 26 JANUARY 2021 AT 20 FINSBURY
STREET, LONDON EC2Y 9AQ AT 08.30AM (VIA CONFERENCE CALL)*
Present:
Carla Stent (Chair)
Ken McCall (SID) (KM)
Tom Cooper (NED, UKGI) (TC)
Zarin Patel (NED) (ZP) (to 10:00am only)

Regular Attendees:
Tim Parker (Chairman, POL) (TP)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group CFO) (AC)
Ben Foat (Group General Counsel) (BF)
Andrew Paynter (Audit Partner, PwC) (AP)
Sarah Allen (Senior Manager, PwC) (SA)
Rosie Clifton (Senior Manager, PwC) (RC)
Johann Appel (Head of Internal Audit) (JA)
Mark Baldock (Head of Risk) (MB)
Jonathan Hill (Compliance Director) (JH)
Rebecca Whibley (Senior Assistant Company Secretary) (RW)
Hugo Sharp (Deloitte Partner) (HS)

Invited Attendees:
Sam Banks (Analyst, Independent Audit): Observer
Richard Sheath (Partner, Independent Audit): Observer
Sally Smith (Money Laundering Reporting Officer & Head of Financial Crime): Item 5 (SS)
Ian Holloway (Director of Risk & Compliance, Post Office Insurance): Item 6 (IH)
Tom Lee (Head of Finance, Financial Accounting and Controls): Item 7 (TL)
Christine Kirby (Financial Controls Manager): Item 7 (CK)
Andy Jamieson (Head of Tax): Item 8
Amanda Jones (Retail & Franchise Network Director): Items 9 & 10 (AJ)
Tim Perkins (Service and Support Optimisation Director): Items 9 & 10 (TP)
Declan Salter (GLO Director): Item 11 (DS)
Graham Hemingway (Historical Matters Portfolio Lead): Item 11 (GH)
Tony Jowett (Chief Information Security Officer): Item 12 (TJ)

Apologies:
Zarin Patel (from 10:00 onwards)
1. Welcome and Conflicts of Interest
1.1 A quorum being present, the Chair opened the meeting and noted that
participation was solely by conference call given the current
Government guidance on home working. However, given the
requirements of the Company's Articles of Association, the location of
the meeting was agreed to be the Company's Registered Office.
1.2 The Directors declared that they had no new conflicts of interest in the
matters to be considered at the meeting in accordance with the
requirements of section 177 of the Companies Act 2006 and the
Company's Articles of Association.

* Participation in the meeting was entirely via Microsoft Teams from participants' personal addresses. In such
circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be
deemed as the chair's location. However, it was not deemed appropriate to record personal addresses on the
Company record. As such, the Registered Office is recorded as the meeting location.
2. Policies: Investigations Policy
Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. The following points were discussed:
- The existing policy had not been used for some time and as such,
the policy has been completely overhauled, following an industry
approach.
- The policy sets out minimum standards for how Post Office will
conduct investigations wherever they might take place in the
business to ensure a consistent approach, building on comments
in Fraser J’s judgment.
- The Chair noted that an issue that was made clear from the
Group Litigation Order (GLO) was the attitude of the investigator.
Whilst issues like the duty of good faith would only apply in the
Post Office/Postmaster relationship (not commercial
relationships), it was agreed that the attitude of the investigator
should be addressed in the policy.
- It was also noted that matters such as the independence of the
investigator and the level of expertise needed should also be
clear in the policy. It was explained that the policy was simply a
framework and other policies were still relevant such as Conflicts
of Interest. Nonetheless, it was agreed that these matters should
be made clear in the policy, including references to other policies
as appropriate.
- Ken McCall questioned whether the policy considers service level
agreements (SLAs) with Postmasters and Board/Committee
review of the relevant metrics in this regard. Ben Foat explained
that such matters were for specific Postmaster policies and this
policy was very much a minimum standards framework.
- Ken McCall was also concerned about the accessibility of the
policy, particularly for Postmasters, and how the policy would be
rolled out. It was explained that this was an internal policy, rather
than Postmaster facing. Nonetheless Compliance was developing
a one to two page summary to make the policy more accessible
as well as engaging with relevant Policy Owners to ensure they
understand the requirements and can evidence compliance.
- Tom Cooper requested that the policy also be externally
reviewed.
Accordingly, the Committee APPROVED the Investigations Policy,
subject to:
i. The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent
and have the appropriate expertise; and appropriate
references to other relevant policies; and
ii. The policy being externally reviewed, and the results of this
review being considered and included as appropriate.
(ACTION: BF)
3. Previous Meetings
3.1 The minutes of the meeting of the Audit and Risk Committee held on
24 November 2020 were APPROVED and AUTHORISED for signature
by the Chair.
3.2 Progress against the completion of actions as shown on the action log
was NOTED.
Action 1 from 27 July 2020 (para 4) Pensions Assurance: See update
to action 5 from 22 September 2020 below. Quantification to be known
in March 2021 and an update to be provided to the Audit, Risk &
Compliance Committee (ARC) or Board as required at this point. An
update paper was also presented to the Committee for noting (see para
14 below). The action remained open.
Action 2 from 27 July 2020 (para 6) Update from Subsidiaries: The
Master Services Agreement and Master Distribution Agreement
amendments were executed by both parties on 5 January 2021 via
Web3. The action was closed.
Action 3 from 22 September 2020 (para 4.1) Risk Appetite Statements:
Legal and Compliance Risk Appetite Statement paper was presented to
the Committee for noting (to be approved at a later date) (see para
4.2). Further statements were in train including IT (with Jeff Smyth,
Group Chief Information Officer) and Operations (Postmasters) (with
Amanda Jones, Retail and Franchise Network Director). There was
further discussion regarding prioritisation during the meeting, see para
4.2 below. The action remained open.
Action 4 from 22 September 2020 (para 5.5) SuccessFactors: This
action was addressed by a noting paper presented to the Committee (see
para 14). The action was closed.
Action 5 from 22 September 2020 (para 6.4) Pension Assurance: The
quantum is likely to be known in March 2021 following analysis and
review by the Trustee. The approach to correcting the members
benefits including any proposed clawback will be discussed by the
Trustee and Post Office following the Trustee Board meeting on 23
March 2021. The intention was to engage early with the Trustee to
ensure Post Office’s preferred approach was known. A further update
was to be provided to the ARC or Board as required in March 2021. An
update paper was also presented to the Committee for noting (see para
14 below). The action remained open.
Action 6 from 22 September 2020 (para 7.3) Suspense Accounts: An
update paper was provided to the Committee (see para 9). The action
was closed.
Note: Action 7 in the papers was a duplicate of Action 2 above (due to
copy and paste error).
Action 8 from 24 November 2020 (para 3.1) Risk Dashboard: At this
point the Risk team was not in position to provide system-aggregated
Dashboards as it was finalising the risk management transition from
RSA Archer to ServiceNow (IRMPro). This had just been completed. A
refreshed set of GRC risk reports in line with ARC requirements was to
be presented to ARC in March 2021. The action remained open.
Action 9 from 24 November 2020 (para 3.2) Risk Policy (Legal &
Compliance Risk Appetite): The Legal & Compliance Risk Appetite paper
has been developed and has been shared with the Chair. However, this
is still a work in progress and as such, the Committee was not asked to
approve the Risk Appetite statement at its January meeting.
Accordingly, the Committee may discuss and feedback as required in
the meeting. The further iteration was to be shared with the Committee
prior to its next meeting if so required. (See para 4.2 below). The action
remained open.
Action 10 from 24 November 2020 (para 3.2) Risk Policy (Risk
Management Responsibilities): See para 4.1 where the ARC has
approved the division of risk management responsibility between the
ARC and Board. The action was closed.
Action 11 from 24 November 2020 (para 3.2) Risk Policy (Approval
subject to amendments): Risk Policy scope was amended as required
and the Board approved the final policy in January 2021. The action
was closed.
Action 12 from 24 November 2020 (para 3.2) Risk Policy (Page
Numbers and Policy Paper): Page numbers were viewable on the tabs
created by Diligent Boardbooks, this included the page range for each
section. The policies before the Committee in January 2021 are to be
approved by parallel Written Resolution included as either a track
changes version (where changes are minor) or the existing policy
(where the changes are more substantial i.e. a complete re-write). The
action was closed.
Action 13 from 24 November 2020 (para 3.4) Internal Audit (Data
Privacy (Document Retention)): A revised action was agreed, and the
completion date re-stated to 31 March 2021. This was to be tracked
through the usual process and reported back to the ARC. The action
was closed.
Action 14 from 24 November 2020 (para 3.4) Internal Audit (Deep
Dives): Deep dive audits to be added to IA plan as follows: Financial
Crime Q4 FY21, Loss Prevention FY22 tbc, Compliance Function FY22
tbc and Risk Management Framework FY22 tbc. The action was closed.
Action 15 from 24 November 2020 (para 4.3) Suspense Accounts: All
elements have been completed and the report was approved by the
Board for publication. The action was closed.
Action 16 from 24 November 2020 (para 7.1) Post Office Insurance
Travel Refund Complaints: A memo in response to this action was
provided to the Committee via email on 4 January 2021. The memo
was also available in the Reading Room. The action was closed.
Action 17 from 24 November 2020 (para 9.1) Historical Matters Unit
(RACI Matrix): Discussions concerning UK Government Investments
(UKGI)/Department of Business, Energy & Industrial Strategy (BEIS)
involvement in Historical Shortfall Scheme (HSS) approvals, which
directly affects the operation of the schemes, have continued during
December and were expected to be finalised during January. A verbal
update was provided to the ARC (see para 11 below). Further update
will be provided in March 2021. The action remained open.
Action 18 from 24 November 2020
Action 20 from 24 November 2020 (para 10.1) Payzone Risk Report:
Capita have confirmed to PipIT that they need to stop using Post Office
branches and find another method. PipIT have asked if they can have
two weeks to sort out a new provider which Post Office/Payzone has
agreed to and the proposal was for PipIT to stop using Post Office by
31 January 2021. (Note: PipIT is the gateway for Zeepay, Glow remit
etc. If PipIT stop using Post Office branches, then the others will also
be stopped). A further update will be provided when it is confirmed
PipIT have stopped using Post Office. The action remained open.
Action 21 from 24 November 2020 (para 12.1) Deep dive:
Transformation Office Change Update 2020: Dan Zinner and Saira
Burwood met with Tom Cooper on 15 January 2021 to discuss the action
regarding metrics on Change controls. Mark Baldock also joined the
meeting as he was transitioning all the controls into a new tool
(ServiceNow) which would then be able to provide a suite of reports on
the controls. These reports and dashboards would be provided to ARC
on a regular basis once ServiceNow transition was complete and Mark
agreed to give Tom early sight of these when available. The action was
closed.
3.3 The draft minutes of the Risk and Compliance Committee held on 12
January 2021 were NOTED.
4. Risk, Compliance and Internal Audit Updates
4.1 Risk Update
Mark Baldock introduced the paper, which had been circulated
previously and was taken as read. The key points were summarised as
follows:
- Governance, Risk & Compliance (GRC) tool (move from Archer
to ServiceNow): Phase 1 was now complete with 520 risks
moved; the system was now live in the central risk team
and Archer had been decommissioned. Work had now started on
phase 2, which was rolling out the risk capability to the business
and migrating controls for IT, Finance and the Portfolio Office,
which would allow formal links of the controls to the risks.
- Key Risks:
o Commercial: There has been a long standing risk around
the Master Distribution Agreement (MDA) with Royal Mail,
however this has reduced due to the signing of MDA2.
However, the team was still speaking to business to
ensure the score was correct and consider whether more
mitigation was required. A further risk noted was adverse
trading due to macroeconomic environment.
o Operational: Postmaster risks were already articulated,
but further work was to be carried out, as well as
considering whether other risks had an impact on
Postmasters. The Chair noted a discussion in the Internal
Audit meeting that morning about how to implement
controls around Postmaster risks and how to validate GLO
initiatives. Mark Baldock was asked to pick this up with
Jonathan Hill with an update to be provided at the March
meeting. (ACTION: MB) Multiple partner fragility was also noted as a key
operational risk due to the economic threats to the high
street.
o People: There were long standing risks about work life
balance and work pressures on colleagues, which had been
exacerbated recently given the greater degree of
uncertainty about easing of lockdowns. Much was being
done by management, however there was a concern that
some colleagues may suffer from burnout. Zarin Patel
questioned how this might affect work being done in the
risk and control environment. Nick Read explained that the
risk and need for improved engagement in the current
lockdown was recognised and Lisa Cherry (Group Chief
People Officer) and Richard Taylor (Group Corporate
Affairs, Brand and Communications Director) were
working through the engagement strategy.
- Risk management by the Board & ARC: Recognising that there
was a need to clearly differentiate where risk was managed, it
was recommended that:
o the Board should provide oversight of (and direction on)
management of the key strategic business risks that could
threaten the delivery of the Post Office's strategic
objectives, including setting the risk appetite and focus on
key risks.
o ARC should support the Board and consider what needs to
be referred to the Board. Otherwise, it should focus on
audit and compliance risks and controls.
The Committee made it clear that the ARC should get an overall
picture of risks, with material commercial, strategic and
reputational risks escalated for Board consideration.
Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around
"insufficient" funding, which should reflect the risk of uncertainty about
funding;
- Paragraph 25 relating to the risk of prolonged industrial action, as
this should refer to pace of response rather than the risk of
material long term industrial action; and
- Paragraph 27 relating to adverse external economic factors,
noting that much of this was outside Post Office's control and
that some elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with
Ken McCall and provide an update for the next Committee meeting.
(ACTION: MB)
The Committee NOTED the current status of key risks and GRC
implementation and APPROVED the proposals on the role of the Board
and ARC with respect to oversight of Post Office risk management as
set out in paragraph 31 of the paper.
4.2 Risk Appetite Statement: Legal & Compliance
Ben Foat introduced the paper, which had been circulated previously
and was taken as read. It was summarised as follows:
- This is a noting paper for the direction of travel for the risk
appetite statement for Legal and Regulatory risks across the
business and as such, the business needed to be comfortable
with the appetites.
- There were six statements and risks have been split into
statutory and regulatory.
- There were three areas which were adverse to appetite:
competition, Anti-Money Laundering(AML) and pensions.
- The paper was a living document and would change over time.
The next steps were to ensure there were Key Risk Indicators
(KRIs) in place and then operationalise, with engagement with
the 1st line of defence.
The Committee discussed the following points:
- Ken McCall questioned why the risk rating for competition was
adverse. Ben Foat explained that this was due to the
consequences of the risk being so severe as well as Post Office's
dominant mails position and being number two or three in the
bill payments market. There were no specific breaches or
incidents, but the controls were not considered sufficient.
Competition law was not well understood in the business and
needed to be such that it was in the minds of colleagues engaging
with other market players. As such, training by Pinsent Masons
was being arranged. It was requested that Ben Foat consider the
wording of paragraph 14 relating to "breaching tolerance" as, in
fact, it was more about needing stronger controls. (ACTION: BF)
- Tom Cooper highlighted that Pick Up Drop Off (PUDO) was a
competition risk given the investment being made in the Express
Post Office proposition and noted an argument could be made
about state aid. This was to be considered and, if appropriate,
added to the paper. (ACTION: BF)
- The Chair noted that the risk relating to Post Office being in a
less competitive position due to new legislation or regulation was
really a commercial risk. This should be corrected in the paper. (ACTION: BF)
- Following a question from the Chair, it was explained that whilst
AML risk was rated red, the financial crime risk was rated green
as AML was a subset of financial crime where there had been
some specific breaches.
The Chair noted the extensive work that had gone into the paper and
questioned whether, given the resourcing pressures, it was better to
work on KRIs to trigger a red/amber/green rating. The Committee
agreed but noted that Legal and Compliance and Postmaster related
activity were important areas in which to have risk appetite statements.
There was also a suggestion that areas that were less under pressure
in the short term could also be considered (such as finance). As such,
Mark Baldock was asked to look at identifying the KRIs for Postmasters
with the Network team and consider working on statements for one or
two other areas for update at the March Committee meeting (in the
usual Risk Paper). (ACTION: MB)
Otherwise, the Committee NOTED the draft corporate Legal &
Compliance Risk Appetite Statements which will be shared with the
Senior Leadership Team so that these can be further refined and
assessed within the business in commercial decision making.
Compliance Update
Jonathan Hill introduced the paper, which had been circulated
previously and was taken as read. It was summarised as follows:
- Controls Framework: Work was being undertaken with the
Historical Matters Unit (HMU) to ensure the correct controls were
embedded into the relevant areas, so as to meet obligations
arising from the Common Issue Judgment (CIJ), Horizon Issue
Judgment (HIJ) and the stamps review. There was an existing
controls framework in Finance and IT (although the latter was
being overhauled), but there was no consistent approach across
the rest of the business. This was what the Framework was to
provide, such that the business could self-assess controls with
assurance provided by Compliance. Ken McCall noted that the
report outlined that there had been changes to the Postmaster
Onboarding process and questioned whether this meant the
onboarding process was quicker. Jonathan Hill was asked to
confirm this point for update at the next meeting. This area was
ultimately owned by Dan Zinner, Group Chief Operating Officer,
but supported by Amanda Jones (Retail and Franchise Network
Director), Finance and Legal. Nick Read highlighted that
recruitment of the Postmaster Director and the Customer
Experience Director was critical but would require careful
recruitment criteria.
In response to questions from Ken McCall raising concerns about
the wording of this section in the report (paragraph 11), it was
confirmed that it was the mapping of processes for activities
addressing the CIJ that had no consistent approach, rather than
the controls themselves. Key was evidence of controls and a
consistency of approach. The HMU team was working with the
relevant business areas to address this. However, the Chair
asked Jonathan Hill to further consider before the next meeting
any underlying issues (not just related to mapping), what
controls were in place and whether or not they were appropriate.
Zarin Patel also requested that the Committee have sight of the
KPMG review of the HIJ when this was ready, noting that there
were a lot of papers regarding Postmasters before the Committee
and the Board and therefore questioned whether the issue was
under control. Al Cameron explained that much work had been
done to ensure legal compliance with the judgment, but work
was on-going and KPMG and Deloitte were likely to raise issues
that had not yet been considered. As such the controls
framework was very important and must be sustainable.
ACTION: JH
ACTION: JH
ACTION: JH
- Data: The site review was now coming to an end and the main
focus was now on disclosures required for 5 February 2021. So
far, nothing had been found in the reviews that had not already
been disclosed. However, work was on-going.
- Cookies: Previous direction was that Post Office should look to
be in the “middle of the pack” when it comes to cookies. The
recent decision in France against Google and Amazon Europe was
noted and it was explained that typically (pre-Brexit), the
Information Commissioner's Office (ICO) aligned with Europe. As
such, the Digital and Compliance teams were looking at the
commercial impact of tightening the approach to cookies, with a
view to still remaining in the “middle of the pack.” The Chair
requested that the team carefully consider appropriate
benchmarking in a post Brexit world.
- Fire Risk Assessments: The Committee requested to be kept up
to date regarding the outstanding actions in respect of fire risk
assessments undertaken in June and July which are currently
being investigated by the Head of Health & Safety. This was to
be included in the Compliance report for the March meeting.
The Committee NOTED the Compliance update, in particular:
- The Controls Framework update;
- The Data Management activities; and
- Post Office's approach to cookies.
ACTION: JH
4.4 Internal Audit (IA) Update
Johann Appel introduced the paper which had been circulated
previously and was taken as read. The following points were discussed:
- The team continued to make good progress and had finalised a
further five audits since November 2020 and issued one interim
report;
- IT Controls Framework (ITCF): This was continuing to improve
but the report highlighted that the operation of the ITCF had been
interrupted by the absence of key personnel and no second line
assurance. This was further discussed in paragraph 12 below.
- Mails and Parcels: The audit highlighted several issues
concerning worsening performance with respect to compliance
with Prohibited and Restricted Items (Dangerous Goods)
requirements. Segregation of parcels and accuracy of Mail
Redirection forms were similarly underperforming. Unless
segregation performance improved, there was a risk that Post
Office could be liable for increased service credits under the new
agreement with Royal Mail. Tom Cooper and Ken McCall were
concerned that this was an on-going issue that did not seem to
be being addressed. Johann Appel was asked to send Tom
Cooper a summary of the audit actions from the report and a
detailed review of this issue, including what could be done at
source and what other carriers were doing in this area. An update
was requested for the next meeting in March 2021
(accountability sitting with Amanda Jones (Retail and Network
Franchise Director) and Mark Siviter (Product Portfolio Director -
Mails, PUDO, Retail and Branch Identity Services)).
ACTION: JA
- Interim Report on Historic Matters - CIJ Operations Improvement
Programme: It was noted that the chart in the report was
outdated and there were now 23 green actions, 10 amber and 1
red. The key finding was that there was no formal handover
process between the HMU and Operations. Nick Read highlighted
that in this area, the business was legally compliant, but not
necessarily fit for purpose. This was a key focus for the next six
months to ensure Operations, IT and culture were all fit for
purpose. A GLO Dashboard would be presented to the Board on
a monthly basis to give an overview of progress.
- Belfast Exit Follow-Up and PCI Compliance: These were both
follow up reviews. Governance and day-to-day management
have improved since previous reviews, but there were still
significant risks that were largely outside the control of
programme teams and this reduced confidence that objectives
will be achieved as planned. Nick Read was requested to
re-establish the regular dialogue with the Ingenico CEO.
- There was one outstanding audit action (Health & Safety
Response to COVID-19) and this was on track for completion by
the end of January 2021.
- It was noted that the planned audits on GLO Historical Shortfall
Scheme - Claims and Payments and Strategic Platform
Modernisation were due to be deferred from March 2021 to the
next audit year as evidence was not yet available.
Otherwise, the Committee NOTED the Internal Audit update,
specifically progress being made with delivery of the Internal Audit
programme and completion of audit actions.
Zarin Patel left the meeting.
ACTION: RW (agenda, inform)
ACTION: NR
ACTION: NR
5. Money Laundering Annual Report
Sally Smith introduced the paper, which had been circulated previously
and was taken as read. The following points were discussed:
- The conclusion was that the framework of Anti-Money Laundering
(AML) / Counter Terrorist Financing (CTF) controls were generally
effective and Post Office was complying with its regulatory
requirements under the Money Laundering Regulations (MLRs).
However, the challenges were: the increase in scams, increasing
regulatory scrutiny and the potential introduction of the
Economic Crime Levy. A particular challenge was the increasing
volume of Suspicious Activity Reports (SARs) due to increased
cash deposits. Furthermore, the additional SARs were causing a
resourcing issue within the central team. Roles and
responsibilities changing across the business was making Fit &
Proper a challenge, but this was being managed.
- There were some on-going data issues impacting premises and
agent data with manual workarounds in some areas.
- The Financial Conduct Authority (FCA) has written to all banks
requesting updates on their controls regarding cash deposits. The
team was working closely with the Banking Framework 3 (BF3)
team to ensure the AML accountability requirements were clearly
assigned in the Framework. Ultimately, accountability was with
banks and Post Office cannot replicate a Know Your Customer
(KYC) process for all banking customers in the UK. Ken McCall
noted that with increasing bank closures, the pressure on Post
Office would only increase and questioned whether there could
be cost recovery under BF3. Nick Read explained commercial
discussions with the banks were on-going with the role of Post
Office, regulation and costs all being live issues.
- Tom Cooper questioned what key change was required to resolve
the AML and BF3 issue. Sally Smith explained that there were
existing controls that the banks have at their disposal that can
be deployed, but each bank has different infrastructures and
customer needs. Some banks used chip and pin for deposits
which made setting limits on volume and value easier. Other
banks still use paper deposits, and others were made up of
smaller institutions with different processes and levels of
sophistication. In addition, the pace of change in the banks is
slow. However, pressure from the National Economic Crime
Centre (NECC) Project Admiralty and the 2020 National Risk
Assessment would likely bring the issue further onto the banks’
radar, together with work through the Banking Framework
Agreement (BFA) AML Sub Group. The problem arose as the
banks had fully considered the challenges when depositing
through Post Office. The Chair advised that whilst conversations
regarding the banks’ responsibilities should continue, Post Office
could not rely on banks entirely and investment in analytics was
also important. It was noted that the fundamental challenge is
not having real time data or analytical capability at point of
deposit in the branches. This linked to loss prevention and
honouring the CIJ (see paragraph 9 below).
- In response to questions from Ken McCall, it was explained that
MoneyGram can block transfers to certain countries and change
limits at a branch level. There was on-going daily contact with
MoneyGram.
- On technology, Sally Smith explained that she was discussing
this area with Jeff Smyth (Group Chief Information Officer) to see
if there was anything that could assist the team, noting that Post
Office did not currently actively monitor cash and MoneyGram
(as this is the responsibility of the Banks and Moneygram,
respectively and would be a significant task for Post Office to
replicate). Post Office could demonstrate that enough was being
done internally to augment the bank / Moneygram controls. The
Chair highlighted that additional resources/technology must be
part of the BF3 commercial negotiations.
- On resourcing, more was required but this should be in the
business and banking team (1st line of defence), rather than the
central team (2nd line of defence).
Accordingly, the Committee APPROVED the recommendations within
paragraphs 9 - 12 of the report (including the table on pages 3-7),
noting that all actions must have due dates, and paragraph F of the
Annual Report of the Money Laundering Reporting Officer, prior to the
Annual Report being issued to the regulator, Her Majesty’s Revenue and
Customs (HMRC).
6. Update from Subsidiaries: verbal update
Post Office Management Services (ARC)
6.1 The Committee NOTED the update from the Post Office Insurance (POI)
ARC.
7. Annual Report & Accounts Update
7.1 Al Cameron introduced the paper, which had been circulated previously
and was taken as read. The following points were highlighted:
- Work was actively progressing to complete the Annual Report
and Accounts (ARA) for the financial year end 29 March 2020.
The ARA was largely drafted but needed some considerable
updates given the events over the last six to eight months.
Outstanding issues included:
1. A provision for Post Group Litigation Order and the
calculation of the accounting estimate in respect of the HSS,
as well as disclosure updates in respect of this scheme, the
contingent liability for Starling litigation and subsequent
events disclosure for the historical criminal cases.
2. Impairment on insurance business investment which was
likely to be around £15-20m
3. A provision for hard to place branches, which might be up to
£30m, although there was a question as to whether this was
a past event or a new decision for inclusion in accounts to the
financial year end 29 March 2020. (Tom Cooper noted that
this was a joint reputational issue for Post Office and the
Government and needed to be discussed at the Board). Note:
This was subsequently discussed at the Board meeting later
on the same day.
4. The wording regarding contingent liabilities needed to be
discussed.
5. The Committee would need to agree that the CCRC issue was
included as a subsequent event (as it was in the future as at
29 March 2020).
- A detailed going concern assessment then needs to be completed
for a period of 18 months (rather than 12 months) from accounts
submission. Therefore, forecasts were being examined. PWC
have made it clear that unless a viability statement covers a
period of 18 months, they would likely include an emphasis of
matter paragraph in their opinion. Tom Cooper remarked that his
team were discussing this disclosure with BEIS Finance.
- The intention was for the Committee to review the accounts for
approval (for onward submission to the Board) on 26 February
2021.
- The sections relating to Risk and Remuneration would largely be
unchanged but the CEO and Chairman’s report were being
completely redrafted.
The Committee NOTED:
i. the status of the Post Office Limited Group Annual Report and
Accounts for the year ended 29 March 2020
ii. the key items required for completion and signing of the ARA;
and
iii. the plan for completion and signing.
8. Tax Update & Tax Strategy
8.1 Andy Jamieson introduced the paper, which had been circulated
previously and was taken as read. The key points were highlighted as:
- VAT: This was complex to manage on a day-to-day basis and this
year has seen some additional challenges, namely Brexit (with
new reporting requirements for goods to Northern Ireland),
making tax digital, changes of income and introduction of Web3
which has allowed automation of tax coding. COVID has meant
no “in person” HMRC audits, but an online audit had been
completed.
- Corporation tax: As performance was improving, Post Office
would likely be in a position to pay this tax in 2022/23.
- Employment taxes: Historically, Post Office has not had any
expertise in this area and HMRC have expressed concerns.
However, an expert has now been recruited to review HR
processes and build in improvements.
- Feedback was to be provided by HMRC on the IR35
implementation in their March report.
The Committee NOTED the Tax Update and APPROVED the annual
review of the Tax Strategy.
9. Update on branch losses and balances on Postmaster accounts
Tim Perkins introduced the paper, which had been circulated previously
and was taken as read. The following points were highlighted:
- Performance has continued to be positive. Average loss per
branch has fallen from just under £135 per trading period per
branch to £63.44 per trading period per branch. This has been
driven by proactive intervention, less cash in network, timeliness
of corrections and improved training.
- Next steps were to continue with these interventions and see
what can be done to improve the speed of corrections and
improvement in stock. Work was being done with HMU to remove
the “settled centrally” terminology from Horizon and add a
dispute button at the point of settling.
- Tom Cooper queried when the minimum value that can be settled
centrally would be changed from £150 to £0, noting he thought
this had been removed previously. Tim Perkins explained that
Accenture had just quoted to do this, and it was requested that
Tim Perkins provide the date as to when this would happen to
the Committee once he is advised of it.
ACTION: TP
- In response to further questions about branches being able to be
‘rolled’ into the next trading period and how disputed items were
dealt with, Tim Perkins explained that balances are moved to a
Postmaster account to allow an investigation to take place to
establish the cause of the loss. A button would also be added to
Horizon to allow immediate dispute.
- The age of the transaction error was the crucial factor, rather than
the number of errors. At present, measurements were based on
transactions over two months old. A measurement of 45 to 60
days (depending on the type of transaction) was being
considered to take into account how long client reconciliation
takes.
- At the request of Ken McCall more detail was provided on the
process where a cash declaration had not been done for 10 days
or for trading period roll overs (where not done for 60 days).
First, the Postmaster would be called by the team (bearing in
mind any branch closure) and the issue would be escalated to
the Area Manager. Where repeated contact has to be made, the
branch will also be visited to ensure they understand the
requirement and to understand the barrier(s) to completion.
There would also be a conversation with the contract advisor
team about contract performance.
- It was confirmed that branches with high cash holdings or highest
levels of cash deposits have excellent compliance with the branch
accounting requirements. However, for branches with high levels
of cash deposits, more transaction errors were seen, and this was
an area of focus, particularly as to whether better equipment
could be provided. Additional support from Area Managers and
Security Managers was being provided with a visit every month.
- The Committee commented that key was to tackle this issue at
source. Al Cameron explained that any proposed changes had
been postponed given ongoing process reviews in this area.
- The Chair noted that it was good to see the figures decreasing
but that it would be useful to see a dashboard of branch balances
and transaction corrections, possibly as an addition to the
reporting on post GLO remediation. (Tim Perkins and Amanda
Jones to action for the next Committee meeting). (ACTION: TP/AJ)
- Via email outside the meeting, Zarin Patel also suggested that
root cause analysis should be undertaken into the gross
losses/gains and net balances as these seemed very high
(paragraph 8 of the paper). (Tim Perkins and Amanda Jones to
consider for update at the next Committee meeting). (ACTION: TP/AJ)
The Committee NOTED the update on balances posted to Postmaster
customer accounts following a request at the Committee in September
2020.
10. Postmaster Policies
10.1 Amanda Jones introduced the paper, which had been circulated
previously and was taken as read. It was explained that these three
policies were being proposed to formalise the improvements made to a
number of processes in response to the CIJ. Each policy was taken in
turn:
- Network Monitoring and Audit Support Policy: Norton Rose
Fulbright (NRF) (external lawyers) have reviewed the Postmaster
process changes which this policy covers. The Chair questioned
why the Risk Appetite section was missing. It was confirmed that
the risk appetite was averse, but that this linked back to the
earlier discussion regarding the risk appetite statement for
Postmasters and the need for clear KRIs, which were particularly
required to judge if the policy was being embedded and enforced.
This section should be added into the policy in line with the work
to be completed on KRIs for Postmasters (see action above in
paragraph 4.2).
There was also an action to carefully consider references to
“employee” throughout the document.
It was also confirmed that this was an internal policy (not
Postmaster facing), but a similar version would be created as
part of the Postmaster manual. It was explained there would be
an overarching document demonstrating how the policies fit
together and it was agreed this would be presented to the
Committee in March 2021 with the Chair requesting that it be
clear in this document who was the audience of which policy.
(ACTION: TP/AJ)
- Postmaster Account Support Policy: This policy had been
reviewed by NRF. A different approach was being taken by the
former loss recovery team, which was to be supportive and
understanding of discrepancies.
It was explained that the three policies interfaced to provide
support to Postmasters. The Network Monitoring policy related to
investigation, Account Support was for proactive support and
Dispute Resolution sets out the tiers of support provided in the
event of a discrepancy (section 4 of the policy).
ACTION: TP/AJ/MB
ACTION: TP/AJ
The Chair questioned the wording of the risk appetite section and
it was requested that this was reviewed before the policy was
published/implemented.
With respect to the writing off of discrepancies, it was explained
that the team were working hard to reduce the number and size
of discrepancies. There were no caps on amounts that could be
written off over a period of time as the controls to approve the
write offs ultimately formed part of the finance processes.
- Postmaster Accounting Dispute Resolution Policy: NRF have
reviewed the Postmaster process changes which this policy
covers.
Tom Cooper questioned whether after the Tier 3 support level
(section 4 of the policy) litigation was the only option,
considering that the amount could be small. Tim Perkins
explained that the account support processes were used to
consider how the discrepancy should be dealt with and whether
it should be written off, with a lot of engagement with the
Postmaster. Where there were persistent losses or carelessness,
then this would be dealt with from a contractual performance
perspective i.e. termination on notice.
The Committee requested that the following elements were
included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3
(indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through
the dispute resolution process (i.e. accounting records,
Horizon data etc.);
4. Reference to classroom training that would be provided to
Postmasters on investigating balance discrepancies; and
5. A checklist for each tier.
Zarin Patel (by email outside of the meeting) also raised the following
points:
i. Both the Postmaster Account Support Policy (para 2.5 and
4.1) and the Network Monitoring and Audit Support Policy
(para 2.5) referred to “reasonable and fair investigations”
without adequately defining this; and
ii. The Network Monitoring and Audit Support Policy should
address skill set and attitude of lead auditors and how the
new culture would be embedded so they did not approach the
audit with preconceived biases.
ACTION: TP/AJ/MB
ACTION: TP/AJ
ACTION: TP/AJ
Accordingly, the following policies were APPROVED by the Committee:
- Postmaster Account Support Policy (subject to a review of the
wording of the risk appetite section and addition of a definition
of a “reasonable and fair investigation”); and
- Network Monitoring and Audit Support Policy (subject to the
addition of a risk appetite section and a definition of a
“reasonable and fair investigation” as well as the skill set and
attitude of the lead auditors and how the new culture would be
embedded).
The Postmaster Accounting Dispute Resolution Policy was to be revised
in line with the Committee’s discussions (including a review of all risk
appetite references) and approved by written resolution after the
meeting.
11. Historical Matters Unit: Fraudulent Claims Controls & Delegation
of Authority
Declan Salter and Graham Hemingway introduced the paper which had
been circulated previously and taken as read. The key points were
highlighted as:
- Responsibilities, accountabilities and decision-making
authorities: Work was being done to produce an operating
charter and a RACI, including delegated authorities and
accountabilities. This has taken longer due to engagement with
BEIS and UK Government Investments (UKGI). A ways of
working document has been agreed, but a decision-making flow
chart was still being updated. Once complete, it was to be
circulated to the Board at its CCRC meeting. Further discussions
were being held on reporting to BEIS/UKGI.
- Mitigations against risk of fraudulent claims: Fraud risks were
being actively managed by Herbert Smith Freehills (HSF) and the
Project team covering 21 separate fraud risks as set out in
appendix 1 of the report. By way of email outside the meeting,
Zarin Patel suggested that the team consider best practice for
fraudulent claim controls, such as those used for Payment
Protection Insurance (PPI) claims. Graham Hemingway
provided the following response: the mitigations have been
compiled and reviewed by his team, which included programme
and project managers as well as business analysts with
experience of managing PPI-type claim schemes at Lloyds
Banking Group, Barclays, Nationwide, RBS and Co-op Bank.
Further, Declan Salter’s experience has also fed into the ongoing
risk management activities, particularly around risk of
interception of emails. Internal Audit or an external team could
review the mitigations as part of their planned reviews.
ACTION: GH/DS
- Data relating to fraudulent claims and eligibility to be appended
to the CCRC Board pack: MI showing latest eligibility results
(values and volumes) from HSS was already being distributed as
part of an MI pack that HSF share with Board members on a
weekly basis. Information relating to identification of fraudulent
claims has been shared as part of the CCRC Board packs since
14 January 2021. In response to questions from the Committee,
Graham Hemingway further explained that eligibility checks were
a standard under the Terms of Reference of the HSS. Work was
still being done to work through the data and evidence available
on each claim, which was difficult due to the age of some claims.
It was also confirmed that the team was looking to instruct legal
counsel to understand rules around deceased estates and
bankruptcy in other jurisdictions (mainly Scotland and Northern
Ireland), which was necessary for a small sub-set of claims.
Otherwise, the Committee NOTED how risks relating to fraudulent
claims are being managed in the Historical Shortfall Scheme (and the
Stamps Scheme) and that controls were in place to confirm the
eligibility of claims.
12. IT Controls Assessment
12.1 Tony Jowett introduced the paper, which had been circulated previously
and was taken as read. The main focus of work in the IT Controls was
the Internal Audit Report actions and focus of the improvement effort
was on the controls of greatest risk, namely those areas connected with
the management of the third-party estate through the lens of Post
Office's crown jewel systems. The Committee requested that there be
a detailed review of this, and this review would be reported to the
Committee, targeting the next meeting.
On resource constraints flagged by the Internal Audit report, Tony
Jowett further explained that the size of the team had been doubled
and someone had been appointed to the business continuity role but
was not yet in post.
The Committee NOTED the status and plans regarding the reduction of
risk associated with IT Controls.
ACTION: TJ
13. AOB
13.1 There being no further business, the meeting was closed at 11:27.
14. Items for Noting
14.1 The following papers were circulated to the Committee prior to the
meeting, but were not discussed at its meeting and NOTED by the
Committee:
- Pensions Controls
- Success Factors
- Cyber Security
- Joiners, Movers, Leavers (JML)
- Law & Trends
- Accountable Person*
- Mails Fraud Update**
*Outside of the meeting, Tom Cooper requested that paragraph 18
needed to be amended to remove the following line: “There is a UKGI
representative on the POL Board, who have oversight of the Group
Executive (“GE”) and are able to challenge and review relevant
decisions made by the AP and the GE team” as his role on the Board
was not linked to the role of the Accountable Person.
** Subsequent to the meeting, Tom Cooper questioned whether power
outages (affecting label printing) had implications for the integrity of
branch accounting and accuracy of postmaster balances. Declan Salter
has confirmed that, absent fraudulent activity, there would be no
financial loss. Furthermore, that, in this regard, there are no system
related integrity issues.
Meeting Actions:
Para
No.
Action Detail
Action
2.1
Investigations Policy: Accordingly, the Committee APPROVED the
Investigations Policy, subject to:
i. The inclusion of details on the appropriate attitude of the
investigator; the need for the investigator to be independent and
have the appropriate expertise and appropriate references to
other relevant policies; and
The policy being externally reviewed, and the results of this review being
considered and included as appropriate.
Ben
Foat
4.1
Risk Update: The Chair noted a discussion in the Internal Audit meeting
that morning about how to implement controls around Postmaster risks
and how to validate GLO initiatives. Mark Baldock was asked to pick this
up with Jonathan Hill with an update to be provided at the March meeting.
Multiple partner fragility was also noted as a key operational risk due to
the economic threats to the high street.
Mark
Baldock
4.1
Risk Update: Ken McCall requested that the following be reviewed:
- The wording of paragraph 13 relating to the financial risk around
“insufficient” funding reflect the risk of uncertainty about funding;
Mark
Baldock
STRICTLY CONFIDENTIAL
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
20
41 of 178
Tab 4.1 Minutes (26 January 2021 & 26 February 2021)
42 of 178
POST OFFICE LIMITED
UKG1I00038546
UKGI00038546
- Paragraph 25 relating to the risk of prolonged industrial action as
this should refer to pace of response rather than the risk of material
long term industrial action; and
- Paragraph 27 relating to adverse external economic factors, noting
that much of this was outside Post Office’s control and that, some
elements had upsides for Post Office.
Mark Baldock was asked to review these sections, discuss further with Ken
McCall and provide an update for the next Committee meeting
4.2 Risk Appetite Statement: Legal & Compliance: It was requested that Ben Foat consider the wording of paragraph 14 relating to "breaching tolerance" as, in fact, it was more about needing stronger controls.
Owner: Ben Foat

4.2 Risk Appetite Statement: Legal & Compliance: Tom Cooper highlighted that Pick Up Drop Off (PUDO) was a competition risk given the investment being made in the Express Post Office proposition and noted an argument could be made about state aid. This was to be considered and, if appropriate, added to the paper.
Owner: Ben Foat

4.2 Risk Appetite Statement: Legal & Compliance: The Chair noted that the risk relating to Post Office being in a less competitive position due to new legislation or regulation was really a commercial risk. This should be corrected in the paper.
Owner: Ben Foat

4.2 Risk Appetite Statement: Legal & Compliance: As such, Mark Baldock was asked to look at identifying the KRIs for Postmasters with the Network team and consider working on statements for one or two other areas for update at the March Committee meeting (in the usual Risk Paper).
Owner: Mark Baldock

4.3 Compliance Update: Ken McCall noted that the report outlined that there had been changes to the Postmaster Onboarding process and questioned whether this meant the onboarding process was quicker. Jonathan Hill was asked to confirm this point for update at the next meeting.
Owner: Jonathan Hill

4.3 Compliance Update: In response to questions from Ken McCall raising concerns about the wording of this section in the report (paragraph 11), it was confirmed that it was the mapping of processes for activities addressing the CIJ that had no consistent approach, rather than the controls themselves. Key was evidence of controls and a consistency of approach. The HMU team was working with the relevant business areas to address this. However, the Chair asked Jonathan Hill to further consider before the next meeting any underlying issues (not just related to mapping), what controls were in place and whether or not they were appropriate.
Owner: Jonathan Hill

4.3 Compliance Update: Zarin Patel also requested that the Committee have sight of the KPMG review of the HIJ when this was ready, noting that there were a lot of papers regarding Postmasters before the Committee and the Board and therefore questioned whether the issue was under control.
Owner: Jonathan Hill

4.3 Compliance Update: Fire Risk Assessments: The Committee requested to be kept up to date regarding the outstanding actions in respect of fire risk assessments undertaken in June and July, which were currently being investigated by the Head of Health & Safety. This was to be included in the Compliance report for the March meeting.
Owner: Jonathan Hill
4.4 Internal Audit Update: Johann Appel was asked to send Tom Cooper a summary of the audit actions from the [Mails & Parcels] report.
Owner: Johann Appel

4.4 Internal Audit Update: A detailed review of [the Dangerous Goods] issue was requested, including what could be done at source and what other carriers were doing in this area. An update was requested for the next meeting in March 2021 (accountability sitting with Amanda Jones (Retail and Network Franchise Director) and Mark Siviter (Product Portfolio Director - Mails, PUDO, Retail and Branch Identity Services)).
Owner: Rebecca Whibley

4.4 Internal Audit Update: Nick Read highlighted that in this area the business was legally compliant, but not necessarily fit for purpose. This was a key focus for the next six months to ensure Operations, IT and culture were all fit for purpose. A GLO Dashboard would be presented to the Board on a monthly basis to give an overview of progress.
Owner: Nick Read

4.4 Internal Audit Update: Belfast Exit Follow-Up and PCI Compliance: These were both follow-up reviews. Governance and day-to-day management had improved since previous reviews, but there were still significant risks that were largely outside the control of programme teams, and this reduced confidence that objectives would be achieved as planned. Nick Read was requested to re-establish the regular dialogue with the Ingenico CEO.
Owner: Nick Read
9.1 Update on branch losses and balances on Postmaster accounts: Tom Cooper queried when the minimum value that can be settled centrally would be changed from £150 to £0, noting he thought this had been removed previously. Tim Perkins explained that Accenture had just quoted to do this, and it was requested that Tim Perkins provide the date as to when this would happen to the Committee once he is advised of it.
Owner: Tim Perkins

9.1 Update on branch losses and balances on Postmaster accounts: The Chair noted that it was good to see the figures decreasing but that it would be useful to see a dashboard of branch balances and transaction corrections, possibly as an addition to the reporting on post-GLO remediation. (Tim Perkins and Amanda Jones to action for the next Committee meeting.)
Owner: Tim Perkins / Amanda Jones

9.1 Update on branch losses and balances on Postmaster accounts: Via email outside the meeting, Zarin Patel also suggested that root cause analysis should be undertaken into the gross losses/gains and net balances as these seemed very high (paragraph 8 of the paper). (Tim Perkins and Amanda Jones to consider for update at the next Committee meeting.)
Owner: Tim Perkins / Amanda Jones
10.1 Postmaster Policies: It was confirmed that the risk appetite was averse, but that this linked back to the earlier discussion regarding the risk appetite statement for Postmasters and the need for clear KRIs, which were particularly required to judge if the policy was being embedded and enforced. This section should be added into the policy in line with the work to be completed on KRIs for Postmasters (see action above in paragraph 4.2).
Owner: Tim Perkins / Amanda Jones / Mark Baldock

10.1 Postmaster Policies: There was also an action to carefully consider references to "employee" throughout the document.
Owner: Tim Perkins / Amanda Jones

10.1 Postmaster Policies: It was explained there would be an overarching document demonstrating how the policies fit together and it was agreed this would be presented to the Committee in March 2021, with the Chair requesting that it be clear in this document who was the audience of which policy.
Owner: Tim Perkins / Amanda Jones

10.1 Postmaster Policies: The Chair questioned the wording of the risk appetite section and it was requested that this was reviewed before the policy was published/implemented.
Owner: Tim Perkins / Amanda Jones / Mark Baldock
10.1 Postmaster Policies: The Committee requested that the following elements were included in the policy:
1. A suggested timetable for decision-making;
2. Who would be involved in making decisions under Tier 3 (indicating that it should be people of appropriate seniority);
3. Information that would be provided to the Postmaster through the dispute resolution process (i.e. accounting records, Horizon data etc.);
4. Reference to classroom training that would be provided to Postmasters on investigating balance discrepancies; and
5. A checklist for each tier.
Owner: Tim Perkins / Amanda Jones

10.1 Postmaster Policies: Zarin Patel (by email outside of the meeting) also raised the following points:
i. Both the Postmaster Account Support Policy (paras 2.5 and 4.1) and the Network Monitoring and Audit Support Policy (para 2.5) referred to "reasonable and fair investigations" without adequately defining this; and
ii. The Network Monitoring and Audit Support Policy should address the skill set and attitude of lead auditors and how the new culture would be embedded so they did not approach the audit with preconceived biases.
Owner: Tim Perkins / Amanda Jones

Historical Matters Unit: Fraudulent Claims Controls & Delegation of Authority: A ways of working document had been agreed, but a decision-making flow chart was still being updated. Once complete, it was to be circulated to the Board at its CCRC meeting. Further discussions were being held on reporting to BEIS/UKGI.
Owner: Graham Hemingway / Declan Salter

12.1 IT Controls: The main focus of work in IT Controls was the Internal Audit Report actions, and the focus of the improvement effort was on the controls of greatest risk, namely those areas connected with the management of the third-party estate through the lens of Post Office's crown jewel systems. The Committee requested that there be a detailed review of this, and this review would be reported to the Committee, targeting the next meeting.
Owner: Tony Jowett
Tab 4.1 Minutes (26 January 2021 & 26 February 2021)
MINUTES OF AN ADDITIONAL MEETING OF THE AUDIT, RISK AND COMPLIANCE COMMITTEE OF POST OFFICE LIMITED HELD ON FRIDAY 26th FEBRUARY 2021 AT 20 FINSBURY STREET, LONDON EC2Y 9AQ AT 08.30AM (VIA CONFERENCE CALL) [1]

Present:
Carla Stent (Chair)
Ken McCall (SID) (KM)
Tom Cooper (NED, UKGI) (TC)
Zarin Patel (NED) (ZP)

Invited Attendees:
Tom Lee (Financial Controller) (TL)
Christine Kirby (Financial Controls Manager) (CK)

Regular Attendees:
Tim Parker (Chairman, POL) (TP)
Nick Read (Group Chief Executive Officer) (NR)
Alisdair Cameron (Group Chief Finance Officer) (AC)
Andrew Paynter (Audit Partner, PwC) (AP)
Sarah Allen (Senior Manager, PwC) (SA)
Rachel Owens (Director, PwC) (RO)
Rosie Clifton (Senior Manager, PwC) (RC)
Rebecca Whibley (Senior Assistant Company Secretary) (RW)

Apologies: N/A

1. Welcome and Conflicts of Interest [2]

1.1 A quorum being present, the Chair opened the meeting and noted that participation was solely by conference call given the current Government guidance on home working. However, given the requirements of the Company's Articles of Association, the location of the meeting was agreed to be the Company's Registered Office.

1.2 The Directors declared that they had no new conflicts of interest in the matters to be considered at the meeting in accordance with the requirements of section 177 of the Companies Act 2006 and the Company's Articles of Association.

[1] Participation in the meeting was entirely via Microsoft Teams from participants' personal addresses. In such circumstances the Company's Articles of Association (Article 64) require that the location of the meeting be deemed as the chair's location. However, it was not deemed appropriate to record personal addresses on the Company record. As such, the Registered Office is recorded as the meeting location.
[2] This meeting is an addition to the scheduled meetings, so standard items, such as minutes and matters arising, have been carried over to the 30 March 2021 meeting.

2. Annual Report & Accounts

2.1 Alisdair Cameron introduced the papers, which had been circulated previously and were taken as read. He also referred to a short summary note that had been circulated via email to the Committee on 25 February 2021. It was noted that Her Majesty's Treasury (HMT) had approved the £285m funding for the Historical Shortfalls Scheme (HSS) late on 25 February 2021. There were conditions attached to this approval which were still being clarified; however, it was agreed that these were not material such that the Committee could not consider the review and approval of the Post Office Limited Group Annual Report and Accounts for financial year end 29 March 2020 (ARA) at its meeting.
2.2 Alisdair Cameron outlined that there was a lot of documentation that required signature before the ARA could be finalised, namely the Funding Agreement with the Department of Business, Energy & Industrial Strategy (BEIS), letter of support from BEIS, three-year working capital facility extension, loan agreement with BEIS, HSS Operations agreement and Equity agreement. The Funding Agreement included a change to the definition of a Post Office location, subject to a Cabinet write-around to other Government departments. Tom Cooper confirmed one department had raised an issue, on which there would be some back and forth, but it was not thought the definition would change as a result. The letter of support was highlighted as important for the Committee and the Board as it would state: "However, we confirm that it is our present intention that BEIS's support for Post Office will continue and we will inform Post Office immediately if that situation changes." This was key for the HSS payments and going concern assessment.
2.3 On the going concern assessment, Al Cameron explained that:
- The assertion was that Post Office was a going concern for the next 18 months, rather than the traditional 12 months, as this was now best practice and also reflected the revised government spending reviews. It was noted that the requirement is still a 12-month forward period review.
- Post Office had significant facility headroom.
- It was possible that within the 18-month period some contingent liabilities might crystallise, e.g. the post criminal conviction liability (CCRC) or the worker's rights tribunal (Starling). This was where the letter of support from BEIS was important.
- Ultimately, there were material uncertainties (HSS, CCRC and Starling) but these were described transparently. It was right that PwC would refer to this in their audit report.
- The Committee carefully considered the Starling disclosures, especially in light of the recent legal case vs Uber. The Committee requested that an update on Starling be brought to the Board in May 2021. (Action: NR/AC)

Andrew Paynter explained that PwC had been working with management on the relevant disclosure and noted that there were some enhancements still suggested, but they would not change the crux of the disclosures. PwC would draw attention to the material uncertainty of the HSS, CCRC and Starling, but this would be on a going concern basis, noting that the material uncertainty was specifically about the impact on the going concern assessment, not the uncertainty of the HSS provision.

The Committee confirmed it agreed with the going concern assessment but that it wanted to wait for the letter of support to be received from BEIS before any de minimis payments under the HSS were made.
2.4 Zarin Patel questioned how the disclosure regarding Defined Benefit
Pension Scheme would be made. Al Cameron explained that the disclosure
was minimal because (1) there was not much information available, (2)
those affected had not yet been advised of the issue and (3) it was unclear
that there would be material exposure for Post Office. Any figures would
only be available in the next month or so, which would be after the
signature of the accounts. The figures would fall into three categories: (1)
those who have not yet had their pension quote (quotes would be
corrected and liability would be zero), (2) those who have drawn their
pension, and these would be honoured and not reduced and (3) those who
have had a quote but have not drawn their pension and it depended on
the cost as to whether these could be honoured. There would also be
discussions around the proportion of costs that the Trustees should share.
At present, as there was no clarity over the amounts involved, it was not
clear that more should be disclosed.
In response to a question from Tom Cooper, Al Cameron also confirmed
that a 7% contribution by Post Office had not been confirmed due to lack
of paperwork: the Scheme was in surplus, although there was a theoretical
risk that if the Scheme went into deficit, Post Office might be asked to
contribute more. However, Post Office could argue against this, but this
would involve discussions with Royal Mail. Andrew Paynter stated the
auditors had proposed a couple of additional words to the disclosure to
make it clear this was based on the current funding contribution.
2.5 At the request of Al Cameron, the Committee also confirmed that the tone struck the right balance between apologising for the past and demonstrating that Post Office was now moving forwards. Tom Cooper mentioned that he had a few comments about the budgeting cycle that he would share with Al Cameron directly. (Action: AC/TC)
3. Audit Summary Memorandum FY 2019/20

3.1 Andrew Paynter introduced the paper, which had been circulated previously and was taken as read. He noted that many items had already been discussed but highlighted the following:
- Impairment of fixed assets: The assets of Post Office needed to be underpinned by future cash flows. This was an exercise done every year with cash flows updated, and the same cash flows had been looked at for the going concern assessment. The auditors were comfortable with the impairment calculation. There was headroom over carrying value of fixed assets: this was £500m in June and was now down to £244m. The auditors were comfortable with this, the discount model used and impairment on the insurance business.
- Defined Benefit Pension Scheme disclosure: As the Scheme was £60m in surplus, the auditors were comfortable with the disclosure.
- CCRC: Given the timing of the accounts and the unfolding of events, this was a post balance sheet event as at 31 March 2020 and not a contingent liability.
- Going concern: This was addressed on page 10 of the report, with the auditors concluding that this basis of preparation was appropriate, with the material uncertainty identified.
- Controls: These were discussed with the Committee last June and most were now closed.
- Telco unadjusted misstatements: At the Chair's request, Al Cameron confirmed these would be corrected/cleared when the sale completes.

Andrew Paynter further highlighted the incremental costs of the audit for financial year 2019/20, which had run for circa 9 months, and that these were being discussed with Al Cameron. It was also noted that fees for financial year 2020/21 also needed to be agreed. All fees were to be approved by the Committee and should be brought back for approval once agreed with the auditors. (Action: AC)
3.2 Given the confirmation of the HSS funding, the Committee agreed it was
appropriate to recommend the ARA for approval to the Board, with a
delegation to the Group Chief Finance Officer, the Group Chief Executive
Officer and the Chair of the ARC to finalise prior to signature. Tim Parker
confirmed he was content with this approach.
3.3 Accordingly, the Committee:
i. NOTED the status of the Post Office Limited Group Annual Report and Accounts (ARA) for the year ended 29 March 2020;
ii. NOTED the main changes in the ARA since they were last presented to ARC in June 2020;
iii. NOTED the plan for completion and signing of the ARA;
iv. NOTED and DISCUSSED the key judgements and decisions made in determining the disclosures made in the ARA in respect of key estimates, judgements and other significant matters (see above minutes);
v. NOTED the Audit Summary Memorandum financial year 2019/20; and
vi. APPROVED the ARA for onward submission to the Board, subject to the matters discussed and agreed during the meeting, and with a delegation to the Group Chief Finance Officer, the Group Chief Executive Officer and the Chair of the ARC to finalise prior to signature.
4. Audit FY 2020/21 Update: IT Controls

Rachel Owens introduced the paper, which had been circulated previously and was taken as read. It was highlighted that there was good progress being made and more progress would be seen as Tony Jowett's (Chief Information Security Officer) initiatives continue into the next financial year. The Committee otherwise NOTED the Audit FY 2020/21 Update on IT Controls.

5. AOB

There being no further business, the meeting was closed at 09:30. The Board met immediately after the Committee to approve the accounts.
Meeting Actions (paragraph no., action detail, action owner):

2.3 The Committee carefully considered the Starling disclosures, especially in light of the recent legal case vs Uber. The Committee requested that an update on Starling be brought to the Board in May 2021.
Owner: Nick Read / Al Cameron (Dan Zinner)

2.5 Tom Cooper mentioned that he had a few comments about the budgeting cycle that he would share with Al Cameron directly.
Owner: Al Cameron / Tom Cooper

3.1 Andrew Paynter further highlighted the incremental costs of the audit for financial year 2019/20, which had run for circa 9 months, and that these were being discussed with Al Cameron. It was also noted that fees for financial year 2020/21 also needed to be agreed. All fees were to be approved by the Committee and should be brought back for approval once agreed with the auditors.
Owner: Al Cameron
Tab 4.2 Action List
Post Office Limited Audit, Risk & Compliance Committee
‘OPEN ACTIONS
Masting [wine
homo] See I aoa ‘Action Owner] Due Date Sana
cons Acree, I23/032021: See update to action 8 below.
, 1210112021: See update to action 64 fom 22/09/2020
‘Boerd Meeting & 3t\+9 be provided to ARC or Board as required at this point. An
May 2021 ARC/B02" I agate paper wil aso be presented to the Committee for
I communcaton pan shld be develoed vith RehardTayior (OL mene i
1 27/a7;2020 ‘ IGroup Communications Director) should the issue become public Maxine Cross: Incting on 26 January 2024
nome, Tone necting :
rename as enang agen tem un be revertd to amuary ARC or oar as requred
GR TBOaL Ts Way bom Sra wl vs OSD
parison oot enh te crane roe ee
‘Procurement Policy: The team are also supported by the LegalI tag Cn eee
2 I zs I 21 Ipocurement manus sumpled for crest oucrenoy being revesned,I S852 I arch 2023 ARC
fmicn wast De competed by Rowenta 2990, ate: tis action was, ufrurately, massed fom the ARC
scene it for previo ectinge and se suchas ot Been
previously updated
ekiaal os ben crag adhe OBL cee
caren ene Gebete commas esis: Recommend
ecucmene wre resent curing opton tote GE and ord ona} _arbara =
2 ee 22 I consulting OJFU to appoine a POL pane! for professional services by Bannon Mash aL ARCs ad bel woe aera lesa ce uc ARE
aren 2083 Scien tet for previous meeting aed ae such has ot ben
presi ucts
{Wis hasbeen complted and was evewad
Span danany pet et. Te ecorment Poy st
procurement Pec: Append A was tbe ved aod venixead I gg [noroval yt commttey on 30 rch 2021 vs wen
4 I 2270972000} 22 wk subssnction in man Procurement Policy on substhreshold Barbara I starch 2021 ARC Iresolsion, Recommended for closure.
Secure y Noverer 200, at: is acon ms, urtorturaty se rm the ARC
scone tor revive meting and be such bas Wt bee
rently upestes
08/032001: A postive reponse veceved rom UKGI aro
I [revered the Pocrernet Poy with no changes
eeriere, nase eeea ne comer:
4 procurement Poy To Caspr advied tis KG erocirement II Barbara 5
a broeine 2-3 I specialist would review the aoicy by November 2020 Bannon) I Maren 2024 ARE
\Mote: This action was, unfortunately, missed from the ARC
lactions lst for previous meetings and as such has not been
[previously updated,
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
Tab 4.2 Action List
UKGI00038546
UKGI00038546
22/09/2020
24
Procurement Policy: A working ramework be develooed with secured
(CCS panels to reduce the need for advertising professional services
‘opportunites (due by 32 March 2021).
Barbara
Bannon
March 2023 ARC
(08/01/2021: This hes been completed and the OJEU process
's due to commence in the summer. Recommended for
‘dlosure,
Note: This action was, unfortunately, missed from the ARC
lations list for pravious maetings and as such nas not been
[previously undated.
22/09/2020
ar
[Risk Appetite Statements: Updated risk appetite statements for
\Legal, Compliance & Governance ane technology would be p
March 2021 ARC.
TOTZOAT TCS PK SEPT UPCSTE SPT CSET TOT
ROC/ARC 2/2021 meetings. Following iitial noting in
1/2023, formal ARC approval now sought to LCG rs«s
lappetite postion
‘Central Ris n devon with Retafl and Franchise Network
{0 putin place an Operational RAS (given this will cover
[postmaster-centrc risks). The plan Is get io an internally
lazreed postion oy rd of 3/2021 whch can then be taied
ie Corrina is Roversbur an fuer uabieerts suihd ba aught
[before the Committe in January and March 2023.
‘Marie Baldock
‘Mocting-
(emer Mar 2024)
Hor ARCin 5/2021.
'20/04/2021: Legal and Compliance Rick Appetite Statement
[paper has been produces are to be presented by Ben Foat to
Ihe Committee on 26 January 2024 for nating (to be
lapproved at» later date). Furtrer statements are in train
including TF (wlth Jeff Smyth) and Operations (Postmasters)
{wit Amanda Jones). One of these statements will be
Ipresentad in March 2021
22/09/2020
64
Pensions Assurance: 2? raised concer atthe levels of stress/upset
Ite clawback could cause for members, particularly where members
hed passed away, and requested tne following be presented
1.A stratogic plan for law-back.
2.Sight of the complications and controls in lace,
3.4 review ofall quantum figures.
Maxine Cross
Before May 2021
ARC/Boerd Meeting & at
May 2021 ARC/Board
meeting
Boore-Mecting
January 2021 ARC OF-
Boore Meeting
(23/03/2021: HR will meet the Trustee on 24 March 2021
allowing their Board meeting on 23 Maren 2021. This will baI
‘the first sight of the Impact ofthe errors. Once the Impact Is.
luncerstood, the tearns will meet with Lisa Chery ane Al
(cameron on 31 March 2021 and then ciscuss with Steerco on
'8 Apri 2021. It should de noted that the Trustee's
[calculations are based on Post Office's data whicy is believed
20 be final. However the Trustee has asked for assurance that
{the Unions are supportive ofthe reconstruction work. Work
{to get that assurance from them is 09 going. Further update.
‘to be provided before and at the May 2021 Committee
‘meeting
‘The quantum is likely to be known in Maren
"2021 following analysis and review by the Trustee. The
‘approach to correcting the members benefits including any
[proposed clawback will be discussec by the Trustee and POL
“allowing the Trustee board meeting on 23rd March. We
Intenc to engage early with the Trustee te ensure our
preferred approach is known. A further updete will be
[provided tothe ARC or Board as required in March 2021. An
lupdate paper will aso be presentec to tre Committee for
inating on 26 Jenvary 2021,
‘This wil be addressed at the January 2021 ARC
'9211112020'
lor Board Meeting as require,
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
53 of 178
Tab 4.2 Action List
54 of 178
UKGI00038546
UKGI00038546
[Risk Dashboard: Mors Baldock was asked to review the dashboard
107/03/2021: Updatec Centrai Risk Dashboard tabled for
IRCCYARC meetings in 3/2021. Draft format shared in advanceI
Iwith ARC Chair anc approach sensed checked with Gartner.
Format wil be flexed to pocommodate changing need 35 new
and make key {bigger picture) risks and trencs clearer, pulling this out TUNER 202 AN”. [Pabled-ernhe & Mie fate, Receleemanlad fer ebeeiate,
5 I aunumed’ a1 owttecgeh OM wetoarpcet ta ana terete I mark ck
ror tect aescy nthe destined ania the eo i pakeaag sa eae ones
Souty fun cueskesfemiae ce Teetng _[zyster-aggregated Dashtoards ete a2 Just falsing the rsx
‘ ert erates conenice
Rees mare espender crass po
aa ete ran ne crocs oma
pelea i ignite
(07/03/2021: LCG risk appetite update paper tabied for
eats tate iret ee cam eeeI
ele aa Oaeecce er eer cone
[Risk Policy: The Policy and Risk Appetite approach looked sensible ut sleet ere ti tral nz
without « rorked example, twas hard to know HR could be applied in Prior to March 2021 ipiace ite
[pproech to Risk Appetite via emall tthe Committee Defoe the oext I 20nat2an Hl oa eel som rom ee sre sm CAN
Senses aians mene can anion meee rc etlg [ese Sala werk pene a hye
Eee nti tina ots scty nouns sccrupy ne Cries
yb tne euler ee vesng ne
ee a cer cees win na cries ie
Seer caer ace
11 I 2uriy2020I 9.1 [har noted thatthe delegation of authanty co the HNL needed to beI 4.2 I eetng __laaeresed ac prt of standard project management
Sete ewat sce eras wou he peated tee noon oe mroryaibiane. (rteiseractes (ne asoseeen
I20/01/2021: Discussions concerning UKGI/BEIS Involvement
in Wistonca! Shortfall Scheme (HSS) approvals, which directly
latfecs the operation ofthe schemes have continued during
December and are expected to be finalised during January. A
\verbal update will be provided to the ARC relating tothe
latest postion agreed as at the meeting dates in January
12021. Furtner updete to be proviced in March 2021,
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
Tab 4.2 Action List
UKGI00038546
UKGI00038546
Rao Snead newcomer ee
commanded or danse
PeynneRisk apo: Aron Gn nd onto i west I gry I Blo ne an 202% IavoaG2: copa hae ended Piet hy ned
to I oapty2000 I soa fe sseuss the previausy raised ive relating to Capt anc Money I Ate, I" "anc Meeting stop using Post Oce branches and nd nner method
Savon Santee ee bro"2.) en teeters yx I Sate tr sea vty cfs wes oss ote
imag very as : sated = [posmpnen sae ti a coe earn
igen ao cang 07 S700. te Pot ste
toy for ney rot seven ped
Sat a oc tics, rate ae
Inventory re ORAS HROVEDTS eG ee
sites i ee ‘: [independence wording acced. A Working Group has been
sa I swovamesI a [testa he me frie vento lnependet dave I pgs ay, I Bf eur 2021 as ee acne orca
lponaes; ane Norton Rose Fullbright sndertaking
on a Flight re sneating an
Theos ecume rvs oe eet ot ean uaa: wren Rose
sponse TIDES Cen aE ETE ITER
[ars ds desea cue opts ten
leer gee at, Uae @ Hara 201 lice Aronhse Nene out spe on orn
44 I 26/01/2021 4a ‘Postmaster risks end how to validate GLO initiatives. Mork Baioock was rk Baldock) “""32C wiesting [risks appetite to cover such risks, The Compliance-ied wicer
fete tet op thru wea ue ee poe [aml even wl cap ec ae wich
Seinen ete” mato per apy wor ented rar Inesedaanane tone cpt Gro
aS ei eitiecesint oni rr ey fordoasre
Rak update: Ken Hai egies at te lining De even
Scent tn eth i ancy abu rc
[Pong 25g oth to prtrgs ett cn ois
x I ova] a1 (OMAN oe aemoreemterienine acta, Fa ce I lee © Merch 021 Red en ch ln we etna eso
(-Poragranh 27 relating to adverse external economic factors, noting [oar deserts Recetereeteet a Coe
fran teas ose atl nd Ot sare
vos hes ura non orc
spn mes na cier, aiser
Keres ga ot on eae nt cones mane
ppute Stators Lega & Cmplact Ras ts
‘that Ben Foat consider the wording of peragraph 14 relating to March 2001 AR. peeeaals Lat eee ee,
se I awovamas I aa naa entcome nerd wragi aura I aes ang I ME 2OTL ARC Ne i Ree ET ess
pervect en a "9 Recommended for closure.
SEE Appoue statement Lega «complica Ton Cape
aries tax ret un Oep OF (U0) war copstion Rk oen vere, 2001 ac A021: Lge conpanc ra pete
Action 17 from 26 January 2021 para 4.2 - Risk Appetite Statement: Legal & Compliance: [...] the investment being made in the Express Post Office proposition, and Ben Foat noted an argument could be made about state aid. This was to be [...]. Owner: Ben Foat. Due: March 2021 ARC Meeting. Update: An update paper has been tabled for the RCC/ARC 3/2021 meetings; a summary is included in this paper. Recommended for closure.
Action 18 from 26 January 2021 para 4.2 - Risk Appetite Statement: Legal & Compliance: [...] due to new legislation or regulation was really a commercial risk. This [...]. Owner: Ben Foat. Due: March 2021 ARC Meeting. Update: [...] has been [...]. Recommended for closure.
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
55 of 178
Tab 4.2 Action List
UKGI00038546
Action 19 from 26 January 2021 para 4.2 - Risk Appetite Statement: Legal & Compliance: As such, Mark Baldock was asked to look at identifying the KRIs for Postmasters with [...]. Owner: Mark Baldock. Update: An update paper has been tabled for the RCC/ARC 3/2021 meetings which provides an update on work to produce a set of supporting L&C Key Risk Indicators [...]. Recommended for closure.
Action 20 from 26 January 2021 para 4.3: [...] questioned whether this meant the onboarding process was quicker [...] to address this. However, the Chair asked Jonathan Hill to further [...]. Owner: Jonathan Hill. Due: March 2021 ARC Meeting. Update 23/03/2021: An update will be provided at the meeting in [...]; update to be provided in May.
Action [21/22] from 26 January 2021: [...] Committee and the Board and therefore questioned whether the issue [...]. Owner: Jeff Smyth. Update: [...] Deloitte and KPMG to the Board on 25/2 (as part of the CCRC [...]).
Action 23 from 26 January 2021 para 4.8 - Internal Audit Update: Johann Appel was asked to send Tom Cooper (and the rest of the Committee) a summary of the audit actions from the Mails & Parcels report. Owner: Johann Appel. Update: [Provided] on the 27th of January. Recommended for closure.
Action [24/25] from 26 January 2021: [...] (Mails, PUDO, Retail and Branch Identity Services) [...] agenda item. Owner: Nick Read. Update: It has been added to the March ARC agenda.
Action 26 from 26 January 2021 para 4.4: [...] was a key focus for the [...] culture were all fit for purpose. A GLO Dashboard would be presented to the Board on a monthly basis to give an overview of progress. Owner: Nick Read. Due: Update @ March 2021. Update: [...] shared ahead of the next Board Meeting on 30th March 2021.
Action 27 from 26 January 2021 para 4.4 - Internal Audit Update: Belfast Exit Follow-Up and PCI Compliance: [...] management have improved since previous reviews, but there were still significant risks that were largely outside the control of the programme [...], and this reduced confidence that objectives will be achieved as planned. Nick Read was requested to re-establish the regular [...] with the [...]. Owner: Nick Read. Due: Update @ March 2021 ARC Meeting. Update: Worldline have requested the re-establishment of quarterly [...] for the PCI-DSS programme. Worldline are marshalling the correct senior representatives, with the initial session targeted for [...]; a monthly [...] governance session which will [...] plans (for Belfast Data Centre Exit and PCI-DSS) [...]. This will commence on 1st April. Recommended for closure.
Action 28 from 26 January 2021 - Update on branch losses and balances on Postmaster accounts: Tom Cooper queried when the minimum value that can be settled centrally would be changed from £150 to £0, noting he thought this had been removed previously. Tim Perkins explained that Accenture had just quoted to do this, and it was requested that Tim Perkins provide the date as to when this would happen to the Committee once this [was known]. Owner: Tim Perkins. Due: Update @ May 2021 ARC Meeting. Update 23/03/2021: A new test and launch plan for the Horizon change is underway with launch dates mid-end April (either 14th April or 28th April depending on the number of test cycles that need to be completed). Further update to be provided in May 2021.
Action 29 from 26 January 2021 para 9.1 - Update on branch losses and balances on Postmaster accounts: The Chair noted that it was good to see the figures decreasing but that it would be useful to see a dashboard of branch balances and transaction corrections, possibly as an addition to the reporting on post [...]. Owners: Tim Perkins / Amanda Jones. Due: March 2021 ARC Meeting. Update 23/03/2021: The number of aged balances and transaction corrections are being tracked monthly as one of the metrics on the Voice of the Postmaster dashboard. See example from the [...] Voice of the Postmaster Dashboard.
Action 30 from 26 January 2021 para 9.1 - Update on branch losses and balances on Postmaster accounts: By email outside the meeting, Zarin Patel also suggested that root cause analysis should be undertaken into the gross losses/gains and net losses as these seemed very high (paragraph 8 of the paper). Owners: Tim Perkins / Amanda Jones. Due: Update @ May 2021 ARC Meeting. Update 23/03/2021: Tim Perkins will provide a verbal update on this [...] at the meeting on Tuesday 30th March. Further update to be provided at the May 2021 meeting.
Action 31 from 26 January 2021 para 10.1 - Postmaster Policies (Network Monitoring and Audit Support Policy): It was confirmed that the risk appetite was averse, but that this linked back to the earlier discussion regarding the risk appetite statement for Postmasters and the need for clear KRIs, which were required to judge whether the policy was being embedded; work to be completed on KRIs for Postmasters (see action above in paragraph 4). Owners: Tim Perkins / Amanda Jones / Mark Baldock. Due: Update @ May 2021 ARC Meeting. Update 23/03/2021: Alongside the postmaster policies creation and review, we are also reviewing risk appetite statements with Mark Baldock, with the aim of defining a set of operational risk appetite statements for use in these and future policies. Update to be provided May 2021.
Action 32 from 26 January 2021 para 10.1 - Postmaster Policies (Network Monitoring and Audit Support Policy): There was also an action to carefully consider references to "employee" throughout the document. Owners: Tim Perkins / Amanda Jones. Due: Update @ March 2021. Update: [...] review of the policy which is currently taking place. Further update to be provided in May 2021.
Action 33 from 26 January 2021 para 10.1 - Postmaster Policies: [An overarching] document demonstrating how the policies [fit] together [...]; this would be presented to the Committee in March 2021, with the Chair requesting that it be clear in this document who was the audience of each policy. Owners: Tim Perkins / Amanda Jones. Due: March 2021 ARC Meeting. Update 23/03/2021: The overarching document is called the Postmaster Guide to Policies and has been submitted to ARC for review on 30th March. It is Appendix 7 of the Postmaster [Policies paper]. Recommended for closure.
Action 34 from 26 January 2021 para 10.1 - Postmaster Policies (Postmaster Account Support Policy): The Chair questioned the wording of the risk appetite section and it was requested that this was reviewed before the policy was published/implemented. Owners: Tim Perkins / Amanda Jones / Mark Baldock. Due: Update @ May 2021 ARC Meeting. Update 23/03/2021: Alongside the postmaster policies creation and review, we are also reviewing risk appetite statements with Mark Baldock, with the aim of defining a set of operational risk appetite statements for use in these and future policies. Update to be provided in May 2021.
Action 35 from 26 January 2021 para 10.1 - Postmaster Policies ([...]): [The policy should include:] 1. A suggested timetable for decision-making; 2. Who would be involved in making decisions under Tier 3 (indicating that these should be people of appropriate seniority); 3. Information that would be provided to the Postmaster through the dispute resolution process (i.e. account records, Horizon data etc.); 4. Reference to classroom training that would be provided to Postmasters on investigating balance discrepancies; and 5. A check for each [...]. Owner: Amanda Jones. Update: The policy was updated accordingly and reviewed by the Chair before being sent to the Committee for approval via written resolution. Recommended for closure.
Action 36 from 26 January 2021 para 10.1 - Postmaster Policies: Zarin Patel by email (outside the meeting) raised the following points: both the Postmaster Account Support Policy (paras 2.8 and 4.1) and the Network Monitoring and Audit Support Policy (para 3) referred to [...] investigation [...]; the Network Monitoring and Audit Support Policy [...] the skill set and attitude of field auditors and how the new culture would be embedded so they did not approach the audit with preconceived [ideas]. Due: Update @ May 2021. Update 23/03/2021: The points raised are noted and are considered in the review of these policies which is currently underway. [...] As part of the training plan, we also address some of the [...] facing teams. An update will be provided at the May 2021 Meeting.
Action 37 from 26 January 2021 para 12.1 - Historical Matters Unit: Fraudulent Claims Controls & Delegation of Authority: A ways of working document has been agreed, but the [delegation of authority] was still being updated; once complete, it was to be submitted to the Board at its [next] meeting. [Further] sessions were being held on reporting to BEIS/UKGI. Owners: Graham Hemingway / Declan Salter. Due: Update @ May 2021 ARC Meeting. Update 23/03/2021: The RACID is being expanded to include HSS governance changes, specifically monthly reviews with [...] and quarterly reviews to also include Treasury. Additionally, RACID updates are required pending agreement on [HMU] and POL governance arrangements relating to assurance and conformance, which remains under discussion; [an update is] to be provided at the May 2021 Committee meeting. Work associated with fraudulent claims controls is now being addressed as part of standard programme management processes/activities [...].
Action 38 from 26 January 2021 para 12.1 - [...]: [...] actions and focus of the improvement work was on the controls of greatest risk, namely those areas connected with the management of [third party] exposure through the use of Post Office's [own] systems. The Committee requested that there be a detailed review of this, and this review would be reported to the Committee at the next meeting. Owner: Tony Jowett. Due: Update @ March 2021 ARC Meeting (report to [...] ARC Meeting). Update: KPMG review of existing IT controls underway. Controls second line TOM in development [...], with Sample of Controls for Managing Suppliers, focusing on Horizon, currently being analysed [...] exercise with [...] GLO team with [...] to be spread across all 3rd party suppliers once complete. Further update to be provided at the May Committee meeting.
Action 39 from 26 January 2021 - [Annual Report & Accounts]: The Committee [...] considered the Starling disclosures, especially in light of the recent legal case vs Uber. The Committee requested that an [...] Starling be brought to the Board in May 2021. Owner: [...]. Due: June 2021 Board. Update 23/03/2021: This is to be addressed at the June 2021 Board.
Action 40 from 26 January 2021 para 2.5 - Report & Accounts 2019/20: Tom Cooper mentioned that he had a few comments about the budgeting cycle that he would [...]. Owner: Al Cameron. Due: Update @ March 2021. Update 23/03/2021: The budget is due to be presented to the Board on 30 March and Finance have held a meeting with Tom Cooper. Recommended for closure.
Action 41 from 26 January 2021 para 3.1 - [Audit fees] FY 2019/20: Andrew Paynter further highlighted the incremental costs of the audit for financial year 2019/20, which had run for circa 9 months, and that these were being discussed with Al Cameron. It was also noted that fees for financial year 2020/21 also needed to be agreed. All fees were to be approved by the Committee and should be brought [to the Committee]. Owner: Al Cameron. Due: May 2021 ARC Meeting. Update 22/03/2021: Approval of fees will be requested at the May 2021 ARC.
Tab 4.3 Draft Risk and Compliance Committee Minutes (16 March 2021) - pending Chair Review
THESE MINUTES ARE SUBJECT TO REVIEW BY THE RCC CHAIR, AL CAMERON.
POST OFFICE LIMITED
MINUTES OF A MEETING OF THE RISK AND COMPLIANCE COMMITTEE OF POST OFFICE
LIMITED HELD ON TUESDAY 16 MARCH 2021 AT 10:00 VIA MICROSOFT TEAMS
Present:
Alisdair Cameron (Chair) (AC)
Helen Rhodes (People Shared Service Director) (deputising
for Lisa Cherry, Group Chief People Officer) (HR)
Attendees:
Tony Jowett (Chief Information Security Officer) (TJ): Item
5
I Peter Mitchell (Treasurer - Tax, Treasury and Supply Chain
Finance) (PM): Item 6
Ben Foat (Group General Counsel) (BF)
Amanda Jones (Group Retail and Franchise Network Director)
(AJ)
Jonny Lonsdale (Business Continuity Manager) (JL): Item 9
Martin Hopcroft (Head of Health & Safety) (MH): Item 9
Cathy Mayor (Finance Director, Commercial) (CM)
Andrew Goddard (Managing Director, Payzone) (AG): Item
10
Jeff Smyth (Group Chief Information Officer) (JS)
Mark Siviter (Product Portfolio Director - Mails, Retail, PUDO
& Gov services) (MS): Item 11
Regular Attendees:
Andy Kingham (Franchise Partnering Director) (AK): Item
11
Johann Appel (Head of Internal Audit) (JA)
Mark Baldock (Head of Risk) (MB) (for Items 1 - 6)
Dan Zinner (Group Chief Operations Officer) (DZ): Item 12
Katie Secretan (Head of Strategic Partnerships) (KS): Item
12
Jonathan Hill (Compliance Director) (JH)
Barbara Brannon (Procurement Director) (BB): Item 13
Tom Lee (Financial Controller) (TL) (for Items 1 - 8)
Tim Perkins (Service and Support Optimisation Director)
(TP): Item 15
Sarah Gray (Group Legal Director) (SG)
Sally Smith (Money Laundering Reporting Officer & Head of
Financial Crime) (SS): Item 16
Rebecca Whibley (Senior Assistant Company Secretary)
(RW)
Apologies:
Lisa Cherry (Group Chief People Officer)
1. Welcome and Conflicts of Interest
Action
The Chair opened the meeting and advised that all papers would be taken as read.
No conflicts of interest were declared.
2. Minutes and Action Lists
The minutes of the Committee meeting held on 12 January 2021 were APPROVED.
Progress on completion of actions as shown on the action log was NOTED as follows:
Action 1 from 7 November 2019 para 3.2 Supplier Contracts out of Governance -SSK:
Commercial negotiations did not conclude as planned due to GDPR complexities and
the contract has been extended on an interim basis again to the end of March. The
completed contract was received on Monday and was now awaiting review and
approval from Post Office Legal. This review was expected to complete prior to 22nd
March in order that the risk is closed by the submittal of the Audit, Risk & Compliance
Committee (ARC) paper. Further update to be provided at the next Committee
meeting. The action remained open.
Action 2 from 14 January 2020 para 10.6 - Money Laundering Reporting Officer
(MLRO) Annual Report: MRC were still not conducting any meetings. The action
remained open.
Strictly Confidential
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21
Page 1 of 15
Action 3 from 13 July 2020 para 3.5 Compliance Report - TelCo: The Telco sale
completed on 15 March 2021 and the action was closed.
Action 4 from 10 September 2020 para 4 Pensions Assurance: The final data has been
sent to the Royal Mail Pension Plan (RMPP). This will form the basis for the Trustee's
report to the Trustee Board on 23 March 2021. HR have requested advance sight
of the data to be presented. This was expected to give an initial view of the quantum
of the errors. A paper was being prepared for Project Assurance Steerco on 8 April
2021 that will bring together the data, Post Office’s obligations and wider
considerations so that an approach to discussions with the Trustee can be agreed. A
further update will be provided at the next Committee meeting. The action remained
open.
Action 5 from 12 November 2020 para 3.1 Risk, Compliance & Audit Update - Risk
Dashboard: Updated Dashboard presented to the Committee on 16 March 2021 (see
para 3.1 below) with data derived directly from ServiceNow following successful data
migration of Post Office risk data set in January 2021. Draft format has been shared
with ARC Chair. Format would be flexed in light of changing needs and requirements.
The action was closed.
Action 6 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update - Internal
Audit (Controls): An update on this work was contained within the Compliance paper
presented on 16 March 2021. [Please also refer to Action 19]. However this work has
been paused and was not expected to restart for circa six months. Accordingly, the
action was closed with further updates in the Compliance Paper in due course.
Action 7 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update - Internal
Audit (Joiners, Movers, Leavers): The IT actions for this have now been completed
with no discrepancies reported. HR have also confirmed this is complete. The action
was closed.
Action 8 from 12 November 2020 para 3.4 Risk, Compliance & Audit Update - Internal
Audit (Data Deletion): Further action by IT to create an auto-delete capability was
subject to funding, which will be reviewed during 2021/22. This action remained open.
Action 9 from 12 November 2020 para 4.2 Cyber Security (Phishing Training): This
list was provided as requested. The action was closed.
Action 10 from 12 November 2020 para 4.2 Cyber Security (Culture): The next steps
on culture/cyber awareness were now factored into the planning for the 2021/22
Cyber programme described in March paper (see para 5.2 below). The action was
closed.
Action 11 from 12 November 2020 para 4.4 Belfast Data Center Disaster Recovery
Testing: Jeff Smyth has agreed to schedule the next Disaster Recovery (DR) test at
a time in June which coincides with an opportune time in the Belfast exit programme
and a least invasive time in the PCI-DSS programme. There was some further
discussion around the dates now given some of the milestones in these projects will
be moved but the DR testing would remain in the same place (relative to milestones)
for those two programmes. In addition, IT were also looking at doing further testing
between now and the full DR test to ensure that more assessment of resiliency was
done (as far as practically possible) in parallel to the programmes in question. The
action was closed, but the Chair requested that it be fed back that the test in June
must go ahead (Rebecca Whibley to advise team).
RW
Action 12 from 12 November 2020 para 6 Notification of Transaction Error: The
changes required in CFS have been agreed with Finance and Accenture. The date for
completion was to be confirmed, but will be later than 19 March 2021 as indicated in
previous updates. The subsequent Branch Focus article would also be delayed. The
action remained open, with the Chair noting that the delay in implementing this was
uncomfortable. Amanda Jones explained that the issue was discussed on 12 March at
the Improvement Delivery Group (IDG) and direction was that the action needed to
be completed.
Action 13 from 12 November 2020 para 16 Data Governance: An updated was in the
Compliance Paper (see para 3.3 below). The action remained open.
Action 14 from 12 January 2021 para 3.1 Risk Update (MDA2): Risk rating was
reduced to 4:2 in line with signing of MDA2. The action was closed.
Action 15 from 12 January 2021 para 3.1 Risk Update (Purpose & Postmasters): This
was ongoing: Central Risk were currently supporting Retail & Franchise Network in
the identification of intermediate and local postmaster-centric risks (as well as
existing risks that impact postmasters). The updated dataset was to be included
on GRC in next reporting period. The aim was for this to be underpinned by appetite
statement on which ARC approval would be sought in May 2021. The action remained
open.
Action 16 from 12 January 2021 para 3.1 Risk Update (GRC Tool): Business Case
approval was being sought for GRC Phase 2 rollout from April 2021. This would
support the rollout of risk management capacity to all Business Unit Heads and Risk
Owners thereby ensuring accountability was positioned appropriately. There would
be a requirement for Risk Owners to review their risks every 2 months to allow
for accurate Committee/ARC updates. The action was closed.
Action 17 from 12 January 2021 para 3.1 Risk Update (Telco Sale): In light of Telco
sale the status of all associated risks have been changed to ‘inactive.’ The action was
closed.
Action 18 from 12 January 2021 para 3.2 Risk Update (Legal & Compliance Risk
Appetite): Legal & Compliance risk appetite paper was presented at the Committee
in March (see para 3.2) which provides advice on how the approach to risk appetite
would address the challenges around Modern Slavery risks. The action was closed.
Action 19 from 12 January 2021 para 3.3 Compliance Update (Controls Framework):
An update on this work was contained within the Compliance paper (see para 3.3).
[Please also refer to Action 6 above]. However this work has been paused and was
not expected to restart for circa six months. Accordingly, the action was closed, with
further updates in the Compliance Paper in due course.
Action 20 from 12 January 2021 para 3.3 Compliance Update (Data Management):
The Data Governance Steerco was already established for the data strand and was
up and running. A dedicated Data Governance lead role was being recruited (an offer
has been made) to take over the ownership of data governance and pick up the initial
work already conducted in this area e.g. identification of data owners / stewards /
SME's etc. The project was currently being led by Matthew Warren. Further update to
be provided at the next Committee meeting. The action remained open, with the
Chair commenting that this work was important and the Committee commented the
key was to be clear on overall accountabilities and a timetable. Jonathan Hill explained
this would be further addressed once the Data Governance lead was in post.
Action 21 from 12 January 2021 para 3.3 Compliance Update (Cookies): An update
on this work was contained within the Compliance paper (see para 3.3). The action
was closed.
Action 22 from 12 January 2021 para 3.3 Compliance Update (Financial Services -
Multi-Principal Review): The team were still awaiting the first draft of this review from
the Principals. It has been chased and a response was expected within the next 2
weeks. Further update to be provided at the next Committee meeting. The action
remained open.
Action 23 from 12 January 2021 para 3.3 Compliance Update (Financial Services -
Mystery Shopping): An update on this work was contained within the Compliance
paper (see para 3.3). The action was closed.
Action 24 from 12 January 2021 para 3.4 Internal Audit (Mails & Parcels): More
detailed actions were agreed with Mark Siviter and the report was re-circulated. The
action was closed.
Action 25 from 12 January 2021 para 3.4 Internal Audit (Historic Matters - Common
Issues Judgment (CIJ)): Management comment was added for the ARC summary and
the report was updated to reflect the latest status. A verbal update would be provided
at the ARC to reflect any further progress. Internal Audit now track and report the
remaining actions on a weekly basis. The action was closed.
Action 26 from 12 January 2021 para 3.4 Internal Audit (Post Office Insurance): Audit
report rating has been included in the table. The action was closed.
Action 27 from 12 January 2021 para 3.4 Internal Audit (Audit Actions): GE have
provided their approval of baseline crown jewel systems. No further follow-up action
required as update process is triggered by retirement/implementation of key systems
to baseline inventory. The action was closed.
Action 28 from 12 January 2021 para 4.1 PCI-DSS Update: This risk has been closed
off by the tech team in discussion with Santander tech team. They have confirmed
that Santander service will continue even while migration for the dedicated link to the
common Vocalink connection is undertaken, and all banks (including Santander) can
continue to use existing transaction types, so no change was required from any
bank. The action was closed.
Action 29 from 12 January 2021 para 4.3 Joiners, Movers, Leavers: The paper was
updated as requested prior to submission to the ARC on 26 January 2021. The action
was closed.
Action 30 from 12 January 2021 para 6 Supply Chain Historical IT Risks
(Questionnaire): IT have developed a "shadow IT" questionnaire and were testing
this approach locally within IT. This activity will be completed by 30 April 2021. Then
IT will progressively use the same "amnesty and sweep" approach across the
wider business to determine scale and importance of non-IT supported systems. The
team will report back in May on IT progress findings with a proposal for how to rollout
across wider business. The action remained open.
Action 31 from 12 January 2021 para 6 Supply Chain Historical IT Risks (Further
Update): Following on from the previous update given to the Committee in January,
KPMG who undertook forensic examination of the impacted PCs have found that no
external access had been made to the devices. As a result no compromise of Post
Office data has occurred and no breach of any GDPR obligations. KPMG made
recommendations around password security and ensuring the business had a robust
asset register of all IT assets in order to ensure that this issue could not be repeated
again. The Supply Chain / IT review of all Supply Chain sites has not uncovered any
further breaches and as such no further actions are required. The action was closed.
Action 33 from 12 January 2021 para 7 Annual Money Laundering Report (Money
Service Businesses (MSBs)): Following the last meeting, there has been more
movement at an industry level on driving focus on resolving the issues with cash
deposits, with several banks now being more proactive and have tightened their
controls. Martin Kearsley and Sally Smith have had several meetings with UK Finance,
and the National Economic Crime Centre (NECC) Project Admiralty is now meeting
monthly. The NECC were also meeting with UK Finance and Sally Smith to discuss
further ways to drive control improvements. At this stage, the issue with MSBs has
not been raised specifically with the banks, as if they implement required controls,
this ceases to be an issue for Post Office. We were also aware of ongoing Law
Enforcement/Regulator activity with certain MSBs which will likely result in better
controls. A further update will be provided to the next Committee meeting. The
action remained open, with the Chair noting that a clear outcome was needed by May
2021.
Action 34 from 12 January 2021 para 7 Annual Money Laundering Report (Amazon
Vouchers): Payzone were progressing changes, but do not yet have implementation
dates, transactional changes and limits to the product are also being pursued by EPay,
but they have not yet confirmed date of changes. Financial Crime have requested
that Payzone press EPay for a delivery date, or ‘pause’ sales of the product. Payzone
have provided the following update: weekly meetings were scheduled with the
Financial Crime team were ongoing to ensure progression. Talks with EPay and
Amazon regarding fraud mitigations were continuing with feedback expected for the
next meeting. A ticket has been raised with Service Now for a pop up message. A
further update would be provided to the next Committee meeting. The action
remained open, and at the request of the Chair, Jonathan Hill further explained that
the team was also looking to impose a basket limit and a pop up warning, which were
subject to deployment time. This would reduce the risk. The Chair noted that the data
on transactions should be tracked to monitor this issue.
Action 35 from 12 January 2021 para 7 Annual Money Laundering Report (Report
revision): This was addressed in ARC report in January. The action was closed.
Action 36 from 12 January 2021 para 7 Annual Money Laundering Report (PCI-DSS
Programme): Session held between Jeff Smyth, Sally Smith and relevant team
members to understand types of data analysis that the team perform. As part of data
platform activity, the Financial Crime Team “use cases” will be incorporated into the
overall platform demand plan. Their needs will be prioritised versus other business
demand. It was anticipated that requirements gathering/analysis phase will occur in
FY21 Q1, although this is subject to Investment Committee funding prioritisations.
The action was closed.
Action 37 from 12 January 2021 para 8 Pensions Assurance: David Scothern replied
to Ben Foat on 22 January 2021. Further update since then: The pensionable pay
data shows errors that date back to 2014 and contains both overpayments and
underpayments: It should be noted that this was data on pensionable pay and
allowances. This data will need to be processed by Royal Mail Pension Plan (RMPP)
administrators to convert it into pension benefits. RMPP processes included the
application of various underpins so errors in pensionable pay data do not necessarily
become errors in pension benefits. The action was closed.
Action 38 from 12 January 2021 para 10 Update on Branch losses and balances on
Postmaster accounts (Change Spend): The change budgets relating to service
improvements, and including the Deloitte work, have all been put under a single
programme of work (Postmaster Service Improvement Programme) and this
programme has been approved at Project Review Board and Investment Committee.
The programme will manage prioritisation of activities taking its lead from the Deloitte
work. The action was closed.
Action 39 from 12 January 2021 para 12 Mails Fraud Update (Analytical Capability):
The scope for this work was being looked at in the wider context of a forensic capability
being stood up within Horizon IT: there are natural synergies around the set of
capabilities to provide analytical services across a broad range processes and these
can leverage off the work being looked at around rapid surfacing of transactional data.
Further update was to be provided in May 2021. The action remained open.
Action 40 from 12 January 2021 para 13 Historical Matters Unit (HMU) (RACI Matrix):
A draft RACID matrix was shared with Historical Matters Committee on 18 February
2021 and with GE w/c 22 February 2021. Additionally, draft RACID shared with
internal audit for feedback. Feedback from CFO was being reviewed and discussions
are ongoing with Finance and with Strategy and Transformation Director relating to
governance arrangements which will then be incorporated into an updated RACID.
The action remained open and it was agreed that there remained uncertainty
about the roles within HMU and its interaction with BAU. The Chair also highlighted
assurance within HMU and Johann Appel explained that the Internal Audit had found
that governance had taken too long to formalise within HMU. It was agreed that
Graham Hemingway should meet with Gareth Clark of IDG to finalise the RACI from
both sides (HMU and BAU) and then this should reviewed by the Chair, Ben Foat, Dan
Zinner, Declan Salter and Johann Appel. (Rebecca Whibley to inform relevant
individuals)
Action 41 from 12 January 2021 para 13 HMU (GE Report): The HMU GE reports
contain risks and controls. The Risk Log for the Scheme was additionally shared with UKGI and
top risks were reviewed at monthly monitoring meetings. Programme updates for each
workstream are included in the reading room for every Board submission. Declan
Salter calls-out any issues in his monthly report for both GE and Board. The action
was closed.
Actions 42 - 44 from 12 January 2021 paras 14 & 15 Policies: These were corrected
prior to submission to the ARC. The actions were closed.
RW
Risk, Compliance and Audit Update
3.2 Risk
Mark Baldock introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted:
- The paper was now again in dashboard format, as ServiceNow had been
implemented. The team was now seeking approval for the next phase of the
ServiceNow roll-out at the Project Review Board, which would enable risks to
be managed beyond the Central Risk team by the relevant owners across the
business.
- There had been some challenges getting information on risks from the HMU,
and all HR risks had been reviewed and added to the system.
- Postmaster risks were still being worked through but a Postmaster-centric risk
view and appetite statement would be prepared soon. In response to a
Tab 4.3 Draft Risk and Compliance Committee Minutes (16 March 2021) - pending Chair Review
THIS MINUTES ARE SUBJECT TO REVIEW BY THE RCC CHAIR, AL CAMERON.
question from Amanda Jones about whether the local risk on non-compliance
with GLO findings should in fact be an intermediate risk, it was explained that
there was no difference between the importance or visibility of a local risk and
an intermediate risk.
- Risks had been included for the post-COVID future workplace, based on
returning to the office around September 2021.
- Around a third of the risks were acceptable risks, meaning that if ratings were
satisfactory, the business could be guided to focus on higher-level risks. The
risks identified as the "top risks" were taken from ratings made by the business
and were mainly in the commercial space.
- The risk numbers and risk weights within the paper showed all risks across
the business, grouped by area and type. There might be some churn in these
risks, but ultimately these were thought to be about right.
The Committee discussed the following points:
- Ben Foat highlighted the need for the relevant business areas to consider risks
before they are reported to the Committee and Mark Baldock confirmed the
system reports would be run a week after the end of each two-monthly
reporting period and would then be circulated to GE for input.
- Ben Foat also questioned the 63 risks listed for Legal, Compliance and
Governance (LCG). Mark Baldock advised that these were a combination of
LCG-owned risks and legal & compliance risks owned by other parts of the
business (such as Commercial). He would include a 'horizontal' analysis of
such corporate-wide risks in the next version of the Dashboard.
- It was also agreed that Mark Baldock would consider how to present the
Enterprise risks (see slide 6 of the paper) in relation to legal and regulatory
non-compliance as the risk was very dependent on what law/regulation was
not complied with.
- It was agreed that Mark Baldock would share the risk dashboard with Deloitte
and that he should join up with Deloitte as part of their work on post GLO
compliance.
- The Chair requested that Mark Baldock produce a covering paper for the
dashboard to make it clear which risks were changing.
The Committee otherwise NOTED the Risk Dashboard for onward submission to the
ARC.
Risk Appetite Statement: Legal & Compliance
SG
Compliance
3.3 Jonathan Hill introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted and discussed:
- Controls Framework: A decision had been taken to pause this work and review
it at the end of the summer, given Public Inquiry work and the need for the
business to have processes properly mapped. Controls work would be done as
needed, with Jeff Smyth particularly highlighting the IT controls given the
KPMG report.
- Telco: The transaction completed on 15 March 2021 and the team had moved
to Shell. Ofcom had confirmed it would not investigate the comms incident and, in
respect of PSD2, the audit was accelerated. It passed for all bar two individuals,
and for these individuals remediation actions had been agreed. A close-down
report on the Telco sale was expected later in the week.
- Cookies: Compliance had worked with the Digital team in Commercial and it
was agreed that there would be negligible commercial impact in putting in changes
to place Post Office back "in the middle of the pack". The Chair agreed that
good progress had been made, but highlighted that being middle of the pack was
not a commitment and, should it become one, further discussion would be required.
- Financial Crime: The PipIT contract had now been formally exited. The Chair
questioned whether individuals depositing high values onto numerous cards
belonging to multiple partner banks at branches located in Scotland, advising
that the funds were to pay university tuition fees, was an issue. Jonathan Hill
explained the question was whether this was what the deposits were actually
for and, whilst it was the banks' job to establish this, Post Office provided support
through its work with NECC Project Admiralty. It was also noted that the
nationality of the individuals was irrelevant and should be removed from the
paper.
JH
- Supply Chain Compliance: It was identified that there were issues with the
Note Circulation Scheme Bond, with incorrect values being paid in.
Subsequently it was established that there had been 14 late Bond incidents over
the last year. These had now been investigated, root causes established and
corrective actions to prevent recurrence implemented. Compliance
had undertaken assurance reviews at both Birmingham and London to ensure the
new controls were effective, and no further issues were identified. A formal
response to the Bank of England was sent on 26 February 2021. The Bank
would decide whether the incident warranted losing the late Bond facility, issuing a fine,
or no action. No response had been received as yet.
- Documents from the Postal Museum: The Chair also noted that he had been
asked to help allow better access to the Postal Museum to examine documents
before the deadline for filing at Court of 22 March 2021. Ben Foat agreed he
would follow up with Nick Vamos on this.
BF
The Committee otherwise NOTED the Compliance Update for onward submission to
the ARC.
Internal Audit
3.4 Johann Appel introduced the report, which had been circulated previously and was
taken as read. The following points were discussed:
- Good progress had been made on the current year plan but the last three audits had
been delayed in order to provide assurance to the IDG in preparation for the
Public Inquiry.
- CIj Improvement Programme: Four actions were outstanding which would be
tracked through the IDG and normal action tracking process. Johann Appel
was meeting with Declan Salter later on 16 March 2021 to agree the
management comment.
- Historic Matters - Set-up and Governance: Johann Appel would also agree
management comment and finalise outstanding actions with Declan Salter
later on 16 March 2021. Johann Appel was asked to ensure the report was
discussed with Nick Read before it was finalised for the ARC.
Ben Foat highlighted that when discussing HMU governance, it needed to be
made clear that governance had only been lacking/not formalised over the last
six months or so, since the creation of the HMU, and particularly in relation to
the Historical Shortfalls Scheme (HSS) and the Stamps scheme. The
Committee also made clear that this report should be shared with Deloitte to
ensure they were working from the same data, and Internal Audit discussions
with Deloitte on this topic should continue.
- Postmaster Reporting: This audit had concluded that the Management Information
(MI) currently provided was not fit for purpose and was largely reliant on Area
Managers providing the information, with no self-serve option. Actions were
being finalised with Nick Beal and then the report would be issued. Amanda
Jones highlighted that there was no "silver bullet" answer to this issue as it
depended on a number of things including data and system investment. The
Chair noted that there were a number of MI issues across the business and
any fixes would need funding. This needed to be highlighted in the
commentary and conclusions of the report before it was submitted to the ARC.
In response to a question from Ben Foat, Amanda Jones confirmed that a
Postmaster scorecard was being developed as part of the Voice of the
Postmaster meeting. This particular audit was about the information provided
to Postmasters to help them run and grow their Post Offices. The team were
considering what could be done on Branch Hub to support the provision of this
information.
- Post Office Insurance Pricing Audit: The Chair requested that Johann Appel
add more information to the report before submission to ARC as to why the
audit was rated as needs significant improvement.
- Audit Actions: It was highlighted that the outstanding audit action regarding
Cyber Security Maturity Assessment should not be postponed a third time.
The Committee NOTED the Internal Audit update, specifically progress being made
with delivery of the Internal Audit programme and completion of audit actions.
JA
JA/AI
JA
Internal Audit Plan 2021/22
Johann Appel introduced the paper, which had been circulated previously and was
taken as read. It was explained that the initial plan had been adapted to address IDG
requirements. The plan was dynamic and would be reviewed quarterly. Depending on the
outcome of the planned IDG reviews in Q1, some of the Postmaster-focussed reviews
could be brought into the main plan. The plan was Postmaster-centric, but the
challenge was completing these Postmaster-focussed reviews alongside the required
IDG work.
The Committee NOTED the draft audit programme for 2021/22 and APPROVED the
2021/22 Internal Audit plan, for onward submission to the ARC.
IT Updates
PCI-DSS
5.1
The Committee NOTED the progress made during the last reporting period and the
key risks. It was also agreed that this need not be a standing agenda item for the
Committee moving forwards.
Cyber Security
5.2
Tony Jowett introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted and discussed:
- The Security Architecture document was late but was in progress. It was
agreed that an interim update should be provided to the ARC in March and
Tony Jowett was asked to add this to the paper before it is submitted to the
ARC.
- On the 2021/22 Cyber Programme, the focus was on Postmaster support and
Post Office’s underlying maturity. The programme was now going through
portfolio and financial approval.
- A second desktop exercise had been completed and the report included a
report from Nettitude (red team and pen test supplier). Essentially the test
went well across IT, but gaps were found in Post Office's technical capabilities
to quickly identify the location of Personal Information within its network.
The need for this capability would be assessed as part of programme planning
for 2021/22 and could cost around £1.5m. It was requested that the
potential £1.5m cost be "brought to life", including the cost of the software,
the potential cost or risk of not doing anything, and any alternatives. This needed
to be added to the paper before it was submitted to the ARC.
- On the Dashboard, a follow-up with GE members on the recent fake phishing
attack had been completed. Those who clicked on the link but did not complete
the follow-up 5-minute training task had been individually contacted by the
relevant GE members. Another fake attack would be done and better behaviour
was required.
The Committee NOTED the status and plans regarding the reduction of risk
associated with Cyber Security.
TJ
TJ
Foreign Currency and Hedging
Tom Lee and Peter Mitchell introduced the report, which had been circulated
previously and was taken as read. The following points were highlighted and
discussed:
- Post Office holds inventory (foreign currency) on its balance sheet (hedging)
for which there is a policy and this needed to be accounted for and reported
correctly.
- An issue was picked up in December 2020 relating to an automated
programme (from Accenture) which should revalue any stock and then post
the value. The programme was revaluing but was not then posting correctly.
This meant that Post Office was slightly overstating its balance sheet and
understating its Profit & Loss. This affected around £25m and, as stock reduced
significantly during COVID-19, the issue was not picked up sooner. Foreign
currency holdings as at the end of December 2020 were manually revalued.
- Helen Rhodes questioned whether there was any redress with Accenture. Peter
Mitchell explained that this was being discussed with IT and that Accenture
had acknowledged they were partly at fault. However, ultimately, Post Office
had not lost money, it was just slow to recognise accounting entries.
- Jeff Smyth questioned whether another opinion on the issue was required.
Peter Mitchell explained that he and Tom Lee were looking at it from a
Treasury and an Accounting perspective respectively, with Accenture considering
the technical solution. Manual revaluation had been used for the last three
months and this had proved effective. Another opinion or an Internal Audit view could
be sought, but the crux was making sure the manual calculation was correct.
- Ben Foat questioned the ramifications of this issue including exposure to First
Rate Exchange Services (FRES) and other operational implications. Peter
Mitchell explained the only implications were for the Post Office balance sheet.
An adjustment has been put through to “catch up” the balance sheet. There
was no fundamental issue for the balance sheet or P&L, it was just delayed
recognition. There has been no loss to FRES or the customer. However there
were clearly lessons to be learnt about governance and testing of systems
before accepting the handover of them.
The Committee NOTED:
i. the process of revaluing foreign currency and the hedging of foreign exchange
risk at Post Office; and
ii. the summary of issues identified in year, the manual fix implemented and
planned changes to create a better process.
Mark Baldock left the meeting.
Annual Legal Risk Review (Non GLO/Starling)
Law & Trends Update
Tom Lee left the meeting.
9. Business Continuity
Jonny Lonsdale and Martin Hopcroft introduced the paper, which had been circulated
previously and was taken as read. It was explained that a gap analysis of the
alignment of the Business Continuity Management System (BCMS) to the BSI ISO 22301
(Business Continuity) standard had been completed. The Gap Analysis had found that
the overall status of the Post Office BCMS was non-compliant with some aspects of
the industry standard, in particular the lack of a detailed Business Impact Analysis
(BIA) for each department. A BIA should be in place for each department to enable
prioritisation of the activities with the biggest impact in the event of an issue. This
underpins the BCMS and testing. There was definitely a lot more work to do. The
Committee raised the following points:
- Johann Appel was concerned that some of the gaps identified were those that
had been identified before through Internal Audit and that had been confirmed
as closed. It was agreed that Johann Appel and Jonny Lonsdale would discuss
this offline.
- The Internal Audit Plan also included a review of Business Continuity in Q4.
- The Chair was pleased to see progress in this area and questioned whether
Business Continuity Plan owners had been identified to ensure accountability.
Jonny Lonsdale explained that the majority of owners had been identified,
along with BIA Champions, and meetings had started to guide individuals
through the BIA and Business Continuity Plan. The key was to document the
accountability.
- Helen Rhodes questioned whether there were any inherent risks or whether it
was simply an issue of lack of documentation. Jonny Lonsdale explained that
ultimately, the risks were unknown because the BIA was not documented.
- The Chair further highlighted that an end-to-end test of Horizon and cloud
migration had not been completed and this was one of the biggest risks. Jonny
Lonsdale was asked to discuss this with Howard Booth and provide an update
to the Committee at its next meeting.
The Committee NOTED the summary findings of the Business Continuity Gap
Analysis review for Post Office Group for onward submission to the ARC.
10. Deep Dive: Payzone Governance
The Committee NOTED the Payzone Risk & Compliance Update report for onwards
submission to the ARC.
JL
11. Deep Dive: Dangerous Goods
Amanda Jones, Mark Siviter and Andy Kingham introduced the paper, which had been
circulated previously and was taken as read. The Committee discussed the following
points:
- This had always been an area of concern as branches are the first line of
defence, so ultimately Post Office could not control it completely. However,
responsibilities needed to be taken seriously as the consequences of breaches
would have significant financial and reputational impacts. It was also a
complex area and not easy for Postmasters. The key was to improve and
systemise where possible so as to reduce the risk of breaches.
- Andy Kingham explained that the first phase of improvement was to offer a
Horizon menu-based alternative to the manual scanning of the dangerous
goods laminate (which requires individuals to remember to scan the laminate).
This was currently being trialled in 167 branches for feedback. Provided this
feedback was positive, this would be rolled out in waves from April 2021
onwards with the potential of a full roll-out across the entire network by the
end of quarter one 2021/22. Further phases were outlined in the paper. The
Chair requested that the timeframes were made clearer in the paper before
the paper was submitted to the ARC.
- Around half of the failures from mystery shopping visits were because the
mystery shopper did not see the Postmaster put the relevant label on the
parcel. This could be addressed by printing the label with the transaction
(phase two). This required permission from the Civil Aviation Authority (CAA).
This required a three-way dialogue including the CAA and Royal Mail, but Mark
Siviter was confident the CAA would agree to the proposal.
- Phase three was subject to a business case and involved simplification on
Horizon to move the Dangerous Goods transaction start point earlier and
customer self-certification via the PIN pad. These changes could increase the
transaction time so this needed to be considered carefully.
- It was also explained that the pandemic had had the benefit of Area Managers
being in more frequent contact with branches, meaning Branch Insight Tool
data could be acted on more quickly.
Accordingly, the Committee NOTED:
i. the activity undertaken and planned in order to improve conformance to the
required process; and
ii. the anticipated improvement in mystery shopping conformance as a result of
the proposed system changes
for onward submission to the ARC.
AK/MS
12. Strategic Partner Financial Stability Update
Katie Secretan and Dan Zinner introduced the paper, which had been circulated
previously and was taken as read. The following points were raised in discussion:
- The Chair questioned the strategy for building relationships with these
partners given it was clear that shops like McColls had benefited from the
pandemic but were still reducing the number of Post Offices in their network.
Dan Zinner explained that there was a hill to climb because of Post Office's
history with its partners, but that the key was considering different
propositions of Post Office and ensuring better value for money, technology
and processes. Katie Secretan noted that for many smaller stores an
integrated Post Office proposition would help sell the partnership. The
partners' approach had shifted from looking at having Post Offices across the
whole estate to a branch-by-branch view. The key was to get them to see the
value of having Post Offices across their whole estate: the idea being that
partners would have Post Offices across their whole network but that they
could have flexibility on what format was used in each branch.
- The Chair also questioned whether there was a place for cashless branches.
Katie Secretan explained that for most partners simplicity was key, but
whether cashless was the best approach would depend on looking at data on
what services customers utilised in a particular branch. A further consideration
was what services drove additional basket spend in store.
The Committee otherwise NOTED the Strategic Partner Financial Stability update for
onward submission to the ARC.
13. Procurement Compliance & Governance
Barbara Brannon introduced the paper, which had been circulated previously and was
taken as read. The following points were highlighted:
- Lexington Communications Ltd was subject to approval by GE on 17 March
2021.
- Cheque Processing for Postal Orders and the Camelot risk were due to be closed by
the end of March.
- Digidentity was to be discussed at GE on 17 March 2021. It was explained that
essentially, Digidentity were the only supplier able to offer the services
required for the UK Verify contract, however, Procurement were working to
ensure Post Office was not committed to an extension with Digidentity if the
requirements of UK Verify changed.
- Largely, the picture on Procurement was unchanged since January, with two
large, compliant contracts forming part of the GE paper for 17 March 2021.
The Committee otherwise NOTED the Procurement Risk Exceptions submitted to the
Post Office Limited Group Executive and Board since January 2020 and the
Procurement Pipeline for onward submission to the ARC.
14.
Policies for Approval
The following policies were APPROVED for onward submission to the ARC:
- Health and Safety; and
- Procurement.
15. Postmaster Policies
Amanda Jones and Tim Perkins introduced the report, which had been circulated
previously and was taken as read. The following points were highlighted and
discussed:
- Six policies were presented for approval, which were part of a suite of 12 new
policies. They have been reviewed by Legal and had input from the National
Federation of Sub-Postmasters (NFSP).
- A Guide for Postmasters on the policies was also included, which was a specific
request from the ARC. The policies were internal, i.e. for colleagues, and the
guide sets out Post Office's obligations to Postmasters as part of the Postmaster
support guide.
- The Chair highlighted the need to measure the outcomes of these policies to
demonstrate that they were effective and it was critical to build in compliance
and assurance testing. Tim Perkins agreed that this was vital and that an
interim set of controls was already in place to ensure policies were working
effectively. A self-assessment of controls was carried out on a monthly basis,
feeding into measures of policy effectiveness. More broadly, there was a
complaints and investigations dashboard and reporting to the Voice of the
Postmaster meeting on transaction corrections. Tim Perkins was asked to add
this detail to the ARC paper prior to submission.
- It was also noted that the Chair was listed as the GE Sponsor for the Network
Cash and Stock Management Policy but had not been asked to review it.
Jonathan Hill was asked to ensure that policy sponsors were properly briefed
before policies were submitted for approval.
- On the Termination Policy, the Committee discussed whether someone
independent should be given the opportunity to review the termination
decision. Amanda Jones explained this was still being considered and she was
keen to understand what other franchises do. One option was to use the
Postmaster Non-Executive Directors. It was agreed that the policy should be
amended to include the intention that there would be some form of
independent review prior to submission to the ARC.
- On the Training Policy, questions were raised about how Post Office could tell
whether training was effective and the Chair felt that the policy should state
that onsite training would include times when cash deliveries and pick ups
happened as well as when monthly balancing was done. Tim Perkins explained
that training reviews were done at three and six month intervals and the plan
was to use branch data for better insight and to produce dashboards. It was
agreed that the policy would be amended to include more detail on measures
of training effectiveness. Ben Foat further suggested that operational
examples needed to be included in the policy to bring it to life and this was to
be done before the policy was submitted to the ARC. It was also agreed that
Tim Perkins would feed back to Tracy Marshall (Postmaster Effectiveness
Director):
1. Concerns about the reduction in training time from 5 weeks to a digital
offer with two days' face-to-face training and a week of shadowing.
2. Whether the half-day course on loss recovery/balancing should be
compulsory or longer.
TP
JH
TP
TP
TP
- It was also requested that the MI from the monitoring of these policies be
reported on a quarterly basis to the Committee, with more regular reporting
to the Voice of the Postmaster meeting. (Rebecca Whibley to add to the
Committee agendas moving forward).
RW
- Jeff Smyth also highlighted that there were some products that could not be
trained on in the Counter Training Office and some support processes that could not
be practised in full. Thought needed to be given as to how full training on
these products and processes could be given.
The following policies were APPROVED for onward submission to the ARC, alongside
the cover paper, subject to the amendments discussed above:
- Guide to Policy Standards for Postmasters;
- Postmaster Complaints Handling Policy;
- Network Transaction Corrections Policy;
- Network Cash and Stock Management Policy;
- Postmaster Termination Decision Review (see amendments above);
- Postmaster Training Policy (see amendments above); and
- Postmaster Onboarding Policy.
16. Whistleblowing Policy
The Committee APPROVED the proposed amendments to the Whistleblowing Policy
and the appointment of the Whistleblowing Champion, for onward submission to the
ARC.
17. Review of draft Audit, Risk and Compliance Committee meeting agenda for
30 March 2021
The draft ARC agenda for 30 March 2021 was NOTED with the following comments:
1. The Payzone Governance Report could be a noting-only item;
2. The Foreign Currency and Hedging Paper presented to the Committee should
be added to the agenda for noting only; and
3. Tracy Marshall (Postmaster Effectiveness Director) should be invited to attend
the Postmaster Policies section;
subject to the agreement of the ARC Chair.
RW
18. Any other Business
There was no other business, save that it was noted that at future meetings, the
Chair would agree with the Committee at the beginning if there were any papers that
need not be discussed, such that presenters could be stood down in good time.
Tab 5.1 Risk Update
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Risk Report
Meeting Date: 30 March 2021
Author: Mark Baldock, Head of Risk
Sponsor: Alisdair Cameron, Chief Finance Officer
Input Sought: Noting
The Audit Risk & Compliance Committee (ARC) is asked to note the current status of key
risks, our risk appetite activity and GRC implementation.
Executive Summary
ARC is asked to:
- note the key risks we currently face, with particular focus on those in the Strategic,
Postmaster, Commercial, People, Operational and Financial space
- note our risk appetite activity
- note current progress on the design and build of the GRC tool
Report
- What are our key risks (new and existing) and their materiality?
- What is the status on risk appetite?
- What is the status of GRC implementation?
Key Risks
As at the end of 2/2021 the Post Office had 556 active risks (14 enterprise, 90
intermediate, 453 local). Detailed analysis is provided in the appendix.
Overall the Post Office’s risk profile is broadly stable and being effectively managed with
clear focus on priority areas such as Postmaster and HMU risks. The key risks we face
(new & existing, top-down & bottom-up) are primarily in 6 areas namely Strategic,
Postmaster, Commercial, People, Operational and Financial.
Strategic
These concern risks arising from pursuing a strategy which is subsequently seen as
poorly defined, and/or is based on flawed or inaccurate data or fails to support the
delivery of commitments, plans or objectives due to a changing macro-environment.
Risks are increasing.
There is a need to secure shareholder alignment/agreement on the optimal balance
between securing the requisite trading profit and the importance of maintaining ongoing
support for Postmasters, given the challenges faced in a pandemic environment. It is
also the case that the Post Office brand could be threatened by the imminent court
judgements and the outcome of the Judge-led Inquiry.
A key workstream in this area is our support of the Historical Matters Unit in articulating
a set of risks which can be mitigated and tracked. Work continues but risks already
identified include (i) the possibility of additional claims being against the Post
Office from postmasters not part of the original court action and (ii) the
pos: ity the ongoing Inquiry is critical of the Post Office response to the
findings. On the latter effective participation in the Inquiry is being managed by a
specific workstream with work is overseen by an executive chaired Steering Group.
External support is also being provided by Lexington
To ensure all risks in this complex and multi-layered environment are being surfaced
Central Risk are sighted on the outputs of the recent established Improvement Delivery
Group. We have also agreed with emerging recommendations from the Deloitte
Postmaster journey review. This seeks to place Central Risk at the heart of the Voice
of the Postmaster forum to understand all the risks associated with postmasters, the
controls in place to mitigate these risks, setting a clear risk appetite for each area as
well as identifying out assurance requirements across the 3 Lines of Defence over the
key risks.
Postmasters
7. It is important to note that the Post Office has proactively supported Postmasters during the pandemic, such that remuneration has increased overall this year (compared to 2019/20) and is forecast to increase slightly in 2021/22. Clearly the pandemic has had a material (but reducing) impact on the number of branches, such that we needed to request a waiver in 6/2020 to the 11,500 network target. More recently the Deloitte Postmaster journey review has been shared with the Board. In addition, we are aiming for mediation on the workers' rights claim. We acknowledge that although there is a great deal of work to do, we consider a lot of progress has been made, particularly in recent months. In light of this we consider the risk profile is reducing.
8. Central Risk are proactively supporting the business in the identification of a wide range of postmaster-centric risks around, for example, dispute resolution, transaction corrections, cash and stock management, complaints handling, onboarding, training and contract performance. The recently produced Postmaster policies (with their minimum control standards) are a key input into this work. Urgent discussions are already underway to ensure the risks are correctly articulated and rated and that appropriate mitigation plans are in place. They will have a supporting risk appetite statement as well. The outcome of this work will be reported to ARC in 5/2021. As we have advised before, notwithstanding such risks, evidence shows Postmasters continue to trade strongly during the ongoing difficult trading conditions (particularly around Mails & Parcels) and have not reacted strongly to the GLO judgements.
Commercial
9. The overarching risk we face in this space is that our Commercial proposition is unattractive because existing products are too complex or confusing and new products are cost-ineffective, unable to be scaled and/or unattractive to the market. Overall risk position is flat.
10. Key downstream risks include (i) existing and emerging requirements of Post Office (new and existing) customers across the various sectors not being met and (ii) the Post Office being unable to offer a relevant ID Service which meets customer need and remains relevant to the market. A series of recent initiatives are a direct response to such risks.
11. For example, the Post Office's joint venture with Yoti will enable companies to use Post Office and Yoti identity verification services for fraud detection, e-signatures and customer authentication services. This will support the expansion of our identity services and help secure new additional revenue for Postmasters.
12. In addition, we have also partnered with Amazon to launch a click and collect trial in 200 branches in Newcastle, Preston and Edinburgh. This will allow customers to pick up Amazon parcels at their local Post Office. If the trial works the click and collect system could expand to other parts of the UK.
13. Finally, the Post Office's decision to sell its Broadband and Home Phone service to Shell Energy allows for a greater focus on our core services, albeit we are unable to invest the proceeds of the sale for profit. This sale had the advantage of reducing our overall risk profile, given the residual Telco risks were formally closed following completion of the sale.
14. We continue to have a risk around our continuing close relationship with Royal Mail. However, this is being effectively mitigated as a result of the recent signing of MDA2 in 12/2020, which ended our exclusive mail distribution agreement with them, hence the Amazon partnership mentioned earlier.
15. We are also at an advanced stage of our work on Banking Standard Framework 3.
16. There remain commercial risks around adverse trading performance, in part prompted by the ongoing consequences of the pandemic, although trading continues to be strong in Mails and Parcels. Nevertheless a risk remains that travel insurance will continue to be adversely impacted. Although POI have successfully launched a COVID-compliant product (and a travel product is back on sale), ongoing and unpredictable European travel restrictions are likely to continue to hamper travel recovery well into 2021.
People
17. These concern risks of potential ineffective leadership and engagement, a sub-optimal business culture, inappropriate behaviours, the unavailability of sufficient capacity and capability, industrial action and/or non-compliance with relevant employment legislation/HR policies, resulting in a negative impact on performance. Since 1/2021 Central Risk and HR have undertaken a significant review of risks in this area. Overall risk position is flat.
18. A risk remains around prolonged industrial action in the event the Post Office fails to proactively engage with CWU and Unite, albeit we have recently secured a pay deal with the former. There is concern some form of industrial action will take place due to the planned reduction of the DMBs (albeit the re-commencement of DMB franchising has not yet been agreed). In terms of mitigation, a dispute resolution process has been put in place (including GOLD teams), relevant stakeholders engaged and supporting operational contingency plans designed.
19. A further risk recently identified is that as the macro-pandemic environment extends and unemployment rises we could experience increased resistance from impacted colleagues during any consultation around any further organisational restructure. The Organisational Design team are utilising macro unemployment data and internal data to understand risk categories for potentially impacted individuals and will plan accordingly. This work is planned to complete by end of 5/2021.
20. Post Office continues to face potential risks around an inadequate work-life balance. In this context Central Risk are supporting the HR-led 'Future of the Workplace' workstream to identify risks and mitigations associated with the various options being considered. This includes flexible home/office models that could be put in place/piloted from 6/2021 with limited changes in 9/2021.
Operational
21. These are risks that would arise from potentially inadequate, poorly designed or ineffective/inefficient internal processes resulting in fraud, error, impaired customer service (quality and/or quantity of service), non-compliance and/or poor value for money. A key focus here is around whether the Post Office is being sufficiently supportive of Postmasters. Overall risk position is flat.
22. Another operational risk remains the potential financial fragility of multiple partners, albeit the current financial monitoring of large multiple partners suggests the situation is relatively stable. Retail partners are having a mixed lockdown: the convenience sector is doing better than the High Street. It is also the case that McColls and WHS are reducing their number of branches (which improves risk over time) and the recent Telco sale will reduce our regulatory and compliance risk profile.
23. Safety performance remains strong. A new audit is being planned. We continue to rely heavily on Fujitsu and the contract extension has not yet been signed.
24. Finally, work continues on the development and delivery of a refreshed network strategy coupled with the delivery of new flexible and attractive propositions (including increased automation).
Financial
25. These are risks arising from a potential inability to manage finances in accordance with requirements and financial constraints. If such risks materialise the Post Office could see a poor return on investments, a failure to manage assets/liabilities or to obtain value for money from the resources deployed, and/or non-compliant financial reporting. Overall risk position is flat.
26. Key downstream risks include the number of challenges impacting the Group's trading position. Until recently there was an increased risk of the business not being a going concern as at the balance sheet date, without appropriate government funding and support being in place. PwC undertook an in-depth going concern review and recently signed an audit opinion in 3/2021. This confirmed Post Office was a going concern but with net liabilities. Funding agreements for the next 12 months, and a working capital facility for 3 years, are due to be signed imminently. Funding of contingent liabilities is uncertain, as is funding for 2022-24. Clients and key counterparties may react adversely following the publication of the ARA.
27. There is also the possibility that because of the banking framework and changing cash profile the risk profile of Post Office's business operations could increase. Workshops have been held with banking, supply chain, security, risk and health & safety to review and seek alternative solutions, including consideration of whether adequate protection can be put in place to prevent risk to Supply Chain staff, Postmasters, their staff and families where cash levels are high. In addition appropriate intervention is to be deployed on high risk routes (including cash destruction (glue and ink), 'tracker' devices in carry cases and body cameras).
Risk Appetite
28. A separate update paper has been tabled on Legal & Compliance appetite on which ARC approval is being formally sought. In parallel with this Central Risk have been working with the business in pulling together an initial set of supporting KRIs along with potential data sources and indicative tolerances. Although work continues, such KRIs might include, for example, the number of Gifts & Hospitality breaches, the number of material AML breaches, and a percentage increase in the number of Suspicious Activity Reports. We plan to include the latest LCG appetite and KRI trends in the standard Dashboard from 5/2021.
29. Building on this Central Risk are in discussion with Retail & Franchise Network around an Operational risk appetite which will pick up our work on articulating postmaster-centric risks (see paragraphs 21 and 7). We plan an internally agreed position by end of 3/2021 with ARC approval being sought in 5/2021.
GRC implementation
30. As ARC will be aware, the Post Office has embarked on a journey to implement a corporate approach (and supporting tool) to Governance, Risk and Compliance (GRC). Phase 1 went live, on time, in mid 1/2021 and involved, essentially, migrating the Central Risk dataset from RSA Archer to ServiceNow. This forms the backbone of the Risk Dashboard. We have now secured Phase 2 funding. This focuses on the rollout of risk management capability beyond Central Risk to Business Unit Heads and individual Risk Owners and migrating the POI risk dataset from Xactium. In addition we will migrate the IT, Finance Controls and Strategic Portfolio Office controls onto ServiceNow (linking them to their associated risks for the first time) as well as deliver a Vendor Risk Management capability.
31. We plan a phased deployment between April and July 2021 with initial focus on the rollout of risk management (potentially piloted first in IT, Comms and Legal), then the migration of the IT Controls before, finally, the Finance Controls. The latter is targeting 7/2021 to avoid extensive workload during the 'year end' period.
32. GRC does not directly impact on Postmasters. However, a more efficient and effective identification, assessment and response to Postmaster-centric risks, other broader risks (which have a direct impact on Postmasters) and a linked assessment of the effectiveness of the associated controls will clearly enhance our ability to deliver our Strategic Purpose. We will report on progress at the next ARC.
Next Steps
34. The ARC are asked to:
• note the key risks we face, with particular focus on those in the Strategic, Postmaster, Commercial, People, Operational and Financial space;
• note the update on risk appetite;
• note current progress on the design and build of the GRC tool.
Appendix
1. Ratings, Categories & Response
Central Risk Dashboard (January-February 2021)
Summary
Residual Ratings: Banding satisfactory. Will be assuring that the 6 very high ratings are compliant and also have detailed mitigations. 26 risks have no rating; these are in the IT space as they have just been added to the system. Position being addressed.
Risk Category: Shows 109 risks (of 556) are in the Legal & Regulatory space. Although recent risk appetite work has seen an increase in the number of such risks, classification is to be reviewed in the next report. It is expected this will result in a more equitable spread across the categories. Cross-thematic report to be included in the next Dashboard.
Risk Response: 168 risks have an 'accept' response. Need to align this with the RAS. In most cases the residual rating is low, but some are not. Challenging in the next reporting period. 17 risks do not have a response; the majority are the result of internal risk transfer where the importing business unit has yet to formally respond.
2. Risk numbers
Summary
This table provides a corporate 'horizontal' view of the Post Office's 556 active risks by number (Post Office Risks Number, by GE Command and Enterprise Category). The x-axis lists the individual GE Commands with the y-axis providing the enterprise risk categories.
Key headlines
• This is work in progress and is influenced by the accuracy of risk allocation (by GE Group and individual classification). Central Risk are now assuring this data so there may be some further recalibration.
• Group Commercial: has a material number of Legal & Regulatory risks (generally in the non-compliance space).
• Group Finance: a reasonable spread but interestingly has no Change or Technology risks.
• General Counsel: not surprisingly has a significant number of Legal risks, in part influenced by the recent work on appetite. Central Risk will check this allocation.
• Group Information: a high proportion of risks are in the (cyber) security space.
• Group Operations: a material number of change-related risks but little classified as operations, as these are picked up within Retail & Franchise Network.
• Group People: a reasonably equitable spread.
• Historical Matters: very light on the number of identified risks. Central Risk are in proactive discussions to ensure increased articulation in the next reporting period.
Tab 5.1 Risk Update
3. Risk weighting @
I Senpnary i Se by Gl a terprise Cate;
his table Complements tha earl tabte by providing a Post Office Risks Number (by GE command and Enterprise Category}
corporate “harizontal’ view uf the Post Offiea’s 55 active risks
but this time by average risk rating {j.2. a summary total of
the individual risk ratings divided by the aumber of risks).
‘Yhe x’ axis lists the individual GE Commands with the axis
providing the enterprise risk categories,
Key heattines
+ AS before this Is snark in progress as the data is influenced
by the atcuracy of risk allocation, Central Risk raw fully
assuring this data so there may be sorme racalibration at
‘and of the naxt period
+ Group.Commercial: their 108 risks are equitably spread
but have a higher weight in the Financial, Security and
Strategy space
* ‘Suman Setl& Ecnchie the $7 ek have» higher isk
segs in H&S, Lana and People in part because ofthe
irdernay aed pastraatr ras
: ‘even though very light on the
‘nurnber af risks the ¢isk weight is relatively high compared
‘to other GE Groups. This is not surprising and is Bkely to
‘increase as more risks get articulated.
Confidential
Post Office Limited - Audit, Risk & Compliance Committee-30/03/21 83 of 178
UKGI00038546
UKGI00038546
4. Enterprise Risks: Summary
Summary
14 enterprise risks, of which 11 have a rating of 16+. These risks are the apex of the overall risk data set, with their ratings shaped directly by their downstream risks and the effectiveness of their mitigating activity. These risks tend to get managed through the aggregated activity at the intermediate and local level. Key risks in this area include:
Commercial: Risk the Commercial proposition is unattractive because existing products are too complex or confusing, new products are cost-ineffective, unable to be scaled and unattractive to the market.
H&S: Because of external H&S events (e.g. pandemic), detrimental business activities and/or external factors there is a risk that the Post Office business and its staff are adversely impacted.
Financial: Risk the Post Office has insufficient funding and/or uncontrolled costs in the short, medium and long term such that it is unable to deliver its strategic objectives.
Legal: Risk the Post Office is unable to comply with legislative and regulatory obligations and/or the outcome of other external legal activity (i.e. litigation, disputes).
5. Intermediate Risks: Summary
Summary
90 intermediate risks, of which 37 have a rating of 16+, including:
POI (non-compliance with Pricing Super-Complaint): Risk that POI is not ready when the new FCA price walking regime rules go live. Central Risk working with the business on a detailed mitigation plan; POI Board paper on dealing with FCA changes and winning within the market. Key controls include project plan, project quality control and development of strategy for maximising return within the market.
POI: Risk Post Office Insurance product sales remain significantly below forecast, resulting in reduced revenue. Travel product back on sale. Significant uncertainty remains around rate of recovery; quarantine restrictions increase doubt. Branch sales continue to be at a low level.
Commercial: Risk existing/emerging requirements of Post Office (new and existing) customers across the various sectors are not met such that customer demand declines rapidly. Central Risk working with the business on a detailed mitigation plan.
Commercial (ID services): Risk we may not be able to offer a relevant ID Service if requisite Government funding is not forthcoming. Reviewing a faster roll-out of the tablet services to ensure readiness for the travel bounce-back period. Discussing an awareness campaign with Marketing. Regular meetings with Government Departments on the role PO can play.
6. Local Risks: Summary
Summary
H&S: Risk to postmasters' and supply chain employees' mental and physical safety given their visibility and accessibility and the demands of the pandemic. Safety video on Branch Hub and increasing the number of Health Check calls to branches.
Financial: Risk that Group may enter a position of net liabilities which may trigger a number of events such as default on commercial agreements and funding arrangements. Pre-emptive action for impacted arrangements if required.
Historical Matters (overturned convictions): Because of the overturned convictions the Post Office is perceived as dishonest by agents, partners and/or customers, which leads to loss of sales and/or increased costs through fines and legal fees.
AUDIT, RISK AND COMPLIANCE COMMITTEE
Corporate Legal & Compliance Risk Appetites: An Update
Author: Jonathan Hill, Director of Compliance; Sarah Gray, Group Legal Director
30 March 2021
Ben Foat, Group General Counsel
Input Sought: Noting/Approval
The Committee are asked to:
i. note the latest position on the Post Office's appetite to corporate Legal & Compliance risks and our response to the comments provided by RCC/ARC in 1/2021, along with our proposed Next Steps and timeline; and
ii. approve the Post Office's appetite position to corporate Legal & Compliance risks.
Confidential & Legally Privileged
Tab 5.3 Combined Compliance & Internal Audit Update
POST OFFICE LIMITED
AUDIT, RISK AND COMPLIANCE COMMITTEE REPORT
Title: Compliance and Audit Report
Meeting: 30 March 2021
Author: Jonathan Hill, Director: Compliance; Johann Appel, Head of Internal Audit
Sponsor: Al Cameron, Group Chief Finance Officer; Ben Foat, Group General Counsel
Input Sought: Noting & Decision
The Committee is asked to:
1. note the Compliance update.
2. note the Internal Audit update, specifically progress being made with delivery of the Internal Audit programme and completion of audit actions.
Executive Summary
This paper provides an update on key and emerging risks, compliance matters and an update on the latest internal audit position.
1. Following a decision made by members of the Investment Committee in February, the
Controls Project work was stopped, pending a review at the end of the summer.
2. The value of having one master controls framework and IT enabling tool was recognised in the Investment Committee sub-group discussion. Although the approach was to be on a modular, tranche basis, carrying out controls and process mapping in parallel, it was decided that:
i. the business has enough to focus on now, especially with the Public Inquiry;
ii. in order to put controls in place, the business first needs to have processes mapped; and
iii. it needs to have a clear standardised process framework on which to put controls.
Summary of work completed:
3. A Controls Framework was designed together with the user requirements for an
operational controls ServiceNow-based system. Deloitte had agreed to review and
benchmark the Controls Framework and offer advice on the design and use of the controls
tool. This work has been put on hold pending the review in the summer.
4. Recruitment of 3 Controls Analysts to support the project to review, assess and assure the controls identified. The initial scope of work was to capture controls for process improvements that had been put in place following the GLO.
5. It had been assumed there would be process maps in place for each of the business units
impacted by the Common Issues judgement (“CIJ”) and Horizon Issues judgement (“HI”),
which the analysts could review for controls. However, few process maps were identified
and where they did exist, they were not up to the required standard, with some being out
of date.
6. During the period November - December, ahead of a comprehensive Controls tool being
built in ServiceNow, a temporary Power Apps workflow tool was developed. This tool
would ‘house’ the controls and allow self-assessment by the business prior to assurance
by the analysts. Following testing of the system, a training pack was produced to support
the system users.
7. The Business Analysts in the Historical Matters Unit CIJ team started workshops with
business units in January; the first being the Branch Reconciliation team (BRT).
8. Further sessions were held with the business areas to gain more information on the
controls and provide training on the use of the Power Apps tool.
9. The Controls team also started work with the Postmaster Onboarding Team. An initial
review indicated that more work was required to create effective process maps and
document controls.
10. As at 19th February, 40 Branch Reconciliation controls had been added to the Power Apps tool and were awaiting assessment by the Controls Analysts.
Data Protection in relation to the Telecoms Sale to Shell
11. Compliance has established a post-completion BAU process for management of Subject Access Requests (SARs), including requests regarding personal data for ex-customers of the Telecoms business, for whom Post Office will remain responsible.
12. During the transaction it was identified that c5,000 ex-customers were still using a Post Office provided e-mail account. All impacted customers with closed accounts were contacted on 15th February to inform them that their email accounts had expired and that they would be deleted in 28 days' time. The incident and investigation documents have been updated to reflect this closure task.
Ofcom
13. Communications Incident - Ofcom has now confirmed it will not be investigating the
comms incident reported in September 2020 on the basis that we have put in corrective
actions and self-reported.
14. Complaints data - Ofcom will continue to publish the details of Post Office complaints in
this year’s annual service report because it focuses on historical information. Ofcom has
not yet decided when it will remove Post Office from the quarterly complaints reports as
the Post Office brand will remain in use post sale for up to 12 months.
15. PSD2 - The FCA has approved the ECE notification and received both audits confirming
conformance.
Data Management - Remote Location / Back Office and Oasis Searches:
16. A project run in conjunction with Legal, the Historical Matters Unit and Compliance has been progressing since Q3 2020.
17. The objective of this was to provide assurance to Post Office, our legal team and the Courts that we have conducted reasonable and appropriate searches for any relevant information and have considered any documentation that may be found.
18. A review of the boxes identified was completed with all relevant material assessed by the
appropriate external law firms for relevance to the various work streams.
19. Any in-scope materials were added to disclosure packs or further analysis was carried out
to test for significance to the various workstreams.
20. This work is now completed for the Criminal Cases Review Commission (CCRC), the Post-Conviction Disclosure Exercise (PCDE) and Starling. An assessment is to be run for applicability for applicants to the Historical Shortfall Scheme (HSS), with a recommendation due to go to the Historical Matters Committee the week commencing 15th March.
Record Retention
21. All Data Owners were identified and provided with a copy of the Retention Schedules,
Remediation Logs and copies of the Document Retention and Disposal and Protecting
Personal Data policies.
22. The Compliance and CISO teams are starting to work with the business on the remediation
logs. There are concerns around the remediation plans and how these can be progressed
with initial thoughts that a remediation project may be required.
Record management in branches
23. Compliance, Property Services and the Network team are in the process of standing up a mini-project to implement a change programme for Records Management with the branches.
24. There are several outstanding issues on this yet, which the project will look to address:
• Designing a robust indexing system based on the products and services offered in branch so that we can be sure that the right information is being archived
• Designing the correct Standard Operating Procedures for the indexing, boxing up and transporting of boxes to Oasis
• Identifying the best method for transportation of boxes and a decision on where the funding is being provided for associated costs
• Procuring enough boxes to ensure that we can cover the entire network
• Developing Comms to go out to PMs on this project
• Creating a new process for record archiving on a regular basis and not just on the closure of a branch, as is the process today
25. Given the demands to complete the Data Management exercise for 22nd February for the CCRC, this project is due to start in late Q4 2020-21 or early Q1 2021-22.
Post Office Ltd approach to Cookies:
26. We have updated our cookie banner, which has addressed concerns that our previous approach was increasing the risk of being non-compliant and falling outside of the agreed "middle of the pack" approach. It now delivers a clear and simple guide to why cookies are used and how customers can tailor their preferences. The Digital team has assessed that these changes will have a negligible commercial impact.
27. With the recent publication of the draft e-Privacy Directive proposing browser solutions
which give individuals more control over their consent to cookies through whitelisting and
major organisations such as Google phasing out the use of third party cookies, Data
Protection and the Digital team are agreed that prudent actions are appropriate to reflect
our evolving approach balanced against maintaining Post Office’s ability to be competitive
in the market.
neral Data Protection Regulation (GDPR’ ntract Remediation
28. The Contract Remediation project was formally closed at the end of July as reported to
the previous RCC. Work is ongoing and the number of outstanding contracts is 3 fewer
than reported at the previous Committee meeting.
29. We now have an agreed approach on the Fujitsu Horizon Contract and, as part of the
Telecoms sale, a signed Data Processing Agreement for Fujitsu Telecoms.
30. Monthly Contract Review Group meetings continue to monitor progress and support
negotiations. This will continue until all outstanding contracts are finalised.
Freedom of Information Requests:
31. As a direct result of the GLO, HSS, the public inquiry and having Postmaster seats on the
Board we are seeing a change in the number and complexity of Freedom of Information
requests.
Freedom of Information Requests (1st September 2020 to 2nd March 2021)
Period | Historical Matters Related Requests | General Requests | Total Requests
01.09.20 to 02.11.20 | 12 | 27 | 39
03.11.20 to 02.03.21 | 25 | 35 | 60
Total Requests | 37 | 62 | 99
32. The more complex cases deal with information which may be either Legally Privileged,
Commercially Sensitive, Provided in Confidence or containing Personal Data. There is a
balancing act between transparency and protecting Post Office’s commercial and legal
interests.
33. As a result of this complexity, Legal and Compliance are having to prepare briefs for GE
and Board as many of the requests involve sensitive subjects such as the decision by POL
to seek to have Justice Fraser recused during the Common Interests hearing.
34. Compliance and Legal meet on a weekly basis with internal and external counsel to ensure
that any released information is in line with information released to the Inquiry and to
responses made for similar requests by BEIS/UKGI.
Compliance with Money Laundering Regulations
35. Suspicious Activity Reports (SARs) continue to rise, with 2,955 between 27th October 2020
and 25th February 2021 (compared to 1,074 in the same period last year). The rise is
primarily driven by:
• The continued identification of cases linked to complex banking investigations
• Branches raising concerns about customers undertaking multiple consecutive high
value cash deposits, and
• Reports from cash centres concerning an increase in branches returning high volumes
of Scottish and N.I. notes.
• We also continue to see an increase in suspicious activity from Bureau de Change
transaction monitoring despite international travel restrictions and lockdown.
36. In this same period there were 375 Financial Crime investigations (compared to 218 in
the same period last year); 38 of these were cash deposit cases (up 65% on 2019/20).
37. We continue to work with the National Economic Crime Centre Project Admiralty and the
Banking Framework members to address the risks of cash laundering via Post Office.
Cases include:
• Chinese nationals depositing high values onto numerous cards belonging to multiple
partner banks at branches located in Scotland, advising that the funds are to pay
university tuition fees
• c.£7.4m deposited at 9 branches in Birmingham
• Significant cash deposits at c.50 branches in Leicester, which has also been the subject
of a Section 7 request submitted by the National Crime Agency (NCA)
• We have also been advised of arrests and cash seizures in relation to some of the
Money Service Business (MSB) cash deposits in East London.
38. The risk assessment process was presented at the Commercial lead team meeting in
October 2020, and this led to an improvement in stakeholder engagement; however, this
has since declined. We are engaging with the product teams to refresh the approach.
39. Payzone - Capita's contract with PIPIT was exited on 31st January and remaining re-seller
contracts are being reviewed as part of ongoing Bill Payment and Payzone assessments.
40. The product team is continuing to progress controls for Amazon vouchers, with a pop-up
warning being deployed week commencing 22nd March. 39 transactions by 12 customers
totalling £27.8k were identified in SAR reports in February, of which c.£11.3k was refused
and prevented by branches following targeted training and awareness via Area Managers.
The pop-up warning will be applied to other high-risk vouchers, but there is no deployment
date yet. In respect of other more robust controls, the product team had hoped that EPay
(the client the vouchers are processed through) would implement these (e.g. voucher
volume/value limits), but the only option identified so far is to set a sales limit that would
trigger the sales at that location being switched off, which is likely to cause genuine
customer disruption and confusion in the Network. A solution is needed if the product is
to remain on sale.
41. As highlighted in the 2021 MLRO report, the accredited Financial Investigations Officer
within Security Operations who assisted with the review of SAR disclosures relating to
possible Post Office employees and postmasters left the business at short notice in
December and the replacement resource will not have the required accreditation. The
Financial Crime team are monitoring volumes and assessing resource impact and, at the
time of writing this report, there are a number that are awaiting initial review.
Anti-Bribery and Corruption (“ABC”) update
42. An issue was reported in December in relation to a Network employee who received a gift
from a customer, which included £60 in cash. This was not identified until after the
customer left the branch. The branch was advised to return the funds to the customer
but as they have not returned to the branch the branch has been advised to give the cash
to charity and provide evidence that this has been done.
Whistleblowing Update
43. Please refer to the separate agenda item.
Fit & Proper (F&P) update
44. Redeclarations for Cohort 1 were completed in good time, with a large number of sole
traders completing via the new Branch Hub option. This option is not yet available to
limited companies and partnerships, and there is currently no timescale for delivering
this solution. A number of issues were fixed with the release of the changes to
accommodate MoneyGram-only and ‘paused’ branches, but there are still some
outstanding issues and a meeting is planned to understand the extent of these and ensure
a smooth handover to the new team responsible for agent F&P declarations.
45. Work continues with HR and recruitment to implement better processes for direct
employee F&P tests, and there have been no issues in the last 2 months.
External Threats
46. The FCA have started a consultation into Strong Customer Authentication (SCA) and they
are exploring the option of increasing the contactless limit from £45 to £100. The risk of
increased card fraud has been assessed and it is not believed that this will pose a
significant financial crime risk to Post Office.
47. MT Global Limited, a Money Service Business, was fined £23.8 million by HMRC for
significant breaches of the regulations between 2017 and 2019. This is the largest ever
fine issued by HMRC. The failings related to risk assessments and associated record
keeping, policies, controls and procedures. We do not believe Post Office is at risk as the
Compliance team carries out risk assessments before product and service go-live and
periodically throughout their lifecycle, as stated in the group policy.
48. The FCA has launched criminal proceedings against NatWest for allegedly failing to prevent
money laundering, in the first prosecution brought under rules introduced in 2007. It is
alleged that NatWest systems and controls failed to adequately monitor and properly
scrutinise transactions linked to a corporate customer account that was undertaking
increasingly large cash deposits between November 2011 and October 2016. It is alleged
that £365m was paid in over that five-year period, including £264m in cash. No individuals
are being charged.
Supply Chain Compliance
49. During the remote Supply Chain assurance work at the end of 2020, it was identified that
there were issues with the Note Circulation Scheme Bond, with incorrect values being paid
in. Subsequently it was established that there were 14 late Bond incidents over the last
year. These have now been investigated, root causes established and corrective actions
to prevent recurrence have been implemented. Compliance has undertaken assurance
reviews at both Birmingham and London to ensure new controls are effective and no
further issues were identified. A formal response to the Bank of England was sent on 26th
February. The Bank will decide if the incident warrants losing the late Bond facility, issuing
a fine or if they take no action.
50. A number of issues were also raised in the remote assurance relating to H&S, many
relating to fire door issues. Six are on track to be resolved by end February and the
remaining one is likely to be resolved in March; all other fire door issues have been
resolved.
Multi Principal Review of 1st line controls.
51. This was reported at the previous meeting. The final report is now due at the start of April,
which we will share at the following Committee meeting.
ATM strategy and Post Office LINK membership.
52. As part of the Post Office strategy of taking over the Bank of Ireland (BoI) ATM estate it
has become clear that 2nd and 3rd line oversight needs to be in place for this business
activity. In particular LINK membership, which is required as part of this programme,
requires control obligations to be met, as ATMs are part of the UK's critical infrastructure
and LINK is overseen by the Bank of England.
53. Compliance and Internal Audit are working closely with the 1st line product team through
workshops to determine both the type and amount of 2nd line oversight that will be
required for both LINK membership but also more widely over our running of the ATM
estate.
54. The first milestone will be the end of April 2021 when Post Office will send a draft
application to LINK for membership. This will need to include identified controls.
Compliance Monitoring
55. With the implementation of the latest Covid-19 lockdown we agreed with our Principals to
suspend branch mystery shopping. Following the Government announcement of the
planned easing of restrictions, our mystery shopping company is undertaking a survey of
their mystery shoppers to see when they would be willing to commence activity. This is
unlikely to be before mid-April and subject to national variations within the UK.
56. Sales of Travel Insurance are currently suspended in branch; all of our other financial
services products remain on sale and promotional activity is ongoing for both protection
and savings business. As with previous lockdowns, we have been focussing on remote
monitoring measures to review performance such as cancellations, complaints and
customer validation calls, and regular governance meetings with the Principals remain in
place.
FS Key Regulatory updates
57. A summary slide of the key future developments is included in the reading room at
Appendix 1.
58. As part of the Government and FCA's focus on access to cash, the FCA is assessing what
role it should play in overseeing Post Office as part of this critical cash infrastructure. Nick
Read is meeting with the Chief Executive of the FCA to discuss this on 22nd March 2021.
In advance of this meeting Ed Smith, the Head of FCA Retail Banking Supervision, has
asked for some additional clarity from Post Office in relation to the wide array of financial
and related services we provide and their regulatory status. We have provided a response
to the FCA with the support of legal and external counsel. Our hope is that this summary
information provided will give FCA a rounded view of our services in this area rather than
leading into further scrutiny and regulation. This dialogue needs to be managed carefully.
Compliance and external counsel are providing advice and a brief for the 22nd March
meeting.
Vulnerable Customer FCA Forward Guidance publication in February.
59. The published guidance has followed the lines of the previous vulnerable customer
consultations. The FCA expects regulated firms and its Appointed Representatives to
ensure the interests of vulnerable customers are protected throughout the product life
cycle. There are no new hard rule requirements, but it expects to see firms meet good
practice by following the guidance and it has outlined examples of good and poor practice.
60. Post Office has had vulnerable customers on our agenda for some time and we have a
number of good practices we have put in place, particularly during the pandemic. However, our
Principals are undertaking a gap analysis on the guidance to assess if there is anything
additional that they or the Post Office should be doing.
61. The Overall Compliance Dashboards (Appendices 2 and 3) are included in the reading
room.
Internal Audit
Progress against Internal Audit plan
62. Delivery of the 2020/21 programme is making good progress, with a further four audits
completed in the current reporting cycle (3 POL and 1 POI).
63. Current delivery status is as follows:
[Chart: POL Internal Audit Plan - Status: Total Audits = 28 (a); segments: Completed / Fieldwork / Deferred]
[Chart: POI Internal Audit Plan - Status: Total Audits = 6 (b); segments: Completed / Reporting]
(a) Target number of reviews based on revised plan for 2020/21 approved by ARC (18 internal control reviews & 10 change assurance reviews). Details of the audit plan status are included in the reading room (Appendix 7).
(b) POI ARC approved baseline plan for 2020/21. One additional audit is currently being planned for delivery in Q4/Q1.
64. A re-prioritised Internal Audit programme was approved at the May ARC meeting in
response to Covid-19. A more dynamic (quarterly rolling) audit plan was adopted and is
being reviewed at each ARC. Further revisions to the plan were approved at the September
ARC meeting and are included in the reading room (Appendix 7).
65. An urgent request was received from the GE to support the Improvement Delivery Group
(IDG) in assuring all improvements (c.400) in preparation for the Public Inquiry. Three
reviews from the 2020/21 IA plan have been deferred in order to create capacity to
support this work.
66. The following audits are in progress or planned for delivery in Q1:
# | Review | Sponsor | Timing | Status
1 | HD Operations Improvement Programme | Declan Salter | Feb | Fieldwork
2 | Change Controls Effectiveness | Dan Zinner | Feb-Mar | Fieldwork
3 | IDG Support & Assurance - Phase 1 | Dan Zinner | Feb-May | Fieldwork
4 | Third Party Revenue Data Assurance | Al Cameron | Feb-Apr | Fieldwork
5 | IDG Support & Assurance - Phase 2 | Dan Zinner | May | Not Started
6 | Historical Shortfall Scheme - Claims & Payments | Declan Salter | April | Not Started
7 | Note Circulation Scheme (BoE Controls) | Al Cameron | May | Not Started
8 | Payzone Control Environment | Owen Woodley | June | Not Started
9 | Treasury Operations | Al Cameron | June | Not Started
10 | Strategic Platform Modernisation (SPM) Set-up | Zdravko Mladenov | April | Not Started
Internal Audit reviews completed
67. The following POL audits were completed during the current reporting cycle:
1 Historical Matters - CIJ Improvement Programme (Final Draft Report)
2 Postmaster Reporting (Management Information) (Final Draft Report)
3 Historical Matters - Set-up & Governance (Final Draft Report)
68. Our findings and observations from these reports are summarised below (para. 69-71),
with the full reports available in the reading room (appendices 4-6).
69. Historical Matters - CIJ Operations Improvement Programme (Ref.2020/21-15)
Rating: Not Rated
Sponsor: Declan Salter
Audit actions: P1 5, P2 1, P3 0, Total 6
Full report: Appendix 4
[Chart: Progress with completion of NRF recommendations (34 in total) - Complete / In Progress / Postponed]
Following the judgments from the Group Litigation Order, Post Office has undertaken a programme
of improvements to overhaul culture, practices and procedures throughout every part of the
business. In addition to launching the Historical Shortfall and Stamps Schemes, as part of its
operational improvement plan, and to address issues which arose from group litigation concluded
last year, Post Office has established a new Historical Matters business unit (HM) to oversee and
deliver the programme of improvements.
Work on formally implementing operational improvements as a result of the CIJ findings has been
ongoing since June 2019 and has involved teams from across the whole of POL's operations.
This report is not rated due to the evolutionary nature of the audit work. Our interim report was
issued in January 2021 and this has since been adopted as a management tracking tool to drive
actions. The Ops Improvement Project was originally planned to have concluded their work in
December 2020, but the complications introduced by the OE activity have meant that the project
had to be extended until March 2021.
Whilst the remaining actions will not be fully completed until the end of March 2021, there is a
clear route to ensure that this deadline is achieved (detailed in the body of the report). A key
lesson to be learned by the Ops Improvement Project and HMU is around the need for robust
handover processes when passing changes into BAU operations.
Internal Audit will continue to track and validate the remaining actions as part of the assurance
provided to IDG in preparation for the Public Inquiry.
Management Comment provided by Declan Salter (Director - Historical Matters)
The Internal Audit of the CIJ Operations Improvements has provided reassurance that the set up and
governance of the CIJ related workstreams has been effective and robust with the formal handover of
operational improvements to BAU now agreed and in place. While much work has been undertaken,
with 29 of 34 NRF actions completed (with one postponed) the report clearly identifies the outstanding
work to be completed; Item 4 - Policies and Procedures, Item 12 - Operator engagement (both on
track to be completed by the end of the financial year) and Items 15 - Policies and procedures Operator
engagement and 16 - Trading Statements which are being progressed. The latter two involve HM IT
and progress is being made to provide a postmaster centric solution.
70. Postmaster Reporting (Management Information) (Ref.2020/21-19)
Rating: Needs Significant Improvement
Sponsor: Amanda Jones
Audit actions: P1 2, P2 3, P3 1, Total 6
Full report: Appendix 5
This audit assessed the provision of management information to Postmasters and the controls in
place to ensure that the Postmaster has the means to effectively manage and develop their
business. The scope included assessment of data accuracy, integrity & reliability, management
information presentation, variation & usability, and ease of accessibility.
We conclude that the provision of management information to Postmasters, in its current form, is
not fit for purpose. The frequency and quantity of information provided to Postmasters varies
depending upon their volume of weekly customer sessions, with all branches categorised according
to a three-tier system. The area manager structure was revised in April 2019 to ensure every
branch receives support. Each area manager is responsible for between 75 and 125 branches of all
types and sizes and is the main source of provision of management information for those branches.
The three-tier system means that, of necessity, there is a greater priority afforded to the needs of
the busier branches, leaving the smaller branches feeling unsupported. There is limited information
available to Postmasters on a self-serve basis, largely due to a legacy of under-investment which
imposes a significant administrative burden on the area manager population and results in
disparity in the frequency that branches receive management information, with smaller (tier 3)
branches receiving information as infrequently as once every six months.
Our audit also considered the output from the recent Postmaster consultation, where participants
indicated that readily available access to more and improved management information is a priority
for the majority of Postmasters. Additionally, Internal Audit have directly consulted with
Postmasters to understand their perspective and requirements for management information.
Management Comment provided by Amanda Jones (Retail and Franchise Network Director)
I am pleased that this audit has identified the current limitations we have in being able to provide relevant
and timely MI for Postmasters, in a format that works best for them; this finding is consistent with one
identified by the current Deloitte review. Having access to key Management Information is critically important
to enable Postmasters to operate their Post Offices effectively and for POL to support them to thrive.
The report notes that provision of MI is limited due to the variability of Area Manager visits (e.g. smaller
branches receive visits less frequently). Whilst this statement is true, the limitations are largely driven by
the lack of MI specifically developed for Postmasters. For example, when an Area Manager visits a branch
face to face, they will go through the Branch Insight Tool data with the Postmaster, but aren't able to
electronically send it to them, neither is the PM able to self-serve. Other reports such as Sales reports will
be emailed to Postmasters if a face to face visit isn't due. This has been the only way to share MI whilst Area
Managers have been remote working due to periods of lockdown. Therefore, it is important to note that whilst
it is timely to review the appropriateness of the current branch tiering support model, this in itself will not
address the issue of limited MI for Postmasters.
Being able to provide meaningful MI to Postmasters will require input and investment from across business
areas. As part of the 'Hot-Housing' programme which started in 2019, a piece of scoping work was completed
to determine the MI requirements for Postmasters as well as the Area Manager. I expect much of this scoping
is still relevant, however, properly addressing the MI requirements for PMs will require funding and this is
currently not on the plan for FY 21/22.
To deliver some improved MI to Postmasters in the short term, the Business Transformation Unit are
exploring options and costs, e.g. making existing Postmaster MI such as Remuneration and sales reports
available to self-serve on Branch Hub.
71. Historical Matters - Set-up & Governance (Ref.2020/21-15)
Rating: Advisory Review
Sponsor: Declan Salter
Full report: Appendix 6
Following the judgments from the Group Litigation Order, Post Office has undertaken a programme
of improvements to overhaul culture, practices and procedures throughout every part of the
business. In addition to launching the Historical Shortfall Scheme, as part of its operational
improvement plan and to address issues which arose from group litigation concluded last year,
Post Office has appointed a new Director, reporting to Tim Parker and Nick Read, to head up a
separate business unit responsible to implement the claims schemes and the programme of
measures that will oversee the delivery of the operational improvements to address the criticisms
from the Common Issues Judgment (CIJ) and the Horizon Issues Judgment (HIJ).
Historical Matters Business Unit (HMBU) has been through a period of clarification and refinement
of its governance and structure. The design and implementation of the operating model has taken
significantly more time and effort than initially anticipated and was initially under-resourced. It has
not yet been fully formalised, agreed and embedded.
However, this does not mean that HMBU is operating without governance and control. The claimant
schemes activities operate within well-defined governance principles supported by the adoption of
core 'change' controls since they were launched. As such, key activities could be carried out without
an overarching HMBU level governance being present. The core 'Change' controls are being phased
out, but this transition has not been well structured and clearly articulated.
Working in collaboration with HMBU, we have identified areas that require management focus in
order to deliver a clear, complete and agreed operational model which must be clearly
communicated across Post Office. In addition, we have made suggestions and proposed
improvements intended to assist management in their efforts.
Although there are key elements pending completion, in our opinion HMBU is implementing the
elements of governance required, although its pace of delivery must be increased.
Management Comment provided by Declan Salter (Director - Historical Matters)
HM is confirmed by IA as operating effectively, with expected elements of governance in place since its
formation in August 2020 and appropriate controls over scope and change mirroring those in place in
wider POL BAU areas. As the areas of work being managed are both complex, non-discretionary and
with extreme time pressures, focus remains on supporting these key activities and achieving as positive
an outcome for POL as possible taking into account the serious nature of the historical events and the
far-reaching impacts both on Postmasters, as well as on the wider organisation and beyond.
These challenging activities are beginning to bear fruit, both in terms of favourable outcomes (for
example the recent positive CCRC feedback on the necessary disclosure exercise), completion of key
pieces of work (for example the Settled Centrally change implemented recently) and positive outcomes
for Postmasters (the commencements of compensation payments for c. 300 Postmasters as part of the
Historical Shortfall Scheme), along with our positive participation in the Inquiry, which is supporting
and helping manage the impact of this crucial, extensive and demanding activity for POL, both across
GE/business areas and also at an individual level where necessary. All of these are helping to contribute
to changing the perception of POL for the wider public and importantly for Postmasters both past and
present. These activities remain ongoing, and challenging in nature, but we are approaching the end
of the beginning and have an appropriate structure and team in place to face into these challenges.
During this seven month period since its inception, while effort has been spent on establishing expected
elements of governance, structure and formality - focus has necessarily been on the extensive demands
of the work, both in responding to the changing demands of the work itself, but also in securing support
and funding from our shareholder, BEIS and Treasury. This has taken a lot of senior management time
and effort and resulted in some elements of governance and control, such as an Operating Charter and
RACID being largely drafted but not yet finalised. The impact of changes in organisation during this
period has additionally impacted on the completion of this activity and wider discussions remain ongoing
within the wider business, the resolution of which are a necessary precursor to final agreement to and
implementation of full governance/control arrangements.
Work to agree protocols for the handover of work to BAU areas has been accelerated and as some of
these BAU areas themselves undergo change, have been revised and it is expected this will continue
to happen, but the importance of establishing this is fully acknowledged and remains a key objective.
The feedback of Internal Audit as part of the production of this report has been welcomed, with a
number of areas highlighted in the report being confirmed as addressed and with actions in train to
address the remaining outstanding areas. It is accepted that the pressures of work as outlined above
have impacted on the speed of delivery, particularly on work to extend work on controls. Due to the
size of the significant financial impact of the work involved, it has been necessary to ensure continued
focus on management of both general workload and external legal firm spend, which will continue to
be necessary to ensure value for money.
As interaction with UKGI, BEIS and Treasury has increased in the last quarter - and is expected to
continue over an extended period - heralding the introduction of new governance requirements, it is
expected that delivery of key control elements as part of this interaction (e.g. Measurements of success,
KPI monitoring, financial reporting etc.), will help address some areas highlighted in this report.
Looking ahead, it is envisaged that some of the ‘ongoing’ areas of work, for example in Operations and
IT, will naturally transition to BAU accountabilities, with handover arrangements planned to support
this. Other discrete activities with little crossover into BAU, for example the completion of the Historical
Shortfall Scheme, are expected to complete with handover activities limited to closure processes,
knowledge transfer and archiving - again, with support and involvement from IA being sought to ensure
the appropriateness of these closure activities for the organisation.
Post Office Insurance (POI) Audit Programme
72. The table below shows the status of the POI audit programme:
# | Review | Timing | Status / Rating
1 | Cyber Security (POL-POI Gap Analysis) | Aug |
2 | Incident and Breach Management | Aug | Reporting *
3 | Data Governance: Ethics, security and privacy - Phase 1: Third Party Data Security | Sept | Needs Improvement
3 | Data Governance: Ethics, security and privacy - Phase 2: Data Governance | Dec |
4 | Special Investigation (Confidential) | Sept | Complete (not rated)
5 | Pricing: Principles, policies and process | Nov | Needs Significant Improvement
6 | Financial Promotions Communications | Jan | Reporting
7 | Effectiveness of Risk Management - original plan | Q4 | Planning
8 | Channel review: Non-branch sales - original plan | | Cancelled (no longer compelling)
N1 This audit was delayed due to special investigations undertaken at management request and with POI ARC approval.
73. Post Office Insurance: Pricing principles, policies and process - Due to the adverse audit
rating, a summary of the audit findings is provided below for information:
Internal Audit undertook a review of Pricing within POI as part of its 2020/21 plan. This was
predicated on the conclusion of the Morpheus and Nemesis programmes, whereby POI had
set up an in-house pricing capability for Travel and Home products. As an FCA regulated
entity, POI has a responsibility to treat customers fairly. Pricing is a significant element of
fairness and is an area facing ongoing scrutiny and challenge from the regulator, as well as
being of critical strategic importance to the commercial success of the entity.
We found that the POI pricing function had developed significantly in the past year to meet
the demands of the new operating model, and a continuing drive to increase maturity was
evident. However, a number of weaknesses in the risk and control environment were
identified. Specifically, operating risks and the related controls were not clearly documented,
and controls were not subject to regular review. As a result, the expected control standards
were unclear and did not reflect certain operational changes that had increased the inherent
risk around price changes. The report was rated 'Needs Significant Improvement'.
A pricing error, resulting in financial loss, was reported by the business immediately prior to
the start of fieldwork. Management conducted its own review (with Board oversight) into the
cause and impact of this incident. A number of actions were instigated to improve risk and
controls management across Pricing and the wider business. All due audit actions have been
completed on time, and the area continues to receive significant management and Board
focus.
Status of Audit Actions
74. The movement and ageing of audit actions are shown in the table below (status at 22
March 2021). There are currently no overdue actions.
Audit Action Status (POL):
Open actions at last ARC | 35
Less: Actions closed in period | 17
Add: New actions in period | 15
Total open actions | 33
Ageing:
Open (not yet due) | 33
Overdue (<60 days) | 0
Overdue (>60 days) | 0
Total open actions | 33
Appendices [1]
Compliance
Appendix 1: FS Regulatory Calendar
Appendix 2: Compliance Dashboard summary
Appendix 3: Compliance Dashboard
Internal Audit
Appendix 4: IA Report: Historical Matters - CIJ Improvement Programme
Appendix 5: IA Report: Postmaster Reporting (Management Information)
Appendix 6: IA Report: Historical Matters - Set-up and Governance
Appendix 7: Internal Audit Plan for 2020/21
[1] Appendices are accessible in the Diligent Reading Room.
Tab 6 Internal Audit Plan 2021/22
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: 2021/22 Internal Audit Plan
Meeting Date: 30 March 2021
Author: Johann Appel: Head of Internal Audit
Sponsor: Al Cameron: Chief Financial Officer
Input Sought: Decision
The Committee is asked to:
- note the proposed internal audit programme for 2021/22;
- consider if the proposed reviews individually and collectively represent an appropriate
programme to support management in their activities and to provide assurance to the
Audit, Risk & Compliance Committee (ARC) over key risks to Post Office;
- approve the internal audit programme for 2021/22.
Previous Governance Oversight
The proposed internal audit programme was reviewed by the POL Risk and Compliance
Committee (RCC) on 16 March 2021.
Executive Summary
An integrated audit plan has been prepared to provide assurance over principal business risks
and significant change activities. This paper sets out the process followed to identify and select
the audit candidates.
The proposed internal audit programme for 2021/22 consists of 24 audits (16 internal control
reviews and eight change / programme assurance reviews). In addition, we will perform
around five audits in POI.
Introduction
1. The Post Office annual risk-based Internal Audit plan for 2021/22 has been prepared in
accordance with the applicable requirements of the Internal Audit Charter as approved by
the ARC in May 2020, as well as the professional standards of the Chartered Institute of
Internal Auditors (CIIA).
2. The proposed Internal Audit Plan was developed with input from Post Office GE and the
wider business, and was benchmarked against industry.
The Planning Context
3. The Post Office risk profile is impacted by continued and significant internal change, increased
regulatory scrutiny and market pressures. The 2021/22 Internal Audit plan is designed
to provide assurance over the organisation's principal risks, core processes and material
change activities.
4. The proposed 2021/22 Internal Audit plan is 'Postmaster Centric' and supports the new
Purpose and Post GLO improvement activities.
5. In 2017/18 we introduced a three year rotation plan for core processes. Core processes
are usually mature and generally expected to be well controlled, but warrant cyclical
validation due to their criticality to the business. The first 3-year rotation was completed
in 2019/20; the 2020/21 plan included the start of the second cycle of core process
reviews; however, many of the core process reviews had to be delayed in light of Covid-19
priorities. The 3-year rotation plan is therefore being re-assessed and reprioritised. The
full three year rotation plan is included in para 13.
The Planning Process
6. The following diagram shows the process we followed to identify, assess and prioritise the
processes and activities to be assured in 2021/22:
[Diagram, shown here as text]
Identify Audit Universe - All Auditable Components (business units, functions, processes,
activities, programmes, products). Source: Strategic Objectives, Legal Entities, Org
Structure, Business Units (incl. MU), Products, Core Processes, Change Portfolio.
Risk Assessment - Criteria: Postmaster Impact, Inherent Risk, Strategic Priorities, Control
Frameworks, Prior audit results & coverage, Risk Events, Change impact, Brand impact,
Value at Risk, Regulations.
Benchmark - Informed by: Post Office Purpose, Post GLO improvements, Industry
benchmarking (Deloitte, PwC, KPMG, CIIA), Planning workshop, Internal Audit 'Hot Topics'.
Review & Rank - Input from: Senior Management, RCC, ARC, Alignment with resource
budget, Other 2nd line and external assurance activities.
Output - 2021/22 Audit Plan and Watch list.
The Planning Results
7. The proposed list of audits was discussed and agreed with GE members and senior
management and their feedback and requests have been incorporated.
8. The tables below outline the proposed internal audits to take place in 2021/22. Internal
and external events may cause priorities and risk profiles to change, and management
may have additional requests during the year for advisory support or audit assistance. In
consequence, we may consider amending the plan as the year progresses. We will also
re-assess and refresh the plan at least quarterly to ensure it remains relevant. We will
seek ARC approval for all material changes to the plan.
9. Table 1 represents the baseline plan for internal control reviews, including reviews of the
Historic Matters Unit and Post GLO improvement activities. The target delivery is 16
reviews. High level audit scopes for each review can be found in Appendix 1.
Table 1: Internal Control Reviews (target = 16 reviews)
Rank | Proposed Review | GE Sponsor(s) | Postmaster Impact? | Timing
Priority Audits
1 | IDG Support & Assurance - Phase 2 | Dan Zinner | Direct | Q1
2 | GLO Historical Shortfall Scheme - Claims & Payments | Declan Salter | Direct | Q1
3 | Note Circulation Scheme (BoE Controls) | Al Cameron | No | Q1
4 | IDG Support & Assurance - Phase 3 | Dan Zinner | Direct | Q2
5 | GLO Stamp Stock Scheme | Declan Salter | Direct | Q2
Rolling Plan
6 | Payzone Control Environment | Owen Woodley | No | Q1
7 | Treasury Operations | Al Cameron | Indirect | Q1
8 | Effectiveness of Second Line Financial Crime Function | Ben Foat | Indirect | Q2
9 | CFS Application Controls | Al Cameron | No | Q2
10 | Effectiveness of Compliance Function | Ben Foat | Indirect | Q2
11 | JML Deep Dive | Jeff Smyth | Indirect | Q3
12 | IT Operations and Incident Management | Jeff Smyth | Indirect | Q3
13 | Cyber Security | Jeff Smyth | Indirect | Q3
14 | ATM Link Scheme Assurance | Owen Woodley | No | Q4
15 | Third Party Data Validation | Al Cameron | Indirect | Q4
16 | Business Continuity (Incl. Post-crisis assessment and ITDR) | Al Cameron | Direct | Q4
10. Table 2 below shows a list of reviews with a Postmaster Focus. We expect that many of
these processes will be covered through our IDG assurance work. We will assess the
need for end-to-end reviews of these areas based on the outcome of the IDG assurance
work and the Public Inquiry.
Table 2: Alternative reviews with a Postmaster Focus
Rank | Proposed Review | GE Sponsor(s) | Postmaster Impact?
1 | Horizon Application Controls (follow up KPMG recommendations) | Jeff Smyth (Simon Oldnall) | Direct
2 | Postmaster Journey Follow-up (Placeholder) | Amanda Jones | Direct
3 | Postmaster Performance Management & Offboarding | Amanda Jones | Direct
4 | Postmaster Issue Resolution | Amanda Jones | Direct
5 | Revenue Protection (Deep Dive) | Dan Zinner | Direct
6 | Postmaster On-boarding Process | Dan Zinner | Direct
7 | Branch Cash Forecasting | Al Cameron | Direct
8 | TransTrack Application Controls | Russell Hancock | Direct
9 | Stamp Stock Controls | Al Cameron | Direct
11. Table 3 represents assurance provided over Post Office's change risk. The baseline plan
is for eight change assurance reviews. This is an indicative list based on the current
change portfolio and will be reviewed and updated continuously as the portfolio of
change programmes develops and the risk profile changes.
Table 3: Programme Assurance (target = 8 reviews)
Rank | Proposed Review | GE Sponsor | Postmaster Impact? | Timing
1 | Strategic Platform Modernisation (SPM) Setup & Business Case | Zdravko Mladenov | Direct | Q1
2 | Belfast Follow-up - Part 2 | Jeff Smyth | Direct | Q1/2
3 | PCI Follow-up - Part 2 | Jeff Smyth | Direct | Q2
4 | SPM Mobilisation/Delivery | Jeff Smyth | Direct | Q3/4
5 | Change Controls effectiveness | Dan Zinner | No | Q4
6 | Belfast Follow-up - Part 3 | Jeff Smyth | Direct | Q3/4
7 | Placeholder Change Project (TBC) | TBC | tbd | TBC
8 | Placeholder Change Project (TBC) | TBC | tbd | TBC
12. Table 4 is our 'watch list' of alternative topics and additional areas for consideration
during the year, should either the assurance needs for the priority areas decrease or risk
levels for items on our watch list increase. The watch list will also inform the 2022/23
internal audit plan.
Table 4: Watch list alternative topics (top 10 items only)
# | Topic / Area
1 | ITCF Follow up
2 | Financial Controls Framework
3 | Management of Strategic Partners
4 | Compliance with Prompt Payment Regulations
5 | Product Risk Assessment (MoneyGram / Lottery Products / ATMs)
6 | Top Down / Overarching People Review / Onboarding Process
7 | ServiceNow Implementation
8 | IT DR (Deep Dive After Belfast Exit - Q4/2021/22)
9 | Effectiveness of IT Security - Operational (2nd Line)
10 | Management Information (Fit for purpose / standardised / one version of truth)
Three Year Rotation Plan
13. We introduced a rotational audit plan in 2017/18 to assess core business processes over
a three year cycle in order to provide regular assurance on the effective operation of
controls over critical business processes. The rotational plan in the table below has been
based on the last review of these processes, known issues and ongoing remedial
programmes.
Core Processes - 3 Year Rotation Plan
Year 1: 2021/22 | Year 2: 2022/23 | Year 3: 2023/24
Financial Reporting Controls (N2) | Financial Reporting Controls | Financial Reporting Controls
Third Party Data Validation (N1) | Third Party Data Validation | Third Party Data Validation
Contract Management (Strategic Partners) (N2) | Supply Chain Management (CViT) | Sales (Product tbc)
Branch Cash Forecasting (N2) | Payroll | Employee Expenses
Business Continuity (N1) | Financial Close Process | Agents Remuneration
IT Operations (N1) | Fixed Assets | FS Conduct Management
Cyber Security (N1) | Procure to Pay | Accounts Receivable
Treasury Operations (N1) | Client Settlements Process | Sales (Product tbc)
Regulatory Compliance (N2) | |
N1 - Included in 2021/22 rolling plan. N2 - To be prioritised once other priority audits have been completed.
Post Office Insurance Internal Audit Plan
14. We will carry out a programme of internal audit reviews on behalf of Post Office Insurance
(POI), as per the Master Service Agreement between POL and POI. The 2021/22 plan is
pending approval by the POI ARC, and will be reported to the POL RCC and ARC once this
is done.
Financial Impact
15. The approved headcount for the internal audit team is 6 FTEs. We are currently at full
headcount. The co-source requirement to support delivery of the 2021/22 plan was
estimated at approximately 470 days with a total cost of £523k (excluding POI).
16. The cost implications of the co-source element of delivering the internal audit plan are as
follows:
Category | Number of audits | Estimated effort (days): Total | Estimated effort (days): Co-source | Co-source cost 2021/22 | Co-source cost 2020/21
Core Internal Audit | 16 | 610 | 255 | £255k | £240k
Change Portfolio | 8 | 375 | 215 | £268k (N2) | £191k
Total | 24 (N1) | 985 | 470 | £523k | £431k
N1 2020/21 plan was for 26 audits.
N2 The increase in forecasted cost for change assurance is to provide for SME input into complex programmes, such as Belfast Exit, SPM
and PCI.
17. During 2018/19, we benchmarked the cost of providing Post Office internal audit services
against Deloitte’s 2018 Global Auditing Information Network (GAIN) Survey. Post Office
spends around 0.14% of revenue on internal audit, which was found to be comparable with
similar size FS organisations (0.12%) and higher than similar size retail organisations
(0.04%). We believe that the level of spend on internal audit is appropriate for the nature
and size of the organisation and that this benchmark is still relevant.
Appendix 1 - High level audit scope statements
Rank | Proposed Review | High Level Scope
1 | IDG Support & Assurance - Phase 2 | To provide independent validation and assurance over key improvements in support of the Inquiry. Around 400 improvements have already been identified, which will be validated for completeness and effectiveness. Testing will prioritise highest Postmaster impact actions and will be proportionate to the risk.
2 | GLO Historical Shortfall Scheme - Claims & Payments | Review of the scheme governance arrangements, including oversight, reporting, escalation and claimant journey. Review of operational controls to ensure the prompt and proper resolution of claims.
3 | Note Circulation Scheme (BoE Controls) | Review the controls over BoE notes held in vaults, the process of moving notes to / 'borrow' from BoE, and accuracy of declaration to BoE and accounting treatment.
4 | IDG Support & Assurance - Phase 3 | Same as item 1. This is a placeholder to validate additional improvement in preparation of the Inquiry or as a result of the Inquiry.
5 | GLO Stamp Stock Scheme | Review of rationale, set up and controls of the scheme, including controls over the logging, assessment and payment of claims.
6 | Payzone Control Environment | To include compliance with POL Group Policies and progress to bring IT systems, equipment, security and resilience up to an acceptable standard.
7 | Treasury Operations | Assess the design and operating effectiveness of end to end Treasury operations, including Governance, Policies & Procedures, Skills & Capabilities, SOD, bank mandates, & DOA.
8 | Effectiveness of Financial Crime Function | Review of Financial Crime function activities, to include team resilience. Will consider both first and second line activities, and clear separation between the lines.
9 | CFS Application Controls | Review general application controls including OS, Database and application access, system and change control, IT operations and DR.
10 | Effectiveness of Compliance Function | Review of scope vs. expectations across business, particularly of the interaction between first and second line activities and the split between compliance and the first line.
11 | JML Deep Dive | Review status of JML roadmap, in-depth testing of joiners, movers, leavers, PAM, RBAC, SoD and re-certification. Review integration/automation, etc.
12 | IT Operations and Incident Management | Provide assurance that IT services are delivered consistently, reliably and at an appropriate level of service. This includes management of infrastructure changes, monitoring of operational IT infrastructure, and issue diagnosis and resolution. The backup and recovery of systems in the event of an incident or service interruption is covered separately under IT DR (incl. in Business Continuity).
13 | Cyber Security (Maturity Assessment) | Assess the implementation of the agreed actions and evaluate the level of progress towards increased Cyber Security Maturity following the 2019 and 2020 Deloitte assessments. Progress will be assessed across the highest risk domains and those areas highlighted by the 2020 review to be in most need of improvement.
14 | ATM Link Scheme Assurance | Following the takeover of ATMs from BoI, Post Office need to join the Link Scheme, which has a requirement for annual attestation by the 3rd line that the Link Scheme controls were complied with.
15 | Third Party Data Validation | Review Business Process and IT controls for key revenue generating third parties to ensure accuracy, reliability and integrity of data. Perform data analytics as necessary.
16 | Business Continuity (Incl. Post-crisis assessment and ITDR) | To assess how the learnings from the business response to Covid-19 have been embedded in BC management. To include a review of overall BCP processes and focus on ITDR for Horizon.
Tab 8 Business Continuity Review
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Business Continuity Gap Analysis
Meeting Date: 30 March 2021
Authors: Jonny Lonsdale (Business Continuity Manager)
Sponsor: Alisdair Cameron, Chief Finance Officer
Input Sought: Noting
The Committee is asked to note the summary findings of the Business Continuity Gap Analysis
review for Post Office Group.
Previous governance oversight
The Risk & Compliance Committee on 16 March 2021.
Executive Summary
Background: In an effort to determine the status of the Business Continuity Management
System (“BCMS”) the Business Continuity Manager has completed a gap analysis on its
alignment to the BSI ISO 22301 (Business Continuity) standard. The folders of documentation
provided by Tim Armit have been assessed as part of this review.
Standard: A BCMS aligned with ISO 22301 is based on Business Impact Analysis and takes
into consideration the organisation as an entirety. It includes disaster recovery and business
continuity plans that focus on the recovery of specific activities, operations, functions, sites,
services, etc.
Conclusion: The Gap Analysis has found that the overall status of the Post Office BCMS is non-
compliant with some aspects of the industry standard, and in particular the most concerning
gaps are in the following areas:
1. Business Impact Analysis
2. Business Continuity Plans
3. Governance Framework
4. Exercising and Testing
Questions addressed
1. Does Post Office have a fit for purpose BCMS in line with the BSI ISO22301 standard?
2. What changes are needed to the BCMS to meet the requirements of the standard?
Report
Audit, risk and control
4. Post Office does not have a detailed Business Impact Analysis for each department;
therefore, the organisation does not have a process for determining the criticality of business
activities and the associated resource requirements to ensure operational resilience and
continuity of operations during and after a business disruption. Although the Post Office
does not have documented BIAs, the RCC and ARC should take assurance that disruption
to key activities has been limited during the pandemic and its work from home strategy,
which shows that the organisation is aware of its key activities.
5. Not recognising the critical activities in an organisation prevents identification of the risks which
need to be prioritised in preparedness for a major incident, resulting in an unacceptable
standard of resilience. However, the Post Office manages major incidents effectively through
its escalation process and should take some comfort from the response to the pandemic
outbreak, which limited impacts to the continuity of its products and services.
6. A departmental business continuity plan allows those accountable to design their own
recovery strategy. This includes the minimum business continuity objective (staff resource),
the time within which to resume the key activities, and location. Although I have seen some
departmental plans (Supply Chain) which detail response procedures and alternative
locations, this is not replicated through the business, and if we do not have these
documented procedures our ability to respond to incidents will be impacted.
Stakeholder and workforce engagement
7. A group of Business Continuity Plan owners and BIA Champions has been identified to roll
out the refreshed BCMS. These stakeholders will be required to complete a Business Impact
Analysis and Business Continuity Plan with the guidance of the Business Continuity Manager.
These sessions will be held on a 1-1 meeting basis to ensure the information
is completed effectively and consistently.
Critical Systems
8. It is also noted that the critical branch supporting system, Horizon, has not been fully
disaster recovery tested; therefore confidence that the system would remain operational
in the event of a Data Centre outage has not been established. Testing on Horizon is planned for
this year and it is expected that a full failover test will be completed.
Financial Impact
3. There is limited financial impact to implement the refreshed BCMS. However, a ServiceNow
module has been identified as a useful tool to aid the BCMS effectiveness, although
this is in the early stages of discovery; therefore no business case has been put forward
for approval.
Risk Assessment, Mitigations & Legal Implications
4. The present work area recovery strategy for the Chesterfield office is to relocate to the
SunGard site in Leicester. This contract expires on the 31st March and a decision has been
made not to extend the contract. The Post Office is aware of the risks associated with
ending this contract and has plans in place to mitigate them. With many colleagues now
working from home this decision will have limited impact. If laptops are damaged in an
incident, there may not be enough spare laptops in storage to replace a large number. A
desktop strategy is currently being considered with IT in order to mitigate this risk and to allow
colleagues to leave laptops at home when coming to work in one of the offices.
5. There is no defined, up to date list of critical suppliers of products and services that support
the strategies of the BCMS. This may result in not identifying risks associated with
suppliers which could be mitigated, or used to plan contingencies if those suppliers become
unavailable (for example, COVID response, impacts and business resilience).
6. A list of our highest value or most dependent external partners has not been
established, which prevents appropriate Business Continuity strategies being developed to
ensure we meet the needs of those customers. By creating this list, we can identify our
SLAs and ensure these timescales can be achieved in the event of a Business Continuity
incident.
Stakeholder Implications
7. Each department or team will be required to complete a BIA during Q1 with the assistance
of the Business Continuity Manager. Each BIA will take approximately 1 hour to complete,
with an additional hour for the Business Continuity plan.
8. Due to the lack of training and awareness for colleagues in regard to the identification of
Business Continuity risks, there is a risk that we currently have a number of unknown risks
which require mitigation in order to ensure the Post Office can continue to provide its
products and services at an agreed level. A competency matrix will be established to
identify what training would be the most appropriate for the BCMS stakeholders.
9. Once BIAs and Business Continuity plans have been created, a series of scenario-based
testing exercises will be scheduled which each Business Continuity plan holder will be required
to attend. The Gap Analysis found that one department of the organisation, Supply Chain,
has a robust testing and training programme of Business Continuity activity in place.
10. An annual audit should be agreed for our Internal Audit team to review the BCMS against
the BSI 22301 standard to ensure a degree of compliance is achieved and improvements are
measured following this gap analysis.
Other Options Considered
11. Implementing a BCMS framework is to inform and drive continual, effective, cross-
functional, multi-level continuity planning through holistic, integrated risk management
practice in the following ways:
12. Establish a control environment to link corporate governance, risk management, business
planning and operational performance to the Post Office strategic direction (business
continuity programme);
13. Invest time, tools and techniques to ensure BCMS is a fully embedded, auditable business
management process;
14. Provide senior managers with opportunities to obtain a sound understanding of business
continuity management and requisite skills to implement business continuity effectively;
15. Ensure the framework is sufficiently flexible to meet the challenges of scalability, different
department business profiles and various geographic needs coupled with governance,
regulatory and legal regimes;
16. Assist and manage events that require information and resource coordination across
multiple business functions;
17. Uphold a resilience philosophy in which the Post Office business continuity capability
always reflects the needs, technology, structure and culture of its business.
Next Steps & Timelines
18. For Post Office BCMS to achieve compliance with the ISO22301 standard, the following BCMS
schedule of work is to be completed over the course of the next 12 months:
Creation of BIA:
- BIA Roll Out
- Identify Key Suppliers & Review BCP Status
- Identify Contractual Obligation
- Create Framework Document
- Review and update BC Risks in Risk Register (SNOW)
Create BC Plans:
- Create Internal / External Incident Communications statements
- Create BC Sharepoint site for document repository
- Create BCMS invocation Severity Matrix
- Review Business Continuity Policy
Testing Schedule Plan:
- Create Competency Matrix for Stakeholders
- Training & Awareness Sessions
Internal Audit of BCMS:
- Create BCMS annual workflow
- Create Improvement Tracker
Tab 9 DeepDive: Dangerous Goods
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Prohibited and Restricted Items Progress Update
Meeting Date: 30 March 2021
Author: Mike Elliott, Network Sales Development Manager; Andy Kingham, Franchise Partnering Director
Sponsor: Amanda Jones, Retail & Franchise Network Director
Input Sought: Noting
The Committee is asked to note:
i. the activity undertaken and planned in order to improve conformance to the required
process.
ii. anticipated improvement in mystery shopping conformance as a result of the proposed
system changes.
Executive Summary
Since 2012, Post Office has contracted with Royal Mail to help meet its obligations to the CAA
(Civil Aviation Authority) for checking the list of prohibited and restricted items and any
applicable packaging, volume, quantity, labelling and product restrictions that apply prior to
posting any item. Royal Mail provides a comprehensive A-Z list that gives detailed information
about the things that cannot be posted with us, or where restrictions are in place and covers
all our UK mail and International mail services. This list of prohibited and restricted items
reflects Royal Mail’s general terms and conditions.
During the most recent audits, the CAA have highlighted that Post Office Ltd. can only act in
the capacity as the first line of defence regarding the acceptance or refusal of prohibited and
restricted items. Whilst the ultimate responsibility lies with Royal Mail, Post Office Ltd. takes
this responsibility seriously.
To monitor compliance levels for Prohibited and Restricted Items (P&RI), mystery shopping is
completed on a monthly basis by IPSOS. Since its inception, POL results have been inconsistent,
falling below acceptable levels in most months. Over the last 6 months compliance levels
peaked at 77% for International and 56% for Inland (the latest wave was Period 9, as
mystery shopping was paused due to the pandemic).
This paper provides an update on the progress to date to deliver performance improvements
and outlines the next steps we are and need to take to improve compliance levels further for
the acceptance of Dangerous goods items.
Questions addressed
1. Why do we need to improve conformance levels for Prohibited and Restricted items?
2. What is the impact of not doing this?
3. What steps have been implemented since the last update (July 2020) to address this?
4. What additional steps are planned to improve compliance further?
5. What is the current focus in the network to address this?
Report
1. Why do we need to improve conformance levels for Prohibited and Restricted items?
To comply with national and international regulations governing the carriage of mail, and to
ensure that mail in transport does not present a danger to the general public, we restrict or
prohibit certain items from entering our network and the Royal Mail pipeline.
We want to ensure the mail is safe for everyone, with many items, such as batteries, aerosols,
nail varnish and perfumes (amongst other items and substances), considered as dangerous
goods under transport legislation. For items posting overseas, other postal administrations may
have different prohibitions and restrictions. All the individual and country specific restrictions
and prohibitions add further complexity to the transaction at the counter.
Area Managers have continued to focus their efforts on driving increased awareness and
understanding in order to deliver improvements in conformance as BAU activity on branch visits
and Teams calls. This has been underpinned with additional training where required and
through frequent communications.
The latest mystery shop results, described below, show that performance levels for Inland
remain static, ranging between 44% and 55%*, with International between 65% and 90%*.
*number of branches correctly following the correct process based on mystery shopping
[Chart: 2020/21 YTD Mystery Shop Performance - periods 3 to 10 (N.B. limited P10 data due to
cessation of Mystery Shopping mid-period). Series plotted: Inland and International MS
Performance by period; the underlying values are not legible in the extracted text.]
The figures below show the number of parcels disposed of per 100,000 items of mail
accepted as a result of the parcel containing a prohibited or restricted item. This data is
provided by Royal Mail and shows an improving trend year on year, as follows:
• 2018/19: 1.7 items disposed of per 100,000 items of mail
• 2019/20: 1.6 items disposed of per 100,000 items of mail
• 2020/21 YTD: 1.1 items disposed of per 100,000 items of mail (Period 11: 0.6)
The target for 2021/22 is 0.5 items per 100,000 items, and we are confident that this will be
achieved following on from the planned Horizon system updates. Area Managers will continue
to make targeted interventions with branches using the Branch Insight Tool (BIT).
2. What is the impact of not doing this?
The Civil Aviation Authority may withdraw the authorisation of individual PO Branches to sell
parcels in the event of non-compliance. POL's liability is limited to an aggregate amount
of £20 million per year, although POL has not to date received any claims for compensation
from RMG for non-compliance with the MDA dangerous goods compliance requirements. In
addition to this, there are reputational risks to the POL brand in the event of an incident
occurring as a result of mail accepted in branch.
3. What steps have been implemented since the last ARC update (July 2020) to address this?
A meeting was held with RM and the CAA at the end of April to discuss performance; this was
attended by senior members of the POL mails and network teams. POL and RM have continued
their monthly Dangerous Goods working group to discuss performance and monitor
improvement activities.
Following these meetings, and after several consultations with Postmasters during lockdown 1,
there were a number of suggestions made for improvements. All improvements were scoped,
prioritised and are being tracked in a project plan, some of which have already been
implemented as part of phase 1 and some are in flight within phases 2 and 3. Following the
implementation of each phase, we expect to see marked improvements across all Prohibited
and Restricted metrics.
We are confident that the planned system changes described below will drive a significant
improvement in conformance, as we are minimising risk by removing the reliance on the counter
colleague to follow the correct process.
Phase One:
• Horizon System Changes - We will be able to offer a Horizon menu-based alternative to
the manual scanning of the dangerous goods laminate. The Dangerous Goods process
will be integral to the Mails transaction and will form a key part of the Mails conversation
with customers without the need to use additional support aids such as the existing
Dangerous Goods laminate. The current process relies on the colleague remembering to
use the laminate. This new process is currently going through Network gateway for UAT
testing and Postmaster feedback.
A trial across 167 branches commenced on 11 March 2021 and finished on 20 March
2021; feedback from Postmasters is currently being reviewed, with the potential of a full
roll-out across the entire network by the end of June 2021.
(Accompanying this paper is a PDF document that demonstrates the changes from the existing
to the new Horizon customer journey.)
• Branch Insight Tool (BIT) enhancements - The initial review in July 2020 identified the
need for improved management information to support the identification of 'At Risk'
branches. Following this review, from Q3 of last year, individual branches are now scored
and ranked to prioritise those branches with significant non-conformance. This is based
on overall Mails volumes, interception volumes, previous mystery shop results and
Dangerous Goods laminate scan percentages. This development within the BIT tool now
provides Area Managers with improved visibility of overall performance across their
areas. Looking forward, this will facilitate both reactive and pro-active actions to drive
improvements in conformance.
4. What additional steps are planned to improve compliance further?
Phase Two (subject to CAA approval):
• Labels Compliance - We are working on a solution to enable the Horizon system to print
both the ID8000 and Lithium battery label. Our worst performing mystery shop scenario
is where these labels are required. Forcing the label to print during the transaction will
drive further improvements in conformance by removing the option to add the label at a
later stage. (The current anticipated go-live date for phase two is mid-June 2021.)
Phase Three (subject to business case):
• Simplification - We have requested a quote from our IT suppliers to update Horizon, to
see if we can move the DG transaction start point to earlier in the Post Mail items journey;
this will be subject to costings and appropriate finance approval.
• Customer Self-Confirmation - Further system changes are planned as part of phase 3,
leading to a requirement for customers to confirm their self-declaration using Pin-Pad
devices for Mails items. (The current anticipated go-live date for phase 3 is the end of
July 2021, with a dependency on the availability of Ingenico resource.)
5. What is the current focus in the network to address this?
The current focus in the network is as follows:
• Postmaster Engagement - The Horizon system changes (described in phase 1 above)
are now ready for testing and we have engaged with Postmasters to seek their input
regarding the original needs analysis and whether the new system design will deliver
against these needs.
• Targeted Activity - Conformance Champions are in place across the 9 regions and they
have been asked to lead regular sessions with their teams to increase focus and
awareness across each area. Area Managers are now contacting their worst 20 branches
based on zero scans of the Dangerous Goods laminate, which highlights marginal or non-
existent activity at the counter. This activity will continue on an ongoing basis, leading to
greater reach and positive impact across the network in the worst performing branches.
• Contractual Intervention - Work is progressing to agree and deploy a formal contractual
process for cases where a branch continues to be non-conformant following three
interventions and the support provided by Area Managers. We expect this to be in place
by the beginning of the new financial year.
Conformance improvements expected
As a result of the anticipated Horizon improvements we expect to see a significant improvement
in conformance to the process, as the necessary prompts and interventions are systems
generated and will address current failure points.
For phase 1 we expect to see conformance improve as follows:
• Increase inland dangerous goods conformance to c.70%
• Increase international dangerous goods conformance to c.85%
For phase 2 we anticipate inland and international dangerous goods conformance to improve
to c.90%.
The anticipated improvements from the implementation of phase 3 changes would see
conformance improve to c.95% with the inclusion of customer confirmation.
N.B. In addition to the Management Information we have available to report on the use of the new
Horizon screens versus the use of the laminates, with Mystery Shopping due to recommence
on 12/04 we will also be able to report on actual conformance improvements. We should start
to see the benefits in the next wave of Mystery Shopping, but it will take two or three Mystery
Shop waves to fully embed each phase.
Tab 10 Committee Terms of Reference Review
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Review against Terms of Reference 2020/21
Meeting Date: 30 March 2021
Author: Rebecca Whibley, Senior Assistant Company Secretary
Sponsor: Veronica Branton, Group Company Secretary
Input Sought: Noting & Approval
The Committee is asked to:
1. note the outcome of the review against the Terms of Reference, confirming that the
responsibilities under the Terms of Reference for financial year 2020/21 have been met
save for the exceptions outlined in the report;
2. note and approve the actions to address the matters not adhered to; and
3. approve the revised Terms of Reference for onward submission to the Board.
Executive Summary
The Financial Reporting Council’s (FRC) Guidance on Board Effectiveness 2018 refers to the
need for “properly structured and appropriate terms of reference.” As part of the annual
Governance Report to the Board, the Board Committees review their Terms of Reference to see
whether any changes are required and to evaluate whether the Committee’s responsibilities
have been discharged.
The complete review against Terms of Reference is available in the Reading Room alongside
the Terms of Reference applicable in FY 2020/21.
The following elements of the Terms of Reference have not been complied with, or have only been
partially complied with, in FY 2020/21; suggested remedial action is outlined below:
Item | Remedial Action Commentary
7. Approve the Group Treasury and banking policies | This was last approved in March 2020 and was due to be approved in March 2021 but has been moved to May 2021 due to capacity issues in the Treasury team. This will therefore be reviewed and approved in May 2021.
36. Independence of internal audit including an annual review of any non-audit services provided by internal audit | There has been no review of non-audit services provided by, particularly, Deloitte as Internal Audit Co-Source. It is recommended that the Committee receive a report from Deloitte and Internal Audit covering non-audit services and fees annually moving forwards.
38. External Audit reappointment, fees and scope of engagement approval | The Committee has not formally reappointed the auditors for FY 2020/21, due to the delay in approving the Annual Report & Accounts. The Board reappointed the auditors for FY 2020/21 at its meeting on 18 March 2021. As already recognised at its meeting on 26 February 2021, the Committee should approve the fees, and this should also include scope of engagement, for onward submission to the Board in early 2021/22 (latest action update is that this is due to be completed in May 2021). Moving forwards, these matters should be dealt with at the Committee meeting dealing with the Annual Report and Accounts approval, and the Company Secretariat will ensure that these matters are subsequently approved by the Board.
41. Approval of External Audit Plan | The Committee noted this plan, but moving forwards the Committee should approve it.
43. Review of Representation Letter | The Committee did not review this letter and it is suggested this review is undertaken in future years.
45 & 48. Annual Review of External Audit services including independence, non-audit fees, qualifications, expertise and resources of the external auditor and the effectiveness | This has not been done in a formal way, but it is covered in the audit report for FY 2019/20 and the FY2020/21 Audit Plan. It is suggested that a more formal annual review is carried out following the approval of the Annual Report and Accounts moving forwards.
72. Circulation of Committee Minutes to the whole Board | This has not been done previously, but now all Board members have access to the Committee Reading Room on Diligent Boardbooks containing all signed minutes, and draft minutes (post Chair approval) will be circulated to all members of the Board. The majority of the Board attend the ARC in any event, with standing invites to the Chair of the Board and Lisa Harrington should they wish to attend.
The review has also shown that the Terms of Reference do not reflect the following items, which
either are in practice responsibilities of the Committee or are not responsibilities of the
Committee; as such, the Terms of Reference should be revised accordingly (subject to Board
approval):
1. The Committee has authority to approve policies under the Group Key Policy Framework
pursuant to the Matters Reserved to the Board and in practice, approves most Group
Key Policies.
2. The Tax Strategy is approved annually by the Committee.
3. Banking policies are not approved by the Committee so should be removed.
Appendices
1. Table of Review against the Terms of Reference
2. Current Terms of Reference
3. Revised Terms of Reference (Clean)
4. Revised Terms of Reference (Track Changed)
Tab 12.1 Cyber Security
POST OFFICE LIMITED
AUDIT & RISK COMMITTEE REPORT
Title: Cyber Security Update
Meeting Date: 30 March 2021
Author: Tony Jowett, Chief Information Security Officer
Sponsor: Jeff Smyth, Group CIO
Input Sought: Noting
The Committee is asked to note the status and plans regarding the reduction of risk associated
with Cyber Security.
Previous Governance Oversight
Rolling item at each Committee.
Executive Summary
• We continue with our programme of work to develop higher levels of cyber maturity.
Progress continues on track in all areas.
• We describe the focus of our 21/22 programme, balancing the needs for focus on inquiry,
postmasters and cyber maturity increase.
• We describe the results from our second desktop cyber incident drill.
• Our current cyber operations dashboard and resulting highlights are discussed.
Questions addressed
1. What is the latest update on the cyber programme?
2. What is the focus of our 21/22 cyber programme?
3. What are the results from the recent cyber incident desktop drill?
4. What are the highlights from the current Cyber Operations dashboard?
Report: Programme Update
1. The status of the actions from the recent cyber maturity audit is as per the table below;
all are complete or on track within target dates.
Finding | Status | Target Date
Target maturity levels for cyber security should reflect POL's risk profile | Completed - target maturity levels to stay as is unless risk appetite changes significantly | 30/9/20
POL's list of crown jewels should be agreed with the business | Completed - approved by GE | 30/11/20
Security architecture is not fully documented | Completed - next update Q3 2021 | 28/2/21 (revised date)
There is no documented long-term cyber strategy | Completed - next update Q2 2021 | 31/12/20
There is no end-to-end programme defined for Cyber | In Progress - being developed in line with 21/22 planning cycle; programme focus discussed in this paper | 31/3/21
The cyber action tracker requires updating | Completed | 30/9/20
JML processes are not fully integrated | Covered under JML paper - requirement is to introduce automation of workflow where feasible | 31/3/21
There is no documented strategy for Cloud security | Completed | 28/2/21 (revised date)
2. The roadmap for the cyber programme and dependencies is described in the next section.
Report: What is the focus of our 21/22 cyber programme?
3. Since we planned our 2020/21 programme the world of the Post Office has changed
significantly. As per the above table we have developed a new cyber strategy which we
have adapted to focus on three themes:
a. Postmaster support
i. Activities that directly support postmasters, which will cover but not
be limited to hardening of counter terminals, detection/prevention of
external fraud against postmasters, fraud detection within the network
and rationalisation of access management controls.
ii. Indirect postmaster support - through providing cyber input to key
programmes that are aimed at keeping postmasters at the centre of what
we do, e.g. SPM, PCIDSS, Banking Framework.
b. Inquiry-related improvements - resulting from the CIJ, HIJ and other
inquiry-related activity.
c. Group-wide Cyber maturity increases - those activities that reduce the
overall risk to the whole organisation and help ensure that the Post Office
exists/is not taken out for a significant amount of time. The Group functions
cannot exist without postmasters and vice versa. These improvements are
aimed at us reaching our cyber maturity targets.
4. A one-page view of the programme is at Appendix 1.
5. The programme is now going through portfolio and financial approval.
Report: What are the results from the recent cyber incident desktop drill?
6. We previously reported to the committee that, whilst we had confidence in our defences,
we were keen to perform a number of desktop incident drills. We have recently completed
the second of these and this is described below.
7. We engaged Nettitude (our red team and pen test supplier) to run the test for us using
skilled personnel to simulate a potential large-scale loss of customer data.
8. The test was designed to be as realistic as possible and was run remotely due to COVID
restrictions. The following constraints applied:
a. No malicious code was to be introduced by Nettitude during the incident.
b. Any PII data used during the exercise was fake and randomly generated.
c. Nettitude would not provide any 3rd party Incident Response resources - we
could only use our own, and other third parties if we had them.
9. The scenario we tested was as follows:
a. You have this morning received communication from a freelance security
researcher at email address stumpyuk1@gmail.com, sent via the "Contact Us"
web form on the Post Office website.
b. The researcher claims to have found some interesting data on the internet: an
individual who posted the data on a paste site claims to be in possession of a
full dump of customer data from the Post Office.
c. The researcher has sent you 3 sample records. The security researcher has
copied and pasted the poster's message into his message to the Post Office.
10. During the exercise a number of interruptions ("injects") were made by Nettitude as the
incident progressed, with new and emerging facts.
a. Inject 1 - You are unable to find the claimed information online. After
communication with the security researcher, he enquires if the Post Office offers a
bug bounty and, if so, suggests 0.1 BTC might be a suitable bounty to pay in
return for the URL to the paste site.
b. Inject 2 - The Post Office may pay the bounty or convince the researcher to
supply the URL (or completely disengage with the researcher). If there is further
interaction with the researcher, they send the URL to the paste.
c. Inject 3 - The Post Office confirm that the 2x samples are consistent with data
that they hold. The samples claim to come from The Post Office and the paster
has provided an email address and a demand for 0.1BTC for a full copy of the dump.
The researcher eventually discloses the URL: Pastebin.com/VEBjcYBB
d. Inject 4 - Multiple Post Office customers contact The Post Office claiming that
they have received phishing emails that contain specific and accurate
information only held by the Post Office.
11. The results of the test are discussed below - taken directly from the Nettitude report with
no edits.
12. The scenario presented to the Post Office was complex and contained uncertainties along
with issues that cut across multiple departments. As such, representatives from the
Cyber Security Team, Major Incident Management Team and Data Protection Team were
involved in the exercise.
13. In terms of People, The Post Office staff performed to a very high standard during the
exercise. They were presented with a wide range of complex issues and they were quickly
able to identify the risks and develop strategies for managing the risk. They closely
followed the processes documented in relevant policies. Each of the relevant stakeholders
demonstrated that they had an excellent grasp of the documented policies that they were
responsible for. The decision making, based on available information, was also excellent.
All the representatives on the exercise pooled their knowledge in order to work their way
through an increasingly complex set of problems.
14. In terms of Process, during the exercise, documented processes were tested to their
limits and withstood complex issues that progressively escalated in severity. It was
apparent to Nettitude that a lot of thought and planning had gone into the development
of the documents. As the scenario progressed The Post Office correctly escalated their
response at the appropriate junctures, and seamlessly handed off ownership to the correct
stakeholders. In the previous tabletop exercise delivered to the Cyber Security Team, gaps
were found in the documented Cyber Security Incident Response processes. Those gaps
have now been closed, thus during the initial phase of the incident, the incident was
correctly categorised and subsequently correctly escalated into the Major Incident
Management Team. The participants in the exercise were able to identify which team had
overall ownership of the incident during its progress and were able to identify the correct
organisations and Post Office stakeholders to notify at the correct time.
15. In terms of Technology, in respect of this specific incident, it was noted that whilst The
Post Office have strong policies in place around how Personal Information is stored and
shared, they have no technical solution for locating Personal Information within their
network, thus ensuring that Data Protection policies are being adhered to. Within the
scenario presented to them, The Post Office identified the need to establish where within
their network customer Personal Data was held; they had no technical means to
achieve this. In addition, the identification, procurement, and deployment of such a
solution would likely take weeks or months, thus be of limited value to The Post Office.
Nettitude's experience is that quickly deploying data discovery tools to scan a network of
The Post Office's size would cost upwards of £1.5 million pounds. The Post Office should
therefore assess the impact of a large-scale breach of their customer data and consider if
there is value in purchasing a more reasonably priced data solution ahead of any such
potential event.
16. In summary:
a. The Post Office Cyber Security, Major Incident and Data Protection staff
successfully completed the tabletop exercise.
b. Gaps previously identified in the Post Office's Cyber Security Incident Response
documentation were confirmed to have been closed.
c. No gaps were found in respect of the Post Office's current documentation for
managing security incidents.
d. Gaps were found in The Post Office's technical capabilities to quickly identify the
location of Personal Information within their network.
We have the POL data privacy policy, which clearly states the care people need to take around
the handling of such data. The impact of losing such data from POL by whatever means could
be an investigation by the Information Commissioner's Office and a resulting fine of up to 4% of
global turnover. To remove this risk we need to identify and remove such data where it is
outside normal handling measures. This needs additional tooling. The need for this capability
is included as one of the initiatives that form part of programme planning for FY21/22. In
selecting technical options for this we must balance the need to make rapid improvements in
cyber defences, the need to protect postmasters more effectively, and the availability of money
to make such changes. We are now writing the business cases for these initiatives and will
report back on progress to this committee. Appendix 1 shows the programme portfolio.
Report: What are the highlights from the current cyber dashboard?
17. Appendix 2 shows the current cyber operational metrics dashboard.
18. Key points to note:
a. Controls maturity increases have slowed due to focus and funding being applied
to inquiry and postmaster activities.
b. We have completed the insource of our Security Operations Centre (SOC) from
Verizon at a net annual saving of £450k.
c. There is an increase of activity around managing the security of our 3rd parties, with
particular emphasis on Fujitsu but with broader application to follow.
d. We completed the follow up with GE members on the recent fake phishing
attack. Those who clicked on the link but did not complete the follow-up 5-
minute training task have been individually contacted by the relevant GE
members.
Appendix 1: Cyber 21/22 Programme & Alignment with Priorities
[Figure: one-page programme portfolio, aligning each initiative with the three priorities. Only the
row labels and partial descriptions are legible in the extracted text:
• Security Incident and Event Monitoring enhancement - expand our capability to cover PO Group
plus Horizon; expand our capability to cover Office 365 and AWS by integrating their native tools
with ours
• Device authentication - prevent unauthorised devices connecting to the network
• Reviews and Red Teams - friendly hacking of our defences to drive hardening
• Data Loss Prevention
• ServiceNow integration
• User authentication - delivery of a password management tool to help users store and retain
complex passwords across the PO Group; delivery of a Multi-Factor Authentication capability to
reduce the risk of unauthorised access
• Outbound Email security - use of DMARC/DKIM technology to stop spoofing of emails to
customers and postmasters
• Automation of JML processes to reduce risks associated with JML
• Postmaster security
• Cyber Behaviours
• Risk - representation of cyber risk in monetary terms
The alignment markers against each row are not recoverable from the extracted text.]
Appendix 2: Cyber Dashboard
[Figure: multi-panel cyber operations dashboard. Only panel titles and fragments of the
commentary are legible in the extracted text:
• Cyber Operations 1 - Threat Landscape (Cyber Perspective); Overall Security Posture (the existing
controls are providing protection across all areas; additional use cases in SIEM tooling, now under
SOC control, are being developed at pace; centralised vulnerability management via ServiceNow
tooling will bring enhanced intelligence).
• Vulnerabilities (Accenture and CC) - Common Digital Platform: Qualys scan completed, report
released 2nd Feb 2021; all critical and high vulnerabilities have been remediated/addressed since
the report was released; outstanding medium and low vulnerabilities will be targeted for
remediation in the agreed patching/release schedule; excludes Horizon. Verizon data Back Office
(status 12th Feb 2021): Qualys scans completed on a weekly basis; outstanding critical and high
vulnerabilities will be targeted for remediation in the approved patching schedule; a risk escalation
form has been submitted for Credence EOL RHEL servers. Charts of critical and high vulnerabilities
logged and open against SLA, Sep-20 to Feb-21.
• Threat Intelligence - alerts by status (dismissed, resolved, in progress), Sep-20 to Feb-21.
• Phishing Protection - user reports, prevented phishing, SOC investigations, malicious phishing
links, Nov-20 to Feb-21.
• Cyber Operations 2 - POL Security Operations Centre ticket management (ServiceNow ITSM);
Mail Filtering (automated rejections, total inbound and total outbound email, Sep-20 to Feb-21);
sample SOC incident notes: an unauthorised access alert for a possible travel anomaly with logins
from AWS in America (password reset and AV scan requested on the device); a possible counter
unit exposed to malware (counter immediately removed from service, machine swapped out by CC
engineers and shipped back to the service centre); a possible stage 1 malware download (no sign
of compromise, user's machine scanned); inappropriate software use (software not required by the
user and now removed); a user flagged with connections to TeamViewer, investigations with
People Management and Data Protection underway; number of unique users each week who
breached the policy, divided by the total active user population.
• Cyber Compliance - phishing campaigns 1 to 4 (release mail / coffee cake; LinkedIn / Amazon;
Covid; Covid), showing reported, lured and did-not-report counts; quarantined mail reviewed and
false positives; alerts generated and confirmed closures; actions (no new actions, actions closed,
open actions, actions older than 3 months), Sep-20 to Jan-21.
The numeric values in the charts are not recoverable from the extracted text.]
Tab 12.2 Procurement Governance & Compliance
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Procurement Governance & Compliance Report
Meeting Date: 30 March 2021
Author: Barbara Brannon, Procurement Director
Sponsor: Alisdair Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to review the report, noting the Procurement Risk Exceptions submitted
to the Post Office Limited Group Executive and Board since January 2020 and to consider and
give direction in respect of the contracts in the Procurement pipeline which are high value and
at risk of being awarded or extended non-compliantly.
Previous Governance Oversight
• November 2020 - RCC & ARC Report
• January 2021 - RCC & ARC Report [no Board submission required]
Executive Summary
As a business in receipt of public funds Post Office Limited (POL) is bound by the Public Contract
Regulations (2015). PCR 2015 obliges POL to behave in a fair, objective & transparent way when
contracting with 3rd party suppliers. Additionally, set procedures must be followed for spend
above £25k and £189k.
The purpose of this report is to set out both breaches to Post Office governance and key controls
around contracts and compliance to PCR regulation in the award of contracts.
The aim of collating this information is to drive improvement in awareness and compliance
behaviour across the organisation. The second and primary aim is to work with GE and Business
Units to commence commercial reviews in a more timely way ensuring POL obtains value,
commercial and contractual flexibility fitting the requirements and business strategy of the
organisation.
In March 2020, Post Office Board requested prior approval of all Exceptions. This was revised
in September 2020 to above threshold Exceptions >£189k only in a revision to existing
governance. From November 2020 sub threshold exceptions will be submitted to the Group
Executive for prior approval and reported retrospectively to RCC and to ARC.
A Procurement Risk Exception Note is required to accompany all Exception Requests and a
Legal Risk note for requests >£189k.
Questions addressed
1. How many and what types of procurement risk exceptions have occurred in the past
quarter?
Since the last RCC report at the end of January there have been two Procurement Risk
Exceptions submitted to the Group Executive for approval.
• NCR SSK Support - Interim extension of 30 days to 28.02.2021
• NCR SSK Support - Interim extension of 30 days to 31.03.2021
We also have a lapsed contract with our auditors, PWC which is an internal governance
breach. A compliant extension option exists to extend but they are currently working at
risk preparing an audit plan for 2020/21 while commercial terms are negotiated. This has
not been resolved since the last RCC report in January.
What are we doing about it?
Active reviews continue with Business Units with the highest values relating to non-
compliance.
Our overall non-compliance value has reduced from £27.7m in July, £7.7m in January and
is now £8m.
A visual breakdown on all Open incidents at 5/03/2021 is available in Appendix 1.
What is in the current Procurement pipeline which is high value and at risk of being
awarded or extended non-compliantly?
One Procurement risk exception has been submitted for Board approval.
a) Lexington Communications - Circa £500k.
The PR&Comms team wish to extend the existing non-compliant contract [£173k] with
Lexington Communications out to September 2021 in order to cover immediate
business requirements relating to GLO.
Aggregated value is forecast at circa £500k to September 2021.
A Procurement Risk Exception request has been submitted to the March Board for
consideration.
There are two pending Procurement Risk Exceptions
b) Digidentity - TBC
Contract and settlement negotiations with Digidentity are continuing. A full commercial
overview and risk analysis will go to GE and Board in due course, noting that by
accepting a non-compliant extension from GDS, and therefore, commercially entering
into an extension with Digidentity to provide the services, a Procurement Risk
exception must be considered and approved.
c) Grant Thornton - TBC
Further services will be required in order to close the sale process for Home Phone and
Broadband. The services are described as subject matter expert review and assistance
with negotiating challenges/questions arising from the Shell draft Completion
Statement. A Procurement Risk Exception request shall be raised in May for the
services which are anticipated for delivery in late May/early June into July.
Conclusion
Risk Exceptions are subject to extensive internal governance, legal and risk review, in line with
POL governance guidance on value and risk. This is reflected in the material reduction in the
value of open risks over the past 3 years.
Individually, all large value non-compliant contracts have been reviewed by appropriate Post
Office governance forums with agreement on next steps and actions towards remediation
allocated where appropriate and/or available.
Executive support towards moving POL towards a more compliant footing is very strong, but
equally as important there is extensive support towards the cultural change required to ensure
that Procurement activities and outcomes will support longer term business strategies and we
reduce commercial risk making our 3rd party arrangements fit for purpose.
Report
4. What are the potential consequences of non-compliant awards?
a) Pre-contractual remedies overview: During a Procurement, an aggrieved party can
seek an interim injunction suspending the tender or the implementation until the court
decides on an outcome.
b) Post-contractual remedies: The court can order an ‘ineffectiveness order’ rendering
the contract void &/or can award damages.
5. Why are these incidents of non-compliance occurring, and what can be done about it?
Non-compliant awards may be made for a number of reasons at the Post Office.
a) Low value, time constrained or highly sensitive/specialist engagements are not
uncommon.
b) Large commercial arrangements cannot often be easily competed or unravelled
without operational impact, and re-procurement may be subject to a pending evolution
of a supporting Business Strategy and/or completion of large, and complex technical
programmes of work to maintain or enhance services prior to a possible exit.
c) The contractual arrangements may pre-date PCR 2015 regulations or the contract
novated during separation from RMG, automatically becoming non-compliant at the
renewal point. Non-compliant awards are frequently made on a tactical basis to extend
contractual services while public tender processes are executed.
d) Delays to public sector panels of suppliers becoming available. The Post Office makes
extensive use of this low-cost route to market and new/refreshed panels are subject
to frequent delays from Crown Commercial Services. Single interim extensions [of
periods under 12 months] while tender processes are run are considered to be low
risk legally.
e) Changes in scope or value over the term of a contract may render the extension or
renewal of services non-compliant. Material changes to the scope of a contract may
render the whole contract non-compliant.
f) Disregard for, or lack of understanding of the regulations.
Why are we receiving this report?
A decision to collate this information into a single location was taken in the Autumn of
2016. The aim is to track and improve our overall compliance and commercial results as
an organisation, while also ensuring perceptions are accurate. However, it should be noted
that it will facilitate timely responses to Freedom of Information requests which adds risk
to the Post Office commercial landscape.
Are any of these breaches arguable on regulatory grounds or are they all breaches?
A full explanation of the individual compliance breaches for direct awards over £189k
[previously £164k & £181k] threshold is attached in Appendix 1. Each entry details the
nature of, and the value of the breach. The threshold is altered every two years based on
the FX rate between GBP and the Euro.
The Procurement Compliance Register does not at present give an indicative risk level
attached to the award. This information is provided to the accountable executives under
internal governance processes in the form of a PCR risk note before a contract above
threshold is entered into, and if necessary, under Legal Privilege. In addition, all
signatories to a contract have sight of the Risk note as part of the Contract Authorisation
Form [CAF].
All entries are compliance breaches. A period of challenge applies to each PCR breach once
an aggrieved party becomes aware or ought to have become aware. This risk finally
expires at 6 years from the date of breach. The defensibility of a legal challenge is outlined
within a Risk Note.
How many of the breaches were approved in advance and how many retrospectively?
All contracts entered into during this period were compliant with internal governance
processes on contract and commercial review.
Why were the approvals given?
The rationale for approval is relevant to the individual service and is detailed within
Appendix 1.
What were the unapproved, material breaches?
There were no unapproved, material breaches during this period.
11. Describe what you are doing about the breaches. Where we are in breach, do we have a
plan to come back into compliance and over what time period will that plan take effect?
a) A forward view of material contracts falling under each Business Unit is currently
prepared by the relevant Procurement Manager for discussions with their key
stakeholders. The maturity of this look ahead view does vary currently and is
consistently a high priority activity within the team.
b) Sourcing options papers are prepared for review by contract managers and key
stakeholders [risk, legal, security] with routes to market agreed. In many cases these
are dependent on evolving business and operating model strategies and the
Procurement team are actively involved helping to advise and review options as
thinking evolves.
c) Where a non-compliant award is proposed due to time pressure, Procurement are
actively working on long term mitigation with awards made on an interim basis to
meet urgent operational needs.
d) Each RCC member now receives a regular report on compliance within their business
unit[s].
e) A Risk & Governance process requires a Risk Exception report to be created for non-
compliant direct awards with GE sign off.
f) Awards over £189k must have prior Board approval before being entered into.
g) All Professional Services engagements must be approved in writing in advance by the
CFO/COO. A compliant panel of preferred consulting partners has been appointed and
proposed engagements outside of this panel are subject to additional review and
challenge.
h) Procurement provides training as part of the revised Induction process for new staff.
Training packs are being updated for existing staff and a new training module made
available on Successfactors. Ad hoc training sessions for interested Business Units are
also run.
i) A new Intranet site has been launched for Procurement to improve visibility of process,
regulation, and the panels of approved compliant suppliers available to POL business
units.
j) A revised POL Procurement Policy and supporting processes is in progress giving more
granular guidance.
k) Using Crown Commercial Services frameworks, panels of Preferred Suppliers are being
refreshed and updated across a wide range of spend categories to reduce time to
market, improve compliance and greatly improve commercial outcomes and legal risk.
l) A planned change to operational systems will, once live, give Procurement earlier
visibility of potential compliance issues eg: contractual value thresholds.
Risk Assessment, Mitigations & Legal Implications
12. As a business in receipt of public funds POL is bound by the Public Contract Regulations
(2015). PCR 2015 obliges POL to behave in a fair, objective & transparent way when
contracting with 3rd party suppliers. Additionally, set procedures must be followed for
spend above £25k and £189k.
13. Failure to abide by the legislation or “slicing and dicing” contracts exposes POL to risk,
both as far as the commercial outcomes of the contracts as well as the reputational damage,
legal remedies, censure & fines that can follow the discovery of a breach. Our compliance
to PCR can be requested under a Freedom of Information request at any time.
14. The PCR Compliance Register allows for the tracking of breaches to PCR regulations at the
Post Office and internal governance processes. One aim of collating this information is to
drive improvement in awareness and compliance behaviour across the organisation. The
second and primary aim is to work with GE and Business Units to commence commercial
reviews in a more timely way ensuring POL obtains value, commercial and contractual
flexibility fitting the requirements and business strategy of the organisation.
15. Contract and financial governance policy and processes at Post Office are set by the Legal,
Risk and Governance team with clear guidelines for staff available on the Company
Secretariat team intranet site. This sets out steps to be taken to obtain financial and
contractual approvals prior to making a binding commitment to an external party. Non-
compliance to internal governance processes is also captured within this report.
Appendix 1 - All Open Material Incidents
Date | Category | Business Unit | Owner | Supplier | Value / Status | Notes
[illegible] | IT software | Retail & Franchise | IT | [illegible] | [illegible] | Annual maintenance and support previously provided under Regulation 32 exemption for IPR. Cover now expired and a compliant route found. Negotiations are underway.
[illegible] | PR | Corporate Affairs & Comms | Richard Taylor | [illegible] | [illegible] | Direct award - no procurement engagement.
[illegible] | Software | IT | [illegible] | Interchange | [illegible] | POL inherited the Galaxy system and support contracts from Royal Mail [illegible], then descoped from compliant OJEU tender for Back Office in 2015.
23/03/2020 | Software | IT | [illegible] | [illegible] | [illegible] | Part of the Galaxy solution for Swindon [illegible]; the future of Swindon has been under consideration for some time and these licences and support contracts have been rolled over year on year in the absence of a long term direction.
[illegible] | Media | Marketing & Brand | Emma [illegible] | [illegible] | [illegible] | Contract extended to cover OJEU process timeline, which has been extended due to Covid. Completion due March 2021.
23/03/2020 | Marketing | Marketing & Brand | Emma [illegible] | [illegible] | [illegible] | No frameworks and no appetite in Business for full OJEU. Unlikely other suppliers who have access to the market or similar software. Software Reseller not an option. Approved by Board March 2020.
27/05/2020 | Supply Chain | Operations & Supply Chain | Alisdair Cameron | [illegible] | [illegible] | Interim contract put in place while POL exits ATM terminals for WHSmiths. Board approval granted.
21/05/2020 | Supply Chain | Operations & Supply Chain | Alisdair Cameron | [illegible] | [illegible] | Interim contract put in place while POL exits ATM terminals for WHSmiths. Board approval granted.
[illegible] | IT SaaS | Marketing & Brand | Emma [illegible] | [illegible] | [illegible] | Reprocurement exercise was underway but due to Covid-19 and budget restraints this exercise has to be put on hold. Also requires input from solution architect and workload has prevented this.
25/06/2020 | Banking Services | Retail & Franchise | Owen Woodley | [illegible] | Pending | Contract extended with Barclays beyond [illegible] the EU.
25/06/2020 | Banking Services | Retail & Franchise | Owen Woodley | Barclays | Pending | Postal Orders/Camelot cheques. Service originally with Co-Op; they terminated the contract in order to exit cheque clearing market. Barclays stepped in to pick up service as very similar to cheque clearing. Work underway to review if it can be tendered alongside the main cheque clearing services.
10/07/2020 | Public Affairs | Corporate Affairs & Comms | Richard Taylor | Lexington Communications | [illegible] | Direct award for GLO related PR services. Board approval given.
10/07/2020 | Marketing | Marketing & Brand | Emma [illegible] | [illegible] | Pending | Direct award [illegible]. Contract transferred [illegible] to Marketing but compliance status was unknown and it was too late to retender. WIP for 2021.
10/07/2020 | Professional Services | Finance | Alisdair Cameron | [illegible] | [illegible] | Threshold breached - was previously compliant.
2/11/2020 | Auditors | Finance | Alisdair Cameron | PwC | [illegible] | A compliant contract is in place but has lapsed during contract negotiations. 1-2 year extension should have been signed before October. This hasn't happened as we have not agreed fees for next year's audit with PwC thus far.
[illegible] | Professional Services | Commercial | Owen Woodley | Grant Thornton | £151k | Urgent financial support required in relation to the Home Phone and Broadband sale.
11/11/2020 | Professional Services | Finance | Alisdair Cameron | Smith & [illegible] | [illegible] | Board requested additional professional advice support to form an independent view of the way in which the Group's funding agreements, financing arrangements, headroom [illegible], cross-defaults, commercial contract implications and net liability [illegible] the "Facilities" have been forecast.
16/12/2020 | Professional Services | Commercial | Owen Woodley | Grant Thornton | £125k | Urgent financial support required in relation to the Home Phone and Broadband sale.
30/01/2021 | Hardware | IT | [illegible] | NCR | [illegible] | Interim 1 month extension while commercial negotiations conclude.
[illegible] | Hardware | IT | [illegible] | NCR | [illegible] | Interim 1 month extension while commercial negotiations conclude.
Total: £9,216,018.81
£8,016,018.81 excluding Audit Value
Tab 12.3 Law & Trends
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Law & Trends Report Meeting Date: 30 March 2021
Author: Sarah Gray, Group Legal Director Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting
The Committee is asked to note the new or proposed material changes to laws and regulations
since the last Audit, Risk & Compliance Committee (ARC).
Executive Summary
There are 6 matters for the Committee to note (details of which are set out in the Appendix):
1. The Restriction of Public Sector Exit Payments Regulations 2020 revoked
The Restriction of Public Sector Exit Payments Regulations 2020 (“the Regulations”) came into
force on 4 November 2020 and set a £95,000 cap on exit payments (“the Cap”) for public sector
authorities. After extensive review of the application of the Cap, the Government has concluded
that the Cap may have had unintended consequences and the Regulations were revoked from 12
February. HR have identified one former employee who was affected by the Cap and will be
entitled to the additional sums that would have been paid had the Cap not been applied.
2. Supreme Court rules Uber drivers are workers
The Supreme Court has unanimously ruled that Uber drivers are employees under the
Employment Rights Act 1996 and are entitled to the national minimum wage, annual leave
entitlements and other legal protections afforded to employees. The judgment represents part of
a continuing trend for courts to find ‘worker’ status where they consider it appropriate to do so
on the facts.
3. Public Contract Regulations (“PCR”) Post-Brexit
The key changes to PCR following the UK’s separation from the EU are mostly practical changes
which will impact how POL conducts its new procurements from 1 January 2021, including
limitations on the enforceability of EU law and treaties; introduction of “Find a tender
service” the new UK e-notification service to replace OJEU; and inflight procurements, new
procurements and concluded frameworks. Procurements inflight as at 1 January will continue to
be subject to the unamended PCR regulations. New procurements will be subject to the
amended PCR regulations. Also, the operation of framework agreements concluded prior to 1
January will be subject to the unamended PCR regulations. POL is compliant with the post-
Brexit requirements.
4. State Aid - Update
A consultation (closing at the end of March) has been launched on the proposed approach for
establishing a new subsidy control regime to replace the state aid regime of the EU. POL is
preparing a response.
5. FCA finalised Guidance on the Vulnerable Customer
The FCA have issued finalised Guidance for firms on the fair treatment of vulnerable customers.
The Guidance highlights the actions firms should take to understand the needs of vulnerable
customers to make sure they are treated fairly. This has become a key focus for the FCA due to
the impact of coronavirus. Post Office Compliance Team have been aware of the guidance and
are considering the collection of vulnerability data to assist with their review of current practices.
6. Trial Witness Statements in the Business and Property Courts
From 6 April 2021, witness statements for use at trial in the Business and Property Courts only
will have to comply with the newly published Practice Direction 57AC (the “PD”). The PD therefore
will not affect any matters brought before employment tribunals e.g. Starling nor will it have any
impact on the Public Inquiry. It was introduced following judicial disapproval of witness
statements crafted by lawyers containing extensive reference to documents rather than
embodying the language of the witness. It makes substantial changes to the preparation and
content of witness statements. POL Legal will put a guidance document on the LCG Academy
intranet page.
Questions addressed
1. What new or proposed material changes to laws and regulations should the Committee
be aware of?
2. What are the implications to the Post Office business?
Report
See Appendix.
Appendix 1
1. Law & Trends Report: New material updates
Issue: The Restriction of Public Sector Exit Payments Regulations 2020 revoked
Why it matters? As reported at RCC in November 2020, a Cap of £95,000 on exit payments in the public sector was introduced and applied to employees’ exit payments from 4 November 2020. The Regulations provided that Post Office "must not" pay exit payments (such as those due upon redundancy) at amounts in excess of £95,000. As such they purport to override employees’ existing expectations (some of which are contractual) to redundancy payments. However, the Government revoked these Regulations on 12 February this year.
Latest Developments: A former employee has been identified who was directly affected by the Cap whilst it was in force. They will be entitled to request from Post Office as their former employer, the amount they would have received had the Cap not been in place.
Impact on Post Office: As the Regulations have only been in force for a short period of time, Post Office does not have significant steps to undo/reverse. Payment to a former employee who exited during the period the Regs were in force the sum they would have been due [£x] had the Cap not been in place. Future exits by senior employees may cost Post Office more as a result of the revocation of these Regs.
Action: The Government still has the power to implement legislation and they have indicated they may have another attempt at bringing in similar regulations. Post Office HR will continue to monitor any developments. It is anticipated that if they do revisit exit cap regs, that they will only apply to new joiners rather than existing employees.
RAG: [illegible]

Issue: Supreme Court rules Uber drivers are workers
(Remaining columns for this row were not captured in the extraction.)
Issue: Public Contract Regulations (PCR) post Brexit
Why it matters? Post-Brexit, PCR 2015 remains but the Public Procurement (Amendment etc.) (EU Exit) Regulations 2020 has been published as a UK Statutory Instrument to amend procurement legislation to reflect necessary changes required by the UK leaving the EU.
Latest Developments: The key changes are:
1. The UK's new “Find a Tender” service for publishing contract notices went live on 1 January 2021, replacing the Official Journal of the European Union (only for United Kingdom).
2. EU references have all been deleted from PCR.
3. The Government have published new guidance for Below Threshold Contracts allowing for more flexibility. This will allow POL the option to reserve contract opportunities by location; and/or reserve contracts to SMEs/VCSEs only (subject to restrictions).
4. Cross-Border Interest test - no longer applies to England, Wales and Scotland contract opportunities.
5. EC Treaty Principles - no longer applies to England, Wales and Scotland contract opportunities.
Impact on Post Office: As a result of the NI Protocol Agreement, where POL procures below threshold supplies into NI and there is cross border interest (ie from a supplier in an EU Member State) POL must advertise the contract opportunity and conduct a competition in accordance with the EC Treaty Principles and POL's internal procurement policy.
Action: [illegible]
Issue: 4. State Aid - Update
Why it matters? From 31 December 2020, the State Aid (Revocations and Amendments) (EU Exit) Regulations 2020 revokes EU State aid rules and the EU no longer has any power to investigate and take decisions on state aid measures granted by the UK. [The exception is state aid that affects trade between Northern Ireland and the EU - this would be subject to the Protocol on Ireland/Northern Ireland.]
Latest Developments: From 1 January, until the UK establishes detailed rules for a domestic subsidy regime, it will be now operating under an interim subsidy regime. After 1 Jan 2020, when awarding subsidies, public authorities should take into account:
1. Giving a subsidy correctly (subject to international obligations): a subsidy is currently defined as a measure which is given by a public authority; makes a financial or in-kind contribution to an enterprise; and affects international trade;
2. Whether the subsidies are prohibited; and
3. Whether the subsidy meets the terms of the principles in the UK-EU Trade and Cooperation Agreement (if over £350,000).
The Government has launched a public consultation to consider and inform the further development of its new Subsidy Control regime. The Consultation closes on 31 March 2021. In its consultation the Government is asking for views on:
• whether the UK should apply its own additional principles on subsidy control, as well as those set out in the UK-EU Trade and Co-operation Agreement
• how best to ensure transparency across the system
• the possible roles and responsibilities of the independent body that will oversee the new system
• how this independent body could have some role in supporting enforcement of the principles, alongside normal judicial review standards
• how the system could seek to introduce exemptions consistent with our international obligations (for example, natural disaster relief or in response to global economic emergencies)
Impact on Post Office: [illegible]
Action: [illegible]

Issue: 5. FCA finalised Guidance on the Vulnerable Customer
Why it matters? Following consultations in July 2019 and 2020, the FCA published a draft consultation Guidance for Firms on the Fair Treatment of Vulnerable Customers. The Guidance is on how regulated firms would meet the FCA Principles for Business and they apply to POMS, Capital One, BOT and POL (as an appointed representative of POMS). Since then, the business have been considering further work, notably around culture and understanding the makeup of our customer base. The FCA considers 47% of the population could be regarded as potentially vulnerable.
Latest Developments: The FCA has now finalised its Guidance for firms on the fair treatment of vulnerable customers. The Guidance aims to provide a framework that allows firms to accurately assess whether they are treating vulnerable consumers fairly, ensuring consistency across the financial services sector. The Guidance sets out the FCA's expectations on: understanding the needs of vulnerable consumers; ensuring that frontline staff have the necessary skills and capability to recognise vulnerability; and for firms to consider the characteristics of vulnerability present in their target market or customer base and how they can meet customers’ needs through the design of products and services, their customer services and their communications.
Impact on Post Office: The FCA’s view of vulnerability is as a spectrum of risk. All customers are at risk of becoming vulnerable, but this risk is increased by having characteristics of vulnerability. These could be poor health, such as cognitive impairment, life events such as new caring responsibilities, low resilience to cope with financial or emotional shocks and low capability, such as poor literacy or numeracy skills. As such, one key requirement for POL is to better understand our customer database. Post Office would be required to consider anything that would have an impact on vulnerability. Consideration needs to be made across the whole life cycle of a product from its design to distribution and thereafter. POL has provided vulnerable customer training on SuccessFactors and produced accessibility guidance.
Action: It should be noted that this is guidance rather than mandatory and there is no immediate requirement to implement any changes. Notwithstanding the above, our two principals are both doing a gap analysis to review processes to evaluate where the needs of vulnerable consumers have not been met, so that improvements can be made. For example in POMS call centres they will be asking customers to self-identify their vulnerability.
RAG: [illegible]
Tab 12.4 Bi-Annual Legal Risk Review (Non GLO/Starling)
H2 Legal Risk Report 20/21
Meeting Date: 30 March 2021
Author: Sarah Gray, Group Legal Director Sponsor: Ben Foat, Group General Counsel
Input Sought: Noting
The Committee is asked to note this report and endorse current actions designed to mitigate
the risks identified and suggest any further actions that should be implemented.
Strictly Confidential & Legally Privileged
Tab 12.5 Strategic Partner Financial Stability Update
POST OFFICE LIMITED
AUDIT, RISK & COMPLIANCE COMMITTEE REPORT
Title: Strategic Partner Financial Stability update
Meeting Date: 30 March 2021
Author: Emma Conroy, Interim Head of Strategic Partnerships / Ed Dyer, Working Capital & Cash Management Lead
Sponsor: Dan Zinner, Group Chief Operations Officer
Input Sought: Noting
The Committee is asked to note the partner financial stability update.
Previous Governance Oversight
Audit, Risk & Compliance Committee (ARC) papers Mar 20 and Nov 20, Risk & Compliance
Committee (RCC) Mar 21
Executive Summary
1. At the ARC meeting in Nov 20, discussion was held as to the rigour around the monitoring and tracking of Strategic Partners. The ask was to provide the committee with confidence that the business had a robust solution in place to support monitoring and mitigation of risk, and to come back to you in May; we are on track to deliver this for the May committee.
2. This paper provides an update specifically on McColls, where risk has been greater over the past 18 months. We update on the current trading position of McColls, where some positive news has been communicated in the last few weeks; given previous concerns, this news should provide the business with some comfort around the stability of trading conditions within the McColls estate. Appendix 1 provides an updated Dashboard on McColls.
3. WHS has also been cited by the committee in similar regard by way of level of risk. No material change has been seen since the last update, albeit news in the last few days has been positive in terms of Jan & Feb trading vs PY performance, up at 74% & 84% respectively. Interim HY results are due from WHS on 29 April; therefore we propose to provide a further update at the ARC meeting in May.
Questions addressed
4. What is the current financial status & risk to the most concerning of our strategic partner
McColls?
What is the current financial status & risk to the most concerning of our strategic partner McColls?
McColls (status: AMBER)
5. McColls’ preliminary results for the 53-week period ended 29 November 2020 are due to be published on 23 March 2021. The trading update published on 10 December 2020 pointed to adjusted EBITDA pre IFRS 16 of between £29m to £30m (FY19: £32.1m). Revenue growth of 2.3% has been offset by margin pressures driven by a change in shopping behaviours during the pandemic, to deliver EBITDA lower than the previous financial year.
6. McColls continues to suffer from an overleveraged balance sheet, with a net debt to EBITDA ratio of c.3.1x as at 29 November 2020.
7. Importantly, McColls announced support from its banking syndicate on 1 March 2021, which has agreed to amend McColls’ facilities to offer improved headroom against covenants, a realigned amortisation schedule and an extended maturity date to February 2024. The updated facility consists of a £100m revolving credit facility and an amortising £67.5m term loan. This follows the sale of its head office for £7.3m in January 2021, which appears to have been a condition of the debt facilities restructure.
8. In the same update, McColls announced new terms with Morrisons to become the single wholesale supplier to the whole of the McColls estate until January 2027. The agreement also covers the conversion of 300 stores to the Morrisons Daily format over the next three years. Whilst McColls expects this to drive improved profitability, it raises its key partner risk.
9. The market reacted positively to the 1 March 2021 announcement, with McColls’ share price increasing from c.24p before to trading around c.31p as at 9 March 2021.
10. Prior to the extension of its banking facilities, Experian’s reporting of supplier payments beyond terms showed McColls delaying payments to suppliers on a growing basis, from 63 days in February 2020 to 156 days by January 2021. This suggests cash conservation in order to comply with banking covenants. The support from McColls’ banking syndicate should enable the business to improve payments to suppliers, which we will monitor over the coming months.
11. McColls continues to deliver against its closure plan announced last year, which has seen the Post Office branches reduced from 608 to 522, with a view to this reducing to 456 by June 2021. We are currently collating with the network a RAG status report by partner of those locations that are critical / important / manageable risk, to ensure we understand at any one time the level of critical risk within the partner estates.
12. In conclusion, the recent announcement from McColls is positive as it provides a period of stability to deliver against the turnaround plan. However, it is important that POL remains alive to the risk of failure given McColls’ overleveraged financial position, which leaves it vulnerable to trading downsides or adverse shocks. We will continue to monitor McColls closely.
Appendix 1
McColls risk overview & update
McColl’s Red Flag Report: Mar-21
McColl's Retail Group plc
[Dashboard figure: key metrics for McColl's Retail Group plc (revenue, operating profit, net debt/EBITDA as at Nov-20, market cap, odds of failure over the next 12 months); year end: November; interim period end: May; 1-year share price trend]
Red flags:
• Announced plans to close 200 stores in Feb-20 (including 152 PO branches).
• Bank debt of c.£168m is approx. 5.7x pre-IFRS 16 EBITDA of £29-30m, which is high relative to typical lending limits of 4x.
• Supplier payments being stretched (see graph below), suggesting cash flow pressures.
• Obtained support from its banking syndicate on 1 March 2021 to offer improved headroom against covenants, a realigned amortisation schedule and an extended maturity date to February 2024. The updated facility consists of a £100m revolving credit facility and an amortising £67.5m term loan. This follows the sale of its head office for £7.3m in January 2021, which appears to have been a condition of the debt facilities restructure.
• Delayed release of interim results from 14 July to 4 August (indication that something needed resolving).
• 4 of the 8 directors appointed in 13 months: Giles David (CFO), Richard Crampton (CCO), Benedict Smith (Non-Exec) and Dominic Lavelle (Non-Exec).
• Operating profit in y/e Nov-19 driven by £98.6m goodwill impairment.
[Chart: Supplier Payments Beyond Terms, McColls vs industry average. Source: Experian]
Tab 12.6 DeepDive: Payzone Governance
Title: Payzone Bill Payments Deep Dive Report
Meeting Date: 30 March 2021
Author: Michelle Embrey, Quality & Risk Manager
Sponsor: Andrew Goddard, Payzone Bill Payments Managing Director
Input Sought: Noting
The Committee is asked to note the Payzone Risk & Compliance Update report.
Previous Governance Oversight
This is a follow up action for a deep dive from the previous Audit, Risk & Compliance Committee
(ARC) meeting on 22 September 2020. The paper was reviewed at the Risk & Compliance
Committee on 16 March 2021.
Executive Summary
This paper provides a summary of the following items within the Payzone Bill Payments (PZBP)
business:
• Key risks and mitigations
• Internal governance
• Compliance with regulation
• Internal audit
• Complaints and whistleblowing
• Customer and employee satisfaction
A comprehensive risk register exists within PZBP, with mitigations in place and reviewed
monthly by the senior management team. Improvements in the internal governance have been
implemented in the areas of risk management, change control, business continuity and
information security as well as the ongoing project to align key PZBP policies with the Post
Office (POL). The internal audit conducted by POL concluded that the control environment in
PZBP is appropriate for the size and complexity of the organisation. Ownership of the PZBP
legal register has been transferred from POL group legal to PZBP and it is reviewed annually at the
PZBP Board.
Complaint handling improvements have been identified to incorporate feedback from
customers, retailers and clients. The overall Trustpilot scores remain high at 4.5, reflective of
strong retailer and customer helpdesk support, with some of the highest scores in the last 12
months in Period 11. Employee satisfaction levels remain positive, with small negative changes
in wellbeing during the lockdown, and engagement following the first of two major
organisational restructures within 6 months.
Overall, the business has progressed significantly in incorporating controls, policies, and risk
management practices, with further improvements identified and resourced.
Questions addressed
1. What are the key risks within PZBP and what are the mitigations for these?
2. How is the internal governance embedded into the PZBP operation?
3. Are PZBP fully compliant with relevant regulations?
4. What is the complaints and whistleblowing process?
5. What are the customer and employee satisfaction levels?
Report
1. Key Risk
The following risks are extracted from the PZBP risk register that is aligned with the POL
risk register:
Intermediate Risk — the ability for PZBP to deliver the 5 yr plan (risk score 9)
This risk has been promoted to become the intermediate risk at group level. The 5-
year plan on revenue and cost lines has been re-forecasted as a response to the
changing priorities due to the demands on the business from the Covid-19 pandemic.
At this stage, we continue to monitor the changes in customer buying behaviour (cash
to digital) and the requirements / desire of clients to enter into exclusive contracts as
well as plans to migrate to digital payments.
• Poor trading conditions in the current pandemic (risk score 9)
The lockdowns during 2020/21 have had a significant impact on the bill payment trading
conditions with performance running behind original budget whilst holding up against
LY at 95%, and 96% of target (year to date week 49). Performance has been impacted
due to vulnerable customers shielding at home, clients working with customers to offer
credit and payment holidays, and branch and store closures/reduced opening hours
driving non-cash customers to pay through alternative means. We have continued to
negotiate with key clients by signing new Energy clients in Bright and Jersey and driven
new volume from agreements re-signed with E.On, EDF and via our energy platform
partners, Siemens and Itron, and we will drive additional revenue from new deals with
Allpay and Capita.
• The impact of the Covid-19 pandemic on clients (risk score 6)
We are starting to see some of the smaller Energy companies struggle and fail due to
bad debt and cash flow impact. Their customers however are being absorbed by the
big 6 suppliers e.g., Robin Hood Energy taken over by British Gas, and this will drive
transactions into our networks. The transport industry has been significantly impacted
and will continue until people can travel freely, albeit we have positive engagement
with the likes of National Express Coach & Bus, GoAhead, First Group, Transport for
Wales, and Lothian Bus.
• The long-term impact of the pandemic on finances (risk score 6)
Notwithstanding the changeable impact from Covid-19, the actions completed within
the PZ credit management function have resulted in a reduction in retailer debt to below
the levels seen pre-pandemic, at only 0.5% for failed direct debits and a collection rate
of 99%. Close daily monitoring and integrated credit, helpdesk and field support have
resulted in the improved performance.
• The dependency on third parties (risk score 6)
Throughout the 12 months of the pandemic there is a risk to business-critical activities
that have a high dependency on third parties which have a possibility for high exposure,
for example PLS, which provides PZBP’s device engineering resource. The 2 key suppliers
were contacted and requested to complete a questionnaire to understand the business
continuity plan arrangements in place to enable service levels to resume during the
pandemic situation. Regular calls are in place with key suppliers to monitor the service
during this changeable situation.
2. Internal Governance
a. Responsibilities
The PZBP Board of Directors is responsible for the overall business strategy and for
ensuring that an efficient system of internal controls is in place. These functions
include risk management, compliance, internal audit, change control, financial
accounting, information security and business continuity.
The senior management team is responsible for overseeing the process of
communication with the board, regularly reporting and informing on relevant
aspects and being actively engaged with the business to enable well-informed decisions.
The senior management team also oversees the implementation of the strategy, the
risk culture, the code of conduct and the integrity of the financial information. The senior
management team identifies, manages and mitigates actual or potential conflicts of
interest.
b. Framework
PZBP have ensured that the organisational framework is suitable, effective and
transparent. The effectiveness is a result of appropriate human resource allocation.
A particular focus has been on the improvement of the following internal controls:
• Improvement of the risk culture and management
• Change control, with the implementation of the change advisory board, which will be
further enhanced with the introduction of the gating process
• Business continuity and information security, evidenced by PZBP’s ability to
efficiently continue operations in the current pandemic crisis and the achievement
of the UKAS accredited certifications ISO 27001 Information Security and ISO
22301 Business Continuity.
The overall framework and relationship with POL governance is detailed in the process
flow map in Appendix 1.
c. Policy Update
In an effort to align the key policies within PZBP, a gap analysis exercise was conducted
comparing PZBP and Post Office policies. The result of this was a list of 28 policies that
should be adopted, or PZBP specific policies created where adoption is not possible.
This paper provides a summary of the current status of the review with full detail in
Appendix 2. The recommendations put forward to the PZBP board are as follows:
• Adoption of 19 policies with no addendums or variations, which will be submitted
to the PZBP April Board meeting
• A variation required for 1 policy (the variants of Modern Slavery and Vulnerable
Customer have already been approved by PZBP board), to be actioned by the July
PZBP board meeting
• There are 5 policies that are currently classed as under review and will be
implemented by the July PZBP board meeting
3. Compliance with Regulation
Compliance with regulations within PZBP is externally audited by a UKAS accredited
certification body as part of the ISO 27001 Information Security and ISO 45001
Occupational Health and Safety certifications. PZBP were found to be compliant with
applicable legislation.
A dedicated PZBP legal register is now managed by PZBP Legal Counsel and linked into
the POL legal register and is reviewed annually by the PZBP Board.
4. Internal Audit
An internal audit was conducted within the finance and IT functions by the POL audit team
in 2019. This audit concluded that the control environment in PZBP is appropriate for the
size and complexity of the organisation. There were 15 findings raised and of these only
2 are ongoing (See Appendix 3), to be completed by August 2021. PZBP are due to be
audited again in Q1 of the 2021/2022 auditing schedule once the schedule is approved by
ARC.
PZBP have 2 internal auditors responsible for the internal audit programme across all
functions within PZBP. This process assesses the quality of the internal control framework
by reviewing existing policies and procedures to ensure they remain suitable and comply
with the requirements of the ISO certifications. PZBP is also externally audited as part of
the UKAS accredited ISO standards. PZBP are currently certified to the following ISO
standards:
• ISO 9001:2015 Quality Management Systems
• ISO 45001:2018 Occupational Health and Safety Management Systems
• ISO 14001:2015 Environmental Management Systems
• ISO 27001:2013 Information Security Management Systems
• ISO 22301:2014 Business Continuity Management Systems
5. Complaints and Whistleblowing
The total number of customer complaints logged during 2020 was low, with an average
of just 2 complaints per month.
A series of improvements have been instigated and will be completed by Q3 2021:
• SLAs to be introduced on response and completion
• Targets should be introduced and linked into business KPIs
• Complaints to be formally defined to ensure all complaints received are logged
• Technical upgrade to CRM system to capture complaints
• Complaint reporting to be included in business performance KPIs regularly
communicated to the senior management team.
There have been no instances of whistleblowing within PZBP during 2020. However, a
number of improvements have been identified, including adopting the group
Whistleblowing policy, appointing a whistleblowing officer and improved awareness of the
process. This will be completed by the July PZBP Board meeting.
6. Customer and Employee Satisfaction
a. Customer Satisfaction
The customer satisfaction is currently evaluated via a monthly customer satisfaction
survey and ongoing Trustpilot reviews. The results from the 2020 data show that customer
satisfaction is high with a Trustpilot score of 4.5 and the customer satisfaction survey
producing an average satisfaction level of 94%. Appendix 5 highlights the improving
Trustpilot scores with P11 showing the highest scores in the year against categories such
as friendly, going the extra mile, and overall satisfaction. Any retailers that are highlighted
via these channels that have provided a customer with a poor service are issued an
etiquette form and followed up, and this process needs to be enhanced.
There are a series of improvements that are currently being implemented and are
scheduled for completion in August 2021:
• Alignment of the PZBP surveys to the POL survey
• Customer satisfaction follow-up process and reporting
• NPS improvements
b. Employee Satisfaction
PZBP has assessed employee satisfaction via two pulse surveys in both April and
December 2020. The individual pulse surveys showed an increase in mental and physical
wellness from April to December and also showed a slight increase in individuals’
productivity in this same period. This increase from April to December is likely to be a
reflection of employees accepting the working from home requirement that was introduced
in March 2020, in response to the pandemic crisis. There was also a major restructure
implemented in September 2020, which explains the few areas that saw a minor decrease
in satisfaction (see Appendix 4). The high-level responses collated from these pulse
surveys were presented to the management team. Engagement champions were involved
in order to generate and implement the action plan.
A further pulse survey will be released in April 2021 and a full engagement survey will be
released in November 2021, and then annually thereafter.
Next Steps & Timelines
7. The key group policies recommended for adoption to be submitted for approval to the April
2021 PZBP Board meeting, with the physical security variation and review of the remaining
key group policies submitted to the July 2021 PZBP Board meeting.
8. The implementation of the complaints process improvements scheduled to commence May
2021, customer satisfaction improvements to be implemented by August 2021, pulse
survey in April 2021 and the engagement survey will be released in November 2021.
Appendix 1: Governance Framework
[Process flow map: PZBP governance framework and its relationship with POL governance]
Appendix 2: Policy Update
[Table: policy gap analysis by department (Corporate Governance, Risk, Financial Crime, Business Continuity, Investigations, Legal, Data Protection, Internal Audit, IT / Cyber Security, Procurement, Health & Safety, Physical Security, Conduct, Human Resources, Finance), listing for each policy a recommendation of Adoption, Variation or Review and a justification.
Policies covered: conflict of interest; contract execution; modern slavery statement; risk appetite statement; risk; financial crime; anti-money laundering & counter-terrorism funding; anti-bribery & corruption; business continuity management; investigations policy; law enforcement agencies; freedom of information; protecting personal data; document retention policy; internal audit charter; cyber & information security; procurement policy; health & safety; physical security; code of business conduct; whistleblowing; equality, diversity & inclusion; Post Office treasury.
Legible justifications: the current modern slavery statement cannot be adopted as it stands, PZBP could be included in future iterations with amendments; the investigations and procurement policies are in draft form; health & safety is subject to discussion with regard to applicability to PZBP; the Post Office treasury policy requires further review by an individual with specific experience.]
Appendix 3: Internal Audit
Columns: Finding | Rating | Action owner | Date | Response | Status

Finance
Scope Area: Governance
1. Financial policies and processes do not fully reflect the current operation. Rating: P2. Action owner: Stephenie Smith. Date: 31/12/19. Response: The main processes are documented. Further work required regarding VAT and debt management but these are due to changes. Completion date scheduled for July 2021. Status: Ongoing.
2. No formal internal delegation of authorities matrix. Rating: P2. Action owner: Stephenie Smith. Date: 30/11/19. Response: Document of authority has been created and authorised. Last reviewed Dec 2020. Status: Complete.
Scope Area: Core Financial Processes
3. Goods Receipting is not consistent. Action owner: Stephenie Smith. Date: 31/12/20. Response: This is mitigated by ensuring that the invoice is approved by the originator prior to payment being made. Status: Mitigated.
4. Client Trust bank accounts remain in the name of PZUK. Rating: P2. Action owner: Stephenie Smith. Date: 25/10/20. Response: A TSA is in place with Takepayments. A project is underway to enable the separation of the banking structure. Completion date scheduled for Aug 2021. Status: Ongoing.
5. Credit Control policy does not reflect actual merchants' credit limits or payment terms in operation. Rating: P2. Action owner: Andy Munro. Date: 31/12/19. Response: Credit limits have been set and the policy updated to reflect this. Status: Complete.
Scope Area: Retail
6. Process for the onboarding of new merchants is not documented. Action owner: Andy Munro. Response: The onboarding process has been documented within the updated Credit Control policy. Status: Complete.

IT
Scope Area: IT Governance
7. IT Strategy is not fully defined or documented. Rating: P2. Action owner: Blackburn. Date: 31/3/20. Response: The PZ IT strategy is now clearly defined. The overall objective of the strategy is to reposition its core system hosting platform into AWS whilst delivering IT software solutions centred on product offerings (Energy, telco etc). Supporting these offerings is a consistent device strategy that underpins the offerings of the PZ business and also additional Post Office services where applicable. Status: Complete.
Scope Area: System Development
8. Coding standards are not defined. Rating: P2. Action owner: Ralph Wort. Date: 31/3/20. Response: PZ IT uses a consistent development framework that is underpinned by the over-arching strategy. In addition to industry frameworks we also adopt internal policies and procedures such as peer reviews, internal audits etc. Structured coding standards are at the core of our software development processes. Status: Complete.
Scope Area: Infrastructure and Systems Integration
9. There are no processes for ongoing third party assurance. Action owner: Neil Davey. Date: 31/3/20. Response: Supplier code of conduct and questionnaire in place. Status: Complete.
Scope Area: Access Controls
10. There are no JML processes for dormant AD or application accounts. Action owner: Michelle Embrey. Date: 31/12/19. Response: The JML process has been documented. Status: Complete.
11. No monitoring of wireless network creation. Action owner: Blackburn. Date: 31/12/19. Response: Only admin users (IT Ops) can create SSIDs. JD has disabled the discoverable feature on all machines. Status: Complete.
12. The Sophos XG firewall controlling traffic into and out of the Northwich HO location is not securely configured. Action owner: Blackburn. Response: Firewall is for internet monitoring and control only (block FTP). Mitigation in place: filters in place to stop malicious content, end point protection (Sophos), user names and passwords required for logins, IT Ops admin accounts, firewall in DC controlled and managed by Vodafone at IP address level. POL auditor wanted network level firewall; implementing this will cause disruption and incur extra cost. This is an unnecessary action. Status: Complete.
13. Lack of consistency of controls over physical access to Northwich site. Action owner: Michelle Embrey. Date: 30/11/19. Response: Reminder email has been issued detailing the importance of keeping the reception door closed. Visitors and contractors must sign in. Status: Complete.
Scope Area: IT Security and Operations
14. Patch management processes are not fully documented. Action owner: Blackburn. Date: 31/12/19. Response: The patch management process has been documented within the Patch Management Policy. Status: Complete.
Scope Area: Data Privacy
15. Data Protection processes not yet integrated. Action owner: Michelle Embrey. Date: 31/12/19. Response: The data breach and information request processes have been implemented and training is currently being rolled out to the organisation. Status: Complete.
Appendix 4: High-level Pulse Survey Results

December 2020 Pulse Survey (53% response rate)
• 100% of respondents are feeling between great and okay physically
• 98% of respondents are feeling between great and okay mentally
• 93% of respondents say their current working environment enables them to be productive within their role
• 83% of respondents say that their work schedule is flexible enough for them to balance their responsibilities between family & personal
• 93% of respondents say that their manager listens to their ideas and feedback
• 84% of respondents say that their line manager creates an environment which encourages team collaboration and clarity of direction

April 2020 Pulse Survey (75% response rate)
• 93% of respondents were feeling between great and okay physically
• 94% of respondents were feeling between great and okay mentally
• 91% of respondents said that their current working environment enabled them to be productive within their role
• 91% of respondents said that their work schedule was flexible enough for them to balance their responsibilities between family & personal
• 95% of respondents said that their manager listens to their ideas and feedback
• 91% of respondents said that their line manager creates an environment which encourages team collaboration and clarity of direction
Appendix 5: End user Customer Satisfaction Results
[Table: end user customer satisfaction driver scores by period (Periods 01 to 09 and year 2020/21) for Friendly, Professional, Knowledge, Understanding, Efficient, Ease, Clean & Tidy, Emotional Impact, Perceived Wait Time, Clear Directions, Average (Perceived Wait Time), Extra Mile and Opportunity; the figures are not legible in the source]
[Chart: Trustpilot Review by Star Ratings]
Tab 12.7 Foreign Currency and Hedging
Title: Foreign Currency and Hedging
Meeting Date: 30 March 2021
Author: Tom Lee, Financial Controller / Pete Mitchell, Treasurer
Sponsor: Al Cameron, Group Chief Finance Officer
Input Sought: Noting
The Committee is asked to note:
The process of revaluing foreign currency and the hedging of foreign exchange risk at Post
Office.
The summary of issues identified in year, the manual fix implemented and planned changes
to create a better process.
Previous Governance Oversight
Presented to Risk & Compliance Committee on 16 March 2021
Executive Summary
1. Post Office have a requirement to hold foreign currency inventory of notes and coins to
support the travel business. They buy and sell foreign currency both centrally from First
Rate Exchange Services via Hemel and at individual branch level. The Group’s foreign
currency risk management objective is to minimise the impact on the profit or loss account
of fluctuations in the exchange rates. The Group hedges its foreign currency risk through
external forward contracts.
2. The foreign exchange movements are recorded at individual currency level, by branch, in
the Core Financial System on the SAP platform. Foreign currency holdings as at the end of
December 2020 were manually revalued. This manual revaluation demonstrated issues with
the auto-revaluation programme causing a £1.4m understatement of realised exchange
differences in profit and loss account. A catchup posting was made in P9 to recognise this
amount and a manual fix has been put in to mitigate this risk going forward. Post Office
paid Accenture to design and implement the FX programme in SAP. A project is currently
underway to fix these issues within the FX programme.
Questions addressed
1. How is foreign currency revalued at Post Office?
2. Is our hedging strategy and processes fit for purpose?
Report
1. The aim of this paper is to provide an overview of foreign currency revaluation at Post Office
and how the Group seeks to hedge against its exposure for foreign currency risk.
Foreign Currency
2. Post Office branches hold numerous foreign currencies that may be bought from, or sold
to, customers. Reserves of foreign currency are held at the cash distribution centre in Hemel
Hempstead. The bulk of foreign currency holdings relate to Euros (c.65%) and US Dollars
(c.20%). Foreign currencies are supplied to Post Office by First Rate Exchange Services,
the joint venture with Bank of Ireland.
3. Accounting standards require foreign currency holdings to be recorded at the spot exchange
rate between the functional currency (for Post Office, this is Pounds Sterling) and the
foreign currency at several points in time:
a. Initial recognition (purchase of foreign currency).
b. Reporting date (period end and year end).
c. De-recognition (sale/settlement of foreign currency).
Exchange differences arising on the revaluation of foreign currency holdings at period or
year end are considered unrealised and are not immediately recognised in profit or loss.
Exchange differences arising on the revaluation of foreign currency when it is sold or settled
are considered realised and are immediately recognised in profit or loss. Any unrealised
exchange differences relating to the sold or settled foreign currency are also now recognised
in profit or loss.
4. In February 2020 an auto-revaluation programme was implemented in the Group’s Core
Finance System (“CFS”). Accenture built and tested the programme, with review and final
sign-off performed by Post Office. The programme executes every weekend.
5. Subsequent to implementation, several interrelated issues were identified with the auto-
revaluation programme, namely:
a. The programme does not realise exchange differences in profit or loss unless the
branch holding is zero when the programme is executed on a weekend.
b. The programme assumes that exchange differences should only be realised in profit
or loss if the sale results in a branch holding of zero for said foreign currency. Due
to this, if the branch holding remains above zero then the exchange difference is
treated as unrealised. There is no partial recognition of exchange differences in profit
or loss for currency sold during the week.
c. When the branch holding is zero at the point of revaluation, the programme realises
exchange differences in profit or loss. However, there is no associated posting to
clear out the unrealised exchange difference to profit or loss. Due to this, the
unrealised value builds up on the balance sheet, even if the associated foreign
currency has been sold.
6. Foreign currency holdings as at the end of December 2020 (P9) were manually revalued
and have been revalued monthly since. This suggested that the issues with the auto-
revaluation programme had caused a £1.4m understatement of realised exchange
differences in profit or loss. A manual journal adjustment has been posted into CFS to correct
the profit or loss account, which was effectively a catch-up journal for balances which should
have flowed within the year.
7. Post Office Limited (POL) were reliant on Accenture’s design of the FX programme and hence
guided by them on the initial proposal. This is a common approach adopted by many organisations
that do not have internal expertise to lean on.
8. Accenture have been re-engaged to investigate and correct the issues identified in the auto-
revaluation programme. This work is currently underway and is expected to deliver a
solution by [year end]. We are working closely with Accenture to ensure that the revised
programme is thoroughly tested and addresses all issues identified.
9. In addition, the foreign currency revaluation process at Post Office has been reviewed, and
the following improvements are to be implemented by [year end]:
a. Responsibilities consolidated into Treasury, facilitating more oversight and control
over the end-to-end process.
b. Bi-monthly manual revaluation performed, providing a timely sense-check against
the auto-revaluation programme so that discrepancies can be quickly escalated and
investigated.
c. New validation checks and re-calculations built into the balance sheet reconciliations
for foreign currency general ledger accounts, providing additional assurance over
the accuracy of the auto-revaluation programme.
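The three defects in items 5a to 5c, and the manual sense-check proposed in item 9b, as an added worked example. This is constructed for this page and is not Post Office's or Accenture's SAP code; the ledger mechanics (weighted-average carrying value, a single unrealised account per currency), the event sequence and the exchange rates are all assumptions chosen to make the understatement visible:

```python
"""Constructed model of the auto-revaluation defects (items 5a-5c) and the
manual sense-check (item 9b). Not Post Office or Accenture code; the
accounting mechanics are a deliberate simplification."""
from dataclasses import dataclass


@dataclass
class Ledger:
    """One branch's position in a single foreign currency; all values in GBP."""
    defective: bool              # True models the programme as described in item 5
    units: float = 0.0           # foreign currency units held
    carrying: float = 0.0        # GBP value at which the units sit on the balance sheet
    unrealised: float = 0.0      # balance sheet unrealised exchange difference account
    realised_pnl: float = 0.0    # realised exchange differences in profit or loss
    pending: float = 0.0         # defective mode: in-week sale differences awaiting the weekend run

    def buy(self, units: float, rate: float) -> None:
        """Initial recognition at the spot rate (item 3a)."""
        self.units += units
        self.carrying += units * rate

    def sell(self, units: float, rate: float) -> None:
        """De-recognition at the spot rate (item 3c)."""
        share = units / self.units                 # fraction of the holding sold
        cost = self.carrying * share               # carrying value of the units sold
        diff = units * rate - cost                 # exchange difference on this sale
        self.units -= units
        self.carrying -= cost
        if self.defective:
            # Items 5a/5b: the difference is parked as unrealised; no partial recognition
            self.unrealised += diff
            self.pending += diff
        else:
            # Realise the sale difference and release the matching unrealised amount
            release = self.unrealised * share
            self.unrealised -= release
            self.realised_pnl += diff + release

    def weekend_revalue(self, closing_rate: float) -> None:
        """Reporting-date revaluation (item 3b); the movement stays on the balance sheet."""
        new_value = self.units * closing_rate
        self.unrealised += new_value - self.carrying
        self.carrying = new_value
        if self.defective:
            if self.units == 0:
                # Item 5c: posted to P&L, but the unrealised account is never cleared
                self.realised_pnl += self.pending
            # With units still held, the pending differences are never realised at all
            self.pending = 0.0


# Constructed trading sequence for one branch (EUR; rates are GBP per EUR)
EVENTS = [
    ("buy", 10_000, 0.84),
    ("weekend", None, 0.85),
    ("sell", 4_000, 0.86),
    ("weekend", None, 0.87),
    ("sell", 6_000, 0.88),
    ("weekend", None, 0.89),
]


def run(defective: bool, events=EVENTS) -> Ledger:
    """Replay the events through the defective programme or a manual revaluation."""
    ledger = Ledger(defective=defective)
    for kind, units, rate in events:
        if kind == "buy":
            ledger.buy(units, rate)
        elif kind == "sell":
            ledger.sell(units, rate)
        else:
            ledger.weekend_revalue(rate)
    return ledger


def sense_check(events=EVENTS) -> dict:
    """Item 9b: compare the programme's P&L with a manual revaluation of the same events."""
    auto, manual = run(True, events), run(False, events)
    return {
        "auto_realised_pnl": round(auto.realised_pnl, 2),
        "manual_realised_pnl": round(manual.realised_pnl, 2),
        "understatement": round(manual.realised_pnl - auto.realised_pnl, 2),
        "stranded_unrealised": round(auto.unrealised - manual.unrealised, 2),
    }


if __name__ == "__main__":
    for key, value in sense_check().items():
        print(f"{key:>22}: {value:>9.2f}")
```

On the constructed sequence the branch's economic gain is GBP 320 (bought at 0.84, sold at 0.86 and 0.88). The manual revaluation realises all of it; the defective path only realises the GBP 60 from the final sale, because that is the only sale followed by a weekend run with a zero holding, and leaves GBP 320 stranded in the unrealised account. The understatement grows with every week in which the branch keeps a non-zero holding, which is the cumulative effect item 14 describes.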
Hedging
10. The Group is exposed to foreign currency risk resulting from balances held to operate Bureau
de Change services. The Group’s foreign currency risk management objective is to minimise
the impact on the profit or loss account of fluctuations in the exchange rates. The Group
hedges its foreign currency risk on Euros and US Dollars, principally through external
forward foreign currency contracts to cover near-term future revenues with a number of
providers, including First Rate Exchange Services Holdings Limited.
11. The FX hedging strategy has been reviewed and benchmarked. POL are hedging 80-120% of
their exposure, up to five weeks in the future. This is in line with market practice of using FX
forwards to manage the exposure. Minor adjustments could be made to both the length
and the percentage of hedges, but this would not have negated the issue.
12. The FX hedging process is split into two parts: the calculation of the hedge is prepared by the
Commercial team and the hedge is executed by the Treasury team. Up until December 2020, when the
FX issue was highlighted, there was minimal review and oversight by the Treasurer. A
monthly review with the Commercial team is now in place. We are also discussing options
to give Treasury more control of the end-to-end process. All hedges are currently recorded
on a spreadsheet saved on a secure SharePoint site; however, this opens up the risk of
manual errors when recording the hedges and is not best practice. We currently place all
hedges with one bank, and the process is managed by email and telephone, which is also not best
practice.
Conclusion
13. The hedging strategy and processes are not the reason for the FX issue. There is some room
for improvement, but there is no material issue or risk with the hedging.
14. The SAP FX programme implemented by Accenture in February 2020 to revalue the Balance
Sheet and post realised gains and losses is not working as expected, overstating the cash
position and understating the Profit and Loss, as a result of not sweeping balances to the
Profit and Loss. The issue was not discovered early because the cumulative nature of the
problem and reduced trading levels masked it.
15. A good implementation partner should have manually revalued the solution for us for at
least three months post go-live, to ensure the programme was working at different levels of
trading. We are paying a premium to Accenture for their depth of expertise.
16. POL were reliant on Accenture’s design of the FX programme and hence guided by them on
the initial proposal. This is a common approach adopted by many organisations that do not have
internal expertise to lean on. Other Treasurers and SAP experts I consulted share my view
on this. We pay Accenture because they are the experts in SAP development and solution
design.
Actions
Action | Owner | Completion Date
Realised Gains and Losses for the identified calculation errors manually recalculated | Tom Woodhouse | Monthly until fix in place
Create Request to Quote (RTQ) for Accenture containing the Target actions | Pete Mitchell / Tom Woodhouse | 19/03/2021
Accenture to quote time and cost to complete the Target actions | Accenture | 26/03/2021
Treasury to start 2nd review of Balance Sheet reconciliations associated with FX movement | Pete Mitchell | 12/03/2021
Implement automated FX trading process | Pete Mitchell | 23/04/2021